Tag Archives: Malware

DeepLocker: AI Powered, Ultra-Targeted and Evasive Malware

19 August 2018

Mohit Kumar’s report on DeepLocker (1) published on 9 August 2018 in The Hacker News made me jump. Is AI becoming the doomsday machine of the 21st century?

DeepLocker is the result of a study (2) performed by IBM Researcher Marc Stoecklin and his colleagues on the question how the use of AI will change cyber-attacks:

“DeepLocker has changed the game of malware evasion by taking a fundamentally different approach from any other current evasive and targeted malware.”

The good news is that DeepLocker still needs a carrier app. Marc Stoecklin writes:

“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.”

Seven Phases Cyber Kill Chain

Cyber Kill Chain

DeepLocker is hence not invincible. A compromised carrier app will have another fingerprint than the not compromised version, at least until the carrier app is not compromised during development.

With this, program reputation, a must-have in every Next Generation Endpoint Protection Solution (NGEPS), can stop a malicious app very early in the Cyber Kill Chain (CKC).

The bad news is that reverse engineering is hardly possible. Marc Stoecklin writes:

“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”

Although I am fond of reading malware analysis papers I won’t miss them. From my point of view, it is only important that the NGEPS blocks the payload from being executed. In terms of the Cyber Kill Chain this means: ideally in the delivery phase, the latest in the installation phase.

For more details on DeepLocker please see the presentation (3) Marc Stoecklin delivered at the Black Hat 2018 conference.

Don’t panic, but be prepared: Skynet will gain world supremacy soon …

Have a great week.

  1. Kumar M. Researchers Developed Artificial Intelligence-Powered Stealthy Malware [Internet]. The Hacker News. 2018 [cited 2018 Aug 13]. Available from: https://thehackernews.com/2018/08/artificial-intelligence-malware.html
  2. Stoecklin MP. DeepLocker: How AI Can Power a Stealthy New Breed of Malware [Internet]. Security Intelligence. 2018 [cited 2018 Aug 13]. Available from: https://securityintelligence.com/deeplocker-how-ai-can-power-a-stealthy-new-breed-of-malware/
  3. Stoecklin MP, Kirat D, Jang J. DeepLocker – Concealing Targeted Attacks with AI Locksmithing [Internet]. Black Hat USA 2018. 2018 [cited 2018 Aug 19]. Available from: https://www.blackhat.com/us-18/briefings/schedule/#deeplocker—concealing-targeted-attacks-with-ai-locksmithing-11549

Don’t ‘Enable Macro if Data Encoding is Incorrect’!

30 January 2016

If you open a word document attached to an email and you see the message ‘Enable macro if data encoding is incorrect’ you are well on the way to become the victim of a cyber-attack:

Dridex malware requests to lower macor security

Dridex malware requests to lower macro security

Word blocked the auto-open macro in the document to prevent its execution. In the case of document ‘Fax 49 2232949992120160128232732.doc’ it’s about the trojan ‘W2KM_DRIDEX.BM’. Besides other malicious activities the macro downloads and executes the program g545.exe from a server hosted in the Russian Federation.

So far everything went well. Word was well secured and blocked the auto-open macro from executing the payload. The best way to go ahead is to close word and drop the email and the downloaded attachment.

But if you comply with the request and lower the macro virus settings in word you will be definitely tricked.

As always the first line of defense is a well-trained user who follows the commandments

  • ‘Think twice before you click on whatever links or attachments’,
  • ‘Never lower your security settings upon requests of whatever sources’ and
  • ‘Disable all macros with notification’ in Word Trust Center, section Macro Settings.

In the worst case it may come to a blackout in a country, done in Ukraine 23 December 2015.

Have a good weekend.

TrojanDownloader:Win32/Upatre not detected by 22 of 57 Anti-Malware Programs after 2 days

20 June 2015

In the past days I got lots of emails with suspicious attachments. I carefully analyzed most of them on my test system (VMWare with Windows 8.1 64bit and Microsoft Defender) and identified most of them as good old friends, sent by cyber criminals to steal personal information.

Cyber-attacks follow always the same pattern:

Development of a Cyber Attack

Development of a Cyber Attack

[1] Attract the reader’s attention.

[2] Force the reader to extract and execute the malware disguised as an innocuous pdf or html file.

[3] Make the Trojan persistent in the operating system and wipe out the digital traces as far as possible.

[4] Connect to the Command & Control (C&C) server and download additional software from the C&C server. The C&C server is the cyber attacker’s command center.

[5] Send the users secrets to the C&C server.

In most cases, email providers put such mails directly in the Junk E-mail or Spam folder. Unfortunately a small part of e-mails, with well camouflaged malware attachments or new variants of malware, are directed to the inbox. But this should be no problem at all. Since most of the Trojans are variants of already known malware one would expect that the heuristic scanners of the anti-malware systems should be able detect and sanitize the attachments during download from the email to the file system.

I use Trend Micro MaximumSecurity because the program got a 5 star rating in a comprehensive test last November. I run the program in protection level “Hypersensitive” to get maximum protection, but, to my great surprise, Trend Micro did not detect the malware.

On 18 June I uploaded the payload to virustotal.com to get an overview of the detection rate of 57 anti-malware programs. The malware was first analyzed on virustotal.com on 16 June 2015 at 11:48 a.m.

I received the mail on 16 June 2015 at 1:37 p.m. Microsoft Defender, rated “worst” in the November evaluation, identified the Trojan as Trojan:Win32/Peals.D!plock on 16 June 2015 at 9:45 p.m, 10 hours after the first upload to virustotal.com. This is a very good result!

On 18 June, 29 of 57 scanners were able to detect the malware, Trend Micro MaximumSecurity was not among them. Defender identified the malware as TrojanDownloader:Win32/Upatre, but this change is not relevant.

Defender Report

Defender Report

Yesterday evening I repeated the check on virustotal.com. 35 of 57 anti-malware programs successfully detected the malware. Again, Trend Micro MaximumSecurity was still not among them.

I am really puzzled. I thought, I bought one of the best anti-malware systems, but 6 months later it’s just not capable to detect variants of old Trojans. It’s time to switch back to Defender and to write-off the Trend Micro software. This seems to me an acceptable risk.

By the way, the most effective protection measure here is user training. Never open attachments of nested zip-files. It is very likely that they contain malware which puts your information systems at risk.

And don’t trust Anti-Malware program evaluations in German computer magazines.

Have a good weekend!

Appendix: virustotal.com check results as of 19 June 2015

Antivirus Result Update
ALYac Trojan.GenericKD.2494514 20150619
AVG Generic_s.EUO 20150619
AVware Trojan-Downloader.Win32.Upatre.ic (v) 20150619
Ad-Aware Trojan.GenericKD.2494514 20150619
AhnLab-V3 Trojan/Win32.Upatre 20150619
Arcabit Trojan.Generic.D261032 20150619
Avira TR/Agent.68096.251 20150619
Baidu-International Trojan.Win32.Upatre.bkby 20150619
BitDefender Trojan.GenericKD.2494514 20150619
CAT-QuickHeal TrojanDownloader.Upatre.r3 20150619
Cyren W32/Upatre.AT.gen!Eldorado 20150619
DrWeb Trojan.Upatre.3504 20150619
ESET-NOD32 a variant of Win32/Kryptik.DMJN 20150619
Emsisoft Trojan.GenericKD.2494514 (B) 20150619
F-Prot W32/Upatre.AT.gen!Eldorado 20150619
F-Secure Trojan.GenericKD.2494514 20150619
Fortinet W32/Waski.A!tr 20150619
GData Trojan.GenericKD.2494514 20150619
Ikarus PUA.Bundler 20150619
K7GW Trojan ( 004c5fac1 ) 20150619
Kaspersky Trojan-Downloader.Win32.Upatre.bkby 20150619
Malwarebytes Trojan.Downloader.Upatre 20150619
McAfee Upatre-FACH!9B004AD1DBB5 20150619
McAfee-GW-Edition BehavesLike.Win32.Dropper.km 20150619
MicroWorld-eScan Trojan.GenericKD.2494514 20150619
Microsoft TrojanDownloader:Win32/Upatre 20150619
Panda Trj/Genetic.gen 20150619
Qihoo-360 HEUR/QVM20.1.Malware.Gen 20150619
Rising PE:Trojan.Win32.Generic.18C77685!415725189 20150618
Sophos Troj/Dyreza-FP 20150619
Symantec Downloader.Upatre!gen5 20150619
Tencent Trojan.Win32.Qudamah.Gen.2 20150619
TrendMicro-HouseCall TROJ_GEN.F0D1H0ZFG15 20150619
VIPRE Trojan-Downloader.Win32.Upatre.ic (v) 20150619
nProtect Trojan.GenericKD.2494514 20150619
AegisLab 20150619
Agnitum 20150619
Alibaba 20150619
Antiy-AVL 20150619
Avast 20150619
Bkav 20150619
ByteHero 20150619
CMC 20150618
ClamAV 20150619
Comodo 20150619
Jiangmin 20150618
K7AntiVirus 20150619
Kingsoft 20150619
NANO-Antivirus 20150619
SUPERAntiSpyware 20150619
TheHacker 20150619
TotalDefense 20150619
TrendMicro 20150619
VBA32 20150619
ViRobot 20150619
Zillya 20150619
Zoner 20150619

 

Some thoughts about ‘Mitigation strategies for data-wiping malware’

21 May 2015

In article ‘Mitigation strategies for data-wiping malware’ published on Security Think Tank in January 2015, Peter Wenham talks about mitigation strategies for data-wiping malware.

Peter’s proposals for creating a prevention strategy, training and strict refusal of local administrator access for employees, can be implemented quickly and at a fair price.

To complement this, companies should add a trusted zone concept for administrative tasks. A server administrator should never sign in to a server from a system at a lower trust level, e.g. from the laptop he uses to connect from outside the company network to a server. A trusted admin zone concept will prevent the lateral drift of attackers within the company network once they got access through e.g. a phishing attack and a RAT (Remote Access Trojan).

Have a good day!

Anthem hacked – company says five employee’s credentials phished and used

26 February 2015

In his report ‘Anthem: company says five employee’s credentials phished and used’ posted on IT Security Guru at 12 February 2015, Dan Raywood gives us some background details about how the hack occurred.

The attackers used a phishing attack to steal the credentials of employees. To be honest, I’m relieved to hear that. No rocket science! Phishing is and remains the #1 attack vector.

Awareness training and Two Factor Authentication are the preferred preventive protection measures. Anthem did the right thing. In report ‘Anthem’s IT system had cracks before hack’ we read: ‘Then on Feb. 7 and 8, Anthem reworked all its IT accounts that have privileged access to sensitive information to now require three layers of authentication—a permanent login, a physical token, and a temporary password that changes every few hours.’

If Two Factor Authentication could not be implemented, SmartScreen Filtering in Internet Explorer or the Reported Attack Site Blocker in Firefox could be helpful. The error messages can hardly be ignored:

SmartScreen Warning Phishing Attack

SmartScreen Warning Phishing Attack

Some anti-malware packages, e.g. Trend Micro Maximum security, will also block access to malicious sites. But the above options are of limited use in the case of zero day exploits, although it’s amazing to see how fast the filters are updated.

Have a good day! … And,  don’t forget to activate SmartScreen Filtering as soon as possible.

Free email providers are preferred distribution channels for malware

21 February 2015

Thursday morning I got a very puzzling e-mail. A collection agency informed me of an allegedly not paid invoice and threatened me with defaulted interest and overdue fines.

But, I conduct no business with Pay Bank AG. In addition the mail was sent from a GMX, a Germany based free mail service, address and not from the Pay Bank AG domain.

This was just another spam mail, but, compared to others, well and convincing written. The message was crystal clear: Open the attachment!

In the evening I checked the attachment and found nested zip files. The inner zip file contained a program that appeared to be the data-gathering malware Win32/Zbot.gen!plock (TROJ_DLOADR.JCQ). Fortunately the anti-malware program on my computer removed the malware during download to my hard disk.

Sending malware in nested zip files ensures that the anti-malware systems on the e-mail provider’s mail-in servers become not aware of the malicious attachments. Scanning of archives is very time-consuming because the anti-malware system has to open the archive and to scan all files inside. Therefore nearly all anti-malware systems are configured to ignore nested zip files..

But what amazed me was that apparently no e-mail provider runs an in-depth scan of attachments. From the e-mail header I found that the mail was sent from the attacker’s computer PC14-050 to mail.gmx.com (GMX) and via mailin55.aul.t-online.de (T-Online) to SNT004-MC3F11.hotmail.com (Microsoft).

Since the malicious attachment wasn’t removed on his way to the inbox on my computer, GMX, T-Online and Microsoft use a similar, inadequate anti-malware configuration on their mail-in servers. As always, the last line of defense is the anti-malware system on the end-user’s computer.

In my opinion, this is an enormous waste of resources. Every day millions of malicious attachments clog the internet because of inadequate anti-malware configurations. We could save a lot of bandwidth for really important business, and much hassle, if mail-in servers would just reject any e-mail that has known malicious attachments.

That’s it for today. Please configure the anti-malware program, which is installed on your computer, to perform in-depth scans of attachments. Safety has priority over speed!

Have a good weekend.

Sony-pocalypse is still stuck in my mind

13 December 2014

The more technical details about the Sony attack come to light, the more restless I become. Although the attacker delivered a high sophisticated piece of code, the impact of this attack would not have been such serious without the unintended help of the Sony users and IT groups.

Samuel Gibbs writes in theguardian ‘While security analysts have said that preventing sophisticated and well-funded cyber criminals from breaking into a company is very hard indeed, researchers have criticised Sony Pictures for its poor data security, which allegedly saw login details stored in unencrypted spreadsheets.’

That’s really bad! And particularly critical in the case of functional accounts or global admin accounts.

Another large weak spot, users who work with administrative privileges or accounts, was exploited for the initial attack.

The big question is: How could we make an attackers life more difficult?

Just a few suggestions:

  • Never use an account with administrative rights for daily work. This also applies for members of the IT groups. Administrators should work with standard user accounts, and switch to privileged accounts if required.
  • Never use the same accounts and passwords for administration of services like email or database server systems and workstations. Even if a workstation account is compromised the server will stay safe.
  • Never use the same functional accounts and passwords for workstations and servers. Functional accounts are often used for managing services of third-party vendors, e.g. the anti-malware systems. Unfortunately these accounts must often have administrative privileges. Different accounts and passwords for workstations and servers will prevent the spread of malware to servers if e.g. the workstation account is compromised.
  • Never use the same functional account for multiple services. Mind the isolation principle!
  • Service specific functional accounts should be defined locally, and only on systems where the services are hosted.
  • Use strong passwords with length > 20 chars only. This is in particular for functional accounts no problem because the passwords are not very often used.
  • Decide about implementing Two Factor Authorization.

That’s it for today, and for this year. I will take a Christmas break.

Christmas Trees

A merry Christmas to you all
and the best wishes for health, happiness
and prosperity in the New Year.

Webinar Review: How to Stop Malware and Advanced Persistent Threats

25 October 2014

Last Thursday evening I attended the SC Magazine eSymposium: Advanced persistent threats. You have to register with SC Magazine to get access to the sessions. Please use always a strong Password.

Among the many informative sessions offered, ‘How to Stop Malware and Advanced Persistent Threats’, sponsored by AccelOps, was in particular interesting for me. In this 30 minutes session Benjamin Powell, Director of Product Marketing at AccelOps, showed how malware, in this case a Remote Administration Tool (RAT), is constructed and how it works.

It is really frightening to see what an attacker can do once he hijacked your computer!

On two slides Benjamin Powell talked about how to protect your organization against APT. Please click to enlarge.

How to Stop Malware and Advanced Persistent Threats I

How to Stop Malware and Advanced Persistent Threats I

How to Stop Malware and Advanced Persistent Threats II

How to Stop Malware and Advanced Persistent Threats II

I recommend to generalize the advice about USB drives to ‘Don’t trust USB devices and the files they contain’ because USB devices are in general dangerous. Remind the discussion about BadUsb in summer.

I am often asked ‘What should I do with this USB stick full of documents I got from the organiser of an event’. My standard answer is ‘Never use it! Shred it!’

If you can’t avoid using USB devices for data exchange securely erase all data on the device before copying your data. Format the device and run cipher /w on the volume from a command prompt. Cipher /w (w for wipe) overwrites in 3 passes each block on the device with zeros, ones and random numbers. This makes it very unlikely that an attacker could re-create deleted files.

On Friday I got an invitation to the InformationWeek webinar ‘3 New Tactics To Protect Data On The Move’. First 40 registrants get an 8 GB Dual Purpose USB! It’s hard to believe …

Shred it!

Software manufacturers have no sense for IT security – Part II

23 October 2014

Sometimes malware protection software works too well. I found some emails with malicious executables, disguised as pdf files, in the attachment in my junk-mail folder. Unfortunately the anti-malware system removed the attachments and replaced them by the filename.

Some weeks ago a new kind of malware that resides solely in the registry was in the news. To implant Poweliks attackers must exploit a vulnerability of the system and, the good faith of the users. Pdf or rtf documents with embedded malicious code are used very often to start the attack.

Just why is the Adobe Reader such a popular tool for attackers?

Adobe Reader is very popular for viewing of pdf documents, and very notorious for its vulnerabilities. The list of known vulnerabilities published in the National Vulnerability Database is really long, and some of them are perfectly suited to implant malware. By the way, Adobe Flash Player is as popular as the Adobe Reader for attackers, and the list of vulnerabilities is of comparable size.

Fortunately advanced security options like a sandbox are available to defend malicious attacks, but these are not activated during a standard installation. Even for enterprise users the standard installation procedure must be pre-configured.

I can’t find a reason why Adobe does not install the Reader with advanced security options enabled by default. Apparently, Adobe is not interested in protecting the privacy and security of their customers.

Fortunately the National Checklist Program Repository provides ‘detailed low level guidance on setting the security configuration of operating systems and applications’.

For Acrobat Reader X a checklist is available which could be easily adapted to the Acrobat Reader XI. Although this checklist is meant for pre-configuring installation packages the configuration hints could be used to secure existing installations as well:

Navigate to menu Edit/Preferences.

In category General section Application Startup activate option Use only certified plug-ins.

In category Security (Enhanced) set the protection options as described below:

Adobe ReaderEnhanced Security Settings

Adobe ReaderEnhanced Security Settings

[1] Enable sandboxing for all files

[2] Enable Enhanced Security

[3] Disable all Privileged Locations.

Although this sounds somewhat paranoid viewing of pdf files is much more secure now. A pdf file is now opened in a sandbox running at the lowest integrity level. Most features are disabled by default, but could be enabled with just one click.

Enjoy!