Tag Archives: Windows Defender

Keep calm and ignore Illusion Gap

5 October 2017

During a cycling trip through the Eifel national park last week, a new weakness called Illusion Gap was extensively discussed in the media.

Security researchers at CyberArk detected a feature in the Windows SMB Server that allows attackers to bypass Windows Defender, and possibly other anti-malware products, when serving an executable from a file share. For more details please see Kasif Dekel’s excellent post at the CyberArk Threat Research blog.

CyberArk notified Microsoft of this vulnerability, but Microsoft did not view it as a security issue:

“Thanks for your email. Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature request which I have forwarded to the engineering group.”

In my opinion, the effort required to exploit Illusion Gap successfully appears to be somewhat too high:

First of all, an attacker must convince a user to execute a program that installs a specially crafted SMB server service on a Windows system. Since administrative privileges are required for this, the ideal victim either works with permanent administrative rights or at least has access to an administrative account that can be used to pass the UAC prompt. Finally, the attacker must place both a malicious and a clean version of the executable on the newly created file share and trick a user into running the executable from the share.

Since the attack complexity is high and authentication is required, the likelihood of rapid detection is high. This is made worse for the attacker by the fact that the execution of programs from file shares is often used as an indicator of compromise.
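As an added example (not from the original post), here is a small detection for exactly that indicator: process launches whose executable lives on a network share, run over constructed Windows Security 4688 and Sysmon event 1 records. Since Illusion Gap lets a crafted server hand the scanner different content than the loader, path-based telemetry like this complements content scanning rather than relying on it. Field names follow those two log sources; hostnames, users and paths are invented.

```python
"""Flag process launches whose executable lives on an SMB share.

Added example, not from the original post: events are constructed dicts using
Windows Security 4688 / Sysmon event 1 field names; the logic is mine.
"""
import re
from typing import Dict, List, Optional

# \\server\share\... or the long-path form \\?\UNC\server\share\...;
# a mapped drive letter is not recognisable without the drive-mapping data.
UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\)(?P<host>[^\\]+)\\(?P<share>[^\\]+)\\", re.I)


def share_launch(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if the new process image is on a UNC path, else None."""
    # 4688 names the field NewProcessName, Sysmon event 1 names it Image.
    image = event.get("NewProcessName") or event.get("Image") or ""
    m = UNC_RE.match(image)
    if not m:
        return None
    return {"user": event.get("SubjectUserName") or event.get("User") or "?",
            "pid": event.get("NewProcessId") or event.get("ProcessId") or "?",
            "host": m["host"], "share": m["share"], "image": image}


def find_share_launches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run share_launch over a batch of process-creation events."""
    return [f for f in (share_launch(e) for e in events) if f]


# Constructed sample events; hostnames, users and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": "4688", "SubjectUserName": "alice", "NewProcessId": "0x1a2c",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": "4688", "SubjectUserName": "alice", "NewProcessId": "0x2f10",
     "NewProcessName": r"\\fileserver\tools\setup.exe"},
    {"EventID": "1", "User": r"LAB\bob", "ProcessId": "4120",
     "Image": r"\\?\UNC\fileserver\tools\update.exe"},
    {"EventID": "1", "User": r"LAB\bob", "ProcessId": "4130",
     "Image": r"Z:\tools\legacy.exe"},  # mapped drive: not caught by this rule
]

if __name__ == "__main__":
    for f in find_share_launches(SAMPLE_EVENTS):
        print(f"{f['user']} ran {f['image']} from \\\\{f['host']}\\{f['share']}")
```

The mapped-drive case is left unflagged on purpose: turning `Z:` back into a share needs the session's drive mappings, which these two event types do not carry.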

With this, we should not waste our time on Illusion Gap.

Have a great weekend.


Next generation endpoint protection for end-users

29 May 2016

Application virtualization is a great means of dealing with malware. In particular, ransomware cannot cause massive damage if the malicious program is executed in an isolated virtual container that prevents any interaction with the computing environment.

Unfortunately, most vendors of next-generation endpoint protection solutions focus on protecting large private businesses and administrative bodies. End-user protection increasingly falls by the wayside, and consumers must rely on inherently weak anti-malware solutions.

By now some products are available that overcome the most severe deficits of anti-malware solutions. They offer protection against, e.g., drive-by downloads, zero-day malware or fileless malware, for private businesses, administrative bodies and end-users alike.

The winner and finalists of the 2015 Homeland Security Awards in the subcategory Best Anti-Malware Platform are:

  • Blue Ridge Networks (Winner)
  • Cylance (Finalist)
  • Malwarebytes (Finalist)

The products of these companies are available for end-users. Over the next weeks and posts I will discuss my experience with these products, with special regard to their ability to block zero-day malware and to their usability.

Today I will share my first experiences with Blue Ridge Networks’ ‘AppGuard Zero Day Malware Protection’.

AppGuard is installed on top of an anti-malware solution, in my case Windows Defender. In the AppGuard user’s guide one reads:

‘Conventional “detect and respond” approaches available are not enough in today’s cyber world. AppGuard is a breach prevention defense that stops breaches at the earliest stages. AppGuard delivers a multi-layered defense, protecting the endpoint at multiple points, including launch control, run-time application control, and memory protection to prevent one application from reading or writing to the memory of another. AppGuard protects your computer against certain applications with the greatest risk of malware, such as Microsoft and Adobe products. AppGuard stops the cyber attacks that traditional security products often miss, even zero-day and fileless malware. AppGuard prevents suspicious applications from running and stops even allowed applications such as your browser from performing high-risk activities that might result in an infected computer.’

Great zero-day malware samples are available from Malwr.com. Let’s get to work.

I used the following sample (zero-day malware, delivered as a Microsoft Word document in a zip file) for my first test:

Timestamp                 MD5                               File Name                   File Type         Antivirus
May 24, 2016, 2:53 p.m.   60a59b324f63621a1e2577e87db4439f  Security Notification3.zip  Zip archive data  5/57

Security Notification3.zip is delivered by email. The zip file contains a Word document that loads a file called harakiri.pfx from the attacker’s command-and-control server and then executes it.

On May 24, 2016, at 6:46 p.m., only 6 of 57 anti-malware solutions on VirusTotal identified the malware:

Antivirus  Result                         Update
AVware     LooksLike.Macro.Malware.b (v)  20160524
Arcabit    HEUR.VBA.Trojan.e              20160524
McAfee     W97M/Downloader.bdx            20160524
Qihoo-360  virus.office.obfuscated.1      20160524
Rising     Trojan.Obfus/VBA@DT!1.A540     20160524
VIPRE      LooksLike.Macro.Malware.b (v)  20160524

With this, Security Notification3.zip is a perfect zero-day malware sample.

After running a standard installation, I customized AppGuard only slightly: I set the protection level to “Locked Down”:

Blue Ridge Networks AppGuard Main Menu

I downloaded the sample file to my test environment and opened it in Word. AppGuard did a great job: the AutoOpen macro downloaded Harakiri.exe to the local temp folder, and AppGuard blocked its execution:

AppGuard blocked Execution Notification

I checked some more samples and got the same result in every case: AppGuard blocks the execution of the downloaded files.

With this, AppGuard fully meets my expectations regarding zero-day malware delivered by Word documents.
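To make the launch-control idea behind this result concrete, here is an added example (my own code, not AppGuard’s, whose actual rules I do not know) of a minimal policy that decides whether a process launch is allowed, evaluated against the scenario above: Word’s macro drops Harakiri.exe into the user’s temp folder and tries to run it. The folder lists, the set of “guarded” applications and the locked-down switch are assumptions for illustration.

```python
"""Minimal launch-control policy, modelled on the AppGuard test above.

Added example, not AppGuard code: the rule set, the folder lists and the
"locked down" switch are my assumptions about how such a control works.
"""
import fnmatch
import ntpath
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Launch:
    image: str         # full path of the executable being started
    parent_image: str  # full path of the process starting it


# Folders an ordinary user can write to: a downloaded payload lands here.
USER_WRITABLE_GLOBS = [
    r"C:\Users\*\AppData\Local\Temp\*",
    r"C:\Users\*\AppData\Roaming\*",
    r"C:\Users\*\Downloads\*",
]
# Locations only administrators can write to.
SYSTEM_GLOBS = [r"C:\Windows\*", r"C:\Program Files\*", r"C:\Program Files (x86)\*"]
# High-risk ("guarded") applications whose children get stricter treatment.
GUARDED_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}


def _matches(path: str, globs: List[str]) -> bool:
    p = ntpath.normpath(path).lower()
    return any(fnmatch.fnmatchcase(p, g.lower()) for g in globs)


def decide(launch: Launch, locked_down: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason) for a process launch."""
    parent = ntpath.basename(launch.parent_image).lower()
    # Rule 1: never run executables from user-writable folders, whatever the parent.
    if _matches(launch.image, USER_WRITABLE_GLOBS):
        return False, "executable in user-writable folder"
    # Rule 2: when locked down, guarded apps may only spawn children from system locations.
    if parent in GUARDED_APPS and not _matches(launch.image, SYSTEM_GLOBS):
        if locked_down:
            return False, f"{parent} spawned a child outside system locations"
        return True, f"allowed, audit: {parent} spawned {launch.image}"
    # A child that does live in a system folder passes launch control; the run-time
    # application control the user's guide mentions would have to cover that case.
    return True, "allowed"


if __name__ == "__main__":
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    print(decide(Launch(r"C:\Users\alice\AppData\Local\Temp\Harakiri.exe", word)))
```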

By now, Security Notification3.zip is detected by 35 of 56 anti-malware solutions on VirusTotal.com, e.g. as Trojan:O97M/Madeba.A!det by Windows Defender or as W2KM_DRIDEX.YYSVD by TrendMicro.

Have a good weekend.