The Information Systems and Computer Applications examination covers material that is usually taught in an introductory college-level business information systems course.

Posts tagged “malware

Hardening Windows 10 with zero-day exploit mitigations

 Cyberattacks involving zero-day exploits happen from time to time, affecting different platforms and applications. Over the years, Microsoft security teams have been working extremely hard to address these attacks. While delivering innovative solutions like Windows Defender Application Guard, which provides a safe virtualized layer for the Microsoft Edge browser, and Windows Defender Advanced Threat Protection, a cloud-based service that identifies breaches using data from built-in Windows 10 sensors, we are hardening the Windows platform with mitigation techniques that can stop exploits of newly discovered and even undisclosed vulnerabilities. As Terry Myerson reiterated in his blog post, we take our commitment to security innovation very seriously.

A key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be—how mitigation techniques and additional defensive layers can keep cyberattacks at bay while vulnerabilities are being fixed and patches are being deployed. Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits.

In this blog, we look at two recent kernel-level zero-day exploits used by multiple activity groups. These kernel-level exploits, based on CVE-2016-7255 and CVE-2016-7256 vulnerabilities, both result in elevation of privileges. Microsoft has promptly fixed the mentioned vulnerabilities in November 2016. However, we are testing the exploits against mitigation techniques delivered in August 2016 with Windows 10 Anniversary Update, hoping to see how these techniques might fare against future zero-day exploits with similar characteristics.

 

CVE Microsoft Update Exploit Type Mitigation in Anniversary Update
CVE-2016-7255 MS16-135 (Nov, 2016) Win32k Elevation of Privilege Exploit Strong  validation of tagWND structure
CVE-2016-7256 MS16-132 (Nov, 2016) Open Type Font Exploit Isolated Font Parsing (AppContainer)
Stronger validation in font parsing

 

CVE-2016-7255 exploit: Win32k elevation of privilege

In October 2016, the STRONTIUM attack group launched a spear-phishing campaign targeting a small number of think tanks and nongovernmental organizations in the United States. The campaign, also discussed in the previously mentioned blog post, involved the use of the exploit for CVE-2016-7255 in tandem with an exploit for the Adobe Flash Player vulnerability CVE-2016-7855.

The attack group used the Flash exploit to take advantage of a use-after-free vulnerability and access targeted computers. They then leveraged the type-confusion vulnerability in win32k.sys (CVE-2016-7255) to gain elevated privileges.

Abusing the tagWND.strName kernel structure

In this section, we’ll go through the internals of the specific exploit for CVE-2016-7255 crafted by the attacker. We will show how mitigation techniques provided customers with preemptive protection from the exploit, even before the release of the specific update fixing the vulnerability.

Figure 1. Exploit and shellcode phases of this attack

 

Modern exploits often rely on read-write (RW) primitives to achieve code execution or gain additional privileges. For this exploit, attackers acquire RW primitives by corrupting tagWND.strName kernel structure.  This exploit method is a trend discussed in security conferences and visible to those who investigated actual attacks. For example, we detailed similar findings in a presentation about the Duqu 2.0 exploit at Virus Bulletin 2015.

By reverse engineering its code, we found that the Win32k exploit used by STRONTIUM in October 2016 reused the exact same method. The exploit, after the initial Win32k vulnerability, corrupts tagWND.strName structure and uses SetWindowTextW to write arbitrary content anywhere in kernel memory.

Figure 2. SetWindowTextW as a write primitive

 

The exploit abuses this API call to overwrite data of current processes and copy token privileges of the SYSTEM. If successful, the exploit enables the victim process—iexplore.exe, in this example—to execute with elevated privileges.

Figure 3. Internet Explorer with SYSTEM privileges

 

Mitigating tagWND exploits with stronger validation

To mitigate the Win32k exploit and similar exploits, the Windows Offensive Security Research Team (OSR) introduced techniques in the Windows 10 Anniversary Update that prevent abusive use of tagWND.strName. This mitigation performs additional checks for the base and length fields, making sure that they are in  the expected virtual address ranges and are not usable for RW primitives. In our tests on Anniversary Update, exploits using this method to create an RW primitive in the kernel are ineffective. These exploits instead cause exceptions and subsequent blue screen errors.

Figure 4. Windows 10 Anniversary Update mitigation on a common kernel write primitive

 

With the upcoming Windows 10 Creators Update, Windows Defender ATPintroduces numerous forms of generic kernel exploit detection for deeper visibility into targeted attacks leveraging zero-day exploits. Technical details about the enhanced sensor will be shared in a forthcoming blog post.

CVE-2016-7256 exploit: Open type font elevation of privilege

As early as June 2016, unidentified actors began to use an implant detected as “Henkray” in low-volume attacks primarily focused on targets in South Korea. Later, in November 2016, these attackers were detected exploiting a flaw in the Windows font library (CVE-2016-7256) to elevate privileges and install the Henkray backdoor on targeted computers with older versions of Windows.

The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.

Figure 5. Auto-generation of font file with exploit

 

This secondary executable or script tool, which has not been recovered, appears to prepare and drop the font exploit, calculating and preparing the hardcoded offsets needed to exploit the kernel API and the kernel structures on the targeted system. Through deep forensic inspection of the binary data found in samples, we extracted all the hardcoded offsets and ascertained the kernel version targeted by this exploit: Windows 8 64-bit.

Function table corruption for initial code execution

The font exploit uses fa_Callbacks to corrupt the function table and achieve initial code execution. The callback is called from the CFF parsing function. The following snippet shows a corrupted ftell pointer to a nt!qsort+0x39 location in kernel code.

Figure 6. fa_Callbacks table corruption

 

The following snippet shows the code that calls the corrupt function pointer leading to a kernel ROP chain.

Figure 7. fa_Callbacks.ftell function call code

 

When the corrupted function is called, the control jumps to the first ROP gadget at nt!qsort+0x39, which adjusts stack pointer and initializes some register values from stack values.

Figure 8. First ROP gadget

 

After the first gadget, the stack points to a kernel ROP chain which calls to ExAllocatePoolWithTag call to reserve shellcode memory. Another ROP gadget will copy the first 8 bytes of the stage 1 shellcode to the allocated memory.

Figure 9. Copying the stage 1 shellcode

 

Shellcode and privilege escalation

The stage 1 shellcode is very small. Its main function is to copy the main body of the shellcode to newly allocated memory and run them with a JMP RAX control transfer.

Figure 10. Stage 1 shellcode

 

The main shellcode runs after the copy instructions. The main shellcode—also a small piece of code—performs a well-known token-stealing technique. It then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation. Both the SYSTEM process and target process PIDs, as well as certain offsets for the kernel APIs needed by the shellcode, are hardcoded in the font sample.

Figure 11. Token replacement technique

 

Mitigating font exploits with AppContainer

When opening the malicious font sample on Windows 10 Anniversary Update, font parsing happens completely in AppContainer instead of the kernel. AppContainer provides an isolated sandbox that effectively prevents font exploits (among other types of exploits) from gaining escalated privileges. The isolated sandbox considerably reduces font parsing as an attack surface.

Figure 12. AppContainer protects against untrusted fonts in Windows 10 Anniversary Update

 

Windows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code.

Figure 13. Windows 10 font viewer error

 

Conclusion: Fighting the good fight with exploit mitigation and layered detection

While fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques. Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact.

In this article, we looked into recent attack campaigns involving two zero-day kernel exploits. We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.

By delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation.

In addition to the techniques mentioned in this article, Windows 10 Anniversary Update introduced many other mitigation techniques in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities.

For effective post-breach detection, including cover for the multiple stages of attacks described in this blog post, sign up for Window Defender ATP. The service leverages built-in sensors to raise alerts for exploits and other attack activity, providing corresponding threat intelligence. Customers interested in the Windows Defender ATP post-breach detection solution can find more information here.

Microsoft would like to thank KrCERT for their collaboration in protecting customers and for providing the sample for CVE-2016-7256.

 

Matt Oh and Elia Florio, Windows Defender ATP Research Team

 

Updates:

Jan 18, 2017 – Corrected the spelling of Henkray backdoor.

Advertisements

Atacantes abusan de Google Docs para distribuir malware. (Google no quiere escuchar)

by noreply@blogger.com (- Raúl -)
Hace tres meses informabamos aquí de correos maliciosos con enlaces para descargar e infectar las PC de las víctimas. Allí comentamos y opinamos sobre el abuso de Google Docs para almacenar y distribuir malware; y que Google no aplique restricciones para evitar ese abuso. Nuevamente vemos hoy otro ejemplo de ese tipo de correos tal como este: Correo con enlace malicioso a Google Docs  (Descarga malware) En el correo al pasar el cursor por arriba del enlace se observa un enlace a…

Contenido completo del post en http://blog.segu-info.com.ar o haciendo clic en el título de la noticia

 

Enhanced by Zemanta

El 77% de los usuarios ha perdido información por no realizar respaldos by André Goujon

Cada mes, los lectores comparten con nosotros tendencias y estadísticas relacionadas a diversos temas de Seguridad de la Información que planteamos a través de las encuestas que realizamos en ESET Latinoamérica. Durante octubre el tópico a tratar fue la pérdida de datos y el uso de respaldos o copias de seguridad. Aunque los códigos maliciosos […]

http://blogs.eset-la.com/laboratorio/2012/11/09/77-usuarios-perdido-informacion-no-realizar-respaldos/

Enhanced by Zemanta

SOPHOS

Global websites Press About us Contact us

Solutions

Quick product finder

Please select Enterprise Sophos Anti-Virus Sophos Client Firewall Enterprise Console Sophos Mobile Security Sophos for MS SharePoint PureMessage Email Appliances SAV Interface Web Appliance NAC Advanced SafeGuard SafeGuard Enterprise SafeGuard Easy SafeGuard Disk Encryption for Mac SafeGuard LAN Crypt SafeGuard MailGateway SafeGuard PrivateDisk SafeGuard PortProtector SafeGuard PortAuditor SafeGuard PrivateCrypto SafeGuard RemovableMedia Small business Product comparison Sophos Security Suite Sophos Computer Security Sophos Anti-Virus

Protect your sector

Please select Education Government Service providers Healthcare

Free tools

Sophos Anti-Virus for Mac: Home Edition – Free

Free anti-virus that works simply and beautifully. Just like your Mac.

Free Mac anti-virus download By downloading you agree to the EULA

Overview

As Apple computers grow more popular than ever, they’re an increasingly-enticing target for hackers. And these hackers aren’t just mischief-makers—by targeting your computer or applications you use, these criminals are out to steal and profit from your valuable personal information. Don’t let them. Get free Sophos Anti-Virus for Mac today.

Introducing Sophos Anti-Virus for Mac Home Edition.

It’s easy to install, quiet to run and simple to use—it keeps you safe from viruses, Trojans and worms without getting in your way.

High-grade protection without slowing you down.

Best of all, it’s free full-featured anti-virus. You get business-grade protection for your Mac backed by our SophosLabs experts—they’re on the job every day of the year, 24 hours a day. We’ll stop, quarantine and clean up Mac or Windows threats that try to infect your computer. We can even stop new, unknown threats.

As versatile as you want it to be, as powerful as you need it to be.

Nobody likes system pop-ups or system slow-downs. That’s why our product won’t annoy you with messages or take up your computer’s resources. And once you install Sophos Anti-Virus for Mac Home Edition, you’re the boss. Want it to just scan quietly in the background as you work? No problem. Need to create a custom scan to check what you want and leave out what you don’t? It can do that, too.

Download Sophos Anti-Virus for Mac Home Edition


In many cases, especially with botnets, the malware might not initially exhibit malicious…

SecureMac Releases New Information About Boonana Trojan Virus

from MACLIFE Magazine Apple by Cory Bohon

We told you about the Boonana Trojan Mac virus that was discovered by SecureMac just yesterday. SecureMac has now completed its initial analysis of the virus and has new information about it, as well as a removal tool if you believe your Mac is infected.

According to the company’s security bulletin, “The initial infection vector of the Boonana trojan is through a message on social networking sites similar to “Is this you in this video?” which includes a link to an external site. Upon clicking the link, a java applet will attempt to load in the user’s web browser. During our testing, the malicious Java applet communicated with a Command & Control server, and presented an installer window at a random time after accessing the malicious site. This installer did not indicate that it had been downloaded from the web which indicates it is avoiding the quarantine flag typically set by programs such as Safari.”

This virus is still listed as a critical security threat due to the fact that the control servers are still operational. SecureMac notes that this means that servers could be gathering information from infected computers like IP Addresses, and potentially the modification of sudoers file that would allow passwordless access to any potentially infected machines. It is thought that this trojan virus could be used for control purposes.

“In many cases, especially with botnets, the malware might not initially exhibit malicious behavior, but can become active at any time as the command and control servers are updated,” notes SecureMac in the updated bulletin.

You can read the provided by SecureMac by clicking here, and you can also keep an eye out on the SecureMac bulletin page where future updates on this virus will be posted. If you believe your Mac is infected with this virus, you can try running the removal tool found on the bulletin page or by clicking here to directly download the tool.

For more information about the virus stay tuned to Mac|Life.

 

Follow this article’s author, Cory Bohon on Twitter.


Ayudando a creadores de malware despistados

Ayudando a creadores de malware despistados: “

Poniéndome al día en un montón de RSS acumulados, encontré una noticia que me abrió los ojos ante cómo funcionan (o no) ciertas mentes humanas.
En Windows, cuando una aplicación ha ejecutado alguna instrucción no autorizada, el sistema operativo reacciona cerrando la aplicación mostrando una ventana con un mensaje que permite notificar a Microsoft sobre qué ha sucedido en dicha aplicación. La idea es ayudar al equipos de desarrolladores de Microsoft para mejorar las capacidades del sistema operativo y de la integración con las aplicaciones (ya las desarrollen ellos mismos también o por parte de terceros), así como sugerir a los usuarios si algún parche corrige la causa del ‘cuelgue’.

Gracias a esto, según Rocky Heckman, arquitecto senior de seguridad de Microsoft, a lo largo del día, reciben un montón de estas notificaciones, con parte del código (un dump de cierta porción de memoria) que generó el error. El tema está en que muchas de estas notificaciones corresponden a acciones por parte de desarrolladores de virus/malware (con prisa, -podríamos añadir-) que en fase de creación de sus nuevas obras de arte, lógicamente hacen pruebas sobre sus propias máquinas. Al no estar depurado el comportamiento del software, lo normal es que se generen ‘crashes’ de aplicación sobre el sistema operativo y al pulsar el botón ‘Enviar Informe’ de la ventana que se abre (sin leer el texto de la misma), se enviará información preciosa de la creatividad del revolucionario troyano beta directamente a Microsoft. ¿Paradójico no? Precisamente el fabricante del sistema operativo de cuyas vulnerabilidades se quieren aprovechar, reciben información de primera mano directamente de parte de su creador.

Y es que estas cosas pasan cuando no ‘escuchamos’ TODO lo que nuestro sistema operativo nos dice… Pero venga va, ¿quién se lee siempre el texto completo de un EULA cuando lo está instalando? Si el mensaje es muy largo o muy ‘repleto de letras y líneas’ directamente buscamos el botón ‘Aceptar’ y que continúe lo antes posible.

Y pensar que el propio Windows proporciona la posibilidad de deshabilitar la solicitud y envío de informe de errores a Microsoft… Cuántos leaks podrían haberse evitado por parte de estos despistados desarrolladores de malware sobrados de creatividad e ilusión si, en Windows 2000/2003 o XP, hubieran ido al menú contextual de “Mi PC” -> “Propiedades” -> “Informe de Errores” y hubieran configurado convenientemente esta opción para evitar la notificación de errores a los de Redmond.


En caso de que nuestros desarrolladores despistados de malware usen Windows Vista o Windows 7, la forma de deshabilitar la notificación de errores es diferente.
Para ello, ejecutaremos ‘gpedit.msc‘ en Inicio -> Ejecutar para abrir la ‘Configuración de Políticas Locales‘. En ‘Administración de Plantillas” -> “Componentes de Windows‘, modificaremos ‘Deshabilitar Informes de Error de Windows‘ a ‘Habilitado