Archive for the ‘malware research’ Category

Hunting down Dofoil with Windows Defender ATP

Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software update poisoning campaign several weeks prior. Notably, customers of Windows 10 S, a special Windows 10 configuration that provides streamlined Microsoft-verified security, were not affected by the Dofoil outbreak.

In this blog post, we will expound on Dofoil’s anti-debugging and anti-analysis tactics, and demonstrate how the rich detection libraries of Windows Defender Advanced Threat Protection and Windows Defender Exploit Guard can help during investigation.

We found that Dofoil was designed to be elusive to analysis. It checks its environment and stops running in virtual machine environments. It also checks for various analysis tools and kills them right away. This can make malware analysis and assessment challenging.

The following diagram shows the multi-stage malware execution process, which includes checks for traits of analysis environments during some stages.

Figure 1. Dofoil multi-stage shellcode and payload execution flow

The table below describes the purpose of each stage. The first five stages have at least one or two different techniques that can deter dynamic or static malware analysis.

| STAGES | DESCRIPTION |
| --- | --- |
| 1. Obfuscated wrapper code | Anti-heuristics; anti-emulation |
| 2. Bootstrap module | Performs self-process hollowing to load the next module |
| 3. Anti-debugging module | Performs anti-debugging operation |
| 4. Trojan downloader module | Performs system environment checks; performs anti-VM operation; injects itself to explorer.exe through process hollowing |
| 5. Trojan downloader module in explorer.exe | Contacts C&C server to download trojan and run it using process hollowing technique |
| 6. Payload downloader module in explorer.exe | Contacts C&C server to download the main payload |
| 7. Trojan module | Steals credentials from various application settings and sends stolen info to the C&C server over HTTP channel |
| 8. CoinMiner.D | Mines digital currencies |

Table 1. Dofoil’s multi-stage modules

Initial stages

The first three stages (i.e., obfuscated wrapper code, bootstrap module, anti-debugging module) use the following techniques to avoid analysis and identification.

| ANTI-ANALYSIS TECHNIQUES | DESCRIPTION |
| --- | --- |
| Benign code insertion | Inserts a huge benign code block to confuse heuristics and manual inspection |
| Anti-emulation | Enumerates an arbitrary registry key (HKEY_CLASSES_ROOT\Interface\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}) and compares the data with an expected value (DispHTMLCurrentStyle) to check if the malware runs inside an emulator |
| Self-process hollowing | Uses the process hollowing technique on the current process, making analysis extra difficult due to the altered code mapping |
| Debugger checks | Checks for debuggers, and modifies code to crash. This can add an additional layer of confusion for researchers, who are bound to investigate the cause of the crashes. It checks the PEB.BeingDebugged and PEB.NtGlobalFlag fields in the PEB structure. For example, when a debugger is attached to the process, PEB.BeingDebugged is set to 1 and PEB.NtGlobalFlag is set to the combination (bitwise OR) of FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK, and FLG_HEAP_VALIDATE_PARAMETERS. |

Table 2. Anti-analysis techniques

The first stage contains some benign-looking code before the actual malicious code. This can give the executable a harmless appearance. It can also make the emulation of the code difficult because emulating various API calls that are not present in many malware codes can be challenging.

The first-stage code also performs a registry key enumeration to make sure it has the expected value. When all checks are passed, it decodes the second-stage shellcode and runs it on the allocated memory. This shellcode un-maps the original main module’s memory, and then decodes the third-stage shellcode into that memory; this is known as a self-process hollowing technique.

Figure 2. Self-modification based on PEB.BeingDebugged value

Windows Defender ATP’s process tree can help with investigation by exposing these anti-debugging techniques.

Figure 3. Windows Defender ATP process tree showing anti-debugging techniques

Trojan downloader module

The trojan downloader module performs various environment checks, including virtual environment and analysis tool checks, before downloading the payload.

| ANTI-ANALYSIS TECHNIQUES | DESCRIPTION |
| --- | --- |
| Check module name | Checks if the main executable name contains the string “sample” |
| Check volume serial | Checks if current volume serial number is 0xCD1A40 or 0x70144646 |
| Check modules | Checks the presence of DLLs related to debuggers |
| Check disk-related registry keys | Checks the value of the registry key HKLM\System\CurrentControlSet\Services\Disk\Enum against well-known disk name patterns for virtual machines (qemu, virtual, vmware, xen, ffffcce24) |
| Process check | Checks running processes and kills those with process names associated with analysis tools (procexp.exe, procexp64.exe, procmon.exe, procmon64.exe, tcpview.exe, wireshark.exe, processhacker.exe, ollydbg.exe, idaq.exe, x32dbg.exe) |
| Windows class name check | Checks the current Windows class names and exits when some well-known names are found (Autoruns, PROCEXPL, PROCMON_WINDOW_CLASS, TCPViewClass, ProcessHacker, OllyDbg, WinDbgFrameClass) |

Table 3. Anti-analysis techniques of Dofoil’s trojan downloader module

The lists of target process names and Windows class names exist in custom checksum form. The checksum algorithm looks like the following:

Figure 4. Shift and XOR custom checksum algorithm

The purpose of this checksum is to prevent malware researchers from quickly figuring out what analysis tools it detects, making analysis more time-consuming.

| STRING | CHECKSUM |
| --- | --- |
| Autoruns | 0x0E5C1C5D |
| PROCEXPL | 0x1D421B41 |
| PROCMON_WINDOW_CLASS | 0x4B0C105A |
| TCPViewClass | 0x1D4F5C43 |
| ProcessHacker | 0x571A415E |
| OllyDbg | 0x4108161D |
| WinDbgFrameClass | 0x054E1905 |
| procexp.exe | 0x19195C02 |
| procexp64.exe | 0x1C0E041D |
| procmon.exe | 0x06185D0B |
| procmon64.exe | 0x1D07120A |
| tcpview.exe | 0x060B5118 |
| wireshark.exe | 0x550E1E0D |
| processhacker.exe | 0x51565C47 |
| ollydbg.exe | 0x04114C14 |
| x32dbg.exe | 0x5F4E5C04 |
| idaq.exe | 0x14585A12 |

Table 4. String checksum table used for process names and Windows class names

Process hollowing

Dofoil heavily uses the process hollowing technique. Its main target for process hollowing is explorer.exe. The Dofoil shellcode launches a new instance of explorer.exe, allocates shellcode in a heap region, and then modifies the entry point code to jump into the shellcode. This way, the malware avoids using the CreateRemoteThread API, but can still achieve code injection.

Figure 5. Modification of explorer.exe entry point code

Windows Defender ATP can detect the process hollowing behavior with advanced memory signals. The following process tree shows that the malware injects itself into explorer.exe using the process hollowing technique.

Figure 6. Windows Defender ATP alert process tree showing the first process hollowing

When the shellcode downloads another layer of payload, it spawns another explorer.exe to inject the payload into using process hollowing. Windows Defender ATP can save analysis time on these cases by pinpointing the malicious actions, eliminating the need for guessing what these newly spawned Windows system processes are doing.

Figure 7. Windows Defender ATP alert process tree showing the second process hollowing

The process hollowing behavior can be detected through Exploit protection in Windows Defender Exploit Guard. This can be done by enabling the Export Address Filter (EAF) mitigation against explorer.exe. The detection happens when the shellcode goes through the export addresses of the modules to find the export address of the LoadLibraryA and GetProcAddress functions.

Figure 8. Export Address Filter (EAF) event exposed in Event viewer

Windows Defender Exploit Guard events are also exposed in the Windows Defender ATP portal:

Figure 9. Windows Defender ATP view of the Windows Defender Exploit Guard event

Adding Windows Defender Exploit Guard EAF audit/block policy to common system processes like explorer.exe, cmd.exe, or verclsid.exe can be useful in finding and blocking process hollowing or process injection techniques commonly used by malware. This policy can impact third-party apps that may behave like shellcode, so we recommend testing Windows Defender Exploit Guard with audit mode enabled before enforcement.

Command-and-control (C&C) and NameCoin domains

Dofoil’s C&C connection is very cautious. The trojan code first tries to connect to well-known web pages and verifies that the malware has a proper and real Internet connection, not a simulated one as in test environments. After it makes sure it has a real Internet connection, the malware makes HTTP connections to the actual C&C servers.

Figure 10. Access to known servers to confirm Internet connectivity

The malware uses NameCoin domain name servers. NameCoin is a decentralized name server system that provides extra privacy backed by blockchain technology. Except for the fact that the DNS client needs to use specific sets of NameCoin DNS servers, the overall operation is very similar to a normal DNS query. Because NameCoin uses blockchain technology, you can query the history of the domain name changes through blocks.

Figure 11. Malicious hostname DNS entry changes over time (https://namecha.in/name/d/vrubl)

Windows Defender ATP can provide visibility into the malware’s network activities. The following alert process tree shows the malware’s .bit domain resolution activity and, after that, the connections to the resolved C&C servers. You can also view other activities from the executable, for example, its connections to other servers using SMTP ports.

Figure 12. Windows Defender ATP alert process tree showing C&C server connection through NameCoin server name resolution

The Windows Defender ATP advanced hunting feature, which is currently in preview, can be used to hunt down more malware samples that possibly abuse NameCoin servers. For example, the following query will let you view recent connections observed in the network. This can lead to extra insights on other threats that use the same NameCoin servers.

Figure 13. Advanced hunting for other threats using the same NameCoin servers

The purpose of using NameCoin is to prevent easy sinkholing of the domains. Because there are no central authorities on the NameCoin domain name records, it is not possible for the authorities to change the domain record. Also, malware abusing NameCoin servers use massive numbers of NameCoin DNS servers to make full shutdown of those servers very difficult.
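The same hunting idea can be tried on any connection log. The following Python sketch is an added example, not the query or code from the original post: it finds processes that send DNS traffic to resolvers outside an approved list, narrows those to resolvers that answered .bit lookups, and pivots to every other process that used them. The event field names, the approved resolver address and all sample records are assumptions constructed for illustration (IP addresses are from documentation ranges).

```python
# Added example: hunt for DNS traffic to unapproved resolvers and .bit lookups.
# Field names, the approved resolver and every sample record are constructed.
from collections import defaultdict
from ipaddress import ip_address

APPROVED_RESOLVERS = {ip_address("10.0.0.53")}  # assumption: the site's own DNS server

SAMPLE_EVENTS = [
    {"host": "WS01", "process": "svchost.exe", "remote_ip": "10.0.0.53",
     "remote_port": 53, "dns_query": "example.com"},
    {"host": "WS01", "process": "explorer.exe", "remote_ip": "198.51.100.7",
     "remote_port": 53, "dns_query": "constructed-one.bit"},
    {"host": "WS01", "process": "explorer.exe", "remote_ip": "203.0.113.20",
     "remote_port": 80},
    {"host": "WS02", "process": "updater.exe", "remote_ip": "198.51.100.7",
     "remote_port": 53, "dns_query": "constructed-two.bit."},
    {"host": "WS03", "process": "chrome.exe", "remote_ip": "192.0.2.8",
     "remote_port": 53, "dns_query": "example.org"},
]


def is_direct_dns(event, approved):
    """True for port-53 traffic sent to a resolver that is not approved."""
    return (event["remote_port"] == 53
            and ip_address(event["remote_ip"]) not in approved)


def pivot_by_resolver(events, approved=APPROVED_RESOLVERS):
    """Map each unapproved resolver to the (host, process) pairs that used it."""
    seen = defaultdict(set)
    for ev in events:
        if is_direct_dns(ev, approved):
            seen[ev["remote_ip"]].add((ev["host"], ev["process"]))
    return {ip: sorted(pairs) for ip, pairs in seen.items()}


def bit_lookups(events):
    """Events whose DNS question falls under the NameCoin .bit TLD."""
    hits = []
    for ev in events:
        # Normalise case and drop a trailing root dot before comparing.
        name = (ev.get("dns_query") or "").rstrip(".").lower()
        if name.endswith(".bit"):
            hits.append(ev)
    return hits


def suspect_resolvers(events, approved=APPROVED_RESOLVERS):
    """Unapproved resolvers that were asked to resolve at least one .bit name."""
    return sorted({ev["remote_ip"] for ev in bit_lookups(events)
                   if is_direct_dns(ev, approved)})


if __name__ == "__main__":
    usage = pivot_by_resolver(SAMPLE_EVENTS)
    for resolver in suspect_resolvers(SAMPLE_EVENTS):
        # Every host/process pair seen talking to a resolver that served .bit names.
        print(resolver, usage[resolver])
```

An unapproved resolver that never served a .bit name (the third workstation in the sample) still appears in the pivot output, which makes it a candidate for a policy review rather than a malware lead.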

Conclusion

Dofoil is a very evasive malware. It has various system environment checks and tests Internet connectivity to make sure it runs on real machines, not in analysis environments or virtual machines. This can make the analysis time-consuming and can mislead malware analysis systems.

In attacks like the Dofoil outbreak, Windows Defender Advanced Threat Protection (Windows Defender ATP) can help network defenders analyze the timeline from the victim machine and get rich information on process execution flow, C&C connections, and process hollowing activities. Windows Defender ATP can be used as an analysis platform with fine-tuned visibility into system activities when set up in a lab environment. This can save time and resources during malware investigation.

In addition, Windows Defender Exploit Guard can be useful in finding malicious shellcodes that traverse export address tables. Windows Defender Exploit Guard can be an excellent tool for finding and blocking malware and exploit activities.

Windows Defender Exploit Guard events are surfaced in the Windows Defender ATP portal, which integrates protections from other Microsoft solutions, including Windows Defender AV and Windows Defender Application Guard. This integrated security management experience makes Windows Defender ATP a comprehensive solution for detecting and responding to a wide range of malicious activities across the network.

Windows 10 S, a special configuration of Windows 10, locks down devices against Dofoil and other attacks by working exclusively with apps from the Microsoft Store and using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common malware entry points.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Matt Oh, Stefan Sellmer, Jonathan Bar Or, Mark Wodrich
Windows Defender ATP Research

Indicators of compromise (IoCs)


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Now you see me: Exposing fileless malware

January 24th, 2018

Attackers are determined to circumvent security defenses using increasingly sophisticated techniques. Fileless malware boosts the stealth and effectiveness of an attack, and two of last year’s major ransomware outbreaks (Petya and WannaCry) used fileless techniques as part of their kill chains.

The idea behind fileless malware is simple: If tools already exist on a device (for example PowerShell.exe or wmic.exe) to fulfill an attacker’s objectives, then why drop custom tools that could be flagged as malware? If an attacker can take over a process, run code in its memory space, and then use that code to call tools that are already on a device, the attack becomes more difficult to detect.

Successfully using this approach, sometimes called living off the land, is not a walk in the park. There’s another thing that attackers need to deal with: Establishing persistence. Memory is volatile, and with no files on disk, how can attackers get their code to auto-start after a system reboot and retain control of a compromised system?

Misfox: A fileless gateway to victim networks

In April 2016, a customer contacted the Microsoft Incident Response team about a case of cyber-extortion. The attackers had requested a substantial sum of money from the customer in exchange for not releasing their confidential corporate information that the attackers had stolen from the customer’s compromised computers. In addition, the attackers had threatened to “flatten” the network if the customer contacted law enforcement. It was a difficult situation.

Quick fact
Windows Defender AV detections of Misfox more than doubled in Q2 2017 compared to Q1 2017.

The Microsoft Incident Response team investigated machines in the network, identified targeted implants, and mapped out the extent of the compromise. The customer was using a well-known third-party antivirus product that was installed on the vast majority of machines. While it was up-to-date with the latest signatures, the AV product had not detected any targeted implants.

The Microsoft team then discovered that the attackers attempted to encrypt files with ransomware twice. Luckily, those attempts failed. As it turned out, the threat to flatten the network was a plan B to monetize the attack after their plan A had failed.

What’s more, the team also discovered that the attackers had covertly persisted in the network for at least seven months through two separate channels:

  • The first channel involved a backdoor named Swrort.A that was deployed on several machines; this backdoor was easily detected by antivirus.
  • The second channel was much more subtle and interesting, because:

    • It did not infect any files on the device
    • It left no artifacts on disk
    • Common file scanning techniques could not detect it

Should you disable PowerShell?
No. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as a post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell. For tips on mitigating PowerShell abuse, continue reading.

The second tool was a strain of fileless malware called Misfox. Once Misfox was running in memory, it:

  • Created a registry run key that launches a “one-liner” PowerShell cmdlet
  • Launched an obfuscated PowerShell script stored in the registry BLOB; the obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry

Misfox did not drop any executable files, but the script stored in the registry ensured the malware persisted.
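Because this persistence lives only in the registry, it can be triaged from a registry export. The following Python sketch is an added example, not code from the original post or from any Microsoft tool: it flags Run-key values that start PowerShell and reference a registry provider path, and registry values whose Base64 content decodes to a PE header. The tuple layout, the rule names, the assumption that the PE is stored as plain Base64, and all sample values (including the header-only stub) are constructed for illustration.

```python
# Added example: triage exported registry values for registry-resident persistence.
# Assumptions: values arrive as (key_path, value_name, data) string tuples and an
# embedded PE is stored as plain Base64. All sample data below is constructed.
import base64
import binascii
import re
import struct

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
POWERSHELL = re.compile(r"\bpowershell(\.exe)?\b", re.I)
REGISTRY_DRIVE = re.compile(r"\bHK(CU|LM):", re.I)  # PowerShell registry provider path


def decode_base64(text):
    """Return the decoded bytes, or None when the text is not strict Base64."""
    compact = "".join(text.split())  # exports often wrap long values
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(blob):
    """Check the DOS 'MZ' magic and the PE signature that e_lfanew points to."""
    if blob is None or len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    # An out-of-range offset yields an empty slice, so this is safely False.
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan(values):
    """Return (rule, key_path, value_name) findings in input order."""
    findings = []
    for key, name, data in values:
        # Rule 1: autostart entry that runs PowerShell and points back into the registry.
        if RUN_KEY.search(key) and POWERSHELL.search(data) and REGISTRY_DRIVE.search(data):
            findings.append(("run-key-powershell-reads-registry", key, name))
        # Rule 2: any value whose Base64 payload is an executable image.
        if looks_like_pe(decode_base64(data)):
            findings.append(("base64-pe-in-registry", key, name))
    return findings


def stub_pe():
    """Constructed 128-byte header stub: correct magic values, no code."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_VALUES = [
    (RUN, "Updater",
     'powershell.exe -NoProfile -Command "<script read from HKCU:\\Software\\Example>"'),
    (RUN, "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Example", "Blob", base64.b64encode(stub_pe()).decode()),
    (r"HKCU\Software\Example", "Theme", "ZGFyaw=="),  # Base64, but not a PE
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_VALUES):
        print(finding)
```

A script that hides its payload behind further encoding layers will not trip the second rule, so the Run-key rule should be reviewed on its own as well.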

Fileless techniques

Misfox exemplifies how cyberattacks can incorporate fileless components in the kill chain. Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:

  1. Reflective DLL injection
    Reflective DLL injection involves the manual loading of malicious DLLs into a process’ memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors like macros and scripts. This results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.
  2. Memory exploits
    Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, and has been observed to install the DoublePulsar backdoor, which lives entirely in the kernel’s memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX does not drop any files on disk.
  3. Script-based techniques
    Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shellcodes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry (as in the case of Misfox), read from network streams, or simply run manually in the command-line by an attacker, without ever touching the disk.
  4. WMI persistence
    We’ve seen certain attackers use the Windows Management Instrumentation (WMI) repository to store malicious scripts that are then invoked periodically using WMI bindings. This article [PDF] presents very good examples.

Fileless malware-specific mitigations on Microsoft 365

Microsoft 365 brings together a set of next-gen security technologies to protect devices, SaaS apps, email, and infrastructure from a wide spectrum of attacks. The following Windows-related components from Microsoft 365 have capabilities to detect and mitigate malware that rely on fileless techniques:

Tip
In addition to fileless malware-specific mitigations, Windows 10 comes with other next-gen security technologies that mitigate attacks in general. For example, Windows Defender Application Guard can stop the delivery of malware, fileless or otherwise, through Microsoft Edge and Internet Explorer. Read about the Microsoft 365 security and management features available in Windows 10 Fall Creators Update.

Windows Defender Antivirus

Windows Defender AV blocks the vast majority of malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Windows Defender AV protects against fileless malware through these capabilities:

  • Detecting script-based techniques by leveraging AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation
  • Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed
  • Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring

Windows Defender Exploit Guard

Windows Defender Exploit Guard (Windows Defender EG), a new set of host intrusion prevention capabilities, helps reduce the attack surface area by locking down the device against a wide variety of attack vectors. It can help stop attacks that use fileless malware by:

  • Mitigating kernel-memory exploits like EternalBlue through Hypervisor Code Integrity (HVCI), which makes it extremely difficult to inject malicious code using kernel-mode software vulnerabilities
  • Mitigating user-mode memory exploits through the Exploit protection module, which consists of a number of exploit mitigations that can be applied either at the operating system level or at the individual app level
  • Mitigating many script-based fileless techniques, among other techniques, through Attack Surface Reduction (ASR) rules that lock down application behavior

Tip
On top of technical controls, it is important that administrative controls related to people and processes are also in place. The use of fileless techniques that rely on PowerShell and WMI on a remote victim machine requires that the adversary has privileged access to those machines. This may be due to poor administrative practices (for example, configuring a Windows service to run in the context of a domain admin account) that can enable credential theft. Read more about Securing Privileged Access.

Windows Defender Application Control

Windows Defender Application Control (WDAC) offers a mechanism to enforce strong code integrity policies and to allow only trusted applications to run. In the context of fileless malware, WDAC locks down PowerShell to Constrained Language Mode, which limits the extended language features that can lead to unverifiable code execution, such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects. This essentially mitigates PowerShell-based reflective DLL injection attacks.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (Windows Defender ATP) is the integrated platform for our Windows Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) capabilities. When it comes to post-breach scenarios, ATP alerts enterprise customers about highly sophisticated and advanced attacks on devices and corporate networks that other preventive protection features have been unable to defend against. It uses rich security data, advanced behavioral analytics, and machine learning to detect such attacks. It can help detect fileless malware in a number of ways, including:

  • Exposing covert attacks that use fileless techniques like reflective DLL loading using specific instrumentations that detect abnormal memory allocations
  • Detecting script-based fileless attacks by leveraging AMSI, which provides runtime inspection capability into PowerShell and other script-based malware, and applying machine learning models

Microsoft Edge

According to independent security tester NSS Labs, Microsoft Edge blocks more phishing sites and socially engineered malware than other browsers. Microsoft Edge mitigates fileless malware using arbitrary code protection capabilities, which can prevent arbitrary code, including malicious DLLs, from running. This helps mitigate reflective DLL loading attacks. In addition, Microsoft Edge offers a wide array of protections that mitigate threats, fileless or otherwise, using Windows Defender Application Guard integration and Windows Defender SmartScreen.

Windows 10 S

Windows 10 S is a special configuration of Windows 10 that combines many of the security features of Microsoft 365 automatically configured out of the box. It reduces attack surface by only allowing apps from the Microsoft Store. In the context of fileless malware, Windows 10 S has PowerShell Constrained Language Mode enabled by default. In addition, industry-best Microsoft Edge is the default browser, and Hypervisor Code Integrity (HVCI) is enabled by default.

 

Zaid Arafeh

Senior Program Manager, Windows Defender Research team



A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

January 10th, 2018

Adopting reliable attack methods and techniques borrowed from more evolved threat types, ransomware attained new levels of reach and damage in 2017. The following trends characterize the ransomware narrative in the past year:

  • Three global outbreaks showed the force of ransomware in making real-world impact, affecting corporate networks and bringing down critical services like hospitals, transportation, and traffic systems
  • Three million unique computers encountered ransomware; millions more saw downloader trojans, exploits, emails, websites and other components of the ransomware kill chain
  • New attack vectors, including compromised supply chain, exploits, phishing emails, and documents taking advantage of the DDE feature in Office were used to deliver ransomware
  • More than 120 new ransomware families, plus countless variants of established families and less prevalent ransomware caught by heuristic and generic detections, emerged from a thriving cybercriminal enterprise powered by ransomware-as-a-service

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Considering that Windows 10 has a much larger install base than Windows 7, this difference in ransomware encounter rate is significant.

Figure 1. Ransomware encounter rates on Windows 7 and Windows 10 devices. Encounter rate refers to the percentage of computers running the OS version with Microsoft real-time security that blocked or detected ransomware.

The data shows that attackers are targeting Windows 7. Given today’s modern threats, older platforms can be infiltrated more easily because these platforms don’t have the advanced built-in end-to-end defense stack available on Windows 10. Continuous enhancements further make Windows 10 more resilient to ransomware and other types of attack.

Windows 10: Multi-layer defense against ransomware attacks

The year 2017 saw three global ransomware outbreaks driven by multiple propagation and infection techniques that are not necessarily new but not typically observed in ransomware. While there are technologies available on Windows 7 to mitigate attacks, Windows 10’s comprehensive set of platform mitigations and next-generation technologies cover these attack methods. Additionally, Windows 10 S, which is a configuration of Windows 10 that’s streamlined for security and performance, locks down devices against ransomware outbreaks and other threats.

In May, WannaCry (Ransom:Win32/WannaCrypt) caused the first global ransomware outbreak. It used EternalBlue, an exploit for a previously fixed SMBv1 vulnerability, to infect computers and spread across networks at speeds never before observed in ransomware.

On Windows 7, Windows AppLocker and antimalware solutions like Microsoft Security Essentials and System Center Endpoint Protection (SCEP) can block the infection process. However, because WannaCry used an exploit to spread and infect devices, networks with vulnerable Windows 7 devices fell victim. The WannaCry outbreak highlighted the importance of keeping platforms and software up-to-date, especially with critical security patches.

Windows 10 was not at risk from the WannaCry attack. Windows 10 has security technologies that can block the WannaCry ransomware and its spreading mechanism. Built-in exploit mitigations on Windows 10 (KASLR, NX HAL, and PAGE POOL), as well as kCFG (control-flow guard for kernel) and HVCI (kernel code-integrity), make Windows 10 much more difficult to exploit.

Figure 2. Windows 7 and Windows 10 platform defenses against WannaCry

In June, Petya (Ransom:Win32/Petya.B) used the same exploit that gave WannaCry its spreading capabilities, and added more propagation and infection methods to give birth to arguably the most complex ransomware in 2017. Petya’s initial infection vector was a compromised software supply chain, but the ransomware quickly spread using the EternalBlue and EternalRomance exploits, as well as a module for lateral movement using stolen credentials.

On Windows 7, Windows AppLocker can stop Petya from infecting the device. If a Windows 7 device is fully patched, Petya’s exploitation behavior did not work. However, Petya also stole credentials, which it then used to spread across networks. Once running on a Windows 7 device, only an up-to-date antivirus that had protection in place at zero hour could stop Petya from encrypting files or tampering with the master boot record (MBR).

On the other hand, on Windows 10, Petya had more layers of defenses to overcome. Apart from Windows AppLocker, Windows Defender Application Control can block Petya’s entry vector (i.e., compromised software updater running an untrusted binary), as well as the propagation techniques that used untrusted DLLs. Windows 10’s built-in exploit mitigations can further protect Windows 10 devices from the Petya exploit. Credential Guard can prevent Petya from stealing credentials from local security authority subsystem service (LSASS), helping curb the ransomware’s propagation technique. Meanwhile, Windows Defender System Guard (Secure Boot) can stop the MBR modified by Petya from being loaded at boot time, preventing the ransomware from causing damage to the master file table (MFT).

Figure 3. Windows 7 and Windows 10 platform defenses against Petya

In October, another sophisticated ransomware reared its ugly head: Bad Rabbit ransomware (Ransom:Win32/Tibbar.A) infected devices by posing as an Adobe Flash installer available for download on compromised websites. Similar to WannaCry and Petya, Bad Rabbit had spreading capabilities, albeit more traditional: it used a hardcoded list of user names and passwords. Like Petya, it can also render infected devices unbootable, because, in addition to encrypting files, it also encrypted entire disks.

On Windows 7 devices, several security technologies can block the download and installation of the ransomware, but protecting the device from the damaging payload and from infecting other computers in the network can be tricky.

With Windows 10, however, in addition to stronger defense at the infection vector, corporate networks were safer from this damaging threat because several technologies are available to stop or detect Bad Rabbit's attempt to spread across networks using exploits or hardcoded user names and passwords.

More importantly, during the Bad Rabbit outbreak, detonation-based machine learning models in Windows Defender AV cloud protection service, with no human intervention, correctly classified the malware 14 minutes after the very first encounter. These detonation-based ML models are a part of several layers of machine learning and artificial intelligence technologies that evaluate files in order to reach a verdict on suspected malware. Using this layered approach, Windows Defender AV protected Windows 10 devices with cloud protection enabled from Bad Rabbit within minutes of the outbreak.

Figure 4. Windows 7 and Windows 10 platform defenses against Bad Rabbit

As these outbreaks demonstrated, ransomware has indeed become a highly complex threat that can be expected to continue evolving in 2018 and beyond. The multiple layers of next-generation security technologies on Windows 10 are designed to disrupt the attack methods that we have previously seen in highly specialized malware but now also see in ransomware.

Ransomware protection on Windows 10

For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.

Controlled folder access, however, is but one layer of defense. Ransomware and other threats from the web can be blocked by Microsoft Edge, whose exploit mitigation and sandbox features make it a very secure browser. Microsoft Edge significantly improves web security by using Windows Defender SmartScreen's reputation-based blocking of malicious downloads and by opening pages within low-privilege app containers.

Windows Defender Antivirus also continues to enhance defense against threats like ransomware. Its advanced generic and heuristic techniques and layered machine learning models help catch both common and rare ransomware families. Windows Defender AV can detect and block most malware, including never-before-seen ransomware, using generics and heuristics, local ML models, and metadata-based ML models in the cloud. In rare cases that a threat slips past these layers of protection, Windows Defender AV can protect patient zero in real-time using analysis-based ML models, as demonstrated in a real-life case scenario where a customer was protected from a very new Spora ransomware in a matter of seconds. In even rarer cases of inconclusive initial classification, additional automated analysis and ML models can still protect customers within minutes, as happened during the Bad Rabbit outbreak.

Windows 10 S locks down devices from unauthorized content by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common entry points for ransomware and other threats.

Reducing the attack surface for ransomware and other threats in corporate networks

For enterprises and small businesses, the impact of ransomware is graver. Losing access to files can mean disrupted operations. Big enterprise networks, including critical infrastructures, fell victim to ransomware outbreaks. The modern enterprise network is under constant assault by attackers and needs to be defended on all fronts.

Windows Defender Exploit Guard locks down devices against a wide variety of attack vectors. Its host intrusion prevention capabilities include the following components, which block behaviors commonly used in malware attacks:

  • Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware; ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
  • Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
  • Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
  • Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors

Additionally, the industry-best browser security in Microsoft Edge is enhanced by Windows Defender Application Guard, which brings Azure cloud grade isolation and security segmentation to Windows applications. This hardware isolation-level capability provides one of the highest levels of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware.

For emails, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers against ransomware attacks that begin with email. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Integrated security for enterprises

Windows Defender Advanced Threat Protection allows SecOps personnel to stop the spread of ransomware through timely detection of ransomware activity in the network. Windows Defender ATP's enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware attack kill-chain, enabling SecOps to promptly investigate and respond to ransomware attacks.

With Windows 10 Fall Creators Update, Windows Defender ATP was expanded to include seamless integration across the entire Windows protection stack, including Windows Defender Exploit Guard, Windows Defender Application Guard, and Windows Defender AV. This integration is designed to provide a single pane of glass for a seamless security management experience.

With all of these security technologies, Microsoft has built the most secure Windows version ever with Windows 10. While the threat landscape will continue to evolve in 2018 and beyond, we don't stop innovating and investing in security solutions that continue to harden Windows 10 against attacks. The twice-per-year feature update release cycle reflects our commitment to innovate and to make it easier to disrupt successful attack techniques with new protection features. Upgrading to Windows 10 not only means decreased risk; it also means access to advanced, multi-layered defense against ransomware and other types of modern attacks.

Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

December 4th, 2017

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarue's sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnet's command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnet's servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarue's global prevalence.

Figure 1. Gamarue's global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) – Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc.
  • Rootkit (included in crime kit) – Injects rootkit code into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) – Turns victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) – Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) – Enables attacker to remotely control the victim machine, spy on the desktop, perform file transfer, among other functions
  • Spreader – Adds capability to spread Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses a domain generation algorithm (DGA) for the servers where it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarue's attack kill-chain

Gamarue's main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information like the hard disk's volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication of whether the signed-in user has administrative rights, and the keyboard language setting for the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazakhstan

Before sending to the C&C server, this information is encrypted with the RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication
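As an added illustration for analysts (not code from the post or from Microsoft), the sketch below takes captured check-in bodies and a set of RC4 keys recovered from analyzed samples, finds the key that decrypts each body into well-formed JSON, and groups bot IDs by key. The JSON key names, the keys and the captured bodies are constructed, and it assumes the HTTP body is the raw RC4 output with no further encoding.

```python
import json

# Values the post says a check-in carries. The JSON key names are hypothetical:
# the post lists the values but not how they are keyed.
EXPECTED_FIELDS = {"bot_id", "build_id", "os", "local_ip", "is_admin", "kbd_lang"}

# Constructed stand-ins for keys recovered from analyzed samples.
KEY_A = b"constructed-key-A"
KEY_B = b"constructed-key-B"
CANDIDATE_KEYS = [KEY_A, KEY_B]


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def identify_key(body: bytes, candidate_keys):
    """Return (key, record) for the first key that yields check-in JSON, else None."""
    for key in candidate_keys:
        try:
            record = json.loads(rc4(key, body).decode("utf-8"))
        except ValueError:                    # bad UTF-8 or bad JSON: wrong key
            continue
        if isinstance(record, dict) and EXPECTED_FIELDS <= record.keys():
            return key, record
    return None


def group_by_botnet(bodies, candidate_keys):
    """Map each matching key to the bot IDs seen under it; collect unmatched bodies."""
    botnets, unknown = {}, []
    for body in bodies:
        hit = identify_key(body, candidate_keys)
        if hit is None:
            unknown.append(body)
        else:
            key, record = hit
            botnets.setdefault(key, set()).add(record["bot_id"])
    return botnets, unknown


def constructed_capture():
    """Constructed check-in bodies: three under known keys, one under an unknown key."""
    def checkin(bot_id, key):
        msg = {"bot_id": bot_id, "build_id": 7, "os": "win7",
               "local_ip": "192.0.2.10", "is_admin": 0, "kbd_lang": 1033}
        return rc4(key, json.dumps(msg).encode("utf-8"))
    return [checkin(1111, KEY_A), checkin(2222, KEY_A),
            checkin(3333, KEY_B), checkin(4444, b"key-not-in-our-set")]


if __name__ == "__main__":
    found, unmatched = group_by_botnet(constructed_capture(), CANDIDATE_KEYS)
    for key, bots in found.items():
        print(key.decode(), sorted(bots))
    print("bodies with no matching key:", len(unmatched))
```

Bodies that match no candidate key point to a build whose key has not been recovered yet.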

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue presence in machines.

The reply from the C&C server is also encrypted with the RC4 algorithm using the same key used to encrypt the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval in minutes – time to wait before asking the C2 server for the next command
  • Task ID – used by the hacker to track if there was an error performing the task
  • Command – one of the commands mentioned above
  • Download URL – from which a plugin/updated binary/other malware can be downloaded depending on the command

Figure 9. Decrypted reply from C&C server

Anti-sandbox techniques

Gamarue employs anti-AV techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue checks a list of hashes of the processes running on a potential victim's machine. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. In older versions, a fake payload is manifested when running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating systems of infected computers by disabling Firewall, Windows Update, and User Account Control functions. These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10.

Figure 11. Disabled Firewall and Windows Update

Monetization

There are several ways hackers earn using Gamarue. Since Gamarue's main purpose is to distribute other malware, hackers earn using a pay-per-install scheme. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developer's.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATP's enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email. It uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.

Microsoft Digital Crimes Unit and Windows Defender Research team


Malicious macro using a sneaky new trick

May 18th, 2016

We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M/Donoff – a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more blogs).

However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).

Screenshot of VBA script editor showing the user form and list of modules

The VBA user form contains three buttons

The VBA modules look like legitimate SQL programs powered with a macro; no malicious code found there … However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form.

It appeared to be some sort of encrypted string.

We went back and reviewed the other modules in the file, and sure enough – there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the default autoopen() macro to run the entire VBA project when the document is opened.

Screenshot of the VBA macro script in Module2 that decrypts the Caption string

The macro script in Module2 decrypts the string in the Caption field

The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).

The VBA project (and, therefore, the macro) will automatically run if the user enables macros when opening the file – our strongest suggestion for the prevention of Office-targeting macro-based malware is to only enable macros if you wrote the macro yourself, or completely trust and know the person who wrote it.

See our threat intelligence report on macros and our macro-based malware page for further guidance on preventing and recovering from these types of attacks.

-Marianne Mallen and Wei Li
MMPC

Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with an unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016. The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreateUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “\knowndlls\mstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1”) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.

Figure 1: The malware builds the information describing the first patch

Figure 2: The highlighted “push 4” is patched to “push 0x40”, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “\knowndlls\fgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:\program files\Windows Journal\Templates\Cpl\jnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.
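The triage heuristics described in this post (high entropy, the “.hotp1” string, a PE section named “.hotp1”, the PE timestamp) can be combined in one pass over a PE image taken from disk or carved from memory. The following is an added example, not the hunting team's tooling; the entropy threshold is an assumed value and the sample images are constructed.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

HOTPATCH_NAME = ".hotp1"     # section name / string reported in the post
ENTROPY_THRESHOLD = 7.2      # assumed cut-off for "high entropy"; tune per data set


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    n = len(data)
    if n == 0:
        return 0.0
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())


def triage_pe(image: bytes) -> dict:
    """Parse the PE headers and return the facts a hunter would pivot on."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, ...
    _mach, nsect, stamp, _sym, _nsym, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size         # section table follows the optional header
    sections = []
    for idx in range(nsect):
        off = table + idx * 40               # each section header is 40 bytes
        if off + 40 > len(image):
            raise ValueError("truncated section table")
        raw_name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, off)
        body = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": raw_name.rstrip(b"\0 ").decode("ascii", "replace"),
            "entropy": round(shannon_entropy(body), 2),
        })
    return {
        # The timestamp is attacker-controlled, so treat it as a pivot, not a fact.
        "pe_timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).date().isoformat(),
        "sections": sections,
        "hotpatch_section": any(s["name"] == HOTPATCH_NAME for s in sections),
        "hotpatch_string": HOTPATCH_NAME.encode() in image,
        "high_entropy": [s["name"] for s in sections
                         if s["entropy"] >= ENTROPY_THRESHOLD],
    }


def build_constructed_pe(sections, stamp: int) -> bytes:
    """Constructed test input: a minimal PE-shaped image with no optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0, 0x2102)
    data_off = 0x40 + 4 + 20 + 40 * len(sections)
    table, blob = b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), 0x1000,
                             len(body), data_off + len(blob), 0, 0, 0, 0, 0x40000040)
        blob += body
    return bytes(dos) + b"PE\0\0" + coff + table + blob


def constructed_samples() -> dict:
    """Three constructed images: a patch-style PE, an injector-style PE, a plain one."""
    stamp = int(datetime(2015, 8, 9, tzinfo=timezone.utc).timestamp())
    packed = bytes(range(256)) * 8           # stand-in for packed data
    return {
        "patch_image": build_constructed_pe([(".hotp1", b"\x00" * 64)], stamp),
        "injector": build_constructed_pe(
            [(".text", b"\x90" * 256), (".data", packed + b".hotp1\0")], stamp),
        "plain": build_constructed_pe([(".text", b"\x55\x8b\xec" * 100)], stamp),
    }


if __name__ == "__main__":
    for label, image in constructed_samples().items():
        print(label, triage_pe(image))
```

A hit on either “.hotp1” indicator is a lead for manual review, as in the investigation described above, not a verdict on its own.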

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with an unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016. The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreateUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “\knowndlls\mstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1 “) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.
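The “.hotp1” section name that caught the hunter's eye can be searched for in a memory dump or carved file. The following is an added example, not code from the original post: it walks the PE section table of every image found in a buffer and reports those carrying that section. The function names and the header-only sample image are constructed for illustration.

```python
import struct

HOTPATCH_SECTION = b".hotp1"  # section name reported in this post


def pe_section_names(data: bytes, base: int = 0) -> list:
    """Return the raw 8-byte section names of the PE image starting at `base`."""
    if base + 0x40 > len(data) or data[base:base + 2] != b"MZ":
        raise ValueError("no MZ header at this offset")
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    pe = base + e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header follows the 4-byte signature:
    # NumberOfSections at +6, SizeOfOptionalHeader at +20.
    (nsections,) = struct.unpack_from("<H", data, pe + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size
    names = []
    for i in range(nsections):
        entry = table + i * 40  # each section header is 40 bytes
        if entry + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[entry:entry + 8])
    return names


def has_hotpatch_section(names) -> bool:
    """True if any section name is '.hotp1', ignoring NUL/space padding."""
    return any(n.rstrip(b"\0 ") == HOTPATCH_SECTION for n in names)


def find_hotpatch_images(data: bytes) -> list:
    """Offsets of embedded PE images in `data` that carry a .hotp1 section."""
    hits, start = [], 0
    while True:
        off = data.find(b"MZ", start)
        if off < 0:
            return hits
        try:
            if has_hotpatch_section(pe_section_names(data, off)):
                hits.append(off)
        except ValueError:
            pass  # "MZ" bytes that are not a parsable PE image
        start = off + 1


def build_constructed_pe(section_names) -> bytes:
    """Constructed, header-only PE image used as sample input (not a real sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    dump = b"\0" * 96 + b"MZxx" + build_constructed_pe([b".text", b".hotp1 "])
    print("images with .hotp1 at offsets:", find_hotpatch_images(dump))
```

A hit is a lead rather than a verdict, because hotpatch images were also a legitimate Windows Server 2003 servicing artifact.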

Figure 1: The malware builds the information describing the first patch

 

Figure 2: The highlighted “push 4” is patched to “push 0x40”, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “\knowndlls\fgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:\program files\Windows Journal\Templates\Cpl\jnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

 


 

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

MSRT March 2016 – Vonteera

March 9th, 2016

As part of our ongoing effort to provide better malware protection, the March release of the Microsoft Malicious Software Removal Tool (MSRT) will include detections for Vonteera – a family of browser modifiers, and Fynloski – a family of backdoor trojans. In this blog, we’ll focus on the Vonteera family of browser modifiers.

BrowserModifier:Win32/Vonteera

We first detected BrowserModifier:Win32/Vonteera in August 2013, and the numbers have been pretty big; during the past six months, we’ve had over eight million detections. Encounters have been distributed among the following countries and regions:

Vonteera distribution numbers

We classify Vonteera as unwanted software because it violates the following objective criteria:

  • Lack of choice – the threat circumvents user consent dialogs from the browser or operating system. It installs, reinstalls, or removes software without your permission, interaction, or consent.
  • Lack of control – the threat prevents or limits you from viewing or modifying browser features or settings.
  • Installation and removal – the threat fails to use standard install/uninstall features, such as Add/Remove Programs.

Vonteera is usually distributed by software bundlers that offer free applications or games.

Once installed on your PC, it modifies your homepage and changes your search provider.

It uses Group Policy to install a plug-in into the following browsers in an effort to make it difficult to remove:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

This makes it more difficult to change the browser settings and remove the added Vonteera plug-in through the Manage Add-ons settings.

Search policy message

More recent versions of Vonteera began adding legitimate certificates that belong to a number of security and antimalware products to the untrusted certificates list that the Windows operating system maintains, which forces Windows to not trust legitimate security and antimalware products. This means that if Vonteera is present on your PC, you might not be able to run your security software.

It also runs a service, so even if you try to delete these certificates from the untrusted list, Vonteera just adds them back to this list, so you still might not be able to run your security software.

DESCRIPTION

Our malware encyclopedia entry for Win32/Vonteera has more details about this malware family.

By adding Vonteera to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this unwanted software. However, as with all threats, prevention is the best protection.

Stay protected

To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

We also recommend you:

For more tips on preventing malware infections, including ransomware infections, see:

Social engineering tricks open the door to macro-malware attacks – how can we close it?

April 28th, 2015

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity.  With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

 Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen the majority of the macro-malware attacks in the United States and United Kingdom.

Figure 2: Macro downloaders’ prevalence in affected countries

 

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and delivers its payload.

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, but not limited to:

When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.

We have observed the following final payload, but is not limited to:

We have also observed the following binary downloaders to be related to these macros, but not limited to:

After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, but not limited to:

 

Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project – how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all of the macro malware received are in .doc file format (D0 CF) which are seen in Microsoft Office 2007 and older versions.

If you are in charge of looking after your enterprise software security infrastructure, you can:

  • Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
  • Ensure that your Trust Center settings are configured not to load older Office versions:
    1. Go to Word Options, and select Trust Center. Click Trust Center Settings.

      Trust Center settings

                                                                  

    2. In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block. 

Trust Center file block settings

Doing so blocks older Office versions from opening.

You can check if the MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.

System Center Endpoint Protection MAPS settings

MMPC

Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

April 13th, 2015

'Simda.AT' designed to divert Internet traffic to disseminate other types of malware.

Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda.AT variant first appeared in 2012. It is a widely distributed malware that causes significant damage to users through the manipulation of internet traffic and spread of other malware. 

Interpol coordinated the operation and the DNHTCU, with the support of the Federal Bureau of Investigation (FBI), successfully took down Simda.AT's active command and control infrastructure across four countries including the Netherlands, Luxembourg, Russia and the United States.

The Microsoft Malware Protection Center (MMPC) and Microsoft's Digital Crimes Unit (DCU) led the analysis of the malware threat in partnership with CDI Japan, Kaspersky Lab, and Trend Micro.

MMPC activated the Coordinated Malware Eradication (CME) platform to provide in-depth research, telemetry, samples, and cleaning solutions to law enforcement and our partners.  This information helped law enforcement take action against Simda.AT and its infrastructure, while providing easy remediation and recovery options for victim machines around the world.  

Since 2009, the Simda malware family has been a dynamic and elusive threat.  Simda's function has ranged from a simple password stealer to a complex banking trojan.  To read more about the Simda family, see Win32/Simda.

Encounters

Simda.AT makes up the vast majority of our current detections for this malware family. We've measured approximately 128,000 new cases each month over the last six months with infections occurring around the world. The 'Top 10' countries accounted for 54 percent of the detections our customers have experienced from February through March:

Figure 1: Simda.AT machine detections from October 2014 to March 2015

Figure 2: Percentage of Simda.AT machine detections by country from February to March 2015

Figure 3: Simda.AT machine detections heat map from February to March 2015

Distribution

Over time, the Simda family was distributed in various ways, including:

With Simda.AT, the most common infection vector we identified was compromised websites using embedded or injected JavaScript.  Compromised sites were used to redirect users' traffic to another website, named the "gate".  Figure 4 shows an example of an injected JavaScript which is detected as Trojan:JS/Redirector.  

This gate website is part of the exploit tool chain, which will redirect the browser to the exploit landing page. The "gate" in this Simda.AT example, is detected as Exploit:JS/Fiexp (aka  Fiesta Exploit kit). Fiesta can serve several types of exploits. For example, we have observed Fiesta delivering Simda.AT through malicious SWF files (Shockwave Flash), detected as Exploit:SWF/Fiexp, malicious Java applet files, detected as Exploit:Java/Fiexp and malicious Silverlight files, detected as Exploit:MSIL/CVE-2013-0074.  More specific details related to the exploits can be found in the following CVEs: 

Figure 4: Compromised website with injected malicious JavaScript

 

The “gate” contains script that redirects the browser to the Fiesta landing page. From the landing page, Fiesta attempts to deliver one of three exploits to compromise the machine.  Figure 5 shows the general Simda.AT payload delivery process:

Figure 5: Fiesta exploit kit in action          

Behaviors

Simda.AT provides two primary functionalities:

  • Internet traffic re-routing
  • Distribution and installation of additional software packages or modules

Anti-emulation/Anti-sandbox techniques

For years, Simda used anti-sandbox techniques to evade detection. In most cases, the malware will not run properly, or might sleep indefinitely when the malware suspects that it's being installed into a software security research environment like the one we have at MMPC.  

During installation, the binary checks against a list of black-listed programs and running processes.  The checks performed might seem standard and predictable, but Simda.AT collects information from machines it deems suspicious to update the list. Then it uses an automatic and sustainable process for releasing a new binary every couple of hours with updates that cannot be detected by the majority of the AV scanners.  See the Simda.AT encyclopedia page for details about the dozens of files, processes, and registry keys checked by Simda.AT at the time of installation.

HOSTS file manipulation

During installation, Simda.AT also modifies the file %SYSTEM32%\drivers\etc\hosts by updating the content and changing the file attributes to be read-only and hidden.  The specific changes are hard-coded into each binary, and can cause the victim machine's internet traffic to be routed according to the new instructions for targeted hosts. 

After applying the updates, the installer creates a new and empty file %SYSTEM32%\drivers\etc\hosts.txt to further obfuscate the changes made to the system. The most recent samples are targeting network communication from the following URLs:

  • connect.facebook.net
  • google-analytics.com
  • www.google-analytics.com

Older samples were also seen targeting Bing.com hosts for redirection (e.g. u.bing.com, bing.com, ca.bing.com, gb.bing.com, www.bing.com) and a portion of recent Simda.AT samples connecting to Bing.com using the following URL pattern:  http://www.bing.com/chrome/report.html?<encoded string> 

The malware authors might have intended to use the HOSTS file modifications to relay additional information about victim machines to the servers of their choosing.  However, from our research, Simda.AT samples stopped updating the HOSTS file with the Bing.com hosts in early February.  As a result, we've been able to monitor traffic to this, normally unused, location for the last several days, and we have observed an average of approximately 5,000 unique IPs reach out to us each day.
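The HOSTS file traits described above (entries for the listed hosts, read-only plus hidden attributes, an empty hosts.txt beside the real file) can be checked together. The following is an added example, not code from the original post; the function names, the sample file content and the documentation-range addresses are constructed, and on a live Windows system the attribute bits would come from os.stat(path).st_file_attributes.

```python
import ipaddress

FILE_ATTRIBUTE_READONLY = 0x1  # Windows file attribute bits
FILE_ATTRIBUTE_HIDDEN = 0x2

# Host names this post reports as redirected by Simda.AT samples.
WATCHED_HOSTS = {
    "connect.facebook.net", "google-analytics.com", "www.google-analytics.com",
    "u.bing.com", "bing.com", "ca.bing.com", "gb.bing.com", "www.bing.com",
}


def parse_hosts(text):
    """Yield (line number, address, host name) for every mapping in a HOSTS file."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: ignore the malformed line
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def audit_hosts(text, attributes=0, decoy_txt_size=None):
    """Return findings that match the HOSTS changes described in this post.

    attributes     -- Windows attribute bits of the hosts file
    decoy_txt_size -- size of hosts.txt in the same folder, None if absent
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        # A loopback or 0.0.0.0 mapping is ordinary local blocking, not a redirect.
        if name in WATCHED_HOSTS and not (addr.is_loopback or addr.is_unspecified):
            findings.append(f"line {lineno}: {name} redirected to {addr}")
    both = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN
    if attributes & both == both:
        findings.append("hosts file is read-only and hidden")
    if decoy_txt_size == 0:
        findings.append("empty hosts.txt next to hosts")
    return findings


# Constructed sample content; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     connect.facebook.net
203.0.113.7     google-analytics.com www.google-analytics.com
0.0.0.0         www.bing.com   # local block entry, not a redirect
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, attributes=0x3, decoy_txt_size=0):
        print(finding)
```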

Software distribution and modules

Based on our research, we believe the primary monetization method for this is through a Pay-Per-Install (PPI) program in which the authors can be compensated for distributing and installing additional software packages or modules.  Over time, we have observed the following types of software to be distributed by Simda.AT:

Persistence

The initial infection modifies the system registry to execute during every system start-up.  There are no communications outside of the initial program execution. 

C&C communication

DGA/Command and Control Infrastructure

The Simda.AT command and control infrastructure is organized differently than similar malware families.  Each binary contains up to six hard-coded IPs that dictate the communication infrastructure for each bot.  The Domain-Generation-Algorithm (DGA) that's normally used to define the infrastructure is instead used to generate a seed for the encryption that is used by the host and the command and control servers.

Using RDTSC instruction, the DGA creates a random, 15-19 character long string that's embedded into a domain in one of the following formats:

  • report.<random>.com
  • update[1,2].<random>.com 

These domains are then injected as the 'Host' in the associated POST requests issued to the command and control servers.

To decrypt the 'report' HTTP request, append the query string to the hostname and use the result as the key. Then unquote the query value, enumerate each byte, and get the decrypted byte with the following Python code snippet:

decrypted_string += chr(ord(cipher[i]) - ord(hostname[i % len(hostname)]))

The third, or 'update' request, requires an additional step to base64 decode the query string.
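For analysts working from captured traffic, the following is an added example (not code from the original post) that applies the subtraction above to a whole request, including the extra base64 step for 'update'. It rests on assumptions the post does not spell out: the query travels in the request target, the key is the Host value followed by the query parameter name, and subtraction wraps modulo 256. The captured requests are constructed by the helper at the bottom.

```python
import base64
from urllib.parse import quote_from_bytes, unquote_to_bytes


def make_key(host: str, param: str) -> bytes:
    # Assumption: "append the query string to the hostname" means host + parameter name.
    return (host + param).encode("latin-1")


def subtract_key(cipher: bytes, key: bytes) -> bytes:
    """Byte-wise cipher[i] - key[i % len(key)], wrapped to 0..255."""
    return bytes((c - key[i % len(key)]) % 256 for i, c in enumerate(cipher))


def decode_request(raw: str):
    """Decode one captured request; returns (kind, plaintext bytes)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers["host"]
    if "?" not in target:
        raise ValueError("request has no query string")
    param, _, value = target.split("?", 1)[1].partition("=")
    cipher = unquote_to_bytes(value)          # "unquote the query value"
    kind = host.split(".", 1)[0]              # report, update1 or update2
    if kind.startswith("update"):
        cipher = base64.b64decode(cipher)     # extra step for 'update' requests
    return kind, subtract_key(cipher, make_key(host, param))


def build_constructed_request(host: str, param: str, plaintext: bytes) -> str:
    """Inverse of decode_request, used only to produce sample input offline."""
    key = make_key(host, param)
    cipher = bytes((p + key[i % len(key)]) % 256 for i, p in enumerate(plaintext))
    if host.startswith("update"):
        cipher = base64.b64encode(cipher)
    value = quote_from_bytes(cipher, safe="")
    return f"POST /?{param}={value} HTTP/1.1\r\nHost: {host}\r\n\r\n"


# Constructed captures: the host labels and the plaintext are made up.
REPORT_CAPTURE = build_constructed_request(
    "report.qwertyuiopasdfgh.com", "q", b"name=LAB-PC&vol=constructed-0001")
UPDATE_CAPTURE = build_constructed_request(
    "update1.zxcvbnmasdfghjklq.com", "q", b"ver=constructed&state=check")

if __name__ == "__main__":
    print(decode_request(REPORT_CAPTURE))
    print(decode_request(UPDATE_CAPTURE))
```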

Check-In and update

As alluded to earlier, Simda.AT has two primary functions while communicating with the command and control server:

  • 'report'
  • 'update'

These two functions are differentiated in the POST request sent to the servers, and they are normally issued to different servers through the hard-coded configuration in the binary.

The 'report' function acts as a simple check-in and provides the following type of information, from the victim machine, to the command and control server prior to terminating the connection ahead of the server response:

  • Adapter information
  • Assorted other system and registry information to distinctly identify the computer
  • Creation time of the folder "C:\System Volume Information"
  • Computer name
  • Hard disk information
  • MAC address
  • Volume serial number

This information is used to provide a unique ID for the bot.

In some situations, the bots can also append information about installed applications and processes that are running that we suspect are used for anti-emulation updates for new samples.

The 'update' command is used when downloading modules or additional software packages.  Again, a small amount of machine and binary information is packaged from the victim machine and sent to a different, 'module', server.  When the module server receives the request and responds with an 'Active' message, the bot drops an embedded component (TrojanDropper:Win32/Simdown.A) that handles the download and installation of all modules using hard-coded paths. 

Both functions are called at the initial infection and at every system restart.

It's interesting to note that Simda.AT has been using the same user agent strings in its command and control communication since 2012, which can provide a valuable signature for IPS/IDS engines:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"

"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
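The two user agent strings, combined with the report/update Host format described earlier, make a simple proxy-log triage rule. The following is an added example, not code from the original post; the tab-separated log layout, the severity labels and the sample lines are constructed, and the character set assumed for the random label (letters and digits) is not stated in the post.

```python
import re

FIREFOX_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) "
              "Gecko/20101114 Firefox/4.0b8pre")
MSIE_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; "
           ".NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; "
           ".NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729")
SIMDA_USER_AGENTS = {FIREFOX_UA, MSIE_UA}  # copied verbatim from this post

# report.<random>.com or update[1,2].<random>.com with a 15-19 character label.
# Assumption: the random label is made of letters and digits.
HOST_RE = re.compile(r"^(report|update[12])\.[a-z0-9]{15,19}\.com$", re.IGNORECASE)
RANK = {"low": 1, "medium": 2, "high": 3}


def score(method: str, host: str, user_agent: str):
    """Rate one request: high = host format + user agent + POST together."""
    host_hit = bool(HOST_RE.match(host.strip().rstrip(".")))
    ua_hit = user_agent.strip() in SIMDA_USER_AGENTS
    if host_hit and ua_hit and method.upper() == "POST":
        return "high"
    if host_hit:
        return "medium"   # host format alone
    if ua_hit:
        return "low"      # user agent alone; the string can be reused by others
    return None


def triage(log_text: str) -> dict:
    """Map each source address to the worst rating seen in the log."""
    worst = {}
    for line in log_text.splitlines():
        fields = line.split("\t")
        if line.startswith("#") or len(fields) != 5:
            continue
        _timestamp, src, method, host, user_agent = fields
        level = score(method, host, user_agent)
        if level and RANK[level] > RANK.get(worst.get(src), 0):
            worst[src] = level
    return worst


# Constructed proxy log: time, source, method, Host header, User-Agent.
_ROWS = [
    ("2015-04-01T08:00:01Z", "192.0.2.10", "POST", "report.qwertyuiopasdfgh.com", FIREFOX_UA),
    ("2015-04-01T08:00:05Z", "192.0.2.10", "GET", "www.example.org", "Mozilla/5.0 (constructed)"),
    ("2015-04-01T08:01:10Z", "192.0.2.11", "POST", "update2.zxcvbnmasdfghjklq.com", "Mozilla/5.0 (constructed)"),
    ("2015-04-01T08:02:30Z", "192.0.2.12", "GET", "www.example.com", MSIE_UA),
    ("2015-04-01T08:03:00Z", "192.0.2.13", "POST", "report.short.com", "Mozilla/5.0 (constructed)"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS)

if __name__ == "__main__":
    for src, level in sorted(triage(SAMPLE_LOG).items()):
        print(src, level)
```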

While the disruption action can disable the ability of existing infections to download or update new software components, it will not disable modules that might have been installed by Simda.AT. 

If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials, Windows Defender, or your preferred Anti-Malware Solution.

As a part of our cleaning solution, we will detect and remove any malware distributed by this family, and return your HOSTS file to the default, blank, state.

As always, we urge Windows users to be vigilant against malware:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run antivirus software regularly.

As a reminder to organizations invested in security, if your organization is interested in joining or initiating an eradication campaign, or you are just interested in participating in the CME program, please see the CME program page. You can also reach out to us directly through our contact page for more information. 

Tommy Blizard, Rex Plantado, Rodel Finones, and Tanmay Ganacharya

MMPC

Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

April 13th, 2015 No comments

'Simda.AT' designed to divert Internet traffic to disseminate other types of malware.

Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda.AT variant first appeared in 2012. It is a widely distributed malware that causes significant damage to users through the manipulation of internet traffic and spread of other malware. 

Interpol coordinated the operation and the DNHTCU, with the support of the Federal Bureau of Investigation (FBI), successfully took down Simda.AT's active command and control infrastructure across four countries including the Netherlands, Luxembourg, Russia and the United States.

The Microsoft Malware Protection Center (MMPC) and Microsoft's Digital Crimes Unit (DCU) led the analysis of the malware threat in partnership with CDI Japan, Kaspersky Lab, and Trend Micro.

MMPC activated the Coordinated Malware Eradication (CME) platform to provide in-depth research, telemetry, samples, and cleaning solutions to law enforcement and our partners.  This information helped law enforcement take action against Simda.AT and its infrastructure, while providing easy remediation and recovery options for victim machines around the world.  

Since 2009, the Simda malware family has been a dynamic and elusive threat.  Simda's function has ranged from a simple password stealer to a complex banking trojan.  To read more about the Simda family, see Win32/Simda.

Encounters

Simda.AT makes up the vast majority of our current detections for this malware family. We've measured approximately 128,000 new cases each month over the last six months with infections occurring around the world. The 'Top 10' countries accounted for 54 percent of the detections our customers have experienced from February through March:

Figure 1: Simda.AT machine detections from October 2014 to March 2015

Figure 2: Percentage of Simda.AT machine detections by country from February to March 2015

Figure 3: Simda.AT machine detections heat map from February to March 2015

Distribution

Over time, the Simda family was distributed in various ways, including:

With Simda.AT, the most common infection vector we identified was compromised websites using embedded or injected JavaScript.  Compromised sites were used to redirect users' traffic to another website, named the "gate".  Figure 4 shows an example of an injected JavaScript which is detected as Trojan:JS/Redirector.  

This gate website is part of the exploit tool chain, which will redirect the browser to the exploit landing page. The "gate" in this Simda.AT example is detected as Exploit:JS/Fiexp (aka Fiesta Exploit kit). Fiesta can serve several types of exploits. For example, we have observed Fiesta delivering Simda.AT through malicious SWF files (Shockwave Flash), detected as Exploit:SWF/Fiexp, malicious Java applet files, detected as Exploit:Java/Fiexp, and malicious Silverlight files, detected as Exploit:MSIL/CVE-2013-0074.  More specific details related to the exploits can be found in the following CVEs: 

Figure 4: Compromised website with injected malicious JavaScript

 

The “gate” contains script that redirects the browser to the Fiesta landing page. From the landing page, Fiesta attempts to deliver one of three exploits to compromise the machine.  Figure 5 shows the general Simda.AT payload delivery process:

Figure 5: Fiesta exploit kit in action          

Behaviors

Simda.AT provides two primary functionalities:

  • Internet traffic re-routing
  • Distribution and installation of additional software packages or modules

Anti-emulation/Anti-sandbox techniques

For years, Simda used anti-sandbox techniques to evade detection. In most cases, the malware will not run properly, or might sleep indefinitely when the malware suspects that it's being installed into a software security research environment like the one we have at MMPC.  

During installation, the binary checks against a list of black-listed programs and running processes.  The checks performed might seem standard and predictable, but Simda.AT collects information from machines it deems suspicious to update the list. Then it uses an automatic and sustainable process for releasing a new binary every couple of hours with updates that cannot be detected by the majority of the AV scanners.  See the Simda.AT encyclopedia page for details about the dozens of files, processes, and registry keys checked by Simda.AT at the time of installation.

HOSTS file manipulation

During installation, Simda.AT also modifies the file %SYSTEM32%\drivers\etc\hosts by updating the content and changing the file attributes to be read-only and hidden.  The specific changes are hard-coded into each binary, and can cause the victim machine's internet traffic to be routed according to the new instructions for targeted hosts. 

After applying the updates, the installer creates a new and empty file %SYSTEM32%\drivers\etc\hosts.txt to further obfuscate the changes made to the system. The most recent samples are targeting network communication from the following URLs:

  • connect.facebook.net
  • google-analytics.com
  • www.google-analytics.com

Older samples were also seen targeting Bing.com hosts for redirection (e.g. u.bing.com, bing.com, ca.bing.com, gb.bing.com, www.bing.com) and a portion of recent Simda.AT samples connecting to Bing.com using the following URL pattern:  http://www.bing.com/chrome/report.html?<encoded string> 

The malware authors might have intended to use the HOSTS file modifications to relay additional information about victim machines to the servers of their choosing.  However, from our research, Simda.AT samples stopped updating the HOSTS file with the Bing.com hosts in early February.  As a result, we've been able to monitor traffic to this, normally unused, location for the last several days, and we have observed an average of approximately 5,000 unique IPs reach out to us each day.
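The HOSTS file changes described in this section can be checked for on a suspect machine. The following Python audit is an added example, not code from the original analysis: it flags entries for the hosts named above, the hidden plus read-only attribute combination, and an empty hosts.txt beside the HOSTS file. The sample file content and its addresses are constructed.

```python
import os
import stat

# Hosts this post names as redirection targets in Simda.AT samples.
WATCHED_HOSTS = {
    "connect.facebook.net", "google-analytics.com", "www.google-analytics.com",
    "u.bing.com", "bing.com", "ca.bing.com", "gb.bing.com", "www.bing.com",
}


def audit_hosts_text(text):
    """Return (line_no, hostname, address) for every watched host that is mapped."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 2:
            continue                               # blank, comment-only or malformed
        address, names = fields[0], fields[1:]     # one address may carry several names
        for name in names:
            normalized = name.lower().rstrip(".")
            if normalized in WATCHED_HOSTS:
                findings.append((line_no, normalized, address))
    return findings


def audit_hosts_file(path):
    """Audit a HOSTS file on disk, including the file-level traits described above."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        entries = audit_hosts_text(handle.read())
    # st_file_attributes exists only on Windows; elsewhere this check reports False.
    attributes = getattr(os.stat(path), "st_file_attributes", 0)
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_READONLY
    decoy = path + ".txt"                          # the empty hosts.txt left by the installer
    return {
        "entries": entries,
        "hidden_and_readonly": (attributes & wanted) == wanted,
        "empty_decoy": os.path.isfile(decoy) and os.path.getsize(decoy) == 0,
    }


# Constructed sample content; the addresses are documentation-range placeholders.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample",
    "127.0.0.1 localhost",
    "203.0.113.7 connect.facebook.net",
    "203.0.113.7 google-analytics.com www.google-analytics.com  # two names",
    "#203.0.113.9 www.bing.com",
    "198.51.100.4 intranet.example.com",
])

if __name__ == "__main__":
    for line_no, host, address in audit_hosts_text(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {address}")
```

On a live system, pass the real HOSTS path to audit_hosts_file; any non-empty "entries" list deserves review even when the attribute and decoy checks are negative.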

Software distribution and modules

Based on our research, we believe the primary monetization method for this is through a Pay-Per-Install (PPI) program in which the authors can be compensated for distributing and installing additional software packages or modules.  Over time, we have observed the following types of software to be distributed by Simda.AT:

Persistence

The initial infection modifies the system registry to execute during every system start-up.  There are no communications outside of the initial program execution. 

C&C communication

DGA/Command and Control Infrastructure

The Simda.AT command and control infrastructure is organized differently than similar malware families.  Each binary contains up to six hard-coded IPs that dictate the communication infrastructure for each bot.  The Domain-Generation-Algorithm (DGA) that's normally used to define the infrastructure is instead used to generate a seed for the encryption that is used by the host and the command and control servers.

Using the RDTSC instruction, the DGA creates a random, 15-19 character long string that's embedded into a domain in one of the following formats:

  • report.<random>.com
  • update[1,2].<random>.com 

These domains are then injected as the 'Host' in the associated POST requests issued to the command and control servers.

To decrypt the 'report' HTTP request, append the query string to the hostname and use the result as the key. Then unquote the query value, enumerate each byte, and compute the decrypted byte with the following Python code snippet:

decrypted_string += chr(ord(cipher[i]) - ord(hostname[i % len(hostname)]))

The third, or 'update' request, requires an additional step to base64 decode the query string.
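The decryption steps above, written out as a runnable Python 3 decoder (an added example, not code from the original analysis). It assumes the "query string" is the parameter name and the "query value" is its percent-encoded value, that byte differences wrap modulo 256, and that an 'update' value is base64-decoded after unquoting; the hostnames, parameter name and plaintext are constructed.

```python
import base64
from urllib.parse import quote_from_bytes, unquote_to_bytes


def build_key(hostname, query_name):
    """Key = hostname with the query string appended (assumed: the parameter name)."""
    return (hostname + query_name).encode("latin-1")


def subtract_key(cipher, key):
    """Byte-wise form of: chr(ord(cipher[i]) - ord(key[i % len(key)])).

    The modulo-256 wrap is an assumption; the one-line snippet would raise on a
    negative difference.
    """
    return bytes((c - key[i % len(key)]) % 256 for i, c in enumerate(cipher))


def decrypt_report(hostname, query_name, query_value):
    """'report' request: unquote the value, then subtract the repeating key."""
    return subtract_key(unquote_to_bytes(query_value), build_key(hostname, query_name))


def decrypt_update(hostname, query_name, query_value):
    """'update' request: same as 'report' plus a base64 decode (order assumed)."""
    raw = base64.b64decode(unquote_to_bytes(query_value))
    return subtract_key(raw, build_key(hostname, query_name))


def encode_for_demo(plain, key, use_base64=False):
    """Inverse transform, used only to build the constructed samples below."""
    body = bytes((p + key[i % len(key)]) % 256 for i, p in enumerate(plain))
    if use_base64:
        body = base64.b64encode(body)
    return quote_from_bytes(body, safe="")


# Constructed samples: hostnames follow the report.<random>.com and
# update[1,2].<random>.com formats with a made-up 16-character label.
SAMPLE_HOST = "report.qwertyuiopasdfgh.com"
SAMPLE_UPDATE_HOST = "update1.qwertyuiopasdfgh.com"
SAMPLE_NAME = "id"                                   # hypothetical parameter name
SAMPLE_PLAIN = b"name=WORKSTATION-01&mac=00-11-22-33-44-55"

SAMPLE_REPORT_VALUE = encode_for_demo(
    SAMPLE_PLAIN, build_key(SAMPLE_HOST, SAMPLE_NAME))
SAMPLE_UPDATE_VALUE = encode_for_demo(
    SAMPLE_PLAIN, build_key(SAMPLE_UPDATE_HOST, SAMPLE_NAME), use_base64=True)

if __name__ == "__main__":
    print(SAMPLE_REPORT_VALUE)
    print(decrypt_report(SAMPLE_HOST, SAMPLE_NAME, SAMPLE_REPORT_VALUE))
    print(decrypt_update(SAMPLE_UPDATE_HOST, SAMPLE_NAME, SAMPLE_UPDATE_VALUE))
```

Because the key depends on the 'Host' value of each request, a capture must keep the request headers alongside the query value for decoding to be possible.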

Check-In and update

As alluded to earlier, Simda.AT has two primary functions while communicating with the command and control server:

  • 'report'
  • 'update'

These two functions are differentiated in the POST request sent to the servers, and they are normally issued to different servers through the hard-coded configuration in the binary.

The 'report' function acts as a simple check-in and provides the following type of information, from the victim machine, to the command and control server prior to terminating the connection ahead of the server response:

  • Adapter information
  • Assorted other system and registry information to distinctly identify the computer
  • Creation time of the folder "C:\System Volume Information"
  • Computer name
  • Hard disk information
  • MAC address
  • Volume serial number

This information is used to provide a unique ID for the bot.

In some situations, the bots can also append information about installed applications and running processes, which we suspect is used for anti-emulation updates in new samples.

The 'update' command is used when downloading modules or additional software packages.  Again, a small amount of machine and binary information is packaged from the victim machine and sent to a different 'module' server.  When the module server receives the request and responds with an 'Active' message, the bot drops an embedded component (TrojanDropper:Win32/Simdown.A) that handles the download and installation of all modules using hard-coded paths. 

Both functions are called at the initial infection and at every system restart.

It's interesting to note that Simda.AT has been using the same user agent strings in its command and control communication since 2012, which can provide a valuable signature for IPS/IDS engines:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"

"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
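The two network traits described above, the fixed user agent strings and the generated 'Host' values on POST requests, can be combined into a simple proxy-log check. This Python scanner is an added example, not a signature from the original analysis; it assumes a tab-separated log layout, reads "update[1,2]" as update1 or update2, and assumes the random label is lowercase letters and digits. The log lines are constructed.

```python
import re

# User agent strings quoted in this post, copied as published.
UA_FIREFOX = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) "
              "Gecko/20101114 Firefox/4.0b8pre")
UA_MSIE = ("Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; "
           ".NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; "
           ".NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729")
SIMDA_USER_AGENTS = {UA_FIREFOX, UA_MSIE}

# report.<random>.com / update1.<random>.com / update2.<random>.com, where
# <random> is 15-19 characters (character set assumed: a-z and 0-9).
HOST_RE = re.compile(r"^(report|update[12])\.[a-z0-9]{15,19}\.com$", re.IGNORECASE)


def scan_proxy_log(lines):
    """Return (line_no, source_ip, reasons) for every suspicious request.

    Assumed layout, tab separated:
    timestamp, source IP, method, destination IP, Host header, User-Agent
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != 6:
            continue                                   # not a request record
        _ts, source, method, _dest, host, user_agent = fields
        reasons = []
        hostname = host.split(":", 1)[0]               # ignore an explicit port
        if method.upper() == "POST" and HOST_RE.match(hostname):
            reasons.append("dga-host")
        if user_agent.strip('"') in SIMDA_USER_AGENTS:
            reasons.append("user-agent")
        if reasons:
            findings.append((line_no, source, reasons))
    return findings


# Constructed log lines; all addresses are private or documentation ranges.
NORMAL_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
SAMPLE_LOG = [
    "\t".join(["2015-04-10T08:00:01Z", "10.0.0.4", "GET", "198.51.100.10",
               "www.example.com", NORMAL_UA]),
    "\t".join(["2015-04-10T08:00:07Z", "10.0.0.5", "POST", "203.0.113.20",
               "report.kd83hs7qpz0xm2vb.com", UA_FIREFOX]),
    "\t".join(["2015-04-10T08:00:09Z", "10.0.0.5", "POST", "203.0.113.21",
               "update2.a1b2c3d4e5f6g7h8i9j.com:80", NORMAL_UA]),
    "\t".join(["2015-04-10T08:01:30Z", "10.0.0.6", "POST", "198.51.100.11",
               "update1.example.com", NORMAL_UA]),
    "\t".join(["2015-04-10T08:02:12Z", "10.0.0.7", "POST", "203.0.113.22",
               "203.0.113.22", '"' + UA_MSIE + '"']),
]

if __name__ == "__main__":
    for line_no, source, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {source} {', '.join(reasons)}")
```

Since each bot talks to hard-coded IPs and only injects the generated name as the 'Host' value, a "dga-host" hit with no matching DNS lookup from the same source is a further corroborating sign.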

While the disruption action can disable the ability of existing infections to download or update new software components, it will not disable modules that might have been installed by Simda.AT. 

If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials, Windows Defender, or your preferred Anti-Malware Solution.

As a part of our cleaning solution, we will detect and remove any malware distributed by this family, and return your HOSTS file to the default, blank, state.

As always, we urge Windows users to be vigilant against malware:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developer's.
  • Run antivirus software regularly.

As a reminder to organizations invested in security, if your organization is interested in joining or initiating an eradication campaign, or you are just interested in participating in the CME program, please see the CME program page. You can also reach out to us directly through our contact page for more information. 

Tommy Blizard, Rex Plantado, Rodel Finones, and Tanmay Ganacharya

MMPC

Upatre update: infection chain and affected countries

March 12th, 2015

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opening an attachment contained in a spam email. Since January 2015, we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families.

Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families.  For example:

  1. The malware reaches out to a command-and-control (C&C) server.
  2. It obtains instructions on how to spread malware to other machines. For example, it might install Hedsen or Cutwail and utilize the parameters specified by the C&C server. It might download information-stealing malware, such as Dyzap, Kegotip and Gophe families. Evotob might also be installed by Upatre. Evotob is a tampering malware which attempts to disable certain processes on the user's machine.
  3. Kegotip and Gophe mine information from the user's machine.
  4. The stolen information is then sent back to the C&C server.

 

The infection chain 

Essentially, a system is infected with Upatre through either the Hedsen or Cutwail threat family.  Upatre then spreads to other machines using Hedsen and Cutwail (a typical cyclical/symbiotic relationship we often see in spammers and information stealers), in an attempt to steal information about a user and their machine with Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.

  

Figure 1: Upatre infection chain since January 2015

 

Where is Upatre most prevalent?

The following chart shows the percentage of Upatre infections in the most affected countries.

Figure 2: A breakdown of the countries most affected by the Upatre infections since January 2015

 

Detection rates for these countries are as follows:

Figure 3: The data shows the United States having the most Upatre infections since January 2015

Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015

 

How can you help protect your enterprise software security infrastructure from Upatre? 

Upatre manages to sneak into security infrastructures by employing age-old social engineering tricks. It tricks people by enticing them to click on malicious links through spam emails.

A combination of the following will help protect against Upatre:

  1. Use the following free Microsoft software to detect and remove this threat:

  2. Keep the Microsoft Active Protection Service (MAPS) enabled on your system. See MAPS in the cloud: How can it help your enterprise? for details.

  3. Make sure to keep all software up to date.

 

Patrick Estavillo

MMPC

MSRT January 2014 – Bladabindi

January 14th, 2014

This month the Malicious Software Removal Tool (MSRT) includes a new malware family – MSIL/Bladabindi. An interesting part of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publicly available for download.

Because of this, there are many variants in this family, and they spread in many different ways, such as Facebook messages and hacked websites. Once installed, malware in this family can be used to take control of a PC and steal sensitive information. We added Bladabindi to the MSRT due to its prevalence throughout 2013.

Figure 1: Telemetry data showing the prevalence of Bladabindi

Bladabindi variants can be created by using the Remote Access Tool (RAT) known as "NJ Rat". We detect this RAT as VirTool:MSIL/Bladabindi.A. Bladabindi can also be downloaded by recent variants of Jenxcus family, which likely has the same author as Bladabindi.

Recently its author released a dedicated downloader to download Bladabindi and run it directly from memory – we detect this as TrojanDownloader:MSIL/Bladabindi.A.

Bladabindi variants are usually installed with an enticing name and icon to trick people into running it. The following are some sample file names:

  • فيس بوك.exe – (Facebook.exe)
  • فيديو قتلى المجموعات الإرهابية.exe – (Video killed the terrorist groups.exe)
  • ! My Picutre.SCR
  • Windows_7_Activators.exe
  • hot.exe
  • StartupFaster.exe

Below are some sample icons:

Figure 2: Some file icons used by Bladabindi

Bladabindi is written in VB.NET, and usually obfuscated with various .NET obfuscators to avoid detection. It uses undocumented APIs to make itself a critical process, which will cause a system crash if it is terminated. This can make it difficult to remove from your PC when the malware is running. MSIL/Bladabindi also has backdoor functionality, including:

  • Using your camera to take pictures
  • Running files
  • Registry manipulation
  • Remote shells
  • Key logging
  • Screen captures
  • Loading plugins dynamically
  • Updating
  • Uninstalling
  • Restarting

From information we collected, it seems Bladabindi's author tries to show their ability to develop malware, to help their chances of being hired on to other projects. They even use the following picture (showing infected machines) as the header photo of their Twitter page.

Figure 3: Bladabindi author's Twitter page

Though there is no direct evidence connecting the author, distributor, and online account owner associated with the malware, the same user name is consistently used across multiple forums and social media. Do you remember the infamous Win32/Hupigon worm? – Another case where a malware author wrote a backdoor, but claims they didn't distribute it.

As usual, the best protection from Bladabindi, and other malware or potentially unwanted software, is to have up-to-date security software installed and to be aware of the risks of social engineering.

Zhitao Zhou, Steven Zhou, and Francis Allan Tan Seng
MMPC


Korean gaming malware – served 3 ways

December 21st, 2012

Recently, we’ve seen similar activities being performed by different malware that monitor online Korean applications. Mostly, the applications they monitor are card games, such as those in Figure 1.

Figure 1: Examples of online Korean games that are being monitored. (Source: http://www.hangame.com)

 

The following applications are monitored if found running on the system:

  • LASPOKER.EXE
  • highlow2.exe
  • baduki.exe
  • duelpoker.exe
  • HOOLA3.exe
  • poker7.exe
  • FRN.exe

The first malware is Trojan:Win32/Urelas.C. Written in Delphi, this malware uses a typical spying technique. It takes screenshots of a user’s gaming activity by looking for the processes listed above at certain positions on the screen; these screenshots could then be used to observe the gaming behavior of the compromised user. It sends copies of the screenshots it captures to a remote server in JPG, TIFF, or BMP picture format and also gathers other information from the compromised system, such as the computer name and user login details. 

The second malware is Trojan:Win32/Gupboot.A. This malware takes things a step further, introducing a bootkit component and reusing code from Urelas to overwrite the MBR (which we detect as Trojan:DOS/Gupboot.A). Part of this malware’s payload is to allow kernel-mode hooking to hide the malware process and its suspicious activities from the user, making the system run in a compromised state.

Like most malware that overwrites the MBR, the main intent is to use the malware’s 16-bit loader to execute the payload. The malware uses its own copy of explorer.exe (dropped as temp1234.dat) written on the physical sector and redirects execution of the system’s original explorer.exe to the malware copy (see Figure 2). This type of behaviour is also discussed in the Bitdefender LABS blog “Plite bootkit spies on gamers”.

Figure 2: Portion of Trojan:DOS/Gupboot.A written on disk with intent to replace C:\Windows\explorer.exe execution

Also found in the body of the malware code is a zip archive that contains an executable detected as Trojan:Win32/Gupboot.A.

The third and last malware is Backdoor:Win32/Blohi.B. The malware is compiled in VB and usually arrives disguised as a game bundled in an NSIS installer with names such as Plants vs. Zombies, StarCraft and others. Once installed, it pings http://blog.naver.com/PostView.nhn, a very popular Korean search engine, to test for an internet connection. It logs keystrokes, monitors the processes listed above (if they exist) and has predefined backdoor commands that can modify the process list, take screenshots and uninstall the malware. It can also display a fake blue screen (see Figure 3) – possibly to force the user into rebooting their computer so that the Blohi malware can install other malware.

Figure 3: Fake blue screen

 

We also observed that these threats are most prevalent in Korea compared to other geographical locations, as seen from the following reports for the month of November 2012.

Table 1: Urelas infection

 

Table 2: Gupboot infection

 

Table 3: Blohi infection

 

The aim of the malware authors is to gather information, for example:

  • User login details
  • Credit card details – used for purchasing game money and avatar upgrades
  • Korean ID – similar to a social security number, required for registration and verification purposes
  • Screenshots – taken to observe the gaming behavior of the user and possibly to provide an advantage to the authors if they choose to play with the user

MMPC strongly recommends users be cautious with files downloaded from the internet. Always verify that it comes from a reputable source before executing the binary. In the case of Blohi and other malware posing as installers, instead of playing a full version of the game, you might end up getting played by malware authors.

Marianne Mallen
MMPC


An analysis of Dorkbot’s infection vectors (part 2)

November 21st, 2012

In part 1 of this series, we talked about Dorkbot and its spreading mechanisms that required user interaction. In this post, we’ll talk about how Dorkbot spreads automatically, via drive-by downloads and Autorun files.

Spreading vectors not requiring user interaction: Drive-by downloads and Autorun files

Dorkbot can also spread automatically, without user interaction. We recently encountered a malicious Java applet that exploits the vulnerability described in CVE-2012-4681 to distribute the Dorkbot worm. We detect the applet as Exploit:Java/CVE-2012-4681.HD. Let’s take a closer look at how this exploit works.

Java applets that are not digitally signed are considered untrusted. They are executed with limited permissions by the Java Runtime Environment. Before it can download and execute arbitrary files, Exploit:Java/CVE-2012-4681.HD has to disable the security manager, which defines the security policy of the applet. The security manager can be disabled with a call to System.setSecurityManager(null), but applets are restricted from calling this method directly.

The exploit relies on vulnerabilities in the implementation of the following two methods:

  • Method com.sun.beans.finder.ClassFinder.findClass(String,ClassLoader)
  • Method com.sun.beans.finder.MethodFinder.findAccessibleMethod(Class,String,Class[])

We decompiled the method ClassFinder.findClass to determine why it was vulnerable. As shown in Figure 8, ClassFinder.findClass calls the method Class.forName in its internal implementation. The method Class.forName in turn only looks at the immediate caller to perform security checks. As you can see, the vulnerability lies in the way Class.forName is used, and not in the method Class.forName itself.

The fix was to perform an additional package access check at the beginning of method ClassFinder.findClass, a check that fails if an applet attempts to access a restricted Java class (Figure 8).

Figure 8: The vulnerability in com.sun.beans.finder.ClassFinder.findClass(String,ClassLoader)

Another issue, this time in the implementation of the method sun.awt.SunToolkit.getField(Class,String), allows one to access private members of Java classes. The method SunToolkit.getField would not be accessible by default to user code, but the exploit calls it with the help of a java.beans.Expression object. java.beans.Expression.execute() is also vulnerable because it relies on the two vulnerable methods described above.

Exploit:Java/CVE-2012-4681.HD calls SunToolkit.getField to modify a private member of a java.beans.Statement object and set the access control context to “all permissions”. The class Statement can be used to invoke methods from arbitrary classes with modified access control context value. The exploit relies on a Statement object with modified access control context to invoke the privileged method System.setSecurityManager. After this, it has the permission to download additional malware (Figure 9).

Figure 9: Execution flow of Exploit:Java/CVE-2012-4681.HD

As is typical for Java exploits nowadays, the code of Exploit:Java/CVE-2012-4681.HD is heavily obfuscated to try to bypass AV detection. Figure 10 shows how the exploit retrieves the private field “acc” of the java.beans.Statement class, a field that defines the access control context.

Figure 10: Obfuscated code in Exploit:Java/CVE-2012-4681.HD

Exploits for CVE-2012-4681 are guaranteed to work if the Java Runtime Environment is vulnerable (unlike exploits for memory corruptions, for instance). They are also platform independent (so they can also infect *nix and Mac users) and target a huge base of Java installations.

Unsurprisingly, as shown in Figure 11, our telemetry indicates that exploits for CVE-2012-4681 have been widely used to distribute malware since the vulnerability was first made public in late August 2012. A security update to resolve it was released around the same time.

Figure 11: Infection attempts with CVE-2012-4681 Java exploits reported from September 15th to October 17th, 2012

To avoid getting infected through drive-by downloads, make sure your software is up to date – for Java specifically, we talked about that in a previous post.

Worm:Win32/Dorkbot can also infect removable drives, by creating an autorun.inf file that points to a copy of the worm. If you have Autorun enabled in your computer, Dorkbot automatically runs whenever the removable drive is accessed. Fortunately, this distribution method is not very effective anymore as explained in a previous blog post. Please keep your Windows up-to-date to deal with this infection vector.

Conclusion

As we previously mentioned, malware these days use a variety of ways to infect computers and Dorkbot is no exception. And its access to a C&C server allows for a certain level of dynamic behavior. Because of this, we advise users to be more vigilant against all the different channels that Dorkbot uses.

And finally, always make sure your definitions are up-to-date for your antivirus solution. If you don’t have one and you’re running Windows XP, Vista, or 7, you can download and install Microsoft Security Essentials for free. If you’re using Windows 8, make sure your antivirus program is enabled and running properly.

The following are the SHA1s of the samples that we’ve analyzed for this blog post:

  • Exploit:Java/CVE-2012-4681.HD – f624121d44b87369ba9ffa975db64fbb7bc395b3
  • Worm:Win32/Dorkbot spreading component – 11a2ddb73af46060802537dec0f8799e2a0dc13f
  • Worm:Win32/Dorkbot.A – 4176f4193b1ef64569bf0ab220113cce6074df4e
  • Worm:Win32/Dorkbot.I – 37c09e044ebe57eb66aa6c72cb039140b3b985f1

Horea Coroiu, MMPC Munich

An analysis of Dorkbot’s infection vectors (part 1)

November 14th, 2012

Malware nowadays benefits from the complexity of the Internet ecosystem to infect new computers through vectors such as browser plugins, social networks, and instant messaging programs.

In this two-part series, we’ll look at Worm:Win32/Dorkbot, a prevalent worm with the capabilities of an IRC backdoor and a password stealer. Dorkbot relies both on social engineering attacks and on methods that don’t require human intervention, such as infected removable drives and drive-by downloads. This versatility has contributed to a spike in Dorkbot detections in the last year and a half: over 28 million detections of Dorkbot have been reported since we saw this malware family in April of 2011, as seen in Figure 1.

Figure 1: Number of Worm:Win32/Dorkbot detections since 2011 based on MAPS telemetry

Dorkbot uses IRC over SSL to communicate with its command-and-control (C&C) server. To find out what it’s transmitting to the remote attacker, we intercepted the SSL-encrypted traffic, as shown in Figure 2.

Figure 2: A machine infected with Dorkbot talking to the C&C server

Dorkbot hooks several Windows APIs related to network access to steal FTP and website login credentials. The network traffic capture in Figure 2 also shows Dorkbot stealing FTP credentials from Total Commander and login credentials for several websites: facebook.com, gmail.com and mail.yahoo.com. For a full list of the websites that are targeted, please see the Worm:Win32/Dorkbot description.

After it connects to an IRC channel, the worm is instructed to download its spamming component and additional malware, such as Worm:Win32/Gnoewin.A, Worm:Win32/Gnoewin.B, Trojan.Win32.Lethic.F, and Worm:Win32/Pushbot.gen.

This first post is about Dorkbot’s spreading vectors that require user interaction.

Spreading vectors requiring user interaction: Social engineering, IM programs, and social networks

Dorkbot relies on simple social engineering attacks to propagate with user interaction. Using its downloaded spamming component, it spams all the contacts on Windows Live Messenger and Skype with an enticing message, designed to trick them into downloading and running a Dorkbot copy.

Figure 3: Dorkbot posting a goo.gl short URL in a Skype window; the URL leads to a copy of the Dorkbot worm

The spreading mechanism is as follows: Dorkbot downloads a separate spamming component, which in turn spams the user’s contacts with a link to the main Dorkbot executable. If the contact opens the link and executes Dorkbot, the spamming component is downloaded again, and the cycle continues as shown in Figure 4.

Figure 4: The relationship between the spamming component and the main executable

The attack is made more effective by the localization of the spammed message in over 24 languages (Figure 5). Dorkbot picks up the language depending on your Windows locale from one of: English, French, Portuguese, Spanish, Hungarian, Dutch, German, Swiss German, Albanian, Swedish, Turkish, Serbian, Polish, Italian, Norwegian, Czech, Russian, Slovakian, Danish, Thai, Mandarin, Indonesian, Vietnamese, and Filipino.

Figure 5: Localized messages are hardcoded in the resource section of the Dorkbot component

We checked a goo.gl short URL link out of the hundreds that have been spammed by Dorkbot. As of this writing, it’s been clicked about 100,000 times. The access pattern shows a spike for a short period of time, until the link is flagged as malicious by Google.

Figure 6: Statistics for a spammed link leading to Dorkbot

Another way that it spreads using social engineering is by posting arbitrary messages, such as links to malware, on the following social networks: Facebook, Twitter, VKontakte, Friendster and Bebo, whenever it is instructed by its C&C server.

In the case of Firefox, Dorkbot hooks the function PR_Write exported by nspr4.dll. This function gets called every time the browser writes data to a remote socket. To take the example of Facebook, when a user writes an instant message to another user, an HTTP POST request containing details about the message is sent to facebook.com. The HTTP request triggers a call to the PR_Write hook and Dorkbot has a chance to inject additional content into it, such as malware URLs (see Figure 7).

Figure 7: Dorkbot hijacking Facebook messages

To avoid getting infected through Dorkbot’s social engineering attacks, be careful about the links you click on, even if they’re from a trusted source – if possible, verify with your contacts first that they actually did send you the link. If you’re using Internet Explorer 8 or newer, SmartScreen checks the URLs that you open to make sure they don’t lead to malware.

Next week, spreading vectors not requiring user interaction.

Horea Coroiu, MMPC Munich

Categories: Dorkbot, malware research

Don’t fall for Folstart

November 13th, 2012

We use thumb drives in different ways – usually to transfer files from one computer to another. When we create folders in thumb drives, we have a certain level of confidence that the folder isn’t malicious or doesn’t contain malware. Unfortunately, this assumption is not always true. For the month of November, we added the Folstart family to the Microsoft Malicious Software Removal Tool (MSRT).

Folstart is a family of worms that copies itself using the same names as folders in your USB drives. In addition, it uses the folder icon to further its deception. Although this technique is not new, it still infects several thousand users, mostly in the United States, as shown in the graph below:

Figure 1: Distribution of Win32/Folstart

The following screenshot shows a drive viewed with the folder options set to hide known file extensions and not show hidden files, folders and drives. The item appears to be a normal folder but is actually W32/Folstart. Executing it will lead to an infection.

Figure 2: Folstart sample named “new folder”

To avoid this scenario, it is good practice to show hidden files, system files and file extensions. To do this, in Windows Explorer, go to Organize > Folder and Search options and then click the View tab:

Figure 3: How to display hidden files and folders, and show file extensions

This way, your computer can reveal the real files that are actually there. Here’s the same folder as in Figure 2 with these settings enabled:

Figure 4: The same sample in Figure 2, with the file extension visible

For some users who prefer to hide files and extensions, there is an alternative – right-click on the file and check what’s written under “Type of file” in the General tab. Figure 5 shows a Folstart copy with the file type as an executable.

Figure 5: File type is .exe for a Folstart sample

A real folder type should be File folder:

Figure 6: File type is folder for a real folder
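The same comparison can be run over a whole drive instead of one item at a time. The Python script below is an added example, not part of the original post or of any Microsoft tool; it assumes the genuine folder is still present beside the worm copy, and the extension list, function names and sample tree are constructed for illustration.

```python
import os
import tempfile

# Extensions Explorer launches directly; this set is an assumption of the example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def has_mz_header(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def find_folder_impostors(root):
    """Return (relative path, has MZ header) for every executable-named file
    whose name minus extension equals a sibling folder's name."""
    findings = []
    for parent, dirs, files in os.walk(root):
        folder_names = {d.lower() for d in dirs}  # Windows names ignore case
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXECUTABLE_EXTS and stem.lower() in folder_names:
                full = os.path.join(parent, name)
                findings.append((os.path.relpath(full, root), has_mz_header(full)))
    return sorted(findings)


def build_constructed_drive(root):
    """Constructed sample tree standing in for a USB drive (no real malware)."""
    os.makedirs(os.path.join(root, "New folder"))
    os.makedirs(os.path.join(root, "Photos", "2012"))
    samples = {
        "new folder.exe": b"MZ\x90\x00constructed",   # shadows "New folder"
        "setup.exe": b"MZ\x90\x00constructed",        # no folder of that name
        "Photos.txt": b"notes",                       # not an executable name
        os.path.join("Photos", "2012.scr"): b"MZ\x90\x00constructed",  # nested
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_constructed_drive(drive)
        for rel, is_pe in find_folder_impostors(drive):
            print(f"suspicious: {rel} (MZ header: {is_pe})")
```

To check a real drive, call `find_folder_impostors` with its root path; a hit means an executable shares a folder's name, which is worth inspecting before anything is opened.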

Most of the things we discussed were about preventing infection by Folstart. If you suspect that you were infected by Win32/Folstart, we suggest running the MSRT. For more details about Win32/Folstart, please visit our encyclopedia.

Francis, MMPC

Categories: Folstart, malware research, MSRT

All copy and paste makes Jack a bored boy

October 31st, 2012

We recently came across what appeared to be a new sample, but was actually part of malware discovered in 2010. This new-old sample is built from publicly available source code and, like many of its kind, is frequently rebranded. Because of all the changes that malware authors have made, we have detection for each customized iteration. One such iteration (SHA1 8d81462089f9d1b4ec4c7423710cf545be2708e7) is commonly deployed under private obfuscators (such as H1N1 or Umbra). We detect this threat as TrojanSpy:Win32/SSonce.C (the sample also has a message for antivirus researchers, asserting that our job is monotonous and boring).

Other backdoors that originate from the same source code are currently detected as Backdoor:Win32/Bezigate.A, Backdoor:Win32/Talsab.C, and Backdoor:Win32/Nosrawec.C. What we are seeing here is rampant use of copy/paste in the code. Because of this, all these spying families share common features, such as reverse-connection to an attacker’s server, plugins capable of file transfers, screen capture, and anti-virus software disabling. Although the code is publicly available, there are some features, such as mouse/keyboard control, which are only available in private versions, as seen from the Facebook page of one of the authors.

A high number of version builds and obfuscator updates is characteristic of these types of threats, as the malware authors are constantly struggling to bypass our scanner’s detection.

So essentially, because antivirus researchers are doing their job well, malware authors have to copy/paste code over and over again. Well, we think that’s boring.

Mihai Calota
MMPC Munich

Categories: malware research