Thursday, January 18, 2018

Tag: zero-day attacks

Adobe Systems released security updates for its Flash Player, Adobe Reader and Acrobat products fixing critical vulnerabilities that could allow attackers to install malware on computers. The Flash Player update fixes 13 vulnerabilities, 12 that can lead to remote code execution and one that allows attackers to bypass a security restriction and disclose information.

Adobe is not aware of any exploit for these flaws existing in the wild. Users are advised to upgrade to Flash Player version on Windows, Mac and Linux.

The Flash Player plug-in bundled with Google Chrome, Microsoft Edge and Internet Explorer will be upgraded automatically through those browsers' respective update mechanisms.

The Adobe Reader and Acrobat updates address 29 vulnerabilities, 28 of which can lead to arbitrary code execution. As with the Flash Player flaws, Adobe is not aware of any of these vulnerabilities being exploited by attackers. The company advises Acrobat DC and Reader DC users to upgrade to version 15.023.20053 if they use the "continuous" release track, or to version 15.006.30279 if they're on the "classic" track. Users of the older, but still supported, Acrobat XI and Reader XI should upgrade to version 11.0.19.

Because of their security sandbox, which makes exploits significantly harder to implement, Adobe Reader and Acrobat are rarely targeted by hackers today compared to some years ago. Flash Player, however, remains a hacker favourite: zero-day attacks against it are relatively common, and exploits for it are integrated into widely used Web-based attack tools.

With the current Windows Insider cycle previewing the Creators Update for Windows 10, Microsoft has started talking about what it’s going to mean for the enterprise.

There’s a lot in the new release beyond the headline 3D features, with a strong focus on improving enterprise security and management. The current threat landscape is complex, with regular revelations of significant data breaches and an ever-evolving set of attacks and attackers.
It’s good to see Microsoft making a commitment to helping businesses deal with the aftermath of a network intrusion, with support for a new release of its Windows Defender Advanced Threat Protection (ATP) tool as part of the next major enterprise release of Windows 10, due sometime in the first half of 2017.

What is Windows Defender ATP?

There’s some confusion about the role of Windows Defender ATP, partly because it shares part of its name with Windows’ Defender antivirus tools.

Although ATP is part of your overall security tools, alongside Defender, the Edge browser’s SmartScreen download manager, and the spam and malware filters built into Office 365, ATP is specifically a post-attack tool, using telemetry from managed PCs to track the path of an attacker through your network. Modern network security is about layering responses and having effective tools that work to prevent, detect, and clean up after breaches.

ATP won’t stop your network being breached, but it will help identify breaches after they’ve occurred and give you more understanding of how they happened and what information might have been compromised.

That’s an important distinction from other security tools, one that makes ATP an increasingly important tool in a rapidly changing regulatory environment. Businesses with customers in the European Union will already be aware of the requirements of the U.S.-EU Privacy Shield agreement and the upcoming implementation of the EU’s General Data Protection Regulation breach notification rules—along with the possibility of heavy fines. Understanding what happened during an attack and any resulting breaches is a key component in any active security process. You can’t be prepared for every instance, not when zero-day attacks sell for more than the available security vulnerability bounties.

That means it’s not a matter of if but of when you’re attacked.

ATP’s after-breach analysis

Tools like ATP analyze the behavior of possibly compromised systems to give you a picture of what happened and how it happened.

That’s key to developing your response to attacks, working out what policies must be implemented to prevent a recurrence, and figuring out what needs to be done to ensure that attackers no longer have access to your systems and that you have as complete a trace of their actions as possible. A set of endpoint sensors built into Windows 10 delivers behavioral information to Microsoft’s cloud services, which use machine learning to interpret the signals from your devices.

By understanding what the behavior of a normal PC looks like, ATP can then identify the signature of a compromised device—before drilling down to see what had been compromised and how.

The Windows 10 Creators Update version of ATP updates the existing sensors to handle a new generation of attacks, so it can detect in-memory malware, kernel-level attacks, and cross-process code injections. Note that when attack information is shared outside Microsoft, it’s anonymized and only used to build improved detection and response tools. One important consideration: These sensors aren’t delivering telemetry to Microsoft all the time.

They’re only accessed when you suspect you’ve been breached and are using Windows Defender ATP to respond to the attack. ATP is also “a backstop for when threat prevention fails,” says David Weston, the head of research at the Windows Defender ATP group. Using ATP to quarantine infected systems allows deeper forensic analysis, as well as the opportunity to remove malware and close down exploits.

The ability to quickly isolate suspected breaches is key, especially as it’s handled from outside your network, using a cloud service. That reduces the risk of attackers seeing your response to their intrusion, because you are managing that response from uncompromised systems.

IT systems management in the cloud

Windows 10 Creators Update’s ATP release will build on the cloud-based security tools released with the Windows 10 Anniversary Update, giving system administrators a single portal, the Windows Security Center, for examining the security state of all their managed devices. Here you get access to security intelligence from Microsoft and partners like FireEye, and can share details from your own forensic analysis to improve the ATP machine learning models. You can then pivot from Windows Defender ATP to Office ATP: once you’ve determined which PCs and users have been compromised, it’s possible to track down the malware or phishing techniques that were used to gain the initial foothold. It’s all part of a renewed focus on Microsoft’s part on moving device management away from on-premises tools to the cloud.

Although that approach may seem to be at odds with traditional device management, it’s an approach that makes a lot of sense with changes in how PCs are deployed and used.

Cloud-based tools and analytics work nicely when used by distributed and remote staff, as well as with BYOD deployments. The days of the regularly replaced fleet of on-premises PCs are long gone, and cloud-based management makes it possible to manage devices wherever they are, as long as they are connected to the internet.

WinPatrol WinAntiRansom

Almost all the antivirus programs in my reviews are just updates of products I've examined many times over the years. I rarely see anything new, which is why I was excited to check out WinPatrol WinAntiRansom. Despite the name, this product aims to protect against all forms of malware, not just ransomware. Because it analyzes program behavior rather than relying on signatures, it should in theory be equally effective against all malware, including brand-new zero-day attacks. In practice, however, it both missed some malware and falsely identified many good programs as malicious.

At $19.95 per year, or $24.95 for three licenses, WinAntiRansom is decidedly less expensive than most. Looking strictly at the list price, Bitdefender Antivirus Plus 2017, Kaspersky, Norton, and Webroot all cost twice as much for a single license. McAfee runs three times the price of WinAntiRansom, but permits unlimited installations. On the other hand, paying a bit more gets you a lot more in the way of protection in this case.

WinAntiRansom is unusual in that it doesn't have a home screen or main window. At launch, it displays the settings page, with a ribbon across the top allowing access to logs, configuration, help, and so on. A set of icons at top right expands into a screen that lets you select from nearly four dozen skins, including several devoted to specific seasons or holidays. I can't quite fathom why an anti-malware program needs so many skins, though.

Immediately after installation, WinAntiRansom runs a scan to identify and list known good programs present on the system. Clicking the Programs icon displays this list, which flags digitally signed programs and Windows components with special icons. Once this scan finishes, WinAntiRansom is on the job.

Malware Blocking on Launch

The independent antivirus testing labs around the world have more resources than I do for putting security programs to the test. The fact that they test a program at all says that they consider it important enough, and that the vendor is up for participation. Good scores? Even better! Kaspersky Anti-Virus in particular earns excellent scores from all the labs that I follow.

Unfortunately, none of the labs include WinAntiRansom in testing. That doesn't mean it's bad, but it doesn't inspire confidence.

With no test results from the independent labs, I had to rely entirely on my hands-on testing of this utility's efficacy. Unlike most antivirus apps, WinAntiRansom looks only at program behavior, so there's no on-access scan. That made testing simple. I just launched each malware sample in my collection and recorded the app's reaction.

The antivirus detected 97 percent of my samples, the same as Norton, Trend Micro Antivirus+ Security, and a few others. In each case, it popped up a notification window with the title "PreEmptive Strike Block!" and a line stating "Performed a Ransomware/Malware like action" followed by a number in parentheses. The popup offered two choices, Allow Next Time and Quarantine. WinAntiRansom detected some of the samples immediately on launch, others after a little time had passed.

Those numbers intrigued me. During my testing, I encountered 15 different numbers, ranging from one to 3001. My contact at the company explained that the numbers represent the final action that pushed the program's aggregate behavior score over the top. "We've never made them public because we don't want to help the malware authors find a way to avoid detection, or competitors to improve their products," he explained.

WinAntiRansom's quarantine prevented most of the malware samples from installing anything at all. However, in a few cases I found a malware process not only installed but running. It's possible that the behavior-based detection system quarantined one process but missed another. This brought WinAntiRansom's overall score down to 9.2 points. Symantec Norton AntiVirus Basic and Trend Micro earned 9.7 points because they completely blocked every detected malware attack. Webroot ranks at the top in this test, with a perfect 10 points.

Many False Positives

I could write an antivirus program that absolutely blocks every malicious program. The only problem is, it would also block every non-malicious program. In the real world, antivirus utilities have two goals—to block all malicious programs, and to leave all valid programs alone. False positives, flagging valid programs as malicious, break down the user's trust in the accuracy of the antivirus.

For a false-positive sanity check, I tested WinAntiRansom's reaction to a collection of utility programs once published in PC Magazine. I keep these utilities in the same folder as the malware samples, going through the list alphabetically, and launching both good and bad programs.

The results were dismal. Only five of the 20 programs escaped WinAntiRansom's preemptive strike block. Yes, the user could choose to allow the program next time, and launch it again. But I'm not a fan of security programs that leave that sort of decision to the user. The fact that the popup notification doesn't identify its reason for classifying the program as malware makes that decision extra tough.

Blocking the Latest Threats

I couldn't apply my usual malicious URL blocking test to WinAntiRansom, because it doesn't attempt to block access to malware-hosting URLs and doesn't scan downloads until they run. I value this test, however, because the malware samples in the feed supplied by MRG-Effitas are very current, and the URLs themselves no more than a day old. So, I devised a modified test for WinAntiRansom.

Usually I use 100 samples, but for this more labor-intensive test I stopped once I had downloaded 50 of them. Then I simply went down the line, launching each and noting the application's response. The results were disappointing. WinAntiRansom only offered to quarantine 78 percent of the samples. Norton blocked 98 percent, mostly by wiping out the downloaded malware. Avira Antivirus Pro managed 95 percent protection, almost all by steering the browser away from the malware-hosting URL.

Just for a sanity check, I ran the MD5 hash of each sample through VirusTotal. VirusTotal checks each sample against more than 50 antivirus engines and reports how many deemed it malicious. I recorded the percentage that flagged each sample as malicious. For files that WinAntiRansom detected, the average VirusTotal detection rate was 59 percent. For those that it missed, the average was 53 percent, which isn't much of a difference.

To be fair, it's possible that some of those missed files simply hadn't started their malicious behaviors. That's a hazard of strict behavior-based detection—it can't identify a program that's just lurking in the background, waiting for an opportunity to misbehave. But Webroot SecureAnywhere AntiVirus also uses behavior-based detection, and it scored much better in all of my tests.


Other Features, and Flaws

WinAntiRansom has numerous additional layers to prevent damage by a malicious program that gets past its behavior-based detection. Network Lockdown works like a firewall's program control, blocking network connections by programs not on the trusted list. Registry protection prevents unknown programs from making changes to critical Registry areas. The company deliberately doesn't list the critical Registry areas, so as not to make things easy for hackers.

As a further bulwark against ransomware, WinAntiRansom denies unknown programs access to files in the SafeZone, which, by default, is a subfolder of your Documents folder. I thought it would make more sense to put the entire Documents folder in the SafeZone, but the app wouldn't let me. From the ribbon, you can click icons to view all recent actions by Registry protection, Network Lockdown, and SafeZone.

I tried to test Network Lockdown by surfing the Internet with my hand-coded tiny browser. However, WinAntiRansom identified it as malicious. The only way I could run it was to mark it as trusted, at which point it was no longer subject to Network Lockdown. Likewise, I thought I could test SafeZone using a tiny text editor that I wrote myself, but WinAntiRansom quarantined it. All three of my lists remained empty, just as they are in the help system's screenshots.

During my testing, the program froze several times, triggering a query from Windows about whether I wanted to just close it, or seek a solution first. It also crashed with an unhandled exception error message a couple times.

I also encountered a very bizarre behavior related to the skins feature. First, I selected the Valentine's Day skin, which turns the background pink, with little hearts scattered around. Then I resized the window. At this point, the background started cycling through three views, each one sweeping down slowly from the top. One was the correct pink-heart background, one was a window-filling grid of little gear icons, and one was just black. The peculiar display stopped after a while, but started again if I resized the window. This behavior was completely repeatable, and happened with some, but not all, of the other skins. I mentioned earlier that I'm baffled by the huge amount of design attention given to supplying dozens of skins, and the weird skin behavior just makes it more puzzling.

Needs Work

WinPatrol WinAntiRansom aims to keep you safe from known and unknown malware by basing its detection on behavior, not on predefined signatures. It's a noble goal, but as far as I could see in testing, the program has a long way to go. It missed some malicious programs, blocked many valid programs, and exhibited oddly buggy behavior in testing.

Out of the huge number of antivirus products out there, we've identified five as Editors' Choice: Bitdefender Antivirus Plus, Kaspersky Anti-Virus, McAfee AntiVirus Plus, Symantec Norton AntiVirus Basic, and Webroot SecureAnywhere Antivirus. Each has its own virtues; for example, McAfee offers unlimited installations, and Webroot uses behavior-based detection successfully. You pay more for one of these antivirus utilities, but you get significantly better protection.



Microsoft has singled out Sofacy, an APT group long thought to have ties to Russia’s military intelligence arm, the GRU, as the entity behind targeted attacks leveraging Windows kernel and Adobe Flash zero days. The group, which Microsoft calls Strontium, is also known as APT28, Tsar Team and Sednit, among other identifiers. Microsoft said the zero-day vulnerability, whose existence was disclosed along with limited details on Monday by Google, will be patched Nov. 8.

Google said yesterday it privately disclosed both zero days, which were used in tandem in these targeted attacks against unknown victims, to Microsoft and Adobe on Oct. 21.

Adobe rushed an emergency patch for Flash Player on Oct. 26, while Microsoft had not acknowledged the vulnerability until Google’s disclosure. Microsoft was critical of Google’s action yesterday and reiterated its stance today in a post providing some details on the vulnerability and the attacks. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” said Terry Myerson, executive vice president of the Windows and Devices Group at Microsoft. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.” Microsoft added that it is coordinating with Google and Adobe on the patch, which is being tested by partners. Nov. 8 is Microsoft’s next scheduled patch release. Microsoft said the attacks were spreading in what it called a “low volume” spear-phishing campaign.

Sofacy’s targets are largely strategic: government agencies, diplomatic institutions, military organizations, defense contractors and public policy research institutes. “Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016,” Myerson said. Sofacy has been blamed by the U.S. government for attacks against the Democratic National Committee, and Russia has been accused of attempting to influence the U.S. presidential election via these hacks. The attacks chained the two zero days in order to gain persistent access to the targeted computers, Microsoft said.

First, an exploit was used against the Flash vulnerability, a use-after-free flaw in ActionScript runtime code running in the software. Once Flash was compromised in order to gain control of the browser process, the attackers used a second exploit to target a Windows kernel vulnerability, present in Windows Vista through current versions of Windows 10, to elevate privileges and escape the browser sandbox.

From there, they were able to install a backdoor and gain persistent access on the victim’s computer in order to send more commands to move stolen data off the machine. Microsoft said that the particular win32k kernel component targeted in these attacks had been recently updated with new exploit mitigations that should prevent the exploits from working. Microsoft also said that the backdoor DLL used in these attacks can be blocked via strict Code Integrity policies, which Microsoft’s Edge browser does natively.
It’s unknown whether the attacks were successful. “This does not guarantee that attackers will not find an alternative workaround, but Microsoft will issue a comprehensive update to address the issue soon,” Myerson said.

Yesterday’s abrupt disclosure by Google was in accordance with its internal policies, which give vendors 60 days to patch critical vulnerabilities or to notify users about the risk and any workarounds or temporary mitigations, and seven days to at a minimum report on critical flaws under active exploitation. “Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” Google said in 2013 upon publicizing its disclosure policy.

A few days ago, Microsoft published the “critical” MS16-120 security bulletin with fixes for vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. One of the vulnerabilities, CVE-2016-3393, was reported to Microsoft by Kaspersky Lab in September 2016. Here’s a bit of background on how this zero-day was discovered.

A few months ago, we deployed a new set of technologies in our products to identify and block zero-day attacks. These technologies proved their effectiveness earlier this year, when we discovered two Adobe Flash zero-day exploits, CVE-2016-1010 and CVE-2016-4171. Two Windows EoP exploits have also been found with the help of this technology: CVE-2016-0165 and CVE-2016-3393.

Like most zero-day exploits found in the wild today, CVE-2016-3393 is used by an APT group we call FruityArmor. FruityArmor is perhaps a bit unusual in that it leverages an attack platform built entirely around PowerShell. The group’s primary malware implant is written in PowerShell, and all commands from the operators are also sent in the form of PowerShell scripts. In this report we describe the vulnerability that was used by this group to elevate privileges on a victim’s machine. Please keep in mind that we will not be publishing all the details about this vulnerability because of the risk that other threat actors may use them in their attacks.

To achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit. Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine. Most of the recent attacks we’ve seen that rely on a browser exploit are combined with an EoP exploit, which allows for a reliable sandbox escape. In the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit. This comes in the form of a module which runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module loads the exploit code directly from memory with the help of AddFontMemResourceEx. After successfully leveraging CVE-2016-3393, a second-stage payload is executed with higher privileges to run PowerShell with a meterpreter-style script that connects to the C&C.

The vulnerability is located in the cjComputeGLYPHSET_MSFT_GENERAL function from the Win32k.sys system module. This function parses the cmap table and fills internal structures. The CMAP structure looks like this:

The most interesting parts of this structure are two arrays, endCount and startCount. The exploit contains the following cmap table with segments:

To compute how much memory to allocate for the internal structures, the function executes this code:

After computing this number, the function allocates memory for the structures in the following way:

The problem is that if we compute the entire table, we get an integer overflow and the cnt variable contains an incorrect value. In the kernel, we see the following picture:

The code allocates memory for only 0x18 InternalStruct entries, but then there is a loop over the entire range of segments (this value was extracted directly from the file):

Using the cmap table, the v44 variable (the index) can be controlled and, as a result, we get memory corruption. To achieve it, the attacker does the following:

1. Cause an integer overflow in win32k!cjComputeGLYPHSET_MSFT_GENERAL.
2. Craft specific segment ranges in the font file to access interesting memory.

What about Windows 10?

As most of you know, font processing in Windows 10 is performed in a special user-mode process with restricted privileges. This is a very good solution, but the code has the same bug in the TTF processing. As a result, if you load or open this font exploit on Windows 10, you will see fontdrvhost.exe crash:

Kaspersky Lab detects this exploit as:

HEUR:Exploit.Win32.Generic
PDM:Exploit.Win32.Generic

We would like to thank Microsoft for their swift response in closing this security hole.

* More information about the FruityArmor APT group is available to customers of Kaspersky Intelligence Services. Contact:
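As an added illustration of the bug class described above (this is not Kaspersky Lab's or Microsoft's code, and it does not reproduce win32k's actual arithmetic), the following C code counts the code points a TrueType cmap format 4 subtable maps, first the trusting way and then with the validation a hardened font parser needs before sizing an allocation; InternalStruct, the helper names and the sample tables are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-code record a font parser would allocate per mapped code. */
typedef struct { uint16_t code; uint16_t glyph; } InternalStruct;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Format 4 subtable layout (big-endian, OpenType spec): 0 format, 2 length,
 * 4 language, 6 segCountX2, 8 searchRange, 10 entrySelector, 12 rangeShift,
 * 14 endCode[segCount], reservedPad, startCode[segCount], idDelta[segCount],
 * idRangeOffset[segCount]. */
#define HDR 14

/* Naive count in the spirit of the bug described above: trusts every segment
 * and sums (endCode - startCode + 1) into a 32-bit counter. Overlapping or
 * repeated segments inflate the result far beyond the 0x10000 code points a
 * 16-bit cmap can map, so an allocation sized from it disagrees with the
 * per-segment loop that later fills it. */
uint32_t naive_code_count(const uint8_t *t) {
    uint16_t segCount = rd16(t + 6) / 2;
    const uint8_t *endCode = t + HDR, *startCode = endCode + segCount * 2 + 2;
    uint32_t cnt = 0;
    for (uint16_t i = 0; i < segCount; i++)
        cnt += (uint32_t)rd16(endCode + i * 2) - rd16(startCode + i * 2) + 1;
    return cnt;
}

/* Hardened count: bounds-checks the table against both the buffer and the
 * declared length, requires sorted, non-overlapping segments ending in the
 * 0xFFFF sentinel, accumulates in 64 bits and refuses a count whose byte size
 * would not fit size_t. Returns mapped codes, or <0 for a malformed table. */
long checked_code_count(const uint8_t *t, size_t len) {
    if (len < HDR || rd16(t) != 4) return -1;
    uint16_t length = rd16(t + 2), segCount = rd16(t + 6) / 2;
    if (length > len || segCount == 0) return -1;
    if (HDR + (size_t)segCount * 8 + 2 > length) return -1;  /* truncated arrays */
    const uint8_t *endCode = t + HDR, *startCode = endCode + segCount * 2 + 2;
    uint64_t total = 0;
    uint32_t prevEnd = 0;
    for (uint16_t i = 0; i < segCount; i++) {
        uint16_t s = rd16(startCode + i * 2), e = rd16(endCode + i * 2);
        if (e < s) return -2;                   /* inverted range */
        if (i > 0 && s <= prevEnd) return -2;   /* unsorted or overlapping */
        prevEnd = e;
        total += (uint64_t)e - s + 1;
    }
    if (prevEnd != 0xFFFF) return -2;           /* spec requires the sentinel segment */
    if (total > SIZE_MAX / sizeof(InternalStruct)) return -3;
    return (long)total;
}

/* Constructed sample tables (not taken from any real font). good != 0 builds
 * a valid three-segment table (A-Z, a-z, sentinel); good == 0 builds `segs`
 * segments where every segment but the sentinel covers 0x0000-0xFFFE, i.e.
 * the same code points counted over and over. Returns bytes written, 0 on error. */
size_t build_table(uint8_t *out, size_t cap, int good, uint16_t segs) {
    uint16_t segCount = good ? 3 : segs;
    size_t length = HDR + (size_t)segCount * 8 + 2;
    if (segCount == 0 || length > cap || length > 0xFFFF) return 0;
    memset(out, 0, length);
    wr16(out, 4);
    wr16(out + 2, (uint16_t)length);
    wr16(out + 6, (uint16_t)(segCount * 2));
    uint8_t *endCode = out + HDR, *startCode = endCode + segCount * 2 + 2;
    for (uint16_t i = 0; i < segCount; i++) {
        uint16_t s, e;
        if (i == segCount - 1) { s = 0xFFFF; e = 0xFFFF; }
        else if (good)         { s = i ? 0x61 : 0x41; e = i ? 0x7A : 0x5A; }
        else                   { s = 0x0000; e = 0xFFFE; }
        wr16(startCode + i * 2, s);
        wr16(endCode + i * 2, e);
    }
    return length;
}

/* Runs one constructed table through either counter; -99 if it cannot be built. */
long sample_result(int good, uint16_t segs, int use_naive) {
    uint8_t buf[256];
    size_t n = build_table(buf, sizeof buf, good, segs);
    if (n == 0) return -99;
    return use_naive ? (long)naive_code_count(buf) : checked_code_count(buf, n);
}
```

On the valid table both counters agree on 53 codes; on the overlapping eight-segment table the naive counter reports 458746 entries while the checked parser rejects it outright.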
Windows Defender Application Guard isolates the browser, making Windows 10 Enterprise PCs harder to hack. Microsoft is giving its Edge browser a security boost with Windows Defender Application Guard for Windows 10 Enterprise. Other browsers use soft...