Tuesday, May 23, 2017

Description on Ransomware Attack Measures:

Description on Ransomware Attack Measures
  • ·         Make sure to have adequate backup processes on place and frequently test a restore of these backups ("Schrödinger's backup - it is both existent and non-existent until you've tried a restore")
  • ·         Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: 
       Open downloaded documents in 'Protected View'
       Open downloaded documents and block all macros
  • ·         Disable Windows Script Host
  • ·         Filter the following attachments on your mail gateway:.386, .ace, .acm, .acv, .ade, .adp, .adt, .ani, .app, .arc, .arj, .asd, .asp, .avb, .ax, .bas, .bat, .boo, .btm, .cab, .cbt, .cdr, .cer, .chm, .cla, .cmd, .cnv, .com, .cpl, .crt, .csc, .csh, .css, .dll, .drv, .dvb, .email, .exe, .fon, .fxp, .gms, .gvb, .hlp, .ht, .hta, .htlp, .htt, .inf, .ini, .ins, .iso, .isp, .its, .jar, .job, .js, .jse, .ksh, .lib, .lnk, .maf, .mam, .maq, .mar, .mat, .mau, .mav, .maw, .mch, .mda, .mde, .mdt, .mdw, .mdz, .mht, .mhtm, .mhtml, .mpd, .mpt, .msc, .msi, .mso (except oledata.mso), .msp, .mst, .nws, .obd, .obj, .obt, .obz, .ocx, .ops, .ovl, .ovr, .pcd, .pci, .perl, .pgm, .pif, .pl, .pot, .prf, .prg, .ps1, .pub, .pwz, .qpw, .reg, .sbf, .scf, .scr, .sct, .sfx, .sfx, .sh, .shb, .shs, .shtml, .shw, .smm, .svg, .sys, .td0, .tlb, .tmp, .torrent, .tsk, .tsp, .tt6, .url, .vb, .vbe, .vbs, .vbx, .vom, .vsmacro, .vss, .vst, .vsw, .vwp, .vxd, .vxe, .wbk, .wbt, .wIz, .wk, .wml, .wms, .wpc, .wpd, .ws, .wsc, .wsf, .wsh
  • ·         Filter the following attachments on your mail gateway:  (Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm, .bin
  • ·         Block all program executions from the %LocalAppData% and %AppData% folder
  • ·         Set the registry key "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. "not_a_virus.pdf.exe")
  • ·         Enforce administrative users to confirm an action that requires elevated rights
  • ·         Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.
  • ·         Activate the Windows Firewall to restrict workstation to workstation communication
  • ·         Using sandbox that opens email attachments and removes attachments based on behavior analysis
  • ·         Software that allows to control the execution of processes - sometimes integrated in Antivirus software- Free: AntiHook, ProcessGuard, System Safety Monitor
  • ·         Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer
  • ·         Server-side file screening with the help of File Server Resource Manager
  • ·         Block program executions (AppLocker)
  • ·         Detect and block exploitation techniques
  • ·         Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring 

post made by 

Measures To be taken care on Ransomware attacks:

Measures To be taken care on Ransomware attacks:
  • ·         Backup and Restore Process
  • ·         Block Macros
  • ·         Disable WSH
  • ·         Filter Attachments Level 1
  • ·         Filter Attachments Level 2
  • ·         Restrict program execution
  • ·         Show File Extensions
  • ·         Enforce UAC Prompt
  • ·         Remove Admin Privileges
  • ·         Restrict Workstation Communication
  • ·         Sandboxing Email Input
  • ·         Execution Prevention
  • ·         Change Default "Open With" to Notepad
  • ·         File Screening
  • ·         Restrict program execution #2
  • ·         EMET
  • ·         Sysmon
Post made by 

Monday, May 15, 2017

Possible Way To Fight Back WannaCry Ransomware

In the last post, we shown the steps to be followed in order to prevent ransomware attack. (check for the previous post: http://www.edison-newworld.com/2017/05/ransomware-exploiting-nsa-tools.html).
In this post, we moved one more step ahead to fight this ransomware attack (wannaCry).
WannaCry Ransomware
Our researcher collected the ransomware sample (wannacry variants) and executed it in control environment. It clearly showed the behaviour of file encryption and demanding bitcoins. We tested with few decryption routines, but no success. Today, we got an opensource vaccine for this wannacry ransomware. That tool is called WannaCry Vaccine Tool. 

WannaCry Vaccine Tool
This vaccine tool created to overcome the infection of wannacry. But the catch is this tool need to be executed in our system first, so it will stop the wannacry ransomware variant. The WannaCry Vaccine Tool gets installed and prevent system from being affected by WannaCry Ransomeware. 

Tested by our researcher
Our researcher run this vaccine tool in windows xp environment and windows 7 OS environment (this two environments are attacked in the wild by wannacry ransomware). After executing the vaccine tool, our researcher executed the malware (wannacry), it drops the encryptor files and other handles, but this time, no files get encrypted. No infections found. This vaccine actually stops encryption of files in the system.

Want those files in your system, please check the following Github link:

Trustlook WannaCry Toolkit
  • Please check the python tool- WannaCry Ransomware scanner tool, use this tool for presence of wannacry ransomware scanner tool.
  • Wannacry vaccine tool is used to prevent the ransomware attack from file encryption and can't demand for ransom.
  • Most important thing is update the security patch from microsoft.

Post made by

MSIL Agent Sample - Malware Analysis

MSIL Agent Malware Analysis

In malware sample cluster, we found “MSIL agent -detection” as found in the top of the clusters. Clustering process is collecting or grouping similar set of samples under one set. We fired up our VM with all malware analysis tools and for the analysis purpose, we taken 2 samples by picking it random from that MSIL agent cluster.
We got the following two files:
Sample1 –
MD5:                     6c11ccfc559946574f4d2401ba040515
SHA-1                    f7a891ad465f3587ecc387f74d0c2095f214c108
SHA-256               6ab529495eeedb0f2521aba633d3f00ddf1706dd8759a0dd981ea1a824c89cd0

Sample2 –
MD5:                     f5371ef52e97bc46b5e73ca6ece14e65
SHA-1:                  3ee5801d76345a0a77cc2bca5a76599ff4708722
SHA-256:              2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f

These two samples are comes under same set, we checked one important factor. Import hashing is that important factor in tracking malware samples. So we checked the import hashing of the two files and it is actually same.
And size is 7.0 KB (7168 bytes) for both the files. Even trid is same for the both files.
Generic CIL Executable (.NET, Mono, etc.) (82.9%)
Win32 Dynamic Link Library (generic) (7.4%)
TrID                      Win32 Executable (generic) (5.1%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)

TrID is same for both the file.

Sample 1

Sample 2
Analysis of the samples:
We looked in to the sample and started dissecting the file using IDA pro. The samples function names are:

Function Names

Traversing to the main function code, it shows code of adding auto start entry (run entry) and physical location of file. Usually, malware samples use run entry to keep persistence. The same thing used here, refer the below snapshots.

Run entry points to physical location
Run entry with MozillaFirefox as value, chrome as value and both these entries points to .lnk files inside the folder called Googlechrome. From the above the code, we found two .lnk files, windowsupdate.lnk and googleupdate.lnk.
When we further look in to the code, we found some other values in the run entry. Please refer the below snapshot:

Run entry points to physical location

In this part, we seen run entry with values such as Calculator and MediaPlayer. In both values, pointing to the same files under googlechrome folder. For comparison reason, we did quick analysis with the second file and we find the same value code, registry entries and file locations in the strings.
Interesting strings:
·         00000000110B   000000402F0B      0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
·         00000000118B   000000402F8B      0   MozillaFirefox
·         0000000011AB   000000402FAB      0   C:\GoogleChrome\WindowsUpdate.lnk
·         0000000011EF   000000402FEF      0   Chrome
·         0000000011FD   000000402FFD      0   C:\GoogleChrome\GoogleUpdate.lnk
·         000000001247   000000403047      0   Microsoft
·         00000000125B   00000040305B      0   MediaPlayer
·         000000001273   000000403073      0   Calculator
These interesting strings clearly matches with the first sample set.
Indicator                                                                                                                                 Severity
The time stamp (Year:2017)of the File Header reached the maximum (Year:2015) threshold
The size (7168 bytes) of the file reached the minimum (10240 bytes) threshold
The file opts for Address Space Layout Randomization (ASLR) as mitigation technique
The file checksum (0x00000000) is invalid
The original filename (Mozilla.exe) is different than the file name (2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f)
The file is not signed with a Digital Certificate

This table is the indicator for one of the file from a malware analysis tool. We checked the other file with the same tool for indicator and it is as follows:
Indicator                                                                                                                                 Severity
The time stamp (Year:2017)of the File Header reached the maximum (Year:2015) threshold
The size (7168 bytes) of the file reached the minimum (10240 bytes) threshold
The file opts for Address Space Layout Randomization (ASLR) as mitigation technique
The file checksum (0x00000000) is invalid
The original filename (Mozilla.exe) is different than the file name (6ab529495eeedb0f2521aba633d3f00ddf1706dd8759a0dd981ea1a824c89cd0)
The file is not signed with a Digital Certificate

Dynamic Analysis:
Till this point, we ran all the static malware analysis tools and checked the behaviour of the file based on the codes inside of the file. Let’s try dynamic analysis by executing any one of the sample and use diffing tools (ie differentiating tool or comparison tool). Comparing clean state of the OS with infected OS state, this is the purpose of the diffing tools in dynamic analysis.
At first stage,
                Executed the file and observed its behaviour, also collected the memory strings of the executed files. Once the file execution done, we ran the comparison tool (inctrl) and find the created registry traces, file created, folder created and even modified traces (like modification, deletion).
Observed registry trace,
                The same registry traces we seen in the code were found in the inctrl logs.
o                 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run             "Calculator"
§  Type: REG_SZ
§  Data: C:\GoogleChrome\GoogleUpdate.lnk
o   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Chrome"
§  Type: REG_SZ
§  Data: C:\GoogleChrome\GoogleUpdate.lnk
o   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
§  Type: REG_SZ
§  Data: C:\GoogleChrome\WindowsUpdate.lnk
o   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MediaPlayer"
§  Type: REG_SZ
§  Data: C:\GoogleChrome\WindowsUpdate.lnk
o   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft"
§  Type: REG_SZ
§  Data: C:\GoogleChrome\GoogleUpdate.lnk
o   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MozillaFirefox"
§  Type: REG_SZ
§  Data: C:\GoogleChrome\WindowsUpdate.lnk
We observed the same entry in regedit (checked manually):
Run Entries

We ran the autorun tool (from sysinternals) and found the logon entries.
Autorun tool showing Run entries
Both the inctrl logs and autoun shows that file not found in the folder googlechrome. And even the folder is not created. We unable to find the folder and file creation routines in these samples.
We wrote yara rules for detecting these files. So, just need to run the following yara rule in your system and check whether the system is infected with this variants or not.
YARA rules:
rule MSIL_AGENT_Chrome_Mozilla
                $string0= {43003A005C0047006F006F0067006C0065004300680072006F006D0065005C00570069006E0064006F00770073005500700064006100740065002E006C006E006B}
                $string1= {43003A005C0047006F006F0067006C0065004300680072006F006D0065005C0047006F006F0067006C0065005500700064006100740065002E006C006E006B}
                2 of them


This yara rule is more than enough for detecting this whole cluster samples. We scanned with the whole set of samples, this rule pick all the files without fail.

Post made by

Saturday, May 13, 2017

Ransomware Exploiting NSA Tools (ShadowBroker Leak)

Last couple of days, we seen massive ransomware attacks which is actually exploiting a vulnerability in SMB, EternalBlue, DoublePulsar are used by attacker to exploit and executed the malicious code. Ransomware exploiting MS17-010 ( Microsoft Windows Vulnerability) has been wreaking havoc worldwide.
Two ransomware variant seen in wild:
  • Wannacry ransomware
  • AES-NI ransomware
Wanna cry ransomware sample during debugging

Wanna cry ransomware attacked many hospitals and forced them to operate at very limited service and list is very massive.
Wanna cry

AES-NI Ransomware

Precautions to be taken

Patch Management
Ensure all Workstations and Servers have the latest Microsoft patches, especially the ones related to MS17-010.
Ensure AV signatures are updated on all assets. Identify critical assets and target them first. Block IOCs on AV solution.
Get the details with regards to the name of the malware and verify if this malware has been detected in the logs for last 1 week.
Ensure IPS signatures are updated. Verify if the signature that can detect this vulnerability / exploit attempt is enabled and is in blocking mode.
Get the details with regards to the name of the Signature and verify if this Signature has been detected in the logs for last 1 week.
EMail Gateway
Ensure EMail Gateway solutions has all relevant updates for detecting possible mails that may bring the Trojan in the environment.
Ensure Proxy solution has updated database. Block IOCs for IP Address and Domain names on the Proxy.
Verify last one week logs for the IOCs on Proxy and take action on sources of infection.
Block the IP addresses on Perimeter Firewall.
Verify logs for last one week.
Anti - APT Solutions (FireEye, Trend Micro)*
Ensure signatures are up to date.
Check for possible internal sources of infection and take actions.
Check logs to verify if any of the IOCs have been detected in 1 week logs.
a - If required, raise case with OEM for getting details
b - All changes to follow proper approvals and change management process

Post made by

Wednesday, May 10, 2017

APT Turla - Kazuar (MacOS Version of Uroburos Espionage Rootkit)

Malware researchers have found a new backdoor malware called Kazuar, and it functions in MacOS version of Uroburos espionage rootkit. The actor behind this malware is infamous APT actor called Turla APT (Advanced Persistent Threat) actor.

Uroburos Dragon

Uroburos has been nurtured by Turla since 2014 to executed commands in the infected system aka zombie systems. In 2014, GDATA published paper on Uroburos and it was titled as Uroburos Highly complex espionage software with Russian roots. We recommend the readers to go through the paper which gives lot of information on the espionage by reverse engineering with deep dissection cuts.
GDATA Paper on Uroburos

 The Uroburos rootkit is composed of two files, a driver and an encrypted virtual file system. The Mac version of Uroburos known as Snake, Turla and Agent.BTZ is a sophisticated malware framework employed in targeted attacks.

Analysis of Uroburos by GDATA

Rootkit Framework

 Snake was discovered by researchers at Netherlands-based cyber security firm FOX-IT. Experts state that this new variant dubbed Snake is a port of the Windows version and contains debug functionalities. Kazuar is suspected to be a replacement for the second stage backdoor Carbon, implanted in systems already compromised by Turla. Kazuar is a Microsoft .NET framework based Trojan that grants actors complete access to compromised systems targeted by its operator.

Post made by

Tuesday, May 9, 2017

Intel Patches Privilege Escalation Vulnerability In Firmware - CVE-2017-5689


Lot of buzz and updates in cyber security space and tech media regarding privilege escalation vulnerability in Intel products. It is noted that remote attacker can exploit this vulnerability and gain access. Intel AMT, Intel ISM, and Intel SBA are affected with this vulnerability and the attacker who exploited successfully might get the control of manageability features provided by these products. Intel based consumer PCs with consumer firmware, Servers with Intel SPS or Xeon Processor E3 and E5 workstations are not affected with this vulnerability.

Intel Support

Summary And Detail of the Vulnerability

There are two ways this vulnerability may be accessed and Intel small business technology is not vulnerable to the first one.

  1. · An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). 
  2. An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel AMT, Intel ISM, and Intel SBT. 
CVSS 3.0: Base score as 9.8 for the first issue and Base score as 8.4 for the second issue. The severity is rated as critical and high respectively. The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability. Versions before 6 or after 11.6 are not impacted.

Intel issued a tool to check whether the system is affected with this vulnerability or not. And gave the proper guide to follow.

Intel Recommendations: 
Intel has released a downloadable discovery tool located at https://downloadcenter.intel.com/download/26755, which will analyse your system for the vulnerability. IT professionals who are familiar with the configuration of their systems and networks can use this tool or can find more details below.
Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system.  If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.
Step 2: Utilize the INTEL-SA-00075 Detection Guide to assess if your system has the impacted firmware. If you do have a version in the “Resolved Firmware” column no further action is required to secure your system from this vulnerability.
Step 3: Intel highly recommends checking with your system OEM for updated firmware.  Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Ex:
Step 4: If a firmware update is not available from your OEM, mitigations are provided the INTEL-SA-00075 Mitigation Guide.
For assistance in implementing the mitigations steps provided in this document, please contact Intel Customer Support; from the Technologies section, select Intel® Active Management Technology (Intel® AMT).
Intel manageability
CPU Generation
1st Gen Core
2nd Gen Core
3rd Gen Core
4th Gen Core
5th Gen Core
6th Gen Core
7th Gen Core

- Recommendation and table are copied from Intel page. Follow the Intel support guide for this and contact Intel support team for assistance. 

Post made by

Enhancing Embedded Device Security with MITRE EMB3D™

In today's interconnected world, the security of embedded devices has become crucial. Embedded devices, integral to various industries, ...