Monthly Archives: June 2016

Bypassing Application Whitelisting

Application whitelisting is a useful defense against users running unapproved applications. Whether you're dealing with a malicious executable file that slips through email defenses, or you have a user that is attempting to run an application that your organization has not approved for use, application whitelisting can help prevent those activities from succeeding.

Some enterprises may deploy application whitelisting with the idea that it prevents malicious code from executing. But not all malicious code arrives in the form of a single executable application file. Many configurations of application whitelisting do not prevent malicious code from executing, though. In this blog post I explain how this is possible.

Application Whitelisting Basics

Application whitelisting tools, such as Microsoft AppLocker, provide enterprises with the ability to specify applications that are approved for use. Applications that are not on the approved list will simply not execute. In the case of AppLocker, the approved list is based on three primary rule conditions:

  1. Publisher
  2. Path
  3. File hash

Let's consider the case where somebody is using the AppLocker Automatically Generate Rules wizard, which analyzes programs in the Program Files directory. Using this wizard results in rules that allow Microsoft-signed applications to be run, regardless of their location. The importance of the fact that the applications are allowed to be executed from any location will become clear.

DLL Hijacking

Eight years ago, I published a blog post called Carpet Bombing and Directory Poisoning. In that post, I described how executing an application from an untrusted directory (such as Downloads) can have disastrous consequences. When a trusted application is executed from an untrusted directory, Windows can cause untrusted code to be executed due to the way that it locates and loads libraries. The same concept can allow an attacker to bypass application whitelisting.

Testing DLL Hijacking as an Application Whitelisting Bypass

Let's start out with a fully-patched 64-bit Windows system. We place a copy of c:\windows\system32\notepad.exe into a new directory called c:\asdf\. You can choose any target directory name, but we use "asdf" to make it clear when the directory is being accessed.

notepad_asdf.png

Now that our sample application is in place, we run Sysinternals Process Monitor and filter the results to only display when notepad.exe accesses the c:\asdf\ directory.

procmon_filters.png

When we run notepad.exe from that directory, we now see what files notepad.exe is looking for.

procmon_asdf.png

Any file that it attempts to access in the c:\asdf\ directory that results in a NAME NOT FOUND result is a candidate for DLL hijacking. If an attacker can place a copy of a malicious library that has the same name that an application is looking for, this can cause the malicious code to execute.

In our case, we're not using malicious code, but rather a library called SENTINEL.DLL by Stefan Kanthak. When certain exported functions are executed, this library displays a dialog that indicates the vulnerable behavior. Versions of this DLL are available for several architectures in the SENTINEL.CAB file provided by Stefan. As with any untrusted code, this testing should take place only in an isolated environment, such as a standalone virtual machine.

We save a copy of the AMD64 version of SENTINEL.DLL as c:\asdf\bcryptPrimitives.dll. (On other platforms, the library may need to be named differently. For example, on a 32-bit Windows 7 system, the i386 version of SENTINEL.DLL should be saved as c:\asdf\CRYPTBASE.dll.)

poisoned.png

Now we run notepad.exe:

hijacked.png

It's very clear here that we've run an executable file (notepad.exe), which is signed by Microsoft, but the code that executed was definitely not the expected notepad.exe code!

AppLocker also provides the ability to perform DLL whitelisting, which can help prevent the type of DLL hijacking attack outlined above. However, this feature is disabled by default, presumably because it degrades performance and requires rigorous testing, as outlined in the AppLocker Design Guide [pdf].

Other Whitelisting Bypasses

The following utilities can also be exploited by attackers and should be avoided or used with caution.

rundll32.exe

Even if we configured our application whitelisting to be more locked down, by restricting application execution to paths not writable by normal user accounts, it still doesn't protect us against exploitation. The utility rundll32.exe comes with Microsoft Windows and is designed to load and run code in DLLs.

regsvr32.exe

The utility regsvr32.exe comes with Microsoft Windows and is used to register and unregister OLE controls in the Windows registry. As it turns out, regsvr32.exe can also be used to download and execute arbitrary code!

PowerShell

PowerShell is a utility that comes with Microsoft Windows and can be used for system administration or just about anything else that somebody would want to do on a Windows system. You might be thinking that eliminating powershell.exe from the whitelist might help fix this loophole. But actually, PowerShell functionality can still be leveraged without powershell.exe by using something like PowerShell Empire.

Conclusions

Application whitelisting is a useful capability that can help prevent users and attackers from running unexpected applications. Application whitelisting should not, however, be treated as a feature that prevents malicious code from executing. Microsoft admits that "AppLocker is not a security feature and was never designed as a security boundary." Other vendors may not be as forthcoming about what their application whitelisting products can and cannot practically achieve.

The above list of application whitelisting bypasses is in no way meant to be exhaustive. It is prudent to assume that there are other ways to achieve code execution in an environment that uses application whitelisting. For example, if Microsoft Office macros aren't disabled, the attacker just needs to use an Office document with a macro. Microsoft Office is whitelisted after all, right?

Recommendations

  • System administrators should test their environments' whitelisting capabilities using the above techniques.
  • Don't consider application whitelisting to be a silver bullet. While it is a valuable part of any enterprise's protections, application whitelisting will not stop a motivated attacker.

Updated PhD Thesis Title

Yesterday I posted Latest PhD Thesis Title and Abstract. One of my colleagues Ben Buchanan subsequently contacted me via Twitter and we exchanged a few messages. He prompted me to think about the title.

Later I ruminated on the title of a recent book by my advisor, Dr. Thomas Rid. He wrote Cyber War Will Not Take Place. One of the best parts of the book is the title. In six words you get his argument as succinctly as possible. (It could be five words if you pushed "cyber" and "war" together, but the thought alone makes me cringe, in the age of cyber-everything.)

I wondered if I could transform my latest attempt at a thesis title into something that captured my argument in a succinct form.

I thought about the obsession of the majority of the information security community on the tool and tactics level of war. Too many technicians think about security as a single-exchange contest between an attacker and a defender, like a duel.

That reminded me of a problem I have with Carl von Clausewitz's definition of war.

We shall not enter into any of the abstruse definitions of war used by publicists. We shall keep to the element of the thing itself, to a duel. War is nothing but a duel on an extensive scale.

- On War, Chapter 1

Clausewitz continues by mentioning "the countless number of duels which make up a war," and then makes his famous statement that "War therefore is an act of violence to compel our opponent to fulfill our will." However, I've never liked the tactically-minded idea that war is a "duel."

This concept, plus the goal to deliver a compact argument, inspired me to revise my thesis title and subtitle to the following:

Campaigns, Not Duels: The Operational Art of Cyber Intrusions

In the first three words I deliver my argument, and in the subtitle I provide context by including my key perspective ("operational art"), environment ("cyber," yes, a little part of me is dying, but it's a keyword), and "intrusions."

When I publish the thesis as a book in 2018, I hope to use the same words in the book title.

Great List of Hack Sites



The SANS Pen Test group has a poster they hand out at SANS conferences and put in mailings that has an awesome mind map of hacking challenge/skills sites.

Won't be going to conference soon or not on the mailing list? No worries, the poster can be downloaded here and all of the SANS posters are located here, including  DFIR, Threat Intelligence, CIS and some general information posters.

If you're not familiar with SANS posters, they're not just marketing tools (but of course they advertise an event, too) but are full of good, useful information. Like the hack sites mind map.

Enjoy!

Security is Not, and Should not be Treated as, a Special Flower

My normal Wednesday lunch yesterday was rudely interrupted by my adequate friend and reasonable security advocate Javvad calling me to ask my opinion on something. This in itself was surprising enough, but the fact that I immediately gave a strong and impassioned response told me this might be something I needed to explore further… The UK … Read More

Enterprise Security Weekly #7 – Web Application Scanning

This week on Enterprise Security Weekly, tenable makes a strategic partnership to ease authenticated vulnerability scanning, avast announces a much faster antivirus engine, Risksense unveils cyber risk scoring that allows some other kind of scoring that you might be familiar with, and alert logic goes into the cloud. All that and more, so stay tuned!

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode7

From ROP to LOP bypassing Control FLow Enforcement

Once upon a time breaking the Stack (here) was a metter of indexes and executables memory areas (here). Then it came a DEP protection (here) which disabled a particular area from being executable. This is the fantastic story of ROP (Return Oriented Programming) from which I've been working for long time in writing exploiting and re-writing "resurrectors" (software engines able to convert old exploits into brand new ROP enabled exploits), please take a look: here, here, here, here, here and here. Now it's time to a new way of stack protection named Control-Flow Enforcement designed by Intel. CFE aims to prevent stack execution by using a "canary" stack .. ops this was the old way to call it.. right let me repeat the sentence... by using a "shadow stack" aiming to compare return addresses and a "Indirect Branching Tracking" aiming to track down every valid indirect call/jmp on target program.

Well, I made a joke mentioning the ancient canary words which might remind you how useless it was adding a canary control Byte (or 4 bits, actually) to enforce the entire stack, but this time is structurally  different. We are not facing a canary stack which could be adjusted by user by using "stores commands" such as: MOV, PUSH, POP, XSAVE, but is a user/kernel memory space exclusively used by "control flow commands" such as: CALL, RET, NEAR, FAR, etc.



When shadow stacks are enabled, the CALL instruction pushes the return address on both the data and shadow stack. The RET instruction pops the return address from both stacks and compares them. If the return addresses from the two stacks do not match, the processor signals a control protection exception (#CP). Note that the shadow stack only holds the return addresses and not parameters passed to the call instruction. To provide this protection the page table protections are extended to support an additional attribute for pages to mark them as “Shadow Stack” pages.  (Figure1 from here)
Just to make things a little harder (but it's going to be very useful to introduce a way to bypass Stack Shadow) let me introduce to you a more comprehensive stack defencing framework, defined by Abadi et al  and called Control-Flow Integrity framework. Following I borrow the classification described by Bingchen Lan et Al. on their paper (available here) reporting 4 kinds of Control Flow Integrity Policies (CFI):
  • CFI-call. The target address of an indirect call has to point to the beginning of a function. For instance, indirect call is constrained to the limited addresses, which are specified through statically scanning the binary for function entries.
  • CFI-jump. The target address of an indirect jump should be either the beginning of another function or inside the function where this jump instruction lies. For instance, Branch Regulation prevents jumps across function boundaries to stop attackers from modifying the addresses of indirect jumps.
  • CFI-ret. In coarse-grained CFI, the target address of a ret instruction should point to the location right after any call site. Shadow stack further enhances this constraint, i.e. the ret instruction accurately corresponds to the location after the legitimate call site in its caller.
  • CFI-heuristics. Apart from enforcing specific policies on indirect branches as CFI-call, CFI-jump and CFI-ret do, some CFI solutions tend to detect attacks by validating the number of consecutive sequences of small gadgets.
During the past few years many attack mechanisms bypassed the CIF policies, let me sum they up on the following table.

Figure 2 Comparing attack strategies the green "check" means the technique can bypass the defence policy, the red "x" means it cannot

Lets assume to be able to implement CFI-Ret and CFI-Jump (or CFI-Heuristics ) techniques in a single system. We might apparently guarantee Control Flow Integrity ! Well, it was "kind of true" since Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng introduced in a well done paper (here) a LOP Loop Oriented Programming technique.  The main idea is to choose entire functions as gadget instead of using short code fragments or unaligned instructions. In this way the call instruction targets the beginning of a function bypassing CFI-call policy. Moreover CFI-heuristics expects the execution flow on a victim application consists of multiple short code fragments as ROP and JOP does. Since no short code is involved in LOP and it is possibile to select long gadget with many instructions on it LOP can also bypass CFI-Heuristics. The process of chaining gadgets exactly follows the normal carrer-callee (call-ret-pairing) paradigm. The loop gadget acts as proxy (dispatcher) invoking different functional gadgets repeatedly which eventuallu return to the original caller bypassing the CFI-ret policy. Meanwhile there is only one jump instruction used by LOP. This jump instruction works originally for loop functionality and it is untouched by LOP. Hence, CFI-jump is also ineffective towards LOP. The following picture shows the difference between CPROP and LOP.
Figure 3. CROP VS LOP (from here)


It's now interesting defining how a Loop gadget looks like. So, lets define a loop gadget as a complete working function having 3 keys elements such as :

  1. A loop statement
  2. An indirect call instruction within the loop
  3. An index instruction within the loop statement.
The following example is taken from initterm() in msvcrt.dll a Microsoft Windows dynamic library.

Figure 4: Example of LOP gadget


The LOP gadget make possible to set up starting address and ending address. Then Hijacks the control flow to the loop gadget. Then the LOP gadget makes the index pointer pointing to start to start address of the dispatch "table". It takes the next gadget address and uses an indirect call to invoke the addressed lop gadget. Just after the call it returns to the instruction located right after the indirect call in the loop by a legal ret instruction. Later the gadgets modifies the pointing index making it addressing the next gadget. It ends up by comparing the index value and the "end address".

Figure 5 Comparing attacks strategies the green "check" means the technique can bypass the defence policy, the red "x" means it cannot

We can now add an additional raw on the attack-comparing–table as shown in Figure5 introducing LOP as the ultimate way to bypass Control Flow Integrity Techniques. Happy hunting !

Hack Naked TV – June 21, 2016

This week on Hack Naked TV, Beau Bullock talks about Bad Tunnel, GoToMyPC, and how Ransomware is all Javascript. Watch for full stories, here on Hack Naked TV!

Beau teaching SANS SEC504 in Marina del Rey, CA August 15, 2016: http://tinyurl.com/beau-sec504-aug16

Bad analogy, bad. No biscuit.

If you use the “If I leave my door unlocked you don;t have the right to walk in…” analogy when discussing web disclosures, you really need to stop.  Bad analogies are bad.

You know the cases, folks find things on the Internet that people didn’t mean to make public, and a storm ensues and all kinds of people say all kinds of naïve stuff, including people who should know better.

Your website is not a house, and not just because of the physical vs. virtual difference.  If we have to use this analogy, let’s at least get it more accurate.

You live on a road, it may be public, or it may be private, but either way it is open to the public- in fact public use is encouraged.  That’s why you put your house there, because of good access in and out to the rest of the world.  You put sensitive data on signs in your yard, visible from the road.  There might even be a sign that says “only read your own data”, but it is all visible.  Someone drives by and reads someone else’s sign from the road.  Maybe they take pictures of the signs.

Still imperfect, but much more accurate.  And so convoluted it doesn’t help make any point.  These issues are not simple and misrepresenting them and oversimplifying things does not help.

Note that I have not made any judgements about who exposed what where, and who drove by and looked at it.  If it is your house and you post my data in an irresponsible manner, you are being irresponsible.  If someone feels the need to copy everything to prove a point, that causes problems, even when their intentions are good.

Without picking any specific cases, most of the ones that make the news are a combination of errors on both sides.  You should act like sensitive data is, I don’t know, sensitive.  And when you stumble across things like that (and you will if you use the Internet and pay attention), you should think about how folks will react, and keep the CFAA in mind.  Right or wrong, that’s the world we live in.  I think the CFAA is horrible and horribly out of date, as is the DMCA- but while they are the law and enforced, ignore them at your peril.  It is worth considering that when people find stuff that shouldn’t be posted publicly, it generally doesn’t require downloading the entire dataset to report the problem, in fact that is likely to create problems for everyone.

And yes, that’s a gross oversimplification from me in a post where I decry gross oversimplification.  Literary license or something.

And because I actually care about this mess we’re in, I’ll make an offer I hope I don’t regret: if you stumble across things which are exposed and you really don’t know how to handle it please pause and reach out to me.  I’ll ask friends in law enforcement for guidance for you if you wish to remain anonymous, or I’ll try to help you find the right folks to work with.  If you are outside of the US, I’m unlikely to be if much help, but I’ll still make inquiries.

Note that if you are on any side of one of these situations and act like a dumbass, I reserve the right to call you a dumbass.  I’ll still try to help, but I’m calling you a dumbass if you deserve it.  That’s as close to idealistic as you’ll get from me.

 

Jack

Attack Research is Hiring!

It is very rare we post a public job ad.  Right now we have one position open with more on the way.  

http://www.attackresearch.com/jobs.html

Please take a look and apply if interested.  Or if you know anyone interested, please pass the word along.

Security Weekly #468 – Chris Poulin, X-Force

This week on Security Weekly, Larry serves as our interim host alongside co-host Russell Beauchemin, who will be in studio with our guest Chris Poulin. Larry will discuss with Russell about his new Hololens! They talk about Typo squatting package managers, 20 years of red teaming, Spear Phishing, how InfoSec is a sham, and GPS DoS.

Is it the End of Angler ?




Everyone looking at the DriveBy landscape is seeing the same : as Nuclear disappeared around April 30th,  Angler EK has totally vanished on June 7th. We were first thinking about Vacation as in January 2016 or maybe Infrastructure move. But something else is going on.

---
On the Week-End of the 4-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber)

EngageBDR malvertising redirecting to SadClowns infra pushing traffic to Neutrino to Drop Cerber Ransomware
On the 6th I noticed several group migrating to RIG, Neutrino or even Sundown.
But I got speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.
They were sticking exclusively to Angler EK since years and their vacation were synchronized with Angler's in January.

Checking all known to me infection path I could hardly find some Angler....last one were behind the EItest infection chain on the night of the 6th to 7th of June.

Last Angler pass I captured on 2016-06-07
EITest into Angler dropping CryptXXX 3.200 U000017
On June 7th around 5:30 AM GMT my tracker recorded its last Angler hit :

Last Hit in my Angler tracker.

After that...RIG, Neutrino instead of Angler almost everywhere.[Side note: Magnitude is still around...But as mentioned earlier it's a One Actor operation since some time]
Aside SadClowns and GooNky here are two other big (cf traffic volume) group which transition has not been covered already

"WordsJS"  (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U000010
2016-06-10
"ScriptJS" (Named DoublePar by RiskIQ and AfraidGate by PaloAlto) into Neutrino > CryptXXX U000011
This gang  was historically dropping Necurs, then Locky Affid13 before going to CryptXXX
Illustrating with a picture of words and some arrows:

MISP : select documented EK pass with associated tags.
1 arrow where you would have find Angler several days before.
(+ SadClowns + GooNky not featured in that selection)


With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and beginning of 2016...we might think there is a connection and that some actors are stepping back.

Another hint that this is probably not vacation "only" for Angler is that Neutrino changed its conditions on June 9th. From 880$ per week on shared server and 3.5k$ per month on dedicated, Neutrino doubled the price to 7k$ on dedicated only (no more per week work). Such move were seen in reaction to Blackhole's coder (Paunch) arrest in October 2013.

So is this the End of Angler ? The pages to be written will tell us.

“If a book is well written, I always find it too short.” 
― Jane Austen, Sense and Sensibility



Post publication notes:

[2016-06-12]
RIG : mentioned they were sill alive and would not change their Price.
Maybe unrelated to RIG mention, Neutrino updated his thread as announced previously on underground but conditions are revisited :
------Google translate:-----
Tarif week on a shared server:
Rent: $ 1500
Limit: 100k hosts per day
One-time daily discharge limits: $ 200

Rate per month on a dedicated server:
Rent: $ 4000
Limits: 500k hosts per day, and more - on an individual basis.
One-time daily discharge limits: $ 200
----------------
So now only price per week is doubled and month rate + ~20%

[2016-06-13]

Acknowledgement:
Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.

Read More :
XXX is Angler EK - 2015-12-21
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News
Neutrino EK and CryptXXX - 2016-06-08 - ISCSans
Lurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - Kaspersky

How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

Dorking

There's a good article on Google Dorking on DarkReading here. If you're not sure what Google Dorking is, in essence, it's using Google (you can do the same with other search engines) with advanced operators to find information on the Internet that shouldn't be exposed. You can find files, passwords, user accounts, open webcams and all sort of other data. The concept was made popular by Johnny Long, who now resides in Uganda with his family helping educate needy kids (Hackers For Charity is his organization and and a worthy place to donate funds, equipment or time). http://www.hackersforcharity.org/

A Close Look at TeslaCrypt 3.0 Ransomware

TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via a spear phishing email and through the Angler exploit kit. The Angler exploits vulnerability in Adobe Flash. The Angler exploit downloads a variant of the ransomware upon success.

TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files irrecoverable via normal means.

Infection Indicator/s
Machines infected by TeslaCrypt will usually have the following files present in almost every directory:

  • +REcovER+[Random]+.html
  • +REcovER+[Random]+.txt
  • +REcovER+[Random]+.png

The recovery instructions for the encrypted files can be found inside these files.

TeslaCrypt ransom note

TeslaCrypt ransom note

Technical Details
Note: The file used for this analysis has an MD5 value of 1028929105f1e6118e06f8b7df0b3381.

The malware starts by ensuring it’s in its intended directory. For this sample, it checks if it is located in the Documents directory. If it’s not, it copies itself to that directory and executes its copy from there. It deletes itself after executing the copy.

The ransomware creates multiple threads that do the following:

  • Monitors processes and terminates those that contain the following strings:
    • taskmg
    • regedi
    • procex
    • msconfi
    • cmd
  • Contacts the C&C server and sends certain information like system information and the unique system ID.
  • File encryption routine

Obfuscation
TeslaCrypt is not immune to recycling code from older malware families. The initial code is an encryption of the compressed binary. Upon decryption, the malware will call the RtlDecompressBuffer API and finally write the decompressed data into its own memory.

Call to RtlDecompressBuffer

Call to RtlDecompressBuffer

The malware also uses a technique to obscure API calls by using the hash of the API name and passing it to a function that retrieves the API address.

The malware passes an API hash to a function that returns the procedure address of the API.

The same code but labeled properly in a disassembler

The same code but labeled properly in a disassembler.

File Encryption
TeslaCrypt uses AES encryption and will send one part of the key to its C&C server, which will render the files irrecoverable on its own.

It will start by checking if the system already has its own recovery key. If not, it will begin generating the necessary encryption keys. These keys will be used for the encryption routine.

Figure 5

Checks if the recovery key already exists and generates it if it doesn’t.

TeslaCrypt will traverse all fixed, remote and removable drives for files with the following extensions:

.3FR .7Z .ACCDB .AI .APK .ARCH00 .ARW .ASSET .AVI .BAK .BAR .BAY .BC6 .BC7 .BIG .BIK .BKF .BKP .BLOB .BSA .CAS .CDR .CER .CFR .CR2 .CRT .CRW .CSS .CSV .D3DBSP .DAS .DAZIP .DB0 .DBA .DBF .DCR .DER .DESC .DMP .DNG .DOC .DOCM .DOCX .DWG .DXG .EPK .EPS .ERF .ESM .FF .FLV .FORGE .FOS .FPK .FSH .GDB .GHO .HKDB .HKX .HPLG .HVPL .IBANK .ICXS .INDD .ITDB .ITL .ITM .IWD .IWI .JPE .JPEG .JPG .JS .KDB .KDC .KF .LAYOUT .LBF .LITEMOD .LITESQL .LRF .LTX .LVL .M2 .M3U .M4A .MAP .MCMETA .MDB .MDBACKUP .MDDATA .MDF .MEF .MENU .MLX .MOV .MP4 .MPQGE .MRWREF .NCF .NRW .NTL .ODB .ODC .ODM .ODP .ODS .ODT .ORF .P12 .P7B .P7C .PAK .PDD .PDF .PEF .PEM .PFX .PKPASS .PNG .PPT .PPTM .PPTX .PSD .PSK .PST .PTX .PY .QDF .QIC .R3D .RAF .RAR .RAW .RB .RE4 .RGSS3A .RIM .ROFL .RTF .RW2 .RWL .SAV .SB .SID .SIDD .SIDN .SIE .SIS .SLM .SNX .SQL .SR2 .SRF .SRW .SUM .SVG .SYNCDB .T12 .T13 .TAX .TIFF .TOR .TXT .UPK .VCF .VDF .VFS0 .VPK .VPP_PC .VTF .W3X .WALLET .WB2 .WMA .WMO .WMV .WPD .WPS .X3F .XF .XLK .XLS .XLSB .XLSM .XLSX .XXX .ZIP .ZTMP

The exception, however, is if the file contains the string “recove” or if it is found in the following directories:

  • %WINDIR% (C:\Windows)
  • %PROGRAMFILES% (C:\Program Files)
  • %COMMONAPPDATA% (C:\Documents and Settings\All Users\Application Data for Windows XP and C:\ProgramData for Windows Vista and above)
  • %LOCALAPPDATA%\Temporary Internet Files (C:\Documents and Settings\[USERNAME]\Local Settings for Windows XP and C:\Users\[USERNAME]\AppData\Local for Windows 7 and above)
Figure 6

Checking for fixed, removable and remote drives

 Once a file passes the extension check, the malware will proceed with the encryption. The ransomware variant first checks for its encryption header. If the file is not yet encrypted, it will proceed with the encryption.

Encrypted files’ headers contain data that includes – but isn’t limited to – the global recovery key, the global public key, the original file size and the encrypted data itself.

Sample of an encrypted file

Sample of an encrypted file

C&C Servers
The malware tries to connect to one of the following domains:

  • hxxp://naturstein-schubert.de
  • hxxp://csskol.org/wp-content
  • hxxp://casasembargada.com
  • hxxp://mahmutersan.com.tr
  • hxxp://forms.net.in
  • hxxp://kknk-shop.dev.onnetdigital.com

If it manages to connect to a server, it then sends a POST request using encoded data. The data it will send includes the following:

  • The shared key for the encryption
  • Bitcoin address
  • OS version
  • TeslaCrypt version
  • Unique ID for the infected system
HttpSendRequest with the encrypted data

HttpSendRequest with the encrypted data

Other Details
To ensure the malware only has one instance running, it creates a mutex as “8_8_8_8.”

Figure 9

CreateMutex function

It creates an auto start registry entry to ensure execution every startup.

Autostart registry

Autostart registry

It also adds a policy in the registry to remove permission restrictions on network drives, essentially allowing any user to access these network drives.

EnableLinkedConnections registry value

EnableLinkedConnections registry value

Interestingly enough, though, it appears the gang behind TeslaCrypt has had a change of heart and have publicly shared their master decrypt key. Before they shut down, the now-defunct payment site required a minimum of $500 in the form of bitcoin.

TeslaCrypt payment page

TeslaCrypt payment page

Advanced threat defense products like those used in this analysis help avoid ransomware infection. The advanced solutions catch the emerging threat before it can do any damage.  You’ve got two great lines of defense: The first is via email and the next is your network.

Advanced email defense solutions like ThreatSecure Email are designed to catch malware that evades traditional defenses. It’s a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop TeslaCrypt from encrypting and taking the data from you.

The next stop is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.

 

The post A Close Look at TeslaCrypt 3.0 Ransomware appeared first on ThreatTrack Security Labs Blog.

Enterprise Security Weekly #6 – IDS/IPS

This week is, well, rough, ServiceNow buys threat intelligence company, memory scanning in the hypervisor, and next-generation network segmentation and NAC, and John and I discuss the evolution of IDS and IPS!

Full Show Notes Here: http://wiki.securityweekly.com/wiki/index.php/ES_Episode6

Visit http://securityweekly.com/esw for all the latest episodes!

Security Weekly #466 – “8-Inch Floppy”

This week on Security Weekly, we interview Wade Baker, Vice President of ThreatConnect! Paul, Jack, Jeff, and Larry address listener feedback and questions. Paul discusses, Jeremiah Grossman, Apple hiring crypto-wizard Jon Callas to beef up security, Google killing passwords on Android, and lots more in Security News.