Elastic boundaries - Elevation by environment variable expansion

Elastic Boundaries – Elevating privileges by environment variables expansion

Even though every process is supplied with variables from its environment, they are often overlooked by users, developers and sometimes even the OS itself.

Environment variables are an essential part of any decent operating system, including but not limited to all flavors of Unix (Linux, BSD), Windows and OS X.

In the world of Microsoft operating systems they existed in the first version of DOS, made their way into the first appearance of Windows and are naturally still around in current versions as well.


Captain Hook: Pirating AVs to Bypass Exploit Mitigations

tl;dr: We found 6(!) different common security issues that stem from incorrect implementation of code hooking and injection techniques. These issues were found in more than 15 different products. The most impactful discovery was that 3 different hooking engines also suffer from these kinds of problems, including the most popular commercial hooking engine in the world – Microsoft Detours (scheduled patch, August 2016). In practice, this means that thousands of products are affected.
The full security issues will be presented at Black Hat 2016. For the eager reader, we’ll start here with some background information.


Documenting the Undocumented: Adding CFG Exceptions

TL;DR Microsoft’s Control Flow Guard (CFG) is a security feature that prevents indirect calls from being abused to reach addresses that are not marked as safe. CFG can cause problems for anyone trying to execute malicious memory manipulations on Windows. In such cases, it can be bypassed by adding an exception to the CFG bitmap (a mapping of all the “safe” addresses). How can we add such an exception? There are actually two ways: one documented, the other undocumented. In this post, we’ll walk you through both while analyzing the undocumented syscall in depth.


Analyzing Furtim: Malware that Avoids Mass-Infection

Overview

Recently we came across a new malware strain, first discovered by @hFireF0X; at the time of discovery, it was not detected by any of the 56 anti-virus engines on the VirusTotal service.

It is not yet known who is behind this malware, and as no string in the file disclosed its original name, we code-named it “Furtim”, which is Latin for “stealthily”. In fact, Furtim, as we’ll show, goes to great lengths to avoid being caught by security parties. For example, Furtim won’t install itself if it identifies on the target machine any of an extensive list of security products (both common and esoteric), sandboxes or virtualization environments.

These threat actors would rather give up on a target than take the chance of being exposed.

Given these interesting facts, we decided to perform a deep analysis of this new malware sample.


Sedating the Watchdog: Abusing Security Products to Bypass Mitigations

tldr; design issues in various security products, such as anti-virus, make it significantly easier for threat actors to bypass exploit mitigations. In particular, we found a prevalent flaw where anti-virus products allocate memory with RWX permissions at a predictable address.

We released a tool that checks whether your computer is likely to be vulnerable to exploitable constant RWX addresses. Download AVulnerabilityChecker here – https://github.com/BreakingMalware/AVulnerabilityChecker


Moker, Part 1: dissecting a new APT under the microscope

Recently, we came across Moker, an advanced malware residing in a sensitive network of a customer. Since the malware did not try to access an external server, but rather tampered with the system’s inner workings, we decided to give this malware a second look.

Indeed, we found that there is more to this malware than meets the eye.

First, it was obvious that the malware authors had built in many anti-research measures, beyond the usual anti-debugging techniques.

Second, once we started analyzing the malware itself, we were able to analyze its capabilities, the advanced techniques it uses to remain stealthy and hook itself into the operating system, and its sophisticated inter-process communication.


Injection on Steroids: Code-less Code Injections and 0-Day Techniques

tldr; You’ll find the talk deck embedded within this post.

The relevant code is posted on Github – https://github.com/BreakingMalware/PowerLoaderEx

The folks at BSides were also kind enough to publish the video of our talk – https://www.youtube.com/watch?v=0BAaAM2wD4s
