
"WoW! Want to beat Microsoft's Windows security defenses?", The Register


  • Please log in to reply
6 replies to this topic

#1 Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts

Posted 03 November 2015 - 11:49 AM

Two chaps claim to have discovered how to trivially circumvent Microsoft's Enhanced Mitigation Experience Toolkit (EMET) using Redmond's own compatibility tools.

A report [PDF] by the duo at Duo Security describes how the Windows on Windows (WoW64) environment can be abused to bypass built-in security tools.

WoW64 allows 32-bit applications to run on 64-bit Windows installations. At its core, it works by trapping system calls made by code running in 32-bit mode, and jumping to 64-bit long mode before letting Windows handle the call. By taking advantage of the mode changes, we're told, it is possible to smuggle malicious code past EMET's barriers, which ordinarily do a good job of blocking vulnerability exploits.


WoW! Want to beat Microsoft's Windows security defenses? Poke some 32-bit software

That's an interesting vulnerability. Abusing software made to protect against exploits on a Windows system, to exploit it in the end.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
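The quoted article says the attack lives in the 32-bit to 64-bit mode switch, so a defender's first question is which processes on a 64-bit host actually run under WoW64. The script below is an added example, not code from this thread, from The Register, or from the Duo Security report: it asks the kernel for each process's bitness and lists the WoW64 ones. It assumes 64-bit Windows with Windows PowerShell 5.1 or PowerShell 7; OpenProcess, IsWow64Process and CloseHandle are real kernel32 exports, while the Win32.ProcBitness wrapper and the Get-ProcessBitness function name are my own choices.

```powershell
# Added example (not from the thread or the Duo Security report): inventory the
# processes on a 64-bit Windows host that run under WoW64, i.e. the 32-bit code paths
# whose mode switch the quoted article says can be abused.
# Assumptions: 64-bit Windows, Windows PowerShell 5.1 or PowerShell 7. The kernel32
# exports are real; the Win32.ProcBitness wrapper name is my own.

$src = @'
using System;
using System.Runtime.InteropServices;
namespace Win32 {
    public static class ProcBitness {
        // Enough access to query bitness; works without admin rights for most processes
        public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64);

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool CloseHandle(IntPtr h);
    }
}
'@
Add-Type -TypeDefinition $src -ErrorAction Stop

function Get-ProcessBitness {
    if (-not [Environment]::Is64BitOperatingSystem) {
        Write-Warning 'This is a 32-bit Windows install; there is no WoW64 layer to inventory.'
        return
    }
    foreach ($p in Get-Process) {
        $h = [Win32.ProcBitness]::OpenProcess(
            [Win32.ProcBitness]::PROCESS_QUERY_LIMITED_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }   # protected or system process: skip, do not fail
        try {
            $wow = $false
            if ([Win32.ProcBitness]::IsWow64Process($h, [ref]$wow)) {
                $bitness = if ($wow) { '32-bit (WoW64)' } else { '64-bit' }
                [pscustomobject]@{
                    Pid     = $p.Id
                    Name    = $p.ProcessName
                    Bitness = $bitness
                    Path    = $p.Path    # empty when the image path is not readable
                }
            }
        }
        finally {
            [void][Win32.ProcBitness]::CloseHandle($h)
        }
    }
}

# Report only the WoW64 processes: these take the 32-bit -> 64-bit transition the
# article describes, so they are where coverage of a mitigation such as EMET should
# be checked first.
Get-ProcessBitness |
    Where-Object Bitness -like '32-bit*' |
    Sort-Object Name |
    Format-Table Pid, Name, Path -AutoSize
```

Run it from an elevated session to cover more processes; processes that cannot be opened even then (protected processes) are skipped rather than reported as 64-bit, so an empty Path column or a missing entry means "could not query", not "clean". Task Manager's "(32 bit)" suffix shows the same information by hand; the script exists so the list can be compared against the set of applications a mitigation is configured to protect.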


#2 dannyboy950

  • Members
  • 1,338 posts

Posted 03 November 2015 - 12:12 PM

Is that not how most malware works? By finding a way to corrupt or circumvent the most commonly used anti-anything programs.

Supposedly not easy to do but nevertheless do-able.


HP 15-f009wm notebook AMD-E1-2100 APV 1Ghz Processor 8 GB memory 500 GB Hdd

Linux Mint 17.3 Rosa Cinnamon


#3 Aura

    Bleepin' Special Ops

  • Topic Starter

  • Malware Response Team
  • 19,661 posts

Posted 03 November 2015 - 12:43 PM

No. Most malware wants to remain undetected by an Antivirus or Antimalware program by hiding from it, or escaping it. This vulnerability uses a flaw in a security product (EMET) to exploit a system.



#4 Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts

Posted 03 November 2015 - 01:10 PM

Reminds me of a vulnerability in the subsystem that runs 16-bit programs in 32-bit Windows.



#5 Aura

    Bleepin' Special Ops

  • Topic Starter

  • Malware Response Team
  • 19,661 posts

Posted 03 November 2015 - 01:39 PM

What will happen the day we go over 64-bit? They should start looking for that kind of vulnerability as soon as the technology for it arrives.

Also thanks Andrew, I was looking for websites to add to my "News" bookmark folder and I forgot about ArsTechnica, added!



#6 dannyboy950

  • Members
  • 1,338 posts

Posted 03 November 2015 - 02:51 PM

That is kind of funny: a site similar to the one Andrew linked to explains how to do almost the same thing with 64-bit programs and a tool written in 32-bit.

The author did not directly/openly explain how to do it but did provide links to just exactly how to do it. I will not give the name of the site; besides, I already forgot what it actually was. It however was a site discussing coding.




#7 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts

Posted 03 November 2015 - 06:18 PM

Not the first time... EMET Security Technology is not impenetrable.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
