New Code Exposes Windows To Cyberattacks


9 replies to this topic

#1 sikntired

  • Members
  • 1,020 posts
  • Gender:Male
  • Location:USA

Posted 28 October 2016 - 07:52 AM

This article, which I came across, affects all versions of Windows OS. Didn't know exactly where to post this, so I posted here. If not appropriate please feel free to relocate.

 

http://www.zdnet.com/article/code-injection-exposes-all-versions-of-windows-to-cyberattack/?ref=yfp

 

 

It is simply one more attack in the hacking toolbox, and as problems like this design flaw will always be exploited if they can be, the best defense is knowing about it -- especially when there is no solution available.

 

Maybe it is time to change OS.




 


#2 JohnC_21

  • Members
  • 24,289 posts
  • Gender:Male

Posted 28 October 2016 - 08:27 AM

That is just plain freaking scary as it uses legitimate Windows mechanisms. I NEVER have a browser store my passwords but still. This makes it more imperative you never open files from someone you do not know or even those you know unless you verify it first.

 

As noted by the research team, the only way to potentially mitigate attacks using this tool is to dive deeply into the API and monitor for any suspicious changes.

 

Hopefully the AV vendors will jump on this and provide protections. 

 

Maybe it's getting to the point where if you want to run Windows it needs to be in a virtual machine on a Linux box. :)

 

The thread should be moved to General Security.


Edited by JohnC_21, 28 October 2016 - 08:28 AM.


#3 Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 28 October 2016 - 01:33 PM

Quote from enSilo in the Dark Reading article:

 

 

But it is not a privilege-escalation attack, meaning it cannot be used to inject an administrative account from a non-administrative one, he says.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 29 October 2016 - 09:28 AM

Here's what we have to say about this at the Internet Storm Center:

 

https://isc.sans.edu/forums/diary/Windows+Atom+Bombing+Attack/21651/




#5 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,590 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 October 2016 - 11:15 AM

Overall, there is no fix expected for this problem. This isn't even a security vulnerability in its current form. Users can always run code and code a user runs typically does have some access to other processes run by the same user (sometimes limited by sandboxing).

So what does this all mean for you? Not much.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 JohnC_21

  • Members
  • 24,289 posts
  • Gender:Male

Posted 29 October 2016 - 11:47 AM

Just curious. Would it be possible to inject code into the AV itself thereby allowing access to the kernel if the AV does also? Most AVs have self-protection but I was wondering.



#7 Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 29 October 2016 - 01:10 PM

To start, you would need to have or obtain admin rights. And if you have admin rights, you can access the kernel. No need to go via AV.


Edited by Didier Stevens, 29 October 2016 - 01:13 PM.



#8 Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 29 October 2016 - 01:13 PM

For the technical details: https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/




#9 sikntired
  • Topic Starter

  • Members
  • 1,020 posts
  • Gender:Male
  • Location:USA

Posted 29 October 2016 - 05:12 PM

Well the aforementioned links and articles have helped immensely in clarifying and will put a lot of us at ease.

 

Thanks for the responses



#10 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 30 October 2016 - 11:41 PM

Why you should HAVE Malware Hash Registry (MHR) in your arsenal.

The Malware Hash Registry (MHR) project is a look-up service similar to the Team Cymru IP address to ASN mapping project. This project differs however, in that you can query our service for a computed MD5 or SHA-1 hash of a file and, if it is malware and we know about it, we return the last time we've seen it along with an approximate anti-virus detection percentage. https://www.team-cymru.org/MHR.html

BLOG: https://bartblaze.blogspot.com.au/2010/10/winmhr-free-malware-detector.html

 
Hunting Malware with Memory Analysis. https://www.solutionary.com/resource-center/blog/2012/12/hunting-malware-with-memory-analysis/

You can use an advanced task manager like System Explorer to see what services are running in the svchost.exe process. You can also check the svchost.exe MD5/SHA via an online database. As you can see here http://systemexplorer.net/file-database/file/svchost-exe there are many variants of threats.

http://forum.sysinternals.com/svchostexe-on-windows_topic29957.html
http://systemexplorer.net/file-database/file/svchost-exe

http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf

The default configuration includes the following events:

Process create (with SHA1)
Process terminate
Driver loaded
File creation time changed
RawAccessRead
CreateRemoteThread
Sysmon service state changed

https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/
https://blogs.msdn.microsoft.com/ieinternals/2014/09/04/caveats-for-authenticode-code-signing/


Edited by Crazy Cat, 30 October 2016 - 11:46 PM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.
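An added example (not code from the post above or from Team Cymru) of scripting the MHR lookup the post describes: hash a file, form the DNS TXT query against malware.hash.cymru.com, and parse the "last seen" timestamp and detection percentage, treating a hash MHR has never seen (no answer) as "no information" rather than "clean". The DNS name and answer formats are assumed from the public MHR documentation, and the live lookup shells out to the system `dig` tool.

```python
import hashlib
import subprocess
from datetime import datetime, timezone

# MHR (assumed per the public documentation): a DNS TXT query for
# <hex hash>.malware.hash.cymru.com answers "<last_seen_epoch> <detection_pct>"
# for a known sample, and NXDOMAIN (no answer) for a hash MHR has never seen.
MHR_ZONE = "malware.hash.cymru.com"


def file_digest(data: bytes, algo: str = "sha1") -> str:
    """Lowercase hex MD5 or SHA-1 of file contents, the two hashes MHR accepts."""
    if algo not in ("md5", "sha1"):
        raise ValueError("MHR accepts only md5 or sha1 digests")
    return hashlib.new(algo, data).hexdigest()


def mhr_query_name(digest: str) -> str:
    """Build the DNS name for a digest, normalising case and rejecting junk."""
    digest = digest.strip().lower()
    if len(digest) not in (32, 40) or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest must be 32 (MD5) or 40 (SHA-1) hex characters")
    return f"{digest}.{MHR_ZONE}"


def parse_mhr_txt(txt):
    """Turn a TXT answer into (last_seen as UTC datetime, detection percent).

    Returns None when there was no answer, i.e. MHR does not know the hash.
    Treat that as 'no information', not as 'clean': MHR only lists samples it has seen.
    """
    if not txt or not txt.strip():
        return None
    last_seen, pct = txt.strip().strip('"').split()
    return datetime.fromtimestamp(int(last_seen), tz=timezone.utc), int(pct)


def lookup_mhr(digest: str):
    """Live lookup through the system 'dig' tool (prints nothing on NXDOMAIN)."""
    proc = subprocess.run(["dig", "+short", mhr_query_name(digest), "TXT"],
                          capture_output=True, text=True, check=False)
    first = proc.stdout.strip().splitlines()
    return parse_mhr_txt(first[0] if first else "")


if __name__ == "__main__":
    # Constructed sample answer for offline demonstration, not a real MHR record.
    print(parse_mhr_txt('"1277221946 79"'))
```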

 
