New RAT Hijacks COM Objects for Persistence, Stealthiness
Posted on October 31, 2014 by Kara Dunlap in Security
Researchers have uncovered a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection.
The RAT, dubbed “COMpfun,” has been analyzed by experts from G DATA Software’s SecurityLabs. When it comes to functionality, the malware is not out of the ordinary. It can be used to log keystrokes, take screenshots, download and upload files, execute code, and for other specific tasks.
The threat can run on both 32-bit and 64-bit versions of Microsoft Windows (up to Windows 8), and it relies on HTTPS and RSA encryption to communicate with its command and control (C&C) server.
What makes COMpfun interesting is the fact that it injects itself into the processes running on compromised systems by hijacking legitimate Component Object Model (COM) objects.
COM allows developers to manipulate and control the objects of other applications. Each of these objects has a unique identifier called CLSID.
When it’s installed on a system, the RAT creates two files, after which it creates two registry entries to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. These IDs are already assigned to two Microsoft libraries that are used by several applications, including the Web browser. However, by defining objects with the same CLSIDs, the originals are replaced with the new ones.
Once this is done, the malicious libraries are loaded into processes instead of the legitimate Microsoft libraries. This not only makes the RAT persistent, but also makes it more difficult to detect.
“As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to be identified. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns,” G DATA researcher Paul Rascagnères wrote in a blog post.
Many antiviruses monitor systems for DLL injections, but since COMpfun doesn’t rely on DLL injections, some security solutions might miss the threat. Rascagnères has warned that any type of malware could leverage this technique to become stealthy.
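Defenders can look for this kind of hijack by comparing per-user COM registrations against machine-wide ones. The following added example (not code from G DATA or the original article) parses `reg export` text and reports every CLSID that has an InprocServer32 under HKEY_CURRENT_USER while also being defined under HKEY_LOCAL_MACHINE. It assumes the hijack entries are per-user registrations, which Windows resolves ahead of machine-wide ones; the article does not say which hive was used, and all paths and DLL names in the sample are constructed.

```python
import re

# CLSIDs the article names as hijacked by COMpfun (lower-cased for comparison).
ARTICLE_CLSIDS = {"{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}",
                  "{bcde0395-e52f-467c-8e3d-c4579291692e}"}
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\Software\\Classes\\CLSID\\"
                    r"(\{[0-9a-f-]{36}\})(?:\\(.+))?\]$", re.IGNORECASE)

# Constructed sample in `reg export` text form; DLL names and paths are made up.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@="C:\\Windows\\System32\\legit_a.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\legit_b.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{bcde0395-e52f-467c-8e3d-c4579291692e}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\constructed\\x.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{99999999-aaaa-bbbb-cccc-dddddddddddd}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\App\\peruser_only.dll"
"""

def parse_clsid_servers(reg_text):
    """Map hive -> {clsid: InprocServer32 default value, or None if absent}."""
    found, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            hive, clsid, sub = m.group(1).upper(), m.group(2).lower(), m.group(3)
            found.setdefault(hive, {}).setdefault(clsid, None)
            is_server = (sub or "").lower() == "inprocserver32"
            current = (hive, clsid) if is_server else None
        elif line.startswith("["):
            current = None  # some other key: stop collecting values
        elif current and line.startswith("@="):
            value = line[2:]
            if value[:1] == '"' and value[-1:] == '"':  # REG_SZ; other types kept raw
                value = value[1:-1].replace("\\\\", "\\")
            found[current[0]][current[1]] = value
    return found

def find_user_overrides(reg_text):
    """Per-user in-process servers registered for a CLSID that HKLM also defines."""
    hives = parse_clsid_servers(reg_text)
    user = hives.get("HKEY_CURRENT_USER", {})
    machine = hives.get("HKEY_LOCAL_MACHINE", {})
    return [{"clsid": c, "user_dll": dll, "machine_dll": machine[c],
             "named_in_article": c in ARTICLE_CLSIDS}
            for c, dll in sorted(user.items()) if dll and c in machine]

if __name__ == "__main__":
    for hit in find_user_overrides(SAMPLE_REG):
        print(hit)
```

Files written by `reg export` are UTF-16, so decode them before passing the text in. A hit is a lead to investigate rather than proof of compromise, since some legitimate software also registers per-user COM servers.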
COMpfun is not the only RAT that abuses COM. Back in August, G DATA detailed IcoScript, a piece of malware that leveraged COM to control Internet Explorer. By taking control of the Web browser, cybercriminals have been able to carry out various actions, such as accessing websites, entering credentials, pressing buttons on pages, and exfiltrating data.
In the case of IcoScript, cybercriminals leveraged the technique to access Yahoo Mail accounts and use them for C&C communications. Researchers noted at the time that the attackers could have used other webmail services as well, such as Gmail.
Massive Oracle Security Update Lands on Microsoft Patch Tuesday
Posted on October 15, 2014 by Kara Dunlap in Security
Microsoft and Oracle customers will have their hands full applying a spate of security updates that were issued today.
Microsoft released eight security bulletins as part of Patch Tuesday, including critical updates for Internet Explorer, Windows and the .NET Framework. The bulletins address a total of 24 vulnerabilities, including a handful that are known to have already come under attack.
But the Microsoft release is dwarfed in size by the more than 150 security fixes issued today by Oracle. Within those patches are 31 fixes for the Oracle Database, several of which have a CVSS Base Score of 9.0.
“This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows),” explained Oracle Software Security Assurance Director Eric Maurice in a blog post. “When the database user has limited (or non-root) privilege, then the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and not extend to the underlying Operating System. Regardless of this decrease in the CVSS Base Score for these vulnerabilities for most recent versions of the database on Windows and all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.”
The Oracle update also provides fixes for 25 new Java SE vulnerabilities, the most severe of which has a CVSS Base Score of 10.0. Out of the 25, 20 affect client-only deployments of Java SE, and two of these are browser specific. Four vulnerabilities meanwhile affect client and server deployments of Java SE, while one affects client and server deployments of JSSE, Maurice noted.
The remaining vulnerabilities impact: Oracle Fusion Middleware; Oracle Enterprise Manager Grid Control; Oracle E-Business Suite; Oracle Supply Chain Product Suite; Oracle PeopleSoft Enterprise; Oracle JDEdwards EnterpriseOne; Oracle Communications Industry Suite; Oracle Retail Industry Suite; Oracle Health Sciences Industry Suite; Oracle Primavera; Oracle and Sun Systems Product Suite; Oracle Linux and Virtualization and Oracle MySQL.
In the case of Microsoft, customers will have their hands full with issues of their own. Three of the bulletins released today by Microsoft are rated ‘critical’ – MS14-056, MS14-057 and MS14-058.
MS14-056 is the biggest of the updates, and addresses 14 privately-reported issues in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially-crafted webpage using Internet Explorer.
“This is another Patch Tuesday that easily fuels future drive-by web attacks for the months ahead,” said Marc Maiffret, CTO of BeyondTrust. “Beyond just code execution there also exists the ability to bypass ASLR (Address Space Layout Randomization) which is a helpful OS security migration for exploitation. This ASLR bypass can be used in conjunction with other vulnerabilities for more successful exploitation where it might not have been possible in the past. It should be noted that Microsoft’s EMET technology will help mitigate some of these attacks and even more importantly these client application vulnerabilities are a great reminder of the need for Least Privilege in making sure users are not running as Administrator.”
MS14-056, he said, should be prioritized first, with the remaining critical updates coming next. MS14-058 contains fixes for two issues in Windows that are already known to be under attack.
“The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts,” according to Microsoft. “In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.”
The final critical bulletin is MS14-057, which addresses vulnerabilities in the .NET Framework. According to Microsoft, the most severe of these could allow remote code execution if an attacker sends a specially-crafted URI request containing international characters to a .NET web application. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.
The remaining bulletins are rated ‘Important’ and cover issues in Microsoft Windows, Developer Tools and Microsoft Office.
Adobe Systems also released patches today to address issues in Adobe Flash Player.
“Adobe is releasing an update to their Flash player with advisory APSB14-22, which addresses three RCE [remote code execution] type vulnerabilities,” blogged Qualys CTO Wolfgang Kandek. “Installations that run the newer Internet Explorer 10 and 11 get this update automatically. Users of older browsers or on other operating systems should apply this critical update manually.”
Microsoft Preps Critical Internet Explorer Security Update for Patch Tuesday
Posted on September 4, 2014 by Kara Dunlap in Security
Microsoft is set to release four security bulletins next Tuesday covering issues in Windows, Internet Explorer and other products.
Only one of the bulletins – the one dealing with Internet Explorer – is rated ‘Critical.’ The other three are classified by Microsoft as ‘Important.’
“Looks like a very light round of Microsoft Patching this month,” said Ross Barrett, senior manager of security engineering at Rapid7. “Only four advisories, of which only one is critical. The sole critical issue this month is the expected Internet Explorer roll up affecting all supported (and likely some unsupported) versions. This will be the top patching priority for this month.”
Many organizations do not routinely stay up-to-date with the latest version of the browser, noted Eric Cowperthwaite, vice president of advanced security and strategy at Core Security.
“I checked with a couple recently and they are still running two or three versions of IE behind the current version,” he said. “The IE vulnerabilities are likely to impact significant portions of the enterprise computing space. Clearly the IE vulnerabilities that will allow remote code execution on every desktop OS and most server OS is the vulnerability that should be addressed first. Because it is so widespread and requires system restarts, this is going to be challenging for most IT organizations.”
The three non-critical bulletins address issues in Windows, the .NET Framework and Microsoft Lync Server. Two of the bulletins deal with denial of service issues, while the other addresses an escalation of privilege.
“The few number of patches expected out next week doesn’t mean you can take a pass on patching this month however,” noted Russ Ernst, director of product management at Lumension. “The critical class patch is for at least one remote code execution vulnerability in IE – likely another cumulative update for the browser.”
The updates are slated to be released Tuesday, Sept. 9.
Microsoft Plans Critical Internet Explorer, Windows Updates for Patch Tuesday
Posted on July 4, 2014 by Kara Dunlap in Security
Microsoft announced plans today to release six security bulletins as part of this month’s Patch Tuesday.
Of the six, two are rated ‘critical’, while three are rated ‘important’ and one is considered ‘moderate.’ The updates are for Microsoft Windows, Microsoft Server Software and Internet Explorer, with the critical ones targeted at IE and Windows.
It’s the time of year when many people take vacation away from the office, but this won’t be the month to push off patching, blogged Russ Ernst, director of product management for Lumension.
“Datacenter administrators shouldn’t plan to be away too much next week since every bulletin impacts nearly every supported Windows Server version,” he added. “Two of the bulletins even impact Windows Server set to Core mode.”
Wolfgang Kandek, CTO of Qualys, called the IE bulletin the most critical, and noted it affects all versions of the browser from Internet Explorer 6 to Internet Explorer 11.
“This patch should be the top of your list, since most attacks involve your web browser in some way,” he blogged. “Take a look at the most recent numbers in the Microsoft SIR (Security Intelligence Report) report v16, which illustrated clearly that web-based attacks, which include Java and Adobe Flash are the most common.”
Bulletins 3, 4 and 5, he added, are all elevation of privilege vulnerabilities in Windows and affect all versions of Windows.
“They are local vulnerabilities, i.e. they cannot be used to achieve code execution remotely through the network, but require that the attacker already has a presence on the targeted machine as a normal or standard user,” Kandek blogged. “Exploits for these types of vulnerabilities are part of the toolkit of any attacker as they are extremely useful, when the attackers get an account on the machine, say through stolen credentials. In any practical scenario, the attacker then wants to assure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in – we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine.”
The final bulletin is rated ‘moderate’ and impacts Microsoft Service Bus for Windows Server, Ernst explained.
“Microsoft Service Bus is a messaging service used by many third-party web applications as well as by Microsoft Azure, so even though this is rated as Moderate, it is probable that this vulnerability would be used in conjunction with other vulnerabilities to target those applications,” he blogged.
The Patch Tuesday updates will be released July 8 at approximately 10 am PT.
Nasty IE Zero-Day Used in Attacks Against Defense, Financial Sectors: FireEye
Posted on April 27, 2014 by Kara Dunlap in Security
Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.
The security flaw is a remote code execution vulnerability (CVE-2014-1776) that affects versions of IE6 through IE11, which in total accounted for 26.25% of the browser market in 2013.
The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11.
“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday.
Microsoft also issued a security advisory on Saturday and said they were working with partners in its Microsoft Active Protections Program (MAPP) to extend broader protections to customers as soon as possible.
If successfully exploited, an attacker could gain the same user rights on the impacted system as the current user, Microsoft said. Accounts configured with fewer rights on the system could be less impacted than users who operate with administrative privileges.
FireEye has named the campaign “Operation Clandestine Fox,” but has shared very few details other than saying the group behind the exploit has been the first to have access to a select number of browser-based 0-days in the past.
FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”
“They have a number of backdoors including one known as Pirpi that we previously discussed here,” the researchers wrote. “CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8 dropped the Pirpi payload discussed in this previous case.”
“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray,” FireEye explained. “The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”
Because the attack leverages Adobe Flash, users who do not have Flash installed or who have the Flash plugin for IE disabled will be protected. Additionally, several versions of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) will break the exploit.
Additional technical details are available from FireEye. Microsoft also has provided some mitigation information.
Microsoft to Release Critical IE Patch Next Week
Posted on March 7, 2014 by Kara Dunlap in Security
Microsoft plans to release five security bulletins next week for this month’s Patch Tuesday, including a fix for a security vulnerability used in attacks against Internet Explorer 10.
That vulnerability, which was described in Security Advisory 2934088, was spotted being used in watering hole attacks during the past few weeks. The bug also affects Internet Explorer 9, and could be exploited if the victim is tricked into visiting a compromised Website. Customers using other versions of IE are not impacted, Microsoft noted.
In addition to the IE bulletin, Microsoft will release one other critical bulletin for Windows. The other three bulletins are rated ‘important’ and affect Microsoft Windows and Microsoft Silverlight.
“The March patch list is small, with only five bulletins, but they are certainly significant,” said Ken Pickering, director of engineering at CORE Security. “There are two bulletins listed as ‘critical’ with remote code executions, one on Internet Explorer and one on a series of Windows versions. These types of bulletins need immediate attention and a reboot, which is always a headache for IT teams. Bulletin 5 only affects Silverlight, and aside from using it to stream House of Cards on Netflix, doesn’t have a big impact.”
“Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore,” blogged Wolfgang Kandek, CTO of Qualys. “Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end-of-life date…so you need a strategy for the XP machines remaining in your infrastructure.”
The Patch Tuesday updates will be released March 11.