Slashdot Mirror


Drive-By Exploits Pushing Ransomware Now Able To Bypass Microsoft EMET (arstechnica.com)

An anonymous reader writes from a report via Ars Technica: Ars Technica reports that drive-by attacks that install the TeslaCrypt crypto ransomware are now able to bypass Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which is designed to block entire classes of Windows-based exploits. The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Researchers from FireEye published a blog post Monday that says the new Angler attacks are significant because they're the first exploits found in the wild that effectively pierce the mitigations. The exploits' code is based on the Adobe Flash and Microsoft Silverlight browser plugins that bypass data execution prevention, a protection that prevents computers from running data loaded into memory. The new Angler exploits rely on techniques other than Data Execution Prevention (DEP) that are harder to detect and contain fewer limitations. FireEye researchers have observed the exploits working only on Windows 7 and not on Windows 10, which is more resistant to exploits. They also only work when targeted computers have either Flash or Silverlight installed. Microsoft created EMET to largely block entire classes of memory-based software exploits that had existed for decades. Now, Angler developers have struck back with techniques that can undo some of those protections. Recently, the TeslaCrypt ransomware makers closed down shop and released a master key and an apology.

52 comments

  1. My question by TheDarkener · · Score: 2, Insightful

    Why do the Adobe Flash and Microsoft Silverlight browser plugins bypass data execution prevention?

    --
    It is pitch black. You are likely to be eaten by a grue.
    1. Re:My question by Anonymous Coward · · Score: 0, Troll

      Why do the Adobe Flash and Microsoft Silverlight browser plugins bypass data execution prevention?

      Because... Microsoft....

      The real answer is that Bill Gates is such a visionary that he rejected the commonly held principle of least privilege to run a given task, and instead went with root with masks. Yep, real genius, that guy.

    2. Re:My question by Anonymous Coward · · Score: 1

      Get back to TempleOS, Terry.

    3. Re:My question by Dog-Cow · · Score: 4, Informative

      Anything with a JIT needs to bypass DEP.

    4. Re:My question by Anonymous Coward · · Score: 0

      That is not an answer at all, and is so dated that it's completely irrelevant info anyway.

    5. Re:My question by DigiShaman · · Score: 3

      And therein lies the problem! The entire paradigm of running JIT code from a web browser is uber fucking stupid! JAVA, FLASH, SILVERLIGHT, it's not the platform so much as the philosophy of taking code from the internet and executing it in a way that's not sandboxed.

      --
      Life is not for the lazy.
    6. Re:My question by Anonymous Coward · · Score: 1

      Good job. You have now described the problem. And just like many others, you have done only that. As your next step, please devise and describe a feasible solution. That would actually be helpful.

      I do not know what a feasible solution looks like. Then again, I do not run around pointing out a well known problem to everyone all the time, either.

    7. Re:My question by Anonymous Coward · · Score: 0

      Enable EMET system-wide DEP OptOut with the latest Futuremark test, which uses Java, and you get a complete system crash at test load time on some systems with Windows 10. EMET DEP has been a precarious child from the beginning, as it changes the way Windows DEP protection works across processes.

    8. Re:My question by DigiShaman · · Score: 1

      Solution is to *NOT* use JIT code in a NON-SANDBOXED environment. If you must, run native apps.

      --
      Life is not for the lazy.
    9. Re:My question by Anonymous Coward · · Score: 0

      No, that's completely wrong. VirtualProtect() can be used to mark regions as executable regardless of DEP setting, and this is the preferred behavior for any competently written JIT, because you know exactly what sections you need marked as executable.

  2. Re:Huh by Anonymous Coward · · Score: 0

    "...and not on Windows 10, which is more resistant to exploits."

    Which FireEye didn't actually say... Nice summary, nice summary, let's be friends.

  3. Daily backups, never pay a red cent by Anonymous Coward · · Score: 0, Insightful

    Make daily back-ups. Never pay a red cent to that filth. It'll go away if we stop paying them. Maybe we should make it illegal to pay them, as well as for them to do what they do.

    1. Re:Daily backups, never pay a red cent by toejam13 · · Score: 4, Insightful

      That works for ransomware programs that simply encrypt and then immediately extort, but there are others that will silently encrypt for weeks before issuing a ransom. So unless you validate your backups with another clean computer, you might not know.

    2. Re:Daily backups, never pay a red cent by Anonymous Coward · · Score: 0

      That works for ransomware programs that simply encrypt and then immediately extort, but there are others that will silently encrypt for weeks before issuing a ransom. So unless you validate your backups with another clean computer, you might not know.

      Might not know if your data is secure? Yes it's certain. You're another satisfied Microsoft customer!

    3. Re:Daily backups, never pay a red cent by Anonymous Coward · · Score: 0

      I'm kinda surprised the US government hasn't started a massive propaganda campaign about "ransomware funds terrorism." Considering government bodies have paid the damn ransom, I guess they have to keep their options open.

    4. Re:Daily backups, never pay a red cent by Anonymous Coward · · Score: 0

      Fake support scammers are catching on to this.
      They are beginning to ask for iTunes gift card codes now instead of credit card numbers.

    5. Re:Daily backups, never pay a red cent by Anonymous Coward · · Score: 0

      They are waiting to get them for tax evasion.

  4. Well, DUH! by jcr · · Score: 0

    The exploits' code is based on the Adobe Flash and Microsoft Silverlight browser plugins

    So don't run crapware in your browser, and you're all set.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  5. Well, cancelled Netflix a while back by Crashmarik · · Score: 1

    That was my one reason for Silverlight.
    Flash has been disabled for a while now; just too damn dangerous.

  6. Well if pop up upgrades don't succeed by Anonymous Coward · · Score: 0

    Create ransomware to force the upgrade / make some pocket money.

  7. I am shocked!!! by mspohr · · Score: 0, Flamebait

    OMG! I just can't believe it! Does this mean that Windows is not secure???
    What should I do???!!?!?

    --
    I don't read your sig. Why are you reading mine?
    1. Re:I am shocked!!! by Opportunist · · Score: 2, Insightful

      Hey, don't worry, Windows is as secure as ever!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. How Convenient! by Pant$H8r · · Score: 0

    If this doesn't get you to upgrade to Windows 10, nothing will!

    1. Re:How Convenient! by Opportunist · · Score: 1

      At this point I'm honestly waiting for MS to push the Win10 update by means of a drive-by infecting trojan.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Impossible by melting_clock · · Score: 0

    A Microsoft product vulnerable to exploits? That just can't be true... Putting aside the sarcasm for a moment, this really should not come as a surprise to anyone. MS products are constantly targeted because MS makes them easy targets, and their latest OS version has spyware and adware built in.

    Anyone foolish enough to trust MS to fight against malware, when MS are pushing their own spyware/adware in Windows 10, is crazy and deserves whatever they get.

    1. Re:Impossible by Anonymous Coward · · Score: 2, Informative

      These exploits work on some unpatched Windows 7 systems, an OS released in 2009. Windows 10 is not vulnerable to them at all. At least RTFM and get a clue before making blanket statements that make you sound like you don't know what you're talking about.

  10. MS can fix this easily by lord+merlin · · Score: 2

    Microsoft has lots of money. Why don't they just actively buy these exploits as they hit the market (through an 'agent' if they must), reverse engineer them, update EMET & issue a patch that closes the flaw, and move on, long before anyone is hacked ???

    1. Re: MS can fix this easily by Anonymous Coward · · Score: 0

      Seriously? +1 for "enter the market for buying exploits from blackhats"? On a par with a drugs policy that says "the government should just buy all the drugs at street prices". Pathetic.

    2. Re: MS can fix this easily by Opportunist · · Score: 1

      False analogy. You cannot simply up the production of 0day exploits when you see an increase in demand, unlike drugs.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re: MS can fix this easily by Anonymous Coward · · Score: 0

      Um, yes, yes you can. An increased financial incentive, and much more importantly a guaranteed and stable one, means there will be a lot more people spending a lot more time looking for exploits and producing exploit code. This means more 0-days.

      These things don't just spontaneously pop into existence from the ether, or do you think that they just appear at a random predetermined rate?

    4. Re: MS can fix this easily by Anonymous Coward · · Score: 0

      It's not a false analogy. More people would join the search for exploits.

    5. Re: MS can fix this easily by Anonymous Coward · · Score: 0

      Not just more people, but existing people who already find bugs that turn out to be exploitable are going to see this as an easy revenue stream. The choice becomes:

      1. Report the problem and maybe it gets acknowledged in 6 months or 3 years time; most likely it's buried inside some non-descriptive update and you'll be lucky to get credit.
      2. Construct some 0-day exploit code from the bug, sell it on to the vendor with a clean conscience, get a lot of money and also 1.

      Once you're doing 2., there's a new temptation that since you've gone that far, with no extra effort you might as well do 0. and also start selling your exploit code on the black market as well for even more money.

    6. Re: MS can fix this easily by swb · · Score: 1

      On a par with a drugs policy that says "the government should just buy all the drugs at street prices". Pathetic.

      I've read more than once that in the mid 1970s several warlords in the Golden Triangle offered to sell the US government their entire opium production.

      And I think it's been suggested as a counter-insurgency tactic in Afghanistan. Rather than spending even more to convince local farmers to grow lower-value cash crops and an eradication by force campaign, simply corner the market and buy up the supply.

      I'm sure there are problems, both in terms of academic economics and unintended consequences, but it's an interesting idea. And I think the fact that it's never been tried tells me something about the other motivations of drugs policy that have nothing to do with inhibiting drug use.

      (Don't get me wrong, I think that prohibitionist drugs policy is broken and nonworkable, but cornering the market on supply is an intriguing idea that's dismissed too easily.)

    7. Re: MS can fix this easily by gtall · · Score: 1

      And create a growth market for the supply of opium. If you are guaranteed a price which makes it worth your while to grow opium, then you have every incentive to maximize your acreage. And there's nothing stopping you from siphoning some off for the local warlords you need to keep happy for the privilege of growing opium. To stop the siphoning means ramping up enforcement. If you, as an opium grower, are faced with enforcement from the U.S. or local governments, that still will fail to compete against death from your friendly neighborhood warlord.

      The fun wouldn't stop there though. A guaranteed money supply will encourage the local authorities to look the other way and siphon a bit off for themselves.

      I find your idea not very intriguing, but then it wouldn't be the first bright idea run into the shoals by human behavior.

    8. Re: MS can fix this easily by Anonymous Coward · · Score: 0

      So the solution is to hire killers to find these ass hats and give them hot lead poisoning. That was the solution to the heroin growers.
      NEVER PAY the ransom!

    9. Re: MS can fix this easily by Anonymous Coward · · Score: 0

      And that's worked so well.

  11. Re:Vendors can bypass DEP? by Anonymous Coward · · Score: 1

    You can do it at link time with this: https://msdn.microsoft.com/en-... Or by setting the proper AppCompatFlags. Or by calling SetProcessDEPPolicy. Or half a dozen other ways documented on MSDN and TechNet.

  12. The internet isn't very useful by Anonymous Coward · · Score: 0

    It isn't suitable for anything serious; it's a constant battle that will never end.
    I'm pretty sure that "The Clapper" was a more beneficial invention than the internet. (Saw one on clearance the other day, haha.)
    It's useful to download some files or documents and send some email, but that's about it: connect, get your stuff, then disconnect. Other than that it's a sad joke, but it is amusing to sit back and watch the never-ending failures.

  13. "EMET evading" by Anonymous Coward · · Score: 0

    EMET isn't a technology, it's a package containing a number of security-enhancing techniques (none invented by Microsoft), so "bypasses EMET" at best is uninformative, at worst makes little sense.

  14. Re:Vendors can bypass DEP? by Anonymous Coward · · Score: 0

    And you can allocate executable blocks with VirtualAlloc and change protection settings using VirtualProtect. The reasons that it's possible to bypass DEP in various ways fall broadly in two categories: backward compatibility and scripting.
    1. Backward compatibility
    DEP was introduced in Windows XP and didn't exist before then. Even in Windows XP it isn't turned on by default for most processes. A lot of software has been written that executes data. A few common examples:
    - Certain compilers (including GCC) allocate trampolines on the stack for certain operations. Trampolines are essentially bits of executable code that do a bit of bookkeeping and then jump to the actual function. An example use case is where you take a pointer to a nested function. Nested functions have access to locals from the function they're nested in, so they need to know where to find them. A common, but dangerous, way to do this is to allocate a trampoline on the stack that fixes the stack pointer so the trampoline sees the correct locals when it's called. GCC later ‘fixed’ this IIRC by marking the page with the trampoline executable, which is the worst solution imaginable since it effectively disables DEP for at least 4 kB of stack. It would have been better to either disable trampolines and the language features that require them (after all, you cannot safely use them now anyway) or to allocate them from a special heap.
    - Certain popular libraries (including ATL) generate thunks, bits of executable code that convert input parameters into a form in which they can be consumed by the actual function. An example use case is where a callback is called by the operating system using a handle, but the actual function needs a pointer to a C++ object. So for example in ATL this is used to convert a window handle into a pointer to the object that implements the window's behaviour for use as a this pointer. In principle this can be fixed by allocating thunks from a special heap, but not all software has been recompiled and / or relinked with a newer library that does that.
    - And then there are old scripting engines and the software that uses them. Next section.
    2. Scripting
    Scripting engines often aren't completely interpreted, because that makes them slow. Instead they translate the scripting code they want to execute, for example JavaScript or Java / .Net byte code into native code. In addition even pure interpreters often still need to generate code, like thunks when the interpreted code needs to interface with the native environment, for example when a callback in interpreted code needs to be called from native code.
    Nowadays it's possible to allocate this executable code from a special heap with modified permissions so code can execute even with DEP for the process as a whole turned on. It is an extra bit of executable memory though and care must be taken to avoid making it easy for attackers to exploit that.
    And of course, older scripting engines were written before DEP was a thing and they don't know that they need to jump through the hoops and therefore don't work if DEP is enabled.
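The "special heap with modified permissions" that the comment above describes, and the VirtualAlloc / VirtualProtect calls mentioned in comments 9 and 14, come down to one discipline: generated code is written while the page is read/write and only executed after it has been flipped to read/execute, so no page is ever writable and executable at once. The program below is an added example, not code from this thread or from any commenter. It uses the Windows calls on Windows and falls back to the POSIX equivalents (mmap / mprotect) elsewhere so it runs on either; the helper names (code_alloc, code_seal, code_free, wx_jit_demo) and the six-byte x86-64 stub are constructed for the example, and on a non-x86-64 host only the permission transition is exercised.

```c
// Added example: a DEP-compatible "JIT heap" pattern, writable XOR executable.
// Windows: VirtualAlloc/VirtualProtect (the calls named in the thread).
// POSIX: mmap/mprotect stand in so the same logic runs off Windows.
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#endif

/* Step 1: allocate a read/write (deliberately NOT executable) buffer to emit into. */
static void *code_alloc(size_t len) {
#ifdef _WIN32
    return VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Step 2: seal the buffer as read/execute. Writable and executable never overlap,
   so a later write into the code page faults instead of silently succeeding. */
static int code_seal(void *p, size_t len) {
#ifdef _WIN32
    DWORD old;
    return VirtualProtect(p, len, PAGE_EXECUTE_READ, &old) ? 0 : -1;
#else
    return mprotect(p, len, PROT_READ | PROT_EXEC);
#endif
}

static void code_free(void *p, size_t len) {
#ifdef _WIN32
    (void)len;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, len);
#endif
}

/* 1 when the generated stub can actually be executed on this host. */
int is_x86_64(void) {
#if defined(__x86_64__) || defined(_M_X64)
    return 1;
#else
    return 0;
#endif
}

/* Returns 42 when the emitted code ran under W^X, 0 on a non-x86-64 host
   (permission transition exercised only), -1 if allocation or sealing failed. */
int wx_jit_demo(void) {
    const size_t len = 4096;                 /* one page is enough for the stub */
    /* Constructed sample payload: x86-64 'mov eax, 42 ; ret'. */
    static const uint8_t stub[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};

    uint8_t *buf = code_alloc(len);
    if (!buf) return -1;
    memcpy(buf, stub, sizeof stub);          /* emit while the page is RW */

    if (code_seal(buf, len) != 0) {          /* RW -> RX; never RWX */
        code_free(buf, len);
        return -1;
    }

    int result = 0;
    if (is_x86_64()) {
        int (*fn)(void);
        memcpy(&fn, &buf, sizeof fn);        /* object -> function pointer without a cast warning */
        result = fn();
    }
    code_free(buf, len);
    return result;
}

int main(void) {
    int r = wx_jit_demo();
    printf("W^X JIT demo returned %d\n", r);
    return r < 0;
}
```

The point of the two-step sequence is the one the comment makes: DEP stays on for the process as a whole, and the only executable memory is the sealed region, which an attacker who gains a write primitive can no longer modify. A JIT that instead allocates PAGE_EXECUTE_READWRITE (or mprotect's RWX) gets the same functionality but hands back exactly the writable code page DEP was meant to remove.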

  15. Why is this news? by Anonymous Coward · · Score: 0

    This DEP bypass has been known about for over 10 years. I guess people in security theatre land love their false sense.

    1. Re:Why is this news? by Opportunist · · Score: 1

      Hey, WE have been telling people for at least 10 years now that DEP is a problem. It just takes the idiots in management roughly a decade to get their head out of their ass (or off the coke table) and realize there is a problem. Currently we're waiting for them to notice that social engineering could be a problem and that we should implement steps to ensure that mails that allegedly come from management really do, but I don't hold my breath for this to arrive with them.

      Like every other problem on this planet, it has to go through the 9 steps of management problem treatment:

      1. Ignoring it, hoping it will simply go away.
      2. Realizing, after some considerable damage, that it does not.
      3. Designing mitigation strategies that continue to ignore the problem, with the core requirement of those strategies being that they make them seem like they do something and not cost anything.
      4. Realizing that the problem still doesn't go away despite their "strategic decisions".
      5. Designing other mitigation strategies that shift the blame on the staff.
      6. Realizing that it's not human error after firing key personnel, hiring new duds and finding out that this lowers productivity considerably because the new guys lack the experience with the company's internal workflows.
      7. Asking their IT security staff.
      8. Not liking ITSEC's answer and ignoring it.
      9. Demanding better laws from government.

      10 should be that they find out that laws only apply within the borders of their own country and that people in countries that have real problems and don't give a fuck about "cyber crime" are pretty safe from anything, but usually it doesn't get that far before a new problem arrives at the horizon. And no, I have no idea what 11 could be.

      It never happened.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Why is this news? by Anonymous Coward · · Score: 0

      Since I'm the same AC responsible for both posts you replied to, I'd like to say I can't argue with this one! Unfortunately, due to the limited political lifecycle, we find that we're lucky if it gets as far as 7. down that list before the whole thing resets and starts again.

      At a guess, 11 might be "closing electronic borders" to countries that don't enforce "cyber crime" or have treaties in place, although by the time 11. comes the rule of nation states will officially be at an end and we'll have long since degenerated to corporate serfdoms.