Slashdot Mirror


Drive-By Exploits Pushing Ransomware Now Able To Bypass Microsoft EMET (arstechnica.com)

An anonymous reader writes from a report via Ars Technica: Ars Technica reports that drive-by attacks that install the TeslaCrypt crypto ransomware are now able to bypass Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which is designed to block entire classes of Windows-based exploits. The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Researchers from FireEye published a blog post Monday that says the new Angler attacks are significant because they're the first exploits found in the wild that effectively pierce the mitigations. The exploits' code is based on the Adobe Flash and Microsoft Silverlight browser plugins that bypass data execution prevention, a protection that prevents computers from running data loaded into memory. The new Angler exploits rely on techniques other than Data Execution Prevention (DEP) that are harder to detect and contain fewer limitations. FireEye researchers have observed the exploits working only on Windows 7 and not on Windows 10, which is more resistant to exploits. They also only work when targeted computers have either Flash or Silverlight installed. Microsoft created EMET to largely block entire classes of memory-based software exploits that had existed for decades. Now, Angler developers have struck back with techniques that can undo some of those protections. Recently, the TeslaCrypt ransomware makers closed down shop and released a master key and an apology.

17 of 52 comments

  1. My question by TheDarkener · · Score: 2, Insightful

    Why do the Adobe Flash and Microsoft Silverlight browser plugins bypass data execution prevention?

    --
    It is pitch black. You are likely to be eaten by a grue.
    1. Re:My question by Anonymous Coward · · Score: 1

      Get back to TempleOS, Terry.

    2. Re:My question by Dog-Cow · · Score: 4, Informative

      Anything with a JIT needs to bypass DEP.

    3. Re:My question by DigiShaman · · Score: 3

      And therein lies the problem! The entire paradigm of running JIT code from a web browser is uber fucking stupid! Java, Flash, Silverlight: it's not the platform so much as the philosophy of taking code from the internet and executing it in a way that's not sandboxed.

      --
      Life is not for the lazy.
    4. Re:My question by Anonymous Coward · · Score: 1

      Good job. You have now described the problem. And just like many others, you have done only that. As your next step, please devise and describe a feasible solution. That would actually be helpful.

      I do not know what a feasible solution looks like. Then again, I do not run around pointing out a well known problem to everyone all the time, either.

    5. Re:My question by DigiShaman · · Score: 1

      Solution is to *NOT* use JIT code in a NON-SANDBOXED environment. If you must, run native apps.

      --
      Life is not for the lazy.
  2. Re:Daily backups, never pay a red cent by toejam13 · · Score: 4, Insightful

    That works for ransomware programs that simply encrypt and then immediately extort, but there are others that will silently encrypt for weeks before issuing a ransom. So unless you validate your backups with another clean computer, you might not know.

  3. Well cancelled the netflix awhile back by Crashmarik · · Score: 1

    That was my one reason for Silverlight.
    Flash disabled for awhile now just too damn dangerous.

  4. MS can fix this easily by lord+merlin · · Score: 2

    Microsoft has lots of money. Why don't they just actively buy these exploits as they hit the market (through an 'agent' if they must), reverse engineer them, update EMET & issue a patch that closes the flaw, and move on, long before anyone is hacked ???

    1. Re: MS can fix this easily by Opportunist · · Score: 1

      False analogy. You cannot simply up the production of 0day exploits when you see an increase in demand, unlike drugs.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: MS can fix this easily by swb · · Score: 1

      On a par with a drugs policy that says "the government should just buy all the drugs at street prices." Pathetic.

      I've read more than once that in the mid 1970s several warlords in the Golden Triangle offered to sell the US government their entire opium production.

      And I think it's been suggested as a counter-insurgency tactic in Afghanistan. Rather than spending even more to convince local farmers to grow lower-value cash crops and an eradication by force campaign, simply corner the market and buy up the supply.

      I'm sure there are problems, both in terms of academic economics and unintended consequences, but it's an interesting idea. And I think that it's never been tried tells me something about the other motivations of drugs policy that have nothing to do with inhibiting drug use.

      (Don't get me wrong, I think that prohibitionist drugs policy is broken and nonworkable, but cornering the market on supply is an intriguing idea that's dismissed too easily.)

    3. Re: MS can fix this easily by gtall · · Score: 1

      And create a growth market for the supply of opium. If you are guaranteed a price which makes it worth your while to grow opium, then you have every incentive to maximize your acreage. And there's nothing stopping you from siphoning some off for the local warlords you need to keep happy for the privilege of growing opium. To stop the siphoning means ramping up enforcement. If you, as an opium grower, are faced with enforcement from the U.S. or local governments, that still will fail to compete against death from your friendly neighborhood warlord.

      The fun wouldn't stop there though. A guaranteed money supply will encourage the local authorities to look the other way and siphon a bit off for themselves.

      I find your idea not very intriguing, but then it wouldn't be the first bright idea run into the shoals by human behavior.

  5. Re:Vendors can bypass DEP? by Anonymous Coward · · Score: 1

    You can do it at link time with this: https://msdn.microsoft.com/en-... Or by setting the proper AppCompatFlags. Or by calling SetProcessDEPPolicy. Or half a dozen other ways documented on MSDN and technet.
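
The JIT remark in comment 1.2 ("Anything with a JIT needs to bypass DEP") and the list of opt-out routes in comment 5 describe two different things, and the difference is the whole security point. A JIT needs a few pages it can execute; it does not need the process-wide DEP policy turned off via SetProcessDEPPolicy, /NXCOMPAT:NO or an AppCompat shim, which makes every heap and stack page executable and is exactly what a Flash or Silverlight exploit wants. The example below is added here and is not code from the Slashdot thread, from FireEye or from Ars Technica. It shows the W^X pattern a JIT should use: generate code into a read-write page, then flip the page to read-execute before calling it, leaving DEP in force for the rest of the process. The opcode bytes are hand-assembled for x86-64 and AArch64 and are an assumption for any other target (where the function returns -1); the `dep_locked_on()` helper uses the Windows `GetProcessDEPPolicy` API, only compiles under `_WIN32`, and is only meaningful for 32-bit processes, where the policy can still be changed at runtime.

```c
/*
 * Added example (not from the thread or the FireEye/Ars reports): a JIT that
 * gets executable memory without disabling DEP for the process.
 * W^X: the page is writable OR executable, never both at once.
 * Assumption: kCode is hand-assembled for x86-64 and AArch64 only.
 */
#define _GNU_SOURCE
#define _WIN32_WINNT 0x0600
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#  include <windows.h>
#else
#  include <sys/mman.h>
#endif

typedef int (*jit_fn)(void);

/* Hand-assembled "return 42" for the two supported architectures (assumption). */
#if defined(__x86_64__) || defined(_M_X64) || defined(__i386__) || defined(_M_IX86)
static const uint8_t kCode[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, /* mov eax, 42 */
                                 0xC3 };                        /* ret         */
#  define JIT_SUPPORTED 1
#elif defined(__aarch64__) || defined(_M_ARM64)
static const uint8_t kCode[] = { 0x40, 0x05, 0x80, 0x52,        /* movz w0, #42 */
                                 0xC0, 0x03, 0x5F, 0xD6 };      /* ret          */
#  define JIT_SUPPORTED 1
#else
static const uint8_t kCode[] = { 0x00 };
#  define JIT_SUPPORTED 0
#endif

/* Step 1: a read-write page. Note: NOT PAGE_EXECUTE_READWRITE / PROT_EXEC here. */
static void *alloc_rw(size_t len)
{
#ifdef _WIN32
    return VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Step 2: drop write, add execute. Only this page becomes executable; the
 * process-wide DEP policy is untouched, so an attacker's data still faults. */
static int make_rx(void *p, size_t len)
{
#ifdef _WIN32
    DWORD old;
    if (!VirtualProtect(p, len, PAGE_EXECUTE_READ, &old)) return -1;
    FlushInstructionCache(GetCurrentProcess(), p, len);
    return 0;
#else
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) return -1;
    __builtin___clear_cache((char *)p, (char *)p + len);  /* needed on AArch64 */
    return 0;
#endif
}

static void free_page(void *p, size_t len)
{
#ifdef _WIN32
    (void)len; VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, len);
#endif
}

/* Emit the stub W^X-style and run it. Returns 42, or -1 if unsupported/failed. */
int jit_return_42(void)
{
    if (!JIT_SUPPORTED) return -1;
    size_t len = 4096;
    void *page = alloc_rw(len);
    if (!page) return -1;
    memcpy(page, kCode, sizeof kCode);                  /* write while RW */
    if (make_rx(page, len) != 0) { free_page(page, len); return -1; }
    jit_fn fn;
    memcpy(&fn, &page, sizeof fn);                      /* data ptr -> code ptr */
    int r = fn();                                       /* execute while RX */
    free_page(page, len);
    return r;
}

#ifdef _WIN32
/* Windows only: 1 if DEP is enabled AND permanent (SetProcessDEPPolicy can no
 * longer turn it off), 0 if not, -1 if the query fails (e.g. 64-bit process,
 * where DEP is always on). Assumption: meaningful for 32-bit processes only. */
int dep_locked_on(void)
{
    DWORD flags = 0; BOOL permanent = FALSE;
    if (!GetProcessDEPPolicy(GetCurrentProcess(), &flags, &permanent)) return -1;
    return ((flags & PROCESS_DEP_ENABLE) && permanent) ? 1 : 0;
}
#endif

int main(void)
{
    printf("jit stub returned %d\n", jit_return_42());
    return 0;
}
```

The contrast with comment 5's list is that every route there (link-time /NXCOMPAT:NO, AppCompatFlags, SetProcessDEPPolicy) changes the policy for the whole process, whereas the pattern above changes one page's protection and then gives the write permission back. If you audit a plugin host, the question to ask is not "does it allocate executable memory" (a JIT must) but "does it ever hold a page as RWX, or turn DEP off globally".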

  6. Re:Impossible by Anonymous Coward · · Score: 2, Informative

    These exploits work on some unpatched Windows 7 which was released in 2009. Windows 10 is not vulnerable to them at all. At least RTFM and get a clue before making blanket statements that make you sound like you don't know what you're talking about.

  7. Re:I am shocked!!! by Opportunist · · Score: 2, Insightful

    Hey, don't worry, Windows is as secure as ever!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:How Convenient! by Opportunist · · Score: 1

    At this point I'm honestly waiting for MS to push the Win10 update by means of a drive-by infecting trojan.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:Why is this news? by Opportunist · · Score: 1

    Hey, WE have been telling people for at least 10 years now that DEP is a problem. It just takes the idiots in management roughly a decade to get their head out of their ass (or off the coke table) and realize there is a problem. Currently we're waiting for them to notice that social engineering could be a problem and that we should implement steps to ensure that mails that allegedly come from management really do, but I don't hold my breath for this to arrive with them.

    Like every other problem on this planet, it has to go through the 9 steps of management problem treatment:

    1. Ignoring it, hoping it will simply go away.
    2. Realizing, after some considerable damage, that it does not.
    3. Designing mitigation strategies that continue to ignore the problem, with the core requirement of those strategies being that they make them seem like they do something and not cost anything.
    4. Realizing that the problem still doesn't go away despite their "strategic decisions".
    5. Designing other mitigation strategies that shift the blame on the staff.
    6. Realizing that it's not human error after firing key personnel, hiring new duds and finding out that this lowers productivity considerably because the new guys lack the experience with the company's internal workflows.
    7. Asking their IT security staff.
    8. Not liking ITSEC's answer and ignoring it.
    9. Demanding better laws from government.

    10 should be that they find out that laws only apply within the borders of their own country and that people in countries that have real problems and don't give a fuck about "cyber crime" are pretty safe from anything, but usually it doesn't get that far before a new problem arrives at the horizon. And no, I have no idea what 11 could be.

    It never happened.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.