Tweet

In announcing the release of the 64-bit version for Chrome last month, Google mentioned that one of the primary drivers of the move was that majority of Windows users are now using 64-bit operating systems. The adoption rate for 64-bit for Windows has been a tad slower than what Microsoft had initially predicted, but it has been steady, and it is evident in the availability of support by software developers. Unfortunately, however, we’ve been seeing the same adoption being implemented by attackers through 64-bit malware.

We’ve documented several instances of malware having 64-bit versions, including a 64-bit version of ZeuS, and we’ve been seeing the same in terms of targeted attacks. In fact, in our 2H 2013 Targeted Attack Trends report, almost 10% of all malware related to targeted attacks run exclusively on 64-bit platforms.

KIVARS: Earlier Versions

One of these malware we’ve found running on 64-bit systems is KIVARS. Based on our findings, early versions of this malware affects only 32-bit systems and is dropped by a malware we detect as TROJ_FAKEWORD.A (SHA1 218be0da023e7798d323e19e950174f53860da15). However, note that all versions of KIVAR used this dropper to install both the loader and backdoor.

Once executed, TROJ_FAKEWORD.A drops 2 executable files and a password-protected MS Word document which also serves as  a decoy:

• %windows system%\iprips.dll – TROJ_KIVARSLDR
• %windows system%\winbs2.dll – BKDR_KIVARS
• C:\Documents and Settings\Administrator\Local Settings\Temp\NO9907HFEXE.doc – decoy document

Figure 1.  TROJ_KIVARSLDR is installed as a service with an active name of “iprip”.

TROJ_KIVARSLDR will load and execute BKDR_KIVARS in memory. BKDR_KIVARS is capable of the following routines:

• Download\upload Files
• File manipulation\execution
• List drives
• Uninstall malware service
• Take screenshot
• Activate\deactivate keylogger
• Manipulate active windows (show,hide)
• Trigger left, right, and double left click,
• Trigger keyboard input

TROJ_FAKEWORD.A uses the RTLO technique as well as a MS Word document icon to convince the user that it is just a normal document — both techniques seen in previous campaigns such as PLEAD.

BKDR_KIVARS uses a slightly modified version of RC4 to decrypt it strings\configuration. It adds an extra byte parameter and checks this byte if it is equal\greater than 80h. If the condition is true, it will add the byte to RC4’s XOR’red output. It will also use this function to decrypt the 10h byte key.

Figure 2. The decryption of the malware string.

The dropped files were initially encrypted using an XOR key “55h”. The same goes for the key logger log file, which has the file name klog.dat.

Figure 3. Decrpyted klog.dat

The encryption for the initial packets sent by the BKDR_KIVARS uses RC4 as the encryption. It includes the following information:

• Victim’s IP
• Possible Campaign ID
• OS version
• Hostname
• Username
• KIVARS version
• Recent Document\Desktop folder
• Keyboard Layout

Figure 4. Decrypted packet sent by BKDR_KIVARS

64-bit Support

The newer versions of KIVARS, which consists of 32 bit and 64 bit versions, show slight differences when installed on a victim’s machine. For example, the loader and the dropped backdoor payload have random file names.

• %Windows%system32%\{random}.dll
• %Windows%system32%\{random}.{tlb|dat} – uses either tlb or dat as its file extension

In this version, the loader is still installed as a service and uses one of the following Service Active names:

• Iprip
• Irmon
• ias

The earlier versions of this BKDR_KIVARS only encrypts the “MZ” magic byte for the backdoor payload. As for the newer versions, the backdoor payload is now encrypted using the modified RC4.

Figure 5.  This code snippet show the 64-bit loader decrypting the key for the modified RC4. Same procedure with the early versions of the malware.

C&C Communication

The new version sends a random generated packet. Based on this packet, a key is generated which serves as the checking for the C&C reply. Once it verifies the reply, it will send the same RC4 encrypted information, however the difference is that the 1^st 4 bytes value is the size of the information.

Figure 6. The decrypted packet from the new version.

Here are the IOCs for KIVARS:

Connections to POISON

We’ve found that the threat actors using KIVARS are also using the POISON malware RAT as part of this campaign. Below are some of hashes connected to one of the C&C’s used by KIVARS:

With additional analysis by Ronnie Giagone

Tweet

DOWNAD , also known as Conficker  remains to be one of the top 3 malware that affects enterprises and small and medium businesses.  This is attributed to the fact that a number of companies are still using Windows XP, susceptible to this threat.

It can infect an entire network via a malicious URL, spam email, and removable drives. It is known to exploit MS08-067 Server service vulnerability in order to execute arbitrary codes. In addition, DOWNAD has its own domain generation algorithm that allows it to create randomly-generated URLs.  It then connects to these created URLs to download files on the system.

During our monitoring of the spam landscape, we observed that in Q2, more than 40% of malware related spam mails are delivered by machines infected by DOWNAD worm.  Spam campaigns delivering FAREIT , MYTOB , and LOVGATE  payload in email attachments are attributed to DOWNAD infected machines.   FAREIT is a malware family of information stealers which download ZBOT .  On the other hand, MYTOB is an old family of worms known for sending a copy of itself in spam attachments.

Table 1. Spam sending malware

Based on this data, CUTWAIL (Pushdo) botnet together with Gameover ZeuS (GoZ) are the other top sources of spam with malware. Interestingly, CUTWAIL was previously used to download GoZ malware. However, now UPATRE employs GoZ malware or variants of ZBOT which have peer-to-peer functionality.

In the last few weeks we have reported various spam runs that abused Dropbox links to host malware like NECURS and UPATRE.  We also spotted a spammed message in the guise of voice mail that contains a Cryptolocker variant. The latest we have seen is a spam campaign with links that leveraged CUBBY, a file storage service, this time carrying a banking malware detected as TSPY_BANKER.WSTA.  Cybercriminals and threat actors are probably abusing file storage platforms so as to mask their malicious activities and go undetected in the system and network.

As spam with malware attachment continues to proliferate, so is spam with links carrying malicious files. The continuous abuse of file hosting services to spread malware appears to have become a favored infection vector of cyberciminals most likely because this makes it more effective given that the URLs are legitimate thereby increasing the chance of bypassing Antispam filters.

Although majority of the above campaigns are delivered by the popular GoZ, it is important to note that around 175 IPs are found to be related with DOWNAD worm. These IPs use various ports and are randomly generated via the DGA capability of DOWNAD. A number of machines are still infected by this threat and leveraged to send the spammed messages to further increase the number of infected systems. And with Microsoft ending the support for Windows XP this year, we can expect that systems with this OS can be infected by threats like DOWNAD.

Trend Micro protects users from this threat via its Smart Protection Network that detects the malicious files and spam emails and blocks all related IPs. Users are also advised to upgrade their Windows OS and be cautious in opening email messages even though the source is seemingly legitimate.

With additional insights from Maydalene Salvador

Tweet

In the recent Microsoft security bulletin for Internet Explorer, we found an interesting improvement for mitigating UAF (User After Free) vulnerability exploits.  The improvement, which we will name as “isolated heap”, is designed to prepare an isolated heap for many objects which often suffers from UAF vulnerabilities.

Let’s use Internet Explorer 11 as an example. Before it was patched, the function CHeadElement::CreateElement allocates memory space from the heap. The code is as follows:

Figure 1. The function CHeadElement::CreateElement

From Figure 1, we can see the memory space is allocated from the heap g_hProcessHeap, which is the IE default heap. In other words, all these IE objects share the same heap.  After the patch, in the sample location, the code was changed to the following:

Figures 2 and 3. The function CHeadElement::CreateElement after the patch

From Figures 2 and 3, we can see that Internet Explorer now allocates memory space from the heap g_hIsolatedHeap. In other words, these class objects which use the isolated heap do not share the same heap with IE’s other objects.

How can an isolated heap mitigate UAF vulnerability exploits?

The first routine of UAF vulnerability exploits is to use controlled objects to occupy the memory space which is owned by the UAF object. Some recent Internet Explorer zero-day vulnerabilities such as CVE-2014-0322 and CVE-2014-1776 used this technique.

We can summarize the technique of occupying space in the following steps:

1. Use String or Array to make a buffer which can be controlled by attacker.  For example: “var d=b.substring(0,(0×340-2)/2);”
2. Create an IE element object.  For example: “g_arr[a]=document.createElement(‘div’)”
3. Trigger vulnerability to free the target object.
4. Set the attribute of the objects which is created by step 2 for many times with the String which is created in step 1. For example:

for(a=0;a<arrLen;++a)
{
g_arr[a].className=d.substring(0,d.length);

}

In step 4, IE will allocate memory space in the heap g_hProcessHeap.  In the example for step 4, we can see the following part of the call stack:

 Figure 4. The function CAttrArray::Set() calling the function RtlAllocateHeap()

In figure 4 we see CAttrArray::Set() calling the function RtlAllocateHeap(). The call stack is done with the following code:

Figure 5. It uses RtlAllocateHeap with heap “g_hProcessHeap” and then copies the String ‘s data to this buffer.

Before the latest patch, if the RtlAllocateHeap has the correct size, the probability that an attacker-controlled buffer could occupy the freed object’s memory space is high. But after the latest patch, the freed object is allocated in heap g_hIsolatedHeap, so there is no probability that the freed object memory space is occupied by the attacker-controlled buffer. The solution is a good way to mitigate UAF vulnerability exploits.

From the patch‘s code,the heap g_hIsolatedHeap is used by HTML and SVG DOM Elements (CXXXElement) and supporting elements such as CTreeNode, CMarkup, CAttribute and so on. These objects have a high probability of having the UAF vulnerability, so it is important that they are secured through the isolated heap.

Can the isolated heap solution mitigate UAF vulnerabilities completely?

No solution is perfect. The improvement implemented by Microsoft raises the difficulty in creating an exploit, but it does not eliminate the vulnerability completely. There are two theoretical ways to bypass this protection:

1. If attackers can find an object which meets the following three criteria instead of String:
   1. Allocated with the isolated heap.
   2. Correct size for the UAF object.
   3. Easily control the content of the object.

   What is not clear is if attackers can find a reasonable way to perform the above attack.

2. Many objects are still using the process heap, not the isolated heap. If these objects encounter UAF vulnerability, the isolated heap solution doesn’t work. However, Microsoft can easily add objects to use the isolated heap if this becomes a problem down the road.

We are glad that Microsoft is continuing to improve the security of Internet Explorer and mitigating the abuse of vulnerabilities. While the isolated heap is not a perfect solution, it represents a significant improvement that will help mitigate attacks of this type moving forward.

Tweet

When people discuss the Internet of Everything (IoE), it refers to the introduction of computing power and networking capabilities to previously “dumb” devices like television sets, cars, pedometers, and appliances. Many believe that it is the next big thing in tech, and it offers users a wide array of benefits, allowing them to save time, money, or even improve their lives.  These gadgets range from the merely nice to have, all the way to mission critical tools.

However, the Internet connectivity and computing power of these devices – the very things that makes them “smart” – introduces security risks as well. For instance, in smart TVs facial and speech recognition features are problematic in terms of privacy. Self-driving cars may be hacked and cause injure to their occupants or passers-by. Pervasive wearable tech, while useful to their owners, may be considered a privacy threat by bystanders.

We’ve earlier talked about the factors that will influence the proliferation of smart devices in homes. These factors include market pressures, regional availability and cultural acceptance. Smart home devices are being marketed and are readily available, whether in stores or online. In addition, in some markets broadband providers are also selling these devices to their existing customers, adding home automation to existing Internet and cable TV plans.

Cybercriminals go after the platforms and devices that are popular with users. However, while smart devices may be the “next big thing”, they have not yet been broadly adopted. In our 2014 predictions, we noted that there is no “killer app” that many users will consider a must-have; such an “killer app” would lead to a wide-scale adoption of smart devices.

However, the numbers of people adopting smart devices will only grow. These early adopters need to be aware of the various security risks of these devices – not only to their personal information and privacy, but also to their safety and well-being.

For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

Tweet

Evolution is a continuous process, and nothing can exemplify the process better in our industry than the threats we defend against. From simple pranks and nuisances, they’ve become thieves of information, violators of privacy, destroyers of reputations and even saboteurs of businesses, all for the sake of money. They’ve also become tools for activists and terrorists of the cyber variety, used to make strong statements against governments or organizations.

But as such threats evolve, so must the security solutions that defend against them, or be left in the dust. This is our ethos in Trend Micro – that the protection we provide for our customers not only improve with every version we come out with, but continuously evolve into more powerful, more efficient and more impenetrable to cybercriminal attacks.

Our latest infographic, Trend Micro Endpoint Security Technology Evolution: A Complete Approach to Security, illustrates this. Using the visualization of a tree taking root and sprouting branches from its tree trunk, we catalog the evolution of cybercrime as well as the technologies we developed to address those malicious evolutions.

Take malware, for example, one of the main tools of cybercrime.From its primal state as a prank program to how it’s become a money-making machine, we’ve not only developed one but three technologies to address it:

• Signature-based Scanning, which identifies, isolates and deletes malware by matching it to a specific malware signature/pattern;
• Heuristic Behavior Scanning, which detects polymorphic malware  through its malicious behavior, and;
• File Reputation Services, which identifies and blocks malware through their history, sources, behavior and reputation.

Each of these technologies work in conjunction with each other, as well as those that address the other tools of cybercrime – to provide a well-rounded and balanced approach to security that families and businesses deserve.