Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Zero-Day Alerts

  • Hacking Team Leak

  • Recent Posts

  • Calendar

    July 2015
    S M T W T F S
    « Jun    
  • Email Subscription

  • About Us

    Internet Explorer is possibly the most popular target for vulnerabilities around today. In 2014 alone, a total of 243 memory corruption vulnerabilities in Internet Explorer were disclosed and patched.

    Every Microsoft Patch Tuesday cycle contains one bulletin that covers multiple IE vulnerabilities – the monthly “Cumulative Security Update for Internet Explorer”, as it is called by Microsoft. There have been many zero-day attacks that specifically targeted vulnerabilities in Internet Explorer, such as:

    As a result, the reputation of Internet Explorer is a bit tarnished. Its reputation for lack of security has become an obstacle to its development. For Windows 10, Microsoft decided to release a “new” browser (Microsoft Edge), with improved security as an important feature.

    Security Improvements in Microsoft Edge

    Edge is not entirely all-new. Its HTML rendering engine is a forked version of Trident (the engine found in Internet Explorer), which is now called Microsoft Edge HTML. However, much of the underlying code has been modified to remove IE-specific technologies that will not be a part of Edge. In addition, several new features have been introduced to the browser as well.


    MemGC uses mark-and-sweep garbage collection to help defeat use-after-free (UAF) exploits. Edge uses MemGC to manage DOM and supporting objects’s memory.

    In the past two years, UAF vulnerabilities have been a significant problem for Internet Explorer. Each Patch Tuesday cumulative update contains various fixes for UAF vulnerabilities. To help remedy the situation, in the summer of 2014 Microsoft added two mitigation techniques to IE: one is called the Isolated Heap, which manages most DOM objects and their supporting objects. The second is MemoryProtection.

    The Isolated Heap makes it harder for attackers to fill the free object. MemoryProtection can prevent UAF exploits where the free object pointer remain in the stack. In other situations, MemoryProtection can make UAF exploits more difficult.

    Figure 1. MemoryProtection flow chart (Click to enlarge)

    These two mitigations increased the difficulty of UAF exploits, but there are still many ways to bypass these, especially in cases where the pointer to the free block didn’t remain on the stack.

    Figure 2. UAF exploit steps

    UAF exploits frequently follow the following steps:

    1. Object A’s heap block is allocated.
    2. Object A is freed.
    3. Attacker fills the heap block with their own data.
    4. Object B references Object A. This means the attacker can access object A with attacker controlled data.

    MemGC is designed to mitigate these attacks. When a heap block is freed, MemGC will first attempt to detect whether there is an existing object reference to it. If that is the case, the heap block won’t be freed. This helpes prevent UAF vulnerability exploits from being successful.

    Figure 3. How MemGC prevents UAF exploits


    Memory corruption is a common class of vulnerabilities which deserves special attention. The Microsoft Edge HTML rendering engine found in the file edgehtml.dll introduced a new class called Abandonment.

    Abandonment detects exception and throws a FAIL_FAST_EXCEPTION exception if one is detected. This prevent the error from spreading further, stopping any potential exploits.

    Figure 4. Abandonment class

    The Abandonment class can detect and deal with the following abnormalities:

    • Double Free
    • Out Of Memory
    • Overflow
    • Invalid Pointer
    • Invalid Arguments
    • Unreachable Code
    • Not Yet Implemented Function
    • Excepted return value

    Default EPM (Enhanced Protected Mode) Sandbox and 64-bit usage

    Windows Vista first introduced mandatory integrity control to Windows. Internet Explorer 7 on Vista was the first to provide a sandbox for the browser called Protected Mode. The PM sandbox provided a limited degree of protection.

    Windows 8 introduced app containers, and IE 10 on Windows 8 provided a sandbox based on this technology called Enhanced Protected Mode (EPM).

    However, there was a problem. IE plugins would need to be re-written to support EPM, as these didn’t support app containers. To retain compatibility, the EPM sandbox was disabled by default. For similar reasons, the IE rendering process ran in 32-bit mode in 64-bit systems, even if the broker process was in 64-bit mode.

    As a new browser, Edge does not have the backward compatibility concerns that hamstrung IE. By default, the EPM sandbox is now enabled. In addition, the rendering process now users 64-bit mode on supported systems.

    Removal of legacy features

    As mentioned earlier, Edge removed several features that Microsoft felt were no longer required in a modern browser. One of these features that was removed was support for previous ways to extend IE, such as Browser Helper Objects (BHOs) and toolbars. However, both of these have been used to attack IE in the past. Neither of these are supported in Edge; Microsoft has indicated that Edge will use an extensions model similar to Google Chrome and Mozilla Firefox. However, this will not be introduced until later this year.

    Support for several scripting languages has also been deprecated. ActiveX is a way to run native binaries via the browser which was introduced almost two decades ago with IE 3. Historically, plug-ins (such as Flash and Java) in IE have needed ActiveX to run on Internet Explorer.

    VBScript is an alternative scripting language which was never supported by other browsers; IE’s VBScript support has been the source of vulnerabilities such as CVE-2014-6332. VML (Vector Markup Language) is a markup language used to display vector graphics; HTML5 can now be used to do this as well. Another vulnerability (CVE-2013-2551) was found in the code that supported this language as well.

    Edge will no longer include support for any of these languages, which Microsoft considers legacy technologies. This reduces the possible ways that Edge can be subject to various attacks. One key consequence of the elimination of ActiveX is that Java support has been completely removed for the time being, removing one potential threat vector.

    Another feature that has been dropped from Edge as legacy technology is the X-UA -Compatible header. This was a mode that allows developers to specify a legacy document mode that Windows Internet Explorer should use to display a webpage. However, this has been the source of multiple vulnerabilities, such as:

    All of these removed features have a similar goal: reduce the potential attack surface by removing features (and corresponding code) that is no longer necessary in today’s usage environment.

    To summarize, Microsoft has made significant under-the-hood changes and improvements to Edge compared to Internet Explorer. This will improve the security of what is still the default browser for Windows, and accordingly is used by many users. However, some of the changes introduced in Edge will also introduce new potential attack vectors – which we will document in a succeeding post.

    Updated July 22, 2015 3:05 AM PM UTC-7 to clarify some technical information about the Abandonment class.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Following news that iOS devices are at risk of spyware related to the Hacking Team, the saga continues into the Android sphere. We found that among the leaked files is the code for Hacking Team’s open-source malware suite RCSAndroid (Remote Control System Android), which was sold by the company as a tool for monitoring targets. (Researchers have been aware of this suite as early as 2014.)

    The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed. The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations.

    Based on the leaked code, the RCSAndroid app can do the following intrusive routines to spy on targets:

    • Capture screenshots using the “screencap” command and framebuffer direct reading
    • Monitor clipboard content
    • Collect passwords for Wi-Fi networks and online acco;.unts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn
    • Record using the microphone
    • Collect SMS, MMS, and Gmail messages
    • Record location
    • Gather device information
    • Capture photos using the front and back cameras
    • Collect contacts and decode messages from IM accounts, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.
    • Capture real-time voice calls in any network or app by hooking into the “mediaserver” system service

    RCSAndroid in the Wild

    Our analysis reveals that this RCSAndroid (AndroidOS_RCSAgent.HRX) has been in the wild since 2012. Traces of its previous uses in the wild were found inside the configuration file:

    • It was configured to use a Command-and-control (C&C) server in the United States; however, the server was bought from a host service provider and is now unavailable.

    Figure 1. C&C host in configuration file

    • It was configured to activate via SMS sent from a Czech Republic number. Attackers can send SMS with certain messages to activate the agent and trigger corresponding action. This can also define what kind of evidences to collect.

    Figure 2. Czech phone number in configuration file

    • Based on emails leaked in the dump, a number of Czech firms appear to be in business with the Hacking team, including a major IT partner in the Olympic Games.

    Figure 3. Upgrading support for a Czech customer

    Dropping Cluster Bombs

    RCSAndroid is a threat that works like a cluster bomb in that it deploys multiple dangerous exploits and uses various techniques to easily infect Android devices. While analyzing the code, we found that the whole system consists of four critical components, as follows:

    1. penetration solutions, ways to get inside the device, either via SMS/email or a legitimate app
    2. low-level native code, advanced exploits and spy tools beyond Android’s security framework
    3. high-level Java agent – the app’s malicious APK
    4. command-and-control (C&C) servers, used to remotely send/receive malicious commands

    Attackers use two methods to get targets to download RCSAndroid.

    The first method is to send a specially crafted URL to the target via SMS or email. The URL will trigger exploits for arbitrary memory read (CVE-2012-2825) and heap buffer overflow (CVE-2012-2871) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean, allowing another local privilege escalation exploit to execute. When root privilege is gained, a shell backdoor and malicious RCSAndroid agent APK file will be installed

    Figure 4. Remote exploits demonstrated for customers in leaked mails

    The second method is to use a stealthy backdoor app such as ANDROIDOS_HTBENEWS.A, which was designed to bypass Google Play.

    The role of ANDROIDOS_HTBENEWS.A and the malicious APK mentioned in the first method is to exploit a local privilege escalation vulnerability in Android devices. Hacking Team has been known to use both CVE-2014-3153 and CVE-2013-6282 in their attacks. The said exploits will root the device and install a shell backdoor.

    Figure 5. Commands list of shell backdoor

    The shell backdoor then installs the RCSAndroid agent. This agent has two core modules, the Evidence Collector and the Event Action Trigger.

    • The Evidence Collector module is responsible for the spying routines outlined above. One of its most notable routines is capturing voice calls in real time by hooking into the “mediaserver” system service. The basic idea is to hook the voice call process in mediaserver.
      • Take voice call playback process for example. The mediaserver will first builds a new unique track, start to play the track, loop play all audio buffer, then finally stop the playback. The raw wave audio buffer frame can be dumped in the getNextBuffer() function. With the help of the open-source Android Dynamic Binary Instrumentation Toolkit and root privilege, it is possible to intercept any function execution.

    Figure 6. Timing in voice call playback to hook

    • The Event Action Trigger module triggers malicious actions based on certain events. These events can be based on time, charging or battery status, location, connectivity, running apps, focused app, SIM card status, SMS received with keywords, and screen turning on.
      • According to the configuration pattern, these actions are registered to certain events:
        1. Sync configuration data, upgrade modules, and download new payload (This uses transport protocol ZProtocol encrypted by AES/CBC/PKCS5Padding algorithm to communicate with the C&C server.)
        2. Upload and purge collected evidence
        3. Destroy device by resetting locking password
        4. Execute shell commands
        5. Send SMS with defined content or location
        6. Disable network
        7. Disable root
        8. Uninstall bot

    To avoid detection and removal of the agent app in the device memory, the RCSAndroid suite also detects emulators or sandboxes, obfuscates code using DexGuard, uses ELF string obfuscator, and adjusts the OOM (out-of-memory) value. Interestingly, one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon.


    Popular mobile platforms like Android are common targets for organized or commercialized monitoring operations. Attackers know that rooting devices via malware exploits is an effective means to control devices and gather information from them. In a root broken device, security is a fairy tale.

    Take note of the following best practices to prevent this threat from getting in your device:

    • Disable app installations from unknown, third-party sources.
    • Constantly update your Android devices to the latest version to help prevent exploits, especially in the case of RCSAndroid which can affect only up to version 4.4.4 KitKat. Note, however, that based on the leak mail from a customer inquiry, Hacking Team was in the process of developing exploits for Android 5.0 Lollipop.
    • Install a mobile security solution to secure your device from threats.

    The leaked RCSAndroid code is a commercial weapon now in the wild. Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.

    Should a device become infected, this backdoor cannot be removed without root privilege. Users may be required the help of their device manufacturer to get support for firmware flashing.

    Trend Micro offers security for Android mobile devices through Mobile Security for Android™ to protect against these types of attacks. Find out more about the 7 Android Security Hacks You Need to Do Right Now to keep your mobile data safe.

    Update as of July 23, 2015 1:00 AM PDT (UTC-7)

    We have added a link to a previous report discussing this threat.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Another zero-day vulnerability has been found by Trend Micro researchers from the Hacking Team trove of data. We reported this vulnerability to Microsoft, and it has been designated as CVE-2015-2426. It has also been patched in an unusual out-of-band patch. It could be used to carry out a Windows local privilege escalation (LPE).  By exploiting this vulnerability, attackers could infect the victims’ systems with rootkits or bootkits under unexpected system privilege without any notification. The vulnerability can allow attackers remote control over the affected system.

    The leaked documents stated that the memory corruption of atmfd.dll (an Adobe kernel module) would lead to privilege escalation on Windows 8.1 x64. This is a complete exploit which allows even an escape of the Chrome sandbox through a kernel bug; the proof0of-concept exploit code runs the Windows calculator calc.exe with system privileges under winlogon.exe.

    Microsoft has released an out-of-band patch for this vulnerability, with the bulletin designated as MS15-078. All supported Windows versions (Windows Vista/Server 2008 and later) are affected. The bulletin also makes it clear that the underlying flaw could be used to run arbitrary code as well, not just privilege escalation. In addition, the fixes in this bulletin supersede those in MS15-077, which included Windows Server 2003 (which is not a part of this patch). Therefore, it is likely that the now-unsupported server OS is also at risk.

    Figure 1 below shows an overview, based on information found in the document and our own source code analysis.

    Figure 1. Attack vector overview

    A maliciously constructed OTF font data file embedded with a binary payload could either be injected into or triggered from the target victim process, such as Chrome browser. The essential Out-Of-Boundary (OOB) Write bug exists in the atmfd.dll in kernel mode, which would be triggered by ZwGidAddFondMemReosurceEx to resolve the maliciously constructed OTF font data. Leveraging on this OOB bug, the controlled kernel GUI related object (CHWndTargetProp) could be overwritten including its virtual table in kernel mode.

    The ROP chain containing the kernel mode gadget address of both win32k.sys and the kernel is prepared in user mode in advance. To gain the address of win32k.sys, another kernel information leakage bug is used in the POC. These ROP chains could be easily triggered by the faked virtual function from the user mode call.  By turning off the Supervisor Mode Execution Protection (SMEP) mechanism from the ROP stage, the escalation of privilege (EOP) shellcode in user mode could be executed in kernel to grant any process with system privilege.

    As for OOB write bug, it is triggered when atmfd.dll, handling the inner structure of OTF font resources in the system, calls NtGdiAddFondResrouceW in kernel mode.  Below is the call-stack backtrack when the kernel heap buffer first overflows in Windows 7 (x64, build 7601 of my testing environment).


    fffff960`009af071 4c8951e8        mov     qword ptr [rcx-18h],r10 ds:84af:d000=????????????????

    Figure 2. OOB write callstack

    Figure 3. Version of atmfd.dll

    This bug is another critical zero-day in the Adobe component (atmfd.dll) leading to LPE, which especially useful for escaping browser sandboxes. The previous one is an integer overflow, which could be triggered by calling one inner function of atmfd.dll, whereas this bug is an OOB write when handling maliciously constructed OTF font data.

    While there is a proof-of-concept sample from Hacking Team, there are no known samples in the wild. We will update this entry as soon as more information is available.

    Microsoft has just released a security bulletin (MS15-078) for this vulnerability. We advise users to install the patch as soon as possible. Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006903 – Adobe Font Driver Memory Corruption Vulnerability (CVE-2015-2426)

    Trend Micro Smart Protection Suites also include vulnerability protection to protect users and their data from threats that may exploit vulnerabilities. The following Vulnerability Protection rule corresponds to protection for threats that may leverage this specific vulnerability:

    • 1006903 – Adobe Font Driver Memory Corruption Vulnerability (CVE-2015-2426)

    Updated as of July 21, 2015, 11:35 A.M. PDT (UTC-7) to include relevant solutions for Trend Micro Smart Protection Suites.


    Timeline of posts related to the Hacking Team

    July 5 The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public.
    July 7

    Three exploits – two for Flash Player and one for the Windows kernel—were initially found in the information dump. One of these [CVE-2015-5119] was a Flash zero-day.

    The Windows kernel vulnerability (CVE-2015-2387) existed in the open type font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism.

    The Flash zero-day exploit (CVE-2015-5119) was added into the Angler Exploit Kit and Nuclear Exploit Pack. It was also used in limited attacks in Korea and Japan.

    July 11 Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the hacking team dump.
    July 13 Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems.
    July 14 A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer.
    July 16 On the mobile front, a fake news app designed to bypass Google Play was discovered.
    July 20 A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch.
    July 21 Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in.
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    One of the challenges in fighting cybercrime is that it is borderless; cybercriminals can conduct their malicious activities in countries that do not have strict implementation of cybercrime laws.   However, no matter how difficult and perilous the task of arresting attackers and taking down cybercriminal operations is, it can be achieved through collaboration between security researchers and various law enforcements (LE) across the globe.

    Darkode, an underground forum that sells and buys stolen data and malicious tools of the trade among others was taken down last July 15, 2015, following the indictment of 12 people, including the forum’s administrator.  Dubbed as Operation Shrouded Horizon, the investigation and arrests were led by Federal Bureau of Investigation (FBI) and Department of Justice in collaboration with law enforcement agencies in 20 countries.

    Ties to bulletproof hosting service providers

    Our researchers have been monitoring bulletproof hosting service providers (BPHS), which play a crucial role in the proliferation of cybercriminal activities.  BPHS serves as ‘hideouts’ to store tools, stolen goods, and malicious content such as pornography, phishing, and command-and-control (C&C) infrastructure among others.  In essence, BPHS function as hosting facilities for hardware, software, and applications.

    Figure 1. Business models for BPHS (click the image to enlarge)

    Darkode was reportedly using bulletproof hosting services to go under the radar and avoid being detected by security researchers. Based on our investigation, the website, darkcode[.]com which became available as early as 2004, has hosting providers that were used  host it (Darkode).  Please take note that some of these may have been abused for hosting.

    Figure 2. IPs used to host darkode[.]com

    However, the following hosting providers are confirmed BPHS employed by Darkode:

    • 94[.]102[.]48[.]107
    • 93[.]174[.]93[.]246

    The importance of collaboration

    In our research paper, “Criminal Hideouts for Lease: Bulletproof Hosting Services”, on bulletproof hosting services, we highlighted the various security challenges preventing security vendors and LE from doing takedowns and arrests. One of which is how BPHS leverages countries with minimal cybercrime laws to continue or transfer their operations.  Because of the complex nature of BPHS and how it attempts to legitimize some of its activities particularly those following the third business model (abuse cloud hosting services), it may be arduous to shut down.

    Figure 3. Role that law enforcement agencies and security vendors play in BPHS takedowns (click the image to enlarge)

    However, as seen in the case of Darkode takedown, such task is possible, especially if law enforcement agencies in different countries will work together with the security researchers that provide intelligence and findings.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Java used to be a favored vulnerability target for cybercriminals. However, in recent years that has not been the case. The now-fixed Java zero-day that was used in the Pawn Storm campaign was, in fact, the first time in nearly two years that a zero-day had been found and reported in Java.

    This can be attributed, in part, to stepped up security measures for Java. As Oracle notes on the Java home page itself, out of date Java plugins are now disabled by major browsers. In addition, Java 7 Update 51 (released in January 2014) tightened the rules on what kind of applets could be run. By default, self-signed and unsigned applets (the ones most likely to be used by attackers) would not run by default in browsers. JRE also has click-to-play protection for all applet (signed and unsigned). Taken together, these have made Java a far less attractive platform for attackers.

    Now that the Java zero-day (designated as CVE-2015-2590) has been patched, we can talk about some more technical details. This exploit has two components: one bypasses the click-to-play protection in Java. We will not disclose this portion of the vulnerability, but we can discuss the other component. As we noted earlier, this has now been fixed in the newest Java version (Java 8 Update 51).

    Java provides a class ObjectInputStream to deserialize buffers to objects. The buffer (which is to be deserialized) contains the object’s class information and filed data. More details about this class can be found in the Official Java documentation.

    The vulnerability is in how these objects are deserialized. An attacker can use this vulnerability to modify a field in the deserialized object (even if it is private) and introduce other class information. The Java Runtime Environment allows an attacker (in some cases) to read an object’s fields from a stream buffer even if the object or the object’s outer object’s class type is not found in the serialized buffer. The figure below shows the impact of the vulnerability:

    Figure 1. Vulnerability impact

    In Figure 1, the objects in the serialized objects buffer will be desterilized. During the process, Object A can intercept the desterilized process with an overriding function (for example, readResolve). In the function, the attacker coder can return to other object with other class which are not in the serialized object buffer (see the red word in F.1) to overwrite the original private field. In most cases, JRE can find it and raise exception. But if the objects, which are the outer objects of A, are crafted and overload readObject function to raise “Class Not Found ” exception. The vulnerability will trigger. In one words, the vulnerability give attacker a way to change directly one deserialized object ‘s private filed with class type which is not in the stream buffer.

    How does an attack proceed?

    First, an attacker crafts a serialized buffer. This contains an AtomicReferenceArray object. After exploiting the vulnerability, an AtomicReferenceArray class object’s private field array points to a Help type object array. After this step, memory layout like this:

    Figure 2. Memory layout

    In the above figure, the rar variable is a reference to the AtomicReferenceArray object which is deserialized and the AtomicReferenceArray object’s array references the array variable. Help is a subclass of the ClassLoader class. In other words the array variable control the AtomicReferenceArray object’s private field array.

    Next, the attacker gets a current ClassLoader object.

    The rar variable’s element is set to the acquired ClassLoader Object. (The attacker uses an index of 0.) Because rar.array is a reference to the Helper[] array, the real object of array[0] is changed.

    The type of array[0] in this case is Help. In the Help class, an attacker can use array[0] to access the function ClassLoader.defineClass. (This is a protected function; if an attacker directly uses the ClassLoader object to call defineClass in the current class scope, it will raise a compile error.)

    An attacker can use this access to define a privileged class and close SecurityManager. This allows the attacker to run their malicious code. One can ask why the attacker didn’t use the AtomicReferenceArray public API  to get the field array’s content? This is because the JRE will check whether the type’s element is correct for the type that it is to be cast to.

    Overall, the steps necessary to perform this exploit are similar to other previous exploits. For example, CVE-2012-0507 used a similar technique many years ago.

    Because of the severity of this vulnerability, we highly recommend that Java users update to the latest version.

    Other posts related to Operation Pawn Storm can be found here:

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice