The security is still secure

no-image

Recently WikiLeaks published a report that, among other things, claims to disclose tools and tactics employed by a state-sponsored organization to break into users’ computers and circumvent installed security solutions.

The list of compromised security products includes dozens of vendors and relates to the whole cybersecurity industry. The published report includes a description of vulnerabilities in software products that can be used to bypass protection and jeopardize users’ security.

Customers’ security is a top priority for Kaspersky Lab, and as such we take any information that could undermine users’ protection very seriously. We thoroughly investigate all reported vulnerabilities.

The published report contains descriptions of two vulnerabilities in Kaspersky Lab’s products that have already been fixed. It also includes a number of mentions related to the company’s technologies and past Advanced Persistent Threat (APT) research. I’d like to take this opportunity to address possible concerns regarding the report and provide reliable first-hand information to demonstrate that no current Kaspersky Lab products and technologies are vulnerable.

Vulnerabilities in security solutions

First of all, I’d like to emphasize that the vulnerabilities in Kaspersky Lab’s products listed in the report are related to older versions of the products, and they were publicly disclosed and fixed some time ago. The current versions of our products are not vulnerable to the tools and tactics listed.

The “heapgrd” DLL inject vulnerability was discovered and fixed in Kaspersky Lab products back in 2009. The vulnerability allowed a malefactor to load a third-party DLL instead of the WHEAPGRD.dll file and thus bypass protection. It was patched starting with Kaspersky Internet Security 9 and Kaspersky Antivirus for Workstations MP4. The products that were mentioned in relation to these vulnerabilities (Kaspersky Internet Security 7 and 8 and Kaspersky Antivirus for Workstations MP3) are outdated and no longer supported. All current Kaspersky Lab solutions are subject to mandatory testing against these vulnerabilities prior to release.

The TDSS Killer’s DLL inject vulnerability mentioned in the WikiLeaks report was fixed in 2015.

Product behavior specifics

The report also says Kaspersky Lab’s security solutions do not block DLL injections into user processes and svchost.exe. In fact, we do protect against this sort of attack — in a smarter way that elegantly combines protection and a better user experience.

Nowadays, it’s common practice for legitimate applications to inject their code into user processes. To effectively distinguish legitimate from malicious actions, track changes, and restore unwanted amendments an application may make to the system, Kaspersky Lab’s products have included the System Watcher component since 2011. System Watcher monitors all processes on a device, including svchost.exe, and is capable of detecting malicious behavior, blocking it, and rolling back malicious changes.

The report also describes several tools and malicious programs that were used to collect data and infiltrate the users’ computers. However, all of them can be neutralized with Kaspersky Lab’s products. Let’s take a closer look at them.

First, the RickyBobby fileless Trojan is allegedly not detected by Kaspersky Lab’s products, which is not the case. All personal and enterprise level products can detect this Trojan, prevent the infection, and disinfect a system that was protected by a third-party or outdated security solution.

Second, the report mentions two other malware samples (Fine Dining and Grasshopper) that allegedly are not detected by Kaspersky Lab’s products. However, the report doesn’t provide further details of the malware. We will keep investigating the issue and report the findings as soon as details are available.

That said, we are skeptical: It’s said Fine Dining relies on the aforementioned DLL inject vulnerability in TDSS Killer, which is already fixed. Also it’s worth mentioning that Kaspersky products provide multiple layers of protection — such as emulation, heuristics, System Watcher, and Automatic Exploit Prevention — including those powered by industry-leading machine learning. These technologies are capable of detecting cyberthreats proactively based on their behavior and are constantly improved to address new techniques employed by malicious actors. The analysis of the report makes us optimistic that our customers are already protected against both Fine Dining and Grasshopper.

Third, the report mentions HammerDrill, API Memcry, and Trojan Upclicker, which use a variety of techniques to try to avoid detection by the emulator technology.

Kaspersky Lab’s emulator’s history dates back to the early 90s. It’s rated one of the best in the cybersecurity industry, and it’s continuously improved. The functionality to address the described Trojan Upclicker cloaking method was included in the emulator more than a year ago, for example. The other two tools are effectively managed by the multilayer protection available in Kaspersky Lab’s products both for home users and enterprise customers.

Fourth, the report mentions an MBR File Handle component that is able to circumvent security solutions’ drivers and thus upload malware into the Master Boot Record of the operating system.

In fact, this trick is foiled by the antirootkit technology included in Kaspersky Lab products, which enables them to reliably detect and remove infections — even the most advanced bootkits.

Fifth, another tool mentioned in the report is the Bartender program, which collects data on installed software. This functionality is not malicious and is used by many legitimate applications. However, Kaspersky Lab’s products do provide protection against such activity should a user select the high security level setting.

Fun facts

The other two mentions of Kaspersky Lab in the context of malware creation are actually fun facts.

First, the tool called DriftingShadows checks if Kaspersky Lab’s products are installed on the device, and if it finds them, it does … nothing. This means that the malware creators failed to sneak past our products. They now avoid protected devices so that their malware doesn’t get caught.

Second, the documents also describe a game called “Bonus: Capture the Flag” played among malware creators. It involves attempts to create a malware sample that bypasses Kaspersky Lab’s protection. In other words, malefactors consider our products a gold standard of cybersecurity.

Wrap-up

Investigating the existing report thoroughly, we found two vulnerabilities and several other mentions of Kaspersky Lab, including discussions regarding our reports on the Duqu 2.0 and Equation cyberespionage campaigns. Both vulnerabilities were fixed quite some time ago and pose no threat to our customers. The same goes for the other malicious tools and techniques mentioned.

However, we are staying vigilant and continuously monitoring the situation. WikiLeaks may yet publish more details. In any case, we’d like to reassure customers that addressing any possible vulnerabilities will be our top priority.

No development process guarantees immediate, perfect, permanent invincibility. We are committed to constantly improving the development process, and we also make significant efforts to perfect the process of fixing newly discovered vulnerabilities.

Old Malware Tricks To Bypass Detection in the Age of Big Data

no-image

Kaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently. This attacker has been using the XXMM malware toolkit, which was named after an original project path revealed through a pdb string inside the file: “C:\Users\123\documents\visual studio 2010\Projects\xxmm2\Release\test2.pdb”. We came across an unusual technique used by a sample which contained no pdb strings but was very similar to a variant of XXMM malware in terms of code similarity, malware functionality, crypto-algorithm, data structures and module configuration.

The malware sample we observed was named “srvhost.exe” to resemble a standard system process name. It came from one of our partners at the beginning of 2017. One of the most surprising features of the malware was its file size, which is not commonly seen in malware – it was over 100MB. According to our analysis, this malware is a Trojan loader component that activates a backdoor. We could not confirm pdb strings from this malware, however the backdoor module seems to be named “wali” by the author, according to strings from the embedded config block.

Fig. config strings with “[wali]” section

Fig. “wali.exe” name in the malware body

The wali loader decrypts the embedded wali backdoor using the “\x63” byte and a simple XOR operation. The XOR key is not only  . Then, the wali backdoor module is injected into the memory of the iexplore.exe process by the loader.

What is inside the wali loader that makes it so big in size? The reason is that this sample has a very big overlay of junk data. We found more than 20 other similar samples (wali loader + overlay) using open source intelligence and by searching our malware collection using YARA rule. After removing the overlay, there were only six unique samples.

md5_payload md5_payload+overlay size
d1e24c3cc0322b22988a1ce366d702e5 8bd0ddeb11518f3eaaddc6fd82627f33 105982049
e4811950899f44f9d14a786b4c5b1faa 2871ec229804a6e872db55dafa5c9713 105997178
3e24710d7ade27316d367dd8cb2a0b1a 105996860
3e9feea893482b65a68b1feecb71cd4d 105997043
558ca7fa8ed632fa4f8c69e32888af0f 105997191
d11f7b25823ce474e30e8ab9c8d567b0 105996847
f4c3f06faf53ad2bbc047818344a2323 105997181
f7cc6a5a06cd032c6172d14c1568b976 105997102
e7492f11c88d32e1e0b43f6b29604ec8 6a5558e4ab530f9b5c2d5bcc023d3218 105997658
bb8cef31cf6211c584d245be88573e1f 105997755
Table. Some samples of 100M+ bytes wali loader + overlay

 
The overlay data is generated by the wali dropper when the wali loader is installed onto the victim’s machine. The following figure shows the structure of malware components and how they are related to each other:

Fig. Structure of wali modules

Wali dropper1 checks the CPU architecture. If the CPU is 64-bit, this malware decrypts the 64-bit version of the wali loader from resource id 101. Otherwise, it decrypts the 32-bit version of the wali loader from resource id 102. To extract the resource data it uses RC4 with “12345” as the cryptokey, and LZNT1 to decompress the data after that. Dropper1 creates a file named “win${random4 chr}.tmp.bat” in the current temp directory from the decrypted wali dropper2 data. Finally, it appends generated garbage data to the overlay of the dropped file and runs wali dropper2

Wali dropper2 checks if the user account has admin privileges, and decrypts the wali loader using the same algorithm and the same key as of dropper1, and creating new files using the following file paths:

  • %ProgramFiles%\Common Files\System\Ole DB\srvhost.exe
  • %appdata%\Microsoft\Windows\Start Menu\Programs\srvhost.exe

It also appends generated garbage data to the overlay as well, using the same function. Finally, it creates a registry value of “sunUpdate” in  “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run” to ensure malware persistence.

Generation of Junk Data

The feature to appending junk data to the malware executable to inflate the file size is quite unique to wali dropper1 and wali dropper2. We assume that by creating a large file the authors wanted to avoid AV detection, complicate sample exchange and stay below the radar of the most commonly used YARA rules. The function that generates the junk data is shown below:

Fig. Function to create junk data (create_garbage_data).

The create_garbage_data function generates a random byte in a loop with 1,000 iterations. In every iteration it fills blocks of data of random length within certain dynamically calculated limits. After that the result of create_garbage_data is written to the overlay of the decrypted wali loader and the process is repeated 100 times. This produces junk data of ~100MB which is appended to the executable.

Fig. Loop to append the junk data to overlay.

The size of one wali loader (MD5: d1e24c3cc0322b22988a1ce366d702e5) was initially 1,124,352 bytes. The function that appends garbage produced a new malware file in a real attack (MD5: 8bd0ddeb11518f3eaaddc6fd82627f33) and the file size was increased to 105,982,049 bytes.

As the appended junk data is created dynamically and depends on random values, the size of it may vary. We have seen 100MB files as well as 50MB samples used in real world attacks. The largest we observed was a 200MB malware sample created with the same trick. This technique currently doesn’t affect detection of the malware by Kaspersky Lab products. The malware is detected as:

  • Trojan.Win32.Xxmm
  • Trojan.Win64.Xxmm
  • Trojan-Downloader.Win32.Xxmm
  • Trojan-Downloader.Win64.Xxmm
  • Trojan-Dropper.Win32.Xxmm
  • Trojan-Dropper.Win64.Xxmm

Inflating file size with garbage data is not a completely new technique. Previously polymorphic viruses and worms used this technique a lot to mix original code with garbage data spread across the malware file, sometime increasing the file size by hundreds of kilobytes and even megabytes. Certain software protectors may also insert decoy files into packed files and inflate file size up to 1MB. We have also seen executable malwares disguised as movie files and ISO files spread over torrents, which in these cases, the malware size is inflated to a few gigabytes in order to mimic true content .

What is quite unique in using this method and appending junk data to a file is that in this case this technique is used in targeted attacks and is happening after the initial infection, during the later phases of attack with the intention of increasing file size to avoid detection.

While this technique may seem inefficient in its primitive approach to bypass detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan harddrives. The reason is that one of the common practices for YARA rule authors is to limit the size of scanned files, which is aimed mainly at improving performance of the scanning process. Large files, like the ones produced by XXMM malware, may become invisible for such rules, which is why we would like to recommend security researchers to consider this when creating rules for dropped malwares.

Indicators of Compromise

SHA256sum of samples

Wali dropper1:

  • 9b5874a19bf112832d8e7fd1a57a2dda180ed50aa4f61126aa1b7b692e6a6665

Wali dropper2:

  • da05667cd1d55fa166ae7bd95335bd080fba7b53c62b0fff248ce25c59ede54a
  • 10fca84ae22351356ead529944f85ef5d68de38024d4c5f6058468eb399cbc30

Wali loader + overlay:

  • 1f73d3a566ab7274b3248659144f1d092c8a5fc281f69aa71b7e459b72eb6db2
  • 24835916af9b1f77ad52ab62220314feea91d976fdacad6c942468e20c0d9ca1
  • 303c9fabf6cff78414cebee9873040aeb9dcf6d69962bd9e0bbe1a656376ed16
  • 3ffd5d3579bddbfd7136a6969c03673284b1c862129cfafe7a40beea1f56e790
  • 803a5a920684a5ab1013cb73bf8581045820f9fc8130407b8f81475d91ff7704
  • d2126d012de7c958b1969b875876ac84871271e8466136ffd14245e0442b6fac
  • d7b661754cae77aa3e77c270974a3fd6bda7548d97609ac174a9ca38ee802596
  • dc5e8c6488f7d6f4dcfac64f8f0755eb8582df506730a1ced03b7308587cdc41
  • f4a07e6dcb49cb1d819c63f17a8250f6260a944e6e9a59e822e6118fb1213031
  • ffd45bde777b112206b698947d9d9635e626d0245eb4cfc1a9365edc36614cbe

Wali loader:

  • a24759369d794f1e2414749c5c11ca9099a094637b6d0b7dbde557b2357c9fcd
  • b55b40c537ca859590433cbe62ade84276f3f90a037d408d5ec54e8a63c4ab31
  • c48a2077e7d0b447abddebe5e9f7ae9f715d190603f6c35683fff31972cf04a8
  • 725dedcd1653f0d11f502fe8fdf93d712682f77b2a0abe1962928c5333e58cae
  • cfcbe396dc19cb9477d840e8ad4de511ddadda267e039648693e7173b20286b1

C2 (compromised web sites) of wali:

  • hXXp://******essel[.]com/mt/php/tmpl/missing.php
  • hXXp://******essel[.]com/mt/mt-static/images/comment/s.php
  • hXXp://******hi[.]com/da******/hinshu/ki******/ki******.php
  • hXXp://******an[.]jp/_module/menu/menug/index.php
  • hXXp://******etop.co[.]jp/includes/firebug/index.php
  • hXXp://******etop.co[.]jp/phpmyadmin/themes/pmahomme/sprites.html
  • hXXp://******usai[.]com/ex-engine/modules/comment/queries/deleteComment.php
  • hXXp://******1cs[.]net/zy/images/patterns/preview/deleteComments.php
  • hXXp://******1cs[.]net/zy/images/colorpicker/s.php

Filename (over 50MB size):

  • srvhost.exe
  • propsyse.exe
  • perfcore.exe
  • oldb32.exe
  • oledb32.exe
  • javaup.exe