Security Weekly 7: ExPetr is not a ransomware, Intel PT lets PatchGuard be bypassed, another RCE in the Malware Protection Engine
Mimicry is extremely common in the animal kingdom. To hide from predators more easily, or conversely to sneak up on prey unnoticed, animals, reptiles, birds and insects take on a colouring that resembles their surroundings. There is also mimicry of objects and, finally, of other species: ones that are more dangerous or less tasty.
- Likewise, a new Trojan extortionist, ExPetr, looks like Petya but is not quite it. Spreading like a plague, it caused a stir in 150 countries.
- One propagation vector, though not the only one, was the familiar pair EternalBlue and DoublePulsar, which many still had not bothered to patch after WannaCry.
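Since the article's point is that hosts were still exposed to EternalBlue long after WannaCry, here is an added defender-side check (not code from the original article or from any vendor it mentions) that reports whether a Windows host still has SMBv1, the transport EternalBlue abuses, enabled and listening. It assumes a Windows 8.1/10 or Server 2012 R2+ host with the SmbShare, DISM and NetTCPIP modules available and is meant to be run from an elevated PowerShell session.

```powershell
# Added example: report the SMBv1 exposure of the local host.
# Assumes Get-SmbServerConfiguration, Get-WindowsOptionalFeature and
# Get-NetTCPConnection are available (Windows 8.1 / Server 2012 R2 and later).
function Get-Smb1Exposure {
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Server-side SMBv1 switch in the SMB server configuration
    $srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $result.Smb1ServerEnabled = if ($srv) { [bool]$srv.EnableSMB1Protocol } else { 'unknown' }

    # Whether the SMB1Protocol optional feature is installed at all
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $result.Smb1FeatureState = if ($feat) { $feat.State.ToString() } else { 'unknown' }

    # A TCP/445 listener is what makes SMBv1 reachable from the network
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listen

    # Exposed only when SMBv1 is on AND the port is actually listening
    $result.Exposed = ($result.Smb1ServerEnabled -eq $true) -and $result.Port445Listening

    [pscustomobject]$result
}

Get-Smb1Exposure
```

Run it across a fleet (for example via Invoke-Command) and treat any host with Exposed = True as a candidate for disabling SMBv1 with Set-SmbServerConfiguration -EnableSMB1Protocol $false, in addition to applying the MS17-010 update the article refers to.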
That is the kind of mimicry I mean.
On closer inspection, ExPetr turned out not to be a ransomware at all but a genuine data wiper. Recovery of the encrypted data is not provided for and is impossible.
- The good old Petya generated an identifier for each victim, which had to be sent to the extortionists after the ransom was paid. From it the scammers derived the key that was returned to the victim so that she could recover her files. ExPetr also shows the victim an identifier, but it is useless: just a random string of characters. Nobody intended to decrypt anything from the very beginning.
- That raises a reasonable question: why go to the trouble of a ransom demand and a disguise as the relatively harmless Petya?
- Perhaps it is a not especially clever attempt to hide that behind the new epidemic stand not ordinary guys from nowhere trying to make money on a free exploit, but someone far more malicious who does not need money. True, the authors of ExPetr still earned some money.
A method for bypassing Windows 10 kernel protection has been developed
- As you know, Windows 10 gained a number of good, useful protective features. One of them, PatchGuard, rooted out rootkits almost completely. But the people at CyberArk say that will not last long, since they have already found a way to run code freely in the Windows 10 kernel space.
- The problem lies in the remarkable Intel PT (Processor Trace) technology, which lets security products monitor the flow of instructions the processor executes in order to spot a possible attack instantly. The idea is excellent, but CyberArk was able to use PT to run its own code in kernel space. They naturally reported all this to Microsoft, but got the answer that it is nothing serious, because exploiting the vulnerability requires admin rights.
- And if so, then it is not a vulnerability, because the administrator is allowed everything on the machine, and if an intruder has become one, the game is already over.
- And yet this is not entirely true. Even a Trojan with admin rights can be detected and removed. But the CyberArk exploit lets code execute completely unnoticed by any security system. It is quite possible that some bad guys have long been using something like this, and catching them at it will be very, very difficult.
Another RCE found in the Malware Protection Engine
- Researchers from Google Project Zero seem to enjoy dissecting Microsoft's protection engine. For the third time in recent months, a vulnerability has been found in it that allows remote execution of arbitrary code.
- The problem lies in the x86 emulator on which MsMpEng runs untrusted PE files. It turned out that Microsoft's developers left one of the emulator's API calls exposed, not by accident but "for a number of reasons". The cunning Tavis Ormandy of Project Zero was able to use this in a cleverly crafted file that, when scanned, causes memory corruption in the emulator, which, according to Microsoft, allows "running code, installing programs, changing data, creating new accounts".
- The typical attack scenario looks much like the previous MsMpEng vulnerabilities: the victim visits a site that slips them a tricky file, or receives the file by email or through an instant messenger. MsMpEng scans it automatically, and no action from the user is required.
Let me remind you that the vulnerable MsMpEng is included in:
- Microsoft Endpoint Protection;
- Microsoft Forefront Endpoint Protection;
- Windows Defender and Microsoft Intune Endpoint Protection.
But the vulnerability is only present on 32-bit systems.
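Because the article narrows the affected population to 32-bit hosts running MsMpEng, an inventory check is the practical follow-up. The script below is an added example, not code from the original article or from Microsoft: it reports whether the local host is 32-bit, whether MsMpEng is running, and the engine version reported by Windows Defender. The fixed engine version is not stated in the article, so it is left as a labelled placeholder to be filled in from the Microsoft advisory; the Defender PowerShell module (Get-MpComputerStatus) is assumed to be present.

```powershell
# Added example: flag hosts where the MsMpEng emulator bug described above is
# relevant, i.e. 32-bit Windows with the engine running and not yet updated.
# PLACEHOLDER: replace with the fixed engine version from the Microsoft advisory.
$FixedEngineVersion = [version]'0.0.0.0'

function Get-MsMpEngExposure {
    param([version]$FixedVersion = $FixedEngineVersion)

    # OSArchitecture is "32-bit" or "64-bit" in Win32_OperatingSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $is32Bit = $os.OSArchitecture -like '32*'

    # Engine version as reported by Windows Defender (AMEngineVersion, e.g. "1.1.x.0")
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $engine = if ($status -and $status.AMEngineVersion) { [version]$status.AMEngineVersion } else { $null }

    # Is the scanning service process actually running on this host?
    $proc = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue

    $outdated = if ($engine) { $engine -lt $FixedVersion } else { 'unknown' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Is32Bit        = $is32Bit
        EngineRunning  = [bool]$proc
        EngineVersion  = $engine
        EngineOutdated = $outdated
        # Exposed only when all three conditions hold; unknown version counts as not proven exposed
        Exposed        = $is32Bit -and [bool]$proc -and ($outdated -eq $true)
    }
}

Get-MsMpEngExposure
```

The engine updates through the normal definition-update channel rather than Windows Update, so a host that reports EngineOutdated = True after the fix shipped usually points at a blocked or stale update path rather than a missing patch.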