Versa - eEye Industry Newsletter
May 12, 2009
In This Issue
Tech Talk
Shellcode Detection- An Additional Layer for File-Format Exploit Prevention
The business of malware has made several leaps and bounds in the last 5 years, both for malware authors and for anti-virus vendors. Malware design is no longer led by eclectic programmers and curious young adults; instead it’s a multi-million dollar venture conducted by increasingly skilled teams of programmers who are funded by even larger entities for profit and espionage purposes. Furthermore, since malware became capable of generating a substantial income, the amount of newly developed malware has grown exponentially in the last 2 years alone to staggering new highs. This new wave, a ‘pyramid scheme’ of malware-related profits, has forced anti-virus vendors and other computer security companies to constantly evolve their products and technologies in order to combat malware on such a large scale. In response to the advancements in anti-virus products, attackers have turned to more advanced methods in order to bypass signatures and heuristic detection engines. An example of these new attack strategies is File-Based Exploit Malware, where a typically harmless file is maliciously crafted so that, once opened by a vulnerable application, it corrupts the application in such a way that it silently executes and installs malware.

The actual concept of this attack is nothing new; attackers have trojanized files since the dawn of malware. The traditional routes attackers used in the past have been file containers, such as Office Macros, OLE embedded files, Alternative File Streams, and even merged or joined files. However, these methods are exceedingly primitive and were trivial for anti-virus products to detect and protect against. Since they required the attacker to store an actual malware file inside the trojanized file, anti-virus products could simply scan each container section of these files for malware, effectively treating each of them as a separate file. Unfortunately, file-based exploit malware does not follow these rules: it does not use sub-container sections of the file, and it does not embed a file in the traditional sense. Instead, attackers embed malicious ‘shellcode’ into these files in order to distribute their malware.

There are two requirements for a file-based exploit to work successfully: a vulnerability or exploitable condition in the application associated with the file type, and working shellcode. An exploitable condition is a programming error in the application responsible for opening the file (such as Microsoft Office Word for .doc files, Adobe Reader for .pdf files, or iTunes for .mp3 files). When that application opens a malformed file of its type, the programming error corrupts the computer’s memory in such a way that content from the malformed file is loaded into memory and executed. Normally this would lead to just the application crashing and displaying a typical crash report dialog box to the user, unless the attacker has embedded shellcode into the malformed file. Shellcode is a payload of raw machine byte code that, when loaded into memory through an exploit, allows the attacker to effectively control the computer. So instead of crashing the application, the shellcode conducts a malicious act such as downloading and installing malware from the internet, opening a remote access port, or even adding a user account to the computer.

File-based exploit malware makes traditional virus scanning obsolete: normally AV software will open the file, scan its content, find no embedded malware files, and mark the file as clean. This leaves the user exposed to a gaping hole in computer security that modern malware authors are actively using in order to compromise systems and install malware onto computers. In order to counter this threat, eEye’s Blink Endpoint Security utilizes a unique technology that stops file-based exploit malware dead in its tracks before it is executed. This technique is a new state-of-the-art generic exploit detection technology that allows any file to be scanned to detect not only traditional malware threats, but also malicious shellcode embedded anywhere within the file. Furthermore, to ensure the safety of the system, the shellcode detection system scans the file prior to its execution, thus preventing exploits and malware from attempting to hide their presence or performing other evasive actions to bypass the technology.
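To make the two paragraphs above concrete, here is an added illustration (not eEye's Blink engine or any of its actual rules) of what a generic, format-agnostic shellcode scan looks like: the file is treated as an opaque byte string and checked for artifacts that position-independent x86 shellcode tends to carry, such as a NOP sled and a "GetPC" stub, before any viewer opens it. The heuristics, the sample documents and the offsets are all constructed for this example.

```python
import re
from typing import List, Tuple

# Illustrative x86 shellcode heuristics (constructed; not eEye's detection rules).
# They target code that position-independent shellcode needs regardless of the
# document format that carries it.
NOP_SLED_MIN = 16                       # a run of 0x90 (NOP) this long is rare in documents
NOP_SLED = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)
GETPC_PATTERNS = {
    # "call $+5 ; pop reg": the shellcode learns its own address from the return address
    "call/pop GetPC": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]", re.DOTALL),
    # "fldz ; fnstenv [esp-0xc]": FPU trick that leaks EIP without a call
    "fnstenv GetPC": re.compile(rb"\xd9\xee\xd9\x74\x24\xf4", re.DOTALL),
}


def scan_for_shellcode(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, reason) for every suspicious region in an opaque byte string.

    No container parsing is attempted: the file is scanned as raw bytes so that
    shellcode placed anywhere within the file is seen before a viewer opens it.
    """
    hits = [(m.start(), f"NOP sled of {len(m.group())} bytes") for m in NOP_SLED.finditer(data)]
    for name, pat in GETPC_PATTERNS.items():
        hits.extend((m.start(), name) for m in pat.finditer(data))
    return sorted(hits)


def is_suspicious(data: bytes) -> bool:
    """Pre-open verdict: block the file if any heuristic fires."""
    return bool(scan_for_shellcode(data))


# Constructed sample inputs (not real malware): a benign-looking document and the
# same document with a NOP sled and a call/pop stub spliced into its middle.
CLEAN_DOC = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
             + bytes(range(256)) * 4 + b"\n%%EOF\n")
SUSPICIOUS_DOC = (CLEAN_DOC[:60]
                  + b"\x90" * 32                    # NOP sled
                  + b"\xe8\x00\x00\x00\x00\x5b"     # call $+5 ; pop ebx
                  + CLEAN_DOC[60:])

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("trojanized", SUSPICIOUS_DOC)):
        print(label, "->", "BLOCK" if is_suspicious(doc) else "allow", scan_for_shellcode(doc))
```

A long 0x90 run can also occur in legitimate compiled code embedded in a document, so a verdict like this is one layer that should feed the other protection engines the article describes, not a sole decision.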

A perfect demonstration of the effectiveness of this new technology can be seen with the latest 0-day threats in Microsoft PowerPoint and Excel. At the beginning of April 2009, malware authors discovered a new unpatched vulnerability within Microsoft Office PowerPoint 2000, XP, 2003, and 2004 for Mac. This was similar to the Excel vulnerability that was discovered by malware authors in mid February, which affected all versions of Excel. By combining either of these vulnerabilities with malicious shellcode, they were able to create very effective file-based exploit malware. In order to spread this malware, attackers began sending emails with embedded links to the malicious presentation or spreadsheet files. Upon clicking the link to the trojanized Office file, the file-based exploit malware executes a large amount of shellcode that not only downloads and installs a brand new Windows rootkit in the background, but also opens a normal Microsoft PowerPoint presentation or Excel spreadsheet in order to cover up the attack. This attack represented a true nightmare for AV vendors: a brand new flaw in a popular suite of software that installs a never before seen piece of malware, effectively bypassing any signature-based detection that would normally be used in this scenario. By implementing this new shellcode detection technology in its AV scanning software, eEye Digital Security and Norman were the only AV vendors among 33 other vendors to detect this exploit, and eEye was the only AV vendor to prevent this exploit from executing any malicious shellcode on a user’s system. Users with Blink installed on their system were protected against the new PowerPoint and Excel vulnerabilities not only by the newly developed shellcode detection engine but also by eEye’s patented system protection and zero-day attack protection engines. This layered defense system allows Blink to effectively block zero-day vulnerabilities and attacks without the need for updates or signatures to its software.

Source: Greg Linares, Research Engineer
News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
Malicious code is becoming more complex and, as it moves from the hands of hackers and into those of criminals, it has gone from being annoying to downright dangerous.
Need a well-rounded security solution? With a firewall, spyware, malware, intrusion prevention, vulnerability assessment and system protection, this tool becomes an invaluable protection asset in your network. eEye Digital Security is an excellent choice for workstation protection.
Our round-up of intriguing new products from RSA.
eEye and its security solutions have been covered by numerous press and media associations.
Reader Q&A
Q:  How does the eEye Research Team keep track of security news?
A:  eEye Research has put into place many tools and relationships that help us keep track of what is going on in the world of computer security. However, even though most of the Researchers are not exactly "excited" about the "Web2.0" world, one technology we all embrace is Google Reader. Each Researcher has his/her own Google Reader account, which we consolidate for customers/peers feeds using Yahoo Pipes. How's that for embracing Web2.0?

Well...we're proud of it. :)

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.
Announcements
Integrated Server Protection Platform featuring a Web Application Firewall, Protocol-based Intrusion Prevention, and File Tampering Monitoring for Servers.
Estimates peg 9-12 million computers already infected by earlier strains of Conficker.
eEye Channel Partner program recognized as ‘exceptional’ by leading Channel authority.
Etcetera
eEye Research has seen staggering results from the recent influx of Blink Personal/Neighborhood Watch users. These results in turn offer eEye Research distinct insight into host-based vulnerability and attack trends, and further enhance Blink's host-based intrusion prevention system. Keep a watchful eye on the eEye Research Portal http://research.eeye.com/ for future projects that have arisen because of the mass use of Blink Personal, including Neighborhood Watch reports and attack trends.
The monthly Vulnerability Expert Forum focuses on recently announced critical vulnerabilities from Microsoft and other software vendors. eEye's Internet security experts will describe the actions necessary to protect your systems from the threats that target these vulnerabilities.