Ransomware infector can now dodge Microsoft’s tool for stopping Flash attacks

A for-hire toolkit used to exploit popular software, such as Adobe’s Flash Player, and spread malware can now bypass a key line of defence that Microsoft offers to enterprise customers.

Whenever a new flaw is discovered in Microsoft or third-party software that runs on Windows and no patch is yet available, one of the key tools enterprises can use to shield themselves until a patch arrives is Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET).

EMET can be deployed against threats delivered by exploit kits, which are often rented out to cybercriminals and bundle attacks against flaws in popular browsers and browser plug-ins, such as Flash and Microsoft’s Silverlight.

One of the most widely used exploit kits is Angler, which distributes banking malware and, more recently, multiple strains of ransomware, including CryptoWall, TeslaCrypt, and CryptXXX. The kit is planted on compromised websites, where it lies in wait for vulnerable browsers.

Worryingly for the enterprise, security firm FireEye reported on Monday that some Angler exploits are now “completely evading” EMET to exploit bugs in Flash and Silverlight, which the company’s security researchers believe is “fairly sophisticated”.

One of the attacks evades an EMET mitigation known as Data Execution Prevention (DEP), which prevents code from executing in certain regions of a device’s memory. One well-known technique for bypassing DEP is return oriented programming (ROP); the exploits FireEye analysed, however, did not use ROP.

“The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s [for Silverlight] inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics,” FireEye researchers wrote.
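The detection-side consequence of the two paragraphs above is worth making concrete: a heuristic that validates the return address of a VirtualProtect or VirtualAlloc call will pass when the call site sits inside a legitimately loaded module such as Flash.ocx or coreclr.dll, whereas a check on the requested page protection still fires. The following Python script is an added example, not code from the article or from FireEye, and it runs two such heuristics over a handful of constructed API-monitor records; the record format, field names and the "trusted caller" list are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Win32 page-protection constants (the low byte holds exactly one of these).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_AND_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Image modules whose own code legitimately calls VirtualProtect/VirtualAlloc
# (assumed list). A return address inside one of them satisfies a
# caller-validation heuristic, which is what the article says Angler relies on.
TRUSTED_CALLER_MODULES = {"flash.ocx", "coreclr.dll", "kernel32.dll", "ntdll.dll"}


@dataclass
class ApiEvent:
    pid: int
    process: str
    api: str        # VirtualProtect or VirtualAlloc
    caller: str     # module holding the return address, or "<unbacked>"
    protect: int    # flProtect / flNewProtect argument


# Assumed monitor record layout, e.g.
# "pid=4012 proc=iexplore.exe api=VirtualAlloc caller=flash.ocx protect=0x40"
LINE_RE = re.compile(
    r"pid=(?P<pid>\d+) proc=(?P<proc>\S+) api=(?P<api>\S+) "
    r"caller=(?P<caller>\S+) protect=(?P<protect>0x[0-9a-fA-F]+)"
)


def parse_line(line: str) -> ApiEvent:
    """Parse one record of the assumed API-monitor format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    return ApiEvent(int(m["pid"]), m["proc"], m["api"],
                    m["caller"].lower(), int(m["protect"], 16))


def caller_check(ev: ApiEvent) -> bool:
    """Return-address heuristic: flags only calls whose caller is not a known module."""
    return ev.caller not in TRUSTED_CALLER_MODULES


def rwx_check(ev: ApiEvent) -> bool:
    """Protection heuristic: flags any request for writable+executable pages, whoever asks."""
    return (ev.api in ("VirtualProtect", "VirtualAlloc")
            and (ev.protect & 0xFF) in WRITABLE_AND_EXECUTABLE)


def triage(lines):
    """Run both heuristics over the records and return one verdict per record."""
    verdicts = []
    for line in lines:
        ev = parse_line(line)
        verdicts.append({"event": ev,
                         "caller_flag": caller_check(ev),
                         "rwx_flag": rwx_check(ev)})
    return verdicts


# Constructed sample records; not real telemetry.
SAMPLE_LOG = [
    "pid=4012 proc=iexplore.exe api=VirtualAlloc caller=flash.ocx protect=0x40",
    "pid=4012 proc=iexplore.exe api=VirtualProtect caller=coreclr.dll protect=0x40",
    "pid=4012 proc=iexplore.exe api=VirtualProtect caller=<unbacked> protect=0x40",
    "pid=4012 proc=iexplore.exe api=VirtualAlloc caller=flash.ocx protect=0x04",
    "pid=4012 proc=iexplore.exe api=VirtualProtect caller=ntdll.dll protect=0x20",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        e = v["event"]
        print(f"{e.api:<14} caller={e.caller:<11} protect=0x{e.protect:02x} "
              f"caller_flag={str(v['caller_flag']):<5} rwx_flag={v['rwx_flag']}")
```

Of the three RWX requests in the sample, only the one returning to unbacked memory trips the caller check; the two that return into Flash.ocx and coreclr.dll are caught solely by the protection-flag check, which is why a monitor should record the requested protection and not rely on call-site validation alone.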

The other EMET defence the exploits were observed evading was a feature called Export Address Table Filtering (EAF), which FireEye explains is designed to “protect the contents of memory and prevent exploit code from identifying where things are loaded”.

FireEye noted that it had only tested the exploits against Windows 7; it did, however, run those tests with Microsoft’s newest EMET release, version 5.5.

While the tests didn't assess the exploits against Windows 10 with EMET, Angler's exploits are significant because Windows 7 is still by far the most widely used version of Windows in the world, making it the more valuable system to compromise. According to NetMarketShare, Windows 7 runs on around 48 percent of desktops, versus a 17 percent share for Windows 10.

“The level of sophistication in exploit kits has increased significantly throughout the years. Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode,” the researchers conclude.

FireEye also recommended disabling the browser plug-ins for Flash and Silverlight as a means of reducing the number of points that attackers can exploit.

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place