A for-hire toolkit used to exploit popular software, such as Adobe’s Flash Player, and spread malware can now bypass a key line of defence that Microsoft offers to enterprise customers.
Whenever a new flaw is discovered in Microsoft and third-party software that runs on Windows but there’s no patch available, one of the key tools enterprise can use to shield themselves until a patch arrives is Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET).
EMET can be deployed against threats delivered by exploit kits, which are often rented out to cybercriminals and contain a bundle of attacks for flaws in popular browsers and browser-plugins, such as Flash and Microsoft’s Silverlight.
One of the most widely-used exploit kits is Angler, which distributes banking malware and more recently multiple strains of ransomware, including CryptoWall, TeslaCrypt, and CryptXXX. The kit is planted on compromised websites where it lays in wait for vulnerable browsers.
Worryingly for the enterprise, security firm, FireEye, reported on Monday that some Angler exploits are now “completely evading” EMET to exploit bugs in Flash and Silverlight, which the company’s security researchers believe is “fairly sophisticated”.
One of the attacks that can evade an EMET mitigation technique known as Data Execution Prevention (DEP), which can prevent the execution of code in certain parts of a device's memory. One technique to bypass DEP is known as return oriented programming (ROP), however the exploits FireEye analysed didn’t use ROP techniques.
“The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s [for Silverlight] inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics,” FireEye researchers wrote.
The other EMET defence they observed exploits evading was a feature called Export Address Table Filtering (EAF), which FireEye explains is designed to “protect the contents of memory and prevent exploit code from identifying where things are loaded”.
FireEye noted that the company had only tested the exploits against Windows 7, however it did run the tests using Microsoft’s newest EMET, version 5.5.
While the tests didn't assess the exploits against Windows 10 with EMET, Angler's exploits are significant since Windows 7 is still by far the most widely used version of Windows in the world, making it the more highly valued system to compromise. According to NetMarkshare, Windows 7 runs on around 48 percent of desktops, versus the 17 percent share of Windows 10.
“The level of sophistication in exploits kit has increased significantly throughout the years. Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode,” the researchers conclude.
FireEye also recommended disabling browser plugins for Flash and Silverlight as a means to reducing the points that attackers can exploit.