Cisco Blogs

Cisco Blog > Threat Research

Dangerous Clipboard: Analysis of the MS15-072 Patch

This post was authored by Marcin Noga with contributions from Jaeson Schultz.

Have you ever thought about how security researchers take a patch that has been released, and then reverse it to find the underlying security issue? Well, back In July Microsoft released security bulletin MS15-072, titled: “Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392)”. According to Microsoft, this vulnerability “could allow elevation of privilege if the Windows graphics component fails to properly process bitmap conversions.” Talos decided to have a deeper look at this vulnerability in order to better understand it, and this post describes the details of this process so that our readers may gain a better understanding of how this is done.

To read the full post, please visit the blog by clicking here.


Tags: , , ,

Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors

This post was authored by Ben Baker and Alex Chiu.

Executive Summary

Threat actors and security researchers are constantly looking for ways to better detect and evade each other.  As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples.  Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis.

Table of Contents
Executive Summary
The 10,000 Foot View at Rombertik
A Nasty Trap Door
The Actual Malware
Coverage and Indicators of Compromise

It becomes critical for researchers to reverse engineer evasive samples to find out how attackers are attempting to evade analysis tools. It is also important for researchers to communicate how the threat landscape is evolving to ensure that these same tools remain effective. A recent example of these behaviors is a malware sample Talos has identified as Rombertik. In the process of reverse engineering Rombertik, Talos discovered multiple layers of obfuscation and anti-analysis functionality. This functionality was designed to evade both static and dynamic analysis tools, make debugging difficult. If the sample detected it was being analyzed or debugged it would ultimately destroy the master boot record (MBR).

Talos’ goal is to protect our customer’s networks.  Reverse engineering Romberik helps Talos achieve that goal by better understanding how attackers are evolving to evade detection and make analysis difficult.  Identifying these techniques gives Talos new insight and knowledge that can be communicated to Cisco’s product teams.  This knowledge can then be used to harden our security products to ensure these anti-analysis techniques are ineffective and allow detection technologies to accurately identify malware to protect customers. Read More »

Tags: , , , , ,

Cryptowall 3.0: Back to the Basics

This post was authored by Andrea Allievi  & Earl Carter

Ransomware continues to impact a large number of organizations and the malware continues to evolve. In January, we examined Cryptowall 2.0 and highlighted new features incorporated into the dropper and Cryptowall binary. When Cryptowall 3.0 appeared, we were interested in seeing what new functionality was incorporated into this latest variant in the Cryptowall series.

The latest 3.0 sample that we analyzed was in a zip file. This zip file contains multiple dropper files which are essentially identical in functionality except for the encryption algorithm used to obfuscate the dropper and eventually build the Cryptowall 3.0 binary.

Read More »

Tags: , , , ,

Ransomware on Steroids: Cryptowall 2.0

This post was authored by Andrea Allievi and Earl Carter.

Ransomware holds a user’s data hostage. The latest ransomware variants encrypt the user’s data, thus making it unusable until a ransom is paid to retrieve the decryption key. The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper. Under the Windows 32-bit on Windows 64-bit (WOW64) environment, it is indeed able to switch the processor execution context from 32 bit to 64 bit.

Read More »

Tags: , , , ,

Debugger Inception – The Scriptable Debugger Within The Debugger

I recently began working on a toolset to aid with analyzing binary protocols and I decided to use it as an exercise to get more familiar with the Immunity Debugger. I have been using Windbg for a while now, however, I was constantly reading articles discussing how great Immunity Debugger is for exploit development and I had been meaning to take the time to become more familiar with it.

Read More »

Tags: , ,