Tag Archives: obfuscation

Tampered NSIS installers contain ransomware

In a blog post earlier this month Microsoft provided an in-depth analysis of a new technique in use by ransomware authors to disguise their attempts to hold your data for ransom.

What has made these newly disguised ransomware installers so successful?
These attack involve tampering with a Nullsoft Scriptable Install System (NSIS) installer (used in paid, free and open-source software such as VideoLAN VLC, Wireshark (among others)). In contrast to previously altered installers the attackers have removed their randomly named DLL (defined) which dramatically reduces the chance of detection due to far less code being present. Inclusions of non-malicious plugins, an uninstallation component and a legitimate .bmp image file for use with the installer help to divert attention away from the installer’s real purpose.

The installer instead contains an installation script which would usually automate the installation of the application for you. In this case however an obfuscated (defined here and here) script which calls the Win32API (API, defined) allows an attacker to allocate (make ready for use) an area in the computer’s memory in order to activate a small code fragment to decrypt the ransomware.

As detailed by Deep Instinct’s security researcher Tom Nipravsky; the script is sophisticated since it operates only in memory in addition to being multi-staged. Moreover the shell code (defined) uses a technique known as Heaven’s Gate which allows 64 bit shell code to make use of a 32 bit process (defined) which makes the work of security researchers more difficult since debuggers (defined) cannot easily handle a transition from one architecture to another. This also has the benefit of bypassing API hooks (defined) which are monitored by anti-malware software and makes use of system calls (defined) as opposed to API calls.

Moreover this ransomware uses a technique known as “process hollowing.” This occurs when an attacker creates a process in a suspended state (defined) but replaces it’s in memory code with code the attacker wishes to hide. Finally the attackers use an encrypted installer within NSIS which currently security vendors are unable to trace and is only decrypted when it is about to be used.

How can I protect myself from these threats?
Since the tampered NSIS installers originate from emails you should follow the advice from SANS with regards to email:

=============
Use Caution Opening Email Attachments – A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it.
=============

Source: https://www.sans.org/tip-of-the-day (date: 1st March 2017)

Microsoft encourages enterprise/corporate users to upgrade to Windows 10 and make use of its security features to defend against this threat.

Full disclosure: I don’t work for or on behalf of Microsoft nor do I wish to promote their products/services. I have simply provided a link to their advice for corporate users who may already have Windows 10 (or are considering upgrading) in order for them to better protect themselves against this and other threats using the security protections it offers.

Thank you.

WordPress Releases Security Update (February 2016)

On the 3rd of February WordPress released a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.4.2.

This is a critical security update that resolves 2 security issues. One is a server-side request forgery (SSRF) attack that could allow information disclosure since it has the potential to bypass normal access controls. The remaining issue was present on the login page of WordPress which could have been used to cause a redirect for a user trying to login.

Due to the severity of these issues, WordPress is advising it’s users to update immediately.

Separately a ransomware (defined) campaign is compromising very large numbers of WordPress websites by adding obfuscated (defined within this post) JavaScript (defined) to the websites that results in visitors to those sites being redirected to a website of the attacker’s choice. The JavaScript can deliver the ransomware to a victim system if it is using outdated versions of Adobe Flash Player/Reader, Microsoft Internet Explorer or Silverlight since it makes uses of the Nuclear exploit kit (defined). At this time there is very little detection of the exploit code using VirusTotal.com

A shortlist of recommendations to protect your WordPress website against this ransomware campaign is shown below (for your convenience). This list including further details of this threat is available from Heimdal Security’s blog post (I wish to express my sincere thanks to them for making such detailed information available to protect against this threat):

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Moreover; a technical description of how this attack occurs against a WordPress website is available within this Sucuri blog post. Malwarebytes also provide advice and a further technical description in their blog post as they describe how the exploits have switched from the Nuclear exploit kit (defined) the to the Angler exploit kit.

As always; WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For more information on installing updates to commonly used software, this blog can assist. Please see the “Protecting Your PC” page for how to keep software updated. Moreover; specific information on Adobe updates is available here with Microsoft updates discussed here.

Thank you.