Just-In-Time Malware Assembly

Discussion in 'malware problems & news' started by itman, Dec 13, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I don't think this one has been reported on Wilders.

    Of concern to me is that .Net assemblies can be compiled on the fly using mscorsvw.exe.

    Once exploits are in an enterprise’s network, they evade security because there is no single malicious payload to be captured by a network monitoring system. The code then fools endpoint security systems by using local Windows systems utilities to stitch together snippets, most of which would never be blocked by security tools.

    These exploits sneak in via two common outlets: spear phishing emails that often contain media or Microsoft Office documents laced with malicious code, or malvertising campaigns served up through third-party ad networks. The exploits range in functions from botnet protocols to banking Trojans to ransomware.

    http://fedscoop.com/its-time-to-worry-about-just-in-time-malware

    This novel approach compromises systems while evading detection from network sandbox and traditional endpoint and network security solutions.

    Instead, JIT malware uses techniques borrowed from late-binding compilers to assemble a malware executable on the target endpoint itself in order to evade network sandbox analysis.


    https://www.invincea.com/2015/07/wh...malware-assembly-advanced-evasion-techniques/

     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,089
Clever way to bypass monitoring systems. Hardening the system and whitelisting could prevent infection from happening. Preventing active content (macros, ActiveX, scripts) from running in some apps (Office, PDF reader) or the system, and whitelisting binaries that can run, would probably stop many of these attacks. Also, a vulnerable application needs to be exploited in this scenario. It's still an interesting technique and I wonder if any AV/AM solutions are checking for this kind of compiling happening.
     
    Last edited: Dec 13, 2015
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    From the articles, it seems like this is mostly used to establish a persistent presence undetected, once a workstation has been compromised? In which case yeah, the usual measures would work if actually followed. The problem is knowing if they didn't work.

    There's no reason it couldn't be done more directly, too, through shellcode and scripted routines. Probably nobody will though, because spear phishing is easier and more reliable. Hurray, I guess. :(
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Primary delivery mechanisms are cscript.exe, jscript.exe, and powershell.exe.

I would imagine that behavior blocking w/rep scanning and hash checks would detect the compiled/assembled malware if it did something malicious, like a ransomware variant. If it established a botnet, AVs like Eset w/botnet protection should detect that. If it was a banking Trojan, a HIPS rule protecting the browser should detect any code injection.

    The problem is that the payload is still on the system and could easily recreate the malware if removed by security software. Note that it uses existing system features and functions to create the malware executable.
     
    Last edited: Dec 13, 2015
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Yeah. Important to note:

    Each real-world demo includes two scenarios. The first attack shows how each product handles a piece of known malware. As expected, they all detect and block the malware. In the second attack (weaponized Office document with malicious macro), we see a sample spear-phishing email containing a link to an Excel file. When the user attempts to open the file, only Invincea detects and stops the attempted data exfiltration. Trend Micro fails to detect the attack, allowing PowerShell to exfiltrate data from the user’s Documents folder to a remote FTP directory.

I question whether MBAE would protect at all against what I underlined above. What is described is basically a backdoor connection being established. Nothing malicious to the target system is being performed.

     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
Worth noting is that Invincea's Endpoint solution sandboxes and monitors all executing processes. This differs from retail behavior blockers like Emsisoft's that only monitor unknown and select known system processes, or Eset's advanced heuristics that only monitor incoming network activity.

    The only way to reliably detect and stop such attacks is through a behavioral detection engine that monitors the actions of known and unknown processes, with containerization to isolate the attack surface. With Invincea, any time a known process is observed behaving anomalously, a detection event is immediately created. The process monitoring engine continuously monitors the following and uses them to detect malicious activity: process launch; module (DLL) load; registry write; file write; and network connection (including listener and outbound connection).

    Comparison to Sandboxie and other AV protection here: https://www.invincea.com/products/invincea-endpoint-small-business/

    At $45 U.S. a license, I might just check it out. -EDIT- Scratch that - min. purchase is 5 licenses.

    -EDIT- Interesting whitepaper here: https://www.invincea.com/wp-content..._Containerization-and-Whitelisting_112514.pdf

    Do note that Invincea does not use signatures and as such, does not scan files.
     
    Last edited: Dec 14, 2015
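As an added illustration (not code from the thread or from Invincea) of the kind of behavioral correlation the post describes, the script below runs two rules over constructed, Sysmon-style process events: an Office application spawning a script host (the macro scenario from post 6), and a script host that writes a new executable locally and then opens an outbound connection (the local-assembly-then-exfiltration pattern). Event field layout, file paths and addresses are all constructed assumptions.

```python
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe"}
EXEC_SUFFIXES = (".exe", ".dll")

# Constructed sample telemetry (not real logs).
# Layout: (seq, event, pid, image, parent image or event detail)
EVENTS = [
    (1, "process_launch", 100, "excel.exe", "explorer.exe"),
    (2, "process_launch", 200, "powershell.exe", "excel.exe"),
    (3, "file_write", 200, "powershell.exe", r"C:\Users\u\AppData\Local\Temp\stage.exe"),
    (4, "network_connect", 200, "powershell.exe", "203.0.113.10:21"),
    (5, "process_launch", 300, "powershell.exe", "explorer.exe"),
    (6, "file_write", 300, "powershell.exe", r"C:\Users\u\notes.txt"),
    (7, "network_connect", 300, "powershell.exe", "192.0.2.5:443"),
]


def correlate(events):
    """Return (rule, pid, image, detail) tuples for suspicious event chains."""
    alerts = []
    dropped = {}  # pid -> path of an executable written by a script host
    for _seq, event, pid, image, detail in sorted(events):
        image = image.lower()
        if (event == "process_launch" and detail.lower() in OFFICE_APPS
                and image in SCRIPT_HOSTS):
            # Rule 1: an Office document handing off to a script host
            alerts.append(("office_spawns_script_host", pid, image, detail))
        elif (event == "file_write" and image in SCRIPT_HOSTS
                and detail.lower().endswith(EXEC_SUFFIXES)):
            # Remember that this script host built an executable on disk
            dropped[pid] = detail
        elif event == "network_connect" and pid in dropped:
            # Rule 2: the same process then went outbound (possible exfil/C2)
            alerts.append(("assembled_then_connected", pid, image,
                           f"{dropped[pid]} -> {detail}"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Plain PowerShell writing a text file and connecting out (pid 300) does not trip either rule, which is the point: the signal is the chain, not any single event.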