Understanding Angler Exploit Kit

Discussion in 'malware problems & news' started by itman, Jun 8, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  2. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
  4. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    So, does Chrome with its experimental flags (like PPAPI32 and WIN32 lockdown) protect this variant?
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Win 7 only as noted:

    This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7.
    Also only applies to Flash and Silverlight exploits.

     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics

    The problem is the way the "Virtual" APIs are being executed. This is why I use Eset's HIPS for memory protection since it doesn't care about the mode that VirtualProtect and VirtualAlloc are executed but rather detects any memory injection from a process using those APIs.

     
  7. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Ok, i haven't paid much attention to the original article.

    So, if i understand correctly, it is infecting the systems, by injecting itself to those dll's in memory. If true, can you please share your relevant HIPS rules. I am more intersted towards firefox.exe,plugin-container.exe, plugin executables if you have created any rules.

    Also, i am wondering if Windows PPL (protected process lite) feature (mentioned by @Windows_Security) can mitigate this by making these vulnerable executable s (like plugin-container.exe) to set to protected. Sorry, if my question doesn't make sense!
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    For starters, Eset has very effective independent exploit protection. It detected and stopped all HMPA test tool exploits from running in my testing using IE 11.

    Eset's HIPS has four process mitigations that I employ on all my Internet facing apps;

    1. Intercept events from another application
    2. Terminate/suspend another application
    3. Modify the state of another application
    4. Installation of a global hook

    I have tested using both disk and memory injection based malware simulation tests and all were stopped by one or more of the above mitigations.

    However, your best mitigation against this kind of crap is just not allowing ActiveX content to run in the browser. I have long ago uninstalled Flashplayer and never used Silverlight.

    EMET's issues stem from when possible, its employing of existing Windows protection mechanisms such as DEP.
     
Loading...