The Allegory of the Cave: Has Application Whitelisting Coagulated As Expected?

Upload: setuid0

Post on 08-Jun-2015


DESCRIPTION

ShmooCon Epilogue 2014

TRANSCRIPT

Page 1: Allegory of the cave(1)

The Allegory of the Cave

Has Application Whitelisting Coagulated As Expected?

Page 2: Allegory of the cave(1)

What is this?

Page 3: Allegory of the cave(1)

Curt Shaffer

Curt Shaffer has been in the IT field for 15 years. His experience is diverse across the IT field, from ISP network design and installation, to server engineering for small and medium businesses as well as a number of local, US federal and international agencies, to intrusion analysis, incident response and malware reverse engineering. Over the past 5 years his focus has shifted to security. A majority of his recent security work has been building internal threat intelligence for federal agencies; in his current position as Owner of and Sr. Threat Researcher for Symbiotic Network Technologies, LLC, he analyzes current and new trends in the attack landscape in order to provide organizations with a realistic view of how they are being attacked and what can be done about it.

He holds a number of industry standard certifications including CISSP, SANS GREM, GCIA, GCIH, GPEN, GSEC and a number of CompTIA and Microsoft certifications.

Page 4: Allegory of the cave(1)

Judah Plummer

Works at Foreground Security – SOC Analyst Extraordinaire

Math and Comp. Sci. degree from the University of Pittsburgh

He has worked on validating these findings (found a 0-day once), and has assisted with the deployment and management of these applications in large deployments.

Also found a DLC license bypass for Xbox (possible upcoming NovaHackers talk?).

Page 5: Allegory of the cave(1)

Put to the Test

Page 6: Allegory of the cave(1)

Put to the Test

McAfee – Popular choice for government and others

Bit9 – Popular due to ease of deployment

AppLocker – Built in / No extra cost

Page 7: Allegory of the cave(1)

Previously... with some updates

Windows File Protection – Didn't work

Java Exploits

All day long Payloads

Iexpress – Didn't work

Page 8: Allegory of the cave(1)

Previously... with some updates

Adobe – Worked

JavaScript – Worked

VBA – Worked

Shellcode – Worked

Page 9: Allegory of the cave(1)

Previously... with some updates

Other findings:

Intercepting the Bit9 client traffic (Fiddler FTW!)

Rubber Ducky PowerShell injections

Disabling the service

Page 10: Allegory of the cave(1)

Why Is This Still a Problem?

“While we believe Bit9 is the most effective protection you can have on your endpoints.”

https://blog.bit9.com/2013/02/25/bit9-security-incident-update/

Page 11: Allegory of the cave(1)

30 days to life?

The '90s called, they want their trial bypass back

Page 12: Allegory of the cave(1)

Let Me In?

Page 13: Allegory of the cave(1)

Just Ask Nicely

Page 14: Allegory of the cave(1)

Bypasses Bygone

DLL Injection

Page 15: Allegory of the cave(1)

New Bypasses?

DLL Hijacking

Watering Hole Attacks

Modifying Executable File Types

Dynamic Annotation techniques and similar dynamic building techniques

Microsoft WinHTTP

Security ID Modifications

Page 16: Allegory of the cave(1)

DLL Hijacking

DLL Hijacking has been used in the past as a persistence method.

We tested to see if we could trick the whitelisting solution into executing the hijacked DLL with our own malicious code.

Worked like a champ!

Page 17: Allegory of the cave(1)

Watering Hole Attack

Have become more popular in advanced attacks

There is a huge range of techniques that can be taken advantage of, and that range is growing with new technologies such as HTML5.

Files can be called/executed by trusted applications and their plug-ins.

Page 18: Allegory of the cave(1)

Modifying Executable File Types

Change file types, such as .txt files, to be executable

Changing the “magic number” of a file so that it is overlooked as a non-standard file type and ignored by Bit9, then repairing the magic number later.
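A defender-side check for the two tricks on this slide, added here as an example and not code from the talk: it flags files whose extension says "not executable" but whose bytes are a PE image, and files whose PE signature is still in place while the two-byte MZ magic has been altered (the "repair it later" case, which a check that stops at the first two bytes would miss). The sample files are constructed in the script.

```python
import os
import struct

# Extensions a whitelisting agent would normally treat as executable content.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}

def classify_pe(data: bytes) -> str:
    """'pe' (intact), 'pe-masked' (PE signature present, MZ magic altered) or 'not-pe'.
    Looks past the 2-byte magic: e_lfanew at 0x3C must point at b'PE\\0\\0'."""
    if len(data) < 0x40:
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    has_pe_sig = e_lfanew < 0x1000 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    if not has_pe_sig:
        return "not-pe"
    return "pe" if data[:2] == b"MZ" else "pe-masked"

def flag_file(path: str, data: bytes):
    """Why the file deserves a look, or None when extension and content agree."""
    ext = os.path.splitext(path)[1].lower()
    kind = classify_pe(data)
    if kind == "pe-masked":
        return "pe-with-altered-magic"
    if kind == "pe" and ext not in EXEC_EXTS:
        return "pe-with-nonexec-extension"
    return None

def make_pe(magic: bytes = b"MZ") -> bytes:
    """Constructed PE-shaped blob: e_lfanew=0x40 and 'PE\\0\\0' at 0x40. Not a program."""
    blob = bytearray(0x48)
    blob[0:2] = magic
    struct.pack_into("<I", blob, 0x3C, 0x40)
    blob[0x40:0x44] = b"PE\0\0"
    return bytes(blob)

# Constructed samples: plain text, a normal PE, a PE hidden behind .txt, and a PE
# whose MZ magic was overwritten ('XX') to be put back later.
SAMPLES = {
    "notes.txt": b"just some text\n",
    "calc.exe": make_pe(),
    "report.txt": make_pe(),
    "stage.dat": make_pe(b"XX"),
}

if __name__ == "__main__":
    for path, data in SAMPLES.items():
        print(path, flag_file(path, data))
```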

Page 19: Allegory of the cave(1)

Dynamic Annotation

A new technique used by some interesting malware.

One example we have seen in the wild: build a MOF executable from sample scripts pulled from trusted sites, such as Microsoft's TechNet, assembling it on the fly with VB.

We are working on a talk for later this year on the topic with a POC botnet.

Page 20: Allegory of the cave(1)

WinHTTP

Our guess: not a lot of work has been put into protecting the new WinHTTP remote administration components of Windows.

Execute malicious code through this trusted process.

Any other system/admin tools that need to be trusted?

Page 21: Allegory of the cave(1)

Security ID Modifications

Is whitelisting on a per user basis?

Have all types of users, including null user SIDs, been taken into account?

We didn't have a lot of time to test modifying the SIDs of services and files, but it's our guess this would work rather well.

Page 22: Allegory of the cave(1)

Chris John Riley's PySC

Shellcode from DNS TXT records

Or via Internet Explorer (using SSPI)

Works on the latest version we tested!

Thanks Chris!

Code link in the notes.
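A detection-side counterpart to the DNS TXT delivery channel above, added here as an example (not PySC and not code from the talk): it scans resolver log lines and flags TXT answers that are long, base64-shaped and high-entropy, which legitimate SPF, DMARC or site-verification records never are. The log format and the blob are constructed for the example.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# A single TXT string is at most 255 bytes; legitimate records (SPF, DMARC,
# site verification) are short, readable text. Encoded blobs are long and dense.
MIN_SUSPECT_LEN = 100
MIN_ENTROPY = 4.5
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_suspect_txt(rdata: str) -> bool:
    """Long, base64-shaped and high-entropy: looks like a blob, not a policy record."""
    return (len(rdata) >= MIN_SUSPECT_LEN
            and B64_RE.match(rdata) is not None
            and shannon_entropy(rdata) >= MIN_ENTROPY)

def find_suspect_queries(log: str):
    """Parse '<client> <qname> <qtype> <rdata...>' lines (a constructed format,
    not any product's) and return (client, qname) for suspect TXT answers."""
    hits = []
    for line in log.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2] == "TXT" and is_suspect_txt(parts[3]):
            hits.append((parts[0], parts[1]))
    return hits

# Constructed stand-in for an encoded payload: 128 bytes of hash output,
# base64-encoded. It is not executable code.
BLOB = base64.b64encode(hashlib.sha512(b"a").digest() + hashlib.sha512(b"b").digest()).decode()

# Constructed resolver log in the invented format above.
SAMPLE_LOG = f"""\
10.0.0.5 example.com TXT v=spf1 include:_spf.example.com -all
10.0.0.5 _dmarc.example.com TXT v=DMARC1; p=reject; rua=mailto:dmarc@example.com
10.0.0.7 c1.stage.example.net TXT {BLOB}
10.0.0.5 example.com TXT google-site-verification=constructed-token
"""

if __name__ == "__main__":
    for client, qname in find_suspect_queries(SAMPLE_LOG):
        print(f"suspect TXT answer for {qname} requested by {client}")
```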

Page 23: Allegory of the cave(1)

Future Considerations

Macintosh Bypasses

More HTML5 Features

Trusted Directory or Trusted User Abuse

Hash Collision Fun

Metasploit Module

Page 24: Allegory of the cave(1)

Metasploit Module

Codename: “The Alan P@rs0ns Project: Sharks with friggin lasers”

Menu Options/Functionality:

Operating System Version

Vendor Choice

Exploit/Bypass Style Choice

Payload Choice

Post Exploitation

Page 25: Allegory of the cave(1)

Questions?

Page 26: Allegory of the cave(1)

Contact Info

[email protected]

@inetopenurla (My blog... hope for a revival soon)

@bit0day (to follow releases of details of our findings)

[email protected]