Malvertising Campaign Finds a Way Around Ad Blockers


CrAKeN

12 hours ago, dcs18 said:

Yes . . . . . . it's a reviva

 

I'd prefer "renaissance"... I am like an artist... :P

 

11 hours ago, 0bin said:

What does this program do?

 

Do tell us what you are talking about.


Generally we talked about SRP (software restriction policies).
I used a keygen (for ACDSee products: very good apps for photo editing & viewing) just to do the tests.

 

11 hours ago, nIGHT said:

From this

[hidden screenshot]

to this

[hidden screenshot]

an exploit was found. Good job @Recruit

 

Not really an exploit, just an option on how to configure SRPs from GPO. ;)

20 hours ago, 0bin said:

DKT27, a little unrelated, but on my old TP-Link router from 2015 I installed DD-WRT; look if you can for yours, it's a good distro and there's a good program to manage it for Android too :)

 

I would love to. Thought about it many times. But my router is not officially supported; because of that, the only way to install it is going through a lot of issues with high chances of breaking my router. The only custom firmware I can install is Tomato by Shibby, but my router comes with a mini modified version of DD-WRT, so I do not know if I should change it.



15 hours ago, Recruit said:

Not really an exploit, just an option on how to configure SRPs from GPO. ;)

I think you're sleepy or didn't get my point.

It's about the loophole you mentioned: when malware creates more folders (more than 2 levels of folders) in those locations, it was able to execute exe or dll files.

 

Some things to consider:

1. Is your test system up to date and fully patched? (The default Windows 7 installation has loopholes in SRP.)

2. Was it just a badly configured SRP, whether set from GPO or directly entered into the Policies registry?

3. Or is this just the limit of SRP's functionality when using DisallowRun? (loophole)

4. dcs18's RestrictRun recommendation might address (cover) this problem indirectly, but I'm interested in straycat's DisallowRun solution, if it really has a loophole in it.

 

 

 



4 hours ago, nIGHT said:

4. dcs18's RestrictRun recommendation might address (cover) this problem indirectly <snip>

How does my security policy address the issue indirectly — did you try it?

 



10 hours ago, DKT27 said:

I would love to. Thought about it many times. But my router is not officially supported; because of that, the only way to install it is going through a lot of issues with high chances of breaking my router. The only custom firmware I can install is Tomato by Shibby, but my router comes with a mini modified version of DD-WRT, so I do not know if I should change it.

Based on your router model, whether you should opt for firmware changes or not is something only you can ascertain — one can always query at their forums.

 

Now, about the role of preventive measures in routers WRT (pun unintended) ad. blocking: that is an exercise in futility because of a lack of granularity (one just cannot block specific advertisements).

 

Just publishing a couple of relevant DD-WRT pages — check them out for yourself:—

 



[two DD-WRT screenshots]



47 minutes ago, dcs18 said:

How does my security policy address the issue indirectly — did you try it?

Let me first make clear whether we have the same understanding here.

SRP using RestrictRun, right?

I didn't try it.

It is with the assumption that RestrictRun only allows those apps to run which are specified to run.

Those other apps (in this case recruit's supposed-to-be-malware example) will not be permitted to run, not only in the %Appdata% folder but everywhere, unless overridden. (indirectly forbidden to run)

These are those indirectly addressed restrictions. It indirectly addressed the problem, but it is very effective in stopping it from executing.

While straycat's DisallowRun tried to "target" the problem (directly), to "DisallowRun" those executable exe and dll files,

it failed to stop it when the executable is in more than two levels of folders, as per recruit's post.

Even though it tried to target the problem "directly", including "%Appdata%\*\*.exe", it fails when the file is 2 more levels of folders deep.

This is what I meant by "indirectly" and "directly" in my previous post.

 

So, this is "Block few, permit everything" (direct approach) as opposed to "Allow few (apps), restrict everything" (indirect approach), I think. hahaha! I don't know.

I'm finished editing.

 

 



1 minute ago, nIGHT said:
32 minutes ago, dcs18 said:
4 hours ago, nIGHT said:

4. dcs18's RestrictRun recommendation might address (cover) this problem indirectly, but I'm interested in straycat's DisallowRun solution, if it really has a loophole in it.

How does my security policy address the issue indirectly — did you try it?

I didn't try it.

That is the problem.

 

When both forms are implemented on the same computer — my implementation takes precedence and supersedes the SRP and GPO to directly preempt and subdue the execution, with neither a visual error nor an auditory sound.

 

The above stands true even when one employs the weakest anti-executable program.



Addendum: The issue is about straycat's post on not using AV in stopping the malware from execution right?



This has got nothing to do with straycat or AVs — it's about ways to circumvent malware which can arise from malvertising that purports to have found a way to work around ad. blockers.

 

Honestly, none of the sites that were published on the OP could ever bypass my ad. blocking (probably since I've been using my own custom filters.)



38 minutes ago, dcs18 said:

That is the problem.

 

When both forms are implemented on the same computer — my implementation takes precedence and supersedes the SRP and GPO to directly preempt and subdue the execution, with neither a visual error nor an auditory sound.

 

The above stands true even when one employs the weakest anti-executable program.

Even without the anti-executable program, which some security suites have, your RestrictRun is really effective in addressing this "issue" and stopping the malware from executing.

Paired with even a weak anti-executable software, it exhibits a very strong defense already, as each defense is layered on top of the other.

The problem is with straycat's DisallowRun: why it failed after more than 2 levels of folders, since we (recruit and me) tried to figure out how he did it.

recruit tried to find his old post and tested it.

Me, the very lazy one, tried to analyze that straycat's DisallowRun is not 99% effective as he claims above.

Maybe we missed something and he did good, but if this is a loophole then he'd better pray that those making malware will just execute at less than 3 levels of folders.

Or maybe straycat can be generous and enlighten us on how he did it and help us build a good SRP-based defense.



6 minutes ago, nIGHT said:

Maybe we missed something and he did good, but if this is a loophole then he'd better pray that those making malware will just execute at less than 3 levels of folders.

Now, I'm satisfied that you've understood the point. :)

 

 

6 minutes ago, nIGHT said:

Or maybe straycat can enlighten us on how he did it and help us build a good SRP-based defense.

Actually, he did not build that flawed SRP (it's an age-old implementation) — in order to understand from where he flipped it, check out the following site for a more in-depth understanding and also compare his nSane screenshot:—

 

https://technet.microsoft.com/en-us/library/bb457006.aspx



37 minutes ago, dcs18 said:

This has got nothing to do with straycat or AVs — it's about ways to circumvent malware which can arise from malvertising that purports to have found a way to work around ad. blockers.

 

Honestly, none of the sites that were published on the OP could ever bypass my ad. blocking (probably since I've been using my own custom filters.)

(from another dcs18 post)

ATM, the following single filter will ensure protection against fingerprinting at http://www.uniquemachine.org/:—

*$xmlhttprequest,domain=uniquemachine.org

It (RoughTed) does use this site, uniquemachine.org, for fingerprinting.

Good job at finding how to stop it, dcs18!

Now even if it no longer uses uniquemachine.org's fingerprinting, you are still able to stop it using RestrictRun. Very good! :D

The "allow few, restrict all" approach (RestrictRun) is way better at handling this RoughTed issue and other malware issues.

 

14 minutes ago, dcs18 said:

Actually, he did not build that flawed SRP (it's an age-old implementation) — in order to understand from where he flipped it, check out the following site for a more in-depth understanding and also compare his nSane screenshot:—

 

https://technet.microsoft.com/en-us/library/bb457006.aspx

I know he did not build the flaw; as I mentioned above, the original Windows 7 installation already has loopholes in it.

I was just curious how to do this using a different SRP approach.

Thanks for the reference dcs18, I will read it later.

Need to change building, I'm on the top floor. The elevator cuts off all connections and it's very hot. hehehe!

 



I'd like to thank straycat for his advice, recruit for his experiment, stylemessiah for mentioning it first here on the forum and dcs18 for his valuable guidance in giving me a clear understanding of how these two SRP approaches work, how they handle the "issues", their limitations and how they can be further improved using layers of defenses (using an anti-executable feature, proper Adblock filtering, a 3rd party firewall and a security suite).

 

Maybe we can find a way around this 2-levels-of-folders dilemma of DisallowRun.



There would be a very obvious reply from the protagonists of this implementation — they'll state that the architectural issue can be resolved by writing deeper sub-folder rules:—

%AppData%\*.exe
%AppData%\*\*.exe
%AppData%\*\*\*.exe
%AppData%\*\*\*\*.exe
%AppData%\*\*\*\*\*.exe

 

%LocalAppData%\*.exe
%LocalAppData%\*\*.exe
%LocalAppData%\*\*\*.exe
%LocalAppData%\*\*\*\*.exe
%LocalAppData%\*\*\*\*\*.exe

 

%LocalAppData%\temp\*.zip\*.exe
%LocalAppData%\temp\*.zip\*\*.exe
%LocalAppData%\temp\*.zip\*\*\*.exe
%LocalAppData%\temp\*.zip\*\*\*\*.exe
%LocalAppData%\temp\*.zip\*\*\*\*\*.exe

 

%LocalAppData%\temp\7z*\*.exe
%LocalAppData%\temp\7z*\*\*.exe
%LocalAppData%\temp\7z*\*\*\*.exe
%LocalAppData%\temp\7z*\*\*\*\*.exe
%LocalAppData%\temp\7z*\*\*\*\*\*.exe

 

%LocalAppData%\temp\rar*\*.exe
%LocalAppData%\temp\rar*\*\*.exe
%LocalAppData%\temp\rar*\*\*\*.exe
%LocalAppData%\temp\rar*\*\*\*\*.exe
%LocalAppData%\temp\rar*\*\*\*\*\*.exe

 

%LocalAppData%\temp\wz*\*.exe
%LocalAppData%\temp\wz*\*\*.exe
%LocalAppData%\temp\wz*\*\*\*.exe
%LocalAppData%\temp\wz*\*\*\*\*.exe
%LocalAppData%\temp\wz*\*\*\*\*\*.exe

 

 

The malware-writers would respond by causing their malicious code to execute deeper and deeper and deeper and . . . . . never mind, proof-of-concept = the medieval Brontok virus which creates sub-folders each time a folder is opened.

 

 

The detractors would reply by remarking that path-driven rules eventually slow down prevention time — I'd point out the fact that at its present depth, it's still too slow.



2 hours ago, dcs18 said:

%AppData%\*\*\*\*\*.exe

 


 

If I were him, I would replace it like this:

 

" \ " = n+1 where n = { - ∞; + ∞ }

 

Not sure if Windows understands.

 

:rofl::lmao:



Now, talking seriously, we can close the loopholes with AccessChk.

 

Files must be copied to C:\Windows\System32.

 

Target groups: Users, Everyone, Authenticated Users, Interactive

Target folders: Program Files, Program Files (x86), Windows or any other folders where you want to execute restricted extensions from "Designated File Types", or dll libraries if these are also under restriction (this setting is in Enforcement)

 

Commands (only for the Users group)

 

accesschk -w -s -q -u Users "C:\Program Files"

accesschk -w -s -q -u Users "C:\Program Files (x86)"

accesschk -w -s -q -u Users "C:\Windows"

 

Must be applied for all groups / folders which I mentioned above.



Now, let's introduce some mischief into the equation — let me play the devil's advocate.

 

Bright ones would've noticed that some publishers have started migrating their installation directory from the more restrictive %ProgramFiles% and %ProgramFiles(x86)% to the more promising (from their point of view) %AppData% — a prime example of such a program is WhatsApp for Desktop, residing at %LocalAppData%\WhatsApp\app-*\WhatsApp.exe

 

So then, what seems to be the corresponding exclusion rules for such upcoming programs and why were they not posted? Yes, I'm aware that it can be done (but, we are just playing with a little flash of hell-fire, here.)
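As an added example, not code from any poster, the following Python script models the two policy styles the thread contrasts: a DisallowRun-style deny-list built from the five-level rule families posted above, and a RestrictRun-style allow-list, and it shows both the gap one level past the deepest deny rule and the exclusion a nested legitimate install such as the WhatsApp path needs under the allow-list. It assumes, as the thread observed, that '*' matches a single path component only; the user profile, the sample paths and the allow rules are constructed.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed user profile; the rules in the post use these two variables.
APPDATA = r"C:\Users\alice\AppData\Roaming"
LOCALAPPDATA = r"C:\Users\alice\AppData\Local"


def depth_rules(prefix: str, max_depth: int = 5) -> List[str]:
    r"""prefix\*.exe, prefix\*\*.exe, ... one rule per folder depth, as in the post."""
    return [prefix + "\\*" * d + ".exe" for d in range(1, max_depth + 1)]


# Deny-list ("block few, permit everything"): DisallowRun-style rules that
# name what must not run; anything unmatched runs.
DENY_RULES = (depth_rules(APPDATA) + depth_rules(LOCALAPPDATA)
              + depth_rules(LOCALAPPDATA + r"\temp\7z*"))

# Allow-list ("allow few, restrict everything"): RestrictRun-style rules that
# name what may run; anything unmatched is blocked. The WhatsApp entry is a
# hypothetical exclusion for the nested install path raised in the thread.
ALLOW_RULES = [r"C:\Program Files\*\*.exe",
               LOCALAPPDATA + r"\WhatsApp\app-*\WhatsApp.exe"]


def rule_matches(rule: str, path: str) -> bool:
    """ASSUMPTION: '*' matches within a single path component and never
    spans a backslash, which is the behaviour the thread reports (a rule
    written for N folder levels misses an executable N+1 levels deep)."""
    rparts = rule.lower().split("\\")
    pparts = path.lower().split("\\")
    if len(rparts) != len(pparts):
        return False
    return all(fnmatch.fnmatchcase(p, r) for r, p in zip(rparts, pparts))


def deny_list_verdict(path: str) -> str:
    return "blocked" if any(rule_matches(r, path) for r in DENY_RULES) else "runs"


def allow_list_verdict(path: str) -> str:
    return "runs" if any(rule_matches(r, path) for r in ALLOW_RULES) else "blocked"


def compare(paths: List[str]) -> Dict[str, Tuple[str, str]]:
    """Verdict of both policies for each path: (deny-list, allow-list)."""
    return {p: (deny_list_verdict(p), allow_list_verdict(p)) for p in paths}


# Constructed sample executables: a dropper at increasing depth, an archive
# extraction temp folder, and the legitimate nested WhatsApp path.
SAMPLE_PATHS = [
    APPDATA + r"\dropper.exe",                  # depth 1: caught by the deny-list
    APPDATA + r"\a\b\c\d\dropper.exe",          # depth 5: deepest rule still catches it
    APPDATA + r"\a\b\c\d\e\dropper.exe",        # depth 6: escapes every deny rule
    LOCALAPPDATA + r"\temp\7zO1234\setup.exe",  # archive temp folder: caught
    LOCALAPPDATA + r"\WhatsApp\app-0.2.1\WhatsApp.exe",  # deny-list blocks it too
]

if __name__ == "__main__":
    for path, (deny, allow) in compare(SAMPLE_PATHS).items():
        print(f"deny-list: {deny:8} allow-list: {allow:8} {path}")
```

The deny-list needs one more rule for every extra folder level, while the allow-list closes the depth gap outright and instead needs an explicit entry for each legitimate program living under the profile.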

 



Do not forget: using SRPs means playing with rules all the time... SRPs are adaptive security measures... :P

Also be aware: if you also restrict dll libraries, you need to play with lots of exceptions for apps like cloud clients, Chrome x64, uTorrent and others... ;)



Another game of Devil's advocate:

 

If a (self-acclaimed) SysAdmin (of hundreds of computers — again, claimed) discovers that he has been offering lip-service here at nSane while his (let's imagine) thousands of clients have learned SRP from the same page that he flipped, and started undoing his policies? What countermeasures does Mr. SysAdmin take, and why were those precautions not posted?

 

Yes, I'm aware that it can be prevented (but, we are just playing with a little flash of hell-fire, here.) :P



25 minutes ago, dcs18 said:

Mr. SysAdmin

 

Maybe I need to cut some phrases which I wrote about Mr. SysAdmin here in the past... but I am quite busy now... Roland Garros has already started... :D



I don't think accesschk will solve our DisallowRun issue here even if you have a fully up-to-date, patched test Windows OS.

But for readers of this post, before you use accesschk, be sure to download and install the necessary hotfix before using it.

11 hours ago, Recruit said:

Now, talking seriously, we can close the loopholes with AccessChk.

 

Files must be copied to C:\Windows\System32.

 

Target groups: Users, Everyone, Authenticated Users, Interactive

Target folders: Program Files, Program Files (x86), Windows or any other folders where you want to execute restricted extensions from "Designated File Types", or dll libraries if these are also under restriction (this setting is in Enforcement)

 

Commands (only for the Users group)

 

accesschk -w -s -q -u Users "C:\Program Files"

accesschk -w -s -q -u Users "C:\Program Files (x86)"

accesschk -w -s -q -u Users "C:\Windows"

 

Must be applied for all groups / folders which I mentioned above.

 

Remember in my post above I asked if recruit has a fully up-to-date, patched test OS.

This does not work reliably on a Windows 7 out-of-the-box installation as it has loopholes in it.

I use this as a reference too.



Step 6: find and close loopholes

If you're using Windows 7, begin by obtaining and installing a Hotfix from Microsoft here: Microsoft Article ID: 2532445 Credit to security researcher Didier Stevens for his blogs on this subject.

Remember the key idea behind Software Restriction Policy: your non-Administrator accounts (or something exploiting them) should not have Write permissions to anywhere that they can run a dangerous file from. A stock Windows installation does have some loopholes. You fix them by creating Disallowed path rules for those folders.

What if I don't close the loopholes? Without closing these loopholes, SRP is still a potent boost in security. For example, garden-variety malware isn't expecting to get blocked when trying to run from your user profile in C:\Users, or an AutoRun attack on an infected USB device (both popular tactics), and SRP will block those attacks even if you don't close all possible loopholes. But you can spend another 15 minutes on this and really do the job right, so here's the plan:

  1. Download AccessChk from Microsoft TechNet.

  2. Extract AccessChk.exe out of the Zip file and save it to C:\Windows\System32.

  3. Now run accesschk -w -s -q -u group path. It needs to be run once for each Unrestricted path, and once for each group that your non-Admins effectively belong to. For your convenience, I've put the commands into a batch file: SRP_audit.bat which you can download, then move to an Unrestricted location like C:\Program Files so you can run it. Make the necessary Disallowed path rules as you go. Tip: if the same location is revealed as a loophole for several groups, you only need one Disallowed rule to fix it.

If you prefer to run the commands manually, here they are. They check the three Unrestricted paths on a typical 64-bit Windows installation, for each of the groups (Users, Everyone, Authenticated Users, Interactive). If you have additional Unrestricted paths, check them too.

accesschk -w -s -q -u Users "C:\Program Files"

accesschk -w -s -q -u Users "C:\Program Files (x86)"

accesschk -w -s -q -u Users "C:\Windows"

accesschk -w -s -q -u Everyone "C:\Program Files"

accesschk -w -s -q -u Everyone "C:\Program Files (x86)"

accesschk -w -s -q -u Everyone "C:\Windows"

accesschk -w -s -q -u "Authenticated Users" "C:\Program Files"

accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"

accesschk -w -s -q -u "Authenticated Users" "C:\Windows"

accesschk -w -s -q -u Interactive "C:\Program Files"

accesschk -w -s -q -u Interactive "C:\Program Files (x86)"

accesschk -w -s -q -u Interactive "C:\Windows"

After each command runs, note the folders where that group has Write access, and create a Path Rule that makes that folder Disallowed, if you haven't already created one. You'll be doing quite a few of these Disallowed rules, maybe 15 to 20, so when you're finished, glance down the list for any that you accidentally set to Unrestricted when you meant to use Disallowed. Tip: a Disallowed rule for a specific folder will cover its subfolders as well, so rules that Disallow the Temp or Tasks folder in C:\Windows will suffice for all their subfolders too. However, don't use this logic to lock down the whole C:\Windows\System32\spool folder or people won't be able to print. Instead, create rules for the necessary subfolders there on a one-by-one basis. Credit to the National Security Agency for this tip, as well as the suggested use of Accesschk.

[screenshots: accesschk output and the additional Disallowed rules]

As you may guess, auditing your SRP rules after installing new printers or software is necessary to ensure ongoing protection from loopholes.

Decisions, decisions... When I did this on my home computer, I got one unpleasant result: my C:\Program Files (x86)\Steam folder was set to Full Control for the Users group, creating a very predictable loophole since Steam is very popular software. I closed the loophole with a Disallowed path rule on the entire folder, but if I want to run a Steam game, this means I have to right-click Steam and use Run as administrator to launch it, which is a risk in its own way. This is an example of why Software Restriction Policy is a "power user" tool... you'll need to adapt and overcome.

 

We are discussing SRP using either "DisallowRun" or "RestrictRun" to restrict unauthorized executables (*.exe, an exe inside a compressed file, etc.) or "malware" from running without our permission.

Each has its own limitations, advantages and disadvantages.

It is up to you to choose which one suits you better.

Here's the reference on how to do it using the registry.

How to Block (or Allow) Certain Applications for Users in Windows

There's also the option of restricting file execution using parental controls, but it can only be enforced on a child account.

How To Use Parental Controls in Windows 7

Unlike SRP restriction, which restricts file execution even by means other than File Explorer, using parental controls is limited to restricting file execution through File Explorer only.

This will not stop any malicious executable files or malware inside a compressed file from executing.

 

Note: UAC, which helps prevent unauthorized changes to our computer, does not prevent malware execution; most of us will find ourselves turning it off and relying on 3rd party software with an anti-executable feature instead.

 

We have to depend on layers upon layers of protection, while also keeping in mind that too much redundancy only slows our system down.

We have our browser's anti-fingerprinting protection (Firefox's new feature, or use Tor), your ad blocker of choice (ABP, AdGuard, uBlock) using custom filtering and element hiding, add-ons (Ghostery, Disconnect, WOT, Greasemonkey and scripts, NoScript), sandboxing, anti-malware of choice (for example ESET, AVG, Avast, etc.), anti-executable (this could be an anti-malware with HIPS or a standalone software like Faronics), PeerGuardian, closing all ports/protocols in the leaked exploits, using a 3rd party firewall, all run inside a sandbox VM (VMware or VirtualBox) connected using a VPN, keeping in touch with nSane's greatest (taking notes of their advice)... wew! And I'm still not paranoid. -_-

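As an added example, not from the quoted guide or any poster, the Python script below automates the bookkeeping after the accesschk commands above: it parses constructed sample accesschk output for the four groups, applies the guide's two tips (one Disallowed rule per loophole no matter how many groups report it, and a rule on a folder already covers its subfolders) and sets writable spooler subfolders aside for the one-by-one treatment the guide recommends. The output line format (access letters, then the path) is an assumption; feed the real commands' output to plan_rules.

```python
import re
from typing import Dict, List

# ASSUMED output format of "accesschk -w -s -q -u <group> <path>": one object
# per line, the access letters (R, W or RW) followed by the path. The output
# below is constructed for illustration; it is not a real audit.
SAMPLE_OUTPUT = {
    "Users": r"""
RW C:\Windows\Temp
RW C:\Windows\Temp\Foo
RW C:\Windows\Tasks
RW C:\Windows\System32\spool\PRINTERS
""",
    "Everyone": r"""
RW C:\Windows\Temp
 W C:\Windows\tracing
""",
    "Authenticated Users": r"""
RW C:\Program Files (x86)\Steam
RW C:\Windows\Registration\CRMLog
""",
    "Interactive": "",
}

# The print spooler must stay writable in places, so its subfolders are
# locked one by one rather than with a single blanket rule (per the guide).
SPOOL_DIR = r"C:\Windows\System32\spool"
PATH_RE = re.compile(r"^\s*(?:RW|R|W)?\s*([A-Za-z]:\\.*\S)\s*$")


def parse_accesschk(output: str) -> List[str]:
    """Return every object path accesschk reported with write access."""
    return [m.group(1) for m in map(PATH_RE.match, output.splitlines()) if m]


def _is_under(child: str, parent: str) -> bool:
    c, p = child.lower().rstrip("\\"), parent.lower().rstrip("\\")
    return c != p and c.startswith(p + "\\")


def collapse(paths: List[str]) -> List[str]:
    """Deduplicate (case-insensitively) and drop any folder that sits below
    another one in the list: one Disallowed rule on a folder covers all of
    its subfolders, so a separate subfolder rule would be redundant."""
    unique = {}
    for path in paths:
        unique.setdefault(path.lower(), path)
    folders = sorted(unique.values(), key=str.lower)
    return [f for f in folders if not any(_is_under(f, g) for g in folders)]


def plan_rules(outputs_by_group: Dict[str, str]) -> Dict[str, List[str]]:
    """Merge the per-group audits into one set of Disallowed path rules.

    'rules' holds folders that get one Disallowed rule each (a loophole
    reported for several groups still needs only one rule); 'review' holds
    writable folders under the spooler, which need subfolder-level handling
    so that printing keeps working."""
    writable = [p for out in outputs_by_group.values() for p in parse_accesschk(out)]
    folders = collapse(writable)
    review = [f for f in folders
              if f.lower() == SPOOL_DIR.lower() or _is_under(f, SPOOL_DIR)]
    rules = [f for f in folders if f not in review]
    return {"rules": rules, "review": review}


if __name__ == "__main__":
    plan = plan_rules(SAMPLE_OUTPUT)
    for folder in plan["rules"]:
        print("Disallowed path rule:", folder)
    for folder in plan["review"]:
        print("Needs per-subfolder review (spooler):", folder)
```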

Some great posts there guys, keep it up.

 

On 28/5/2017 at 1:22 AM, 0bin said:

I had problems with a previous beta on my router, a TP-Link WDR3600; at first I reverted back, but now I've been on it for at least 2 months and am fine with it, because I wanted something with iptables capabilities and ssh access.

There are problems, I don't say there are not, but my firmware hadn't been updated since 2015; 2 years is a big security hole for my tastes.

 

My Android app tells me when there is a new firmware by scraping data from here: http://download1.dd-wrt.com/dd-wrtv2/downloads/betas/

 

On 28/5/2017 at 0:07 PM, dcs18 said:

Based on your router model, whether you should opt for firmware changes or not is something only you can ascertain — one can always query at their forums.

 

Now, about the role of preventive measures in routers WRT (pun unintended) ad. blocking: that is an exercise in futility because of a lack of granularity (one just cannot block specific advertisements).

 

Just publishing a couple of relevant DD-WRT pages — check them out for yourself:—

 

 

[two DD-WRT screenshots]

 

 

Turns out my router does support it; it's just that they do not officially mention the highly sold, relatively recent revision of it. Add to that, when I last checked a couple of years ago, making it run on my router was indeed a problem, but not so anymore.

 

Thanks for the screenshots, appreciate them.

 

On 28/5/2017 at 7:42 PM, dcs18 said:

Now, let's introduce some mischief into the equation — let me play the devil's advocate.

 

Bright ones would've noticed that some publishers have started migrating their installation directory from the more restrictive %ProgramFiles% and %ProgramFiles(x86)% to the more promising (from their point of view) %AppData% — a prime example of such a program is WhatsApp for Desktop, residing at %LocalAppData%\WhatsApp\app-*\WhatsApp.exe

 

So then, what seems to be the corresponding exclusion rules for such upcoming programs and why were they not posted? Yes, I'm aware that it can be done (but, we are just playing with a little flash of hell-fire, here.)

 

 

The first one I saw doing that was Google Chrome. I believe it was done to bypass security restrictions of the OS during installation.
