Ransomware Targeting Windows 7 Can Now Evade Microsoft’s Best Security Defenses

Rafia Shaikh
Posted Jun 8, 2016
28Shares
Share Tweet Submit

Security researchers have revealed that drive-by attacks that install ransomware can now bypass Microsoft’s acclaimed protections against these exploits. These attacks that can evade Enhanced Mitigation Experience Toolkit (EMET) are included in the Angler Exploit Kit that is sold online offering ready-to-use exploits.

Windows 7 exploit kit can now bypass Microsoft’s protections

Angler Exploit Kit is a bundle of malware that criminal hackers use to penetrate the defenses of browsers and computers. Angler EK is often used to secretly embed exploits in malicious websites or online ads, attacking visiting web browsers. Assessing their plugins and vulnerabilities, the toolkit then attacks the targets using the malware that is specific to the platform. Once successfully installed, the kit installs ransomware, banking trojans, and other kinds of malware on the victim machines.

The Angler Exploit Kit now contains some new exploits that are able to evade Microsoft’s strong defenses against exploits. Along with EMET, the toolkit is also able to evade data execution prevention used to strengthen Windows security. EMET is one of Microsoft’s most popular defenses that protects Windows-based machines against security vulnerabilities in the OS or third-party applications. With the toolkit being to able to bypass Microsoft’s best defenses against Windows-based exploits, there could be a huge number of potential victims that could be targeted using the toolkit.

Security research firm FireEye has published a blog post this week, claiming that the new Angler attacks are “fairly sophisticated” and the first exploits found in the wild that can successfully bypass the mitigations.

The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion. These exploits do not utilize the usual return oriented programming to evade DEP. Data Execution Prevention (DEP) is a mitigation developed to prevent the execution of code in certain parts of memory. The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.

The level of sophistication in exploits kit has increased significantly throughout the years. Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode. – FireEye

The exploit kit evades the security defenses and then using vulnerabilities in Flash Player and Silverlight, it injects the TeslaCrypt ransomware on the target machines. FireEye researchers said “while exploiting Flash and other third-party frameworks is common practice,” Angler EK exploits successfully evading EMET is the new development. The bypass successfully works on Windows 7 machines that have Microsoft Silverlight or Flash Player browser plugins installed. Thankfully, the exploits don’t work on Microsoft’s latest Windows 10, which is considered more resistant to these exploits.

Researchers have recommended that users can stay clear of these exploits if their Windows computers don’t have Flash or Silverlight installed, since they are immune to these attacks – at least for now.

Share Tweet Submit