How the CIA infects air-gapped networks

Enlarge / A configuration screen found in the Drifting Deadline exploit. (credit: WikiLeaks)

Documents published Thursday purport to show how the Central Intelligence Agency has used USB drives to infiltrate computers so sensitive they are severed from the Internet to prevent them from being infected.

More than 150 pages of materials published by WikiLeaks describe a platform code-named Brutal Kangaroo that includes a sprawling collection of components to target computers and networks that aren't connected to the Internet. Drifting Deadline was a tool that was installed on computers of interest. It, in turn, would infect any USB drive that was connected. When the drive was later plugged into air-gapped machines, the drive would infect them with one or more pieces of malware suited to the mission at hand. A Microsoft representative said none of the exploits described work on supported versions of Windows.

The infected USB drives were at least sometimes able to infect computers even when users didn't open any files. The so-called EZCheese exploit, which was neutralized by a patch Microsoft appears to have released in 2015, worked anytime a malicious file icon was displayed by the Windows explorer. A later exploit known as Lachesis used the Windows autorun feature to infect computers running Windows 7. Lachesis didn't require Explorer to display any icons, but the drive of the drive letter the thrumbdrive was mounted on had to be included in a malicious link. The RiverJack exploit, meanwhile, used the Windows library-ms function to infect computers running Windows 7, 8, and 8.1. Riverjack worked only when a library junction was viewed in Explorer.

Read 4 remaining paragraphs | Comments

Can you see me now? Unpacking malware for advanced threat analysis.

A recent McAfee blog ‘Malware Packers Use Tricks to Avoid Analysis, Detection’, highlighted the use of packers as an effective way to slow down analysis and decrease detection by antimalware products.

As an engineer with a keen interest in malware, I’m very familiar with packers and the conclusion from that blog that ‘manual analysis usually defeats .’ Manual analysis can take time. Something that seems to be in short supply as of late.  I’ve found a McAfee product – McAfee Advanced Threat Defense (ATD)- that takes care of the packing problem for me, saving lots time and a few headaches too.

Let me explain: First, what’s a packer?

A packer, is a tool that can be utilized to compress, encrypt, or modify the format of a file. By packing a file, malware authors can obfuscate the content and disrupt analysis by threat detection tools. This technique may also be referred as “executable compression.” Compression of the file reduces the footprint or size of the file and can be an effective method to avoid or reduce the chance of the malicious file being detected, allowing for successful delivery of a payload. While an effective method, forcing the re-execution of code through a memory dump provides a solution to detect even the most advanced threats. So how is this accomplished? McAfee ATD provides an answer to detecting the most advanced and obfuscated code in packed or unpacked files.

When a packed sample arrives at McAfee ATD for analysis, the sample is loaded into memory and the packer associated with the sample unpacks the code, de-obfuscating the code during execution. At this point, several advanced detection engines are engaged, including dynamic analysis (observation of execution) and static code analysis (where the code – not just the behavior it exhibited in the sandbox – is scrutinized for any malicious behavior). After the sample has finished execution, McAfee ATD assesses the memory dump and maps the code. As sections of code are analyzed, family classification is performed on the buffered code based on known malicious behavior. Once the assessment of behavioral characteristics of the code is completed, a determination on whether the file is clean or malicious yields a reputation verdict. Quick. Easy. Done.

As mentioned in the previous blog, a rather effective method for defeating a packer is to manually analyze the file. McAfee ATD can help with that as well.  McAfee ATD offers manual analysis capabilities with its interactive mode, or X-Mode. Manually uploading a file to a McAfee  ATD appliance and enabling the X-Mode feature will allow users to choose their specified analysis environment or virtual machine (VM) to initiate the execution of a file. As the file is uploaded through this route, a user may open a window to the active VM denotating the file to observe and interact with the malware. This provides a deep investigative and forensic capability for a malware analyst to understand the behavior of the executed code.

A packer can prove to be an effective way to reduce the speed of analysis and even avoid it all together. With packed files that could typically fly under the radar undetected by traditional sandbox solutions, McAfee ATD provides ways to overcome this advanced method of detection avoidance from malware authors.

The post Can you see me now? Unpacking malware for advanced threat analysis. appeared first on McAfee Blogs.