TL;DR: Design issues in various security products, such as anti-virus, make it significantly easier for threat actors to bypass exploit mitigations. As part of our ongoing goal of complete endpoint security, we found a prevalent flaw where anti-virus products allocate memory with RWX permissions at a predictable address.
ModPOS is the latest in the string of POS malware that’s making the news. As its family name implies, this malware is intent on one: stealing credit card information.
A few days ago, we published a blog entry on an advanced malware called Moker, and discussed the different challenges that Moker placed to avoid detection and anti-dissection, as part of enSilo’s continuing improvement of our endpoint security software.
Now that we have the stripped down malware sample, it’s time to analyze the actual malware.
Recently, we came across Moker, an advanced malware residing in a sensitive network of a customer. Since the malware did not try to access an external server, but rather tamper with the system inner workings, we decided to give this malware a second look. (This kind of work is part of developing complete endpoint security software.)
Today, Microsoft released their latest Patch Tuesday. This Patch includes a fix for CVE-2015-2363, a complementary patch to CVE-2015-2360 from last month. The two CVEs together bundles within themselves IMPORTANT-rated exploitable vulnerabilities which we responsibly disclosed to Microsoft.
TL;DR: In this blog post we describe Selfie, a tool we have developed that automates finding the OEP for a majority of malwares packed with self-modifying code. The Selfie tool is now open-sourced, compiled to 32-bit, and can be found here.
As part of our research, we analyze the intricate relationship between Anti-Virus and Operating Systems (OS). During this process, we came across a vulnerability in AVG Internet Security 2015 build 5736 + Virus database 8919 released January 13th 2015.
The vulnerability? The affected AVG product had allocated a memory page with RWX
Today, Microsoft released their latest Patch Tuesday. This Patch includes a fix for vulnerability CVE-2015-0057, an IMPORTANT-rated Windows exploitable vulnerability which we responsibly disclosed to Microsoft a few months ago. (enSilo researchers often discover new vulnerabilities in out continuing work towards complete endpoint