Interesting CryptoAPI weakness (not security vulnerability)

Discussion in 'Application Software' started by harkaz, Sep 9, 2016.

  1. harkaz (MDL Novice)

    #1 harkaz, Sep 9, 2016
    Last edited by a moderator: Apr 20, 2017
  2. ofernandofilo (MDL Member)

    This type of video always has the same defect. Video was not made to display text. Text we show outside of video. Video shows actions; we show what in text is difficult or slow to say.

    After the aesthetic discussion of media, thank you so much for sharing this technique.

    How is it possible to defend against this kind of threat? Is there any way of mitigation? Are there some new practices that we have to follow to avoid this kind of problem? Assuming that the system is already compromised.

    Thank you very much, cheers
     
  3. harkaz (MDL Novice)

    I'm not certain what the best defense approach would be. Creating a driver/service that would monitor the attempted modifications to that registry key and immediately revert them would be sufficient. Probably we will see this functionality integrated in antimalware software.

    Assuming the system is compromised, there is always the option of shutting down abruptly and booting into recovery environment, then load the offline registry and scan for the exploit in the certificate stores. Then use an offline virus scanner to eradicate the virus, if that's possible.

    Maybe I'll have to create some tools to help people eradicate this threat.
     
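    The following script is an added example, not code from the thread or from harkaz, that sketches the two defensive ideas in the post above in Windows PowerShell 5.1: a watcher that reverts unexpected changes to a registry key, and a known-good baseline of the machine certificate stores that can be compared either online or against an offline SOFTWARE hive loaded from the recovery environment. The key path is a placeholder (the thread does not name the key), and the baseline file locations and function names are the example's own choices; it must run elevated.

```powershell
# Added example, not from the thread. It implements the two defensive ideas in the post
# above: (1) watch a registry key and revert unexpected changes, (2) compare the machine
# certificate stores with a saved known-good baseline, online or from an offline hive.
# Assumptions: Windows PowerShell 5.1, run elevated; the key below is a PLACEHOLDER for
# the key the thread discusses; the baseline file locations are arbitrary choices.

$global:WatchKey  = 'SOFTWARE\EXAMPLE_PLACEHOLDER\WatchedKey'   # placeholder, relative to HKLM
$global:WatchPath = "HKLM:\$WatchKey"
$global:RegBase   = 'C:\ProgramData\RegWatch\key-baseline.xml'
$global:CertBase  = 'C:\ProgramData\RegWatch\cert-baseline.xml'
$global:Stores    = 'Root', 'AuthRoot', 'CA', 'TrustedPublisher', 'Disallowed'
New-Item -ItemType Directory -Force -Path (Split-Path $RegBase) | Out-Null

function global:Get-StoreSnapshot {
    # One record per certificate across the monitored LocalMachine stores.
    foreach ($s in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$s" | ForEach-Object {
            [pscustomobject]@{ Store = $s; Thumbprint = $_.Thumbprint; Subject = $_.Subject }
        }
    }
}

function global:Save-Baselines {
    # Record every value under the watched key and every thumbprint in the stores.
    Get-ItemProperty -Path $WatchPath | Export-Clixml -Path $RegBase
    @(Get-StoreSnapshot) | Export-Clixml -Path $CertBase
}

function global:Restore-WatchedKey {
    # Put each baseline value back if it was removed or altered.
    $known   = Import-Clixml -Path $RegBase
    $current = Get-ItemProperty -Path $WatchPath -ErrorAction SilentlyContinue
    foreach ($p in $known.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }              # skip PSPath, PSChildName, ...
        $now = if ($current) { $current.($p.Name) } else { $null }
        if ($null -eq $now -or "$now" -ne "$($p.Value)") {
            Write-Warning "$(Get-Date -Format o) value '$($p.Name)' changed; restoring baseline"
            if (-not (Test-Path $WatchPath)) { New-Item -Path $WatchPath -Force | Out-Null }
            Set-ItemProperty -Path $WatchPath -Name $p.Name -Value $p.Value
        }
    }
}

function global:Compare-CertStores {
    # Certificates added to or removed from the stores since the baseline was taken.
    $known = @(Import-Clixml -Path $CertBase)
    $now   = @(Get-StoreSnapshot)
    Compare-Object -ReferenceObject $known -DifferenceObject $now -Property Store, Thumbprint -PassThru |
        Select-Object Store, Thumbprint, Subject,
            @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' } } }
}

function global:Get-OfflineStoreThumbprints {
    # Recovery-environment variant of the check in the post above. After
    #   reg load HKLM\OfflineSW <drive>:\Windows\System32\config\SOFTWARE
    # the store's subkeys are named by SHA-1 thumbprint, so no running CryptSvc is needed.
    param([string]$MountName = 'OfflineSW', [string]$Store = 'Root')
    Get-ChildItem -Path "HKLM:\$MountName\Microsoft\SystemCertificates\$Store\Certificates" |
        ForEach-Object { $_.PSChildName }
}

# Watcher: the WMI registry provider lives in root\default; WQL needs doubled backslashes.
# RegistryKeyChangeEvent covers values of this key only; use RegistryTreeChangeEvent for subkeys.
$wql = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='$($WatchKey.Replace('\', '\\'))'"

Save-Baselines
Register-WmiEvent -Namespace 'root\default' -Query $wql -SourceIdentifier 'RegKeyWatch' -Action {
    Restore-WatchedKey      # revert immediately, as the post suggests
}
```

    Stop the watcher with Unregister-Event -SourceIdentifier RegKeyWatch. The thumbprints returned by Get-OfflineStoreThumbprints can be fed to Compare-Object against the saved baseline in the same way Compare-CertStores does online. Anyone holding administrative rights can unregister the subscription or overwrite the baseline files, which is why the thread treats admin-level tampering as a separate problem from the technique itself.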
  4. dmex (MDL Junior Member)

    If it requires administrative privileges, then it's not a security issue, and don't expect a "patch" this decade.

    You can achieve the exact same thing by deleting the CryptSvc registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc

    Since you have administrative privileges you could also just delete your boot loader, patch system files, hijack SSL connections, encrypt your entire hard-drive etc...
     
  5. harkaz (MDL Novice)

    No, this is not the same. It stops secure communication and integrity monitoring (returns a system-level error code) but will not hang the caller application, be it UAC/AppLocker/AV software - which is the most important aspect of this attack.

    Yes, an administrator can do many things. But they are easily detected by the sophisticated protection systems present in mission-critical systems. Let's say I try to intercept a system call via hooking. Sooner or later, heuristics will detect me and throw me out of control, even if I'm admin, unless I have taken action to prevent the security system from functioning. Ransomware can be easily detected (including zero-day ones) by the latest artificial-intelligence antimalware software. With this attack I can easily and persistently paralyze the AV system. There is no need to create a new virus, which could potentially give more information about me as an attacker - I can use well-known malware to do the trick. The major challenge is getting admin access. I believe that stolen digital certificates or insiders will do the trick in many cases; no need for pricey and potentially unreliable memory corruption exploits...

    Delete the bootloader / patch system files... Most critical systems do not reboot often, so there would be no instant impact. Plus, this is easily detectable and fixed if OS structures are used. Unless in ring 0 or beyond, it's very difficult to increase the stealth (and effectiveness) of your rootkit.

    This zero-day technique, unless patched, could substantially increase the stealth of a user-mode rootkit.