Drive-by attacks that install the once-feared TeslaCrypt crypto ransomware are now able to bypass EMET, a Microsoft-provided tool designed to block entire classes of Windows-based exploits.
The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Short for Enhanced Mitigation Experience Toolkit, EMET has come to be regarded as one of the most effective ways of hardening Windows-based computers from attacks that exploit security vulnerabilities in both the operating system or installed applications. According to a blog post published Monday by researchers from security firm FireEye, the new Angler attacks are significant because they’re the first exploits found in the wild that successfully pierce the mitigations.
“The level of sophistication in exploit kits has increased significantly throughout the years,” FireEye researchers wrote. “Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode.”
The newly observed exploits wield code based on the Adobe Flash and Microsoft Silverlight browser plugins that bypass data execution prevention, a protection that prevents computers from running data loaded into memory. DEP has proven to be extremely effective at blocking drive-by exploits because it prevents malicious code that vulnerable apps inadvertently pipe into memory from being able to do more than cause an application or operating-system crash. While a technique known as return oriented programming has long been able to blunt DEP protections, the new Angler exploits rely on a different technique that’s harder to detect and has fewer limitations.
The FireEye researchers explained:
The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion. These exploits do not utilize the usual return oriented programming to evade DEP. Data Execution Prevention (DEP) is a mitigation developed to prevent the execution of code in certain parts of memory. The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.
There are a few limitations to the new EMET bypasses. First, FireEye researchers so far have observed them working only on Windows 7 and not on Windows 10, which is widely regarded as more resistant to exploits. Second, they work only when targeted computers have either Flash or Silverlight installed. That means the attacks won’t work on systems that don’t use the plugins. Recently, the developers of TeslaCrypt abandoned the ransomware project and released the master decryption key that unlocks encrypted files. Then again, there’s nothing stopping Angler from using the EMET evasions to install other malicious applications.
The EMET bypasses underscore the back-and-forth nature of security. Microsoft created EMET to largely block entire classes of memory-based software exploits that had existed for decades. Now, Angler developers have struck back with techniques that can undo some of those protections. It wouldn’t be surprising if future versions of EMET attempt to regain the upper hand by preventing these new techniques from working.