ahsonbol

How built in security enhancements raise the bar for attackers

Blog Post created by ahsonbol on Mar 9, 2015

Knowing that the attackers usually have more time to come up with new ideas and methods to cause harm, those on the defensive side are always looking for new solutions that raise the bar higher for an attacker to do damage. In this blog post, we will discuss how built in security enhancements for popular software can be effective against an attacker.

 

The example we will use starts with an unusual User Agent string found in one of our RSA Security Analytics reports. The sample analyzed was using Google Chrome in its HTTP sessions. Below is a screenshot from RSA Security Analytics that shows HTTP traffic originating from the infected machine:


108167


There are three files of interest in those sessions:

  • lgchknjnpaaohlppjfmhkcpbiibkclfh_.crx
  • external_extensions.json
  • id.php


But looking closely, we can see that the infected machine is also connecting to a blogspot.com sub domain. These are the domains provided by Google Blogger service. In response, the page returned some kind of a code or command to the infected machine:


108168


Running the sample in a more controlled environment showed that the response above is necessary for the binary to continue its malicious behavior. The presence of the string is an indication for the binary that the download server is up so it can download the rest of the files on the infected machine.


Next, the malicious binary reaches out to a domain to download a JSON file, a PHP file and a CRX file:


108170

108169


And the string returned in the session above is used to as the filename in the following one:


108171


On an infected machine that has Google Chrome browser installed, the downloaded JSON file is used to replace the existing external_extensions.json file located under

C:\Program Files\Google\Chrome\Application\40.0.2214.93\default_apps\


The external_extensions.json contains meta information about external extensions to Google Chrome browser. Information like name, version and location of the CRX file for each extension can be found in it. A CRX file has the extension code itself.


The malware downloads the CRX file to the same directory above. It copies itself to a temp directory under the name “YoutubeEveryday.exe”. It also modifies the registry to gain persistency on the system by adding a new entry to the auto run key.


So, the main goal of the malware is to remove all the existing extensions from Google Chrome and install the newly downloaded one.


Unfortunately for the malware (and fortunately for the rest of us), this method doesn’t work anymore. To protect Windows users, Google now allows external extensions installation if they’re only hosted on the Chrome Web Store. You can read more about the steps that Google took to make its popular Chrome browser more secure. This is an example of raising the bar higher for the attacker.


As of this writing, VirusTotal has a low detection rate for the sample under investigation.

 

The IOCs discussed in this blog post were added to RSA FirstWatch Live feeds.

Outcomes