Wednesday, October 19, 2016

MBRFilter - Can't Touch This!

This post was authored by Edmund Brumaghin and Yves Younan

Update: 10/20/2016 - MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments. 


Ransomware has become increasingly prevalent in the industry, and in many cases, unless there is a publicly released decryptor available, there is often not an easy means of retrieving encrypted files once a system has been infected. In addition to the creation and maintenance of regular system backups, it is increasingly important to focus on a multi-tiered defense-in-depth network architecture in an effort to prevent initial endpoint infection. This is often difficult in an evolving threat landscape where new ransomware families are being developed and deployed seemingly every day by threat actors of varying levels of sophistication.

While many ransomware families focus on encrypting all or portions of a target system’s files, others, such as Petya, overwrite the contents of the Master Boot Record (MBR) to force a system reboot, then encrypt only the Master File Table (MFT) of the hard drive on infected systems, as a way to coerce users into paying the threat actors for the encryption keys required to decrypt their files.

To help combat ransomware that attempts to modify the MBR, Talos has released a new tool to the open source community, MBRFilter, a driver that allows the MBR to be placed into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device.

Tuesday, October 18, 2016

Vulnerability Spotlight: Hopper Disassembler ELF Section Header Size Code Execution

Vulnerability Discovered by Tyler Bohan and Cory Duplantis of Cisco Talos

Talos has identified an exploitable out-of-bounds write vulnerability in the ELF Section Header parsing functionality of Hopper (TALOS-2016-0222/CVE-2016-8390). Hopper is a reverse engineering tool for macOS and Linux allowing the user to disassemble and decompile 32/64-bit Intel-based Mac, Linux, Windows and iOS executables. During the parsing of ELF section headers, a user-controlled size is not validated. A malicious threat actor could craft an ELF file with specific section headers to trigger this vulnerability, potentially leading to remote code execution. A malicious threat actor could use a zip file containing the crafted executable to target threat researchers, sent via phishing or file sharing sites. This type of exploit can also be used as an anti-analysis measure in an attempt to defeat sandboxes and automated disassembly.

Hopper has been updated; the changelog can be read at this URL:

Vulnerability Spotlight: Foxit PDF Reader JBIG2 Parser Information Disclosure

Vulnerability discovered by Aleksandar Nikolic of Talos.

Talos has identified an information disclosure vulnerability in Foxit PDF Reader (TALOS-2016-0201/CVE-2016-8334). A wrongly bounded call to `memcpy`, made while parsing JBIG2 segments within a PDF file, can be triggered in Foxit PDF Reader, causing out-of-bounds heap memory to be read into a buffer. The `memcpy` call is properly sized, but the source is smaller than the size argument, so adjacent memory is copied into the buffer. Heap metadata, addresses and pointers can be copied this way and later reused, disclosing memory layout. Combined with another vulnerability, this information disclosure can be used to leak heap memory layout and bypass ASLR. Phishing campaigns commonly use PDF files, as malicious attachments or linked downloads, to deliver malware.
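The bug class described above, shown as an added example that is not Foxit's code: a copy whose length is checked against the destination only, next to a version that also checks it against the bytes actually present in the source. The segment layout (a 4-byte big-endian length followed by the payload), the function names and the sample buffers are assumptions made for illustration and do not reproduce the JBIG2 format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SEG_HDR 4u /* hypothetical header: 4-byte big-endian payload length */

/* Constructed sample: declares 64 payload bytes but carries only 4. */
const uint8_t TRUNCATED[]   = { 0x00, 0x00, 0x00, 0x40, 'A', 'B', 'C', 'D' };
/* Constructed sample: declares 4 payload bytes and carries 4. */
const uint8_t WELL_FORMED[] = { 0x00, 0x00, 0x00, 0x04, 'A', 'B', 'C', 'D' };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Before: the declared length is bounded by the destination only, so a
 * segment that claims more bytes than the file holds makes memcpy read
 * whatever follows the source buffer in memory. */
long read_segment_unchecked(const uint8_t *file, size_t file_len, size_t off,
                            uint8_t *dst, size_t dst_cap)
{
    (void)file_len;                      /* never consulted: the defect */
    uint32_t declared = be32(file + off);
    if (declared > dst_cap)
        return -1;
    memcpy(dst, file + off + SEG_HDR, declared);
    return (long)declared;
}

/* After: the header must fit in the file, and the declared length must fit
 * both the destination and the bytes remaining in the source. */
long read_segment_checked(const uint8_t *file, size_t file_len, size_t off,
                          uint8_t *dst, size_t dst_cap)
{
    if (off > file_len || file_len - off < SEG_HDR)
        return -1;
    uint32_t declared = be32(file + off);
    size_t avail = file_len - off - SEG_HDR; /* payload bytes really present */
    if (declared > dst_cap || declared > avail)
        return -1;
    memcpy(dst, file + off + SEG_HDR, declared);
    return (long)declared;
}
```
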

Thursday, October 13, 2016

LockyDump - All Your Configs Are Belong To Us

This post was authored by Warren Mercer and Matthew Molyett


Locky has continued to evolve since its inception in February 2016. This has made it difficult to track at times due to changes in the way in which it's distributed as well as various characteristics of the malware itself. The actors responsible for Locky have continuously attempted to improve operational security (OPSEC) in regards to the tracking of affiliates making use of the ransomware. This post will discuss a new Locky configuration extractor that Talos is releasing, which we are naming 'LockyDump'. This is the first open source tool which can dump the configuration parameters used by all currently known variants of Locky e.g. .locky, .zepto & .odin based ransomware.

Using LockyDump you can run a known Locky sample within a virtualized environment and it will extract and provide all of the configuration information for the sample, including the AffilID associated with the sample. The latest variant of Locky made this extraction process increasingly difficult. Once this config extraction changed, Talos looked to reverse further Locky samples in an attempt to gain the all-important AffilID information. Obtaining the affiliate information for individual samples allows the historical tracking of Locky affiliates to identify trends and other characteristics on an individual affiliate basis, such as their primary distribution method of choice, e.g. through the use of Exploit Kits (EKs) or spam/phishing email.

Tuesday, October 11, 2016

Microsoft Patch Tuesday - October 2016

Patch Tuesday has once again arrived! Microsoft's monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today's release sees a total of 10 bulletins, with five of the bulletins rated critical, addressing vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.

Bulletins Rated Critical

The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127

MS16-118 and MS16-119 are this month's bulletins for Internet Explorer and Edge respectively. The Internet Explorer bulletin fixes 11 vulnerabilities while the Edge bulletin fixes 13 vulnerabilities. Seven vulnerabilities were found to affect both Edge and IE. The majority of the vulnerabilities fixed are memory corruption flaws that could lead to arbitrary code execution. Several privilege escalation and information disclosure flaws were also fixed in this month's release.

Monday, October 3, 2016

Vulnerability Spotlight: FreeImage Library XMP Image Handling Code Execution Vulnerability

This vulnerability was discovered by Yves Younan.

Talos, in coordination with FreeImage, is disclosing the discovery of TALOS-2016-0189 / CVE-2016-5684.


FreeImage is widely used software integrated into over 100 products ranging from free to paid licensing, including multimedia software, games, developer tools, PDF generators and more. FreeImage makes use of a common file format created by Adobe, Extensible Metadata Platform (XMP), that allows real-time managing of metadata. Per Adobe, the XMP file format allows users to “embed metadata into files themselves during the content creation process”, and FreeImage’s 3.17.0 integration of this file format into its software is vulnerable to an overflow in the “Colors Per Pixel” value of an XMP image. Generally speaking, when FreeImage 3.17.0 opens an XMP file with a large enough Colors Per Pixel value, i.e. the number is too large, it is not handled properly by follow-on code in the function that uses it. You can liken it to taking a 99 oz. glass, turning on the faucet, and filling it up with 100+ ounces of water. The water spills over and gets into areas you don’t want it to be. In technical terms, the large value is not properly validated during the code execution and it can trigger an out-of-bounds write. This causes an arbitrary memory overwrite that can effectively result in remote code execution. This is likely to be exploited if someone sends you a maliciously crafted image file as an email attachment or possibly via an instant message.

Due to the widespread integration and the relative ease with which the vulnerability can be exploited, we strongly encourage anyone using software that integrates FreeImage to patch their platforms as soon as possible. A list of software can be found on FreeImage’s site here.

FreeImage patched this vulnerability in CVS on August 7th; however, they have not released a new version of the software. If you use FreeImage, it is recommended that you update to the CVS version to avoid being exposed to this vulnerability.

For the full technical details regarding this vulnerability, please refer to the vulnerability advisory which can be found on our website here.


Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 39883 & 39884

For further zero day or vulnerability reports and information visit:

Friday, September 30, 2016

Vulnerability Spotlight: OpenJPEG JPEG2000 mcc record Code Execution Vulnerability

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos


Talos has identified an exploitable out-of-bounds vulnerability in the JPEG 2000 image file format parser implemented in the OpenJPEG library (TALOS-2016-0193/CVE-2016-8332). The JPEG 2000 file format is commonly used for embedding images inside PDF documents. This particular vulnerability could allow an out-of-bounds heap write to occur, resulting in heap corruption and leading to arbitrary code execution. Talos has disclosed this vulnerability responsibly to the library maintainers to ensure a patch is available.

Exploitation of this vulnerability is possible if a user were to open a file containing a specifically crafted JPEG 2000 image that exploits this flaw. Examples where this could be achieved would be in an email attack, where a user opens an attachment in a spam/phishing email, or in a hosted content scenario where a user downloads a file from Google Drive or Dropbox.


Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 40314-40315

For further zero day or vulnerability reports and information visit:

Vulnerability Spotlight: Redis CONFIG SET client-output-buffer-limit Code Execution Vulnerability

Vulnerability Discovered by Cory Duplantis of Talos


Talos is disclosing TALOS-2016-0206/CVE-2016-8339, an out-of-bounds write vulnerability in Redis. Redis is a simple in-memory data structure store using a key-value model. Redis has been growing in popularity due to its ability to handle problems that other databases can't solve or are inherently slow at. This particular vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write, potentially resulting in code execution.

Thursday, September 29, 2016

Want Tofsee My Pictures? A Botnet Gets Aggressive

This post was authored by Edmund Brumaghin


Tofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013. It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Once infected, systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

Earlier this year, Talos published a blog post discussing how the RIG exploit kit was delivering this malware to compromised endpoints using malvertising. Malvertising is a technique commonly used by exploit kits to infect users that browse web sites that are serving compromised advertisements. This activity seemed to disappear in June; however, Talos has recently observed a marked increase in the volume and velocity of spam email campaigns containing malicious attachments that are being used to distribute Tofsee.

Tuesday, September 27, 2016

Threat Spotlight: GozNym

This blog was authored by Ben Baker, Edmund Brumaghin and Jonah Samost.

Executive Summary

GozNym is the combination of features from two previously identified families of malware, Gozi and Nymaim. Gozi was a widely distributed banking trojan with a known Domain Generation Algorithm (DGA) and also contained the ability to install a Master Boot Record (MBR) rootkit. Nymaim emerged in 2013 as malware which was used to deliver ransomware and was previously distributed by the Black Hole exploit kit. The code had various anti-analysis techniques, such as the obfuscation of Win32 API calls.

There have been multiple instances in which the source code of the Gozi trojan has been leaked. Due to these leaks it was possible for the GozNym authors to make use of the ‘best of breed’ methodologies incorporated into Gozi and create a significantly more robust piece of malware which was now capable of utilizing strengthened persistence methods and ultimately becoming a powerful banking trojan.

Given the recent success of the GozNym trojan and the number of targeted attacks seeking to infect victims with this malware, Talos decided to take a deep look at the inner workings of this particular malware family. Talos started by examining the binaries associated with GozNym as well as the distribution mechanisms. Additionally, we were able to successfully reverse engineer the DGA associated with a GozNym command and control (C2) infrastructure and sinkhole that botnet. This gave Talos great visibility into the size and scope of this threat and the number of infected systems beaconing to C2 servers under adversarial control.