- Apr 24, 2016
Good news over at Wilders:
Sophos blog post:
No worries guys, we're still alive and kicking. We've been working on several projects and are planning to release a new BETA version of HitmanPro.Alert soon. It will contain several new protections as well as an updated CryptoGuard 5 engine. Stay tuned!
I have some information to share, about a protection that we've been working on over the last two years (and Wilders Security members have been enjoying it for that long too). It's about our Heap Heap Protect mitigation - called Dynamic Shellcode Protection in Sophos's flagship endpoint product Intercept X.
If you haven't read it yet and have 10 minutes, be sure to read my blog about it: Covert code faces a Heap of trouble in memory – Sophos News
Below is a relatively short primer about why it's actually pretty bold.
Heap Heap Protect is unique in the world. It basically puts a hard limit on any application to what memory they can allocate. It impacts every process on the box, even Windows’ own processes.
How does this work? Applications can ‘loan’ an extra memory region from the system for the purpose of running added code. But when the added code requests an additional ‘loan’ for the purpose of introducing and running even more code, we say NO.
The ‘freedom’ to use memory whenever an application sees fit has been a fundamental function of a computer since the invention of dynamic random-access memory in 1968. And thanks to segregation of data and code (enforced by the CPU hardware) we can now literally say NO MORE!
We initially crafted Heap Heap Protect to counter unknown supply-chain attacks like CCleaner APT. So, although it's completely signature-less, you may notice it is especially effective against remote access agents like Cobalt Strike and Meterpreter, as these are typically loaded into memory by a ‘loader’ or ‘stager’. Particularly in human-operated ransomware attacks, these agents are a mainstay.
To our surprise, when we tested the mitigation in the wild, it notably caught a lot of multi-packed malware too – including adware. This is because, before packed malware really works, the unpacker needs to allocate a region that can run the unpacked code. And multi-packed (layer over layer) malware will ‘loan’ such a region upon region – it unpacks like a matryoshka doll.
Perhaps the most interesting part of our protection is that our discovery is highly compatible with legitimate applications. Simply because regular applications are not loaded in a staged manner and they are not packed either.
If you want to know more, check out my blog. If you have, we'd like to hear your thoughts on this. Thanks!
Fileless malware, ransomware and remote access agents trying to evade detection by running in memory rely on being able to allocate “Heap” memory – a step just made harder by Sophos
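As an added illustration of the "one loan, not a second loan" rule the post describes, here is a small Python model of that policy. It is not Sophos code and not HitmanPro.Alert's implementation; the `Process` and `Region` classes, the address layout, and the three request sequences are constructed for the demo. It only tracks where the requesting code is executing, which is enough to show why a staged loader or a layered unpacker is refused while an application that allocates executable memory from its own module code is not.

```python
# Toy model of a Heap Heap Protect style policy.
# Constructed illustration for this thread; it is not Sophos code and does not
# hook any real allocation API. Region layout, addresses and the helper names
# (Process, Region, alloc_executable, run_scenario) are assumptions for the demo.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Region:
    base: int
    size: int
    executable: bool
    dynamic: bool   # True when obtained at run time, False for a mapped module

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Process:
    regions: List[Region] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def map_image(self, base: int, size: int) -> None:
        # A loaded EXE/DLL: file-backed code, not a run-time 'loan'.
        self.regions.append(Region(base, size, executable=True, dynamic=False))

    def _region_of(self, addr: int) -> Optional[Region]:
        for r in self.regions:
            if r.contains(addr):
                return r
        return None

    def alloc_executable(self, caller_ip: int, base: int, size: int) -> bool:
        """Model of a guarded request for executable memory.

        caller_ip is where the requesting code is executing. If that address
        lies inside an executable region the process obtained at run time,
        this is 'loaned' code asking for a second loan, and the request is
        refused. Requests from module code are granted and recorded.
        """
        origin = self._region_of(caller_ip)
        if origin is not None and origin.dynamic and origin.executable:
            self.log.append(f"DENY  0x{base:08x} requested from dynamic region 0x{origin.base:08x}")
            return False
        self.regions.append(Region(base, size, executable=True, dynamic=True))
        self.log.append(f"ALLOW 0x{base:08x} requested from 0x{caller_ip:08x}")
        return True


def run_scenario(requests: List[Tuple[int, int, int]]) -> List[bool]:
    """Replay (caller_ip, base, size) requests against a process with one image
    mapped at 0x00400000 and return the allow/deny decision for each."""
    p = Process()
    p.map_image(0x00400000, 0x00010000)
    return [p.alloc_executable(ip, base, size) for ip, base, size in requests]


# Constructed scenarios (all addresses are made up):
# 1. A JIT-style application: every request comes from its own module code,
#    so it may take as many regions as it likes.
JIT_APP = [
    (0x00401000, 0x20000000, 0x1000),
    (0x00401040, 0x20010000, 0x1000),
    (0x00401040, 0x20020000, 0x1000),
]

# 2. A staged loader: module code takes one region (allowed), then the code now
#    running inside that region asks for another one for the next stage (denied).
STAGED_LOADER = [
    (0x00401200, 0x30000000, 0x1000),
    (0x30000080, 0x31000000, 0x1000),
]

# 3. A layered unpacker behaves the same way: layer one is allowed, every
#    nested layer that tries to allocate from inside a loaned region is refused.
MULTI_PACKED = [
    (0x00401300, 0x40000000, 0x1000),
    (0x40000010, 0x41000000, 0x1000),
    (0x40000020, 0x42000000, 0x1000),
]

if __name__ == "__main__":
    for name, reqs in (("jit", JIT_APP), ("staged", STAGED_LOADER), ("packed", MULTI_PACKED)):
        print(name, run_scenario(reqs))
```

The model checks only the immediate requester's address; a production mitigation has to inspect the whole call stack so that loaned code cannot simply call through a module-backed helper to make its request, and that stack walk is also where the compatibility trade-off with legitimate software is decided.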