James Steidl - Fotolia
Researchers reporting new encounters with the Angler exploit kit say it is bypassing protection afforded by Microsoft's latest version of EMET and exploiting vulnerabilities in Flash and Silverlight plug-ins. This is the first time Angler attacks have been observed in the wild that bypass EMET's data execution prevention.
Amit Malik and Raghav Pande, researchers at FireEye Inc., based in Milpitas, Calif., blogged that they "encountered some exploits from Angler exploit kit (EK) that are completely evading Microsoft's Enhanced Mitigation Experience Toolkit (EMET). This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7."
"Angler EK uses complex multilayered code obfuscation and leverages multiple exploits," Malik and Pande wrote. "These capabilities make Angler EK one of the more sophisticated exploit kits in use at this time."
Microsoft includes the Data Execution Prevention (DEP) mitigation technique in EMET to prevent code from executing in certain parts of memory, but the Angler exploit kit evades DEP by avoiding the use of return-oriented programming techniques. "Instead, they use Flash.ocx and Coreclr.dll's inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics," Malik and Pande wrote.
The Angler exploit kit is also reportedly evading other EMET features, including Export Address Table Filtering and EAF+, "two capabilities that seek to protect the contents of memory and prevent exploit code from identifying where things are loaded."
"EMET is only one layer in the protection against exploits and helps enterprises protect applications, some of which may be legacy and have been written to run on previous versions of Windows, such as XP," said Tony Anscombe, senior security evangelist at AVG Technologies, based in San Francisco. "Enhancing the security of the applications with EMET does not remove the need to have active, up-to-date antimalware software installed to detect and remove threats. EMET alone is not going to solve this problem and, in some ways, it may do more harm than good, as it could give system admins a false sense of security."
Microsoft EMET, updated to version 5.5 in February 2016, was originally intended to "detect and block exploitation techniques that are commonly used to exploit memory corruption vulnerabilities." The most recent upgrade was made to fix a vulnerability in EMET that allowed attackers to unload EMET from memory; Microsoft has not yet released a patch for the latest flaw.
Taking action against the Angler exploit kit
Noting that there are no quick solutions for the evasion techniques used to bypass DEP, the FireEye researchers did offer suggestions for remediation and mitigation of the threat from the Angler exploit kit.
"[O]rganizations can mitigate this threat through a robust vulnerability management program for end-user systems, which includes the installation of security updates for third-party software. Applications such as Adobe Flash, web browsers and Oracle Java should be patched routinely, prioritizing critical patches or removed, if possible. Because the web browser plays an important role in the infection process, disabling browser plug-ins for Flash or Silverlight may also reduce the browser attack surface."
Nick Bilogorskiysenior director of threat operations at Cyphort
"The evolution of security applications and operating systems means that the latest version is recommended to maintain the best level of protection," Anscombe said. "Minimizing the attack surface by removing unused/unneeded software is a good first step."
"There is no better time than now to disable Flash and Silverlight plug-ins for your browser," said Nick Bilogorskiy, senior director of threat operations at Cyphort Inc., based in Santa Clara, Calif. "That will help limit attack surface and make users safer from drive-by exploits."
Given that the latest Angler exploits have been seen working only on Windows 7, it may be time to upgrade to Windows 10, which "has the new Edge browser, which no longer supports the extensions for Java, Silverlight, VML, VBScript, Toolbars, BHOs or ActiveX," Bilogorskiy suggested.
"Windows 10 also has Device Guard, which runs separately from the OS, in a hypervisor, and helps blocking the execution of programs that are not digitally signed by a trusted vendor or Microsoft."
Learn more about strategies for mitigating the Angler exploit kit.
Find out more about how the Angler exploit kit used Flash zero-day exploits to make a malvertising campaign more effective.