Information security has always been one of the key focuses of LINE. LINE has always strove to actively promote various security enhancement strategies over the years. As a part of our ongoing effort towards information security, LINE information security engineers hold a meetup known as BECKS (a portmanteau of beer and hacks) in Korea, Japan, and Taiwan. We invite security professionals around the globe to participate in the exchange. The last BECKS meetup in Taipei was kicked off by Beist, the head of GrayLab and the LINE Security team, who came all the way from Korea to give opening remarks and express LINE’s commitment towards keeping good relations with the local information security community.
The speech was followed by two presentation sessions. In the first session, speakers from Japan shared their experience from testing Windows Defender with the EICAR test fie. In the second session, speakers from Taiwan shared the process of finding malicious payloads in the supply chain of code. The speakers of both sessions casually lead the attendees through an amazing recalling of their experiences in the field of information security.
AvOracle: New Attack Vector Against AntiVirus / Ryo Ichikawa and Ryota Shiga
The first session was presented by Ryo Ichikawa and Ryota Shiga. Ryo Ichikawa is the founder of CTF team TokyoWesterns. Ryota Shiga, also a member of TokyoWesterns, is a security engineer working at LINE. In the talk, they share their experiences of testing antivirus software with the EICAR test file. Antivirus software is a necessity in the modern age, protecting our computers by auditing file access, command executions, and analyzing various content. If antivirus software finds malicious content, it will block the content to protect users. But what if antivirus software could act as an oracle as well, using their various content analyzers? That is the basic idea of AvOracle, a combination of antivirus and oracle.
Ryo and Ryota shared the process of testing antivirus detection rules by triggering false positives with the EICAR test file. The EICAR test file is identified by antivirus software due to its similarity to other identified signatures. This is why a qualified virus scanner would react in the same way to the EICAR file as it would to a real virus. However, not all correctly configured virus scanners can detect the EICAR file. The EICAR test string is:
Windows Defender, also known as Windows Defender Antivirus, is a robust anti-malware component of Microsoft Windows. Windows Defender is even able to block inputting strings such as “Invoke-Mimikatz” in command prompt. Ryo and Ryota discovered in their research that Windows Defender may respond to possible malware, including the EICAR test file, in the following ways:
- Check whether malicious data is included in the contents of the suspicious file
- Change permissions to prevent the user from accessing the suspicious file
- Replace the malicious part with null bytes
- Delete the entire file
During their research of Windows Defender, Ryo and Ryota found the presentation “Windows Offender: Reverse Engineering Windows Defender’s Antivirus Emulator” by Alexei Bulazel presented at Black Hat 2018. Based on Bulazel’s research, Ryo and Ryota recreated the process and were able to trigger a response from Windows Defender by leaking a character using the EICAR test string. Combined with the first character of the string in the string
EICA + character
x, it can be tested whether the character is
R. It turns out that Windows Defender will detect if the character is appropriate, but it requires 256 attempts for the ASCII code of each character. Therefore, a binary search is adapted to accelerate the process and eventually obtain the oracle. Moreover, leveraging the characteristics of Bitwise XOR can get the certain position of the secret string in the same HTML. It can be found whether the secret arbitrary position character in the HTML is equal to the target character.
After depicting the context and mechanism of Windows Defender, Ryo and Ryota concluded that the content auditor can act like an oracle even for Windows Defender. Meanwhile, Windows Defender stays highly alert for potential viruses, but it may lead to new types of attacks as well.
Supply Chain Attack & Modern APT Malware / Bletchley Chen and Inndy Lin
The second session was presented by two security researchers from Cycarrier: Bletchley Chen and Inndy Lin. In their speech, they shared how to investigate APT attacks and the tools used to perform them. They started off by explaining why the “supply chain” of software becomes the frequent target of attacks so the audience can have a better idea about the context. When running software, the “supply chain” of code includes a lot of components. These components are likely to be attacked in various ways. For example, Stack Overflow may be a source of vulnerable code since a lot of developers copy unsecured code from Stack Overflow. Since vulnerable code is likely to be leveraged by other libraries, some hackers would release useful but harmful libraries to spread the malicious code. It’s difficult for users to ensure that every library is safe. For compiler, the malware-laced Xcode tool may be used to infect iOS apps compiled by the affected compiler. Furthermore, to the audience’s surprise, the weakest link among partners or supply chains may become the target of malware while most organizations keep strengthening their information security. Inndy and Bletchley explain that another APT group’s tactic is to synthesize normal programs for malicious intent. Attackers often intrude through legal applications with high authority for lateral movement to avoid being detected by security mechanisms.
Then, the speakers moved on to elaborate on the concept of the recent Shadow Hammer and WebStorage APT attacks. The attacker injected malicious code into a legal program, but the patched program still had a legal certificate. Such situations may occur if the developer cycle is compromised or the certificate is stolen. In this case, the former is more likely to have taken place. Only a small part of the program was modified while most of the code remained the same. Other attacks first took place via legal ASUS WebStorage updates and was rarely detected by antivirus programs. The speakers then went on to explain the profile of PLEAD and relevant activities, after which they shared the flow they used with their system when they investigated the PLEAD attacks that targeted multiple governmental organizations.
With so many threats and malware tricks around, how can you discover malicious payloads efficiently? With the insight that modern attackers may use compilers to generate shell code, and how useful shell code is for file-less attacks, Inndy and Bletchley shared their investigation principles: observe -> conceive threat hypothesis -> investigate -> check hypothesis -> revise hypothesis -> confirm hypothesis. When applying this to their APT investigation process, the steps include: malware analysis -> threat hunting -> threat intelligence -> threat investigation -> feedback. The speakers emphasized that getting the whole storyline of the attack is more important than finding a single pieace of malware. They then emphasized the importance of threat hunting, proactively and regularly investigating if any attacker is already concealed in the network, instead of passively detecting attacks. The session was concluded with a call to action, to make judgments based on the possible types of attacks and the campaign sequence of attacks.
As software grows more complex, it is almost impossible to create a secure supply chain. We must be aware that the weakest link in the supply chain can always be the target of an attack. With this in mind, we are more likely to adopt the right approach to develop a practical security mechanism.
The meetup tonight is the third BECKS.IO gathering this year. In addition to providing attendees with the latest security trends and case studies through speeches, it is our mission to form a platform for security professionals from various countries and fields to exchange their thoughts and experiences. We sincerely hope that the dynamic energy shown in the meetup reflects back onto the overall security community.