Attack Code Helps Angler Exploit Kit ‘Evade Microsoft’s EMET’

Computer security researchers have uncovered attack code that successfully evades a Microsoft tool that has until now been broadly effective at blocking exploits of vulnerabilities in the operating system or installed applications.

Some recent attacks by the Angler exploit kit, a tool that automates the exploitation of a number of different vulnerabilities, have been found to successfully install malware on Windows systems that have Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) installed, according to researchers at FireEye.

New sophistication

This is the first time such a toolkit has been seen to evade EMET, demonstrating a new level of sophistication in the development of the attack code, according to FireEye.

“The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion,” the company said in an advisory.

Attackers have long made use of security flaws in Adobe’s Flash, and to a lesser degree in Microsoft’s similar Silverlight, as a means of implanting malicious code on users’ systems, because those plugins are widely distributed with browsers and are often left unpatched.

EMET has proven an effective way of blocking such attacks; one of its features, data execution prevention (DEP), can for instance stop malicious code from executing even after a flaw in Flash or Silverlight has been exploited.

Attackers commonly use a technique called return-oriented programming (ROP) to attempt to evade DEP, but FireEye found that Angler used routines built into Flash and Silverlight to bypass the checks that would ordinarily detect ROP, allowing it to execute malicious code.

Checks evaded

“Since return address validation heuristics are evaded by utilizing these inbuilt functions from within ActionScript and Silverlight Engine, ROP checks by EMET’s DEP capability are not effective,” the company stated.
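The return-address validation the advisory refers to can be made concrete with a small model. The following Python is an added illustration written for this article, not EMET's own code and not anything FireEye published: it implements a simplified "caller" check of the kind a ROP mitigation applies when a sensitive function is entered, namely that the return address on the stack must sit immediately after a CALL instruction. If the bytes before it do not decode as a CALL, the function was most likely reached through a RET, which is how a ROP chain moves between gadgets. It assumes 32-bit x86 encodings, skips the SIB addressing forms for brevity, and uses a constructed code image at a made-up base address.

```python
"""
Simplified model of a return-address 'caller' check (added example, not
EMET's implementation). A legitimate call leaves a return address that is
immediately preceded by a CALL instruction; a RET into a gadget does not.
"""


def is_preceded_by_call(code: bytes, offset: int) -> bool:
    """True if a 32-bit x86 CALL instruction ends exactly at `offset`."""
    # E8 rel32: 5-byte direct call.
    if offset >= 5 and code[offset - 5] == 0xE8:
        return True
    # FF /2: indirect call; total length depends on the ModRM byte.
    # Forms that need a SIB byte (rm == 4) are not modelled here.
    for length in (2, 3, 6):
        start = offset - length
        if start < 0 or code[start] != 0xFF:
            continue
        modrm = code[start + 1]
        if (modrm >> 3) & 0x7 != 2:          # reg field 2 selects CALL
            continue
        mod, rm = modrm >> 6, modrm & 0x7
        if rm == 4:                          # SIB follows; skipped
            continue
        if length == 2 and (mod == 3 or (mod == 0 and rm != 5)):
            return True                      # call reg / call [reg]
        if length == 3 and mod == 1:
            return True                      # call [reg+disp8]
        if length == 6 and ((mod == 0 and rm == 5) or mod == 2):
            return True                      # call [disp32] / call [reg+disp32]
    return False


# Constructed sample code image (not from any real binary) at a fake base.
BASE = 0x10000000
CODE = bytes([
    0x55,                               # 0x00 push ebp
    0x8B, 0xEC,                         # 0x01 mov ebp, esp
    0xE8, 0x10, 0x00, 0x00, 0x00,       # 0x03 call rel32      (direct call)
    0x85, 0xC0,                         # 0x08 test eax, eax   <- return address A
    0xFF, 0xD0,                         # 0x0A call eax        (indirect call)
    0x5D,                               # 0x0C pop ebp         <- return address B
    0xC3,                               # 0x0D ret
    0x90, 0x90,                         # 0x0E nop; nop
    0x5F,                               # 0x10 pop edi         <- only reachable via RET
    0xC3,                               # 0x11 ret
])


def classify_return(ret_addr: int, base: int = BASE, code: bytes = CODE) -> str:
    """Classify a return address found on the stack at a sensitive API entry."""
    off = ret_addr - base
    if not 0 <= off <= len(code):
        return "unmapped"
    return "ok" if is_preceded_by_call(code, off) else "suspect"


if __name__ == "__main__":
    for name, addr in (("A", BASE + 0x08), ("B", BASE + 0x0C), ("gadget", BASE + 0x10)):
        print(f"return address {name} at {addr:#x}: {classify_return(addr)}")
```

Two things the model makes visible. First, the check is a byte-pattern heuristic: x86 instructions are variable-length, so the bytes before an address can coincidentally decode as a CALL, and a stricter mitigation therefore combines this with other checks (stack-pointer range, known-gadget lookups) rather than relying on it alone. Second, the check only asks whether a call happened, not who made it: a sensitive function reached through a genuine call from the Flash or Silverlight engine's own built-in routines passes by construction, which is the gap the advisory describes.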

FireEye demonstrated that Angler was also able to evade other EMET features including Export Address Table Filtering (EAF) and EAF+ to successfully execute a ransomware program called TeslaCrypt on a system with the latest version of EMET installed.

The firm noted that to date, EMET evasion has only been detected on Windows 7 systems and not on Windows 10, which is widely considered more effective at blocking attacks.

Angler is often used to deliver the TeslaCrypt ransomware; that program has since been abandoned by its developers, who have made public the key that allows users to unlock affected systems. The kit could, however, be used to implant other types of malware on a system.

Mitigating risks

FireEye said organisations can mitigate threats by routinely patching third-party software including Flash, browsers and Oracle’s Java.

“Because the web browser plays an important role in the infection process, disabling browser plugins for Flash or Silverlight may also reduce the browser attack surface,” they wrote.

Angler was used in an attack last month that infected visitors to the websites of two US television stations via malicious advertisements.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.