Ransomware dodges EMET

Infosec biz FireEye has blogged in detail about how new versions of the Angler Exploit Kit – used by malicious webpages to inject ransomware and other software nasties into people's PCs – sidestep Microsoft's EMET protections.

Included with Windows, EMET has a whole bundle of features designed to thwart attempts by hackers to exploit programming bugs to gain control of computers. However, it appears Angler's developers have found ways to evade these mechanisms to install evil code on PCs.

What's interesting is that Angler doesn't rely on tried-and-tested return oriented programming (ROP) to dodge Redmond's Data Execution Prevention (DEP) barriers. FireEye's Raghav Pande and Amit Malik explained:

The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion ... The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.
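To make the last sentence of that quote concrete from the defender's side, here is a small detection sketch. It is an added example for this article, not FireEye's or Microsoft's code, and the one-JSON-object-per-line log format, the field names (`api`, `protect`, `caller_module`) and the sample events are all constructed for the example; real API monitors and EDR sensors have their own schemas. It shows why a return-address (caller-module) allow list passes calls that genuinely originate inside Flash.ocx or Coreclr.dll, while a check keyed on the requested page protection still flags them.

```python
"""Flag RWX memory-protection requests in constructed API-monitor log lines."""
import json

# Win32 page-protection constants (values from the Windows SDK).
PAGE_EXECUTE_READWRITE = 0x40
PAGE_GUARD = 0x100            # modifier bit that can be OR'ed onto a protection

WATCHED_APIS = {"VirtualProtect", "VirtualAlloc"}

# A caller-module allow list of the kind a return-address heuristic relies on
# (hypothetical list for the example).
TRUSTED_CALLERS = {"flash.ocx", "coreclr.dll", "ntdll.dll", "kernel32.dll"}

# Constructed sample events; not real telemetry.
SAMPLE_LOG = """
{"pid": 4120, "api": "VirtualAlloc",   "protect": 4,   "caller_module": "flash.ocx"}
{"pid": 4120, "api": "VirtualProtect", "protect": 64,  "caller_module": "flash.ocx"}
{"pid": 4120, "api": "VirtualAlloc",   "protect": 64,  "caller_module": "coreclr.dll"}
{"pid": 4120, "api": "VirtualProtect", "protect": 32,  "caller_module": "ntdll.dll"}
{"pid": 4120, "api": "CreateFileW",    "protect": null, "caller_module": "kernel32.dll"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def caller_allowlisted(event):
    """The return-address style check: trust the call if its caller is a known module."""
    return event.get("caller_module", "").lower() in TRUSTED_CALLERS


def is_rwx_request(event):
    """True when a watched API asks for writable-and-executable memory."""
    if event.get("api") not in WATCHED_APIS:
        return False
    protect = event.get("protect")
    if protect is None:
        return False
    # PAGE_GUARD / PAGE_NOCACHE modifiers live above the low byte; mask them off
    # so that PAGE_GUARD | PAGE_EXECUTE_READWRITE is still recognised.
    return (protect & 0xFF) == PAGE_EXECUTE_READWRITE


def missed_by_caller_check(text):
    """Events the caller allow list would pass even though they request RWX pages."""
    return [e for e in parse_events(text) if is_rwx_request(e) and caller_allowlisted(e)]


def find_rwx_requests(text):
    """Return every watched-API event that requests RWX memory, regardless of caller."""
    return [e for e in parse_events(text) if is_rwx_request(e)]


if __name__ == "__main__":
    for e in find_rwx_requests(SAMPLE_LOG):
        print(f"RWX request: pid={e['pid']} {e['api']} from {e['caller_module']}")
```

On the constructed log, both RWX requests come from allow-listed modules, so `missed_by_caller_check` returns the same two events that `find_rwx_requests` flags: the caller heuristic alone yields nothing, while keying on the protection value keeps the signal. In practice a protection-based rule needs tuning (JIT engines legitimately request RWX pages), so it is a triage signal to combine with process and module context rather than a block-on-sight rule.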

For full technical details, see the above link to FireEye's blog. ®