Sandworm Demonstrates Why Patches aren’t Foolproof

Last week the security community was scrambling to update new AV signatures while continuing to patch systems against new variants of the “Sandworm” malware, which attacks Windows systems using a zero-day flaw that can enable attackers to take complete control of an infected system.

The vulnerability used by Sandworm resides in a Windows component called Windows OLE (Object Linking and Embedding) that allows, as its name implies, object embedding in various Office formats, among them Powerpoint’s PPTX and PPSX.

This logical bug allows a specially crafted file to retrieve a (remote) binary over the web, and execute it on the local machine. According to Microsoft, a properly configured UAC will notify the user who can then prevent the code from executing. Nevertheless, a high number of infections have been reported, and attacks continue. Given the nature of this vulnerability, modern Windows defense mechanisms including DEP, ASLR and even EMET (without specially crafted rules), do not protect against this exploit.

Sandworm was initially discovered by security firm iSIGHT back in September, and was publicly disclosed two weeks ago in coordination with Microsoft patch MS14-060. However, security vendors soon reported that attackers continued to exploit the vulnerability on both patched and unpatched systems, using new variants that bypass MS14-060 as well as existing AV signatures.

Last week, Microsoft issued a Fix It patch to mitigate the vulnerability and advised users to install it or apply the workarounds contained in the original MS14-060 bulletin. As this example illustrates, it is not uncommon for new variants to emerge that can bypass AV signatures and in some cases even security patches.

We were immediately curious to confirm whether this threat would be detected out of the box by our behavioral engine. We expected it would be, since the exploit and executed payload exhibit a decidedly suspicious execution pattern:

  • First, the user opens a PPTX file, perhaps even a recently created one
  • Once PowerPoint loads the file, it immediately initiates a download from an unknown address over the web
  • Next the downloaded file executes, forks a new process, deletes the original file and registers itself to autostart
  • Finally, it downloads another file which creates a backdoor into the system

Since we’re able to monitor all system processes in real-time and trace their progress, we can establish context around each individual event above. SentinelOne detected this 0-day threat without making any changes to our system.

The ability to inspect machine code execution on the device being attacked exposes malware at run-time and provides the following benefits:

a) No need to update clients, signatures or even patch the OS itself

b) Machines that are difficult to patch, or disconnected from the network, are always protected

c) Provides detection and protection with zero previous knowledge of a threat We will continue to monitor this threat and provide updates on any further developments.