Hackers are evading traditional detection applications with a new approach called Application program interface hooking. LUKE JENNINGS, Chief Research Officer for Countercept at MWR InfoSecurity, takes a look at what API hooking is and how it can be thwarted.
Traditional malware detection and forensic investigation techniques typically focus on detecting malicious native executables on disk, and performing disk forensics to uncover evidence of historical actions on a system. In response, many threat actors have shifted their offensive techniques to avoid writing to disk, staying resident only in memory. Consequently, the ability to effectively analyse live memory for evidence of compromise and to gather additional forensic evidence has become increasingly important.
Application program interface (API) hooking is one of the memory-resident techniques cyber criminals are increasingly using. The process involves intercepting function calls in order to monitor and/or change the information passing between the caller and the called function. There are many reasons, both legitimate and malicious, why this might be desirable. In the case of malware, API hooking is commonly considered to be ‘rootkit’ functionality and is mostly used to hide evidence of the malware’s presence on the system from other processes, and to spy on sensitive data.
How are the cyber criminals using API hooking?
There are two common use cases for the malicious use of API hooking. Firstly, it can be used to intercept sensitive data, such as communications with the keyboard to log keystrokes, including passwords typed by a user, or sensitive network communications before they are transmitted. This includes the ability to intercept data that will be encrypted using protocols such as Transport Layer Security (TLS) prior to the point at which it is protected, in order to capture passwords and other sensitive data before it leaves the machine.
Secondly, they modify the results returned from certain API calls in order to hide the presence of their malware. This commonly may involve file-system or registry related API calls to remove entries used by the malware, to hide its presence from other processes. Not only can cyber criminals implement API hooking in a number of ways, the technique can also be deployed across a wide range of processes on a targeted system.
Tackling malicious API hooking
One way cyber security teams can detect the hidden traces of API hooking and other similar techniques is through memory analysis frameworks such as Volatility. Volatility is an open-source framework and the de facto standard toolset for performing memory analysis techniques against raw system memory images, useful in forensic investigations and malware analysis. The Volatility framework is very valuable when performing an in-depth investigation of systems on which day-to-day compromises have been detected.
While memory analysis can be an incredibly powerful and useful technique, it does not come without its challenges. One hurdle to consider when deploying memory analysis is the labour intensity it requires. Memory analysis is a highly skilled and time-intensive technique typically performed on one image at a time. This can be very effective when performing a dedicated investigation of a serious compromise, where the systems involved are known and relatively small in number. However, the challenge arises when trying to use memory analysis at scale to detect compromises on a large enterprise network in the absence of any other evidence.
Another obstacle to be aware of when implementing memory analysis is legitimate ‘bad’ behaviour. There are plenty of examples of hooking techniques being used by malware for malicious purposes. Nevertheless, there are also many cases of these techniques being used for legitimate, above-board purposes. In particular, technologies such as data loss prevention and antivirus often target the same functions for hooking as malware does. Without the techniques and experience to quickly separate legitimate injection and hooking from malicious behaviour, a great deal of time can be wasted.
Successful attack detection and response
As a first step in dealing with techniques like this, organisations need the capability in place to easily retrieve system memory images from suspect machines to allow rapid response and aid forensic investigation. However, this can generally only be used in a reactive manner.
To perform effective attack detection and response at scale against these techniques, organisations need the ability to conduct memory analysis proactively across an enterprise network, which calls for toolsets that continuously perform live memory analysis and report on suspicious findings. This enables the proactive discovery of unknown memory-resident malware without any prior knowledge or signatures.
Good Endpoint Detection and Response (EDR) software that offers live memory analysis capabilities at scale is required to proactively detect the direct use of techniques such as API hooking. Additionally, when gathering results at scale, approaches such as anomaly detection can help greatly by drawing a dividing line between API hooking that is common across the network, probably due to security software in use, and anomalous API hooking that is present only in a few isolated cases. Traditional memory forensics using a tool such as Volatility can then be used to investigate, in detail, the systems exhibiting suspicious behaviour.
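One way to apply the fleet-wide anomaly approach described above, as an added example that is not from the original article or from MWR’s tooling: given per-host hook findings, it separates hooks installed on nearly every host (typically security agents) from isolated ones that merit a detailed Volatility investigation. The host names, module names and the record format are constructed assumptions, not output of any real tool.

```python
from collections import defaultdict

HOSTS = [f"ws{n:02d}" for n in range(1, 11)]  # ten constructed hosts

# Constructed findings: (host, process, hooked function, module that installed the hook).
SAMPLE_HOOKS = []
for h in HOSTS:
    # Fleet-wide hooks of the kind DLP and antivirus agents commonly install.
    SAMPLE_HOOKS.append((h, "chrome.exe", "ws2_32.dll!send", "dlpagent.dll"))
    SAMPLE_HOOKS.append((h, "explorer.exe", "kernel32.dll!CreateFileW", "avshield.dll"))
# Isolated hooks seen on only one or two hosts (hypothetical module names).
SAMPLE_HOOKS += [
    ("ws07", "explorer.exe", "advapi32.dll!RegEnumValueW", "unknown_a.dll"),
    ("ws03", "explorer.exe", "ntdll.dll!NtQueryDirectoryFile", "unknown_b.dll"),
    ("ws07", "explorer.exe", "ntdll.dll!NtQueryDirectoryFile", "unknown_b.dll"),
]


def hook_prevalence(records):
    """Map (hooked function, hooking module) -> set of hosts where it was observed."""
    seen = defaultdict(set)
    for host, _process, func, module in records:
        seen[(func, module)].add(host)
    return seen


def triage_hooks(records, max_ratio=0.2):
    """Return hooks present on at most max_ratio of the hosts in the dataset.

    Each result is (hooked function, hooking module, sorted list of hosts);
    hooks above the ratio are treated as fleet-wide and left out.
    """
    hosts = {r[0] for r in records}
    anomalies = []
    for (func, module), on_hosts in hook_prevalence(records).items():
        if len(on_hosts) <= max_ratio * len(hosts):
            anomalies.append((func, module, sorted(on_hosts)))
    return sorted(anomalies)


if __name__ == "__main__":
    for func, module, on_hosts in triage_hooks(SAMPLE_HOOKS):
        print(f"investigate: {func} hooked by {module} on {', '.join(on_hosts)}")
```

The ratio threshold is a starting point; in practice it is tuned against the known inventory of security software so that agents deployed to only part of the estate do not keep surfacing.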
Many malware families have moved to using techniques such as API hooking in a stealthy attempt to avoid traditional security solutions and achieve certain end goals, such as spying on passwords. The 2015 Verizon Data Breach Report found that “malware is part of the event chain in virtually every security incident”. It also reported that “70-90% of malware samples are unique to an organisation” and that “organisations would need access to all threat intelligence indicators in order for the information to be helpful.” Given these findings, it is obvious that having an effective technique for discovering previously unseen malware on your network is extremely important.
Overall, memory analysis can be used to uncover some, not all, of the stealth techniques used by modern malware families. However, it is an important capability to have in order to detect compromises using modern memory-resident malware.
Android Go puts reliable smartphones in budget pockets
Nokia, Vodacom and Huawei have all launched entry-level smartphones running the Android Go edition, and all deliver a smooth experience, writes BRYAN TURNER.
Three new and notable Android Go smartphones have recently hit the market, namely the Nokia 1, the Vodafone Smart Kicka 4 and the Huawei Y3 (2018). These phones run one of the most basic versions of Android while still delivering a fairly smooth user experience.
Historically, consumers purchasing smartphones in the budget bracket would have a hit-and-miss experience with processing speed, smoothness of user interface, and app stability. The Google-supported Android Go edition operating system optimises the user experience by stripping out non-essential visual effects to speed up the phone. This leaves more memory available to apps.
Google also ensures that all smartphones running Android Go will receive feature and security updates as they are released by Google. This is a major selling point for these smartphones, as users of this smartphone will always be running the latest software, with virtually no manufacturer bloatware.
Vodafone Smart Kicka 4
At the lowest entry-level, the Vodafone Smart Kicka 4 performs well as a communicator for emails and WhatsApp messages. The 4” screen represents a step up for entry-level Android phones, which were previously standardised at 3.5”.
The display is bright and very responsive, while the limited screen real estate leaves the navigation keys off the screen as touch buttons. It uses 3G connectivity, which might seem like an outdated technology, but is good enough to stream SD videos and music. Vodacom has also thrown in some data gifts if the smartphone is activated before the end of September 2018.
Its camera functionalities might be a slight let down for the aspirant Instagrammer, with a 2MP rear flash camera and a 0.3MP selfie snapper. Speed wise, the keyboard pops up quickly, which is a huge improvement from the Smart Kicka 3. However, this phone will not play well with graphics-intensive games.
Nokia 1
Next up is the Nokia 1, which adds a much better 5MP camera, improved battery life and a bigger 4.5” screen. It supports LTE, which allows this smartphone to download and upload at the speed of flagships. It also sports the Nokia brand name, which many consumers trust.
Although the front camera is 2MP, the quality is extremely grainy, even with good lighting. This disqualifies this smartphone for the social media selfie snapper, but the 5MP rear camera will work for the landscape and portrait photographer.
The screen also redeems this smartphone, providing a display which represents colours truly and has great viewing angles. Xpress-on back covers allows the use of interchangeable, multi-coloured back covers, which has proven to be a successful sales point for mid-range smartphones in the past.
Huawei Y3 (2018)
The most capable of the Android Go edition competitors, the Huawei Y3 (2018) packs an even bigger screen at 5”, as well as an improved 8MP rear camera and HD video recording. The screen is the brightest and most vibrant of the three smartphones, but seems to be calibrated to show colours a little more saturated than they actually are.
Nevertheless, the camera outperforms the other smartphones with good colour replication and great selfie capabilities via the 2MP front camera – far superior to the Nokia 1 despite the same spec. LTE also comes standard with this smartphone and Vodacom throws in 4G/LTE data goodies until the end of September 2018. The battery, however, is not removable and may only be replaced by a warranty technician.
Comparing the 3
All three smartphones have removable back covers, which provide access to the battery, SIM card and SD card slots. The smartphones have Micro USB ports on the bottom with headphone jacks on the top. The built-in speakers all performed well, with the Y3 (2018) housing an exceptionally loud built-in speaker.
Although all at different price points, all three phones remain similar in performance and speed. The differentiators are apparent in the components, like camera quality and screen quality. It would be fair to rank the quality of the camera and battery life by respective market prices. The Vodafone Smart Kicka 4 performed well for its R399 retail price. The Nokia 1, on the other hand, lags quite a bit in features when compared to the Huawei Y3 (2018), with both retailing at R999.
SA gets digital archive
As the world entered the centenary of Nelson Mandela’s birth on Mandela Day, 18 July 2018, South Africa celebrated the launch of a digital living archive.
The southafrica.co.za site carries content about the country’s collective heritage in South Africa’s eleven official languages.
Designed as a nation building, educational and brand promotion web based tool, the free-to-view platform features award-winning photographic and written content by leading South African photographers, authors, academics and photojournalists.
The emphasis is on quality, credible, factual content that celebrates a collective heritage in terms of the following: Cultural Heritage; Natural Heritage; Education; History; Agriculture; Industry; Mining; and Travel.
At the same time as reflecting on the nation’s history, southafrica.co.za celebrates South Africa’s natural, cultural and economic assets so that the youth can learn about their nation in their home language.
Southafrica.co.za Founder and CEO Hans Gerrizen conceptualised southafrica.co.za as a means for youth and communities from outlying areas to benefit from the digital age in terms of the web tool’s empowering educational component.
“We can only stand to deepen our collective experience of democracy and become a more forward planning nation if we know facts about our nation’s past and present in everyone’s home language,” he says.
Southafrica.co.za, with sister company Siyabona Africa, is the organiser and sponsor of the Mandela: 100 Moments photographic exhibition that runs until 30 September at Cape Town’s V&A Waterfront-based Nelson Mandela Gateway to Robben Island. The 3-month exhibition, which runs daily from 08h00 until 15h00, is showcasing one hundred iconic Nelson Mandela images taken by veteran South African photojournalist and self-taught lensman Peter Magubane.