Hackers are evading traditional detection applications with a new approach called Application program interface hooking. LUKE JENNINGS, Chief Research Officer for Countercept at MWR InfoSecurity, takes a look at what API hooking is and how it can be thwarted.
Traditional malware detection and forensic investigation techniques typically focus on detecting malicious native executables on disk, and performing disk forensics to uncover evidence of historical actions on a system. In response, many threat actors have shifted their offensive techniques to avoid writing to disk, staying resident only in memory. Consequently, the ability to effectively analyse live memory for evidence of compromise and to gather additional forensic evidence has become increasingly important.
Application program interface (API) hooking is one of the memory-resident techniques cyber criminals are increasingly using. The process involves intercepting function calls in order to monitor and/or change the information passing back and forth between them. There are many reasons, both legitimate and malicious, why using this might be desirable. In the case of malware, the API hooking process is commonly considered to be ‘rootkit’ functionality and is mostly used to hide evidence of its presence on the system from other processes, and to spy on sensitive data.
How are the cyber criminals using API hooking?
There are two common use cases for the malicious use of API hooking. Firstly, it can be used to spy on sensitive information and so they use it to intercept sensitive data, such as communications with the keyboard to log keystrokes including passwords that are typed by a user, or sensitive network communications before they are transmitted. This includes the ability to intercept data encrypted using protocols such as Transport Layer Security (TLS) prior to the point at which they are protected, in order to capture passwords and other sensitive data before it is transmitted.
Secondly, they modify the results returned from certain API calls in order to hide the presence of their malware. This commonly may involve file-system or registry related API calls to remove entries used by the malware, to hide its presence from other processes. Not only can cyber criminals implement API hooking in a number of ways, the technique can also be deployed across a wide range of processes on a targeted system.
Tackling malicious API hooking
One way cyber security teams can detect the hidden traces of API hooking and other similar techniques is through memory analysis frameworks such as Volatility. Volatility is an open-source framework and the de facto standard toolset for performing memory analysis techniques against raw system memory images, useful in forensic investigations and malware analysis. The Volatility framework is very valuable when performing an in-depth investigation of systems on which day-to-day compromises have been detected.
While memory analysis can be an incredibly powerful and useful technique, it does not come without its challenges. One hurdle to consider when deploying memory analysis is the labour intensity it requires. Memory analysis is a highly skilled and time-intensive technique typically performed on one image at a time. This can be very effective when performing a dedicated investigation of a serious compromise, where the systems involved are known and relatively small in number. However, the challenge arises when trying to use memory analysis at scale to detect compromises on a large enterprise network in the absence of any other evidence.
Another obstacle to be aware of when implementing memory analysis is legitimate ‘bad’ behaviour. There are plenty of examples of hooking techniques being used by malware for malicious purposes. Nevertheless, there are also many cases of these techniques being used for legitimate, above-board purposes. In particular, technologies such as data loss prevention and antivirus often target the same functions for hooking as malware does. Without the techniques and experience to quickly separate legitimate injection and hooking from malicious behaviour, a great deal of time can be wasted.
Successful attack detection and response
As a first step in dealing with techniques like this, organisations need the capability in place to easily retrieve system memory images from suspect machines to allow rapid response and aid forensic investigation. However, this can generally only be used in a reactive manner.
To perform effective attack detection and response at scale specifically with regard to these techniques, an ability to conduct memory analysis proactively at scale across an enterprise network is required, which is where toolsets continuously conducting live memory analysis and reporting on suspicious findings are required. This will enable the proactive discovery of unknown memory-resident malware without any prior knowledge or signatures.
Good Endpoint Detection and Response (EDR) software that offers live memory analysis capabilities at scale are required to proactively detect the direct use of techniques such as live memory analysis. Additionally, when gathering results at scale, approaches such as anomaly detection can help greatly by drawing a dividing line between API hooking that is common across the network, probably due to security software in use, and anomalous API hooking that seems present only in a few isolated cases. Traditional memory forensics using a tool such as Volatility can then be used in order to investigate, in detail, systems exhibiting suspicious behaviour.
Many malware families have moved to using techniques such as API hooking in a stealthy attempt to avoid traditional security solutions and achieve certain end goals, such as spying on passwords. The 2015 Verizon Data Breach Report found that “malware is part of the event chain in virtually every security incident”. It also reported that “70-90% of malware samples are unique to an organisation” and that “organisations would need access to all threat intelligence indicators in order for the information to be helpful.” Given these findings, it is obvious that having an effective technique for discovering previously unseen malware on your network is extremely important.
Overall, memory analysis can be used to uncover some, not all, of the stealth techniques used by modern malware families. However, it is an important capability to have in order to detect compromises using modern memory-resident malware.
YouTube Music announces Smart Downloads, SA playlists
The service has introduced Smart Downloads which takes allowing users to store and play hundreds of tunes offline, automatically.
The latest updates from YouTube Music, for subscribers of its Music Premium and Premium services, include a new feature that allows users to switch seamlessly between a song and its music video for an uninterrupted experience.
It has also introduced Smart Downloads which takes the work out of downloading music, allowing users to store and play hundreds of tunes offline, automatically. YouTube Music has also announced new playlists for South Africa.
The updates all reflect features that are popular on the global leader in music streaming, Spotify, and that have been key to its growth.
YouTube said in a statement on Friday: “Imagine listening to a new track by your favourite artist in the YouTube Music app and having the ability to seamlessly switch over to watch the music video – no pauses, no interruptions, just a simple tap that keeps the music flowing. This standout new feature from YouTube Music allows YouTube Premium and YouTube Music Premium subscribers to make a seamless transition between a song and its music video for uninterrupted listening and/or watching. Whether you’re in the mood for listening or watching (or a little of both)… it’s all here – no app switching required.”
With Smart Downloads, YouTube Music automatically saves music at night, when connected to Wi-Fi, helping subscribers to use less mobile data, enjoy a smoother updating experience and save up to 500 songs offline using Liked Songs playlist as well as other playlists and albums.
Previously, music lovers could use the Offline Mixtape feature to download up to 100 songs, specifically chosen for them based on what they listened to most on the platform. Now, with Smart Downloads, they select the number of songs they would like automatically downloaded by toggling their YouTube Music Settings. This means YouTube Music Premium subscribers with Smart Downloads enabled on their mobile devices can now access hundreds of tracks regardless of connectivity.
This feature is currently available on Android, with plans to bring it to iOS in the future.
Click here to read more about YouTube Music playlists, and find out what is inside them.
Make cars, not waste
Jaguar Land Rover is trialling an innovative recycling process which converts plastic waste into a new premium grade material that could feature on future vehicles.
It’s estimated that the amount of waste plastic is predicted to exceed 12 million tonnes globally by 2050*. Today, not all of this plastic can be recycled for use in automotive applications – especially in vehicle parts that are required to meet the most exacting safety and quality standards.
Working in conjunction with chemical company, BASF, Jaguar Land Rover is part of a pilot project called ChemCycling that upcycles domestic waste plastic, otherwise destined for landfill or incinerators, into a new high-quality material.
The waste plastic is transformed to pyrolysis oil using a thermochemical process. This secondary raw material is then fed into BASF’s production chain as a replacement for fossil resources; ultimately producing a new premium grade that replicates the high quality and performance of ‘virgin’ plastics. Importantly, it can be tempered and coloured making it the ideal sustainable solution for designing the next-generation dashboards and exterior-surfaces in Jaguar and Land Rover models.
Jaguar Land Rover and BASF are currently testing the pilot phase material in a Jaguar I-PACE prototype front-end carrier overmoulding to verify it meets the same stringent safety requirements of the existing original part.
Pending the outcome of the trials and progression in taking chemical recycling to market readiness, adoption of the new premium material would mean Jaguar Land Rover could use domestically derived recycled plastic content throughout its cars without any compromise to quality or safety performance**.
Chris Brown, Senior Sustainability Manager at Jaguar Land Rover, said: “Plastics are vital to car manufacturing and have proven benefits during their use phase, however, plastic waste remains a major global challenge. Solving this issue requires innovation and joined-up thinking between regulators, manufacturers and suppliers.
“At Jaguar Land Rover, we are proactively increasing recycled content in our products, removing single-use plastics across our operations and reducing excess waste across the product lifecycle. The collaboration with BASF is just one way in which we are advancing our commitment to operating in a circular economy.”
This is the latest example of Jaguar Land Rover’s commitment to addressing the challenge of waste plastic. The company has collaborated with Kvadrat to offer customers alternative seat options that are both luxurious and sustainable. The high-quality material, available initially on the Range Rover Velar and Range Rover Evoque, combines a durable wool blend with a technical suedecloth that is made from 53 recycled plastic bottles per vehicle.
Jaguar Land Rover has already met its 2020 target for Zero Waste to Landfill for UK operations. This includes the removal of 1.3 million m2 – equal to 187 football pitches – of plastic from its manufacturing lineside and replacing 14 million single use plastic items in business operations.
Together, these efforts are driving towards Jaguar Land Rover’s vision for Destination Zero; an ambition to make societies safer and healthier, and the environment cleaner. Delivered through relentless innovation to adapt its products and services to the rapidly-changing world, the company’s focus is on achieving a future of zero emissions, zero accidents and zero congestion.
** All Jaguar and Land Rover vehicles tested have achieved a Euro NCAP 5* rating.