The Evolving Threat Landscape

Upload: cygnus0ff

Posted on 25-May-2015

DESCRIPTION

RSA 2011 conference

TRANSCRIPT

Page 1: Evolving Threat Landscape

The Evolving Threat Landscape

Zheng Bu, Rahul Kashyap, McAfee Labs

Session ID: HT2-106

Session Classification: Intermediate

Page 2: Evolving Threat Landscape

Agenda

Vulnerabilities and Exploitation

Targeted Attacks (APTs)

Cybercrime Goes Social

Q&A

Page 3: Evolving Threat Landscape

Vulnerabilities and Exploitation


Page 4: Evolving Threat Landscape

2010: Microsoft and Adobe Vulnerabilities Snapshot

[Bar chart: number of security patches per year, 2007 to 2010, for Microsoft and Adobe (y-axis 0 to 300). Source: McAfee Labs]

Page 5: Evolving Threat Landscape

2010: High-Profile Zero-Day Vulnerabilities

Steady increase in attacks targeting client software. Adobe and Microsoft were popular exploit victims.

CVE-2010-0249: MS10-002 HTML Object Memory Corruption Vulnerability (Operation Aurora)

CVE-2010-2883: Adobe SING Tag Buffer Overflow Vulnerability

CVE-2010-2884: Adobe Reader, Flash Player Code Execution Vulnerability

CVE-2010-1297: Adobe Flash Memory Corruption Vulnerability

CVE-2010-1885: Windows Help and Support Center Vulnerability

CVE-2010-1240: PDF /Launch Attack (Zeus)

CVE-2010-2568: Windows Shortcut Icon Loading Vulnerability (Stuxnet)

CVE-2010-2729: Print Spooler Service Impersonation Vulnerability (Stuxnet)

Page 6: Evolving Threat Landscape

Malware Writers Love Adobe Vulnerabilities

[Chart: productivity-application vulnerability based malware in 2010, split between MS Office (Word, Excel, PowerPoint) and Adobe Reader/Acrobat. Source: McAfee Labs]

Page 7: Evolving Threat Landscape

Which Adobe App Was Most Exploited in 2010? The Winner Is Reader!

[Chart: unique Adobe-targeting malware detected in the wild in 2010, Adobe Flash vs. Adobe PDF. Source: McAfee Labs]

Page 8: Evolving Threat Landscape

Mitigation vs. Exploitation: a Catch-Up Game

Stack overflow attacks, answered by stack canary checks and Safe SEH

Heap overflow attacks, answered by heap safe unlink

Shellcode execution, answered by Data Execution Prevention (DEP/NX) and Address Space Layout Randomization (ASLR)

Return Oriented Programming (ROP) and JIT spray, which in turn get past DEP and ASLR

Page 9: Evolving Threat Landscape

Case Study: CVE-2010-2883 Adobe SING Tag Buffer Overflow Vulnerability

“Classic” stack overflow

The exploit does not overwrite the return address

It overwrites a pointer in the stack to bypass stack protection

Source: McAfee Labs

Page 10: Evolving Threat Landscape

Case Study: CVE-2010-2883 Adobe SING Tag Buffer Overflow Vulnerability

Uses ROP techniques in the shellcode to bypass DEP+ASLR.

Special staged shellcode for this DLL

Source: McAfee Labs
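The pointer-overwrite idea on the two case-study slides, as an added example that is not code from the McAfee Labs deck or from Adobe: a C model of the CVE-2010-2883 bug class. The real flaw was an unchecked copy of a SING table field into a fixed stack buffer in CoolType.dll; the frame layout below (a 32-byte buffer next to a callback pointer), the record format, the handler names and the NAME_MAX limit are all assumptions for illustration. The vulnerable parser trusts the length from the file and runs off the end of the buffer into a pointer it then calls before the function ever returns, so a stack cookie that is only verified in the epilogue never gets a chance to fire; the hardened parser rejects the length before writing a byte.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* assumed size of the fixed stack buffer */

/* Modelled slice of the parser's stack frame (an assumption, not the real
 * CoolType.dll layout): a fixed buffer followed by a pointer the function
 * calls before it returns.  A /GS cookie guards the return address and is
 * only checked in the epilogue, so a pointer consumed earlier is unguarded. */
struct frame {
    char name[NAME_MAX];
    void (*on_parsed)(const char *name);
};

static int legit_calls, hijacked_calls;
static void legit_handler(const char *name)    { (void)name; legit_calls++; }
static void hijacked_handler(const char *name) { (void)name; hijacked_calls++; }

/* Simplified SING-table-like record: a length taken straight from the file
 * and the name bytes it claims to describe. */
struct sing_record {
    uint16_t name_len;
    const uint8_t *name;
};

/* Vulnerable: trusts name_len.  A long name runs past name[] into on_parsed,
 * like the original unchecked copy into a fixed stack buffer.  The write goes
 * through a byte pointer to the whole struct so the demo is well-defined C,
 * and it is capped at the modelled frame so it cannot damage the demo's own
 * stack; the real code had no such cap. */
static void parse_sing_vulnerable(struct frame *f, const struct sing_record *r)
{
    unsigned char *base = (unsigned char *)f;
    f->on_parsed = legit_handler;
    for (size_t i = 0; i < r->name_len; i++) {
        size_t off = offsetof(struct frame, name) + i;
        if (off >= sizeof *f)
            break;
        base[off] = r->name[i];
    }
    f->on_parsed(f->name);   /* calls through the possibly clobbered pointer */
}

/* Hardened: validate the length against the destination before writing a
 * single byte, and always NUL-terminate. */
static bool parse_sing_hardened(struct frame *f, const struct sing_record *r)
{
    if (r->name_len >= NAME_MAX)   /* leave room for the terminator */
        return false;
    f->on_parsed = legit_handler;
    memcpy(f->name, r->name, r->name_len);
    f->name[r->name_len] = '\0';
    f->on_parsed(f->name);
    return true;
}

enum outcome { REJECTED = 0, LEGIT = 1, HIJACKED = 2 };

/* Feeds a constructed record to one of the parsers.  The name is 'A' filler
 * followed by the address of hijacked_handler, so a name long enough to reach
 * on_parsed redirects the call.  name_len is clamped to the payload size. */
enum outcome parse_record(bool hardened, size_t name_len)
{
    uint8_t payload[NAME_MAX + sizeof(void *)];
    void (*target)(const char *) = hijacked_handler;
    struct frame f;
    struct sing_record r;

    memset(payload, 'A', NAME_MAX);
    memcpy(payload + NAME_MAX, &target, sizeof target);
    if (name_len > sizeof payload)
        name_len = sizeof payload;
    r.name_len = (uint16_t)name_len;
    r.name = payload;

    legit_calls = hijacked_calls = 0;
    if (hardened) {
        if (!parse_sing_hardened(&f, &r))
            return REJECTED;
    } else {
        parse_sing_vulnerable(&f, &r);
    }
    return hijacked_calls ? HIJACKED : LEGIT;
}

int main(void)
{
    printf("vulnerable, short name : %d\n", parse_record(false, 8));   /* 1 = LEGIT */
    printf("vulnerable, long name  : %d\n", parse_record(false, 40));  /* 2 = HIJACKED */
    printf("hardened,   short name : %d\n", parse_record(true, 8));    /* 1 = LEGIT */
    printf("hardened,   long name  : %d\n", parse_record(true, 40));   /* 0 = REJECTED */
    return 0;
}
```

The point to take from the model is the one the slide makes: a cookie only protects what is checked at function exit. Any pointer, length or object reference that the function consumes between the overflow and its return is outside that protection, which is why the fix has to be the bounds check on the copy and not a reliance on /GS.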

Page 11: Evolving Threat Landscape

DEP+ASLR = Peace of Mind!

Vulnerability: exploitation technique

Adobe Products authplay.dll Code Execution [CVE-2010-3654]: ROP shellcode

Adobe Products authplay.dll Code Execution [CVE-2010-2884]: ROP shellcode

Adobe Flash Player, Reader, and Acrobat authplay.dll [CVE-2010-1297]: ROP shellcode

Adobe Reader and Acrobat XFA TIFF Support Code Execution Vulnerability [CVE-2010-0188]: ROP shellcode

Adobe Reader CoolType.dll TTF Font Vulnerability [CVE-2010-2883]: ROP shellcode

Adobe Reader and Acrobat newplayer() JavaScript Method Vulnerability [CVE-2009-4324]: ROP shellcode

Page 12: Evolving Threat Landscape

Stealthy Exploitation

AKA: Harmonious Exploitation (“和谐漏洞利用”)

Qualifications:

No intrusive reconnaissance required

Application and platform awareness

Robust exploitation

No impact on availability of the target service

No impact on availability of the target application

Bypassing the security mitigations on the target (GS, DEP, ASLR, etc.)

Adaptive to complex network environments, scalable, C&C ready

Network security inspection device evasion

Page 13: Evolving Threat Landscape

Stealthy Exploitation: Case Study

Exploits that identify Adobe Reader versions

Exploits that open a legitimate PDF file on successful exploitation

Exploits that obfuscate to evade NIPS inspection

Page 14: Evolving Threat Landscape

Welcome to the “App Store” of Exploit Kits

Page 15: Evolving Threat Landscape

Crimepack

Features include:

Tracking website stats

Regularly updated exploits

Geolocation tracker

OS stats

Browser stats

Test attack before launching

Success rate

Page 16: Evolving Threat Landscape

Targeted Attacks (Advanced Persistent Threats)

Page 17: Evolving Threat Landscape

Case Study: Operation Aurora

A coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper, Symantec, and others

Exploits a zero-day vulnerability in Internet Explorer

Lures users to malicious websites, installs Trojan malware on systems, uses the Trojan to gain remote access

Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts

Page 18: Evolving Threat Landscape

Operation Aurora: Modus Operandi

1. Attack initiated: a user with the IE vulnerability visits a website infected with Operation Aurora malware.

2. Attack in progress: the website exploits the vulnerability; malware (disguised as a JPG) is downloaded to the user's system.

3. Attack setup complete: malware is installed on the user's system and opens a back door (using a custom protocol acting like SSL) that gives access to sensitive data.

Page 19: Evolving Threat Landscape

Operation Aurora: Exploit

[Figure: the original obfuscated exploit beside the de-obfuscated exploit]

The payload has multiple levels of obfuscation to disguise the payload

The payload exploits a zero-day vulnerability in Internet Explorer

The attack uses heap spray and downloads a fake image, an XOR'ed binary.

The backdoor is now installed and sends out fake SSL traffic
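The fake-image stage described above, as an added example that is not code from the McAfee Labs deck and not bytes from any Aurora sample: a C routine that first checks whether a file served as an image actually starts with a JPEG marker and, if not, brute-forces a single-byte XOR key by looking for an MZ header whose e_lfanew field points at a PE signature. The sample blob, its 0x48-byte layout and the demo key 0x95 are constructed here; the single-byte key width is an assumption, and nothing below claims to be the key used in the real attack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* True when the bytes start with the JPEG start-of-image marker FF D8 FF. */
bool looks_like_jpeg(const uint8_t *buf, size_t n)
{
    return n >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF;
}

/* True when buf XOR key looks like a PE image: "MZ" at offset 0 and the
 * e_lfanew field at 0x3C pointing at a "PE\0\0" signature inside buf. */
static bool decodes_to_pe(const uint8_t *buf, size_t n, uint8_t key)
{
    if (n < 0x40)
        return false;
    if ((buf[0] ^ key) != 'M' || (buf[1] ^ key) != 'Z')
        return false;
    uint32_t lfanew = 0;
    for (int i = 0; i < 4; i++)                   /* little-endian u32 */
        lfanew |= (uint32_t)(buf[0x3C + i] ^ key) << (8 * i);
    if (lfanew > n - 4)                           /* keep the lookup in bounds */
        return false;
    return (buf[lfanew] ^ key) == 'P' && (buf[lfanew + 1] ^ key) == 'E'
        && (buf[lfanew + 2] ^ key) == 0 && (buf[lfanew + 3] ^ key) == 0;
}

/* Tries all 256 single-byte keys; returns the first that yields a PE, or -1. */
int find_xor_key(const uint8_t *buf, size_t n)
{
    for (int key = 0; key < 256; key++)
        if (decodes_to_pe(buf, n, (uint8_t)key))
            return key;
    return -1;
}

/* XOR is its own inverse: the same routine encodes and decodes in place. */
void xor_buffer(uint8_t *buf, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key;
}

/* Constructed sample: a 0x48-byte stub carrying only the fields the check
 * needs, encoded with an arbitrary demo key.  Not bytes from any real sample. */
#define SAMPLE_LEN 0x48
#define SAMPLE_KEY 0x95
static uint8_t g_sample[SAMPLE_LEN];

size_t load_sample(void)
{
    memset(g_sample, 0, SAMPLE_LEN);
    g_sample[0] = 'M';
    g_sample[1] = 'Z';
    g_sample[0x3C] = 0x40;                        /* e_lfanew = 0x40 */
    memcpy(g_sample + 0x40, "PE\0\0", 4);
    xor_buffer(g_sample, SAMPLE_LEN, SAMPLE_KEY);
    return SAMPLE_LEN;
}

/* Full flow on the sample.  Returns -2 if the bytes really are a JPEG,
 * -1 if no single-byte key yields a PE, otherwise the recovered key;
 * on success g_sample is left decoded. */
int recover_sample(void)
{
    size_t n = load_sample();
    if (looks_like_jpeg(g_sample, n))
        return -2;
    int key = find_xor_key(g_sample, n);
    if (key >= 0)
        xor_buffer(g_sample, n, (uint8_t)key);
    return key;
}

/* After recover_sample(): true when g_sample now holds a plain PE header. */
bool sample_is_plain_pe(void)
{
    return decodes_to_pe(g_sample, SAMPLE_LEN, 0);
}

int main(void)
{
    int key = recover_sample();
    printf("recovered key: %d, plain PE now: %s\n",
           key, sample_is_plain_pe() ? "yes" : "no");
    return 0;
}
```

As a detection rule of thumb this is the check worth running on any download whose declared content type is an image: a body that does not begin with the format's magic bytes but does decode to a PE under a trivial key is the signature of exactly this staging trick, and it is cheap to run on proxy logs or in a sandbox.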

Page 20: Evolving Threat Landscape

Cybercrime Goes Social


Page 21: Evolving Threat Landscape

Abusing Social Networks

Fake accounts on sale

Accounts can be used to send spam, phishing, fake products/services, or malicious downloads

Prices vary depending on the quality of the account

Source: McAfee Labs

Page 22: Evolving Threat Landscape

“Social” Hacktivism

2010 had several instances of activist groups launching protests over the Internet

DDoS seems to be the favorite vector

Lines between cyberwarfare and hacktivism continue to blur

Source: McAfee Labs

Page 23: Evolving Threat Landscape

Operation Payback

Page 24: Evolving Threat Landscape

Operation Payback

The attack tool was a modified, public open-source tool called LOIC

Created a “social botnet” using HIVE mode

Attack vector is unsophisticated, but has temporary impact on global enterprises

Page 25: Evolving Threat Landscape

Conclusions

Client-side attacks are on the rise

There is no silver bullet for security; all the available known defenses can be bypassed

Stealthy exploitation makes attacks more difficult to detect

APTs leverage all of the latest exploitation techniques and are becoming the most severe threats for businesses

Social networks have been leveraged by attackers and hacktivists

Do not completely rely on security protection from vendors. Use extreme caution when you surf!