How Google Was Pwned: In-Depth Look into the Aurora Attacks


Upload: northeast-ohio-information-security-forum

Posted on 08-Jun-2015


DESCRIPTION

Presented at the February 2010 meeting of the Northeast Ohio Information Security Forum by Josh Kelley, Enterprise Security Analyst for a Fortune 1000 company.

TRANSCRIPT

Page 1: How Google Was Pwned: In-Depth Look into the Aurora Attacks


Page 2: What Makes Aurora Impressive

It weaves together targeted Social Engineering attacks, Zero-Day exploits, and malware to successfully compromise the networks of over 20 major international corporations including the almighty Google.

Page 3: Two Separate Attack Vectors

- Social engineering – focused and precise

- Zero-day exploits – Internet Explorer

Page 4: Social Engineering Vector

- Several key things were done to increase the success of the spear-phishing emails:

  - Certain individuals within the companies were targeted.

  - Friends of the targeted individuals were targeted as well.

  - The targets are thought to have elevated privileges within the companies (sysadmins, developers, etc.).

Page 5: The Zero-Day Exploit

- Microsoft Security Bulletin MS10-002

- Affects Internet Explorer 5, 6, 7, and 8

- HTML Object Memory Corruption

Page 6: Why It Works

- IE has a bug in handling deleted objects.

- This allows the attacker to inject malicious code into the memory of a previously deleted object.

Page 7: The Heap Spray

- The attacker uses a heap-spray technique to place the payload in memory.

Page 8: Core of the Exploit

Page 9: Exploit Flow

- HTML loads the image.

- JavaScript deletes it (function EV1).

- Then replaces it with a memory address (function EV2).

- Which hits the heap spray.

- And executes the payload.
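The "Why It Works" and "Exploit Flow" slides describe the same root cause: a reference to an object outlives the object, and whatever later lands in that memory is used as if it were still the original. The following added example (not from the talk, and not Internet Explorer's code) models this with a toy element table. Handles carry a generation counter that the delete path bumps, so a stale reference is refused instead of being dispatched into reused memory; an unchecked lookup is kept alongside to show what a raw dangling pointer would see. All names (`slots`, `handle_t`, `element_t`, `fire_event`, and so on) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_COUNT 4

/* A handle is an index plus the slot generation it was issued for. */
typedef struct {
    uint32_t index;
    uint32_t generation;
} handle_t;

typedef struct {
    int live;
    uint32_t generation;          /* bumped on every delete */
    char tag[16];
    void (*on_event)(const char *tag);
} element_t;

static element_t slots[SLOT_COUNT];   /* toy "heap" of DOM-like elements */

static void default_handler(const char *tag) { printf("event dispatched on %s\n", tag); }

void elements_reset(void) { memset(slots, 0, sizeof slots); }

/* Allocate the first free slot; a freed slot is reused, as a real heap would. */
handle_t element_create(const char *tag) {
    for (uint32_t i = 0; i < SLOT_COUNT; i++) {
        if (!slots[i].live) {
            slots[i].live = 1;
            strncpy(slots[i].tag, tag, sizeof slots[i].tag - 1);
            slots[i].tag[sizeof slots[i].tag - 1] = '\0';
            slots[i].on_event = default_handler;
            return (handle_t){ i, slots[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };
}

/* Delete: scrub the object and bump the generation so every outstanding
 * handle to it becomes stale. Returns 0 for an unknown or already-deleted handle. */
int element_delete(handle_t h) {
    if (h.index >= SLOT_COUNT) return 0;
    element_t *e = &slots[h.index];
    if (!e->live || e->generation != h.generation) return 0;
    e->live = 0;
    e->generation++;
    memset(e->tag, 0, sizeof e->tag);
    e->on_event = NULL;
    return 1;
}

/* Unchecked lookup: trusts the index alone, like a raw pointer into freed memory. */
const char *element_tag_unchecked(handle_t h) {
    if (h.index >= SLOT_COUNT) return NULL;
    return slots[h.index].tag;
}

/* Checked lookup: NULL for any handle whose generation no longer matches. */
element_t *element_resolve(handle_t h) {
    if (h.index >= SLOT_COUNT) return NULL;
    element_t *e = &slots[h.index];
    if (!e->live || e->generation != h.generation) return NULL;
    return e;
}

/* Dispatch an event only through a live, current handle. */
int fire_event(handle_t h) {
    element_t *e = element_resolve(h);
    if (!e) return 0;               /* stale reference: refuse, do not dereference */
    e->on_event(e->tag);
    return 1;
}

/* Walks the slide's sequence: create, keep a second reference, delete, reallocate.
 * Returns 1 when the unchecked read sees the replacement object (the slot was
 * reused) while the checked dispatch correctly rejects the stale handle. */
int demo_stale_handle(void) {
    elements_reset();
    handle_t image = element_create("image");
    handle_t kept_by_handler = image;          /* reference that outlives the object */
    element_delete(image);
    handle_t replacement = element_create("replacement");   /* reuses the same slot */
    int slot_reused = strcmp(element_tag_unchecked(kept_by_handler), "replacement") == 0;
    int stale_rejected = fire_event(kept_by_handler) == 0;
    int fresh_ok = fire_event(replacement) == 1;
    return slot_reused && stale_rejected && fresh_ok;
}

int main(void) {
    printf("stale handle rejected: %s\n", demo_stale_handle() ? "yes" : "no");
    return 0;
}
```

The generation check is the same idea as the tombstoning and reference counting that browsers later adopted for DOM nodes: the object's memory may be reused, but no stale reference is ever allowed to reach it.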

Page 10: DEP in a Nutshell

- Data Execution Prevention (DEP) makes buffer overflows harder to exploit because it adjusts stacks to read-only.

- DEP was often surprisingly hard to bypass in browser exploits and typically made heap-spray attacks difficult, if not impossible.
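What DEP (the NX bit on x86) actually enforces is that data pages such as the stack and heap are not executable, so a sprayed payload cannot simply be jumped to. One way to audit that property on a running Linux process is to look for regions that are mapped both writable and executable. The following added example (not from the talk) parses text in the format of `/proc/<pid>/maps` and counts such W+X regions; the sample text `SAMPLE_MAPS` and the function names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format: a process whose heap is
 * wrongly mapped read/write/execute, which DEP would not allow. */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:01 1234      /usr/bin/demo\n"
    "00651000-00652000 rw-p 00051000 08:01 1234      /usr/bin/demo\n"
    "00e03000-00e24000 rwxp 00000000 00:00 0         [heap]\n"
    "7ffd1e1b2000-7ffd1e1d3000 rw-p 00000000 00:00 0 [stack]\n"
    "7ffd1e1f7000-7ffd1e1f9000 r-xp 00000000 00:00 0 [vdso]\n";

/* 1 if a permission field such as "rwxp" is both writable and executable. */
int perms_are_wx(const char *perms) {
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X regions in maps-format text. If out_first is non-NULL, the
 * name of the first offending region is copied into it. */
int count_wx_regions(const char *maps_text, char *out_first, size_t out_len) {
    int count = 0;
    const char *line = maps_text;
    if (out_first && out_len) out_first[0] = '\0';

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        unsigned long long start, end;
        char perms[8];
        char name[256];
        name[0] = '\0';
        /* fields: start-end perms offset dev inode [pathname] */
        int n = sscanf(buf, "%llx-%llx %7s %*s %*s %*s %255s", &start, &end, perms, name);
        if (n >= 3 && perms_are_wx(perms)) {
            if (count == 0 && out_first && out_len) {
                strncpy(out_first, name[0] ? name : "(anonymous)", out_len - 1);
                out_first[out_len - 1] = '\0';
            }
            count++;
        }
        line = nl ? nl + 1 : line + len;
    }
    return count;
}

/* Audit the calling process itself; returns -1 where /proc is unavailable. */
int audit_live_process(char *out_first, size_t out_len) {
    static char text[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t got = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[got] = '\0';
    return count_wx_regions(text, out_first, out_len);
}

int main(void) {
    char first[64];
    int n = count_wx_regions(SAMPLE_MAPS, first, sizeof first);
    printf("sample: %d W+X region(s), first: %s\n", n, n ? first : "none");
    n = audit_live_process(first, sizeof first);
    if (n < 0) printf("live audit: /proc/self/maps not available\n");
    else printf("live audit: %d W+X region(s)\n", n);
    return 0;
}
```

On a system with DEP/NX enforced, the live audit of a normal process should report zero W+X regions; a non-zero count for `[heap]` or `[stack]` is exactly the condition that makes a heap spray directly executable.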

Page 11: ASLR in a Nutshell

- Most exploits rely heavily on hijacking execution flow and are typically very dependent on fixed memory addresses.

- ASLR randomizes the memory addresses on each reboot so that the attacker typically cannot predict which memory address to jump to.

Page 12: Scary Stuff

- The Aurora attack bypassed Data Execution Prevention (DEP).

Page 13: Even Worse

- DEP + Address Space Layout Randomization (ASLR) was just recently bypassed on Windows 7 + IE 8.

- What was once thought impossible to bypass can now be bypassed.

Page 14: So What This Means…

- Focused and organized attacks are on the rise.

- Attackers will continue to get in through the easiest route.

- A combination of zero-days and the human element was the root cause of this attack's success.

Page 15: How to Prevent

- This exploit has already been patched; make sure you update.

- IE is a large target; consider moving to Firefox with NoScript enabled.

- Kernel-hooking HIPS could potentially have stopped this attack.