EIP Revisited

Exploitation & Defense in 2013Dan Guido – BruCon – 09/26/2013

Introductions

@dguido

Exploit Intelligence Project

Intel-driven case study from 2011 How do we use intel to mitigate a threat? What are optimal defenses for mass malware? How do crimepacks acquire exploits? Is security research being applied by

crimepack authors?

Separate what could happen from what is happening

Clear Market Leaders

NeoSp

loit

Phoe

nix

CRiMEP

ACK

Liber

ty

Web

Attack

er

Eleo

nore

Frag

us

Sibe

ria

JustEx

ploit

Bleed

ing

Life

SEO E

xploit

Kit

Zombie

Gpack

Phoe

nix

Uniqu

e

Nuclear YE

S

Chine

se

Liber

ty

Luck

y

Needle

Nuclear

Drago

n

I-Wor

m -

Kitro

0

500

1000

1500

2000

2500

3000

3500

4000

# o

f M

alici

ou

s U

RLs

Limited Target Support

5

5

21

Flash / ReaderJavaInternet ExplorerQuicktime

Low Quality Exploits

Memory Corruption (19)

Defeated by DEP 14

Defeated by ASLR 17

Defeated by EMET 19

Logic Flaws (8)

No Java in Internet Zone 4

No EXEs in PDFs 1

No Firefox or FoxIt Reader 2

Developed Elsewhere

DEP Bypasses (5)

Developed by APT 3

Developed by Whitehats 2

Developed by Malware Authors 0

Logic Flaws (8)

Discovered by APT 0

Discovered by Whitehats 8

Discovered by Malware Authors

0

Java is a Path Forward

Malicious

HTML

GoogleChrome

IE8DEP/ASLR

Bypass

DEP/ASLR

Bypass

Sandbox Escape

Integrity Escalatio

n

Java

Shell

Derived Optimal Defenses

Recommended to defend against crimepacks in 2011:1. Enable DEP on browser and plugins

2. Remove Java from Internet Zone

3. Secure Adobe Reader configuration

4. Use EMET when possible / where needed

Then, continue to monitor threat intel for changes…

Where are they now?

Crimepacks in 2013

Crimepacks in 2013

Standard desktop builds use DEP/ASLR/Sandboxes 2009: Windows XP, IE7, Flash 9, Office 2007,

Java 6 2013: Windows 7, IE9, Flash 11, Office 2010,

Java 7

Blackhole / Cool, Sweet Orange, and Gong Da Have these kits invested in bypassing our new

defenses? How have crimeware packs dealt with the

pressure?

The World is Changing

2011

-01

2011

-04

2011

-07

2011

-10

2012

-01

2012

-04

2012

-07

2012

-10

2013

-01

2013

-04

2013

-07

0

5

10

15

20

25

30

35

IE 6.0IE 7.0IE 8.0IE 9.0IE 10.0

Source: StatCounter January 2011 – August 2013 Browser Versions

Supported Targets

3

5

1

9

Reader / FlashInternet ExplorerWindows TTF FontJava

Windows XP Only

Exploit Origins

VUPEN Blog ArticlesAPT CampaignsSecurity Researchers

• All memory corruption exploits came from APT campaigns or the VUPEN blog.

• All Java exploits came from security researchers:• Jeroen Frijters

• TELUS Security Labs

• Adam Gowdiak (Security Explorations)

• Stefan Cornellius

• Sami Koivu via ZDI

• Michael Schierl via ZDI

• “Whitehats Shrugged”

IE / FlashJava

Cool Exploit Kit

Premium version of Blackhole, by the same author Launched a $100k bug bounty for improved exploits Only offered as a hosted service to prevent source leaks

As a result, Cool has several unique exploits: CVE-2011-3402: Windows Kernel TTF font (Duqu) CVE-2012-1876: IE 9 (VUPEN Pwn2Own) CVE-2012-0775: Reader 9/10 (self-developed?)

No privesc included for these targets, relies on payload

How did we stack up?

DEP, remove Java, secure Reader, EMET as necessary Safe from all but TTF font exploit w/o patching!

Systems being deployed now w/o Java are out of reach Win7, IE9, Reader X, EMET as necessary

Mixed messages coming from this data Success! We have pushed crimepacks to the margins Warning! It is easy to predict if you will get owned

The Advanced Persistent Threat

How effective are exploit mitigations against this threat?

Aurora et al.

Highly regarded technical capabilities Prolific developers of zero-day exploits Original source for many crimepack exploits Pioneered “watering hole” attack campaigns Notable for successful compromises of Google,

Bit9

Continues to cross paths with Trail of Bits Exploit profiled in Assured Exploitation Elderwood Exploit Kit dissection and analysis

Elderwood

Think, a “startup” for Aurora to invest in Developed several reusable vuln disc / exploit tools Requires less-skilled people to operate the tools Launch zero-day watering holes on a regular basis

Released new attacks every ~3 months in 2011/2012 4 Internet Explorer, 5 Adobe Flash zero-days Dozens of prominent websites compromised (CFR)

Quality Exploits?

Elderwood

50% of the time

Flash, Java, and Officeplugins available

Internet Explorer 8

All Computers

Modest exploit mitigations are surprisingly effective!

Meet NYU-Poly…

… and Davis

It’s Easy to Get Better

Elderwood NYU-Poly Davis

Plugins Required

Flash, Office, Java

.NET None

Version Support

IE8 / Win XP IE8 / Win7 IE9 / Win7

Reliability ~50% ~95% ~99%

Features Hardcoded ROP Hardcoded ROP

Dynamic ROP

Time to Develop

? (probably 8 hrs)

~5 days ~10 days

Experience Professional Amateur Amateur

Reality

RSA – phishing email with malicious Excel doc Exploited Flash vuln no longer viable in IE

Google – IE6 in remote office to total control of Gmail They found the ONE guy in Google using IE6

Amateurs push as hard as they can. Professionals push as hard as they have to. Rapid discovery and shift to low cost attack

vectors

APT Discoveries

Maybe we should try to make protections that cannot be bypassed by CS undergrads with 40 hrs of training?

We need to push harder since the professional bad guys can own things without caring about mitigations

APT can get better, we know they will, but is it prudent not to act just because you know they will respond?

Taming the Tiger

Use the Kill Chain and Courses of Action the way they were intended

Variety of Approaches

Drag picture to placeholder or click icon to add

or “An APT breached my network despite my $750,000 IPS and $2,000,000 SIEM. What other vendor products should I buy to

protect myself?” –Jerkface

External Exposure

Phishing Resistance

“99% of the security breaches it investigated in 2012 started with a targeted spearphishing attack.” –Mandiant

“If you go from 35 to 12% on fire, you’re still on fire.” –Zane Lackey

Exploitability

Final Conclusions

Let’s make defenses that bored undergrads can’t take out in one semester, that would be cool!

Let’s build things that help understand your adversary’s capability and intent.

Let’s use the defenses we have. They work, and they work against the people you care about.

Thanks Andrew Ruef and Hal Brodigan!

References

Contagio: An Overview of Exploit Packs http://contagiodump.blogspot.com/

2010/06/overview-of-exploit-packs-update.html

Elderwood Kit Analysis http://blog.trailofbits.com/2013/05/13/elderwood-a

nd-the-department-of-labor-hack/

Detecting Targeted Malicious Email http://papers.rohanamin.com/wp-content/uploads/

papers.rohanamin.com/2010/11/Amin2011-dissertation.pdf