Dan Guido - The Exploit Intelligence Project


26 Jun 2012


https://www.isecpartners.com

Dan Guido

SOURCE Boston, 04/20/2011

The Exploit Intelligence Project

Intro and Agenda

- I work for iSEC Partners
  - NYC, Seattle, SF
  - specialize in Application Security
  - I don’t have a product to sell you
- Today, I’m going to be sharing data and my analysis of attacker capabilities and methods
  - An informed defense is more effective and less costly
- EIP shows that intelligence-driven, threat-focused approaches to security are practical and effective

WARNING!

The commentary is really important for this talk.

If you’re a reporter, please contact me and I’ll be happy to provide that commentary for any section you’re interested in: dguido@isecpartners.com

We Have An Analysis Problem

Or, you’re counting the wrong beans!

Let’s Talk About Vulnerabilities

*IBM X-Force 2010 Trend and Risk Report

How many vulnerabilities did you have to pay attention to in 2010?

(chart: since 2006)

Vulnerability Origin

*Secunia Yearly Report 2010

Affected Vendors (2010)

(Chart; vendors: Oracle, Adobe, Microsoft, Apple)

Wheel of Vulnerability Fortune

*Secunia: The Security Exposure of Software Portfolios

Locations to Track (2010)

(Chart, y-axis 0 to 6; categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Silent Patch)

Google Chrome is Insecure!

*Bit9 Research Report: Top Vulnerable Apps 2010

How many vulnerabilities were massively exploited in Google Chrome in 2010?

Are we doing something wrong?

Yes, you’re doing it backwards!

We Have to Start at Attacks

1. Where do bad guys get their info from?
2. How do bad guys view the new vulns that come out?
3. How effective are my defenses against this attacker?

Maslow’s Internet Threat Hierarchy

(Pyramid diagram; axes: # of Attacks, Data Lost. Tiers: APT, Targeted, Mass Malware. Data Lost: IP, $$$, Banking Credentials)

Mass Malware

How does it work?

Kill Chain Model

- Systematic model for evaluating intrusions
  - Helps us objectively evaluate attacker capabilities
  - Align defense to specific processes an attacker takes
- Typically used as a model to defend against APT
  - Evolves beyond response at point of compromise
  - Assumes unfixable vulnerabilities
- First described by Mike Cloppert

Recon

Weaponization

Delivery

Exploitation

Installation

Command and Control

Actions on Objectives: Leads to Cyber Pompeii

Process Overview

Recon -> Weaponize -> Delivery -> Exploit -> Install -> C2 -> Actions

Scale of each stage for mass malware (as charted on the slide): Millions of Infected Sites; Thousands of IPs; Thousands of Vulnerabilities; Millions of Malware Samples; Thousands of IPs; N/A; < 100 Exploits

The last point that you have control of your data

Existing defenses attack the most robust aspects of mass malware operations

Going on the Offensive

Exploit Kit Popularity (2011)

*ThreatGRID Data

Exploit Kit Popularity

Data Sources: AVG Threat Labs, Malware Domain List, Krebs on Security, Malware Intelligence, Contagio Dump, Malware Tracker, M86 Security

Kits (with versions where noted):
- Blackhole
- Bleeding Life
- CrimePack 3.1.3, 3.0, 2.2.8, 2.2.1
- Eleonore 1.6, 1.4.4, 1.4.1, 1.3.2
- Fragus
- JustExploit
- Liberty 2.1.0, 1.0.7
- LuckySploit
- Phoenix 2.5, 2.4, 2.3, 2.2, 2.1, 2.0
- SEO Sploit pack
- Siberia
- Unique Pack
- WebAttacker
- YES
- Zombie

Data Processing

- Decode
  - Jsunpack: Generic JS Unpacker
  - Decodeby.us: PHP De-obfuscation
- Detect
  - YARA Project: Generic scanning engine
- Relate
  - SHODAN HQ: Python API for ExploitDB, MSF, CVE
- Live Testing
  - VMware, Windows XP/7

Note: All free tools except VMware/Windows

Jsunpack Rules

rule IEStyle
{
    meta:
        ref = "CVE-2009-3672"
        hide = true
        impact = 8
    strings:
        $trigger1 = "getElementsByTagName" nocase fullword
        $trigger2 = "style" nocase fullword
        $trigger3 = "outerhtml" nocase fullword
    condition:
        all of them
}
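As an added illustration (not jsunpack's or YARA's own code), here is a small Python matcher that applies the semantics of the IEStyle rule above, three case-insensitive whole-word triggers combined with an all-of-them condition, to already-decoded JavaScript. The names `RULE`, `fullword_nocase` and `evaluate` are mine, and the two input snippets are constructed for the test; they are not exploit code.

```python
import re

# Added example, not jsunpack's or YARA's code: apply the IEStyle rule's
# semantics (nocase + fullword strings, "all of them") to decoded JavaScript.
RULE = {
    "name": "IEStyle",
    "meta": {"ref": "CVE-2009-3672", "hide": True, "impact": 8},
    "strings": {
        "$trigger1": "getElementsByTagName",
        "$trigger2": "style",
        "$trigger3": "outerhtml",
    },
}


def fullword_nocase(needle, haystack):
    """YARA 'fullword': no alphanumeric character directly before or after the
    match; 'nocase': compare case-insensitively."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(needle) + r"(?![A-Za-z0-9])"
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def evaluate(rule, js):
    """Return per-trigger hits and whether the 'all of them' condition holds."""
    hits = {name: fullword_nocase(s, js) for name, s in rule["strings"].items()}
    return {
        "rule": rule["name"],
        "ref": rule["meta"]["ref"],
        "impact": rule["meta"]["impact"],
        "hits": hits,
        "match": all(hits.values()),
    }


# Constructed inputs (not exploit code). jsunpack would feed the rule the
# JavaScript it has already unpacked, so both samples are plain text here.
BENIGN_JS = 'var d = document.getElementsByTagName("div")[0]; d.className = "styles";'
SUSPECT_JS = ('var e = document.getElementsByTagName("STYLE")[0];\n'
              'var h = e.outerHTML; // case differs from the rule strings\n')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_JS), ("suspect", SUSPECT_JS)):
        r = evaluate(RULE, sample)
        print(label, r["match"], r["hits"])  # "styles" fails fullword for $trigger2
```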

Jsunpack vs Eleonore 1.4.1

vuln_search.py

Fields collected per vulnerability:
- CVE: Name, ID
- Exploit DB: Author, Date, ID, Name
- Metasploit: Authors, Description, ID, Name, Rank
- References: Vendor URLs (ex. MSB), ZDI, Other Notable URLs

Powered by:

Sample Results: CVE-2010-1818

- Exploit DB
  - 08/30/2010
  - Ruben Santamarta
  - Apple QuickTime "_Marshaled_pUnk" Backdoor
  - 14843
- Metasploit
  - Ruben Santamarta, jduck
  - Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
  - “… exploits a memory trust issue in Quicktime …”
  - exploit/windows/browser/apple_quicktime_marshaled_punk
  - Rank: Great
- Refs
  - http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1
  - OSVDB-67705

Recap

Mapping of Exploit Kits -> CVEs + Metadata

Targeting Trends

Java from 2008 to Present

Targeting Trends

Java, Round One

- 12-08: Prominent researcher finds CVE-2008-5353
- 08-09: Wins a Pwnie (researcher interest runs high)
- 08-09: ZDI submissions start trickling out
- 11-09: 1 kit incorporates CVE-2008-5353

Java, Round Two

- 11-09: ZDI publishes 2nd batch of Java vulns
  - CVE-2009-3867
- 01-10: Three kits integrate 1st and 2nd vulns
  - CVE-2008-5353 and CVE-2009-3867
- 04-10: 3rd batch of researcher disclosures
  - CVE-2010-0886, CVE-2010-0840, CVE-2010-0842
- Back and forth between researchers/malware keeps interest in Java running high

From April 2010 onwards, new Java exploits are added to almost all popular exploit kits

Java Today

- Popularity
  - 11 out of 15 kits include at least one Java exploit (73%)
  - 7 out of 15 kits include more than one (46%)
- Where did this trend come from?
  - Who followed whom? The malware or research community?
  - Why can we even compare these two groups together?
- What is next?
  - Java and Flash will continue to be a pain point
  - Quickest path to install malware in IE and Firefox
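An added example (not the talk's dataset or ThreatGRID's data) of the kit-to-CVE bookkeeping behind figures like the 73% / 46% above, and behind the deck's later point that an exploit found in only one kit is a risk you can make an informed decision about. Which kit carries which CVE is constructed here from kit and CVE names that appear in the deck; the disclosure and first-in-kit dates are the month-granularity dates from the Java timeline, assumed to fall on the first of the month; the function names are mine.

```python
from collections import Counter
from datetime import date

# Added example, not the talk's data: which kit carries which CVE is constructed
# from kit and CVE names that appear in the deck (CVE-2010-1818 is QuickTime,
# CVE-2009-3672 is the IEStyle rule, the rest are the Java timeline CVEs).
KITS = {
    "Blackhole": {"CVE-2010-0886", "CVE-2010-0842", "CVE-2010-1818"},
    "CrimePack": {"CVE-2008-5353", "CVE-2009-3867", "CVE-2010-0886"},
    "Eleonore":  {"CVE-2008-5353", "CVE-2009-3867", "CVE-2009-3672"},
    "Phoenix":   {"CVE-2010-0840", "CVE-2010-0842"},
    "Fragus":    {"CVE-2009-3672"},
    "Siberia":   {"CVE-2010-0886"},
}
PRODUCT = {
    "CVE-2008-5353": "Java", "CVE-2009-3867": "Java", "CVE-2010-0886": "Java",
    "CVE-2010-0840": "Java", "CVE-2010-0842": "Java",
    "CVE-2009-3672": "IE", "CVE-2010-1818": "QuickTime",
}
# Deck timeline, month granularity; first-of-month is an assumption made here.
DISCLOSED = {"CVE-2008-5353": date(2008, 12, 1), "CVE-2009-3867": date(2009, 11, 1)}
FIRST_IN_KIT = {"CVE-2008-5353": date(2009, 11, 1), "CVE-2009-3867": date(2010, 1, 1)}


def product_popularity(kits, product):
    """Share of kits with at least one / more than one exploit for `product`,
    the shape of the deck's '11 of 15 kits include a Java exploit' figures."""
    per_kit = [sum(PRODUCT.get(c) == product for c in cves) for cves in kits.values()]
    n = len(kits)
    return {"at_least_one": sum(k >= 1 for k in per_kit) / n,
            "more_than_one": sum(k > 1 for k in per_kit) / n}


def kits_per_cve(kits):
    """Number of kits carrying each CVE: an exploit seen in only one kit is a
    very different risk from one in every popular kit."""
    return Counter(c for cves in kits.values() for c in cves)


def disclosure_to_kit_lag_days(cve):
    """Days from public disclosure to first observation in a kit."""
    return (FIRST_IN_KIT[cve] - DISCLOSED[cve]).days


if __name__ == "__main__":
    print(product_popularity(KITS, "Java"))
    print(kits_per_cve(KITS).most_common())
    for cve in DISCLOSED:
        print(cve, disclosure_to_kit_lag_days(cve), "days to first kit")
```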

(Chart: Locations to Track, y-axis 0 to 6; categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Silent Patch)

The New Trend: more exploits are being rapidly repurposed from targeted attack campaigns in 2010-2011

Capabilities Assessment

If we only had a time machine

Optimized Defense

- Jan 1, 2009: what can we put in place to mitigate all exploits for the next two years?
  - Restrictions: no patching allowed
- 2009 recap
  - Internet Explorer 7, Firefox 3.0
  - Adobe Reader 9
  - Java, Quicktime, Flash, Office 2007
  - Windows XP SP3
- Dataset represents 27 exploits

Slice and Dice

Memory Corruption (19) | Logic (8)

Partition exploits based on mitigation options

19 Memory Corruption Exploits

- 5 unique targets
  - IE, Flash, Reader, Java, Firefox, Opera
- Do I have my sysadmins adhere to patch schedules or have them test and enable DEP in four applications?
  - Patch schedules: Monthly, Quarterly, Ad-hoc
  - Two years: 60+ patches in these apps
- I choose Data Execution Prevention (DEP)
  - Good choice! It mitigates 14 exploits.

8 Logic Flaws

- 4 unique targets
  - Java, Reader, IE, Firefox, FoxIt
- Do we have a business case to justify getting repeatedly compromised by mass malware?
  - No? Remove Java from the Internet Zone in IE
  - Configure Reader to prompt on JS execution
  - “Disallow opening of non-PDF file attachments”
- This leaves two exploits, one in IE and one in FF

Most Severe Exploits 2009-2010

- IE: Help Center XSS
- Firefox: SessionStore
- Reader: libTIFF
- Reader: CoolType SING
- Flash (IE): newfunction
- Quicktime (IE): _Marshaled_pUnk
- Java: getSoundBank

Enhanced Mitigation Experience Toolkit

- Microsoft utility that adds obstacles to exploitation
  - On XP: DEP, SEHOP, Null Page, Heap Spray, EAT filter
  - Distributed as an MSI, controlled via CLI or Registry
- Apply it to one application at a time
  - Harden legacy applications
  - Temporary protections against known zero-day
  - Permanent protections against highly targeted apps
- http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-03-35-03-78/Users-Guide.pdf

Most Severe Exploits 2009-2010

- IE: Help Center XSS
- Firefox: SessionStore

The Firefox exploit is only in one kit. We can make an informed decision about the amount of risk we are assuming.

Intelligence-Driven Mitigations

- Easy mitigations (22 out of 27 exploits)
  - DEP on IE, Firefox, and Reader
  - No Java in the Internet Zone
  - Disallow opening of non-PDF file attachments
- Hard mitigations (all the rest)
  - EMET on IE and Reader, the two most attacked apps
  - Upgrade to IE8 for that pesky Help Center XSS
  - Disallow Firefox, patch it, or accept the risk
- Extremely limited susceptibility going forward
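The slice-and-dice step above as an added example, with constructed records rather than the talk's 27-exploit dataset: each record carries only the attributes the deck uses to pick a mitigation (target, memory corruption vs logic flaw, whether the sample already bypasses DEP, how many kits carry it), the mitigations are tried in the deck's order, and what is left over is the hard tier or an explicit risk decision weighed by kit count. The record fields, the `host` notion and the `plan`/`coverage` functions are mine.

```python
# Added example, not the talk's 27-exploit dataset: constructed records that carry
# only the attributes the deck uses to choose a mitigation. "host" is the process
# the exploit runs in (a Flash or Java exploit in the browser runs under IE).
EXPLOITS = [
    {"id": "E1", "target": "IE",      "host": "IE",      "cls": "memory", "dep_bypass": False, "kits": 5},
    {"id": "E2", "target": "IE",      "host": "IE",      "cls": "memory", "dep_bypass": True,  "kits": 3},
    {"id": "E3", "target": "IE",      "host": "IE",      "cls": "logic",  "dep_bypass": None,  "kits": 4},
    {"id": "E4", "target": "Firefox", "host": "Firefox", "cls": "logic",  "dep_bypass": None,  "kits": 1},
    {"id": "E5", "target": "Reader",  "host": "Reader",  "cls": "memory", "dep_bypass": False, "kits": 6},
    {"id": "E6", "target": "Reader",  "host": "Reader",  "cls": "logic",  "dep_bypass": None,  "kits": 2},
    {"id": "E7", "target": "Java",    "host": "IE",      "cls": "logic",  "dep_bypass": None,  "kits": 7},
    {"id": "E8", "target": "Flash",   "host": "IE",      "cls": "memory", "dep_bypass": False, "kits": 3},
    {"id": "E9", "target": "Reader",  "host": "Reader",  "cls": "memory", "dep_bypass": True,  "kits": 2},
]
DEP_HOSTS = {"IE", "Firefox", "Reader"}

# (name, predicate), in the deck's order: the easy tier first, then EMET.
MITIGATIONS = [
    ("DEP on IE, Firefox, Reader",
     lambda e: e["cls"] == "memory" and not e["dep_bypass"] and e["host"] in DEP_HOSTS),
    ("No Java in the Internet Zone", lambda e: e["target"] == "Java"),
    ("Reader: disallow non-PDF attachments",
     lambda e: e["target"] == "Reader" and e["cls"] == "logic"),
    ("EMET on IE and Reader",
     lambda e: e["cls"] == "memory" and e["host"] in {"IE", "Reader"}),
]


def plan(exploits, mitigations):
    """Give each exploit to the first mitigation that covers it.
    Returns ({mitigation: [ids]}, residual) so the residual can be weighed by
    kit count before deciding to upgrade, disallow the app, or accept the risk."""
    remaining = list(exploits)
    covered = {}
    for name, pred in mitigations:
        covered[name] = [e["id"] for e in remaining if pred(e)]
        remaining = [e for e in remaining if e["id"] not in covered[name]]
    return covered, remaining


def coverage(exploits, mitigations):
    """Fraction of the dataset the whole plan mitigates."""
    return 1 - len(plan(exploits, mitigations)[1]) / len(exploits)


if __name__ == "__main__":
    covered, residual = plan(EXPLOITS, MITIGATIONS)
    for name, ids in covered.items():
        print(f"{name}: {ids}")
    for e in residual:  # e.g. a logic flaw seen in one kit: accept, patch, or disallow
        print(f"residual {e['id']} ({e['target']}, in {e['kits']} kit(s))")
    print(f"coverage {coverage(EXPLOITS, MITIGATIONS):.0%}")
```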

Taking It Further

Mass malware exploits are:

1. Result of users browsing internet sites
2. Shortest path to install malware w/ a single exploit

(Diagram: Malicious HTML delivered to Google Chrome, IE8, or IE7 with plugins (Java, Flash, etc.); labels: DEP Bypass, DEP Bypass, Sandbox Escape; end state: Install SpyEye. *DDZ, Memory Corruption, Exploitation and You)

Google Chrome Frame

“X-UA-Compatible: chrome=1”

Google Chrome Frame

- Internet sites standardized around HTML/JS
  - This is why you don’t need IE6 or IE7 at home
- For internet sites, add HTTP header w/ Bluecoat
  - Browser is sandboxed
  - Uses auto-updated Google version of Flash
  - No other plugins are loaded
- Maintain whitelist of internet sites that need IE
  - Typically established vendor relationships
- All intranet websites will load with IE as usual
  - Seamless to the user, mitigates all exploits in use


Maslow’s Internet Threat Hierarchy

(Pyramid diagram; axes: # of Attacks, Data Lost. Tiers: APT, Targeted. Data Lost: IP, $$$, Banking Credentials)

Now you’re ready to defend against more advanced attackers

Intelligence-Driven Conclusions

- Don’t wait to act with Flash and Java
  - Pay attention to targeted attack disclosures in 2011
- Force malware authors to use multiple exploits
  - Seriously consider Google Chrome Frame
- Are your consultants/MSSPs/scanners evaluating vulnerabilities the same way that attackers are?

Intelligence-Driven Response

- Informed defense is more effective and less costly
- Threat-focused security is practical
- Attack data is necessary to adequately model your risk

Thanks

- Rcecoder, Mila Parkour, Francois Paget, Adam Meyers
  - Exploit Pack Table on Contagio Dump & Exploit Kit Source
- Mike Cloppert and Dino Dai Zovi
  - Inspiration, ideas, and encouragement
- Chris Clark
  - Getting started with the research process at iSEC
- John Matherly
  - Creating SHODAN and fixing my bugs
- Dean De Beer
  - ThreatGRID data, screenshots, and background material

References and Q&A

- Updates with more data at SummerCon, 6/10
- Related Presentations (online)
  - Memory Corruption, Exploitation, and You (DDZ)
  - Intelligence-Driven Response to APT (M. Cloppert)
  - Any Mandiant Presentation
- Related Presentations (at SOURCE)
  - 2011 Verizon Data Breach Report, Hutton
  - Fuel for Pwnage, Diaz and Mieres
  - Dino Dai Zovi Keynote

dguido@isecpartners.com

Appendix

Frequently Asked Question #1

Q: What do you think about network detections?

A: Apply the same analysis process (kill chain) to the adversary you care about and determine the major sources of overlap between intrusions. You may find better indicators than simply IP addresses.
- i.e., “Hey, all the malicious domains attacking me are registered with the same whois data.”
- See some of Mike Cloppert’s writings
- See ThreatGRID when it comes out

Frequently Asked Question #2

Q: How can we keep up with these data? You did a point-in-time assessment, but I want this going forward.

A: This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.

Frequently Asked Question #3

Q: Aren’t you cheating by saying we should use EMET to mitigate past exploits?

A:
- If we were smart enough to enable mitigations like DEP, we would have had a solid 1.5 years where we weren’t affected by mass malware memory corruption exploits at all, buying us a huge amount of time to investigate other mitigation techniques.
- The exploits that EMET was needed for came after the tool was released in Oct 2009. If you had someone performing this analysis, you could have observed the exploits that bypassed DEP and responded the same way I did. Intelligence gathering is not a static process; we have to continue collecting and responding to new information.
- There are more ways to use this intelligence. For instance, since we know that Flash and targeted attacks are so rapidly incorporated into mass exploitation campaigns, we would have known on April 11th that CVE-2011-0611 would be a significant issue. The patch came out on April 15th, but I doubt many orgs patched over the weekend or enabled other mitigating options before it was massively exploited on April 18th. With this data in hand, they would have realized the seriousness of the original event on the 11th.

Frequently Asked Question #4

Q: Future analysis?

A:
- How [exactly] do researcher disclosures correlate with massive exploitation?
- Is the number of bugs exploited as zero-day increasing? Why?
- Do researchers follow zero-day disclosure trends or vice versa?
- Exactly how much exploit code is modified from public PoCs before being integrated into a kit?
- Expect new results some time in June