Derek Manky, Cyber Security & Threat Research, FortiGuard Labs
October 26th, 2010: SecTor 2010 – Toronto, CA
Beyond Aurora’s Veil: A Vulnerable Tale
… Meanwhile: JBIG2 Zero-Day (PDF/SWF)
January 2009: Malicious PDF Samples In the Wild
Drops Gh0st RAT Trojan, exploits CVE-2009-0658; no-click variant through Windows Shell Extensions
February 02, 2009: Adobe Acknowledges via APSA09-01
March 10, 2009: Adobe Patches via APSB09-03
Attacks Occurred Roughly 63 Days Before Patch
Conficker: April Doomsday ..
Gh0st RAT Advertisement Photo
Meanwhile … Gumblar & Bredolab Botnets Sync Through PDF Exploits
March 18, 2009: Adobe Issues Patch APSB09-04
Includes CVE-2009-0927, PDF Exploit
March 23, 2009: Gumblar attack surfaces
Compromised websites with exploits, freshly exploiting CVE-2009-0927
Drops Bredolab Botnet (first appearance); downloads FTP-stealing module for Gumblar; downloads FakeAV for profit
Aggressively Attacked 5 Days After POC Released
Bredolab & Gumblar
Then and Now … Gumblar & Bredolab Botnets Sync Through PDF Exploits
Bredolab
Oct 2009: New protocol (v2), custom encrypted HTTP
Jan 2010: Uses Pushdo Botnet; new webmailing engine distributed (Webwail)[1]; cracks CAPTCHAs in < 30 seconds
Feb 2010: Downloads ransomware; force-kills applications, demands > $50 USD
Oct 2010: Distributes Grum/Tedroo Botnet; source code available
Bredolab now used for various operators & attacks since original incarnation
[1] FortiGuard Labs Discovers Webwail in December 2009
Then and Now … Gumblar & Bredolab Botnets Sync Through PDF Exploits
Gumblar Today[1]
9,350 infected links; 951 links hosting exploits; 165 malware variants served
Popular exploited vulns: CVE-2007-0701, CVE-2008-0655, CVE-2008-2992, CVE-2009-0927
[1] FortiGuard Web Scanning Systems, Oct 19th 2010
In The Threat Spotlight … Internet Explorer HTML Memory Corruption (“Aurora”)
September 30, 2009: Microsoft Receives Vulnerability Report (Later CVE-2010-0249)
December 15, 2009: Google Later Acknowledges Attack Discovery
January 04, 2010: C&C Servers Taken Down
January 12, 2010: Attacks Publicly Acknowledged; Dropped Custom Trojan
January 14, 2010: Public POC Exploit Code Available
January 21, 2010: Microsoft Patches via MS10-002
Zero-Day 113 Days Before Patch, 7 Days From Public POC
… Meanwhile: Internet Explorer Use-After-Free
March 09, 2010: Microsoft Acknowledges via Advisory / CVE-2010-0806; Web Drive-By Attacks Already In the Wild
Drops Gh0st RAT Trojan, Similar to Aurora
March 30, 2010: Microsoft Patches via MS10-018
Attacks Occurred Roughly 21 Days Before Patch
FortiGuard Detects Highest Exploit Rate Before Patch (Zero-Day)
Internet Explorer Use-After-Free
Exploit Demonstration
The Next Chapter
What can we learn?
!!! Headlines are not everything !!! Reactive defense against high-profile attacks == inefficient
Threats often share similar attack techniques: browsers, document formats, system services
Conficker / Neeris (RPC DCOM), Murofet (DGA); Gh0st RAT (PDF JBIG2); Gumblar (PDF getIcon)
Aurora / Google etc. & Gh0st RAT: IE Use-After-Free
The Next Chapter
What can we learn?
Zero-day attacks happen more often than you may think
Attacks can continue for months undetected
Can be 1-3 week response time for patches once detected / reported; otherwise 6-12 months
Patched vulnerabilities are attacked quickly, and frequently: Conficker: 30 days; Gumblar: 5 days
Patch management! Quick patching is essential; does not work on zero-day attacks
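As an added worked example (not part of the talk or FortiGuard's own tooling), the exposure windows quoted on the slides can be recomputed from the timeline dates given earlier in the deck. The three metrics it derives are the ones the talk argues over: days a flaw was known or exploited before a vendor patch (the zero-day window), days from public POC to patch, and days from patch to observed attack. The incident names and dates come from the slides; the event labels and function names are this example's own.

```python
from datetime import date

# Timeline events for the incidents on the slides (dates as stated in the deck).
# "first_known" is the earliest date the deck gives for the vendor knowing of,
# or attackers exploiting, the flaw; "attacked" is the first in-the-wild attack
# seen *after* the patch.
INCIDENTS = {
    "Aurora (CVE-2010-0249)": {
        "first_known": date(2009, 9, 30),   # Microsoft receives report
        "public_poc": date(2010, 1, 14),    # public POC exploit code
        "patched": date(2010, 1, 21),       # MS10-002
    },
    "IE use-after-free (CVE-2010-0806)": {
        "first_known": date(2010, 3, 9),    # advisory; drive-bys already in the wild
        "patched": date(2010, 3, 30),       # MS10-018
    },
    "Gumblar (CVE-2009-0927)": {
        "patched": date(2009, 3, 18),       # APSB09-04
        "attacked": date(2009, 3, 23),      # Gumblar attack surfaces
    },
}


def days_between(events, start, end):
    """Days from event `start` to event `end`, or None if either is unknown."""
    if start not in events or end not in events:
        return None
    return (events[end] - events[start]).days


def exposure_metrics(events):
    """The three windows the talk compares, for one incident."""
    return {
        "zero_day_days": days_between(events, "first_known", "patched"),
        "poc_to_patch_days": days_between(events, "public_poc", "patched"),
        "patch_to_attack_days": days_between(events, "patched", "attacked"),
    }


def summarize(incidents=INCIDENTS):
    """Metrics for every incident, keyed by incident name."""
    return {name: exposure_metrics(ev) for name, ev in incidents.items()}


def longest_window(metric, incidents=INCIDENTS):
    """Name of the incident with the largest value for `metric` (ignoring unknowns)."""
    known = {n: m[metric] for n, m in summarize(incidents).items() if m[metric] is not None}
    if not known:
        return None
    return max(known, key=known.get)


if __name__ == "__main__":
    for name, metrics in summarize().items():
        print(name)
        for key, value in metrics.items():
            print(f"  {key}: {'n/a' if value is None else value}")
    print("longest zero-day window:", longest_window("zero_day_days"))
```

The same table can be extended with an organisation's own deployment date per advisory to measure how long its hosts stayed exposed after the vendor fix, which is the number a patch-management programme actually controls.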
The Next Chapter
The new decade of threats
Attacks can survive for years
Attacks change extremely frequently
Server-side polymorphism: repack hosted malware, repack hosted scripts [Gumblar]
Crimeware and source code: copy & paste bots, new versions
Endless domains: creates tremendous volume
FortiGuard Labs – Security Research
• 87 Zero-Days Discovered Since 2008, Mostly Critical
• Oct 2010: 30+ Outstanding in Zero-Day State
http://www.fortiguard.com/advisory/UpcomingAdvisory.html
Fighting Back
Strategic Defense
Standard security rules apply; often ignored
Layered security vs. growing attack surface
Applicable to infection & post-infection
Education and Training (RSS): think before you link; use of JS, Flash (NoScript, PDF reader); trust management (PGP, SSL)
Alternative software considerations: OS, browsers, document readers, sandboxes
Access level lockdown (admin privileges)
Layered Security vs. Growing Attack Surface
Intrusion Prevention: Botnet C&C, Zero-Days & Exploits
Application Control: Malicious services, compromised Facebook applications
Web Filtering: Botnet C&C, Fast Flux / Mal-Hosting, SEO
Antispam: Spambots & Incoming Campaigns
Antivirus: Trojans, bots, ransomware, etc.
Vulnerability Review: Software used vs. alternatives