exploits - from zero day to ongoing threat


Upload: g-data-software

Post on 18-Feb-2017


Page 1

Page 2

EXPLOITS – FROM 0DAY TO ONGOING THREAT
ANDREAS FOBIAN, SECURITY RESEARCHER, G DATA

Page 3

G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015

OVERVIEW

- What are Exploits?
- Exploit Evolution
  - Change of attack vectors
  - Lifecycle of a 0day
- Defensive strategies / technologies

Page 4

EXPLOITS - MOTIVATION

Definition: "Program using a vulnerability to execute arbitrary programs, not limited to calc.exe"

Exploit Kits: Framework for infections using exploits
- 50 – 200 million $ loss using exploit kits
- Bitkom: 14 billion $ loss in the business sector

Page 5

EXPLOITS 101

[Diagram: Internet Explorer page load pipeline: Load Website -> Create layout -> Load images -> Render graphic and show layout -> Wait for Input -> Load Exploit. Components shown: IEXPLORER.EXE, MSHTML.DLL, JSCRIPT.DLL; inputs HTML, JPG, JS; Malicious Code (Shellcode).]

Page 6

ROOT CAUSE: COMPLEXITY

[Chart: code size per year, 2007 – 2015 (y-axis 0 – 14000). Series: KLOC (OK), KLOC (Faults).]

Page 7

EVOLUTION OF ATTACK VECTORS

[Chart: attack vectors per quarter, Q1/2005 – Q3/2015 (y-axis 0 – 160). Series: jre_ek, jre, internet_explorer_ek, internet_explorer, flash_player_ek, flash_player, acrobat_reader_ek, acrobat_reader.]

Page 8

LIFECYCLE OF AN EXPLOIT

[Timeline diagram. Events: Vulnerability found; Vendor notified of vulnerability; Vulnerability published; Vulnerability released; Patch released; Patch deployment finished; Reactive protection mechanisms published. Phases: Zero day attack; Follow-on attacks. Time markers on the axis: td, tv, tvd, tpd, ta, tp, ts.]

Page 9

TARGETED ATTACK -> EXPLOIT KIT

- 3 Flash 0Days
- 0-"day": October 2013 – 5 July 2015
- Exploit Kit Integration: 7 July 2015
- Fixed: 10 July 2015

Example: Hacking Team

Page 10

EVOLUTION OF ATTACK VECTORS

[Chart, repeated from page 7: attack vectors per quarter, Q1/2005 – Q3/2015 (y-axis 0 – 160). Series: jre_ek, jre, internet_explorer_ek, internet_explorer, flash_player_ek, flash_player, acrobat_reader_ek, acrobat_reader.]

Page 11

RELEASED EXPLOITS PER QUARTER

[Chart: released exploits per quarter, Q1/2005 – Q3/2015 (y-axis 0 – 9). Series: java, internet_explorer, flash_player, acrobat_reader. Labels on the chart: ASLR/DEP, Sandboxing, Click to play, Vector Check.]

Page 12

DEP (DATA EXECUTION PREVENTION)

[Diagram: Internet Explorer page load pipeline: Load Website -> Create layout -> Load images -> Render graphic and show layout -> Wait for Input -> Load Exploit. Components shown: IEXPLORER.EXE, MSHTML.DLL, JSCRIPT.DLL; inputs HTML, JPG, JS; Malicious Code (Shellcode).]

Page 13

DEP (DATA EXECUTION PREVENTION)

[Diagram: Internet Explorer page load pipeline: Load Website -> Create layout -> Load images -> Render graphic and show layout -> Wait for Input -> Load Exploit. Components shown: IEXPLORER.EXE, MSHTML.DLL, JSCRIPT.DLL; inputs HTML, JPG, JS; Malicious Code (Shellcode).]

Page 14

ROP (RETURN ORIENTED PROGRAMMING)

[Diagram: Internet Explorer page load pipeline: Load Website -> Create layout -> Load images -> Render graphic and show layout -> Wait for Input -> Load Exploit. Components shown: IEXPLORER.EXE, MSHTML.DLL, JSCRIPT.DLL; inputs HTML, JPG, JS; Malicious Code (Shellcode).]

Page 15

ASLR (ADDRESS SPACE LAYOUT RANDOMIZATION)

[Diagram: Internet Explorer page load pipeline: Load Website -> Create layout -> Load images -> Render graphic and show layout -> Wait for Input -> Load Exploit. Components shown: IEXPLORER.EXE, MSHTML.DLL, JSCRIPT.DLL; inputs HTML, JPG, JS; Malicious Code (Shellcode).]

Page 16

ASLR (ADDRESS SPACE LAYOUT RANDOMIZATION)

[Diagram: the same Internet Explorer page load pipeline (Load Website -> Create layout -> Load images -> Render graphic and show layout -> Wait for Input -> Load Exploit), with the modules MSHTML.DLL, JSCRIPT.DLL and IEXPLORER.EXE and the inputs JPG, JS, HTML drawn in a different order than on the preceding slides; Malicious Code (Shellcode).]

Page 17

14 billion $ loss?

Page 18

EXPLOIT PROTECTION

Page 19

ADDRESS TABLE FILTER

[Diagram: Internet Explorer page load pipeline: Load Website -> Create layout -> Load images -> Render graphic and show layout -> Wait for Input -> Load Exploit. Components shown: IEXPLORER.EXE, MSHTML.DLL, JSCRIPT.DLL; inputs HTML, JPG, JS; Malicious Code (Shellcode).]

Page 20

CONCLUSION

Fixing all security bugs is expensive. A look at the past shows:

- Killing offensive techniques forces attackers to develop new techniques
- Goal: increasing the cost of a functional attack

Mitigation Software
Patch Management

Page 21

… THANK YOU!

Page 22