Dan Guido SOURCE Boston 2011

The Exploit Intelligence Project

Dan Guido
SOURCE Boston, 04/20/2011

https://www.isecpartners.com

Intro and Agenda
 I work for iSEC Partners
 NYC, Seattle, SF – specialize in Application Security
 I don’t have a product to sell you

 Today, I’m going to be sharing data and my analysis
of attacker capabilities and methods
 An informed defense is more effective and less costly

 EIP shows that intelligence-driven, threat-focused
approaches to security are practical and effective

2

WARNING!

The commentary is really important for
this talk.

If you’re a reporter, please contact me and
I’ll be happy to provide that commentary
for any section you’re interested in:

dguido@isecpartners.com

3

We Have An Analysis Problem
Or, you’re counting the wrong beans!

Let’s Talk About Vulnerabilities

5
*IBM X-Force 2010 Trend and Risk Report

How many vulnerabilities did
you have to pay attention to in 2010?

6

Vulnerability Origin

8
*Secunia Yearly Report 2010

Affected Vendors (2010)

1
2 Oracle
5
Adobe
Microsoft
Apple
5

9

Wheel of Vulnerability Fortune

10
*Secunia: The Security Exposure of Software Portfolios

Where or how were massively exploited
vulnerabilities first discovered in 2010?
6

5

4

3

2

1

0

Targeted ZDI Prominent Personal Known Discovered
Attacks Researcher Website Behavior by Malware

11

Google Chrome is Insecure!

12
*Bit 9 Research Report: Top Vulnerable Apps – 2010

How many vulnerabilities were
massively exploited in Google Chrome in 2010?

13

Are we doing something wrong?
Yes, you’re doing it backwards!

We Have to Start at Attacks

1. 2. 3.

 Where do bad guys get their info from?
 How do bad guys view the new vulns that come out?
 How effective are my defenses against this attacker?

15

Maslow’s Internet Threat Hierarchy

# of Attacks Data Lost

APT IP

Targeted $$$

Mass Banking
Credentials
Malware

Mass Malware
How does it work?

Kill Chain Model
 Systematic model for evaluating intrusions
 Helps us objectively evaluate attacker capabilities
 Align defense to specific processes an attacker takes

 Typically used as a model to defend against APT
 Evolves beyond response at point of compromise
 Assumes unfixable vulnerabilities

 First described by Mike Cloppert

18

Weaponization

20
5-20 exploits, $200-$2000 dollars

Command and Control

24

Actions on Objectives

25

Process Overview
Recon Millions of Infected Sites

Existing defenses attack
Weaponize Thousands of Vulnerabilities the most robust aspects of
mass malware operations
Delivery Thousands of IPs

The last point that you
Exploit <100 Exploits
have control of your data

Install Millions of Malware Samples

C2 Thousands of IPs

Actions N/A 27

Exploit Kit Popularity (2011)

29
*ThreatGRID Data

Exploit Kit Popularity

 AVG Threat Labs
 Malware Domain List
 Krebs on Security
 Malware Intelligence
 Contagio Dump
 Malware Tracker
 M86 Security
 …

Data Sources
 Blackhole  LuckySploit
 Bleeding Life  Phoenix
 CrimePack  2.5, 2.4, 2.3, 2.2, 2.1, 2.0

 3.1.3, 3.0, 2.2.8, 2.2.1  SEO Sploit pack
 Eleonore  Siberia
 1.6, 1.4.4, 1.4.1, 1.3.2  Unique Pack
 Fragus  WebAttacker
 JustExploit  YES
 Liberty  Zombie
 2.1.0, 1.0.7

Data Processing

 Decode  Relate
 Jsunpack  SHODAN HQ
 Generic JS Unpacker  Python API for ExploitDB,
 Decodeby.us MSF, CVE
 PHP De-obfuscation
 Live Testing
 Vmware
 Detect
 Windows XP/7
 YARA Project
 Generic scanning engine

Note: All free tools except VMWare/Windows

Jsunpack/YARA Rules
rule IEStyle
{
meta:
ref = “CVE-2009-3672”
hide = true
impact = 8
strings:
$trigger1 = “getElementsByTagName” nocase fullword
$trigger2 = “style” nocase fullword
$trigger3 = “outerhtml” nocase fullword
condition:
all of them
}

33

Jsunpack vs Eleonore 1.4.1

34

vuln_search.py
 CVE  Metasploit
 Name  Authors
 ID  Description
 ID
 Name
 Exploit DB
 Rank
 Author
 Date
 ID  References
 Name  Vendor URLs (ex. MSB)
 ZDI
 Other Notable URLs

Powered by:

Sample Results: CVE-2010-1818
 Exploit DB
 08/30/2010
 Ruben Santamarta
 Apple QuickTime "_Marshaled_pUnk" Backdoor
 14843
 Metasploit
 Ruben Santamarta, jduck
 Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
 “… exploits a memory trust issue in Quicktime…”
 exploit/windows/browser/apple_quicktime_marshaled_punk
 Rank: Great
 Refs
 http://reversemode.com/index.php?option=com_content&task=
view&id=69&Itemid=1
 OSVDB-67705

36

Recap

Mapping of Exploit Kits -> CVEs + Metadata

37

Targeting Trends
Java from 2008 to Present

Targeting Trends
 Java, Round One
 12-08 – Prominent researcher finds CVE-2008-5353
 08-09 – Wins a Pwnie (researcher interest runs high)
 08-09 – ZDI submissions start trickling out
 11-09 – 1 kit incorporates CVE-2008-5353

39

Java, Round Two
 11-09 – ZDI publishes 2nd batch of Java vulns
 CVE-2009-3867

 01-10 – Three kits integrate 1st and 2nd vulns
 CVE-2008-5353 and CVE-2009-3867

 04-10 – 3rd batch of researcher disclosures
 CVE-2010-0886, CVE-2010-0840, CVE-2010-0842

 Back and forth between researchers/malware keeps
interest in Java running high

40

From April 2010 onwards, new Java exploits are
added to almost all popular exploit kits
41

Java Today
 Popularity
 11 out of 15 kits include at least one Java exploit (73%)
 7 out of 15 kits include more than one (46%)

 Where did this trend come from?
 Who followed who? The malware or research community?
 Why can we even compare these two groups together?

 What is next?
 Java and Flash will continue to be a pain point
 Quickest path to install malware in IE and Firefox

42

The New Trend: more exploits are being rapidly
repurposed from targeted attack campaigns in 2010-2011
6

5

4

3

2

1

0

Targeted ZDI Prominent Personal Known Silent Patch
Attacks Researcher Website Behavior

43

Capabilities Assessment
If we only had a time machine

Optimized Defense
 Jan 1, 2009 – what can we put in place to mitigate all
exploits for the next two years?
 Restrictions: no patching allowed

 2009 recap
 Internet Explorer 7, Firefox 3.0
 Adobe Reader 9
 Java, Quicktime, Flash, Office 2007
 Windows XP SP3

 Dataset represents 27 exploits

45

Slice and Dice

Memory
Logic
Corruption
(8)
(19)

Partition exploits based on mitigation options
46

19 Memory Corruption Exploits
 5 unique targets
 IE, Flash, Reader, Java, Firefox, Opera

 Do I have my sysadmins adhere to patch schedules or
have them test and enable DEP in four applications?
 Patch schedules: Monthly, Quarterly, Ad-hoc
 Two years: 60+ patches in these apps

 I choose Data Execution Prevention (DEP)
 Good choice! It mitigates 14 exploits.

47

8 Logic Flaws
 4 unique targets
 Java, Reader, IE, Firefox, FoxIt

 Do we have a business case to justify getting
repeatedly compromised by mass malware?
 No? Remove Java from the Internet Zone in IE
 Configure Reader to prompt on JS execution
 “Disallow opening of non-PDF file attachments”

 This leaves two exploits, one in IE and one in FF

48

Most Severe Exploits 2009-2010
IE Help Center XSS

Firefox SessionStore

Reader libTIFF

Reader CoolType SING

Flash (IE) newfunction

Quicktime (IE) _Marshaled_pUnk

Java getSoundBank

49

Enhanced Mitigation Experience Toolkit
 Microsoft utility that adds obstacles to exploitation
 On XP: DEP, SEHOP, Null Page, Heap Spray, EAT filter
 Distributed as an MSI, controlled via CLI or Registry

 Apply it to one application at a time
 Harden legacy applications
 Temporary protections against known zero-day
 Permanent protections against highly targeted apps

 http://blogs.technet.com/cfs-
file.ashx/__key/CommunityServer-Components-
PostAttachments/00-03-35-03-78/Users-Guide.pdf

50

Most Severe Exploits 2009-2010

IE Help Center XSS

Firefox SessionStore

The Firefox exploit is only in one kit. We can
make an informed decision about the amount
of risk we are assuming.

51

Intelligence-Driven Mitigations
 Easy mitigations (22 out of 27 exploits)
 DEP on IE, Firefox, and Reader
 No Java in the Internet Zone
 Disallow opening of non-PDF file attachments

 Hard mitigations (all the rest)
 EMET on IE and Reader, the two most attacked apps
 Upgrade to IE8 for that pesky Help Center XSS
 Disallow Firefox, patch it, or accept the risk

 Extremely limited susceptibility going forward

52

Taking It Further
 Mass malware exploits are:
1. Result of users browsing internet sites
2. Shortest path to install malware w/ a single exploit

Google DEP Sandbox
Chrome Bypass Escape

Malicious DEP
IE8
HTML Bypass

IE7, Plugins,
Install
Java, Flash,
SpyEye
etc.
53
*DDZ – Memory Corruption, Exploitation and You

Google Chrome Frame

“X-UA-Compatible: chrome=1” 54

Google Chrome Frame
 Internet sites standardized around HTML/JS
 This is why you don’t need IE6 or IE7 at home

 For internet sites, add HTTP header w/ Bluecoat
 Browser is sandboxed
 Uses auto-updated Google version of Flash
 No other plugins are loaded

 Maintain whitelist of internet sites that need IE
 Typically, established vendor relationships

 All intranet websites will load with IE as usual
 Seamless to the user, mitigates all exploits in use

55

Maslow’s Internet Threat Hierarchy

# of Attacks Data Lost

APT IP

Targeted $$$

Now you’re ready to defend against Banking
more advanced attackers Credentials

Intelligence-Driven Conclusions
 Don’t wait to act with Flash and Java
 Pay attention to targeted attack disclosures in 2011

 Force malware authors to use multiple exploits
 Seriously consider Google Chrome Frame

 Are your consultants/MSSPs/scanners evaluating
vulnerabilities the same way that attackers are?

 Intelligence-Driven Response
 Informed defense is more effective and less costly
 Threat-focused security is practical
 Attack data is necessary to adequately model your risk

57

Thanks
 Rcecoder, Mila Parkour, Francois Paget, Adam Meyers
 Exploit Pack Table on Contagio Dump & Exploit Kit Source

 Mike Cloppert and Dino Dai Zovi
 Inspiration, ideas, and encouragement

 Chris Clark
 Getting started with the research process at iSEC

 John Matherly
 Creating SHODAN and fixing my bugs

 Dean De Beer
 ThreatGRID data, screenshots, and background material

58

References and Q&A
 Updates with more data at SummerCon, 6/10

 Related Presentations (online)
 Memory Corruption, Exploitation, and You – DDZ
 Intelligence-Driven Response to APT – M. Cloppert
 Any Mandiant Presentation

 Related Presentations (at SOURCE)
 2011 Verizon Data Breach Report, Hutton
 Fuel for Pwnage, Diaz and Mieres
 Dino Dai Zovi Keynote

 dguido@isecpartners.com

59

Frequently Asked Question #1
 Q: What do you think about network detections?

 A: Apply the same analysis process (kill chain) to the
adversary you care about and determine major
source of overlaps in intrusions. You may find better
indicators than simply IP addresses.
 ie., “Hey, all the malicious domains attacking me are
registered with the same whois data.”
 or, “All the domains that compromise me have low
TTL values in common.”
 See some of Mike Cloppert’s writings
 See ThreatGRID when it comes out

61

 Q: How can we keep up with this data? You did a
point in time assessment, but I want this going
forward.

 A: This analysis process and data should be picked up
by the security industry and used effectively. AV
companies have been doing you a disservice by not
doing this in the past. They should start now.

62

 Q: Aren’t you cheating by saying we should use EMET to mitigate past
exploits?
 A:
 If we were smart enough to enable mitigations like DEP, we would have had
a solid 1.5 years where we weren’t affected by mass malware mem
corruption exploits at all, buying us a huge amount of time to investigate
other mitigations techniques.
 The exploits that EMET was needed for came after the tool was released in
Oct 2009. If you had someone performing this analysis, you could have
observed the exploits that bypassed DEP and responded the same way I did.
Intelligence gathering is not a static process, we have to continue collecting
and responding to new information.
 There are more ways to use this intelligence. For instance, since we know
that Flash and targeted attacks are so rapidly incorporated into mass
exploitation campaigns, we would have known on April 11th that CVE-2011-
0611 would be a significant issue. The patch came out on April 15th, but I
doubt many orgs patched over the weekend or enabled other mitigating
options before it was massively exploited on April 18th. With this data in
hand, they would have realized the seriousness of the original event on the
11th.

63

 Q: Future analysis?
 A:
 How [exactly] do researcher disclosures correlate with
massive exploitation?
 Are the number of bugs exploited as zero-day
increasing? Why?
 Do researchers follow zero-day disclosure trends or
vice-versa?
 Exactly how much exploit code is modified from public
PoC’s before being integrated into a kit?
 Expect new results some time in June

64

Dan Guido SOURCE Boston 2011

More Related Content

What's hot (13)

Viewers also liked (6)

Similar to Dan Guido SOURCE Boston 2011 (20)

More from Source Conference (20)

Recently uploaded (20)

Dan Guido SOURCE Boston 2011