EIP RevisitedExploitation & Defense in 2013
Dan Guido – BruCon – 09/26/2013
Introductions
@dguido
Exploit Intelligence Project
Intel-driven case study from 2011 How do we use intel to mitigate a threat? What are optimal defenses for mass malware? How do crimepacks acquire exploits? Is security research being applied by
crimepack authors? Separate what could happen from what is
happening
Clear Market Leaders
NeoSp
loit
Phoe
nix
CRiMEPACK
Libert
y
WebAtta
cker
Eleon
oreFra
gusSib
eria
JustEx
ploit
Bleedin
g Life
SEO Ex
ploit K
it
ZombieGpa
ck
Phoe
nixUniq
ue
Nuclea
rYE
S
ChineseLib
ertyLuc
kyNee
dle
Nuclea
r
Dragon
I-Worm
- Kitro
0500
1000150020002500300035004000
# o
f Mal
icio
us U
RLs
Limited Target Support
5
5
21
Flash / ReaderJavaInternet ExplorerQuicktime
Low Quality Exploits
Memory Corruption (19)Defeated by DEP 14Defeated by ASLR 17Defeated by EMET 19
Logic Flaws (8)No Java in Internet Zone 4No EXEs in PDFs 1No Firefox or FoxIt Reader 2
Developed Elsewhere
DEP Bypasses (5)Developed by APT 3Developed by Whitehats 2Developed by Malware Authors 0
Logic Flaws (8)Discovered by APT 0Discovered by Whitehats 8Discovered by Malware Authors
0
Java is a Path Forward
Malicious
HTML
GoogleChrome
IE8DEP/ASLR
Bypass
DEP/ASLR
BypassSandbox Escape
Integrity Escalatio
n
Java
Shell
Derived Optimal Defenses
Recommended to defend against crimepacks in 2011:1. Enable DEP on browser and plugins2. Remove Java from Internet Zone3. Secure Adobe Reader configuration4. Use EMET when possible / where needed
Then, continue to monitor threat intel for changes…
Where are they now?Crimepacks in 2013
Crimepacks in 2013
Standard desktop builds use DEP/ASLR/Sandboxes 2009: Windows XP, IE7, Flash 9, Office 2007,
Java 6 2013: Windows 7, IE9, Flash 11, Office 2010,
Java 7 Blackhole / Cool, Sweet Orange, and Gong Da
Have these kits invested in bypassing our new defenses?
How have crimeware packs dealt with the pressure?
The World is Changing
2011
-01
2011
-04
2011
-07
2011
-10
2012
-01
2012
-04
2012
-07
2012
-10
2013
-01
2013
-04
2013
-0705
101520253035
IE 6.0IE 7.0IE 8.0IE 9.0IE 10.0
Source: StatCounter January 2011 – August 2013 Browser Versions
Supported Targets
3
5
1
9Reader / FlashInternet ExplorerWindows TTF FontJava
Windows XP Only
Close Encounters of the EIP Kind
Crimepacks acquire capabilities for Windows 7+ through divine intervention
Exploit Origins
VUPEN Blog ArticlesAPT CampaignsSecurity Researchers
• All memory corruption exploits came from APT campaigns or the VUPEN blog.
• All Java exploits came from security researchers:• Jeroen Frijters• TELUS Security Labs• Adam Gowdiak (Security
Explorations)• Stefan Cornellius• Sami Koivu via ZDI• Michael Schierl via ZDI
• “Whitehats Shrugged”
IE / FlashJava
Cool Exploit Kit
Premium version of Blackhole, by the same author Launched a $100k bug bounty for improved exploits Only offered as a hosted service to prevent source leaks
As a result, Cool has several unique exploits: CVE-2011-3402: Windows Kernel TTF font (Duqu) CVE-2012-1876: IE 9 (VUPEN Pwn2Own) CVE-2012-0775: Reader 9/10 (self-developed)
Relies upon payload for privesc (ex. in caberp source)
How’d we stack up?
DEP, remove Java, secure Reader, EMET as necessary Safe from all but TTF font exploit w/o patching!
Systems being deployed now w/o Java are out of reach Win7, IE9, Reader X, EMET as necessary
Mixed messages coming from this data Success! We have pushed crimepacks to the margins Warning! It is easy to predict if you will get owned
The Advanced Persistent Threat
How effective are exploit mitigations against this threat?
Aurora et al.
Highly regarded technical capabilities Prolific developers of zero-day exploits Original source for many crimepack exploits Pioneered “watering hole” attack campaigns Notable for successful compromises of Google,
Bit9 Continues to cross paths with Trail of Bits
Exploit profiled in Assured Exploitation Elderwood Exploit Kit dissection and analysis
Elderwood
Think, a “startup” for Aurora to invest in Developed several reusable vuln disc / exploit tools Requires less-skilled people to operate the tools Launch zero-day watering holes on a regular basis
Released new attacks every ~3 months in 2011/2012 4 Internet Explorer, 5 Adobe Flash zero-days Dozens of prominent websites compromised (CFR)
Quality Exploits?
Elderwood
50% of the time
Flash, Java, and Officeplugins available
Internet Explorer 8
All Computers
Modest exploit mitigations are surprisingly effective!
Meet NYU-Poly…
… and Davis
It’s Easy to Get Better
Elderwood NYU-Poly Davis
Plugins Required
Flash, Office, Java
.NET None
Version Support
IE8 / Win XP IE8 / Win7 IE9 / Win7
Reliability ~50% ~95% ~99%
Features Hardcoded ROP Hardcoded ROPASLR Bypass
Dynamic ROPASLR Bypass
Time to Develop
? (probably 8 hrs)
~5 days ~10 days
Experience Professional Amateur Amateur
Reality
RSA – phishing email with malicious Excel doc Exploited Flash vuln no longer viable in IE
Google – IE6 in remote office to total control of Gmail They found the ONE guy in Google using IE6
Amateurs push as hard as they can. Professionals push as hard as they have to. Rapid discovery and shift to low cost attack vectors
APT Discoveries
Maybe we should try to make protections that cannot be bypassed by CS undergrads with 40 hrs of training?
We need to push harder since the professional bad guys can own things without caring about mitigations
APT can get better, we know they will, but is it prudent not to act just because you know they will respond?
Taming the TigerUse the Kill Chain and Courses of Action the way they were
intended
Variety of Approaches
Drag picture to placeholder or click icon to add
“An APT breached my network despite my $750,000 IPS and $2,000,000 SIEM. What other vendor products should I buy to
protect myself?” –Jerkface
External Exposure
Phishing Resistance“99% of the security breaches it investigated in 2012 started with
a targeted spearphishing attack.” –Mandiant“If you go from 35 to 12% on fire, you’re still on fire.” –Zane
Lackey
Exploitability
Final Conclusions
Let’s make defenses that bored undergrads can’t take out in one semester, that would be cool!
Let’s build things that help understand your adversary’s capability and intent.
Let’s use the defenses we have. They work, and they work against the people you care about.
Thanks Andrew Ruef and Hal Brodigan!
References
Contagio: An Overview of Exploit Packs http://contagiodump.blogspot.com/
2010/06/overview-of-exploit-packs-update.html Elderwood Kit Analysis
http://blog.trailofbits.com/2013/05/13/elderwood-and-the-department-of-labor-hack/
Detecting Targeted Malicious Email Rohan Amin