https://www.isecpartners.com
Dan Guido SOURCE Boston, 04/20/2011
The Exploit Intelligence Project
Intro and Agenda
I work for iSEC Partners
NYC, Seattle, SF – specialize in Application Security
I don’t have a product to sell you
Today, I’m going to be sharing data and my analysis of attacker capabilities and methods
An informed defense is more effective and less costly
EIP shows that intelligence-driven, threat-focused approaches to security are practical and effective
WARNING!
The commentary is really important for this talk.
If you’re a reporter, please contact me and I’ll be happy to provide that commentary
for any section you’re interested in:
mailto:[email protected]
We Have An Analysis Problem
Or, you’re counting the wrong beans!
Let’s Talk About Vulnerabilities
*IBM X-Force 2010 Trend and Risk Report
How many vulnerabilities did you have to pay attention to in 2010?
(chart: vulnerabilities since 2006)
Vulnerability Origin
*Secunia Yearly Report 2010
Affected Vendors (2010)
(chart; values in slide order: 5, 5, 2, 1 for Oracle, Adobe, Microsoft, Apple)
Wheel of Vulnerability Fortune
*Secunia: The Security Exposure of Software Portfolios
Locations to Track (2010)
(bar chart, 0–6 scale; categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Silent Patch)
Google Chrome is Insecure!
*Bit 9 Research Report: Top Vulnerable Apps – 2010
How many vulnerabilities were massively exploited in Google Chrome in 2010?
Are we doing something wrong?
Yes, you’re doing it backwards!
We Have to Start at Attacks
1. Where do bad guys get their info from?
2. How do bad guys view the new vulns that come out?
3. How effective are my defenses against this attacker?
Maslow’s Internet Threat Hierarchy
(pyramid figure; axes: # of Attacks, Data Lost)
APT – IP
Targeted – $$$
Mass Malware – Banking Credentials
How does it work?
Kill Chain Model
Systematic model for evaluating intrusions
Helps us objectively evaluate attacker capabilities
Align defense to specific processes an attacker takes
Typically used as a model to defend against APT
Evolves beyond response at point of compromise
Assumes unfixable vulnerabilities
First described by Mike Cloppert
Recon
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives – Leads to Cyber Pompeii
Process Overview
Recon -> Weaponize -> Delivery -> Exploit -> Install -> C2 -> Actions
Scale per phase as charted: Millions of Infected Sites; Thousands of IPs; Thousands of Vulnerabilities; Millions of Malware Samples; Thousands of IPs; N/A
Going on the Offensive
Exploit Kit Popularity (2011)
*ThreatGRID Data
Data Sources
AVG Threat Labs, Malware Domain List, Krebs on Security, Malware Intelligence, Contagio Dump, Malware Tracker, M86 Security, …
Exploit kits in the dataset (15):
Blackhole
Bleeding Life
CrimePack 3.1.3, 3.0, 2.2.8, 2.2.1
Eleonore 1.6, 1.4.4, 1.4.1, 1.3.2
Fragus
JustExploit
Liberty 2.1.0, 1.0.7
LuckySploit
Phoenix 2.5, 2.4, 2.3, 2.2, 2.1, 2.0
SEO Sploit pack
Siberia
Unique Pack
WebAttacker
YES
Zombie
Data Processing
Decode: Jsunpack (generic JS unpacker); Decodeby.us (PHP de-obfuscation)
Detect: YARA Project (generic scanning engine)
Relate: SHODAN HQ (Python API for ExploitDB, MSF, CVE)
Live Testing: VMware (Windows XP/7)
Note: All free tools except VMware/Windows
Jsunpack Rules
rule IEStyle
{
    meta:
        ref = "CVE-2009-3672"
        hide = true
        impact = 8
    strings:
        $trigger1 = "getElementsByTagName" nocase fullword
        $trigger2 = "style" nocase fullword
        $trigger3 = "outerhtml" nocase fullword
    condition:
        all of them
}
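To show what the rule above actually matches, here is an added Python re-implementation of its logic (not part of jsunpack or the talk): each trigger is compiled with YARA's nocase and fullword semantics and the "all of them" condition is evaluated over constructed decoded-JavaScript samples, including a near miss that shows why fullword matters.

```python
import re

# Re-implementation of the IEStyle rule shown above: three 'nocase fullword'
# string triggers and the condition 'all of them'. Structure mirrors the rule text.
IESTYLE_RULE = {
    "name": "IEStyle",
    "meta": {"ref": "CVE-2009-3672", "hide": True, "impact": 8},
    "strings": {
        "$trigger1": "getElementsByTagName",
        "$trigger2": "style",
        "$trigger3": "outerhtml",
    },
    "condition": "all of them",
}

def _fullword_nocase(needle: str) -> re.Pattern:
    # YARA 'fullword': the string may not be preceded or followed by an
    # alphanumeric character. 'nocase': case-insensitive comparison.
    return re.compile(r"(?<![A-Za-z0-9])" + re.escape(needle) + r"(?![A-Za-z0-9])",
                      re.IGNORECASE)

def match_rule(rule: dict, decoded_js: str) -> dict:
    """Evaluate one rule against decoded JavaScript; report per-string hits and the verdict."""
    hits = {ident: bool(_fullword_nocase(s).search(decoded_js))
            for ident, s in rule["strings"].items()}
    if rule["condition"] == "all of them":
        matched = all(hits.values())
    elif rule["condition"] == "any of them":
        matched = any(hits.values())
    else:
        raise ValueError("unsupported condition: " + rule["condition"])
    return {"rule": rule["name"], "impact": rule["meta"]["impact"],
            "matched": matched, "hits": hits}

# Constructed samples (not real kit output): an ordinary page script, a script that
# touches 'styles' and outerHTML but never the whole word 'style', and a decoded
# script that uses all three trigger strings.
BENIGN_JS = "var links = document.getElementsByTagName('a'); links[0].href = '/home';"
NEAR_MISS_JS = "var s = document.getElementsByTagName('div')[0]; s.styles = 1; s.outerHTML = '';"
SUSPECT_JS = "var d = document.getElementsByTagName('div')[0]; d.style.cssText = ''; x = d.outerHTML;"
```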
Jsunpack vs Eleonore 1.4.1
vuln_search.py output fields:
CVE: Name, ID
Exploit DB: Author, Date, ID, Name
Metasploit: Authors, Description, ID, Name, Rank
References: Vendor URLs (ex. MSB), ZDI, Other Notable URLs
Sample Results: CVE-2010-1818
Exploit DB: 08/30/2010, Ruben Santamarta, Apple QuickTime "_Marshaled_pUnk" Backdoor, ID 14843
Metasploit: Ruben Santamarta, jduck; Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution; “… exploits a memory trust issue in Quicktime…”; exploit/windows/browser/apple_quicktime_marshaled_punk; Rank: Great
Refs: http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1, OSVDB-67705
Recap
Mapping of Exploit Kits -> CVEs + Metadata
Targeting Trends
Java from 2008 to Present
Targeting Trends
Java, Round One
12-08 – Prominent researcher finds CVE-2008-5353
08-09 – Wins a Pwnie (researcher interest runs high)
08-09 – ZDI submissions start trickling out
11-09 – 1 kit incorporates CVE-2008-5353
Java, Round Two
11-09 – ZDI publishes 2nd batch of Java vulns CVE-2009-3867
01-10 – Three kits integrate 1st and 2nd vulns CVE-2008-5353 and CVE-2009-3867
04-10 – 3rd batch of researcher disclosures CVE-2010-0886, CVE-2010-0840, CVE-2010-0842
Back and forth between researchers/malware keeps interest in Java running high
From April 2010 onwards, new Java exploits are added to almost all popular exploit kits
Java Today
Popularity
11 out of 15 kits include at least one Java exploit (73%)
7 out of 15 kits include more than one (46%)
Where did this trend come from?
Who followed who? The malware or research community?
Why can we even compare these two groups together?
What is next?
Java and Flash will continue to be a pain point
Quickest path to install malware in IE and Firefox
(bar chart, 0–6 scale; categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Silent Patch)
The New Trend: more exploits are being rapidly repurposed from targeted attack campaigns in 2010-2011
Capabilities Assessment
If we only had a time machine
Optimized Defense
Jan 1, 2009 – what can we put in place to mitigate all exploits for the next two years? Restrictions: no patching allowed
2009 recap Internet Explorer 7, Firefox 3.0
Adobe Reader 9
Java, Quicktime, Flash, Office 2007
Windows XP SP3
Dataset represents 27 exploits
Slice and Dice
Partition exploits based on mitigation options: Memory Corruption (19), Logic (8)
19 Memory Corruption Exploits
5 unique targets
IE, Flash, Reader, Java, Firefox, Opera
Do I have my sysadmins adhere to patch schedules or have them test and enable DEP in four applications?
Patch schedules: Monthly, Quarterly, Ad-hoc
Two years: 60+ patches in these apps
I choose Data Execution Prevention (DEP)
Good choice! It mitigates 14 exploits.
8 Logic Flaws
4 unique targets
Java, Reader, IE, Firefox, FoxIt
Do we have a business case to justify getting repeatedly compromised by mass malware?
No? Remove Java from the Internet Zone in IE
Configure Reader to prompt on JS execution
“Disallow opening of non-PDF file attachments”
This leaves two exploits, one in IE and one in FF
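As an added illustration (not code from the talk), the following Python models the slice-and-dice process above: a constructed set of exploits tagged with host process, exploited component, bug class and DEP-bypass status, mitigations expressed as predicates with a rough relative cost, and a greedy pass that picks the mitigation with the best kit-weighted coverage per unit cost until the budget is spent. The exploit rows, kit counts and costs are constructed assumptions, not the talk's 27-exploit dataset.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exploit:
    name: str               # constructed label, not a real exploit or CVE identifier
    host: str               # process the exploit runs in: IE, Firefox, Reader, Opera
    component: str          # code actually exploited: IE, Java, Flash, Reader, ...
    kind: str               # "memcorrupt" or "logic"
    dep_bypass: bool = False
    vector: str = "browse"  # "browse" or "attachment"
    kits: int = 1           # how many kits carry it (popularity weight)

# Constructed rows: categories follow the talk, rows do not reproduce its 27-exploit dataset.
EXPLOITS = [
    Exploit("ie_heap_1", "IE", "IE", "memcorrupt", kits=9),
    Exploit("flash_in_ie_1", "IE", "Flash", "memcorrupt", dep_bypass=True, kits=6),
    Exploit("reader_tiff", "Reader", "Reader", "memcorrupt", kits=7),
    Exploit("java_logic_1", "IE", "Java", "logic", kits=11),
    Exploit("java_logic_2", "IE", "Java", "logic", kits=5),
    Exploit("reader_attach", "Reader", "Reader", "logic", vector="attachment", kits=3),
    Exploit("ff_sessionstore", "Firefox", "Firefox", "logic", kits=1),
    Exploit("opera_mem", "Opera", "Opera", "memcorrupt", kits=1),
]

DEP_HOSTS = {"IE", "Firefox", "Reader"}
# name -> (relative cost, predicate that is True when the mitigation stops the exploit)
MITIGATIONS = {
    "DEP on IE/Firefox/Reader": (1, lambda e: e.kind == "memcorrupt" and not e.dep_bypass and e.host in DEP_HOSTS),
    "No Java in IE Internet Zone": (1, lambda e: e.component == "Java" and e.host == "IE"),
    "Reader: disallow non-PDF attachments": (1, lambda e: e.component == "Reader" and e.vector == "attachment"),
    "EMET on IE and Reader": (3, lambda e: e.kind == "memcorrupt" and e.host in {"IE", "Reader"}),
}

def remaining_after(exploits, chosen):
    """Exploits not stopped by any of the chosen mitigations."""
    return [e for e in exploits if not any(MITIGATIONS[m][1](e) for m in chosen)]

def prioritize(exploits, budget):
    """Greedy: each step adds the mitigation with the best kit-weighted coverage per unit cost."""
    chosen, left = [], list(exploits)
    for _ in range(budget):
        candidates = [m for m in MITIGATIONS if m not in chosen]
        if not candidates:
            break
        gain = lambda m: sum(e.kits for e in left if MITIGATIONS[m][1](e)) / MITIGATIONS[m][0]
        best = max(candidates, key=gain)
        if gain(best) == 0:
            break  # nothing left that any remaining mitigation can stop
        chosen.append(best)
        left = remaining_after(exploits, chosen)
    return chosen, left
```

With a budget of three cheap changes the constructed set is left with a DEP-bypassing Flash exploit, a single-kit Firefox logic flaw and an Opera bug, which is exactly the "hard mitigations or accept the risk" residue the talk describes.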
Most Severe Exploits 2009-2010
IE Help Center XSS
Firefox SessionStore
Reader libTIFF
Reader CoolType SING
Flash (IE) newfunction
Quicktime (IE) _Marshaled_pUnk
Java getSoundBank
Enhanced Mitigation Experience Toolkit
Microsoft utility that adds obstacles to exploitation
On XP: DEP, SEHOP, Null Page, Heap Spray, EAT filter
Distributed as an MSI, controlled via CLI or Registry
Apply it to one application at a time
Harden legacy applications
Temporary protections against known zero-day
Permanent protections against highly targeted apps
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-03-35-03-78/Users-Guide.pdf
Most Severe Exploits 2009-2010
IE Help Center XSS
Firefox SessionStore
The Firefox exploit is only in one kit. We can make an informed decision about the amount of risk we are assuming.
Intelligence-Driven Mitigations
Easy mitigations (22 out of 27 exploits):
DEP on IE, Firefox, and Reader
No Java in the Internet Zone
Disallow opening of non-PDF file attachments
Hard mitigations (all the rest):
EMET on IE and Reader, the two most attacked apps
Upgrade to IE8 for that pesky Help Center XSS
Disallow Firefox, patch it, or accept the risk
Extremely limited susceptibility going forward
Taking It Further
Mass malware exploits are:
1. Result of users browsing internet sites
2. Shortest path to install malware w/ a single exploit
(figure: Malicious HTML reaching three browser targets, each path ending at Install SpyEye; Chrome requires DEP Bypass and then Sandbox Escape first, IE8 requires DEP Bypass, and IE7 with plugins such as Java, Flash, etc. requires neither)
*DDZ – Memory Corruption, Exploitation and You
Google Chrome Frame
“X-UA-Compatible: chrome=1”
Internet sites standardized around HTML/JS
This is why you don’t need IE6 or IE7 at home
For internet sites, add HTTP header w/ Bluecoat
Browser is sandboxed
Uses auto-updated Google version of Flash
No other plugins are loaded
Maintain whitelist of internet sites that need IE
Typically established vendor relationships
All intranet websites will load with IE as usual
Seamless to the user, mitigates all exploits in use
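As an added illustration of the deployment policy described above (not the talk's or Bluecoat's configuration), this Python function decides for a given URL whether the proxy should inject the X-UA-Compatible: chrome=1 header: internet sites get it, whitelisted IE-only vendor sites and intranet hosts do not. The whitelist, internal DNS suffix and hostnames are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy inputs (placeholders, not the talk's lists).
IE_WHITELIST = {"vendor-portal.example.com"}   # internet sites that still need real IE
INTRANET_SUFFIXES = (".corp.example",)          # internal DNS suffix(es)
CHROME_FRAME_HEADER = ("X-UA-Compatible", "chrome=1")

def is_intranet(host: str) -> bool:
    """Single-label names, internal suffixes and private/loopback IPs count as intranet."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback
    except ValueError:
        pass  # not an IP literal, fall through to name-based checks
    return "." not in host or host.endswith(INTRANET_SUFFIXES)

def in_whitelist(host: str) -> bool:
    """Exact or subdomain match against the IE-required whitelist."""
    return any(host == w or host.endswith("." + w) for w in IE_WHITELIST)

def proxy_response_headers(url: str, upstream_headers: dict) -> dict:
    """Return the response headers the proxy should forward to the client for this URL."""
    host = (urlsplit(url).hostname or "").lower()
    headers = dict(upstream_headers)
    if is_intranet(host) or in_whitelist(host):
        return headers  # loads in IE as usual
    name, value = CHROME_FRAME_HEADER
    headers[name] = value  # override any upstream value so the policy wins
    return headers
```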
Maslow’s Internet Threat Hierarchy
(pyramid figure, shown without the Mass Malware tier; axes: # of Attacks, Data Lost)
APT – IP
Targeted – $$$
Now you’re ready to defend against more advanced attackers
Intelligence-Driven Conclusions
Don’t wait to act with Flash and Java
Pay attention to targeted attack disclosures in 2011
Force malware authors to use multiple exploits
Seriously consider Google Chrome Frame
Are your consultants/MSSPs/scanners evaluating vulnerabilities the same way that attackers are?
Intelligence-Driven Response
Informed defense is more effective and less costly
Threat-focused security is practical
Attack data is necessary to adequately model your risk
Thanks
Rcecoder, Mila Parkour, Francois Paget, Adam Meyers – Exploit Pack Table on Contagio Dump & Exploit Kit Source
Mike Cloppert and Dino Dai Zovi – Inspiration, ideas, and encouragement
Chris Clark – Getting started with the research process at iSEC
John Matherly – Creating SHODAN and fixing my bugs
Dean De Beer – ThreatGRID data, screenshots, and background material
References and Q&A
Updates with more data at SummerCon, 6/10
Related Presentations (online): Memory Corruption, Exploitation, and You – DDZ; Intelligence-Driven Response to APT – M. Cloppert; Any Mandiant Presentation
Related Presentations (at SOURCE): 2011 Verizon Data Breach Report, Hutton; Fuel for Pwnage, Diaz and Mieres; Dino Dai Zovi Keynote
mailto:[email protected]
Appendix
Frequently Asked Question #1
Q: What do you think about network detections?
A: Apply the same analysis process (kill chain) to the adversary you care about and determine major source of overlaps in intrusions. You may find better indicators than simply IP addresses.
i.e., “Hey, all the malicious domains attacking me are registered with the same whois data.”
See some of Mike Cloppert’s writings
See ThreatGRID when it comes out
Frequently Asked Question #2
Q: How can we keep up with these data? You did a point in time assessment, but I want this going forward.
A: This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.
Frequently Asked Question #3
Q: Aren’t you cheating by saying we should use EMET to mitigate past exploits?
A: If we were smart enough to enable mitigations like DEP, we would have had a solid 1.5 years where we weren’t affected by mass malware mem corruption exploits at all, buying us a huge amount of time to investigate other mitigation techniques.
The exploits that EMET was needed for came after the tool was released in Oct 2009. If you had someone performing this analysis, you could have observed the exploits that bypassed DEP and responded the same way I did. Intelligence gathering is not a static process, we have to continue collecting and responding to new information.
There are more ways to use this intelligence. For instance, since we know that Flash and targeted attacks are so rapidly incorporated into mass exploitation campaigns, we would have known on April 11th that CVE-2011-0611 would be a significant issue. The patch came out on April 15th, but I doubt many orgs patched over the weekend or enabled other mitigating options before it was massively exploited on April 18th. With this data in hand, they would have realized the seriousness of the original event on the 11th.
Frequently Asked Question #4
Q: Future analysis?
A:
How [exactly] do researcher disclosures correlate with massive exploitation?
Are the number of bugs exploited as zero-day increasing? Why?
Do researchers follow zero-day disclosure trends or vice-versa?
Exactly how much exploit code is modified from public PoC’s before being integrated into a kit?
Expect new results some time in June