The Elderwood Project
Brian Bowlby, CompNet

Review of material on the Symantec website (www.symantec.com)
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
http://www.symantec.com/connect/blogs/how-elderwood-platform-fueling-2014-s-zero-day-attacks

What is the Elderwood Project (also called the Elderwood Platform)?
A set of zero-day exploits that have been engineered and packaged in a “consumer-friendly” way so that non-technical people can easily attack their targets.
The name Elderwood comes from a source-code variable used by the attackers.

What are zero-day exploits?
Exploits that exist in the initial release of a software package
Often unknown to the programmer(s)
May be known, but too expensive or time-consuming to correct
Generally, serious vulnerabilities are rare (8 identified in 2011)

Which zero-day exploits are included?
• Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
• Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)
• Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
• Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)

Newer packages include exploits of these vulnerabilities
• Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
• Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324)
• Adobe Flash Player and AIR Remote Code Execution Vulnerability (CVE-2014-0502)

How are these vulnerabilities exploited?
Two methods for propagating their payload
– Spear-phishing: an infected document is attached to an email message
– Watering hole attack: visitors to a compromised web site are infected

A third possibility – a combination of the above
Send the target user an email with a link to an infected website
The link can be unique for that user

Who is Behind Elderwood?
High degree of technical sophistication – able to exploit many different vulnerabilities
Once packaged, less technical groups can mount the actual attacks – perhaps a different group for each target
Attacks are targeted – no mass email campaigns
Attackers are patient – may lie in wait for several months before adding malicious code

Components of Elderwood (image-only slide; no text transcribed)

Targets
Defense – companies that manufacture components for top-tier defense contractors
NGOs and human rights groups (Amnesty International)
Finance, Energy, Education and Government

Recent Timeline of Elderwood Attacks (image-only slide; no text transcribed)

Groups using the Elderwood Platform (image-only slide; no text transcribed)

Takeaway Lessons
Apply the latest patches/updates to your software
Don’t open attachments unless you’re sure of the source
Be careful when clicking on links in email messages
Check that the link’s real URL matches the “printed” one (example shown on the slide: http://fake.name.com)
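A defender-side check for the last lesson, added here as an example and not part of the original slides: it parses the HTML body of a message and flags every link whose visible text is itself a URL but whose real href points to a different domain. The sample message, its domain names and the function names are constructed for this example; the two-label domain comparison is a deliberate simplification, since a production check would consult the public suffix list.

```python
# Added example (not from the original slides): flag email links whose
# displayed URL differs from the URL the link actually points to.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the <a> currently being read, else None
        self._text = []        # text fragments seen inside that <a>
        self.links = []        # list of (href, visible_text)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; scheme-less text such as www.x.com is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Crude approximation: keep the last two labels (example.com).
    A production check would use the public suffix list instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_mismatched_links(html):
    """Return links whose displayed URL and real target are on different domains.

    Links whose visible text is not a URL ("click here") are skipped: there is
    no printed URL to compare against, so they need a different kind of check.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": text, "actual": href})
    return findings


# Constructed sample message body; the domain names are made up for the example.
SAMPLE_EMAIL = """
<p>Please review the quarterly report:</p>
<a href="http://lookalike.example/login">http://fake.name.com/report</a><br>
<a href="https://www.symantec.com/connect">https://www.symantec.com/connect</a><br>
<a href="http://www.example.org/">click here</a>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL):
        print(f"printed {finding['shown']!r} but link goes to {finding['actual']!r}")
```

Run against the constructed sample, only the first link is reported: the text reads http://fake.name.com/report while the href goes to lookalike.example. The same logic can sit in a mail gateway or a user-reported-phish triage script; subdomain differences within one registrable domain (www. versus mail.) are intentionally not flagged to keep the noise down.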

Thanks / Questions?