The Evolving Threat Landscape
Zheng Bu, Rahul Kashyap, McAfee Labs
Session ID: HT2-106
Session Classification: Intermediate
Agenda
Vulnerabilities and Exploitation
Targeted Attacks (APTs)
Cybercrime Goes Social
Q&A
Vulnerabilities and Exploitation
2010: Microsoft and Adobe Vulnerabilities Snapshot
[Chart: number of security patches per year, 2007-2010, Microsoft vs. Adobe. Source: McAfee Labs]
2010: High-Profile Zero-Day Vulnerabilities
Steady increase in attacks targeting client software
Adobe and Microsoft were popular exploit victims.
CVE-2010-0249: MS10-002 HTML Object Memory Corruption Vulnerability (Operation Aurora)
CVE-2010-2883: Adobe SING Tag Buffer Overflow Vulnerability
CVE-2010-2884: Adobe Reader, Flash Player Code Execution Vulnerability
CVE-2010-1297: Adobe Flash Memory Corruption Vulnerability
CVE-2010-1885: Windows Help and Support Center Vulnerability
CVE-2010-1240: PDF/Launch Attack (Zeus)
CVE-2010-2568: Windows Shortcut Icon Loading Vulnerability (Stuxnet)
CVE-2010-2729: Print Spooler Service Impersonation Vulnerability (Stuxnet)
Malware Writers Love Adobe Vulnerabilities
[Chart: Productivity Application Vulnerability Based Malware, 2010: MS Office (Word, Excel, PowerPoint) vs. Adobe Reader, Acrobat. Source: McAfee Labs]
Which Adobe App Was Most Exploited in 2010? The Winner Is Reader!
[Chart: Adobe: Unique Malware Detected in the Wild, Adobe Flash vs. Adobe PDF. Source: McAfee Labs]
Mitigation vs. Exploitation: a Catch-Up Game
Attack: Stack Overflow Attacks
Mitigation: Stack Canary Checks, Safe SEH
Attack: Heap Overflow Attacks
Mitigation: Heap Safe Unlink
Attack: Shellcode Execution
Mitigation: Data Execution Prevention (DEP/NX)
Mitigation: Address Space Layout Randomization (ASLR)
Attack: Return Oriented Programming (ROP), JIT Spray
Case Study: CVE-2010-2883 Adobe SING Tag Buffer Overflow Vulnerability
"Classic" stack overflow
Exploit does not overwrite the return address
Overwrites a pointer in the stack to bypass stack protection
Source: McAfee Labs
Case Study: CVE-2010-2883 Adobe SING Tag Buffer Overflow Vulnerability (continued)
Uses ROP techniques in the shellcode to bypass DEP+ASLR
Special staged shellcode for this DLL
Source: McAfee Labs
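An added static check for the CVE-2010-2883 pattern, written for this page and not code from the McAfee Labs deck. The vulnerable CoolType.dll code copied the SING table's uniqueName field, which the SING format defines as a NUL-terminated string inside a 28-byte field, with a length-unaware string routine; a font whose uniqueName has no terminator within those 28 bytes is therefore what a scanner looks for. The layouts used here (TrueType offset table and 16-byte table records, uniqueName at byte 16 of the SING table) follow the public format descriptions; the fonts are constructed in memory and the finding strings are this example's own. It runs on decoded font bytes, so in a real PDF the FlateDecode'd font stream has to be inflated first.

```python
"""Flag TrueType fonts whose SING uniqueName is not NUL-terminated (CVE-2010-2883 pattern)."""
import struct

SING_TAG = b"SING"
UNIQUE_NAME_OFFSET = 16   # uniqueName follows eight 16-bit SING header fields
UNIQUE_NAME_LENGTH = 28   # fixed-size field; the spec requires a NUL inside it


def table_directory(font: bytes) -> dict:
    """Return {tag: (offset, length)} parsed from the TrueType offset table."""
    if len(font) < 12:
        raise ValueError("truncated offset table")
    num_tables = struct.unpack_from(">H", font, 4)[0]
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, rec)
        tables[tag] = (offset, length)
    return tables


def sing_table_findings(font: bytes) -> list:
    """Return human-readable findings for the SING table; an empty list means nothing suspicious."""
    findings = []
    tables = table_directory(font)
    if SING_TAG not in tables:
        return findings                      # no SING table: this bug class does not apply
    offset, length = tables[SING_TAG]
    if offset + length > len(font):
        findings.append("SING table extends past end of font")
        return findings
    if length < UNIQUE_NAME_OFFSET + UNIQUE_NAME_LENGTH:
        findings.append("SING table too short to hold uniqueName")
        return findings
    start = offset + UNIQUE_NAME_OFFSET
    name = font[start:start + UNIQUE_NAME_LENGTH]
    if b"\0" not in name:
        findings.append("SING uniqueName is not NUL-terminated within 28 bytes")
    return findings


def build_sample_font(unique_name: bytes) -> bytes:
    """Construct a one-table TrueType font holding a SING table (test data, not a real font)."""
    if len(unique_name) != UNIQUE_NAME_LENGTH:
        raise ValueError("uniqueName must be exactly 28 bytes")
    # SING header fields, then uniqueName, then 16-byte METAMD5 and 1-byte nameLength.
    sing = struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0) + unique_name + b"\0" * 17
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)   # sfntVersion, numTables=1
    record = struct.pack(">4sIII", SING_TAG, 0, 12 + 16, len(sing))
    return header + record + sing


if __name__ == "__main__":
    benign = build_sample_font(b"glyphlet-1".ljust(UNIQUE_NAME_LENGTH, b"\0"))
    suspicious = build_sample_font(b"A" * UNIQUE_NAME_LENGTH)
    print("benign    :", sing_table_findings(benign))
    print("suspicious:", sing_table_findings(suspicious))
```

The check is deliberately narrow: it does not try to decide whether the rest of the table is an exploit, only whether the one invariant the vulnerable copy relied on is violated, which is the kind of invariant check that survives payload obfuscation.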
DEP+ASLR=Peace of Mind!
Vulnerability | Exploitation technique
Adobe Products Authplay.dll Code Execution [CVE-2010-3654] | ROP Shellcode
Adobe Products Authplay.dll Code Execution [CVE-2010-2884] | ROP Shellcode
Adobe Flash Player, Reader, and Acrobat 'authplay.dll' [CVE-2010-1297] | ROP Shellcode
Adobe Reader and Acrobat XFA TIFF Support Code Execution Vulnerability [CVE-2010-0188] | ROP Shellcode
Adobe Reader 'CoolType.dll' TTF Font Vulnerability [CVE-2010-2883] | ROP Shellcode
Adobe Reader and Acrobat 'newplayer()' JavaScript Method Vulnerability [CVE-2009-4324] | ROP Shellcode
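The mitigations in the catch-up game only cover a process if every module loaded into it opts in, and the case study's "special staged shellcode for this DLL" is a reminder that a single plug-in module is the place ROP looks. The following is an added example, not code from the McAfee Labs deck: it reads the DllCharacteristics field of a PE optional header and reports whether the module opted into DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE). The flag values and header offsets are those of the PE/COFF specification; the sample headers are constructed in memory rather than taken from any real binary.

```python
"""Report DEP/ASLR opt-in flags from a PE module's DllCharacteristics field."""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit images: high-entropy ASLR
DYNAMIC_BASE = 0x0040     # image can be relocated at load time (ASLR participates)
NX_COMPAT = 0x0100        # image is DEP-compatible
NO_SEH = 0x0400           # image contains no structured exception handlers

DLLCHARACTERISTICS_OFFSET = 70  # same offset within PE32 and PE32+ optional headers


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics value; raise ValueError on malformed headers."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    optional = coff + 20
    if len(pe) < optional + DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("file truncated inside optional header")
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too small")
    magic = struct.unpack_from("<H", pe, optional)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", pe, optional + DLLCHARACTERISTICS_OFFSET)[0]


def mitigation_report(pe: bytes) -> dict:
    """Summarise which load-time mitigations the module opted into."""
    flags = dll_characteristics(pe)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "no_seh": bool(flags & NO_SEH),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
    }


def build_sample_pe(dll_characteristics_value: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-loadable PE header with the given DllCharacteristics (test data)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE_IMAGE).
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       size_of_optional, 0x2102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dll_characteristics_value)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    legacy = build_sample_pe(0)                          # plug-in built with no opt-ins
    hardened = build_sample_pe(DYNAMIC_BASE | NX_COMPAT)
    print("legacy  :", mitigation_report(legacy))
    print("hardened:", mitigation_report(hardened))
```

Run it over every module in a browser or document reader's plug-in directory: one module with `aslr: False` hands an attacker a fixed address space to build ROP chains from, regardless of how the host process was built.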
Stealthy Exploitation
AKA: Harmonious Exploitation ("和谐漏洞利用")
Qualifications:
No intrusive reconnaissance required
Application and platform awareness
Robust exploitation
No impact on availability of the target service
No impact on availability of the target application
Bypassing the security mitigations on the target (GS, DEP, ASLR, etc.)
Adaptive to complex network environments, scalable, C&C ready
Network Security Inspection Device evasion
Stealthy Exploitation: Case Study
Exploits that identify Adobe Reader versions
Exploits that open a legitimate PDF file on successful exploitation
Exploits that obfuscate to evade NIPS inspection
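The two stealth traits above that leave a static footprint, version-aware JavaScript and obfuscation aimed at inspection devices, can both be checked for without executing anything. The following is an added example, not code from the McAfee Labs deck: a small triage pass that decodes PDF name hex escapes (so that /J#61va#53cript is matched as /JavaScript), counts action and script keywords, and notes JavaScript that reads the viewer version. The keyword list, finding strings and the two sample documents are this example's own construction.

```python
"""Static triage of PDF action/script keywords that survives name-escape obfuscation."""
import re

# A PDF name runs from "/" up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
# "#xx" inside a name is a two-digit hex escape for one byte (PDF 32000-1, 7.3.5).
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

SUSPICIOUS_NAMES = {
    b"JavaScript": "embedded JavaScript",
    b"JS": "embedded JavaScript",
    b"OpenAction": "action runs when the document opens",
    b"AA": "additional (automatic) actions",
    b"Launch": "Launch action (external program or file)",
    b"EmbeddedFile": "embedded file attachment",
}
# Properties an exploit's JavaScript reads to pick a version-specific path.
VERSION_PROBES = (b"app.viewerVersion", b"app.viewerType", b"app.platform")

# Constructed samples: a minimal benign file and one that escapes its keywords.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
EVASIVE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj\n"
               b"3 0 obj << /S /J#61va#53cript /J#53 (var v = app.viewerVersion; "
               b"if (v < 9.4) { stage2(); }) >> endobj\n"
               b"trailer << /Root 1 0 R >>\n%%EOF\n")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so that obfuscated and plain spellings compare equal."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_findings(pdf: bytes) -> dict:
    """Scan the uncompressed layer of a PDF for action/script keywords and version probes."""
    counts = {}
    obfuscated = 0
    for m in NAME_RE.finditer(pdf):
        raw = m.group(1)
        name = decode_name(raw)
        if name in SUSPICIOUS_NAMES:
            key = name.decode("ascii")
            counts[key] = counts.get(key, 0) + 1
            if name != raw:            # keyword was only visible after decoding
                obfuscated += 1
    probe = any(p in pdf for p in VERSION_PROBES)
    flags = []
    for key in counts:
        reason = SUSPICIOUS_NAMES[key.encode("ascii")]
        if reason not in flags:
            flags.append(reason)
    if obfuscated:
        flags.append("hex-escaped keyword names (possible signature evasion)")
    if probe:
        flags.append("JavaScript probes the viewer version")
    return {"names": counts, "obfuscated_keywords": obfuscated,
            "version_probe": probe, "flags": flags}


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("evasive", EVASIVE_PDF)):
        print(label, pdf_findings(doc))
```

Only keyword names that were hex-escaped are counted as obfuscation, since legitimate producers do escape spaces and punctuation in ordinary names. The scan sees only the uncompressed layer: objects inside FlateDecode streams or object streams (/ObjStm) must be inflated before this pass, which is exactly the step an inline inspection device running on a signature alone tends to skip.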
Welcome to the "App Store" of Exploit Kits
Crimepack
Features include:
Tracking website stats
Regularly updated exploits
Geo-location tracker
OS stats
Browser stats
Test attack before launching
Success rate
Targeted Attacks (Advanced Persistent Threats)
Case Study: Operation Aurora
A coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper, Symantec, and others
Exploits a zero-day vulnerability in Internet Explorer
Lures users to malicious websites, installs Trojan malware on systems, uses Trojan to gain remote access
Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts
Operation Aurora: Modus Operandi
1. Attack initiated: User with IE vulnerability visits website infected with Operation Aurora malware
2. Attack in progress: Website exploits vulnerability; malware (disguised as JPG) downloaded to user's system
3. Attack setup complete: Malware installed on user's system; malware opens back door (using custom protocol acting like SSL) that gives access to sensitive data
Operation Aurora: Exploit
Payload has multiple levels of obfuscation to disguise the payload
Payload exploits a zero-day vulnerability in Internet Explorer
The attack uses heap spray and downloads a fake image—an XOR'ed binary.
The backdoor is now installed and sends out fake SSL traffic
[Figure: original obfuscated exploit beside the de-obfuscated exploit]
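Two of the Aurora delivery steps above leave checkable artefacts: a "JPG" that is really an XOR'ed executable, and back-door traffic that only imitates SSL. The following is an added example, not code from the McAfee Labs deck, showing both checks a defender can run on a captured download and on the first bytes of a connection: brute-forcing the 256 single-byte XOR keys and looking for the MZ/PE structure decoding must reveal, and verifying that a port-443 flow begins with a genuine TLS record header and ClientHello. The sample executable header and the byte strings are constructed in memory; "single-byte XOR" is this example's assumption about the encoding, which the slide does not specify.

```python
"""Triage checks for XOR-disguised executables and traffic that only pretends to be SSL/TLS."""
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def looks_like_pe(data: bytes) -> bool:
    """True if data carries an MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_key(data: bytes):
    """Return the single-byte key under which data decodes to a PE image, or None.
    Only the first 4 KiB are tried: the MZ/PE headers and DOS stub live there."""
    head = data[:4096]
    for key in range(256):
        candidate = xor_bytes(head, key)
        if looks_like_pe(candidate) and DOS_STUB_TEXT in candidate:
            return key
    return None


def classify_download(data: bytes) -> str:
    """Label a fetched object by what it actually is, not by the name it was served under."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if looks_like_pe(data):
        return "pe"
    key = find_xor_key(data)
    if key is not None:
        return "xor-encoded pe (key 0x%02x)" % key
    return "unknown"


def is_tls_record(first_bytes: bytes) -> bool:
    """Check the 5-byte TLS record header and that the handshake begins with a ClientHello."""
    if len(first_bytes) < 6:
        return False
    content_type, major, minor, length = struct.unpack_from(">BBBH", first_bytes, 0)
    if content_type != 0x16 or major != 3 or minor > 3:    # handshake record, SSL3.0..TLS1.2 framing
        return False
    if length == 0 or length > 16384 + 2048:               # 2^14 plus ciphertext expansion
        return False
    return first_bytes[5] == 0x01                          # HandshakeType client_hello


def build_sample_pe() -> bytes:
    """Minimal MZ/PE header with the DOS-stub string (constructed, not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    sample = build_sample_pe()
    print("plain     :", classify_download(sample))
    print("disguised :", classify_download(xor_bytes(sample, 0x95)))
    print("real jpeg :", classify_download(b"\xff\xd8\xff\xe0" + b"\0" * 16))
    print("tls hello :", is_tls_record(b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"))
    print("fake ssl  :", is_tls_record(b"\x00\x01\x02\x03\x04\x05\x06\x07"))
```

Both checks are cheap enough to run inline: the download check needs at most 256 decodes of the first 4 KiB, and the traffic check needs six bytes, which is why a custom protocol that merely uses port 443 is easier to spot than one that actually speaks TLS.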
Cybercrime Goes Social
Abusing Social Networks
Fake accounts on sale
Accounts can be used to send spam, phishing, fake products/services, or malicious downloads
Prices vary depending on the quality of account
Source: McAfee Labs
"Social" Hacktivism
2010 had several instances of activist groups launching protests over the Internet
DDoS seems to be the favorite vector
Lines between cyberwarfare and hacktivism continue to blur
Source: McAfee Labs
Operation Payback
The attack tool was a modified, public open-source tool called LOIC
Created a "social botnet" using HIVE mode
Attack vector is unsophisticated, but has temporary impact on global enterprises
Conclusions
Client-side attacks are on the rise
There is no silver bullet for security; all the available known defenses can be bypassed
Stealthy exploitation makes attacks more difficult to detect
APTs leverage all of the latest exploitation techniques and are becoming the most severe threats for businesses
Social networks have been leveraged by attackers and hacktivists
Do not completely rely on security protection from vendors. Use extreme caution when you surf!