Aurora Internet Explorer Zero Day Attack
An analysis of the Aurora Internet Explorer Zero Day Attack (aka Google China Attack) and possible solutions for corporations.

Slide 1: Aurora Zero-Day Exploit Overview
Mission Critical Systems, Inc. - Providing Comprehensive Systems and Network Security - (877) 744-3444. © 2009 Mission Critical Systems.
Slide 2: Important terminology for this discussion
• Phishing: the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
• Spearphishing: phishing attacks targeting specific individuals.
• Whaling: phishing attacks directed specifically at senior executives and other high-profile targets within businesses.
• Vulnerability: a system susceptibility or flaw.
• Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior in software, hardware, or another electronic device. This frequently includes gaining control of a computer system, escalating privileges, or causing a denial of service.
• Payload: code carried by the exploit to the target computer and then executed there.
• Metasploit Framework: a toolkit for developing and executing exploit code against a remote target machine. It can be used by defenders for testing or by attackers for attacks.
Slide 3: Aurora Internet Explorer Zero-Day Attack
The Aurora attacks leveraged a previously unknown vulnerability in Internet Explorer (IE6, IE7, and IE8) on Windows (XP, Vista, and 7), together with nearly a dozen pieces of malware and several layers of encryption, to burrow deeply into company networks and obscure the attackers' activity. Beginning in December 2009, emails containing links to malicious websites that exploited this vulnerability were sent to Google, Adobe, and approximately 30 other companies in a spearphishing campaign. When a user clicked a link, exploit code on the website triggered the vulnerability and installed an initial piece of malware on the user's machine.
Slide 4: Aurora Internet Explorer Zero-Day Attack (continued)
Once the initial malware was installed, additional malicious code was downloaded. One of the malicious programs established an encrypted (SSL) connection back to the attackers' command-and-control network. This remote backdoor gave the attackers unfettered and hard-to-detect access to the user's machine, which they then used as a "beachhead" into other parts of the network to search for login credentials, intellectual property, and whatever else they were after. The attackers are believed to have targeted the source-code repositories of many of the companies, and to have reached them in many cases.
Slide 5: Aurora Internet Explorer Zero-Day Attack (continued)
The Aurora attack is an example of an Advanced Persistent Threat:
• Advanced means the adversary can operate across the full spectrum of computer intrusion.
• Persistent means the adversary is formally tasked to accomplish a mission.
• Threat means the adversary is not a piece of mindless code.
Since the exploit code is now publicly available, we expect the number of attacks of this type to grow with time. The next wave of attacks is expected to come from cybercriminals whose techniques are equally sophisticated but whose motives differ: they will certainly be hunting for data, but for monetary gain rather than intelligence gathering. Essentially, the attack is ongoing.
Slide 6: Aurora Internet Explorer Risk by Platform
The risk-by-platform table on this slide was an image and is not reproduced here. Its point is that exposure differs by IE version and Windows release, chiefly according to whether DEP is in effect for the browser process.
DEP (Data Execution Prevention) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap or the stack. Hardware-enforced DEP detects code running from these locations and raises an exception when execution occurs. Software-enforced DEP helps prevent malicious code from abusing exception-handling mechanisms in Windows.
Practical caveat: IE8 opts in to DEP by default on Windows XP SP3, Vista SP1 and later, and Windows 7, whereas IE6 and IE7 run without it unless it is turned on explicitly, which is why the same exploit carried far more risk on the older browsers. Microsoft's advisory for this vulnerability recommended enabling DEP as a mitigation. DEP raises the cost of exploitation but does not remove the vulnerability; only the patch does that.
Slide 7: Attack Timeline
• December 2009: emails targeted 30 companies, including Google and Adobe.
• January 12, 2010: Google announces the attack.
• January 13, 2010: Adobe and other companies announce they were attacked.
• January 14, 2010: zero-day exploit details made public.
• January 15, 2010: Metasploit Framework adds a module for the vulnerability.
• January 15, 2010: proof-of-concept code released on the Internet.
• January 17, 2010: Websense ThreatSeeker detects a live attack website in China.
• January 18, 2010: second live attack website detected.
• January 19, 2010: reports of the malicious link spreading through instant messaging.
• January 21, 2010: Microsoft releases an out-of-band patch (MS10-002) via Automatic Updates.
Slide 8: Video of the Exploit in Action
Video courtesy of McAfee (not included in this transcript).
Slide 9: Anti-Virus is not enough!
• Antivirus and URL-filtering solutions did not protect Google, Adobe and the others when Aurora first appeared.
• Why? Anti-virus looks for the PAYLOAD, not the EXPLOIT.
• Attackers can use one EXPLOIT to deliver many PAYLOADS; over time there can be thousands of PAYLOADS all riding on the same EXPLOIT, each needing its own signature.
• Anti-virus scans files as they are written to disk. It is not designed to protect the browser in real time against web exploits.
As of January 21, only 25% of the AV vendors tracked protected against the payload, according to
Slide 10: IE is not the only vulnerable application; vulnerabilities are constantly being discovered
Vulnerabilities were disclosed in the following products in 2009 and 2010:
• Microsoft Internet Explorer, MSN Messenger
• Adobe Acrobat, Flash Player, Shockwave
• Apple QuickTime, Safari, iTunes
• HP utilities (printer software, PC multimedia software)
• Mozilla Firefox
• Opera browser
• RealNetworks RealPlayer
• Skype
• Sun Java
• Trillian
• VMware Player, Workstation and other products
Slide 11: Exploit Packs
Attackers are sharing code and tools. "Exploit packs" mark a new level of sophistication in attacks and drive-by malware downloads. They are bundles of exploits with a front end that fingerprints the visitor's browser and plugins, identifies vulnerable applications, and then serves the exploit that matches. So it is no longer enough to patch Internet Explorer: every application on the desktop needs to be patched, or have alternative protection measures in place. The window to remediate is shrinking and the attackers are getting faster. Businesses have to adapt to these ever-changing threats.
Slide 12: Solutions
Desktop Anti-Virus (Symantec, McAfee): host protection is an absolute must, but not necessarily a good FIRST line of defense. Anti-virus products rely on signatures to detect the PAYLOAD, not the exploit used to deliver it, and one exploit can require thousands of signatures over its lifetime.
Vulnerability Scanners (eEye, Symantec Enterprise Security Manager, McAfee Vulnerability Manager): useful for determining which machines are unpatched, but offer no real-time protection.
DLP (Vontu, Websense, RSA): Data Loss Prevention can help a company prevent the theft and leakage of confidential data and code, but it does not prevent the initial infection or the takeover of the machines.
Slide 13: Solutions (continued)
IPS (TippingPoint, Check Point, McAfee): requires a signature update to detect the exploit, but a signature written for the exploit covers every payload delivered through it. IPS vendors are usually given advance notice of a vulnerability before it is announced to the public, making them a good line of defense.
Host IPS (McAfee, Symantec, eEye): an excellent tool for preventing unknown exploits from taking advantage of vulnerabilities, because it looks for specific behaviors rather than known bytes. HIPS complements traditional signature and heuristic anti-virus detection, since it does not need continuous updates to stay ahead of new malware. Many anti-virus packages offer HIPS as an upgrade.
Gateway HTTP and HTTPS Inspection (Websense Security Gateway, McAfee WebWasher): gateway security products are one of the best ways to protect yourself, as they combine anti-virus, URL filtering, and exploit protection in a single product. For example, Websense states that its Web Security Gateway customers had zero-day protection from this attack before the December 2009 emails went out. By correlating spam (phishing messages) with malicious links, infected websites and payload-delivery sites, and layering exploit/vulnerability protection and anti-virus on top, the product could identify the attack and block access. Such gateways provide inbound inspection for viruses and malicious code as well as standard URL filtering for HTTP, HTTPS, and FTP.
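The point made on slide 9 (anti-virus matches the payload, not the exploit) and again under gateway inspection on slide 13 (inspect the page for the exploit itself) is easiest to see with code. The following is an added example written for this page, not code from the original deck or from any vendor product. It constructs three small HTML pages: two drive-by pages that build a heap spray the same way but carry different payloads, and one benign page that also happens to call unescape() in a loop. A payload-hash signature, the unit desktop AV keys on, catches only the payload it has already seen; three heuristics that look at how the spray is built catch both attack pages and leave the benign page alone. All sample pages, payload strings, regular expressions and hashes are constructed for illustration and are not taken from the real Aurora exploit.

```python
"""Detect the exploit stage, not just the payload (added example, constructed data)."""
import hashlib
import re

# --- constructed samples ---------------------------------------------------
# Hypothetical drive-by page: a %u-encoded "shellcode" string and a NOP sled are
# unescaped, the sled is doubled until it is 1 MiB, and 200 copies of
# sled+shellcode are kept in an array so the heap is full of them. The
# browser-specific trigger that would follow is deliberately omitted.
SPRAY_TEMPLATE = """<html><body><script>
var shellcode = unescape("__SC__");
var sled = unescape("%u0c0c%u0c0c");
while (sled.length < 0x100000) sled += sled;
var spray = new Array();
for (var i = 0; i < 200; i++) spray[i] = sled + shellcode;
</script></body></html>"""

# Two constructed payloads: B is A "repacked", i.e. the same exploit carrying
# different bytes, which is exactly what defeats a payload-only signature.
PAYLOAD_A = "%u9090%u9090%u9090%u9090%u9090%u9090%u31c0%u9090%ucccc%ucccc"
PAYLOAD_B = PAYLOAD_A.replace("%u31c0%u9090", "%u9090%u31c0")

ATTACK_PAGE_KNOWN = SPRAY_TEMPLATE.replace("__SC__", PAYLOAD_A)
ATTACK_PAGE_REPACKED = SPRAY_TEMPLATE.replace("__SC__", PAYLOAD_B)

# Constructed benign page: unescape() and a small loop used legitimately.
BENIGN_PAGE = """<html><body><script>
var word = unescape("caf%u00e9");
for (var i = 0; i < 3; i++) document.title = word + " " + i;
</script></body></html>"""


def payload_hash(encoded: str) -> str:
    """Hash of an encoded payload string, the unit an AV signature keys on."""
    return hashlib.sha256(encoded.encode()).hexdigest()


# What the AV vendor holds at this point: the one payload it has already seen.
KNOWN_PAYLOAD_HASHES = {payload_hash(PAYLOAD_A)}


def extract_unescape_strings(html: str) -> list:
    """Return every string literal passed to unescape() in the page."""
    return re.findall(r'unescape\(\s*"([^"]*)"\s*\)', html)


def payload_signature_match(html: str, known_hashes: set) -> bool:
    """AV-style check: true only if a previously seen payload appears verbatim."""
    return any(payload_hash(s) in known_hashes for s in extract_unescape_strings(html))


# Exploit-stage heuristics: they describe how a heap spray is assembled and do
# not depend on which payload rides along.
SPRAY_PATTERNS = [
    (r'unescape\(\s*"(?:%u[0-9a-fA-F]{4}){8,}',
     "long %u-encoded string passed to unescape()"),
    (r'while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-fA-F]{5,}\s*\)\s*\w+\s*\+=\s*\w+',
     "string doubled in a loop to >= 64 KiB"),
    (r'for\s*\([^)]*\)\s*\w+\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+',
     "array filled with sled+payload copies"),
]


def exploit_heuristics(html: str) -> list:
    """Names of the spray heuristics that fire on this page."""
    return [desc for pat, desc in SPRAY_PATTERNS if re.search(pat, html)]


def classify(html: str, known_hashes: set, threshold: int = 2) -> dict:
    """Gateway-style verdict: block on a known payload OR on exploit behaviour."""
    sig = payload_signature_match(html, known_hashes)
    hits = exploit_heuristics(html)
    return {"signature": sig, "heuristics": hits,
            "verdict": "block" if sig or len(hits) >= threshold else "allow"}


def run_demo() -> dict:
    """Classify the three constructed pages; returns a name -> result map."""
    pages = {"known payload": ATTACK_PAGE_KNOWN,
             "repacked payload": ATTACK_PAGE_REPACKED,
             "benign page": BENIGN_PAGE}
    return {name: classify(html, KNOWN_PAYLOAD_HASHES) for name, html in pages.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18s} signature={result['signature']!s:5s} "
              f"heuristics={len(result['heuristics'])} verdict={result['verdict']}")
```

Running the block shows the asymmetry the slides describe: the page with the already-catalogued payload is blocked by both methods, the repacked page slips past the hash signature but trips all three spray heuristics, and the benign page trips none. The threshold of two heuristics is a constructed choice; in a real gateway it would be tuned against traffic, and the patterns would be one input among many (URL reputation, the correlated spam data slide 13 mentions) rather than a stand-alone decision.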
Slide 14: Questions?
Mission Critical Systems - Providing Comprehensive System and Network Security - (877) 744-3444.