How Google Was Pwned: In-Depth Look into the Aurora Attacks

In-Depth Look into the Aurora Attacks

What makes Aurora Impressive It weaves together targeted Social Engineering attacks, Zero-Day exploits, and malware to successfully compromise the networks of over 20 major international corporations including the almighty Google.

Two Separate Attack Vectors   SocialEngineering – Focused and precise   Zero-day exploits – Internet Explorer

Social Engineering Vector   Severalkey things were done to increase the success of the spear- phishing emails:   Certain individuals within the companies were targeted.   Friends of the targeted individuals were targeted as well.   The targets are thought to have elevated privileges within the companies (Sysadmins, developers, etc.)

The Zero-Day Exploit   Microsoft Security Bulletin MS10-002   Affects Internet Explorer 5, 6, 7, and 8   HTML Object Memory Corruption

Why it works   IE has a bug in handling deleted objects   Allows the attacker to inject malicious code that was in previously deleted object.

The heap spray   Attackerutilizes heap spray technique to put the payload in memory

Core of the exploit

Exploit Flow   HTML loads the image   JavaScript deletes it (Function EV1)   Then replaces it with a memory address (Function EV2)   Which hits the Heap Spray   And executes the payload

DEP in a nutshell   DataExecution Prevention (DEP) renders buffer overflows harder to exploit due to the fact it adjusts stacks to read-only.   DEP was often surprisingly hard to bypass in browser exploits and typically made heap spray attacks fairly difficult if not impossible.

ASLR in a nut shell   Most exploits heavily rely off of hijacking execution flow and typically are very reliant on memory addresses.   ASLR randomizes the memory addresses each reboot so that the attacker can’t typically predict the memory address to head over to.

Scary Stuff   The Aurora Attack Bypassed Data Execution Prevention (DEP)

Even Worse   DEP+ Address Space Location Randomization (ASLR) was just recently bypassed on Windows 7 + IE 8   Theonce impossible to bypass, can now be bypassed.

So what this means…   Focused and organized attacks are on the rise….   Attackerswill continue to get in through the easiest route.   A combination of zero-days and the human element was the root cause for the success of this attack.

How to prevent   This exploit has already been patched, make sure you update.   IEis a large target, consider moving to Firefox with No-Script enabled.   Kernelhooking HIPS could have potentially stopped this attack.

http://www.slideshare.net	109
http://www.neoisf.org	21
http://www.neoinfosecforum.org	4
http://www.neoisf.com	1
http://neoisf.org	1

How Google Was Pwned: In-Depth Look into the Aurora Attacks

by Northeast Ohio Information Security Forum on Mar 09, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 136

Statistics

How Google Was Pwned: In-Depth Look into the Aurora Attacks — Presentation Transcript