How Google Was Pwned: In-Depth Look into the Aurora Attacks

Presented at the February 2010 meeting of the Northeast Ohio Information Security Forum by Josh Kelley, Enterprise Security Analyst for a Fortune 1000 company.

1. In-Depth Look into the Aurora Attacks

2. What makes Aurora Impressive
   - It weaves together targeted social engineering, zero-day exploits and malware to compromise the networks of more than 20 major international corporations, including Google itself.

3. Two Separate Attack Vectors
   - Social engineering: focused and precise
   - Zero-day exploit: Internet Explorer

4. Social Engineering Vector
   - Several key things were done to increase the success of the spear-phishing emails:
   - Specific individuals within the companies were targeted.
   - Friends of the targeted individuals were targeted as well.
   - The targets are thought to have held elevated privileges within the companies (sysadmins, developers, etc.).

5. The Zero-Day Exploit
   - Microsoft Security Bulletin MS10-002
   - Affects Internet Explorer 5.01, 6, 7 and 8
   - HTML Object Memory Corruption Vulnerability (CVE-2010-0249)

6. Why it works
   - IE has a use-after-free bug: it keeps using a reference to a DOM object after that object has been deleted and its memory freed.
   - The freed memory can be refilled with attacker-controlled data, so the stale reference now points into content the attacker chose instead of the original object.

7. The heap spray
   - The attacker uses a heap spray to place many copies of the payload (a NOP sled followed by shellcode) throughout memory, so that a single guessed address is almost certain to land on a sled.

8. Core of the exploit

9. Exploit Flow
   - HTML loads an image (an <img> element inside a containing element).
   - JavaScript deletes it (function ev1 saves a reference to the image in an event object, then clears the container's innerHTML, which frees the element).
   - It then refills the freed memory with a repeated memory address (function ev2 writes the address pattern into the data of a large set of COMMENT elements, reclaiming the same heap chunk).
   - The stale reference is then used (e1.srcElement): IE reads the attacker's value where the object's vtable pointer used to be and calls through it.
   - That address hits the heap spray...
   - ...and the sled leads into the payload, which executes.
10. DEP in a nutshell
   - Data Execution Prevention (DEP) makes buffer overflows harder to exploit by marking the stack and heap pages non-executable: data placed there, such as a sprayed payload, cannot be run directly.
   - DEP was often surprisingly hard to bypass in browser exploits and typically made heap spray attacks difficult, if not impossible.

11. ASLR in a nutshell
   - Most exploits rely on hijacking execution flow, and therefore on knowing where things sit in memory.
   - Address Space Layout Randomization (ASLR) randomizes where modules, stacks and heaps are placed (on Windows, module bases change at each boot), so the attacker typically cannot predict the address to jump to.

12. Scary Stuff
   - Exploit code for the Aurora vulnerability was shown to bypass Data Execution Prevention (DEP).
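The following is an added C model of the flow on slides 6 to 9, written for this page; it is not code from the slides or from the Aurora exploit itself. It simulates the use-after-free, the refill of the freed chunk, the heap spray and the stale virtual call on a private flat arena (so no real freed memory is ever touched), and treats DEP from slides 10 and 12 as a flag, which shows why DEP stops a plain heap spray at its final step. Every constant is constructed: the arena base 0x0C000000, the block and object sizes, the vtable address 0x3E001000 and the slot offset 0x34. The fill value 0x0C0C0C0C stands in for the 0x0C0D0C0D the real exploit used, so that a 4-byte read at any alignment inside the sled yields the same in-spray address.

```c
/*
 * Simulation of the Aurora exploit flow: a use-after-free on a DOM object,
 * the freed chunk refilled with an attacker-chosen pointer, a heap spray that
 * makes that pointer land on a NOP sled, and DEP modelled as a flag.
 * Everything runs inside a private flat arena, so the result is deterministic.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All constants below are constructed for the simulation. */
#define ARENA_BASE   0x0C000000u  /* the arena pretends to live at this 32-bit address */
#define ARENA_SIZE   0x200000u    /* 2 MiB of simulated process heap */
#define SPRAY_BLOCKS 16u          /* 16 x 64 KiB = 1 MiB sprayed, enough to cover SPRAY_FILL */
#define SPRAY_BLOCK  0x10000u
#define PAYLOAD_SIZE 32u          /* last 32 bytes of each block stand in for the shellcode */
#define PAYLOAD_BYTE 0xCCu        /* marker byte for the payload */
/* Aurora used 0x0C0D0C0D; 0x0C0C0C0C is used here so a 4-byte read at any
 * alignment inside the sled gives the same in-spray address. On x86, 0x0C is
 * 'or al, imm8', so a run of 0x0C bytes is a harmless sled. */
#define SPRAY_FILL   0x0C0C0C0Cu
#define OBJ_SIZE     0x40u        /* size class shared by the <img> object and the refill data */
#define VTABLE_LEGIT 0x3E001000u  /* where the element's real vtable would be (outside the heap) */
#define VSLOT_OFFSET 0x34u        /* offset of the virtual method IE calls on the element */

typedef enum { RESULT_NOT_HIJACKED, RESULT_BLOCKED_BY_DEP, RESULT_SHELLCODE_RAN } result_t;

static uint8_t  arena[ARENA_SIZE];
static uint32_t bump;        /* next unused arena offset */
static uint32_t free_slot;   /* one-entry free list for OBJ_SIZE chunks (0 = empty) */
uint32_t g_last_vtable;      /* vtable pointer observed through the stale reference */

static bool     in_heap(uint32_t a) { return a >= ARENA_BASE && a < ARENA_BASE + ARENA_SIZE; }
static uint8_t *at(uint32_t a)      { return arena + (a - ARENA_BASE); }
static uint32_t rd32(uint32_t a)    { uint32_t v; memcpy(&v, at(a), 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(at(a), &v, 4); }

/* LIFO allocator: a freed OBJ_SIZE chunk is handed straight back on the next
 * same-size request, which is the behaviour the exploit depends on. */
static uint32_t sim_alloc(uint32_t size) {
    if (size == OBJ_SIZE && free_slot) { uint32_t a = free_slot; free_slot = 0; return a; }
    uint32_t a = ARENA_BASE + bump;
    bump += size;
    return a;
}
static void sim_free(uint32_t a) { free_slot = a; }  /* no zeroing on free, as in a real heap */
static void reset_heap(void) { memset(arena, 0, sizeof arena); bump = 0; free_slot = 0; }

/* Heap spray: many copies of <sled><payload>, so a guessed address lands on a sled. */
static void spray_heap(void) {
    for (uint32_t i = 0; i < SPRAY_BLOCKS; i++) {
        uint32_t blk = sim_alloc(SPRAY_BLOCK);
        for (uint32_t off = 0; off < SPRAY_BLOCK - PAYLOAD_SIZE; off += 4) wr32(blk + off, SPRAY_FILL);
        memset(at(blk + SPRAY_BLOCK - PAYLOAD_SIZE), PAYLOAD_BYTE, PAYLOAD_SIZE);
    }
}

/* CPU model: slide down 0x0C bytes until the payload marker. With DEP on, heap
 * pages are non-executable and the very first instruction fetch from the heap faults. */
static result_t execute_at(uint32_t pc, bool dep_enabled) {
    if (!in_heap(pc)) return RESULT_NOT_HIJACKED;
    if (dep_enabled) return RESULT_BLOCKED_BY_DEP;
    while (in_heap(pc) && *at(pc) == 0x0C) pc++;
    return (in_heap(pc) && *at(pc) == PAYLOAD_BYTE) ? RESULT_SHELLCODE_RAN : RESULT_NOT_HIJACKED;
}

/* The flow of slides 6 to 9. attacker_refills=false shows what happens when the
 * freed chunk is not reclaimed before the stale reference is used. */
result_t run_aurora_flow(bool dep_enabled, bool attacker_refills) {
    reset_heap();
    spray_heap();                                 /* payload copies all over the heap */
    uint32_t img = sim_alloc(OBJ_SIZE);           /* HTML loads the <img>; first field is its vtable */
    wr32(img, VTABLE_LEGIT);
    uint32_t stale_srcElement = img;              /* ev1: the event object keeps a reference ... */
    sim_free(img);                                /* ... then innerHTML = "" frees the element */
    if (attacker_refills) {                       /* ev2: COMMENT .data reclaims the same chunk */
        uint32_t chunk = sim_alloc(OBJ_SIZE);
        for (uint32_t off = 0; off < OBJ_SIZE; off += 4) wr32(chunk + off, SPRAY_FILL);
    }
    /* ev2: e1.srcElement -> IE calls a virtual method through the dangling pointer */
    g_last_vtable = rd32(stale_srcElement);
    if (!in_heap(g_last_vtable)) return RESULT_NOT_HIJACKED;  /* real vtable: ordinary call, no hijack */
    uint32_t method = rd32(g_last_vtable + VSLOT_OFFSET);     /* reads sled bytes: another in-spray address */
    return execute_at(method, dep_enabled);
}

int main(void) {
    static const char *names[] = { "not hijacked", "blocked by DEP", "shellcode ran" };
    result_t r = run_aurora_flow(false, true);
    printf("refill, no DEP : %s (vtable seen 0x%08X)\n", names[r], g_last_vtable);
    r = run_aurora_flow(true, true);
    printf("refill, DEP on : %s\n", names[r]);
    r = run_aurora_flow(false, false);
    printf("no refill      : %s (vtable seen 0x%08X)\n", names[r], g_last_vtable);
    return 0;
}
```

Build with any C99 compiler and run; the three scenarios come out as "shellcode ran", "blocked by DEP" and "not hijacked". The third case shows that the dangling reference alone is harmless until the attacker wins the race to reclaim the chunk, which is why ev2 runs on a timer. Bypassing DEP, as slide 12 reports, means the final jump must land in memory that is already executable rather than in the sprayed data; this model deliberately does not attempt that.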
13. Even Worse
   - DEP plus Address Space Layout Randomization (ASLR) was recently bypassed on Windows 7 with IE 8.
   - What was once considered impossible to bypass can now be bypassed.

14. So what this means...
   - Focused and organized attacks are on the rise.
   - Attackers will continue to get in through the easiest route.
   - A combination of zero-days and the human element was the root cause of this attack's success.

15. How to prevent
   - This exploit has already been patched (MS10-002); make sure you update.
   - IE is a large target; consider moving to Firefox with NoScript enabled.
   - Kernel-hooking HIPS could potentially have stopped this attack.
