Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
In-Depth Look into the Aurora Attacks
What makes Aurora Impressive

   It weaves together targeted Social
Engineering attacks, Zero-Day exploits,
and malware to...
Two Separate Attack Vectors


  SocialEngineering – Focused and
  precise

  Zero-day   exploits – Internet Explorer
Social Engineering Vector
  Severalkey things were done to
  increase the success of the spear-
  phishing emails:
    C...
The Zero-Day Exploit

  Microsoft   Security Bulletin MS10-002

  Affects   Internet Explorer 5, 6, 7, and 8

  HTML   ...
Why it works

  IE   has a bug in handling deleted objects

  Allows the attacker to inject malicious
  code that was in...
The heap spray
  Attackerutilizes heap spray technique to
  put the payload in memory
Core of the exploit
Exploit Flow
  HTML   loads the image
  JavaScript deletes it (Function EV1)
  Then replaces it with a memory address
 ...
DEP in a nutshell
  DataExecution Prevention (DEP)
  renders buffer overflows harder to
  exploit due to the fact it adju...
ASLR in a nut shell
  Most exploits heavily rely off of hijacking
  execution flow and typically are very
  reliant on me...
Scary Stuff
  The Aurora Attack
                   Bypassed Data
  Execution Prevention (DEP)
Even Worse
  DEP+ Address Space Location
  Randomization (ASLR) was just recently
  bypassed on Windows 7 + IE 8

  Theo...
So what this means…
  Focused and organized attacks are on
  the rise….

  Attackerswill continue to get in through
  th...
How to prevent
  This
     exploit has already been patched,
  make sure you update.

  IEis a large target, consider mo...
Upcoming SlideShare
Loading in …5
×

How Google Was Pwned: In-Depth Look into the Aurora Attacks

2,461 views

Published on

Presented at the February 2010 meeting of the Northeast Ohio Information Security Forum by Josh Kelley, Enterprise Security Analyst for a Fortune 1000 company.

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

How Google Was Pwned: In-Depth Look into the Aurora Attacks

  1. 1. In-Depth Look into the Aurora Attacks
  2. 2. What makes Aurora Impressive It weaves together targeted Social Engineering attacks, Zero-Day exploits, and malware to successfully compromise the networks of over 20 major international corporations including the almighty Google.
  3. 3. Two Separate Attack Vectors   SocialEngineering – Focused and precise   Zero-day exploits – Internet Explorer
  4. 4. Social Engineering Vector   Severalkey things were done to increase the success of the spear- phishing emails:   Certain individuals within the companies were targeted.   Friends of the targeted individuals were targeted as well.   The targets are thought to have elevated privileges within the companies (Sysadmins, developers, etc.)
  5. 5. The Zero-Day Exploit   Microsoft Security Bulletin MS10-002   Affects Internet Explorer 5, 6, 7, and 8   HTML Object Memory Corruption
  6. 6. Why it works   IE has a bug in handling deleted objects   Allows the attacker to inject malicious code that was in previously deleted object.
  7. 7. The heap spray   Attackerutilizes heap spray technique to put the payload in memory
  8. 8. Core of the exploit
  9. 9. Exploit Flow   HTML loads the image   JavaScript deletes it (Function EV1)   Then replaces it with a memory address (Function EV2)   Which hits the Heap Spray   And executes the payload
  10. 10. DEP in a nutshell   DataExecution Prevention (DEP) renders buffer overflows harder to exploit due to the fact it adjusts stacks to read-only.   DEP was often surprisingly hard to bypass in browser exploits and typically made heap spray attacks fairly difficult if not impossible.
  11. 11. ASLR in a nut shell   Most exploits heavily rely off of hijacking execution flow and typically are very reliant on memory addresses.   ASLR randomizes the memory addresses each reboot so that the attacker can’t typically predict the memory address to head over to.
  12. 12. Scary Stuff   The Aurora Attack Bypassed Data Execution Prevention (DEP)
  13. 13. Even Worse   DEP+ Address Space Location Randomization (ASLR) was just recently bypassed on Windows 7 + IE 8   Theonce impossible to bypass, can now be bypassed.
  14. 14. So what this means…   Focused and organized attacks are on the rise….   Attackerswill continue to get in through the easiest route.   A combination of zero-days and the human element was the root cause for the success of this attack.
  15. 15. How to prevent   This exploit has already been patched, make sure you update.   IEis a large target, consider moving to Firefox with No-Script enabled.   Kernelhooking HIPS could have potentially stopped this attack.

×