Dan Guido SOURCE Boston 2011


SOURCE Boston 2011
Exploit Intelligence Report
Dan's data and analysis of attacker capabilities and methods.


  1. The Exploit Intelligence Project. Dan Guido, SOURCE Boston, 04/20/2011, https://www.isecpartners.com
  2. Intro and Agenda
     - I work for iSEC Partners: NYC, Seattle, SF; specialize in Application Security. I don’t have a product to sell you.
     - Today, I’m going to be sharing data and my analysis of attacker capabilities and methods. An informed defense is more effective and less costly.
     - EIP shows that intelligence-driven, threat-focused approaches to security are practical and effective.
  3. WARNING! The commentary is really important for this talk. If you’re a reporter, please contact me and I’ll be happy to provide that commentary for any section you’re interested in: dguido@isecpartners.com
  4. We Have An Analysis Problem. Or, you’re counting the wrong beans!
  5. Let’s Talk About Vulnerabilities. *IBM X-Force 2010 Trend and Risk Report
  6. How many vulnerabilities did you have to pay attention to in 2010?
  7. [chart] since 2006
  8. Vulnerability Origin. *Secunia Yearly Report 2010
  9. Affected Vendors (2010) [chart: Oracle, Adobe, Microsoft, Apple]
  10. Wheel of Vulnerability Fortune. *Secunia: The Security Exposure of Software Portfolios
  11. Where or how were massively exploited vulnerabilities first discovered in 2010? [bar chart, counts 0-6, categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Discovered by Malware]
  12. Google Chrome is Insecure! *Bit 9 Research Report: Top Vulnerable Apps – 2010
  13. How many vulnerabilities were massively exploited in Google Chrome in 2010?
  14. Are we doing something wrong? Yes, you’re doing it backwards!
  15. We Have to Start at Attacks: 1. Where do bad guys get their info from? 2. How do bad guys view the new vulns that come out? 3. How effective are my defenses against this attacker?
  16. Maslow’s Internet Threat Hierarchy [pyramid chart; axes: # of Attacks, Data Lost; tiers from top: APT (IP), Targeted ($$$), Mass Malware (Banking Credentials)]
  17. Mass Malware: How does it work?
  18. Kill Chain Model
     - Systematic model for evaluating intrusions: helps us objectively evaluate attacker capabilities; align defense to specific processes an attacker takes
     - Typically used as a model to defend against APT: evolves beyond response at point of compromise; assumes unfixable vulnerabilities
     - First described by Mike Cloppert
  19. Recon
  20. Weaponization: 5-20 exploits, $200-$2000 dollars
  21. Delivery
  22. Exploitation
  23. Installation
  24. Command and Control
  25. Actions on Objectives
  26. Leads to Cyber Pompeii
  27. Process Overview
     - Recon: Millions of Infected Sites
     - Weaponize: Thousands of Vulnerabilities
     - Delivery: Thousands of IPs
     - Exploit: <100 Exploits
     - Install: Millions of Malware Samples
     - C2: Thousands of IPs
     - Actions: N/A
     - Existing defenses attack the most robust aspects of mass malware operations. The exploit stage is the last point at which you have control of your data.
  28. Going on the Offensive
  29. Exploit Kit Popularity (2011). *ThreatGRID Data
  30. Exploit Kit Popularity: AVG Threat Labs, Malware Domain List, Krebs on Security, Malware Intelligence, Contagio Dump, Malware Tracker, M86 Security, …
  31. Data Sources
     - Blackhole
     - Bleeding Life
     - CrimePack: 3.1.3, 3.0, 2.2.8, 2.2.1
     - Eleonore: 1.6, 1.4.4, 1.4.1, 1.3.2
     - Fragus
     - JustExploit
     - Liberty: 2.1.0, 1.0.7
     - LuckySploit
     - Phoenix: 2.5, 2.4, 2.3, 2.2, 2.1, 2.0
     - SEO Sploit pack
     - Siberia
     - Unique Pack
     - WebAttacker
     - YES
     - Zombie
  32. Data Processing
     - Decode: Jsunpack (generic JS unpacker); Decodeby.us (PHP de-obfuscation); VMware Detect; YARA Project (generic scanning engine)
     - Relate: SHODAN HQ (Python API for ExploitDB, MSF, CVE); Live Testing (Windows XP/7)
     - Note: All free tools except VMware/Windows
  33. Jsunpack/YARA Rules

     ```yara
     rule IEStyle
     {
         meta:
             ref = "CVE-2009-3672"
             hide = true
             impact = 8
         strings:
             $trigger1 = "getElementsByTagName" nocase fullword
             $trigger2 = "style" nocase fullword
             $trigger3 = "outerhtml" nocase fullword
         condition:
             all of them
     }
     ```

  34. Jsunpack vs Eleonore 1.4.1
  35. vuln_search.py
     - CVE: ID, Name, Vendor URLs (ex. MSB), ZDI, Other Notable URLs
     - Exploit DB: ID, Name, Author, Date
     - Metasploit: ID, Name, Authors, Description, Rank, References
  36. Sample Results: CVE-2010-1818
     - Exploit DB: 08/30/2010; Ruben Santamarta; Apple QuickTime "_Marshaled_pUnk" Backdoor; 14843
     - Metasploit: Ruben Santamarta, jduck; Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution; “… exploits a memory trust issue in Quicktime…”; exploit/windows/browser/apple_quicktime_marshaled_punk; Rank: Great
     - Refs: http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1; OSVDB-67705
  37. Recap: Mapping of Exploit Kits -> CVEs + Metadata
  38. Targeting Trends: Java from 2008 to Present
  39. Targeting Trends: Java, Round One
     - 12-08 – Prominent researcher finds CVE-2008-5353
     - 08-09 – Wins a Pwnie (researcher interest runs high)
     - 08-09 – ZDI submissions start trickling out
     - 11-09 – 1 kit incorporates CVE-2008-5353
  40. Java, Round Two
     - 11-09 – ZDI publishes 2nd batch of Java vulns: CVE-2009-3867
     - 01-10 – Three kits integrate 1st and 2nd vulns: CVE-2008-5353 and CVE-2009-3867
     - 04-10 – 3rd batch of researcher disclosures: CVE-2010-0886, CVE-2010-0840, CVE-2010-0842
     - Back and forth between researchers/malware keeps interest in Java running high
  41. From April 2010 onwards, new Java exploits are added to almost all popular exploit kits
  42. Java Today
     - Popularity: 11 out of 15 kits include at least one Java exploit (73%); 7 out of 15 kits include more than one (46%)
     - Where did this trend come from? Who followed who? The malware or research community? Why can we even compare these two groups together?
     - What is next? Java and Flash will continue to be a pain point. Quickest path to install malware in IE and Firefox.
  43. The New Trend: more exploits are being rapidly repurposed from targeted attack campaigns in 2010-2011 [bar chart, counts 0-6, categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Silent Patch]
  44. Capabilities Assessment: If we only had a time machine
  45. Optimized Defense
     - Jan 1, 2009 – what can we put in place to mitigate all exploits for the next two years? Restrictions: no patching allowed
     - 2009 recap: Internet Explorer 7, Firefox 3.0; Adobe Reader 9; Java, Quicktime, Flash, Office 2007; Windows XP SP3
     - Dataset represents 27 exploits
  46. Slice and Dice: partition exploits based on mitigation options [chart: Memory Corruption (19), Logic (8)]
  47. 19 Memory Corruption Exploits
     - 5 unique targets: IE, Flash, Reader, Java, Firefox, Opera
     - Do I have my sysadmins adhere to patch schedules or have them test and enable DEP in four applications? Patch schedules: Monthly, Quarterly, Ad-hoc. Two years: 60+ patches in these apps
     - I choose Data Execution Prevention (DEP). Good choice! It mitigates 14 exploits.
  48. 8 Logic Flaws
     - 4 unique targets: Java, Reader, IE, Firefox, FoxIt
     - Do we have a business case to justify getting repeatedly compromised by mass malware? No? Remove Java from the Internet Zone in IE; configure Reader to prompt on JS execution; “Disallow opening of non-PDF file attachments”
     - This leaves two exploits, one in IE and one in FF
  49. Most Severe Exploits 2009-2010: IE Help Center XSS; Firefox SessionStore; Reader libTIFF; Reader CoolType SING; Flash (IE) newfunction; Quicktime (IE) _Marshaled_pUnk; Java getSoundBank
  50. Enhanced Mitigation Experience Toolkit
     - Microsoft utility that adds obstacles to exploitation. On XP: DEP, SEHOP, Null Page, Heap Spray, EAT filter. Distributed as an MSI, controlled via CLI or Registry
     - Apply it to one application at a time: harden legacy applications; temporary protections against known zero-day; permanent protections against highly targeted apps
     - http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-03-35-03-78/Users-Guide.pdf
  51. Most Severe Exploits 2009-2010: IE Help Center XSS; Firefox SessionStore. The Firefox exploit is only in one kit. We can make an informed decision about the amount of risk we are assuming.
  52. Intelligence-Driven Mitigations
     - Easy mitigations (22 out of 27 exploits): DEP on IE, Firefox, and Reader; no Java in the Internet Zone; disallow opening of non-PDF file attachments
     - Hard mitigations (all the rest): EMET on IE and Reader, the two most attacked apps; upgrade to IE8 for that pesky Help Center XSS; disallow Firefox, patch it, or accept the risk
     - Extremely limited susceptibility going forward
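The capability assessment of slides 45 to 52 (partition the exploit inventory, then measure what each mitigation set removes) reduced to code, as an added example that is not from the talk; the inventory, kit counts and mitigation labels are constructed stand-ins, not the talk's 27-exploit dataset.

```python
# Added example, not from the talk: a toy version of the capability assessment
# on the "Slice and Dice" / "Intelligence-Driven Mitigations" slides. The
# inventory below is CONSTRUCTED for illustration; names, kit counts and
# mitigation labels are assumptions, not the talk's 27-exploit dataset.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Exploit:
    name: str                 # hypothetical label
    target: str               # application the exploit lands in
    kind: str                 # "memory" (corruption) or "logic" flaw
    kits: int                 # how many exploit kits carry it (constructed)
    defeated_by: frozenset = field(default_factory=frozenset)  # mitigations that stop it

# Mitigation ids are assumptions standing in for the talk's options: DEP, EMET,
# "no Java in the Internet Zone", Reader attachment/JS settings.
INVENTORY = [
    Exploit("ie-heap-1", "IE", "memory", 9, frozenset({"dep", "emet"})),
    Exploit("ie-dep-bypass", "IE", "memory", 4, frozenset({"emet"})),
    Exploit("reader-tiff", "Reader", "memory", 7, frozenset({"dep", "emet"})),
    Exploit("reader-rop", "Reader", "memory", 2, frozenset({"emet"})),
    Exploit("java-sandbox", "Java", "logic", 11, frozenset({"no-java-internet-zone"})),
    Exploit("reader-launch", "Reader", "logic", 3, frozenset({"reader-no-attachments"})),
    Exploit("ff-sessionstore", "Firefox", "logic", 1, frozenset()),  # no cheap mitigation
]

def partition(inventory):
    """Group exploits by class (memory corruption vs logic), as on slide 46."""
    groups = {}
    for e in inventory:
        groups.setdefault(e.kind, []).append(e)
    return groups

def residual(inventory, mitigations):
    """Exploits that survive the chosen mitigations, most widely deployed first."""
    chosen = set(mitigations)
    left = [e for e in inventory if not (e.defeated_by & chosen)]
    return sorted(left, key=lambda e: e.kits, reverse=True)

def coverage(inventory, mitigations):
    """(mitigated, total): how much of the inventory a mitigation set removes."""
    return len(inventory) - len(residual(inventory, mitigations)), len(inventory)

def kit_exposure(inventory, mitigations):
    """Sum of kit counts over surviving exploits: a crude score for residual risk."""
    return sum(e.kits for e in residual(inventory, mitigations))
```

The residual list is the slide-49 view: what is left, ranked by how many kits carry it, so the "accept the risk" decision on slide 51 is made on numbers rather than on CVE counts.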
  53. Taking It Further. Mass malware exploits are: 1. Result of users browsing internet sites 2. Shortest path to install malware w/ a single exploit. [diagram: Malicious HTML -> IE7, Plugins, Java, Flash -> Install SpyEye etc.; Malicious HTML -> IE8 -> DEP Bypass -> Install; Malicious HTML -> Google Chrome -> DEP Bypass -> Sandbox Escape -> Install] *DDZ – Memory Corruption, Exploitation and You
  54. Google Chrome Frame: “X-UA-Compatible: chrome=1”
  55. Google Chrome Frame
     - Internet sites standardized around HTML/JS: this is why you don’t need IE6 or IE7 at home
     - For internet sites, add HTTP header w/ Bluecoat: browser is sandboxed; uses auto-updated Google version of Flash; no other plugins are loaded
     - Maintain whitelist of internet sites that need IE: typically, established vendor relationships
     - All intranet websites will load with IE as usual
     - Seamless to the user, mitigates all exploits in use
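The header policy of slides 54 and 55 (push internet sites into Chrome Frame, leave intranet and IE-whitelisted sites alone), written out as an added example that is not from the talk; the hostnames, intranet suffix and whitelist are constructed placeholders, and the real policy would live on the proxy.

```python
# Added example, not from the talk: the Chrome Frame header policy the slides
# describe (inject "X-UA-Compatible: chrome=1" for internet sites, leave intranet
# and IE-whitelisted sites alone). Hostnames and the whitelist are CONSTRUCTED
# placeholders; in practice this logic lives on the proxy (the talk names Bluecoat).
from urllib.parse import urlsplit

INTRANET_SUFFIXES = (".corp.example",)       # assumption: internal DNS zone
IE_WHITELIST = {"legacy-vendor.example"}     # assumption: vendor sites that still need IE

def render_in_chrome_frame(url, intranet_suffixes=INTRANET_SUFFIXES, ie_whitelist=IE_WHITELIST):
    """True when the proxy should push this response into the Chrome Frame sandbox."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    if "." not in host:                      # single-label names (http://intranet/) stay in IE
        return False
    if any(host.endswith(s) for s in intranet_suffixes):
        return False                         # intranet sites load in IE as usual
    if host in ie_whitelist:                 # established vendor relationship: IE as usual
        return False
    return True                              # everything else: sandboxed Chrome rendering

def apply_policy(url, response_headers):
    """Return the response headers as the proxy would forward them to the browser."""
    headers = dict(response_headers)
    if render_in_chrome_frame(url):
        headers["X-UA-Compatible"] = "chrome=1"   # slide 54: the whole mechanism is this header
    return headers
```

Keeping the whitelist and suffix list as data makes the "which sites still need IE" decision auditable, which is the point of maintaining it explicitly.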
  56. Maslow’s Internet Threat Hierarchy [pyramid chart; axes: # of Attacks, Data Lost; tiers from top: APT (IP), Targeted ($$$), Mass Malware (Banking Credentials)]. Now you’re ready to defend against more advanced attackers.
  57. Intelligence-Driven Conclusions
     - Don’t wait to act with Flash and Java
     - Pay attention to targeted attack disclosures in 2011
     - Force malware authors to use multiple exploits: seriously consider Google Chrome Frame
     - Are your consultants/MSSPs/scanners evaluating vulnerabilities the same way that attackers are?
     - Intelligence-Driven Response: informed defense is more effective and less costly; threat-focused security is practical; attack data is necessary to adequately model your risk
  58. Thanks
     - Rcecoder, Mila Parkour, Francois Paget, Adam Meyers: Exploit Pack Table on Contagio Dump & Exploit Kit Source
     - Mike Cloppert and Dino Dai Zovi: inspiration, ideas, and encouragement
     - Chris Clark: getting started with the research process at iSEC
     - John Matherly: creating SHODAN and fixing my bugs
     - Dean De Beer: ThreatGRID data, screenshots, and background material
  59. References and Q&A
     - Updates with more data at SummerCon, 6/10
     - Related Presentations (online): Memory Corruption, Exploitation, and You – DDZ; Intelligence-Driven Response to APT – M. Cloppert; any Mandiant presentation
     - Related Presentations (at SOURCE): 2011 Verizon Data Breach Report, Hutton; Fuel for Pwnage, Diaz and Mieres; Dino Dai Zovi Keynote
     - dguido@isecpartners.com
  60. Appendix
  61. Frequently Asked Question #1. Q: What do you think about network detections? A: Apply the same analysis process (kill chain) to the adversary you care about and determine major source of overlaps in intrusions. You may find better indicators than simply IP addresses.
     - i.e., “Hey, all the malicious domains attacking me are registered with the same whois data.”
     - or, “All the domains that compromise me have low TTL values in common.”
     - See some of Mike Cloppert’s writings
     - See ThreatGRID when it comes out
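The overlap analysis FAQ #1 describes (find the attribute, such as whois registrant or DNS TTL, that many intrusions share, rather than chasing single IPs), as an added example that is not from the talk; the intrusion records are constructed, and in practice they would come from whois and DNS lookups on domains seen in your own incidents.

```python
# Added example, not from the talk: the kind of overlap analysis FAQ #1 suggests,
# looking for attributes that many intrusions share (registrant, low TTL) instead
# of single IPs. The records are CONSTRUCTED; real ones would come from whois
# and DNS lookups on the domains seen in your own incidents.
from collections import Counter

INTRUSIONS = [  # constructed sample: one row per malicious domain observed
    {"domain": "a.example", "registrant": "reg-x", "ttl": 300, "ip": "192.0.2.10"},
    {"domain": "b.example", "registrant": "reg-x", "ttl": 120, "ip": "192.0.2.11"},
    {"domain": "c.example", "registrant": "reg-y", "ttl": 60, "ip": "198.51.100.5"},
    {"domain": "d.example", "registrant": "reg-x", "ttl": 3600, "ip": "192.0.2.12"},
]

def shared_values(records, attribute, min_count=2):
    """Values of one attribute that recur across at least min_count intrusions."""
    counts = Counter(r[attribute] for r in records)
    return {v: n for v, n in counts.items() if n >= min_count}

def low_ttl_domains(records, threshold=300):
    """Domains whose DNS TTL is at or below the threshold (the 'low TTL in common' hint)."""
    return sorted(r["domain"] for r in records if r["ttl"] <= threshold)

def rank_pivots(records, attributes=("registrant", "ip", "ttl")):
    """Rank attributes by how many intrusions their single most common value covers."""
    return sorted(((max(Counter(r[a] for r in records).values()), a) for a in attributes), reverse=True)
```

On the constructed sample, registrant covers three of four intrusions while every IP is unique, which is exactly the "better indicators than simply IP addresses" outcome the answer points at.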
  62. Frequently Asked Question #2. Q: How can we keep up with this data? You did a point in time assessment, but I want this going forward. A: This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.
  63. Frequently Asked Question #3. Q: Aren’t you cheating by saying we should use EMET to mitigate past exploits? A:
     - If we were smart enough to enable mitigations like DEP, we would have had a solid 1.5 years where we weren’t affected by mass malware mem corruption exploits at all, buying us a huge amount of time to investigate other mitigation techniques.
     - The exploits that EMET was needed for came after the tool was released in Oct 2009. If you had someone performing this analysis, you could have observed the exploits that bypassed DEP and responded the same way I did. Intelligence gathering is not a static process; we have to continue collecting and responding to new information.
     - There are more ways to use this intelligence. For instance, since we know that Flash and targeted attacks are so rapidly incorporated into mass exploitation campaigns, we would have known on April 11th that CVE-2011-0611 would be a significant issue. The patch came out on April 15th, but I doubt many orgs patched over the weekend or enabled other mitigating options before it was massively exploited on April 18th. With this data in hand, they would have realized the seriousness of the original event on the 11th.
  64. Frequently Asked Question #4. Q: Future analysis? A:
     - How [exactly] do researcher disclosures correlate with massive exploitation?
     - Are the number of bugs exploited as zero-day increasing? Why?
     - Do researchers follow zero-day disclosure trends or vice-versa?
     - Exactly how much exploit code is modified from public PoC’s before being integrated into a kit?
     - Expect new results some time in June