Evolving Threat Landscape

Published on: RSA 2011 conference
Published in: Technology
  1. The Evolving Threat Landscape
     Zheng Bu, Rahul Kashyap, McAfee Labs
     Session ID: HT2-106
     Session Classification: Intermediate

  2. Agenda
     • Vulnerabilities and Exploitation
     • Targeted Attacks (APTs)
     • Cybercrime Goes Social
     • Q&A

  3. Vulnerabilities and Exploitation

  4. 2010: Microsoft and Adobe Vulnerabilities Snapshot
     [Chart: security patches per year, 2007 to 2010, Microsoft vs. Adobe; y-axis 0 to 300.]
     Source: McAfee Labs

  5. 2010: High-Profile Zero-Day Vulnerabilities
     Steady increase in attacks targeting client software; Adobe and Microsoft were popular exploit victims.
     • CVE-2010-0249: MS10-002 HTML Object Memory Corruption Vulnerability—Operation Aurora
     • CVE-2010-2883: Adobe SING Tag Buffer Overflow Vulnerability
     • CVE-2010-2884: Adobe Reader, Flash Player Code Execution Vulnerability
     • CVE-2010-1297: Adobe Flash Memory Corruption Vulnerability
     • CVE-2010-1885: Windows Help and Support Center Vulnerability
     • CVE-2010-1240: PDF/Launch Attack—Zeus
     • CVE-2010-2568: Windows Shortcut Icon Loading Vulnerability—Stuxnet
     • CVE-2010-2729: Print Spooler Service Impersonation Vulnerability—Stuxnet

  6. Malware Writers Love Adobe Vulnerabilities
     [Chart: productivity-application vulnerability-based malware, 2010: MS Office (Word, Excel, PowerPoint) vs. Adobe Reader/Acrobat.]
     Source: McAfee Labs

  7. Which Adobe App Was Most Exploited in 2010? The Winner Is Reader!
     [Chart: Adobe unique malware detected in the wild, Adobe Flash vs. Adobe PDF.]
     Source: McAfee Labs

  8. Mitigation vs. Exploitation: a Catch-Up Game
     Each defense has been answered by the next exploitation technique:
     • Stack overflow attacks → stack canary checks, Safe SEH
     • Heap overflow attacks → heap safe unlink
     • Shellcode execution → Data Execution Prevention (DEP/NX)
     • Address Space Layout Randomization (ASLR)
     • JIT spray
     • Return Oriented Programming (ROP)

  9. Case Study: CVE-2010-2883 Adobe SING Tag Buffer Overflow Vulnerability
     • "Classic" stack overflow
     • The exploit does not overwrite the return address
     • It overwrites a pointer on the stack to bypass stack protection
     Source: McAfee Labs

  10. Case Study: CVE-2010-2883 Adobe SING Tag Buffer Overflow Vulnerability
     • Uses ROP techniques in the shellcode to bypass DEP+ASLR
     • Special staged shellcode for this DLL
     Source: McAfee Labs

  11. DEP+ASLR = Peace of Mind!
     Vulnerability | Exploitation technique
     • Adobe Products Authplay.dll Code Execution [CVE-2010-3654] | ROP shellcode
     • Adobe Products Authplay.dll Code Execution [CVE-2010-2884] | ROP shellcode
     • Adobe Flash Player, Reader, and Acrobat authplay.dll [CVE-2010-1297] | ROP shellcode
     • Adobe Reader and Acrobat XFA TIFF Support Code Execution Vulnerability [CVE-2010-0188] | ROP shellcode
     • Adobe Reader CoolType.dll TTF Font Vulnerability [CVE-2010-2883] | ROP shellcode
     • Adobe Reader and Acrobat newplayer() JavaScript Method Vulnerability [CVE-2009-4324] | ROP shellcode

  12. Stealthy Exploitation
     AKA: Harmonious Exploitation ("和谐漏洞利用")
     Qualifications:
     • No intrusive reconnaissance required
     • Application and platform awareness
     • Robust exploitation
     • No impact on availability of the target service
     • No impact on availability of the target application
     • Bypasses the security mitigations on the target (GS, DEP, ASLR, etc.)
     • Adaptive to complex network environments, scalable, C&C ready
     • Network security inspection device evasion

  13. Stealthy Exploitation: Case Study
     • Exploits that identify Adobe Reader versions
     • Exploits that open a legitimate PDF file on successful exploitation
     • Exploits that obfuscate to evade NIPS inspection

  14. Welcome to the "App Store" of Exploit Kits

  15. Crimepack
     Features include:
     • Tracking website stats
     • Regularly updated exploits
     • Geo-location tracker
     • OS stats
     • Browser stats
     • Test attack before launching
     • Success rate

  16. Targeted Attacks (Advanced Persistent Threats)

  17. Case Study: Operation Aurora
     • A coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper, Symantec, and others
     • Exploits a zero-day vulnerability in Internet Explorer
     • Lures users to malicious websites, installs Trojan malware on systems, uses the Trojan to gain remote access
     • Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts

  18. Operation Aurora: Modus Operandi
     • 1. Attack initiated: a user with the IE vulnerability visits a website infected with malware
     • 2. Attack in progress: the website exploits the vulnerability; Operation Aurora malware (disguised as a JPG) is downloaded to the user's system
     • 3. Attack setup complete: malware is installed on the user's system; the malware opens a back door (using a custom protocol acting like SSL) that gives access to sensitive data

  19. Operation Aurora: Exploit
     Original obfuscated exploit:
     • The payload has multiple levels of obfuscation to disguise it
     • The payload exploits a zero-day vulnerability in Internet Explorer
     De-obfuscated exploit:
     • The attack uses heap spray and downloads a fake image—an XOR'ed binary
     • The backdoor is now installed and sends out fake SSL traffic

  20. Cybercrime Goes Social

  21. Abusing Social Networks
     • Fake accounts on sale
     • Accounts can be used to send spam, phishing, fake products/services, or malicious downloads
     • Prices vary depending on the quality of the account
     Source: McAfee Labs

  22. "Social" Hacktivism
     • 2010 had several instances of activist groups launching protests over the Internet
     • DDoS seems to be the favorite vector
     • Lines between cyberwarfare and hacktivism continue to blur
     Source: McAfee Labs

  23. Operation Payback

  24. Operation Payback
     • The attack tool was a modified, public open-source tool called LOIC
     • Created a "social botnet" using HIVE mode
     • The attack vector is unsophisticated, but has temporary impact on global enterprises

  25. Conclusions
     • Client-side attacks are on the rise
     • There is no silver bullet for security: all the available known defenses can be bypassed
     • Stealthy exploitation makes attacks more difficult to detect
     • APTs leverage all of the latest exploitation techniques and are becoming the most severe threats for businesses
     • Social networks have been leveraged by attackers and hacktivists
     • Do not completely rely on security protection from vendors. Use extreme caution when you surf!
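Slides 8 through 10 make the point that a "classic" stack overflow in a file parser (the SING tag case) still gets through canaries, DEP and ASLR once the exploit overwrites a stack pointer and pivots to ROP. The added example below, which is not from the deck or from McAfee, shows the parser-level defect class next to its hardened form: a length field read from the untrusted file drives a copy into a fixed-size stack buffer. The record layout, buffer size and names are constructed for this illustration and are not the real SING table format; the hardened parser bounds the length against both the record and the destination and fails closed, which removes the overflow at its source rather than relying on the mitigations to catch it afterwards.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example (NOT the real SING table):
 *   byte 0       name_len   length field taken from the untrusted file
 *   bytes 1..n   name       name_len bytes, not NUL-terminated             */
#define NAME_BUF 28

/* Vulnerable pattern: the file's own length field drives a copy into a
 * fixed-size stack buffer with no check. A name_len larger than NAME_BUF
 * overruns name[] and clobbers whatever sits above it in the frame (saved
 * pointers, the canary, the return address). Kept only for contrast; the
 * demo below never calls it with an oversized record. */
static void parse_name_unsafe(const uint8_t *rec, char *out)
{
    char name[NAME_BUF];
    size_t n = rec[0];
    memcpy(name, rec + 1, n);
    name[n] = '\0';
    strcpy(out, name);
}

/* Hardened form: every length is checked against both the record that
 * contains it and the destination that receives it, and the parser fails
 * closed (-1). Returns 0 and a NUL-terminated name on success. */
static int parse_name_safe(const uint8_t *rec, size_t rec_len,
                           char *out, size_t out_len)
{
    if (rec == NULL || out == NULL || rec_len < 1 || out_len == 0)
        return -1;
    size_t n = rec[0];
    if (n > rec_len - 1)          /* length claims more bytes than the record holds */
        return -1;
    if (n >= out_len)             /* no room for the name plus its NUL */
        return -1;
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return 0;
}

/* Well-formed record: returns 1 when the safe parser accepts it and
 * produces the expected name. */
static int demo_well_formed(void)
{
    char out[NAME_BUF];
    const uint8_t rec[] = { 5, 'H', 'e', 'l', 'l', 'o' };
    return parse_name_safe(rec, sizeof rec, out, sizeof out) == 0
        && strcmp(out, "Hello") == 0;
}

/* Oversized length: 200 bytes of 'A' behind a length byte of 200. The safe
 * parser rejects it; the unsafe one would overrun its 28-byte stack buffer. */
static int demo_oversized(void)
{
    char out[NAME_BUF];
    uint8_t rec[201];
    rec[0] = 200;
    memset(rec + 1, 'A', 200);
    return parse_name_safe(rec, sizeof rec, out, sizeof out);
}

/* Truncated record: the length byte promises more data than exists. */
static int demo_truncated(void)
{
    char out[NAME_BUF];
    const uint8_t rec[] = { 10, 'a', 'b' };
    return parse_name_safe(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    char out[NAME_BUF];
    const uint8_t small[] = { 2, 'o', 'k' };
    parse_name_unsafe(small, out);          /* in-bounds input only */
    printf("unsafe parser, small record: %s\n", out);
    printf("safe parser, well-formed: %d\n", demo_well_formed());   /* 1  */
    printf("safe parser, oversized:   %d\n", demo_oversized());     /* -1 */
    printf("safe parser, truncated:   %d\n", demo_truncated());     /* -1 */
    return 0;
}
```

The check against `rec_len` matters as much as the one against `out_len`: a length that overruns the record is an out-of-bounds read, and a parser that only guards the destination still leaks or crashes on it.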
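Slides 18 and 19 describe two observable artifacts of the Aurora chain: a "JPG" download that is really an XOR-encoded executable, and a backdoor speaking a custom protocol that only looks like SSL. The added example below is a detection sketch written for this page, not code from the deck or from McAfee. It checks whether a download that claimed to be an image actually carries a JPEG marker, brute-forces the 256 single-byte XOR keys to see whether the bytes decode to a PE image (an "MZ" header whose e_lfanew field points at a "PE\0\0" signature), and tests whether a port-443 flow opens with a plausible TLS ClientHello record. The sample blob and its key 0x5A are constructed for the demo and are not Aurora's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. A real JPEG starts with the SOI marker FF D8 FF. */
static int looks_like_jpeg(const uint8_t *buf, size_t len)
{
    return len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF;
}

/* 2. Try all 256 single-byte XOR keys. Return the key under which the buffer
 *    decodes to a PE image, or -1 if none does. Key 0 covers an undisguised
 *    executable. */
static int find_xor_pe_key(const uint8_t *buf, size_t len)
{
    if (len < 0x44)
        return -1;
    for (int key = 0; key < 256; key++) {
        if ((buf[0] ^ key) != 'M' || (buf[1] ^ key) != 'Z')
            continue;
        uint32_t e_lfanew = 0;                    /* little-endian at 0x3C */
        for (int i = 0; i < 4; i++)
            e_lfanew |= (uint32_t)(buf[0x3C + i] ^ key) << (8 * i);
        if (e_lfanew > len - 4)                   /* signature would lie outside */
            continue;
        if ((buf[e_lfanew] ^ key) == 'P' && (buf[e_lfanew + 1] ^ key) == 'E'
            && (buf[e_lfanew + 2] ^ key) == 0 && (buf[e_lfanew + 3] ^ key) == 0)
            return key;
    }
    return -1;
}

enum verdict { VERDICT_JPEG = 0, VERDICT_XOR_PE = 1, VERDICT_UNKNOWN = 2 };

/* Classify a download whose HTTP response claimed it was an image. */
static int classify_image_download(const uint8_t *buf, size_t len)
{
    if (looks_like_jpeg(buf, len))
        return VERDICT_JPEG;
    if (find_xor_pe_key(buf, len) >= 0)
        return VERDICT_XOR_PE;
    return VERDICT_UNKNOWN;
}

/* 3. Genuine TLS on 443 opens with a handshake record: content type 0x16,
 *    version 0x03 0x00..0x03, then handshake type 0x01 (ClientHello). A
 *    custom protocol merely "acting like SSL" stands out when this is absent. */
static int plausible_tls_client_hello(const uint8_t *buf, size_t len)
{
    return len >= 6 && buf[0] == 0x16 && buf[1] == 0x03 && buf[2] <= 0x03
        && buf[5] == 0x01;
}

/* Constructed sample: a minimal PE-shaped blob XOR-encoded with a demo key
 * chosen for this example (not the key used by Aurora). */
#define SAMPLE_LEN 0x50
#define SAMPLE_KEY 0x5A

static void build_disguised_sample(uint8_t *out)
{
    memset(out, 0, SAMPLE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                        /* e_lfanew = 0x40 */
    out[0x40] = 'P'; out[0x41] = 'E';        /* bytes 0x42,0x43 stay zero */
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        out[i] ^= SAMPLE_KEY;
}

static int demo_disguised_key(void)
{
    uint8_t s[SAMPLE_LEN];
    build_disguised_sample(s);
    return find_xor_pe_key(s, SAMPLE_LEN);          /* 0x5A */
}

static int demo_disguised_verdict(void)
{
    uint8_t s[SAMPLE_LEN];
    build_disguised_sample(s);
    return classify_image_download(s, SAMPLE_LEN);  /* VERDICT_XOR_PE */
}

static int demo_real_jpeg_verdict(void)
{
    uint8_t j[SAMPLE_LEN] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F' };
    return classify_image_download(j, SAMPLE_LEN);  /* VERDICT_JPEG */
}

/* Returns 1 when a real ClientHello passes and an opaque blob on 443 fails. */
static int demo_fake_ssl(void)
{
    const uint8_t fake[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
    const uint8_t real[] = { 0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00 };
    return plausible_tls_client_hello(real, sizeof real)
        && !plausible_tls_client_hello(fake, sizeof fake);
}

int main(void)
{
    printf("XOR key recovered: 0x%02X\n", demo_disguised_key());
    printf("disguised verdict: %d, jpeg verdict: %d, tls check: %d\n",
           demo_disguised_verdict(), demo_real_jpeg_verdict(), demo_fake_ssl());
    return 0;
}
```

The two checks are cheap enough to run inline on a proxy or sensor; the XOR brute force only costs a few byte comparisons per key because the "MZ" test rejects 255 of the 256 candidates before the e_lfanew lookup runs.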