Allegory of the cave(1)
Published on: ShmooCon Epilogue 2014

Published in: Technology

  1. The Allegory of the Cave: Has Application Whitelisting Coagulated As Expect?
  2. What is this?
  3. Curt Shaffer
     Curt Shaffer has been in the IT field for 15 years. His experience is diverse across the IT field, from ISP network design and installation to server engineering for small and medium businesses as well as a number of local, US federal and international agencies, along with intrusion analysis, incident response and malware reverse engineering. Over the past 5 years his focus has shifted to security. Most of his recent security work has been building internal threat intelligence for federal agencies; in his current position as Owner and Sr. Threat Researcher of Symbiotic Network Technologies, LLC he analyzes current and new trends in the attack landscape in order to give organizations a realistic view of how they are being attacked and what can be done about it. He holds a number of industry standard certifications including CISSP, SANS GREM, GCIA, GCIH, GPEN, GSEC and a number of CompTIA and Microsoft certifications.
  4. Judah Plummer
     Works at Foreground Security - SOC Analyst Extraordinaire. Math and Comp. Sci. degree from the University of Pittsburgh. He has worked on validating these findings (found a 0-day once) and has assisted with the deployment and management of these applications in large deployments. Also found a DLC license bypass for Xbox (possible upcoming NovaHackers talk?).
  5. Put to the Test
  6. Put to the Test
     - McAfee – Popular choice for government and others
     - Bit9 – Popular due to ease of deployment
     - AppLocker – Built in / no extra cost
  7. Previously… with some updates
     - Windows File Protection
       - Didn't work
     - Java
       - Exploits
         - All day long
     - Payloads
       - IExpress
         - Didn't work
  8. Previously… with some updates
     - Adobe – Worked
     - JavaScript – Worked
     - VBA – Worked
     - Shellcode – Worked
  9. Previously… with some updates
     - Other findings:
       - Intercepting the Bit9 client traffic (Fiddler FTW!)
       - Rubber Ducky PowerShell injections
       - Disabling the service
  10. Why Is This Still a Problem?
      “While we believe Bit9 is the most effective protection you can have on your endpoints.”
      https://blog.bit9.com/2013/02/25/bit9-security-incident-update/
  11. 30 days to life?
      The 90's called, they want their trial bypass back
  12. Let Me In?
  13. Just Ask Nicely
  14. Bypasses Bygone
      - DLL Injection
  15. New Bypasses?
      - DLL Hijacking
      - Watering Hole Attacks
      - Modifying Executable File Types
      - Dynamic Annotation techniques and similar dynamic building techniques
      - Microsoft WinHTTP
      - Security ID Modifications
  16. DLL Hijacking
      - DLL hijacking has been used in the past as a persistence method.
      - We tested to see if we could trick the whitelisting solution into executing the hijacked DLL with our own malicious code.
      - Worked like a champ!
  17. Watering Hole Attack
      - Watering hole attacks have become more popular in advanced attacks.
      - There is a huge range of techniques that can be taken advantage of, and it is growing with new technologies such as HTML5.
      - Files can be called/executed by trusted applications and their plugins.
  18. Modifying Executable File Types
      - Change file types, such as .txt files, to be executable.
      - Change the “magic number” of a file so that it is overlooked as a non-standard file type (and thus ignored by Bit9), then repair it later.
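The slide's point is that a control which decides what to inspect by file extension, or by a well-formed magic number, is sidestepped by renaming a file or by temporarily corrupting its header. As an added defender-side check (not code from the deck or from any vendor it names), the following classifies files by content instead of by name, and still recognises a PE whose leading "MZ" bytes have been overwritten by following the `e_lfanew` pointer to the "PE\0\0" signature. The signature table, extension list, file names and byte strings below are all constructed for the example.

```python
"""Content-based executable detection (added example, not the deck's code).

Flags the two mismatches the slide describes:
  hidden-executable  : executable content under a harmless extension (.txt PE)
  damaged-header     : PE body whose 'MZ' magic was broken to be repaired later
plus the reverse case, an executable extension with no executable content.
"""
import os
import struct

# Extensions a naive extension-based policy would treat as executable (constructed list).
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".com"}

# Leading-byte signatures of common executable containers (constructed list).
SIGNATURES = (
    (b"\x7fELF", "elf"),
    (b"\xcf\xfa\xed\xfe", "macho64"),
    (b"\xfe\xed\xfa\xcf", "macho64"),
    (b"\xca\xfe\xba\xbe", "macho_fat"),
    (b"MZ", "pe"),
)
EXECUTABLE_KINDS = {"pe", "mz_no_pe", "elf", "macho64", "macho_fat"}


def pe_header_offset(data: bytes):
    """Return the offset of a 'PE\\0\\0' signature reached via e_lfanew, else None.

    Deliberately does not require the 'MZ' magic at offset 0, so a file whose
    first two bytes were overwritten still resolves to a PE header."""
    if len(data) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return e_lfanew
    return None


def content_type(data: bytes) -> str:
    """Classify by content only; the file name is never consulted here."""
    for sig, name in SIGNATURES:
        if data.startswith(sig):
            if name == "pe":
                return "pe" if pe_header_offset(data) is not None else "mz_no_pe"
            return name
    if pe_header_offset(data) is not None:
        return "pe_damaged_magic"
    return "unknown"


def classify(filename: str, data: bytes) -> str:
    """Compare what the name claims with what the bytes are."""
    ext = os.path.splitext(filename)[1].lower()
    kind = content_type(data)
    if kind == "pe_damaged_magic":
        return "damaged-header"       # PE structure with broken magic: inspect, do not ignore
    if kind in EXECUTABLE_KINDS and ext not in EXEC_EXTENSIONS:
        return "hidden-executable"    # e.g. PE content saved as .txt
    if ext in EXEC_EXTENSIONS and kind not in EXECUTABLE_KINDS:
        return "extension-mismatch"   # claims to be executable, content says otherwise
    return "ok"


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample files: name -> bytes.
SAMPLES = {
    "readme.txt": build_fake_pe(),                   # PE renamed to .txt
    "setup.exe": build_fake_pe(),                    # honest PE
    "notes.txt": b"XX" + build_fake_pe()[2:],        # PE with 'MZ' overwritten
    "update.exe": b"hello world\n",                  # text named as an executable
    "data.bin": b"\x7fELF" + b"\x00" * 60,           # ELF under a neutral extension
}


def scan(samples: dict) -> dict:
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

The key design choice is that `content_type` never sees the file name, so renaming cannot change the verdict, and `pe_header_offset` follows the DOS header's pointer rather than trusting the first two bytes, so the "break the magic now, repair it later" trick still surfaces as something to inspect.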
  19. Dynamic Annotation
      - New technique for some interesting malware applications.
      - One example we have seen used in the wild: building a MOF executable on the fly with VB from sample scripts pulled from trusted sites such as Microsoft's TechNet.
      - We are working on a talk for later this year on the topic, with a POC botnet.
  20. WinHTTP
      - Our guess: not a lot of work has been put into protecting the new WinHTTP remote administration components of Windows.
      - Execute malicious code through this trusted process.
      - Any other system/admin tools that need to be trusted?
  21. Security ID Modifications
      - Is whitelisting on a per-user basis?
      - Have all types of users, including null user SIDs, been taken into account?
      - We didn't have a lot of time to test modifying the SIDs of services and files, but it's our guess this would work rather well.
  22. Chris John Riley's PySC
      - Shellcode from DNS TXT records
      - Or via Internet Explorer (using SSPI)
      - Works on the latest version we tested!
      - Thanks Chris!
      - Code link in the notes.
  23. Future Considerations
      - Macintosh bypasses
      - More HTML5 features
      - Trusted directory or trusted user abuse
      - Hash collision fun
      - Metasploit module
  24. Metasploit Module
      - Codename: “The Alan P@rs0ns Project: Sharks with friggin lasers”
      - Menu options/functionality:
        - Operating system version
        - Vendor choice
        - Exploit/bypass style choice
        - Payload choice
        - Post exploitation
  25. Questions?
  26. Contact Info
      curt@symbioticnt.net
      @inetopenurla (My blog… hope for a revival soon)
      @bit0day (to follow releases of details of our findings)
      jplummer@foregroundsecurity.com