Beyond Aurora s Veil: A Vulnerable Tale

Transcription

1 Beyond Aurora s Veil: A Vulnerable Tale Derek Manky Cyber Security & Threat Research FortiGuard Labs October 26th, 2010: SecTor 2010 Toronto, CA

2 Conficker: April Doomsday.. Meanwhile JBIG2 Zero Day PDF/SWF January 2009: Malicious PDF Samples In the Wild Drop Gh0st RAT Trojan, Exploits CVE No Click Variant through Windows Shell Extensions February 02, 2009: Adobe Acknowledges via APSA09 01 March 10, 2009: Adobe Patches via APSB Attacks Occurred Roughly 63 Days Before Patch

3 ... A Vulnerable Tale Gh0st RAT Advertisement Photo 3

4 Bredolab & Gumblar Meanwhile Gumblar & Bredolab Botnets Sync Through PDF Exploits 4 March 18, 2009 Adobe Issues Patch APSB09 04 Includes CVE , PDF Exploit March 23, 2009: Gumblar attack surfaces Compromised websites with exploits Freshly exploiting CVE Drops Bredolab Botnet (First appearance) Downloads FTP Stealing Module for Gumblar Downloads FakeAV for Profit Aggressively Attacked 5 Days After POC Released

5 Bredolab & Gumblar 5

6 Bredolab & Gumblar Then and Now Gumblar & Bredolab Botnets Sync Through PDF Exploits Bredolab Oct 2009: New Protocol (v2), Custom Encrypted HTTP Jan 2010: Uses Pushdo Botnet New Webmailing Engine Distributed (Webwail)[1] Cracks CAPTCHAs in < 30 seconds Feb 2010: Downloads Ransomware Force Kills Applications, Demands > $50 USD Oct 2010: Distributes Grum/Tedroo Botnet Source Code Available Bredolab now used for various operators & attacks since original incarnation [1] FortiGuard Labs Discovers Webwail in December

7 Bredolab & Gumblar Then and Now Gumblar & Bredolab Botnets Sync Through PDF Exploits Gumblar Today[1] 9,350 infected links 951 links hosting exploits 165 malware variants served Popular exploited vulns: CVE CVE CVE CVE [1] FortiGuard Web Scanning Systems, Oct 19 th

8 ... A Vulnerable Tale In The Threat Spotlight Internet Explorer HTML Memory Corruption ( Aurora ) 8 September 30, 2009: Microsoft Receives Vulnerability Report (Later CVE ) December 15, 2009: Google Later Acknowledges Attack Discovery January 04, 2010: C&C Servers Taken Down January 12, 2010: Attacks Publicly Acknowledged Dropped Custom Trojan January 14, 2010: Public POC Exploit Code Available January 21, 2010: Microsoft Patches via MS Zero Day 113 Days Before Patch, 7 Days From Public POC

9 ... A Vulnerable Tale Meanwhile Internet Explorer Use After Free 9 March 09, 2010: Microsoft Acknowledges via Advisory / CVE Web Drive By Attacks Already In the Wild Drop Gh0st RAT Trojan, Similar to Aurora March 30, 2010: Microsoft Patches via MS Attacks Occurred Roughly 21 Days Before Patch FortiGuard Detects Highest Exploit Rate Before Patch (Zero Day)

10 Internet Explorer Use-After-Free

11 Exploit Demonstration Fortinet Confidential 11

12 The Next Chapter What can we learn?!!! Headlines are not everything!!! Reactive defense against high profiles attack == inefficient Threats often share similar attack techniques Browsers, Document Formats, System Services Conficker Neeris (RPC DCOM), Murofet (DGA) Gh0st RAT (PDF JBIG2) Gumblar (PDF geticon) Aurora Google/etc & Gh0st RAT: IE Use After Free 12

13 The Next Chapter What can we learn? 13 Zero day attacks happen more often than you may think Attacks can continue for months undetected Can be 1 3 week response time for patches Once detected / reported.. Otherwise 6 12 months Patched vulnerabilities are attacked quickly, and frequently Conficker: 30 Days Gumblar: 5 Days Patch management! Quick patching is essential Does not work on zero day attacks

14 The Next Chapter The new decade of threats Attacks can survive for years Attacks change extremely frequently Server side polymorphism Repack hosted malware Repack hosted scripts [Gumblar] Crimeware and source code Copy & paste bots New versions Endless domains Creates tremendous volume 14

15 FortiGuard Labs Security Research 87 Zero-Days Discovered Since 2008, Mostly Critical Oct 2010: 30+ Outstanding in Zero-Day State 15

16 Fighting Back Strategic Defense Standard security rules apply; often ignored Layered security vs. Growing attack surface Applicable to Infection & Post Infection Education and Training (RSS) Think before you link Use of JS, Flash (Noscript, PDF Reader) Trust management (PGP, SSL) Alternative software considerations OS, Browsers, Doc Readers, Sandboxes Access level lock down (Admin privileges) 16

17 Fighting Back Layered Security vs. Growing Attack Surface Intrusion Prevention: Botnet C&C, Zero Days & Exploits Application Control: Malicious services Compromised Facebook Applications Webfiltering: Botnet C&C, Fast Flux / MalHosting, SEO Antispam: Spambots & Incoming Campaigns Antivirus: Trojans, bots, ransomware, etc Vulnerability Review Software used vs. alternatives 17

18 18