New Tool for Discovering Flash Player 0-day Attacks in the. Wild from Various Channels



Similar documents
New Tool for Discovering Flash Player 0-day Attacks in the Wild from Various

RIA SECURITY TECHNOLOGY

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

============================================================= =============================================================

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Endpoint Business Products Testing Report. Performed by AV-Test GmbH

Beyond Aurora s Veil: A Vulnerable Tale

Be Prepared for Java Zero-day Attacks

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Security

Unstructured Threat Intelligence Processing using NLP

PCI Vulnerability Validation Report

HP Client Automation Standard Fast Track guide

Background. How much does EMET cost? What is the license fee? EMET is freely available from Microsoft without material cost.

Applications Life-cycle Management

Shane Hartman CISSP, GCIA, GREM Suncoast Security Society

Covert Operations: Kill Chain Actions using Security Analytics

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

Optimized Mal-Ops Hack ad networks like a boss

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Introduction to Cisco Inventory and Reporting

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Closing the Antivirus Protection Gap

Securing SharePoint 101. Rob Rachwald Imperva

EVILSEED: A Guided Approach to Finding Malicious Web Pages

To the Cloud! Software Security Evolution at Adobe

Tracking Anti-Malware Protection 2015

RECOMMENDED JAVA SETTINGS

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

System requirements for ICS Skills ATS

How To Install the Virtual Learning App

76% Secunia Vulnerability Review. Key figures and facts from a global IT-Security perspective. Published February 26, secunia.

2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Staff Guide to Online Teaching Timetables

Advanced Persistent Threats

Crosscheck Web Services Patent Pending Automated SOA Compliance and Security Assessment

CORPORATE AV / EPP COMPARATIVE ANALYSIS

CORE SECURITY. Exploiting Adobe Flash Player in the era of Control Flow Guard. Francisco Falcon Black Hat Europe 2015 November 12-13, 2015

IBM Advanced Threat Protection Solution

Easy Do-It-Yourself Computer Maintenance Tips

Mobile Security Framework; Advances in Mobile Governance in Korea. TaeKyung Kim

User Documentation Web Traffic Security. University of Stavanger

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk Rahul Kashyap

FSOEP Web Banking & Fraud: Corporate Treasury Attacks

Specific recommendations

Telecom Systems Billing Application User Guide

MRG Effitas Real World Enterprise Security Exploit Prevention March Real World Enterprise Security Exploit Prevention Test.

MRG Effitas Real World Enterprise Security Exploit Prevention March Real World Enterprise Security Exploit Prevention Test.

Lumension Guide to Patch Management Best Practices

Fighting Advanced Threats

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation

ONLINE RECONNAISSANCE

The Leader in Cloud Security SECURITY ADVISORY

Microsoft Update Management. Sam Youness Microsoft

Protecting Your Organisation from Targeted Cyber Intrusion

The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection

Bridging the gap between COTS tool alerting and raw data analysis

Physical Memory Standard Operating Procedures

WHITE PAPER: THREAT INTELLIGENCE RANKING

Sandbox Roulette: Are you ready for the gamble?

WHITE PAPER: Cyber Crime and the Critical Need for Endpoint Security

Targeted attacks: Tools and techniques

Adobe Connect Quick Guide

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

It s Time to Think Differently About Network Security. Franklyn Jones CMO, Spikes Security

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform

Report cover page. Report title: Description: Generated on: Generated by: Date filter: Event logs: Other filters: Signature: Reviewed by:

Feature List for Kaspersky Security for Mobile

Dartmouth College Technical Support Document for Kronos PC version

Northwestern University Dell Kace Patch Management

Vulnerability-Focused Threat Detection: Protect Against the Unknown

Checking Browser Settings, and Basic System Requirements for QuestionPoint

Introduction to IBM Digital Analytics Michigan.gov

Session 3: IT Infrastructure Security Track ThreatExchange Winning through collaboration. Tomas Sander HP Labs

Workflow Automation Support and troubleshooting guide

SAP Digital CRM. Getting Started Guide. All-in-one customer engagement built for teams. Run Simple

DETERMINATION OF THE PERFORMANCE

Breaking the Cyber Attack Lifecycle

Troubleshooting steps for Oracle Financials and Markview. Jan 2015

AJAX Storage: A Look at Flash Cookies and Internet Explorer Persistence

Windows Updates vs. Web Threats

Windows Phone 7 Internals and Exploitability

Bad Ads Trend Alert: Shining a Light on Tech Support Advertising Scams. May TrustInAds.org. Keeping people safe from bad online ads

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

How Lastline Has Better Breach Detection Capabilities. By David Strom December 2014

Closing the Vulnerability Gap of Third- Party Patching

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

Sophistication of attacks will keep improving, especially APT and zero-day exploits

Google Apps Engine. G-Jacking AppEngine-based applications. Presented 30/05/2014. For HITB 2014 By Nicolas Collignon and Samir Megueddem

Enterprise Mobility Report 06/2015. Creation date: Vlastimil Turzík

Android Malware Characterisation. Giovanni Russello

A comprehensive guide to XML Sitemaps:

Integrating MSS, SEP and NGFW to catch targeted APTs

INSTANT MESSAGING SECURITY

The evolvement of the Threat Landscape. Viktor Ziegler, Account Manager Germany & Eastern Europe March 2014

N J C C I C NJ CYBERSECURITY AND COMMUNICATIONS INTEGRATION CELL

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

IBM Security QRadar Vulnerability Manager Version User Guide

Presented by Brian Woodward

Transcription:

New Tool for Discovering Flash Player 0-day Attacks in the Wild from Various Channels @heisecode 1, Background In 2014, Microsoft introduced isolated heap and memory protector to avoid IE UAF exploits, it is harder to exploit PC using IE as a target. In late 2014 when did a plan for 2015, I thought Flash Player will be most popular attack target in PC, So I did some research for catching flash 0-day attack in 2015 and finally have some results. There are two important factors to discover 0-day attacks, one is how to get more effective samples in the wild, another is how to identify 0-day from large number of samples. I found some sample channels which can provide effective samples in the wild and develop a tool to help me identify these samples. 2, Sample Channels 1> Products feedback There are usually many SWF samples from kinds of products or engines detection feedback. This channel is most effective channel, because the samples have been filtered by products and engines rules, and the number of samples is large. There are many new feedback added every day, so need to process them every day.

2> URL Crawl Attackers always prepare several exploits in a URL, use which exploit depends on the software version installed in the victims PC. So products or engines feedback may contain many old CVEs detection just because some users installed old Java version or IE version. I get these old CVEs detection URLs from feedback and crawl these URLs to get the whole exploits based in these URLs, and there may have a Flash exploit. 3> Download from VT Intelligence I can download many SWF samples from https://www.virustotal.com/intelligence Based on some research, attackers may submit their exploits or POCs to VT to check AV detection. And some 0-days firstly submitted to VT before they were publicly disclosed. 4> URL Pattern Exploit Kits and some targeted attacks may use URLs which have some pattern. Some URLs have relation to the type of the target and some URLs have same kind based on attackers habits. I can use URL pattern to search URLs from our products or engines feedback to get some suspicious URLs and visit them to check there is a flash 0-day.

3, Tool to identify 0-day Because the number of samples and URLs is large, so I need a tool to help me to identify. This tool should have fast process speed and low false alert. It also should have a logger to log the URL/Sample name corresponding to the events/behaviors. So I developed a tool named AFED (Advanced Flash Exploit Detector). AFED is something: An IE BHO written by C++ Hook Flash OCX when Flash Player loaded to IE tab process. Hook IE event to get current URL name. Write exploit detection or sample behaviors to log. And the automation process is: Simple Python code Register AFED BHO using regsvr32.exe Every time load a URL in IE, AFED hook Flash Player OCX to detect Kill IE processes to load next URL When finished all URLs, parse log file In July, Adobe introduced Vector object mitigation into Flash Player with help of Google Project Zero. The mitigation is based on the fact that almost every flash exploit used corrupt Vector object to achieve arbitrary read and write. And Vector object was easily to be corrupted.

So there are some differences between before and after Adobe introduced Vector object mitigation. 1> Before Adobe introduced Vector.<*> mitigation Before the mitigation, Flash exploits used corrupted Vector object to achieve arbitrary read and write process memory. So AFED checks the Vector object length to detect Flash exploits. Simplified flash exploit flow is like this: I hook AVM2 JIT flow to get the check point, the hook key function is:

So the detection flow is like this: Then I hook the vector object creating, the key function is: So the final detection flow can be this:

2> After Adobe introduced Vector.<*> mitigation JIT native code prologues are like this: And we can get AS3 method name and its JIT native code address in the hook point. So we can log every AS3 method call:

We can add heuristic rules based on behaviors. For example, CVE-2015-7645 used ByteArray heapspray to exploit, so AFED will print lots of Call [flash.utils::bytearray] to the log. We can add rule when parsing log to match the ByteArray heapspray. We can add other rules based on analysis of recent exploits or your experience such as BitmapData heapspray used in recent exploits. 3> Hook Flash OCX load Because Flash OCX is a COM component, so I hook CoGetClassObject function in urlmon.dll. I use IsEqualCLSID(rclsid, CLSID_Flash) to identify Flash OCX is being loaded or not.

4, Reference 1> Inside AVM, Haifei Li 2> Google Project Zero Blog, http://googleprojectzero.blogspot.tw/2015/07/significant-flash-explo it-mitigations_16.html

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information