2010: The Year of the Exploit

Similar documents
The Peak of Chaos Shane D. Shook, PhD 10/31/2012

Stuxnet Malware. Official communication presented at CIP Seminar by Thomas Brandstetter. Siemens AG All Rights Reserved.

The Stuxnet Worm The Nexus of Cyber Security and International Policy. By George Aquila Mentor: Ming Chow

IOActive Security Advisory

PCI Vulnerability Validation Report

The Leader in Cloud Security SECURITY ADVISORY

Using Tofino to control the spread of Stuxnet Malware

THE SECURITY EXPOSURE

Windows XP Pro Service Pack 3 Approved Window Update Description Update. XP Service Pack 3 (KB936929) Windows Internet Explorer 7 for Windows XP

The Stuxnet Worm and Options for Remediation

Beyond Aurora s Veil: A Vulnerable Tale

Windows XP Pro Service Pack 3

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Sandbox Roulette: Are you ready for the gamble?

MCAFEE FOUNDSTONE FSL UPDATE

Using Vulnerable Hosts to Assess Cyber Security Risk in Critical Infrastructures

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Post-Stuxnet Industrial Security: Zero-Day Discovery and Risk Containment of Industrial Malware

76% Secunia Vulnerability Review. Key figures and facts from a global IT-Security perspective. Published February 26, secunia.

Vulnerability-Focused Threat Detection: Protect Against the Unknown

Choosing Between Whitelisting and Blacklisting Endpoint Security Software for Fixed Function Devices

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

Optimizing Windows Security Features to Block Malware and Hack Tools on USB Storage Devices

TIME TO LIVE ON THE NETWORK

Security Testing in Critical Systems

Install this update to increase the performance of web sites that use Ajax. After you install this item, you may have to restart your computer.

IN10A. MICROSOFT WINDOWS CRITICAL UPDATES October 2014

Post-Stuxnet Industrial Security

More Than A Microsoft World. Marc Maiffret Co-Founder Chief Hacking Officer

Software Vulnerability Assessment

Penetration Testing Report Client: Business Solutions June 15 th 2015

Agenda , Palo Alto Networks. Confidential and Proprietary.

W32.Stuxnet Dossier. Security Response. Introduction. Nicolas Falliere, Liam O Murchu, and Eric Chien

Discovering passwords in the memory

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Egress Switch Best Practice Security Guide V4.x

Windows Remote Access

EXPLORING VULNERABILITIES IN NETWORKED TELEMETRY

Managed Services Agreement. Hilliard Office Solutions, Ltd. PO Box Phone: Midland, Texas Fax:

Cyber security and critical national infrastructure

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

6. Exercise: Writing Security Advisories

Using Windows Update for Windows Me

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015

Secunia Vulnerability Review

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

HUNTING ASYNCHRONOUS VULNERABILITIES. James Kettle

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

STAT Scanner Product Guide

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

a Post-Stuxnet World The Future of Critical Infrastructure Security Eric Byres, P.Eng.

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Phone Fax

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0

Security Patch Management

The Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director

Security Vulnerability Management. Mark J Cox

MWR InfoSecurity Security Advisory. Symantec s Altiris Deployment Solution File Transfer Race Condition. 7 th January 2010

Background. How much does EMET cost? What is the license fee? EMET is freely available from Microsoft without material cost.

Technical Note. CounterACT: Powerful, Automated Network Protection Inside and Out

MALWARE THREATS AND TRENDS. Chris Blow, Director Dustin Hutchison, Director

How To Create An Ics Network With A Network Of Nodes

Conficker by the numbers

Maximizing customer protections

Using Windows Update for Windows 95/98

Honeypots & Honeynets Overview. Adli Wahid Security Specialist, APNIC.net adli@apnic.net

Dealing with the unsupported Windows XP

Protecting Your Organisation from Targeted Cyber Intrusion

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

Applications Life-cycle Management

Implementing Security Update Management

Computer Security DD2395

Malware and Attacks Further reading:

Are you prepared to be next? Invensys Cyber Security

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

Protecting productivity with Plant Security Services

Desktop Security. Overview and Technology Guidance. Michael Ramsey Network Specialist, NC DPI

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Year end Report for 2006 *

Proactive Vulnerability Management Using Rapid7 NeXpose

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk Rahul Kashyap

Taking a Proactive Approach to Patch Management. B e s t P r a c t i c e s G u i d e

Elements to a Secure Environment Becoming Resilient Towards Modern Cyberthreats. Windows XP Support Has Ended Why It Concerns You

Security Intelligence and Analytics in Industrial Systems

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Is Penetration Testing recommended for Industrial Control Systems?

CSIS Security Research and Intelligence Advisory Microsoft GDI+ Integer division by zero flaw handling.ico files VU# CVE

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Microsoft Security Bulletin MS Important

Advanced Endpoint Protection Overview

Legal Notes. Regarding Trademarks KYOCERA Document Solutions Inc.

Hands-on Hacking Unlimited

Network Monitoring Tool to Identify Malware Infected Computers

WHITE PAPER: TECHNICAL. Using Symantec Critical System Protection for Patch Mitigation and Securing Legacy Out-of- Support Platforms

Evolution of attacks and Intrusion Detection

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

Transcription:

2010: The Year of the Exploit Juraj Malcho (malcho@eset.sk) Alexandr Matrosov (matrosov@esetnod32.ru) Eugene Rodionov (rodionov@esetnod32.ru) David Harley (dharley@eset.com)

Microsoft Windows Server Releases Roadmap The picture courtesy of Microsoft

Microsoft Significant vulnerabilities MS03-026 Buffer Overrun In RPC Interface (Blaster) MS04-011 LSASS Vulnerability (Rbot MS06-014 MDAC exploit (the base of Exploit Packs) MS07-017 Windows Animated Cursor Remote Code Execution Vulnerability MS08-067 MS10-046 Vulnerability in Server Service (Conficker) Vulnerability in Windows Shell (Stuxnet) Microsoft Security Advisory (2269637) Insecure Library Loading Could Allow Remote Code Execution

MS10-046 LNK exploit Windows Shell vulnerability Discovered in the wild as a 0-day Out-of-band patch released on August 2 nd 2010 Affects all Windows versions Spreading (not only) via removable devices regardless of security settings MITRE code CVE-2010-2568 Win32/Stuxnet

VirusBlokAda identified Stuxnet and the LNK exploit on June 17 th (Trojan-Spy.04850) Microsoft and others only took a notice a month later Realtek Semiconductors notified on June 24 th regarding the certificate problem Allegedly, the notification was ignored July 13 th The Moment of Truth Win32/Rootkit.TmpHider July 6 th 2010: Win32/Rootkit.Agent.NTK Gradual unfurling of the truth about Stuxnet At first seemed to be spyware Only in September was it found to be a tool of destruction

Targeted attack Not only an eye-opener for the general public, but even for many in the IT security industry Uncompromisingly professional Created by a team of people 0-day vulnerability portfolio 4 0-day vulnerabilities: MS10-046, MS10-061, MS10-073, MS10-0XX + MS08-067 Signed! Compromised Realtek & JMicron certificates Weeks of exhaustive analysis The effect on Siemens Simatic SCADA SW Speculation about other possible targets

invisible First variants January/March/June 2009 Vulnerability arsenal was limited by then: MS08-067 MS10-061 MS08-025 (win32k.sys!ntusermessagecall) autorun.inf Significant upgrade in January 2010 Another driver added Signed by Realtek Technologies certificate New 0-day vulnerabilities added: MS10-046, MS10-061, MS10-073, MS10-0XX

signatures

vulnerabilities removable devices MS10-046 Win2000/XP MS10-073 general attack vector propagation additional attack vectors Stuxnet propagation and installation vectors in MS Windows privilege escalation installation privilege escalation local network MS08-067 Vista/Win7/Server 2008 MS10-0XX MS10-061

exploit #1: MS10-0XX A vulnerability in Task Scheduler service Scheduled tasks integrity checking problem Used for privilege escalation Windows Vista and above

exploit #2: MS10-073 A vulnerability in win32k.sys Based on faulty processing of keyboard layout files Used for privilege escalation Windows 2000 and WindowsXP are affected fanny.bmp Win32/Agent.OSW (Win32/Dottun) between win32k.sys and LNK exploit connection

exploit #3: MS10-061 A vulnerability in Printer Spooler Shared printers problem 2009/04 Used to spread over the network All Windows versions vulnerable A problem in verifying the identity of the printing client Instead of being sent to a printer files are dropped to: %SYSTEM32% (privileged operation): Windows\System32\winsta.exe and Windows\System32\wbem\mof\sysnullevnt.mof

exploit #4: MS10-046 LNK exploit CVE-2010-2568 A design error, no shell code or buffer overflow issue Used to spread via removable media All Windows versions vulnerable The graphics are loaded from the file referenced in the LNK file and not only that

exploit #4: MS10-046 4 ways of storing the path to the payload: \\.\STORAGE#Volume#_??_USBSTOR#Disk&Ven USB&Prod_FLASH_DRI VE&Rev_#12345000100000000173&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp \\.\STORAGE#Volume#1&19f7e59c&0&_??_USBSTOR#Disk&Ven USB&Pr od_flash_drive&rev_#12345000100000000173&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~wtr4141.tmp \\.\STORAGE#RemovableMedia#8&1c5235dc&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp \\.\STORAGE#RemovableMedia#7&1c5235dc&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp

MS10-046 related malware and its evolution 8(+) CVE-2010-2744/MS10-073 (win32k.sys) since 2009/11!!!

... needs to be considered and protected

Education is a necessary part of defence Gathering data Not so difficult online Mining and exploring it To find the right target Marketing folks know this Cyber criminals are no different Careful what you say Nothing comes for free Mistrust information you didn't ask for or people you

Questions? Juraj Malcho (malcho@eset.sk) Alexandr Matrosov (matrosov@esetnod32.ru) Eugene Rodionov (rodionov@esetnod32.ru) David Harley (dharley@eset.com)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information