Transcript The Elderwood Project

The Elderwood Project
Brian Bowlby
CompNet
Review of material on Symantec website
(www.symantec.com)
http://www.symantec.com/content/en/us/enter
prise/media/security_response/whitepapers/th
e-elderwood-project.pdf
http://www.symantec.com/connect/blogs/howelderwood-platform-fueling-2014-s-zero-dayattacks
What is the Elderwood Project (also
called the Elderwood Platform)?
A set of zero-day exploits that have been engineered
and packaged in a “consumer-friendly” way to allow
non-technical people to easily attack their targets.
Name Elderwood comes from source code variable
used by the attackers
What are zero-day exploits?
Exploits that exist in the initial release of a software package
Often unknown to the programmer(s)
May be known, but too expensive or time consuming to correct
Generally, serious vulnerabilities are rare (8 identified in 2011)
Which zero-day exploits are included?
• Adobe Flash Player Object Type Confusion Remote Code Execution
Vulnerability (CVE-2012-0779)
• Adobe Flash Player Remote Code Execution Vulnerability(CVE-20121535)
• Microsoft Internet Explorer Same ID Property Remote Code
Execution Vulnerability (CVE-2012-1875)
• Microsoft XML Core Services Remote Code Execution
Vulnerability(CVE-2012-1889)
Newer packages include exploits of these
vulnerabilities
• Microsoft Internet Explorer Use-After-Free Remote Code
Execution Vulnerability (CVE-2014-0322)
• Microsoft Internet Explorer Memory Corruption Vulnerability
(CVE-2014-0324)
• Adobe Flash Player and AIR Remote Code Execution
Vulnerability (CVE-2014-0502)
How are these vulnerabilities exploited?
Two methods for propagating their payload
– Spear-phishing
Attach an infected document in an email message
– Watering hole attack
Visitors of a web site are infected
A third possibility – a combination of the above
Send target user an email with a link to an infected website
Link can be unique for that user
Who is Behind Elderwood?
High degree of technical sophistication – able to exploit
many different vulnerabilities
Once packaged, less technical groups can mount actual
attacks – perhaps different group for each target
Attacks are targeted – no mass email campaigns
Attackers are patient – may lie in wait for several months
before adding malicious code
Components of Elderwood
Targets
Defense – Companies that manufacture components for
top-tier defense contractors
NGOs and human rights groups (Amnesty International)
Finance, Energy, Education and Government
Recent Timeline of Elderwood Attacks
Groups using the Elderwood Platform
Takeaway Lessons
Apply the latest patches/updates to your software
Don’t open attachments unless you’re sure of the source
Be careful when clicking on links in email messages
Check that URL matches “printed” one
http://fake.name.com
Thanks / Questions?