EIP Revisited - Trail of Bits

Download Report

Transcript EIP Revisited - Trail of Bits 

Introductions
@dguido
Exploit Intelligence Project
 Intel-driven case study from 2011




How do we use intel to mitigate a threat?
What are optimal defenses for mass malware?
How do crimepacks acquire exploits?
Is security research being applied by crimepack authors?
 Separate what could happen from what is happening
Clear Market Leaders
# of Malicious URLs
4000
3500
3000
2500
2000
1500
1000
500
0
Limited Target Support
1
2
5
5
Flash / Reader
Java
Internet Explorer
Quicktime
Low Quality Exploits
Memory Corruption (19)
Defeated by DEP
14
Defeated by ASLR
17
Defeated by EMET
19
Logic Flaws (8)
No Java in Internet Zone
4
No EXEs in PDFs
1
No Firefox or FoxIt Reader
2
Developed Elsewhere
DEP Bypasses (5)
Developed by APT
Developed by Whitehats
Developed by Malware Authors
3
2
0
Logic Flaws (8)
Discovered by APT
0
Discovered by Whitehats
8
Discovered by Malware Authors
0
Java is a Path Forward
Malicious
HTML
Google
Chrome
DEP/ASLR
Bypass
Sandbox
Escape
IE8
DEP/ASLR
Bypass
Integrity
Escalation
Java
Shell
Derived Optimal Defenses
 Recommended to defend against crimepacks in 2011:
1.
2.
3.
4.
Enable DEP on browser and plugins
Remove Java from Internet Zone
Secure Adobe Reader configuration
Use EMET when possible / where needed
 Then, continue to monitor threat intel for changes…
Where are they
now?
Crimepacks in 2013
Crimepacks in 2013
 Standard desktop builds use DEP/ASLR/Sandboxes
 2009: Windows XP, IE7, Flash 9, Office 2007, Java 6
 2013: Windows 7, IE9, Flash 11, Office 2010, Java 7
 Blackhole / Cool, Sweet Orange, and Gong Da
 Have these kits invested in bypassing our new defenses?
 How have crimeware packs dealt with the pressure?
The World is Changing
35
30
25
IE 6.0
IE 7.0
IE 8.0
IE 9.0
IE 10.0
20
15
10
5
2013-07
2013-05
2013-03
2013-01
2012-11
2012-09
2012-07
2012-05
2012-03
2012-01
2011-11
2011-09
2011-07
2011-05
2011-03
2011-01
0
Source: StatCounter January 2011 – August 2013 Browser Versions
Supported Targets
3
Windows XP Only
9
5
1
Reader / Flash
Internet Explorer
Windows TTF Font
Java
Exploit Origins
• All memory corruption exploits
came from APT campaigns or
the VUPEN blog.
Java
IE / Flash
• All Java exploits came from
security researchers:
•
Jeroen Frijters
•
TELUS Security Labs
•
Adam Gowdiak (Security Explorations)
•
Stefan Cornellius
•
Sami Koivu via ZDI
•
Michael Schierl via ZDI
• “Whitehats Shrugged”
VUPEN Blog Articles
APT Campaigns
Security Researchers
Cool Exploit Kit
 Premium version of Blackhole, by the same author
 Launched a $100k bug bounty for improved exploits
 Only offered as a hosted service to prevent source leaks
 As a result, Cool has several unique exploits:
 CVE-2011-3402: Windows Kernel TTF font (Duqu)
 CVE-2012-1876: IE 9 (VUPEN Pwn2Own)
 CVE-2012-0775: Reader 9/10 (self-developed?)
 No privesc included for these targets, relies on payload
How did we stack up?
 DEP, remove Java, secure Reader, EMET as necessary
 Safe from all but TTF font exploit w/o patching!
 Systems being deployed now w/o Java are out of reach
 Win7, IE9, Reader X, EMET as necessary
 Mixed messages coming from this data
 Success! We have pushed crimepacks to the margins
 Warning! It is easy to predict if you will get owned
The Advanced Persistent Threat
How effective are exploit mitigations against this threat?
Aurora et al.
 Highly regarded technical capabilities




Prolific developers of zero-day exploits
Original source for many crimepack exploits
Pioneered “watering hole” attack campaigns
Notable for successful compromises of Google, Bit9
 Continues to cross paths with Trail of Bits
 Exploit profiled in Assured Exploitation
 Elderwood Exploit Kit dissection and analysis
Elderwood
 Think, a “startup” for Aurora to invest in
 Developed several reusable vuln disc / exploit tools
 Requires less-skilled people to operate the tools
 Launch zero-day watering holes on a regular basis
 Released new attacks every ~3 months in 2011/2012
 4 Internet Explorer, 5 Adobe Flash zero-days
 Dozens of prominent websites compromised (CFR)
Quality Exploits?
All Computers
Internet Explorer 8
Flash, Java, and Office
plugins available
50% of the time
Elderwood
Modest exploit mitigations are surprisingly effective!
Meet NYU-Poly…
… and Davis
It’s Easy to Get Better
Elderwood
NYU-Poly
Davis
Plugins Required Flash, Office, Java
.NET
None
Version Support
IE8 / Win XP
IE8 / Win7
IE9 / Win7
Reliability
~50%
~95%
~99%
Features
Hardcoded ROP
Hardcoded ROP
Dynamic ROP
Time to Develop
? (probably 8 hrs)
~5 days
~10 days
Experience
Professional
Amateur
Amateur
Reality
 RSA – phishing email with malicious Excel doc
 Exploited Flash vuln no longer viable in IE
 Google – IE6 in remote office to total control of Gmail
 They found the ONE guy in Google using IE6
 Amateurs push as hard as they can. Professionals push
as hard as they have to.
 Rapid discovery and shift to low cost attack vectors
APT Discoveries
 Maybe we should try to make protections that cannot
be bypassed by CS undergrads with 40 hrs of training?
 We need to push harder since the professional bad guys
can own things without caring about mitigations
 APT can get better, we know they will, but is it prudent
not to act just because you know they will respond?
Taming the Tiger
Use the Kill Chain and Courses of Action the way they were intended
Variety of Approaches
or “An APT breached my network despite my $750,000 IPS and $2,000,000
SIEM. What other vendor products should I buy to protect myself ?” –Jerkface
External Exposure
Phishing Resistance
“99% of the security breaches it investigated in 2012 started with a targeted
spearphishing attack.” –Mandiant
“If you go from 35 to 12% on fire, you’re still on fire.” –Zane Lackey
Exploitability
Final Conclusions
 Let’s make defenses that bored undergrads can’t take
out in one semester, that would be cool!
 Let’s build things that help understand your adversary’s
capability and intent.
 Let’s use the defenses we have. They work, and they
work against the people you care about.
 Thanks Andrew Ruef and Hal Brodigan!
References
 Contagio: An Overview of Exploit Packs
 http://contagiodump.blogspot.com/2010/06/overview-ofexploit-packs-update.html
 Elderwood Kit Analysis
 http://blog.trailofbits.com/2013/05/13/elderwood-and-thedepartment-of-labor-hack/
 Detecting Targeted Malicious Email
 http://papers.rohanamin.com/wpcontent/uploads/papers.rohanamin.com/2010/11/Amin201
1-dissertation.pdf