1.
The Exploit Intelligence Project
Dan Guido
SOURCE Boston, 04/20/2011
https://www.isecpartners.com

2.
Intro and Agenda
 I work for iSEC Partners
 NYC, Seattle, SF – specialize in Application Security
 I don’t have a product to sell you
 Today, I’m going to be sharing data and my analysis
of attacker capabilities and methods
 An informed defense is more effective and less costly
 EIP shows that intelligence-driven, threat-focused
approaches to security are practical and effective
2

3.
WARNING!
The commentary is really important for
this talk.
If you’re a reporter, please contact me and
I’ll be happy to provide that commentary
for any section you’re interested in:
dguido@isecpartners.com
3

4.
We Have An Analysis Problem
Or, you’re counting the wrong beans!

5.
Let’s Talk About Vulnerabilities
5
*IBM X-Force 2010 Trend and Risk Report

6.
How many vulnerabilities did
you have to pay attention to in 2010?
6

7.
since 2006
7

8.
Vulnerability Origin
8
*Secunia Yearly Report 2010

9.
Affected Vendors (2010)
1
2 Oracle
5
Adobe
Microsoft
Apple
5
9

10.
Wheel of Vulnerability Fortune
10
*Secunia: The Security Exposure of Software Portfolios

11.
Where or how were massively exploited
vulnerabilities first discovered in 2010?
6
5
4
3
2
1
0
Targeted ZDI Prominent Personal Known Discovered
Attacks Researcher Website Behavior by Malware
11

12.
Google Chrome is Insecure!
12
*Bit 9 Research Report: Top Vulnerable Apps – 2010

13.
How many vulnerabilities were
massively exploited in Google Chrome in 2010?
13

14.
Are we doing something wrong?
Yes, you’re doing it backwards!

15.
We Have to Start at Attacks
1. 2. 3.
 Where do bad guys get their info from?
 How do bad guys view the new vulns that come out?
 How effective are my defenses against this attacker?
15

16.
Maslow’s Internet Threat Hierarchy
# of Attacks Data Lost
APT IP
Targeted $$$
Mass Banking
Credentials
Malware

17.
Mass Malware
How does it work?

18.
Kill Chain Model
 Systematic model for evaluating intrusions
 Helps us objectively evaluate attacker capabilities
 Align defense to specific processes an attacker takes
 Typically used as a model to defend against APT
 Evolves beyond response at point of compromise
 Assumes unfixable vulnerabilities
 First described by Mike Cloppert
18

19.
Recon
19

20.
Weaponization
20
5-20 exploits, $200-$2000 dollars

21.
Delivery
21

22.
Exploitation
22

23.
Installation
23

24.
Command and Control
24

25.
Actions on Objectives
25

26.
Leads to Cyber Pompeii

27.
Process Overview
Recon Millions of Infected Sites
Existing defenses attack
Weaponize Thousands of Vulnerabilities the most robust aspects of
mass malware operations
Delivery Thousands of IPs
The last point that you
Exploit <100 Exploits
have control of your data
Install Millions of Malware Samples
C2 Thousands of IPs
Actions N/A 27

28.
Going on the Offensive

29.
Exploit Kit Popularity (2011)
29
*ThreatGRID Data

30.
Exploit Kit Popularity
 AVG Threat Labs
 Malware Domain List
 Krebs on Security
 Malware Intelligence
 Contagio Dump
 Malware Tracker
 M86 Security
 …

31.
Data Sources
 Blackhole  LuckySploit
 Bleeding Life  Phoenix
 CrimePack  2.5, 2.4, 2.3, 2.2, 2.1, 2.0
 3.1.3, 3.0, 2.2.8, 2.2.1  SEO Sploit pack
 Eleonore  Siberia
 1.6, 1.4.4, 1.4.1, 1.3.2  Unique Pack
 Fragus  WebAttacker
 JustExploit  YES
 Liberty  Zombie
 2.1.0, 1.0.7

32.
Data Processing
 Decode  Relate
 Jsunpack  SHODAN HQ
 Generic JS Unpacker  Python API for ExploitDB,
 Decodeby.us MSF, CVE
 PHP De-obfuscation
 Live Testing
 Vmware
 Detect
 Windows XP/7
 YARA Project
 Generic scanning engine
Note: All free tools except VMWare/Windows

33.
Jsunpack/YARA Rules
rule IEStyle
{
meta:
ref = “CVE-2009-3672”
hide = true
impact = 8
strings:
$trigger1 = “getElementsByTagName” nocase fullword
$trigger2 = “style” nocase fullword
$trigger3 = “outerhtml” nocase fullword
condition:
all of them
}
33

34.
Jsunpack vs Eleonore 1.4.1
34

35.
vuln_search.py
 CVE  Metasploit
 Name  Authors
 ID  Description
 ID
 Name
 Exploit DB
 Rank
 Author
 Date
 ID  References
 Name  Vendor URLs (ex. MSB)
 ZDI
 Other Notable URLs
Powered by:

36.
Sample Results: CVE-2010-1818
 Exploit DB
 08/30/2010
 Ruben Santamarta
 Apple QuickTime "_Marshaled_pUnk" Backdoor
 14843
 Metasploit
 Ruben Santamarta, jduck
 Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
 “… exploits a memory trust issue in Quicktime…”
 exploit/windows/browser/apple_quicktime_marshaled_punk
 Rank: Great
 Refs
 http://reversemode.com/index.php?option=com_content&task=
view&id=69&Itemid=1
 OSVDB-67705
36

37.
Recap
Mapping of Exploit Kits -> CVEs + Metadata
37

38.
Targeting Trends
Java from 2008 to Present

39.
Targeting Trends
 Java, Round One
 12-08 – Prominent researcher finds CVE-2008-5353
 08-09 – Wins a Pwnie (researcher interest runs high)
 08-09 – ZDI submissions start trickling out
 11-09 – 1 kit incorporates CVE-2008-5353
39

40.
Java, Round Two
 11-09 – ZDI publishes 2nd batch of Java vulns
 CVE-2009-3867
 01-10 – Three kits integrate 1st and 2nd vulns
 CVE-2008-5353 and CVE-2009-3867
 04-10 – 3rd batch of researcher disclosures
 CVE-2010-0886, CVE-2010-0840, CVE-2010-0842
 Back and forth between researchers/malware keeps
interest in Java running high
40

41.
From April 2010 onwards, new Java exploits are
added to almost all popular exploit kits
41

42.
Java Today
 Popularity
 11 out of 15 kits include at least one Java exploit (73%)
 7 out of 15 kits include more than one (46%)
 Where did this trend come from?
 Who followed who? The malware or research community?
 Why can we even compare these two groups together?
 What is next?
 Java and Flash will continue to be a pain point
 Quickest path to install malware in IE and Firefox
42

43.
The New Trend: more exploits are being rapidly
repurposed from targeted attack campaigns in 2010-2011
6
5
4
3
2
1
0
Targeted ZDI Prominent Personal Known Silent Patch
Attacks Researcher Website Behavior
43

44.
Capabilities Assessment
If we only had a time machine

45.
Optimized Defense
 Jan 1, 2009 – what can we put in place to mitigate all
exploits for the next two years?
 Restrictions: no patching allowed
 2009 recap
 Internet Explorer 7, Firefox 3.0
 Adobe Reader 9
 Java, Quicktime, Flash, Office 2007
 Windows XP SP3
 Dataset represents 27 exploits
45

46.
Slice and Dice
Memory
Logic
Corruption
(8)
(19)
Partition exploits based on mitigation options
46

47.
19 Memory Corruption Exploits
 5 unique targets
 IE, Flash, Reader, Java, Firefox, Opera
 Do I have my sysadmins adhere to patch schedules or
have them test and enable DEP in four applications?
 Patch schedules: Monthly, Quarterly, Ad-hoc
 Two years: 60+ patches in these apps
 I choose Data Execution Prevention (DEP)
 Good choice! It mitigates 14 exploits.
47

48.
8 Logic Flaws
 4 unique targets
 Java, Reader, IE, Firefox, FoxIt
 Do we have a business case to justify getting
repeatedly compromised by mass malware?
 No? Remove Java from the Internet Zone in IE
 Configure Reader to prompt on JS execution
 “Disallow opening of non-PDF file attachments”
 This leaves two exploits, one in IE and one in FF
48

49.
Most Severe Exploits 2009-2010
IE Help Center XSS
Firefox SessionStore
Reader libTIFF
Reader CoolType SING
Flash (IE) newfunction
Quicktime (IE) _Marshaled_pUnk
Java getSoundBank
49

50.
Enhanced Mitigation Experience Toolkit
 Microsoft utility that adds obstacles to exploitation
 On XP: DEP, SEHOP, Null Page, Heap Spray, EAT filter
 Distributed as an MSI, controlled via CLI or Registry
 Apply it to one application at a time
 Harden legacy applications
 Temporary protections against known zero-day
 Permanent protections against highly targeted apps
 http://blogs.technet.com/cfs-
file.ashx/__key/CommunityServer-Components-
PostAttachments/00-03-35-03-78/Users-Guide.pdf
50

51.
Most Severe Exploits 2009-2010
IE Help Center XSS
Firefox SessionStore
The Firefox exploit is only in one kit. We can
make an informed decision about the amount
of risk we are assuming.
51

52.
Intelligence-Driven Mitigations
 Easy mitigations (22 out of 27 exploits)
 DEP on IE, Firefox, and Reader
 No Java in the Internet Zone
 Disallow opening of non-PDF file attachments
 Hard mitigations (all the rest)
 EMET on IE and Reader, the two most attacked apps
 Upgrade to IE8 for that pesky Help Center XSS
 Disallow Firefox, patch it, or accept the risk
 Extremely limited susceptibility going forward
52

53.
Taking It Further
 Mass malware exploits are:
1. Result of users browsing internet sites
2. Shortest path to install malware w/ a single exploit
Google DEP Sandbox
Chrome Bypass Escape
Malicious DEP
IE8
HTML Bypass
IE7, Plugins,
Install
Java, Flash,
SpyEye
etc.
53
*DDZ – Memory Corruption, Exploitation and You

54.
Google Chrome Frame
“X-UA-Compatible: chrome=1” 54

55.
Google Chrome Frame
 Internet sites standardized around HTML/JS
 This is why you don’t need IE6 or IE7 at home
 For internet sites, add HTTP header w/ Bluecoat
 Browser is sandboxed
 Uses auto-updated Google version of Flash
 No other plugins are loaded
 Maintain whitelist of internet sites that need IE
 Typically, established vendor relationships
 All intranet websites will load with IE as usual
 Seamless to the user, mitigates all exploits in use
55

56.
Maslow’s Internet Threat Hierarchy
# of Attacks Data Lost
APT IP
Targeted $$$
Now you’re ready to defend against Banking
more advanced attackers Credentials

57.
Intelligence-Driven Conclusions
 Don’t wait to act with Flash and Java
 Pay attention to targeted attack disclosures in 2011
 Force malware authors to use multiple exploits
 Seriously consider Google Chrome Frame
 Are your consultants/MSSPs/scanners evaluating
vulnerabilities the same way that attackers are?
 Intelligence-Driven Response
 Informed defense is more effective and less costly
 Threat-focused security is practical
 Attack data is necessary to adequately model your risk
57

58.
Thanks
 Rcecoder, Mila Parkour, Francois Paget, Adam Meyers
 Exploit Pack Table on Contagio Dump & Exploit Kit Source
 Mike Cloppert and Dino Dai Zovi
 Inspiration, ideas, and encouragement
 Chris Clark
 Getting started with the research process at iSEC
 John Matherly
 Creating SHODAN and fixing my bugs
 Dean De Beer
 ThreatGRID data, screenshots, and background material
58

59.
References and Q&A
 Updates with more data at SummerCon, 6/10
 Related Presentations (online)
 Memory Corruption, Exploitation, and You – DDZ
 Intelligence-Driven Response to APT – M. Cloppert
 Any Mandiant Presentation
 Related Presentations (at SOURCE)
 2011 Verizon Data Breach Report, Hutton
 Fuel for Pwnage, Diaz and Mieres
 Dino Dai Zovi Keynote
 dguido@isecpartners.com
59

60.
Appendix

61.
Frequently Asked Question #1
 Q: What do you think about network detections?
 A: Apply the same analysis process (kill chain) to the
adversary you care about and determine major
source of overlaps in intrusions. You may find better
indicators than simply IP addresses.
 ie., “Hey, all the malicious domains attacking me are
registered with the same whois data.”
 or, “All the domains that compromise me have low
TTL values in common.”
 See some of Mike Cloppert’s writings
 See ThreatGRID when it comes out
61

62.
Frequently Asked Question #2
 Q: How can we keep up with this data? You did a
point in time assessment, but I want this going
forward.
 A: This analysis process and data should be picked up
by the security industry and used effectively. AV
companies have been doing you a disservice by not
doing this in the past. They should start now.
62

63.
Frequently Asked Question #3
 Q: Aren’t you cheating by saying we should use EMET to mitigate past
exploits?
 A:
 If we were smart enough to enable mitigations like DEP, we would have had
a solid 1.5 years where we weren’t affected by mass malware mem
corruption exploits at all, buying us a huge amount of time to investigate
other mitigations techniques.
 The exploits that EMET was needed for came after the tool was released in
Oct 2009. If you had someone performing this analysis, you could have
observed the exploits that bypassed DEP and responded the same way I did.
Intelligence gathering is not a static process, we have to continue collecting
and responding to new information.
 There are more ways to use this intelligence. For instance, since we know
that Flash and targeted attacks are so rapidly incorporated into mass
exploitation campaigns, we would have known on April 11th that CVE-2011-
0611 would be a significant issue. The patch came out on April 15th, but I
doubt many orgs patched over the weekend or enabled other mitigating
options before it was massively exploited on April 18th. With this data in
hand, they would have realized the seriousness of the original event on the
11th.
63

64.
Frequently Asked Question #4
 Q: Future analysis?
 A:
 How [exactly] do researcher disclosures correlate with
massive exploitation?
 Are the number of bugs exploited as zero-day
increasing? Why?
 Do researchers follow zero-day disclosure trends or
vice-versa?
 Exactly how much exploit code is modified from public
PoC’s before being integrated into a kit?
 Expect new results some time in June
64