Beyond Aurora’s Veil: A Vulnerable Tale
Derek Manky Cyber Security & Threat Research FortiGuard Labs
October 26th, 2010: SecTor 2010 – Toronto, CA Conficker: April Doomsday ..
… Meanwhile JBIG2 ZeroDay PDF/SWF
. January 2009: . Malicious PDF Samples In the Wild Drop Gh0st RAT Trojan, Exploits CVE20090658 NoClick Variant through Windows Shell Extensions
. February 02, 2009: . Adobe Acknowledges via APSA0901
. March 10, 2009: . Adobe Patches via APSB0903
. Attacks Occurred Roughly 63 Days Before Patch
2 ... A Vulnerable Tale
Gh0st RAT Advertisement Photo
3 Bredolab & Gumblar
Meanwhile … Gumblar & Bredolab Botnets Sync Through PDF Exploits
. March 18, 2009 . Adobe Issues Patch APSB0904 Includes CVE20090927, PDF Exploit
. March 23, 2009: . Gumblar attack surfaces Compromised websites with exploits Freshly exploiting CVE20090927 . Drops Bredolab Botnet (First appearance) Downloads FTP Stealing Module for Gumblar Downloads FakeAV for Profit
. Aggressively Attacked 5 Days After POC Released
4 Bredolab & Gumblar
5 Bredolab & Gumblar
Then and Now … Gumblar & Bredolab Botnets Sync Through PDF Exploits
. Bredolab . Oct 2009: New Protocol (v2), Custom Encrypted HTTP . Jan 2010: Uses Pushdo Botnet New Webmailing Engine Distributed (Webwail)[1] Cracks CAPTCHAs in < 30 seconds Feb 2010: Downloads Ransomware Force Kills Applications, Demands > $50 USD . Oct 2010: Distributes Grum/Tedroo Botnet
. Source Code Available Bredolab now used for various operators & attacks since original incarnation
[1] FortiGuard Labs Discovers Webwail in December 2009
6 Bredolab & Gumblar
Then and Now … Gumblar & Bredolab Botnets Sync Through PDF Exploits
. Gumblar Today[1]
9,350 infected links 951 links hosting exploits 165 malware variants served Popular exploited vulns: CVE20070701 CVE20080655 CVE20082992 CVE20090927
[1] FortiGuard Web Scanning Systems, Oct 19th 2010
7 ... A Vulnerable Tale
In The Threat Spotlight … Internet Explorer HTML Memory Corruption (“Aurora”)
. September 30, 2009: . Microsoft Receives Vulnerability Report (Later CVE20100249) . December 15, 2009: . Google Later Acknowledges Attack Discovery
. January 04, 2010: C&C Servers Taken Down . January 12, 2010: Attacks Publicly Acknowledged . Dropped Custom Trojan . January 14, 2010: Public POC Exploit Code Available . January 21, 2010: . Microsoft Patches via MS10002
. ZeroDay 113 Days Before Patch, 7 Days From Public POC
8 ... A Vulnerable Tale
… Meanwhile Internet Explorer UseAfterFree
. March 09, 2010: . Microsoft Acknowledges via Advisory / CVE20100806 . Web DriveBy Attacks Already In the Wild . Drop Gh0st RAT Trojan, Similar to Aurora
. March 30, 2010: . Microsoft Patches via MS10018
. Attacks Occurred Roughly 21 Days Before Patch . FortiGuard Detects Highest Exploit Rate Before Patch (ZeroDay)
9 Internet Explorer Use-After-Free Exploit Demonstration
Fortinet Confidential 11 11 The Next Chapter
What can we learn?
. !!! Headlines are not everything !!! Reactive defense against high profiles attack == inefficient
. Threats often share similar attack techniques Browsers, Document Formats, System Services
Conficker Neeris (RPC DCOM), Murofet (DGA) Gh0st RAT (PDF JBIG2) Gumblar (PDF getIcon)
Aurora Google/etc & Gh0st RAT: IE UseAfterFree
12 The Next Chapter
What can we learn?
. Zeroday attacks happen more often than you may think Attacks can continue for months undetected Can be 13 week response time for patches Once detected / reported .. Otherwise 612 months
. Patched vulnerabilities are attacked quickly, and frequently Conficker: 30 Days Gumblar: 5 Days
. Patch management! Quick patching is essential Does not work on zeroday attacks
13 The Next Chapter
The new decade of threats
. Attacks can survive for years . Attacks change extremely frequently Serverside polymorphism Repack hosted malware Repack hosted scripts [Gumblar]
Crimeware and source code Copy & paste bots New versions
Endless domains Creates tremendous volume
14 FortiGuard Labs – Security Research
• 87 Zero-Days Discovered Since 2008, Mostly Critical • Oct 2010: 30+ Outstanding in Zero-Day State
15 http://www.fortiguard.com/advisory/UpcomingAdvisory.html Fighting Back
Strategic Defense
. Standard security rules apply; often ignored . Layered security vs. Growing attack surface Applicable to Infection & PostInfection
. Education and Training (RSS) Think before you link Use of JS, Flash (Noscript, PDF Reader) Trust management (PGP, SSL)
. Alternative software considerations OS, Browsers, Doc Readers, Sandboxes
. Access level lockdown (Admin privileges)
16 Fighting Back
Layered Security vs. Growing Attack Surface
. Intrusion Prevention: Botnet C&C, ZeroDays & Exploits
. Application Control: Malicious services . Compromised Facebook Applications
. Webfiltering: Botnet C&C, Fast Flux / MalHosting, SEO
. Antispam: Spambots & Incoming Campaigns
. Antivirus: Trojans, bots, ransomware, etc
. Vulnerability Review . Software used vs. alternatives
17 18