Corporate Presentation Template March 2006

Beyond Aurora's Veil: A Vulnerable Tale
Derek Manky, Cyber Security & Threat Research, FortiGuard Labs
October 26th, 2010: SecTor 2010, Toronto, CA

Slide 2: ... A Vulnerable Tale
Conficker: April Doomsday ... Meanwhile: JBIG2 Zero-Day PDF/SWF
  • January 2009: Malicious PDF samples in the wild
    Drop Gh0st RAT Trojan, exploit CVE-2009-0658
    No-click variant through Windows Shell extensions
  • February 02, 2009: Adobe acknowledges via APSA09-01
  • March 10, 2009: Adobe patches via APSB09-03
  • Attacks occurred roughly 63 days before patch

Slide 3: ... A Vulnerable Tale
[Photo: Gh0st RAT advertisement]

Slide 4: Bredolab & Gumblar
Meanwhile: Gumblar & Bredolab botnets sync through PDF exploits
  • March 18, 2009: Adobe issues patch APSB09-04, which includes CVE-2009-0927 (PDF exploit)
  • March 23, 2009: Gumblar attack surfaces
    Compromised websites with exploits, freshly exploiting CVE-2009-0927
    Drops Bredolab botnet (first appearance)
    Downloads FTP stealing module for Gumblar
    Downloads FakeAV for profit
  • Aggressively attacked 5 days after POC released

Slide 5: Bredolab & Gumblar

Slide 6: Bredolab & Gumblar: Then and Now
Gumblar & Bredolab botnets sync through PDF exploits
Bredolab:
  • Oct 2009: New protocol (v2), custom encrypted HTTP
  • Jan 2010: Uses Pushdo botnet
    New webmailing engine distributed (Webwail)[1]
    Cracks CAPTCHAs in < 30 seconds
  • Feb 2010: Downloads ransomware
    Force kills applications, demands > $50 USD
  • Oct 2010: Distributes Grum/Tedroo botnet
  • Source code available: Bredolab now used by various operators & attacks since its original incarnation
[1] FortiGuard Labs discovered Webwail in December 2009

Slide 7: Bredolab & Gumblar: Then and Now
Gumblar & Bredolab botnets sync through PDF exploits
Gumblar today[1]:
  • 9,350 infected links
  • 951 links hosting exploits
  • 165 malware variants served
  • Popular exploited vulns: CVE-2007-0701, CVE-2008-0655, CVE-2008-2992, CVE-2009-0927
[1] FortiGuard Web Scanning Systems, Oct 19th 2010

Slide 8: ... A Vulnerable Tale
In the Threat Spotlight: Internet Explorer HTML Memory Corruption ("Aurora")
  • September 30, 2009: Microsoft receives vulnerability report (later CVE-2010-0249)
  • December 15, 2009: Google later acknowledges attack discovery
  • January 04, 2010: C&C servers taken down
  • January 12, 2010: Attacks publicly acknowledged
    Dropped custom Trojan
  • January 14, 2010: Public POC exploit code available
  • January 21, 2010: Microsoft patches via MS10-002
  • Zero-day 113 days before patch, 7 days from public POC

Slide 9: ... A Vulnerable Tale
Meanwhile: Internet Explorer Use-After-Free
  • March 09, 2010: Microsoft acknowledges via advisory / CVE-2010-0806
    Web drive-by attacks already in the wild
    Drop Gh0st RAT Trojan, similar to Aurora
  • March 30, 2010: Microsoft patches via MS10-018
  • Attacks occurred roughly 21 days before patch
  • FortiGuard detects highest exploit rate before patch (zero-day)

Slides 10-11: Internet Explorer Use-After-Free Exploit Demonstration (Fortinet Confidential)

Slide 12: The Next Chapter: What can we learn?
  • !!! Headlines are not everything !!!
    Reactive defense against high-profile attacks == inefficient
  • Threats often share similar attack techniques: browsers, document formats, system services
    Conficker, Neeris (RPC DCOM), Murofet (DGA)
    Gh0st RAT (PDF JBIG2), Gumblar (PDF getIcon)
    Aurora (Google etc.) & Gh0st RAT: IE Use-After-Free

Slide 13: The Next Chapter: What can we learn?
  • Zero-day attacks happen more often than you may think
    Attacks can continue for months undetected
    Can be 1-3 week response time for patches once detected / reported; otherwise 6-12 months
  • Patched vulnerabilities are attacked quickly, and frequently
    Conficker: 30 days
    Gumblar: 5 days
  • Patch management! Quick patching is essential
    Does not work on zero-day attacks

Slide 14: The Next Chapter: The new decade of threats
  • Attacks can survive for years
  • Attacks change extremely frequently
    Server-side polymorphism: repack hosted malware, repack hosted scripts [Gumblar]
    Crimeware and source code: copy & paste bots, new versions
    Endless domains
    Creates tremendous volume

Slide 15: FortiGuard Labs – Security Research
  • 87 zero-days discovered since 2008, mostly critical
  • Oct 2010: 30+ outstanding in zero-day state
http://www.fortiguard.com/advisory/UpcomingAdvisory.html

Slide 16: Fighting Back: Strategic Defense
  • Standard security rules apply; often ignored
  • Layered security vs. growing attack surface
    Applicable to infection & post-infection
  • Education and training (RSS)
    Think before you link
    Use of JS, Flash (NoScript, PDF reader)
    Trust management (PGP, SSL)
  • Alternative software considerations: OS, browsers, doc readers, sandboxes
  • Access level lock-down (admin privileges)

Slide 17: Fighting Back: Layered Security vs. Growing Attack Surface
  • Intrusion Prevention: botnet C&C, zero-days & exploits
  • Application Control: malicious services, compromised Facebook applications
  • Webfiltering: botnet C&C, fast flux / malware hosting, SEO
  • Antispam: spambots & incoming campaigns
  • Antivirus: Trojans, bots, ransomware, etc.
  • Vulnerability Review: software used vs. alternatives

Slide 18.
