Exploit in the Wild, Caught Red-Handed

Imagine a futuristic security technology that can stop any exploit at the exact moment of exploitation—regardless of the way the exploit was built, its evasion techniques or any mutation it might have or was possibly imagined to have. This technology is truly agnostic for any form of attack. An attack prevented with its attacker captured and caught red-handed at the exact point in time of the exploit…Sounds dreamy, no? For the guys at the stealth startup Morphisec it’s a daily reality. So, I decided to convince the team in the malware analysis lab to share some of their findings from today, and I have to brag about it a bit:)

 

Exploit Analysis

The target software is Adobe Flash and the vulnerability is CVE-2015-0359 (Flash up to 17.0.0.134). Today, the team got a fresh sample which was uploaded to Virus Total 21 Hours ago! From the moment we received it from Virus Total, the scan results showed that no security tool in the market detects it except for McAfee GW Edition—which generally identified its malicious activity.
Screen Shot 2015-04-28 at 5.56.23 PM

 

The guys at Morphisec love samples like these because they allows them to test their product against what is considered to be a zero-day—or at least an unknown attack. Within an hour, the identification of the CVE/vulnerability exploited by the attack and the method of exploitation were already clear.

 

Technical Analysis

Morphisec prevents the attack when it starts to look for the Flash Module address (which later would be used to find gadgets). The vulnerability allows the attacker to modify the size of a single array (out of many sequentially allocated arrays – size 0x3fe).

An array’s size 0x3fe (index [401]) is modified to size 0x40000001 to reflect the entire memory’s size. The first double word in this array points to a read-only section inside the Flash Module. Attacker uses this address as a start address for iteration dedicated for an MZ search (indicates the start of the library), each search iteration (MZ) is 64k long (after the read only pointer that was leaked is aligned to a 64k boundary).

After the attacker finds the MZ, it validates the signatures (NT) of the model, gets the code base pointer and size, and from that point, the attack searches gadgets in the code of the Flash module.

Screen Shot 2015-04-29 at 9.16.19 AM

Screen Shot 2015-04-29 at 9.03.31 AM

Screen Shot 2015-04-29 at 9.04.13 AM

 

Screen Shot 2015-04-29 at 9.07.39 AM

Morphisec’s technology not only stopped it on the first step of exploitation, it also identified the targeted vulnerability and the method of exploitation as part of its amazing real-time forensic capability. All of this was done instantly in memory on the binary level without any decompilation!

I imagine that pretty soon the other security products will add the signature of this sample to their database so it can properly be detected. Nevertheless, the situation remains that each new mutation of the same attack makes the common security arsenal “blind” to it—which is not very efficient. Gladly, Morphisec is changing this reality! I know that when a startup is still in stealth mode and there is no public information about such comparisons… it’s a bit “unfair” to the other technologies on the market, but still… I just had to mention it:)

 

P.S. Pretty soon we will start sharing more details about Morphisec technology—so stay tuned. Follow us via Twitter  @morphisec for more updates.
Like it? Share with your friends...Tweet about this on TwitterShare on LinkedInShare on RedditEmail this to someonePrint this pageShare on FacebookShare on Google+

Time to Re-think Vulnerabilities Disclosure

Public disclosure of vulnerabilities has always bothered me and I wasn’t able to put a finger on the reason until now. As a person whom has been involved personally in vulnerabilities disclosure I am highly appreciative for the contribution security researchers on awareness and it is very hard to imagine what would the world be  like without disclosures. Still the way attacks are being crafted today and their links to such disclosures got me into thinking whether we are doing it in the best way possible. So I twitted this and got a lot of “constructive feedback”:) from the team in the cyber labs at Ben-Gurion of how do I dare?

 

So I decided to build my argument right.

Vulnerabilities

The basic fact is that software has vulnerabilities. Software gets more and more complex within time and this complexity usually invites errors. Some of those errors can be abused by attackers in order to exploit the systems such software is running on. Vulnerabilities split to two groups, the ones which the vendor is aware of and the ones whom are unknown. And it is unknown how many unknowns are there inside each piece of code.

Disclosure

There are many companies, individuals and organisations which search for vulnerabilities in software and once they find such they disclose their findings. They disclose at least the mere existence of the vulnerability to the public and the vendor and many times even publish proof of concept code example which can be used to exploit the found vulnerabilities. Such disclosure serves two purposes:

  • Making users of the software aware to the problem as soon as possible
  • Making the vendor aware of the problem so it can create and send a fix to their users

After the vendor is aware to the problem then it is in their responsibility to notify the users formally and then to create an update for the software which fixes the bug.

Timelines

Past to Time of Disclosure – The unknown vulnerability waiting silently and eager to be discovered.

Time of Disclosure to Patch is Ready – Everyone know about the vulnerability, the good and the bad guys, and it is now on production systems waiting to be exploited by attackers.

Patch Ready to System is Fixed – Also during this time period the vulnerability is still there waiting to get exploited.

The following diagram demonstrates those timelines in relation to the ShellShock bug:

7-ways-to-stay-7-years-ahead-of-the-threat-5-638

Image taken from http://www.slideshare.net/ibmsecurity/7-ways-to-stay-7-years-ahead-of-the-threat

 

Summary

So indeed the disclosure process eventually ends with a fixed system but there is a long period of time where systems are vulnerable and attackers don’t need to work hard on uncovering new vulnerabilities since they have the disclosed one waiting for them.

I got into thinking about this after I saw this stats via Tripwire

“About half of the CVEs exploited in 2014 went from publish to pwn in less than a month” (DBIR, pg. 18).

This stats means that half of the exploits identified during 2014 were based on published CVEs (CVE is a public vulnerability database) and although some may argue that the attackers could have the same knowledge on those vulnerabilities before they were published I say it is far-fetched. If I was an attacker what would be easier for me than going over the recently published vulnerabilities and finding one that is suitable for my target and later on building an attack around it. Needless to say that there are tools which provide also examples for that such as Metasploit. Of the course the time window to operate is not infinite such as in the case of an unknown vulnerability which no one knows about but still a month or more is enough to get the job done.

Last Words

A new process of disclosure should be devised where the risk level during the time of disclosure up to the time a patch is ready and applied should be reduced. Otherwise we are all just helping the attackers while trying to save the world.

 

 

 

 

Like it? Share with your friends...Tweet about this on TwitterShare on LinkedInShare on RedditEmail this to someonePrint this pageShare on FacebookShare on Google+

Most cyber attacks start with an exploit – I know how to make them go away

Yet another new Ransomware with a new sophisticated approach http://blog.trendmicro.com/trendlabs-security-intelligence/crypvault-new-crypto-ransomware-encrypts-and-quarantines-files/

Pay attention that the key section in the description on the way it operates is “The malware arrives to affected systems via an email attachment. When users execute the attached malicious JavaScript file, it will download four files from its C&C server:”

When users execute the JavaScript files it means the JavaScript was loaded into the browser application and exploited the browser in order to get in and then start all the heavy lifting. The browser is vulnerable, software is vulnerable, it’s a given fact of an imperfect world.

I know a startup company, called Morphisec which is eliminating those exploits in a very surprising and efficient way. 

In general vulnerabilities are considered to be a chronic disease and this does not have to be this way. Some smart guys and girls are working on a cure:)

Remember, it all starts with the exploit.

    Like it? Share with your friends...Tweet about this on TwitterShare on LinkedInShare on RedditEmail this to someonePrint this pageShare on FacebookShare on Google+