Versa - eEye Industry Newsletter
May 16, 2007
In This Issue
Tech Talk
Attackers Are Shifting Their Focus To Client-Side Vulnerabilities, Are You?
The attack surface for network-based attacks has been shrinking. Of the 38 zero-day vulnerabilities monitored by the eEye Research Zero-Day Tracker, only nine are network-based; the other 29 are client-side vulnerabilities.

This is not to say that network-based attacks are dead (Computer Associates' many recent remote SYSTEM vulnerabilities, for example), but they are not as common as they used to be. The attacker's primary target has shifted from remote network-based vulnerabilities to something much simpler: your client-side applications.

Client-side applications are the main form of productivity software within networks, so their install base tends to be very large. They also speak far more complicated "protocols" (that is, file formats) than most network services do. That leaves a lot of room for programmer error and gives attackers a very large attack surface in which to find vulnerabilities.

Fuzzing is especially useful to attackers for finding these vulnerabilities: a well-tuned fuzzer, downloaded or custom-developed, can rip apart a client-side application's file parser in the background over a matter of days and turn up quite a few interesting exceptions. In fact, in many of the malicious file-format samples eEye Research has seen, there is evidence within the file itself that the vulnerability was found by fuzzing.
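A minimal mutation fuzzer of the kind just described, added here as an example; it is not eEye's tool and not code from the original newsletter. The target is a constructed toy record parser standing in for a real file-format parser, and Python exceptions stand in for the access violations a native parser would raise. The harness shape is the real one: mutate a seed file, run the target, bucket the distinct failures by exception type and location, and keep one reproducing input per bucket.

```python
"""Added example: a minimal mutation fuzzer. The target is a constructed toy
record parser standing in for a client-side file-format parser; Python
exceptions stand in for the access violations a native parser would raise."""
import random
import struct
import traceback
from typing import Callable, Dict, Optional, Tuple


def parse_records(data: bytes) -> list:
    """Toy format: one count byte, then `count` records, each a 16-bit
    big-endian length followed by that many bytes. Like many real parsers it
    trusts the count and length fields: a count or length larger than the file
    reads past the end (struct.error), and a zero length divides by zero in the
    per-record checksum (ZeroDivisionError)."""
    count = data[0]
    pos = 1
    records = []
    for _ in range(count):
        (length,) = struct.unpack_from(">H", data, pos)
        pos += 2
        body = data[pos:pos + length]
        checksum = sum(body) % length        # bug: length == 0 never checked
        records.append((body, checksum))
        pos += length
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four classic byte-level mutations to a seed file."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "interesting", "truncate", "insert"))
        if op == "flip":                      # flip one bit
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "interesting":             # boundary values
            buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        elif op == "truncate" and len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]
        elif op == "insert":                  # splice in random bytes
            i = rng.randrange(len(buf) + 1)
            buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)


def exception_name(exc: BaseException) -> str:
    return f"{type(exc).__module__}.{type(exc).__name__}"


def fuzz(target: Callable[[bytes], object], seed: bytes, iterations: int,
         rng_seed: int = 1) -> Dict[Tuple[str, int], bytes]:
    """Run `target` over mutated inputs; bucket failures by exception type and
    the source line that raised it, keeping the first input for each bucket."""
    rng = random.Random(rng_seed)
    crashes: Dict[Tuple[str, int], bytes] = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((exception_name(exc), frame.lineno), sample)
    return crashes


def reproduce(target: Callable[[bytes], object], sample: bytes) -> Optional[str]:
    """Re-run one saved input; return the exception name it triggers, or None."""
    try:
        target(sample)
    except Exception as exc:
        return exception_name(exc)
    return None


def build_seed() -> bytes:
    """A well-formed seed file with three records (constructed input)."""
    recs = [b"alpha", b"beta", b"gamma"]
    return bytes([len(recs)]) + b"".join(struct.pack(">H", len(r)) + r for r in recs)


if __name__ == "__main__":
    for (name, line), sample in sorted(fuzz(parse_records, build_seed(), 5000).items()):
        print(f"{name} at line {line}: {sample.hex()}")
```

Against a real application the `target` call becomes "write the sample to disk, launch the viewer on it under a debugger, watch for an access violation", and the bucket key becomes the faulting address or stack hash rather than a Python line number; everything else stays the same.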

Once the attacker has identified an exploitable vulnerability within a client-side application, they now have a very powerful attack tool in their arsenal. Furthermore, the simplicity of finding these vulnerabilities makes it very easy for a good attacker to build up a large exploit database.

As many security architects know, their networks resemble what has been called "crustacean security": hard on the outside, squishy in the middle. Nearly all protection and security resources are directed at the perimeter, keeping the bad guy out with firewalls and network IPS. This methodology arose in the days when the main threat to a network was the notorious worm.

However, the squishy center is what attackers are really after. That center is the day-to-day workstations and internal-facing servers, systems considered "secure" because they sit on the internal network. They typically have only a COTS anti-virus product, which catches only known malware, by signature. That is hardly enough against an attacker with a large surface of client-side applications to choose from. What does anti-virus do with the custom payload of a targeted exploit? Nothing.

In the movies, getting inside meant physically breaking into the building or social-engineering a security guard. Many people do worry about the "internal threat" attacking these systems, but the mentality has always been "if the attacker is inside my network, it's already game over".

However, with large workforces spending much of the working day on the internet, attackers can exploit users' "internet ignorance" as the attack vector; a client-side vulnerability turns an attacker at an outside location into the "internal threat".

eEye Research has seen many recent real-world examples where client-side exploits are actually being leveraged to create a foothold in an environment to attack other network-based applications.


Example 1 – Resume.doc
An attacker wants to break into a targeted company's network to steal proprietary information. Attackers who specifically target a network are not your normal "script kiddies"; they are a very real threat.

The attacker reviews the target's website, looking for job postings. Once a posting is found that looks as though applications will be opened promptly (e.g. "Senior", "Lead", "Manager"), he or she sidesteps the "paste your resume as plain text in the box" form and e-mails the HR department directly (typically HR@targetcompany.xyz) with the job title in the subject line and the proper job description in the body.

The attacker then leverages a zero-day Microsoft Word exploit (there have been six public zero-day Word vulnerabilities since December 2006) to build a malicious resume.doc. Obviously such a document will be opened by the targeted HR department, since opening resumes is one of its main duties.

The exploit runs code in the context of the logged-in HR user and then, as part of its payload, uses the recent Windows DNS Server RPC zero-day vulnerability to attack the internal DNS server (which is commonly also an Active Directory domain controller).

The attacker has not only exploited a simple client-side vulnerability over an anonymous vector (e-mail) but has compromised the entire Active Directory, with one Word document.

How would common defenses stop this attack?

Well, network IPS systems would be clueless about the attack because of the complicated structure of Word documents. E-mail sanitization typically amounts to "is .doc an acceptable extension?", which in most environments is "yes", so the attachment passes through the mail gateway. The malicious document has now made its way to a desktop computer running a simple anti-virus solution.

Since this is a targeted attack, the custom payload is not in the signature database of the security software and is free to attack internal hosts. The DNS/AD server is easily identified (the workstation's own DNS settings point to it) and attacked over a direct connection with no in-line IPS, since the attacking host is on the same subnet and considered a "trusted source".

The AD/DNS server also has no IPS protection beyond the simple AV solution, because of the risk of host IPS interfering with mission-critical services. Thus, normal enterprise security solutions have been rendered useless against this type of attack.

The only way to protect against such an attack effectively is host-based, generic (non-signature) protection that blocks exploitation of the underlying vulnerability in Microsoft Word.
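Whatever blocks the Word exploit itself, the chain above also leaves host-side traces that do not depend on signatures or on the network path to the domain controller. The following is an added example, not part of the newsletter and not eEye's code: it replays constructed process-creation and network-connection events in a made-up key=value form (real endpoint telemetry carries the same fields), tracks the process tree, and flags the three things this scenario produces on the HR workstation. The domain-controller address 10.0.0.10, the user name and the file paths are all assumptions.

```python
"""Added example: host-side detection for the resume.doc chain. Events are
constructed in a made-up key=value form; the DC address is an assumption."""
import re
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
                    "regsvr32.exe", "mshta.exe", "powershell.exe"}
DOMAIN_CONTROLLERS = {"10.0.0.10"}   # assumed AD/DNS server for this network
DC_RPC_PORTS = {135, 445}            # RPC endpoint mapper and SMB (RPC over named pipes)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

Alert = Tuple[str, int, str]


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(lines: List[str]) -> List[Alert]:
    """Replay events in order, tracking the process tree, and alert when:
      office_spawn          a shell or script host starts underneath an
                            Office application;
      office_child_network  any process descended from an Office application
                            makes a network connection;
      office_to_dc_rpc      an Office application itself connects to a domain
                            controller's RPC/SMB ports (lower confidence: Word
                            can legitimately open a file from a DC share).
    """
    image: Dict[int, str] = {}
    parent: Dict[int, int] = {}
    alerts: List[Alert] = []

    def office_ancestor(pid: int) -> Optional[int]:
        seen = set()
        while pid in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
            if image.get(pid) in OFFICE_APPS:
                return pid
        return None

    for line in lines:
        ev = parse_event(line)
        pid = int(ev["pid"])
        if ev["event"] == "process_create":
            image[pid] = basename(ev["image"])
            parent[pid] = int(ev["ppid"])
            anc = office_ancestor(pid)
            if anc is not None and image[pid] in SUSPECT_CHILDREN:
                alerts.append(("office_spawn", pid,
                               f"{image[pid]} started under {image[anc]} (pid {anc})"))
        elif ev["event"] == "network_connect":
            img = image.get(pid, "unknown")
            dst, dport = ev["dst"], int(ev["dport"])
            if office_ancestor(pid) is not None:
                alerts.append(("office_child_network", pid, f"{img} -> {dst}:{dport}"))
            elif img in OFFICE_APPS and dst in DOMAIN_CONTROLLERS and dport in DC_RPC_PORTS:
                alerts.append(("office_to_dc_rpc", pid, f"{img} -> {dst}:{dport}"))
    return alerts


# Constructed telemetry from the HR workstation in Example 1.
SAMPLE_LOG = [
    'event=process_create pid=1200 ppid=800 image="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE" user=CORP\\hr_jane',
    'event=network_connect pid=1200 dst=10.0.0.20 dport=445 proto=tcp',       # file server: benign
    'event=process_create pid=1300 ppid=1200 image="C:\\WINDOWS\\system32\\cmd.exe" user=CORP\\hr_jane',
    'event=process_create pid=1320 ppid=1300 image="C:\\DOCUME~1\\hr_jane\\LOCALS~1\\Temp\\upd.exe" user=CORP\\hr_jane',
    'event=network_connect pid=1320 dst=10.0.0.10 dport=445 proto=tcp',       # dropped payload hits the DC
    'event=network_connect pid=1200 dst=10.0.0.10 dport=135 proto=tcp',       # shellcode inside Word itself
    'event=process_create pid=1500 ppid=800 image="C:\\Program Files\\Internet Explorer\\iexplore.exe" user=CORP\\hr_jane',
    'event=network_connect pid=1500 dst=10.0.0.10 dport=445 proto=tcp',       # not Office-related: no alert
]

if __name__ == "__main__":
    for kind, pid, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {kind:<22} pid={pid} {detail}")
```

The first two rules are near-zero-noise on an HR desktop and need no knowledge of the Word bug or the DNS bug; the third is deliberately separated so that it can be tuned (or dropped) per environment.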



Example 2 – Workstation Vendor ActiveX
An attacker has found a zero-day vulnerability in an ActiveX control that is installed by default on all workstations from a certain hardware vendor (example: eEye Advisory: IBM eGatherer ActiveX Code Execution Vulnerability). The attacker leverages this vulnerability on every website where he is able to host custom HTML.

Once the sites are online, the attacker starts sending links to targeted enterprise workers, trying to coax someone into opening one of the attacker-generated ActiveX exploit pages. If the link is opened and the vulnerable ActiveX control has not been removed or disabled on the victim's workstation, the attacker is now running code in the context of the logged-in user.

The attacker furthers the exploit impact by leveraging a privilege escalation vulnerability within Windows (example: eEye Advisory: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation), thus elevating his or her privileges to SYSTEM on the host.

The host is now completely rooted and can be used in any further attack against the enterprise network from inside the firewall. All of this from a seemingly friendly HTML page attacking an ActiveX control the user never knew was on the system.

Network-based IPS solutions will commonly be useless here as well, unless the IPS vendor already knew about the vulnerability in the ActiveX control, which by definition is not the case for a zero-day.

Furthermore, because of the advances in obfuscation of HTML-based exploits, many network IPS vendors will have a hard time blocking malicious traffic aimed at a vulnerable ActiveX control while still allowing legitimate traffic through.

As in the previous example, the only way to protect against such an attack effectively is host-based generic protection that blocks exploitation of the underlying vulnerability in the ActiveX control.
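Example 2 hinges on whether the vulnerable control "has been removed or disabled". The standard way to disable an ActiveX control for Internet Explorer without uninstalling it is the kill bit: a "Compatibility Flags" DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The following added example (not code from the newsletter or from eEye) renders a .reg file that sets the kill bit for a list of CLSIDs and audits a `reg export` of that key to confirm it is actually set. The all-zero and all-one CLSIDs are placeholders, not the identifiers of any real control, and the sample export is constructed; substitute the CLSID from the vendor advisory.

```python
"""Added example: set and audit the Internet Explorer kill bit for an ActiveX
control. CLSIDs here are placeholders (assumption), not real controls."""
import re
from typing import Dict, Iterable

KILLBIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
               r"\ActiveX Compatibility")
# On 64-bit Windows, 32-bit IE reads the same layout under SOFTWARE\Wow6432Node;
# set and audit both copies there.
KILL_BIT = 0x400  # Compatibility Flags bit that stops IE instantiating the control
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"  # assumption, not a real control

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)


def killbit_reg(clsids: Iterable[str]) -> str:
    """Render a .reg file that sets the kill bit for each CLSID; import it with
    `reg import` or distribute it through Group Policy."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines += [f"[{KILLBIT_KEY}\\{clsid.upper()}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\r\n".join(lines)


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Collect the dword values under each per-CLSID subkey of the kill-bit key
    from `reg export "<key>" out.reg` output (or from killbit_reg's output).
    A real export is UTF-16; read it with open(path, encoding="utf-16")."""
    values: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            parent, _, leaf = key.rpartition("\\")
            current = None
            if parent.upper() == KILLBIT_KEY.upper() and CLSID_RE.match(leaf):
                current = leaf.upper()
                values.setdefault(current, {})
        elif current is not None and "=dword:" in line:
            name, _, hexval = line.partition("=dword:")
            values[current][name.strip('"')] = int(hexval, 16)
    return values


def killbit_set(export_text: str, clsid: str) -> bool:
    """True if the export shows bit 0x400 set in Compatibility Flags for clsid."""
    flags = parse_reg_export(export_text).get(clsid.upper(), {}).get("Compatibility Flags", 0)
    return bool(flags & KILL_BIT)


# Constructed `reg export` output: one control killed, one merely registered.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{KILLBIT_KEY}\\{PLACEHOLDER_CLSID}]",
    '"Compatibility Flags"=dword:00000400',
    "",
    f"[{KILLBIT_KEY}\\{{11111111-1111-1111-1111-111111111111}}]",
    '"Compatibility Flags"=dword:00000000',
    "",
])

if __name__ == "__main__":
    print(killbit_reg([PLACEHOLDER_CLSID]))
    print("kill bit set:", killbit_set(SAMPLE_EXPORT, PLACEHOLDER_CLSID))
```

The audit matters as much as the .reg file: a control that is merely registered (flags 0) or whose key is absent altogether is still loadable, and the bit test tolerates vendors or policies that have combined 0x400 with other compatibility flags.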


Conclusion
These examples are not meant to render network-based IDS/IPS or anti-virus solutions useless; after all, they are part of the reason there are so few worm outbreaks today. However, anti-virus and perimeter security are not enough to keep a mildly dedicated attacker out of your network. Security architects must understand the new threat trends for their environment, how attackers have moved from the network level to the host level, and what types of protection are available to stop these attacks.
Source: Andre Protas, Research Engineer, eEye Digital Security
News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
Endpoint security is changing at a breathtaking pace. For more than a decade, signature-based antivirus was sufficient for most companies. A couple of years ago, spyware emerged as a business-level threat, and pure-play companies scrambled to bring centrally managed products to market, while traditional antivirus vendors played catch-up.  Full Article
Hackers who've gone legit show how even Windows Vista is prone to security breaches. PC security experts from eEye Digital in Aliso Viejo, CA demonstrate how.  Full Article
View reported data breaches where personal information such as Social Security numbers, account numbers, and driver's license numbers have been compromised.  Full Article
Leo Laporte and Steve Gibson speak with Marc Maiffret, co-founder of eEye Digital Security of Aliso Viejo, California. eEye has perhaps done more forensic and vulnerability testing research to increase the remote security of Windows than any other group, including Microsoft. They continue to find and report an amazing number of Windows security vulnerabilities.  Full Article
Reader Q&A
Q:  What are some of the other patch updates, besides Microsoft patches, that you would recommend people pay close attention to or make sure they are aware of?
A:  eEye Research strongly suggests that users enable the "check for updates automatically" feature found in many software products. For many Microsoft products, as well as those of other large vendors, this will alert users when a security patch is available. Do yourself a favor and apply the update promptly; this will mitigate many known vulnerabilities.

However, some software vendors' update features can give a false sense of security. For example, the Big Yellow worm was exploiting systems six months after the patch had been released. Many users thought they were secure because of Symantec's LiveUpdate mechanism; however, that only updated virus-signature files, not the vulnerable software itself, leaving users at risk from this vulnerability without their knowledge.

So, although the auto-update mechanism will serve you well in many cases, it still takes a proactive step to learn which vulnerabilities you are exposed to. Client-side vulnerability assessment tools help identify them for home users and SMBs, and full network vulnerability scanners serve enterprise networks.

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.
Announcements
In the first 45 days after eEye Digital Security announced its free edition of Blink® Personal Internet Security, more than 13,000 consumers have given the software a trial run, making it the most popular product download in company history. Blink Personal Internet Security includes anti-virus, anti-spyware, personal firewall, and host vulnerability assessment at no cost to consumers and home office users.  Full Article
eEye Digital Security® announced its expansion in new territories in which to market and sell its unified client security and vulnerability management solutions that have garnered the company recent accolades.  Full Article
Information is a vital resource for all businesses including agencies of State government. Learn how to adopt the latest security technologies by visiting eEye Booth 121.  Full Article
When it comes to your critical information, it's not a question of whether you are at risk but of when you will be compromised. Visit eEye Digital Security at booth 622 to learn how you can proactively secure your network: before, during and after attacks.  Full Article
Etcetera
eEye Research has seen some staggering results from the recent influx of Blink Personal/Neighborhood Watch users. This data is giving eEye Research distinct insight into host-based vulnerability and attack trends, which feeds enhanced protection back into Blink. Keep an eye on the eEye Research Portal http://research.eeye.com/ for future projects that have arisen from the mass use of Blink Personal, including Neighborhood Watch reports and attack trends.  More