Symantec DeepSight Threat Management System Analysis: Client-side Exploitation
Good day,
Symantec has made two reports available to the public, listed at
the end of this post. These documents describe instances of
client-side exploitation. At least one instance appears to
involve an attacker with criminal intent targeting an individual
at a financial institution.
I'm going to do something I almost never do (and try to
avoid), and that's deliver a frank soapbox rant. Before that,
I would like to acknowledge the work of the following individuals,
without whom, many of these threats would remain unknown
(apologies to any I've left out):
http-equiv
Liu Die Yu
Drew Copely & eEye
Jelmer
Georgi Guninski
GreyMagic Security
Dror Shalev
Thor Larholm
Roozbeh Afrasiabi
Andreas Sandblad
Marc Slemko
Client-side exploitation is nothing new. We have seen and
discussed the potential risk posed by Microsoft Internet
Explorer (and to a lesser extent, other client applications)
for some time. In fact, Symantec Internet Security Threat
Reports in the past have warned repeatedly of these issues
specifically as future threats.
There is really no surprise, though. It was only a matter of
time before attackers caught on. I've said this before -- it's
difficult for me to think of a better class of vulnerabilities:
no dependence on version or memory layout or any other such messy
factors, firewalls are totally irrelevant and VPNs become basically
a free ride in, the browser doesn't end up crashing (i.e. the
victim remains blissfully unaware that they've been owned)...
and there seems to be an endless supply of new tricks to use,
thanks to the labyrinthine complexity of components, subcomponents
and the genetically mutated Frankenstein* of an access control
mechanism that is supposed to hold it all together. Finally, to
top it all off, when a bug has been patched... you never know if
it has really been patched, because you're not even entirely
sure where or what the bug is. Often these vulnerabilities are
not single flaws, but combinations of bad behavior and weaknesses
put together. Fix one avenue of attack and it only takes the
discovery of another (usually code execution in Local Zone) to
recreate the original attack. Recall the longevity of "CODEBASE"
and other similar "non-vulnerabilities".
Part of the problem is that MSIE has the worst feature creep that I
have ever seen. This "thing" is now used as, fundamentally, an
interface presentation tool. The browser is used for anything and
everything you could possibly want it to: e-mail, applications,
file management, multimedia... and where the browser as an entire
application isn't used, the HTML rendering component often is.
I do my best to maintain an unbiased stance. I think that the
other browsers are probably just as bad, to the extent possible as
they are not as complex and integrated into the operating system
as MSIE. But this is the reality, folks.
Microsoft's effort so far to understand and fix these problems one
at a time is commendable. They are probably the best commercial
vendor for responding to and correcting security issues.
On the bright side, XP SP2 looks like it makes some desperately
needed changes. Let's hope a fundamental redesign is in the works
too, because that looks like the only solution to me.
Until then, try to make the most of your Interweb experience with
basically every option in the MSIE security settings set to
"Disable". Then again, why bother worrying about another
hole in IE, or anything else for that matter. The average home PC
is already beyond compromised with about 50 different individual
instances of malicious code and IRC bots and spyware all competing
with each other to log keystrokes, turn on your webcam and bind
backdoor servers to listening ports.
Cheers.
* e.g. tripping on "document" vs "Document"
--
The reports are available at:
http://tms.symantec.com/ClientSideExploitation.asp
Client-side Exploits: Forensic Analysis of a Compromised
Financial Services Laptop
This document details the forensic analysis of a machine
compromised through the use of a client-side vulnerability.
The evidence gathered in this analysis strongly suggests that
this client-side attack was used to specifically target a
financial institution, with the goal of retrieving the necessary
authentication credentials to escalate the initial attack to
further compromise other related systems. The analysis of
this compromise provides us with a real-world example of
targeted attacks against a specific company, in this case, a
company in the Financial Services sector using a client-side
attack vector. Although not new, the targeted exploitation of
client-side vulnerabilities has not seen extensive documentation
or analysis. This analysis aims to provide the reader with a
detailed description of an actual attack exploiting a client-side
vulnerability.
http://tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCompromise.pdf
Compromised IIS Server / Unpatched Internet Explorer
Vulnerability Exploitation Alert
The DeepSight Threat Analyst Team has become aware of various
public reports of Microsoft Internet Information Services (IIS)
servers being attacked and subsequently compromised. As a second
component of the compromise, a malicious JavaScript is hosted
on the infected IIS system and inserted into files served from
that system. This document contains information about the
vulnerabilities used and the subsequently deployed malcode, which
is not available elsewhere. The malicious JavaScript in question
is designed to compromise client systems through multiple known,
but unpatched vulnerabilities in Internet Explorer. The resulting
client-side infection includes, among other things, a keystroke
logger. The Threat Analyst Team has manually captured a sample of
the IE exploit, and resulting binary, in the DeepSight Honeynet
system. Further investigation of the exploit resulted in the
conclusions described below. UPDATE: This Threat Alert has been
updated to include additional information about the client side
exploits used in this attack. Additional information about other
associated files has also been added.
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf
--
David Mirza Ahmad
Symantec
PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12