Ten years later, Windows XP still dominates the Web

Discussion in 'other software & services' started by tgell, Jan 2, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If I had a complicated setup I probably wouldn't bother posting it either. Especially if other users couldn't benefit from it.
     
  2. guest

    guest Guest

    Anyways, by reading your posts, looks like you have a really big security setup covering pretty much all sides. Would be at least entertaining to see a gigantic post from you showing what you use in detail. And maybe the reasons behind the choices. I'm sure the link in your signature would get lots of clicks/visits, hahaha.

    For the fun, man, for the fun. Also, the post could teach some lessons.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, this is from your post #109, and I'll respond to your comments/questions.

    My interest is not in the malware per se, but in how an exploit is triggered to deliver the malware.

    Two things here.

    One, I don't surf porn, warez, keygen, pirated software and the like sites, so am not interested in exploits there (unless some really sensational exploit I've heard about which isn't too often).

    Second, researchers have pointed out that most exploits on those sites are social engineering ploys, which don't interest me at all. It's the remote code execution attack vector that I follow.

    Some words here about social engineering. Three years ago last month, acknowledged analyst (and Wilders member) Marco of Prevx made these comments before it was fashionable. (The sensational drive-by exploits made the most news).

    Is it necessary to add that it doesn't matter which OS (or version) the user is running? This was noted more than four years ago, when many people were still in denial:

    DNS changer Trojan for Mac (!) in the wild
    Published: 2007-11-01
    http://isc.sans.org/diary.html?storyid=3595

    A current trojan making the rounds is SpyEye, using social engineering tactics:

    Spy Eye Description
    http://www.spywareremove.com/removeSpyEye.html

    So, social engineering exploits are a separate category and require user education/training, no matter the OS brand or version.

    I'm not sure about the reference to a "cowboy," but again, what's the fun in knowingly letting malware execute? I have little interest in what malware does.

    More of interest for me is

    • looking at how an exploit triggers the loading of the malware and

    • how to defend against it
    Back in 2005 when I started looking at exploits carefully, the infamous WMF vulnerability was made into an exploit. ISC (Internet Storm Center) was the site to watch because their world-wide group of Handlers often caught an exploit and posted the URL:

    Windows WMF 0-day exploit in the wild
    Published: 2005-12-29
    http://isc.sans.edu/diary.html?storyid=972

    Now, this and other URLs were known for at least one day, before any AV put out a signature.

    Looking at the site revealed the remote execution code that triggered the exploit:

    Code:
    <iframe src="wmf_exp.wmf"></iframe>
    
    This was not the first use of the iframe tag for malicious purposes, and some at DSLR security forum noted that blocking iframes in the browser was protection against many types of exploits.

    Letting the exploit run showed that Default-Deny protection against non-whitelisted executables blocked the payload:

    [screenshot: wmf-dl_2.gif]

    Downloading ioo.exe and letting it run would just infect my computer and provide me nothing of value. But learning how the exploit was triggered was informative. I hope you can see the difference, from my point of view.

    I was able to handle and deal with the onslaught of sensational articles that appeared during that week, such as this one:

    WMF 0-day: Exploit spreads, defenses few
    Published: 2005-12-30
    http://www.securityfocus.com/brief/91
    Defenses few? Maybe, but there were some, and those home users that I was helping in those days were protected, despite the lack of a patch. (The patch appeared a week or so later: MS06-001.)

    I should add, that this exploit infected all versions of Windows at that time, not just the older versions.


    ----
    rich
     
    Last edited: Jan 7, 2012
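    The delivery pattern rich describes above (a page that pulls in a non-HTML file through an iframe and lets the browser hand it to whatever viewer is registered for that extension) can be hunted for in page source. The following is an added example written for this thread, not rich's code and not the WMF exploit itself; the extension list, the hidden-frame heuristic and the sample page are constructed assumptions:

```python
"""Added example for this thread (not rich's code or the WMF exploit): a small
scanner for the delivery pattern in his post, an <iframe> whose src is not a
web page but a file the browser hands off to a registered viewer (.wmf here).
The extension list and the sample HTML below are constructed assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import os

# File types a browser of that era would pass to a helper application or
# a registered viewer instead of rendering itself (assumed, illustrative).
RISKY_EXTS = {".wmf", ".emf", ".pdf", ".jar", ".exe", ".scr", ".hta"}
# Tags that pull a second resource into the page without any user action.
FRAME_TAGS = {"iframe", "frame", "embed", "object"}


def _is_hidden(attrs):
    """Heuristic: a 0x0 or invisible frame is a classic drive-by tell."""
    width = attrs.get("width", "").strip().removesuffix("px")
    height = attrs.get("height", "").strip().removesuffix("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (width in ("0", "1") or height in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


class FrameScanner(HTMLParser):
    """Collects frame-like tags whose target looks like a non-HTML file."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FRAME_TAGS:
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        src = a.get("src") or a.get("data")   # <object> uses data= instead of src=
        if not src:
            return
        ext = os.path.splitext(urlparse(src).path)[1].lower()
        reasons = []
        if ext in RISKY_EXTS:
            reasons.append("non-HTML resource " + ext)
        if _is_hidden(a):
            reasons.append("hidden frame")
        if reasons:
            self.findings.append({"tag": tag, "src": src,
                                  "line": self.getpos()[0], "reasons": reasons})


def scan_html(document):
    """Return a list of suspicious frame tags found in `document`."""
    parser = FrameScanner()
    parser.feed(document)
    parser.close()
    return parser.findings


# Constructed page: one frame mimicking the WMF drive-by, one legitimate
# frame, an <object> pulling a PDF, and a hidden but otherwise harmless frame.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our site</p>
<iframe src="wmf_exp.wmf" width="0" height="0"></iframe>
<iframe src="http://example.invalid/news.html"></iframe>
<object data="/files/report.pdf"></object>
<iframe src="http://example.invalid/ad.html" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"line {f['line']}: <{f['tag']} src={f['src']!r}> "
              + ", ".join(f["reasons"]))
```

    Which extensions belong in the list is exactly the file-association question the thread comes back to later: the frame only does damage if the browser has somewhere to send the file, so the list should mirror the viewers actually registered on the machine being protected.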
  4. wat0114

    wat0114 Guest

    @Rmus,

    great post again!

    :thumb: It's also good to see how some like Cloneranger prove that XP can be bolstered to defend against all the supposed evil, ninja-leaping, service-impaling threats out there.
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Although I'm no longer using XP at the moment, I acknowledge the fact that there are ways to maintain Windows XP in terms of its security aspects...that's up to the individual to decide the approach taken.

    Admittedly, newer and improved technology makes it harder for the bad guys and that is indeed a pro argument to having/using the most current OS. It's 1 of those reasons why I'm using Windows 7...

    However, that aside, what's the point in comparing the security of an older OS vs a newer one if the person behind the keyboard suffers from Stupid User Syndrome or Stupid Administrator Syndrome? Not to mention that the new code may bring in new vulnerabilities that may not be existent in the prior OS. It all boils down to 1 thing: yes I do believe that a user using newer OS would be more secure by default now but the arms race still continues...do tell me when it stops (well, it's 2012 btw :p)

    If you ask me, security is not just having the right policy and/or using the latest technology...it also involves the human element such as adapting to different environments and accepting risks...

    As Bruce Schneier simply puts it...
    "Security is both a feeling and a reality. And they're not the same."

    The Psychology of Security:
    http://www.schneier.com/essay-155.html
     
  6. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    The bolded portion sums it all. Even with the dreaded zero day kernel exploit like Duqu or another LNK exploit like in Stuxnet. If the malware's drivers or malicious dll won't load, it is nothing. Or as long as the malicious hackers can't have a return command shell, it will mean nothing. Even with an unpatched system and oldapps full of holes as long as one has layered security like sandboxes, firewalls, etc.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    And we definitely disagree here. Or rather, the human element being considered part of security is the biggest issue with security right now.

    This is a great quote though. There's feeling secure, there's playing the odds, there's hoping for the best, there's stacking on whatever you can find... and then there's actually being secure.
     
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    VirtualAlloc() can load your shellcode. Shellcode tries to return a command shell, download and execute a payload, load a driver or a malicious dll. Layered security can stop those. Only memory protections can stop shellcode from executing.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That brings back some memories. This exploit showed up when I was beta testing SSM and evaluating its ability to protect my system without help from an AV. At the time, I'd captured a variant of the exploit that none of the AVs recognized, which basically sealed my opinion of AVs.

    The one that really got my attention was in late 2007, the PDF 0-day. It showed the value of isolating attack surface apps (like the PDF reader) from other user apps and OS components by restricting interprocess messaging, parent-child permissions, and de-integrating the user apps from each other. Even with SSM restricting the interprocess messaging and parent-child permissions, it was not able to defend against the exploit if I opened the PDF in the browser. Saved to disk and opened directly with the PDF reader, the exploit was stopped there.

    Regarding the "stupid user syndrome", if the security policy doesn't include the user, it will fail. The only thing I know that defends against the stupid user syndrome, those who never seem to learn anything is to take away their ability to make system altering decisions. When stupid user syndrome is also stupid administrator syndrome, there's no real options left short of disabling the PC or cutting off the power.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    WMF testing etc. Ahh those were the days ;) 98SE wasn't vulnerable :)

    Yes CloneRanger has NO patches :D

    How on earth could i, or people in my position, become a target ? Something/s would need to get in first. Even if it/they did a reboot will eliminate Everything :)

    As above ?
     
  11. BrandiCandi

    BrandiCandi Guest

    Thanks for the reply, Rmus. I'm not looking to pick a fight at all, I hope you're not taking it that way. I think I understand where you're coming from. So you want to know how it gets into a machine in the first place, you don't care what it was intended to do. You're focused on the delivery (excluding social engineering) rather than the execution. Is that right? I get that- you want to block those entry points. This makes sense.

    I think you and I are ultimately interested in the same thing, but we're just coming at it from different angles. The way I want to defend against malware is to understand what the malware does on a code level, what its doing when it executes. If you parse malware like it's in a blender, eventually you'll get common themes.

    Bad stuff:
    • sends data to a stack and then calls the stack
    • calls another application or website.
    • injects itself into other processes
    • schedules tasks
    • has processes that write or delete files
    • escalates privileges
    • generates network traffic

    So I can defend against that stuff by preventing these basic things. I'm still learning so I can't address how to stop each bad thing individually (that's why I was interested in what you were doing). But I know that the following things can severely limit these bad processes in a general sense:
    • limit what applications can do (Apparmor & MAC)
    • sandboxing prevents calling other apps & permanent writing/deleting
    • limit privileges for users
    • watch logs & set alarms for suspicious network traffic
    • run a fine-grained firewall (e.g. so an app can't open a port)
    • use an AV & keep it updated
    • keep my OS updated

    And to answer your question "What's the fun in knowingly letting malware execute?" In my case, the fun would be to see what the malware was going to do (in a sandbox of course). See if it was a pdf that was going to call an excel spreadsheet. Why would a pdf need to do that? So now I will create a rule that won't allow one app to call any other app unless it gets my explicit approval. So I just protected myself from this particular malware as well as a huge range of potential malware, both currently existing and not yet written.

    Good grief, again I'm rambling on about things completely unrelated to XP. Rmus, I'd be interested to hear what progress you've made, but maybe not in this thread. In fact I'll bet you've discussed it elsewhere previously- maybe you can point me to it.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    They originally tried to say it was and used the threat of this remaining unpatched to try to get people to "upgrade".
    http://isc.sans.edu/diary.html?date=2006-01-01
    Same old thing. A cross between an urban myth and a bad joke. Using thread injection attacks as an example, it's of no value to try to inject data or commands into the threads of system services when those services don't exist on a specific OS. Not much point in testing if 98SE is vulnerable when the intended target of the attack isn't there. It isn't hard to come up with similar examples for every previous version of Windows from 98FE thru XP-SP3.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are welcome!

    Well, you are much more "into" this stuff than I am; much of what you write is over my head!

    From my point of view, malware delivery methods (attack vectors) haven't changed in a number of years, hence, I've gotten a bit bored, and have done very little testing. The same types of exploits are just packaged into kits, making it easier to infect vulnerable systems via web page code.


    ----
    rich
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes and No.

    I thought the same about Win2K until it finally became clear that the exploit targeted a graphics DLL which needed to be called by an imaging program.

    When I went to that web site with the WMF exploit embedded, it did not work on my Win2K system because I did not have the .wmf file extension associated with anything. If I opened the WMF file directly in my IrfanView program, the exploit ran. In this one, the WMF file attempted to call out to a malicious server to download malware:

    [screenshot: wmf-xsplad-irfanview.gif]

    Some at DSLR showed the same thing with Win 95/98 using a PoC.

    Now, Win XP had its own built-in viewer, Windows Picture and Fax Viewer with .wmf as one of the file extensions associated with it.
    Hence, the web page code automatically called the Viewer:

    [screenshot: Windows Picture and Fax Viewer opened by the web page]


    So, there were two attack vectors:

    • encountering a booby-trapped web site

    • being tricked into manually opening a malicious WMF file in an image viewer

    You can argue whether or not this exploit targeted the OS, or software running within the OS.


    ----
    rich
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's interesting. I had 4 variants of the actual exploit that failed to function on 98. I also opened them manually in IrfanView and that didn't happen. Perhaps that behavior was limited to the POC.

    Either way, it's a good argument for keeping a firewall that controls outbound traffic on a per process level, like the one you and I both use.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If so, another reason I don't like POCs

    Yes. Firewalls that control outbound traffic also alert to both PDF and JAVA exploits that call out for the payload:

    [screenshot: firewall alert on PDF exploit calling out]

    [screenshot: firewall alert on Java exploit calling out]

    It's pretty evident that with properly configured browsers and firewalls, many exploits don't even get a chance to deliver the payload.

    This was a lesson for Microsoft in the early years of Windows XP. With Windows XP through SP1, firewall protection was not enabled by default. After the arrival of the Blaster Worm, Microsoft enabled the firewall beginning with SP2.

    From a blog after the MS08-067 patch (the vulnerability that Conficker exploited one month later):

    MS08-067 and the SDL
    http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
    And so, during the period when Windows XP SP1 was the latest and greatest, it was no guarantee that it could not be exploited.

    However, anyone with a properly configured firewall would be protected, no matter the OS:

    [screenshot: kerio_portsblock2.gif]


    ----
    rich
     
    Last edited: Jan 8, 2012
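    Two rules recur in the thread: BrandiCandi's "no app may call another app unless I explicitly approve it", and the per-process outbound firewall rich and noone_particular both rely on to catch the payload download. Both are instances of one default-deny policy over process events, shown below as an added example written for this thread. It is not code from any poster or product; the event log, process names and allowlists are constructed, and the approval prompt is a plain callback standing in for the firewall's "ask" dialog:

```python
"""Added example for this thread (not code from BrandiCandi or rich): a
default-deny policy engine over two kinds of event they discuss, one process
launching another and a process opening an outbound connection. Anything not
on an allowlist is denied unless a human approves it, and the approval is
remembered. Process names, rules and the sample log are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    kind: str      # "spawn" (process -> child image) or "connect" (process -> host:port)
    process: str
    target: str
    line: int      # line number in the log, for reporting


def parse_log(text):
    """Parse constructed lines of the form 'spawn parent.exe -> child.exe'."""
    events = []
    for n, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        kind, rest = raw.split(None, 1)
        process, target = (s.strip() for s in rest.split("->", 1))
        events.append(Event(kind, process, target, n))
    return events


@dataclass
class Policy:
    allowed_spawns: set            # (parent, child) pairs that may happen silently
    allowed_outbound: set          # processes permitted to talk out at all
    ask: Optional[Callable[[Event], bool]] = None   # the "ask me" prompt
    approved: set = field(default_factory=set)     # answers remembered for the session

    def decide(self, ev):
        """Return (verdict, reason). The default, reached by falling through, is deny."""
        if ev.kind == "spawn":
            key = (ev.process, ev.target)
            if key in self.allowed_spawns:
                return "allow", "parent/child pair on allowlist"
        elif ev.kind == "connect":
            key = (ev.process, "*")          # one approval covers any destination
            if ev.process in self.allowed_outbound:
                return "allow", "process permitted outbound"
        else:
            return "deny", f"unknown event kind {ev.kind!r}"
        if key in self.approved:
            return "allow", "previously approved"
        if self.ask is not None and self.ask(ev):
            self.approved.add(key)
            return "allow", "approved at prompt"
        return "deny", "not on allowlist"


def evaluate(policy, events):
    """Run every event through the policy; returns (event, verdict, reason) triples."""
    return [(ev, *policy.decide(ev)) for ev in events]


# Constructed telemetry: a browser launched from the shell, the browser
# spawning a command shell, a PDF reader launching Excel (twice), and two
# outbound connections, one from the browser and one from the PDF reader.
SAMPLE_LOG = """\
spawn explorer.exe -> iexplore.exe
spawn iexplore.exe -> cmd.exe
spawn AcroRd32.exe -> excel.exe
connect iexplore.exe -> example.invalid:80
connect AcroRd32.exe -> 203.0.113.7:8080
spawn AcroRd32.exe -> excel.exe
"""

DEFAULT_POLICY = Policy(
    allowed_spawns={("explorer.exe", "iexplore.exe"), ("explorer.exe", "AcroRd32.exe")},
    allowed_outbound={"iexplore.exe"},
)

if __name__ == "__main__":
    for ev, verdict, reason in evaluate(DEFAULT_POLICY, parse_log(SAMPLE_LOG)):
        print(f"line {ev.line}: {verdict:5} {ev.kind} {ev.process} -> {ev.target} ({reason})")
```

    With no prompt wired in, the engine behaves like the default-deny anti-executable in rich's WMF screenshot: the browser may be launched and may talk out, everything else is refused, including the PDF reader's call-out for a payload. Wiring in a prompt that remembers answers gives the "ask for every outbound attempt" behaviour CloneRanger describes for his ZA setup.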
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I wasn't sure if I wanted to reply to this. Most here know what I use and some of my reasons for it, and most will completely disagree with my choices. It's not that I really care or would change my mind. Just don't want to hear the same old rhetoric all over again from an entirely new group of people. All it would do is hijack the thread and start the old vs new arguments all over again.
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I was one of them & on here ;) I tested Every POC available, plus lots of Real WMF exploits, & not one succeeded to my knowledge. Amongst other Apps, at the time i was using Winsonar :thumb: as my AntiExe, which proved itself time & time again against All sorts of nasties. Also my ZA FW was set up to ask for Every outbound attempt, as it is now :)

    See below.

    I had, & still have, XnView as my default viewer, & the POC's & nasties didn't work with it :)
     
  19. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Old vs. New - Gotta love it!

    I'm still running Windows SP2, guess that means I'm even more of a target.
    This will be the year that my luck runs out, I just know it! :rolleyes:
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Saying you're just as secure on XP as you are on 7 is like me going a year on a raw XP machine unpatched with old java and flash player and not getting infected and declaring that policy and technology are useless security measures.
     
  21. guest

    guest Guest

    There's no Windows SP2 , :argh:
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Sure gets some peeps fired up :D

    Me too :p

    Not if you're nice n secure it doesn't :)

    Don't be so negative ;)

    I would have more than GeSWall though !
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, there was no consistency.

    Search for:

    WMF Win98

    and you will find opposing views as to the vulnerability!


    ----
    rich
     
  24. guest

    guest Guest

    And what is "Windows SP2"? Is it Windows XP with Service Pack 2 installed? And what is the reason for not using, at least, Windows XP with Service Pack 3 and latest security updates instead of a vulnerable copy of Windows XP with old Service Pack 2?
     
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Originally Posted by guest

    It was Boost who said it, but i knew what he meant ;)

    Yes, XP/SP2

    First off, i read ALL sorts of problems some people were having with it, & i could do without that. Next i like to do things my way, not because MS or someone else says i should. Also it's extra bloat i can live without. Plus with my setup i've proved time n time again it's Extremely secure, so i don't need it.

    I've Never said others should follow my example, but i'm not afraid to talk about how safe/secure people can be Without patches ;)
     