How would you get infected?

Discussion in 'other security issues & news' started by Hungry Man, Apr 17, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You either put your trust in the words in the article or the users here telling you otherwise. That simple.

    It's a shame that MS words so poorly, but it's nothing we don't see across the board on all operating systems.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    If you guys are right, and you might be, then that implies the MS folks in charge of writing the kb's are incompetent. Is it not possible there are IT administrators in charge of large businesses who decide which patches are applied based on the statements, including mitigating factors, in those kb's?

    Another question: should IT admins seek patch information from MS kb's or from Wilders Security members?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They're not incompetent.

    1) It's not hard to see the motivation behind making exploits sound harder to pull off than they are. Again, we see this on Linux too.

    2) *IF the exploit is the only thing an attacker has* they require login credentials. If we look at that exploit as an isolated exploit, they need login credentials. HOWEVER, that does not mean that they can't do the same exact thing with RCE, it only, unfortunately, implies it through poor wording.

    I have no interest in IT, but I'm not even in that field and I know enough to determine what a patch does without either of those sources. I would hope (though I don't assume) that anyone in this field with any competency is used to this type of wording, and knows what "kernel exploit" means regardless.

    I say I don't assume because incompetence is rampant in every industry.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Okay fair enough, but then the articles should clearly state the exploits could be pulled off with RCE as well. Taken literally, they imply only local login credentials are required, even in the "mitigating factors" Vulnerability information.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, they should. But they don't. It's a shame.
     
  6. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    So it seems it's not trivial to bypass SRP after all. If you have the right tools specifically developed for abusing certain classes of unpatched vulnerabilities, yeah I can see the abuse happening.

    And I'm repeating myself; if it were that trivial to bypass SRP /applocker/AE, wouldn't we have seen at least some statistics or incident reports indicating these attacks are real threats and not only poc?

    It is also interesting to note what security concepts we adhere to when attempting to protect our systems. Some are satisfied protecting themselves with yesterday's technology (AV) but that still works well for the majority. Some need the extra protection against current exploits and perhaps tomorrow's exploits. Some, very few, prefer looking far into the future and hoping to set up their systems to be protected against attacks that are very specific and need a whole lot of dedication to get through with. As long as any of above protects you, and if it works for you, it's not fair to imply this or that setup sucks or is weak, offers 0 protection etc.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh yes, I agree about scientists, etc.

    But, since this is about ifs, what if during the time you've (not just you, but everyone) been discussing all the ifs you could think about, someone hacked into your system, and you got no freaking clue? What if that was done by a very skilled hacker? What if during the time I took to write this post I got hacked? I wonder if I will ever know I was hacked?

    Just too many ifs to think about... :argh: Which is why I brought something easier: Infect my system, when I use my profile to access WSF. :D Which would then bring us to another if... :argh:

    It's just like discussing things like SRP/AppLocker all over again, which has been done before... what if the malware author only wants to run malicious code in an already running process, but not put it in hdd? What if despite all security measures in place, I fall for a phishing scheme that just looked so legit? Damn... PhishTank should have protected me... if such bogus domain were on their database... lol I mean, should we also discuss how we'd fall for such fraudulent schemes as well? We can fall for them... if we believe them... ;)
     
  8. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    It IS trivial to bypass SRP on any system other than 7/2008 with that fix applied, using function parameters that are right there and make it as easy as can be. Why malware is too stupid to use them (since literally no extra effort at all), I don't know... Probably because hardly anyone, overall, is using SRP/AppLocker, or at least not in a way that interferes enough for attackers to care. *shrug*


    But anyway, really none of that has anything to do with EoP vulnerabilities, since that elevation can easily occur (if said fixes aren't applied) in just a bit of shellcode -- I don't mean the complicated "load a DLL from memory," no, just the initial shellcode from some remote exploit in browser, etc. No possible involvement of SRP at all, period. And once that happens, SRP and everything is moot.

    And if there was anything involving SRP/AppLocker bypasses, that's all strictly user-mode stuff, which can still be stopped by other measures/software, contained by a sandbox, etc., so it's not much to worry about anyway. I don't see how anything user-mode could do anything permanently to my system. SRP, even if it can be bypassed is simply an effective thing to stop stuff FIRST.

    The most important thing is that nothing is effective against EoP exploits, so it's critical that those patches are installed. Maybe even more so than RCE fixes in programs -- I could allow THAT stuff to be exploited all day long, whatever it does that EMET/SRP/dropped-rights doesn't stop, Sandboxie will contain. No real harm at all (other than possible information-stealing from stuff that can be read).


    I can't believe that supposedly security-conscious people like Sully (!!) don't install Windows updates. Truly unbelievable! I wonder if that also includes (excludes) kernel RCE ones like font and graphics parsing...
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I notice Shellcode is getting mentioned often in this thread. FWIW (I think some people are not going to like this source), the latest MS Security Intelligence report v14 shows it to be one of the lowest reported exploits in 2013. You can check v13 and see similar results - very low report incidence.

    Is this trend going to continue or is there the belief that this exploit type is going to escalate in the near future? Currently, if one takes the report as gospel, it looks to be of little concern, especially compared to HTML/Javascript exploits.

    ~ Removed Copyrighted Image ~
     
    Last edited by a moderator: Apr 21, 2013
  10. Not sure how they're categorizing things there exactly? Anyway HTML and JS exploits can usually be used to inject shellcode, as can any memory based attack. See the definition: https://en.wikipedia.org/wiki/Shellcode

    If I can exploit a Javascript engine vulnerability in e.g. Chrome, I can make it execute stuff. Whether said stuff is in a separate file doesn't really matter.

    I suspect that they're classing shellcode separately because it's not usually used, as opposed to not being usable.
     
  11. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Replace each mention of "shellcode" in this thread with "exploit."


    That is all. :)


    I said how basically every exploit IS shellcode... In documents/HTML/JS/Flash/Java, what do you think they're "specially crafting" to corrupt memory and set up the exploit? :rolleyes:


    Don't get the Shellcode and especially Heapspray on the MS report... A "Heapspray exploit?" Heapspray is a technique that any sort of exploit could use to increase probability of success...
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I'm not sure either how MS categorizes shellcode, because the Wiki shows there are several types, including the "Download and execute" (drive-by downloads), and the report even mentions the prevalence of drive-by exploits used by Blacole kit, the most common exploit detected in second half of 2012, so really it stands to reason that should place shellcode a lot higher on that graph.

    We posted a minute apart. It must be the way MS views shellcode, I suppose, a differing opinion on what it is and how often it's used.
     
  13. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Ok. Anyhoo, IMO SRP is underrated and often unnecessarily frowned upon. It may not divert a directed attack (that could be trivial depending on your system status, attacker's tools, other available vuln or special MS "features" built into applocker/srp etc) but it, and together with other protection layers you have, will be quite effective.
    Not bulletproof or magical but it works well for now. And yeah, if you have a zero day in your kernel that's actively being exploited, protective measures such as hips, sandboxing, srp, uac, lua, av etc won't matter much.

    I think this is often getting lost in these are-srp-good-enough discussions - SRP should be just another layer in your security setup. It's not like anyone here is saying SRP is the single best solution against all kinds of attacks.
     
    Last edited: Apr 21, 2013
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yep, no updates that are not in sp1 for windows 7. On xp I used sp2 and a few choice ones after that. They are always slipstreamed into a source disc and installed, never after the install.

    Unbelievable? No. There is nothing to not believe. I have no virus, no trojan, no rootkit. I also have no AV, no HIPS, no scanner of any kind. Why is it so hard for you to believe that?

    I've already been down that road of worrying about computer security. I spent many years making sure I was in control of things - what may run or not, what may communicate or not. I got tired of all the work required to be so damn safe, so I experimented with alternatives. At any given point in time I can put my system through a set of scans or checks and come up clean. So if I can do that, why should I bother with "keeping up with the joneses"?

    I maintain that most people need the updates, but even with them they will still get infected with something, while I will have no updates, no security tools other than what the OS offers and Sandboxie/Chrome, and I will not be infected.

    But, to be fair, the difference is that I know how to fix things if it ever does happen AND I make sure I have nothing of importance to steal or lose. Most people seem to put their entire life on electronic devices. I simply don't trust them, at all, because it doesn't matter if you are unpatched or patched, there is no way to stop exploits 100%.

    I fixed a computer last night, win7, that had emet (3.5 I think) and was up to date. IE10 was the browser. I am sure other than emet everything else was default. It also had MSE on it. You know, the typical win7 setup. UAC at defaults. It had a nasty rootkit/trojan. It was the first time I had to use mbam chameleon actually, it was so pesky. I was going to remove it manually, but did not bring my thumb drive with me (my own anti-virus lol). But after a good while, I was able to get it removed.

    The way I look at things, why would I want to be like that, all up to date using the latest and greatest, only to have to deal with viruses/etc? If a brand new up to date machine, used by someone who isn't a noob still gets infected, then I think I will continue to be the "odd duck" and continue to remain problem free ;)

    Sul.

    EDIT: But I do spend a large amount of time learning and implementing things for squid and squid guard on my pfsense router. I have 3 kids that use the internet and I take their security very seriously, although it's a different form of security.
     
    Last edited: Apr 21, 2013
  15. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    HOW did it get infected? (Default UAC auto-elevation bypass...?) Should never happen on my systems... unless I ran an unsafe downloaded file, etc. as admin, which is not going to happen.

    Oh I know what you mean... I've never wanted to use any of that security software stuff that could slow things down or cause other issues. Always ran everything as admin, but updated, and never had much of a problem -- couple times since 2005, some "annoy-ware" got in, but it was amazingly trivial to remove by hand. But I didn't want any more of that, but still did NOT want any security software. Then I found out about dropped rights after so many years. I also do NOT want a non-Admin account, and UAC sucks for usability (and for making desktop programs that need to do admin stuff), so I hope I can fix that for when I move off XP.

    No problems after dropped rights (still updating of course), and then later I found and added Sandboxie since dropped rights helps tremendously, but can't protect other attack vectors like SBIE (of course you know this :)). I'm OK with Sandboxie, because it's TINY and light, open-able to make programs work as if it's not there, and doesn't mess with other stuff on the system that's not run in it.

    I thought I was going to say something else... feel like I just stopped now, haha. But I have to go eat. Anyway, I shun all security software that has any performance or usability impact, so it's just built-in Windows features and Sandboxie for me. Should be bulletproof. Don't expect anything can happen (that can't be wiped from sandbox), short of unpatched kernel exploits...


    Of course if that system you fixed had Sandboxie, they could have fixed it themselves by deleting sandbox contents, I assume. :)

    P.S. I don't have any updates on Win 7 SP1 system either... but only because it's just connected to the TV, and not getting random stuff online.

    You have missed some absolutely critical remote kernel exploits since SP1. And I certainly hope you aren't using IE.
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Not entirely sure. User reports they don't recall UAC popping up. Lived in appdata/temp directory. Likely a userland drive-by that was harmless UNTIL the user clicked something. It was quite sophisticated at first, displaying the old XP control center which so many users have seen. After it hit payload, which I presume was after the user saw the control center gui, it then got into a typical "antivirus platinum 2012" look, where it said it was scanning and you are infected, picking probably MRU entries so the user thought their programs were screwed. This user doesn't normally have problems and does realize the issues, so he called me and we tried a couple easy solutions over the phone, but in the end it required me to fix it. It's one of the few I can recall that hooked into the OS in safe mode very well. Without my tools I could only use mbam chameleon, which worked great.

    That was an issue with me. At first I did not mind the slower feel and the prompts for everything under the sun. But eventually when I was only allowing things that were legitimate and very rarely anything questionable, I got tired of securing nothing.

    If I was a normal user, I would use LUA/SUA and UAC. But I am not normal as I mess with things way too much that require admin. I play games, research or experiment, and experiment is usually breaking something to see why it broke. I think user rights are great for most people, just not for what I do.

    I messed with it some. Then, being me, decided I would do something more in-depth, so started messing around with policies quite in-depth. I had Easter (who isn't around often these days), who is a real security nut in the purest sense, try some of it out. Results were kinda neat, but it was super geeky to implement, and not easy to maintain. But it did teach me a great deal about the OS and how the rights for objects/containers and users are built, and why things are the way they are. Not a failed attempt by any means, but too involved. I really liked SRP on XP (and vista I guess but I dislike vista) with the "basic user" tweak. It allowed a lot of creative ways to harden things. I don't mind srp v2 (applocker) but it's not the same really.

    Dropped rights in SBIE confused me for awhile because I wasn't clear on just what it was doing, or supposed to do. I had a few hard-headed threads about that because I was so focused on the technical nature of how the OS handles or implements reducing rights. It caused me to take a good in-depth look at Sandboxie which turned out to be a very good thing. I've done so much more with it since then, although usually in an off-the-wall manner. I find I do lots of things like that not because I try to be different or refuse to conform to the "rules" but because my curiosity gets the better of me and once I start to understand I keep asking "why" and "what happens if".

    I shun things that either require a lot of baby sitting and hand holding to keep working or cause a perceptible slow down in performance. Technical things aside, I think that a great program with a horrible interface is no better than a mediocre program with a great interface. Firewalls are a great example of that IMO. Some might be "better" than others, but when you don't use it to its potential because of the interface design, what's the point? Might as well use one that you want to use because it "agrees with you".

    The ironic part is that I had put SBIE on it a couple months ago. The user occasionally started the browser in the sandbox, but usually not. I explained it, in much more detail this time, and they have "seen the light" it seems. Time will tell if they backslide or not. This user is pretty good about listening overall, so we shall see. But yes, I am confident that the problem could have been avoided if they were using it. Sandboxie can certainly be circumvented, but I haven't seen it yet, so until that happens I will make the most of it when I can :)

    Of that I have no doubt. It's a double edged sword for me. I basically quit following it all to that degree a few years ago. Not that I don't have an interest, just that with my family I have too many interests and that is one that is not a priority any longer, probably because I remain so problem free. I am certainly not against being up to date, but I don't think, IF you know what you are doing, you MUST be.

    Now let's take a moment to quantify my last statement. You most likely see it from a black and white perspective. There are exploits/flaws, and there are fixes for the exploits/flaws. If you don't apply the fix, then you have the exploit and it is a matter of time before you become another victim.

    I would agree with that.

    But what you may not include into the equation, but that I do (heavily too) is that much of your risk is based on behaviour and situations. For example, if you have nothing on your machine that is valuable, and you get infected, what is your risk? It is naturally quite low because other than the inconvenience of having to reinstall or reimage, you have lost or exposed nothing. And behaviour plays a large role as well. What you use and what you do. I will freely admit that a large portion of the reason I don't have problems is that I just don't do a lot of things that others might. I am very particular about anything banking related, actually quite anal about my methods in that respect. But aside from that sort of thing, I don't go anywhere I don't know or would question without some form of assurance. Such as using a VM or SBIE. I never, literally never, use IE or FF. I use chrome or sometimes opera, used to use Kmeleon. I don't use the same programs many use. I like to be "obscure" in what I use, where I go and my approach.

    But it doesn't stop there. I put a lot of thought into how I can use my computer every day without being patched or without using security tools, or even being admin. I make use of Integrity Levels and other OS features. I try to be creative with my setup knowing what I will do and won't do. I truly do believe that if you know enough about yourself and the threats you will likely face, there are many creative ways you can minimize what may happen, without having a HIPS or firewall or even updates.

    But that's just me. It's been working for a good while now, and I see no reason to change until I am bitten. And one bite in 5 years would not constitute, for me, a reason to change. It would have to be repeat offences to get my attention. It's just too easy for me to handle the situations otherwise. If everyone spent hours and hours devising their images and installs, where they save data to, how they save it, how to "recover" from worst case scenarios and stuff as much as I have, they would likely have that same feeling I do. I am prepared for the worst. It's quite nice actually now, just doing what I want without the constant "reconfiguring" of my security all the time or the worrying that might go with it, fretting that the newest exploit could cause me problems. What problems? Oh, a reinstall? 10 minutes and I am back in business.

    It's all perspective. Black and white facts are great. But there is much more if you want there to be :)

    Sul.
     
  17. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    And that is exactly what I will attempt to bring back on Windows 7(+?)! (Before next year, since nobody else has.) The Basic/Normal User is what I use on XP.

    I could have done more by now to check if it will work the way I dream of (user land hooking and altering of CreateProcess, etc. to do like an automatic DropMyRights, using same SRP reg keys as XP, etc.), but in my basic initial checking, I was very glad about what I found.

    It's one part of my planned tool to do different SRP stuff without GP (like PGS in that way), among possible other tricks and tweaks I have in mind, including but not limited to, Integrity Levels, Job Objects (not sure they do much on their own, without heavy restrictions like Chrome/Sandboxie 4), ...


    I don't use Sandboxie to Drop Rights -- well it's enabled, but Windows SRP does it before Sandboxie takes over (forced progs). Besides, Drop Rights seems to be broken in Sandboxie 4 so far -- it does change some stuff, but does not restrict access to Administrators-only files and registry keys! :'( But not an issue for me, when SRP drops rights "for real" first...
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    It is possible to run quite conveniently from a Standard account using Surun:

    -http://forum.kay-bruns.de/thread/481,2;nocount

    However, it elevates the process in the context of the Standard user, as opposed to that of the administrator's account.
     
  19. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    How am I supposed to read that gibberish? :p

    Anyway, I'd rather use UAC than some other "security program" (yeah I've read about SuRun, SuDown, SuWhatever long ago).

    There's absolutely nothing "convenient" about having to do anything to run as admin. Since I can't choose an option to always run X as admin after it asks once (unless SuRun does that? then cool), I simply want everything to run as admin, except specific (risk) exceptions.

    I simply can't run all my things that need admin access without constantly being annoyed by UAC. And it would be truly horrible if set to Max (to be secure), since like tons more Windows things would bug me.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Shellcode is used in virtually every exploit.

    And according to MS exploits are rising, not falling.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Well now I'm really second guessing MS' literature o_O Clearly in the graph I posted (since removed), it lists shellcode near the bottom. Of course what you and others are saying, plus the Wiki info, it should be far higher than that. If what is being said here and elsewhere is true, then their reports should accurately reflect those views as well. It's frustrating :(

    You can set up applications to automatically elevate, so that you just right-click and from the context menu choose "Start as administrator". No password or further prompts to address. The program does run a service and two other processes, so you might not like that, although they are lightweight.
     
    Last edited: Apr 21, 2013
  22. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    OK, well that would be better than the confirmation with UAC, but that still doesn't really satisfy me, hehe. I already looked into manifests, custom AppCompat configs, etc. but nothing will allow you to tell Windows "just run it as admin," every time (if in an admin account).

    That's why my next hope, by the time I move off XP for actual desktop use, is to be able to turn off UAC, but run Internet or other high-risk stuff with limited privileges. Funny thing is, none of that even matters if I'd be running everything in Sandboxie anyway, but yet, I still want stuff to be able to operate like I'm used to on XP. :cool:


    BTW, no I'm not one of those people, "Oh noes!!1 More processes and memory usage!" If those processes are needed for operation, that's fine (I don't want useless processes like from Java starter, or when I used Adobe reader, etc.). I know that processes and the "memory" they use have no impact on anything when they're just sitting there sleeping almost 100% of the time. :)
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    My foray into win7 and SRP v1 was really not that great. In fact, dismal. SRP v2 (applocker) a lot of people like but you will understand I guess that it won't do what SRP does in XP. Actually, I did get it to work in win7 when me and Kees1958 were experimenting, but honestly I think it's a dead end.

    However, by being creative with Integrity Levels and DACLs, you can get some pretty neat security going on. Add to that some of the newer features like Kees is always talking about, it turns out to be pretty robust. Not going to stop everything, but will stop a lot.

    I don't use DR either in sandboxie. But I tend to use sandboxie either as a supplement to my normal use, or when I want to test something new or go to some website that I think might not be so nice. I don't actually browse day to day in the sandbox any more.

    It's a process you know, first learning how things work, then how they break, then how you keep them from breaking, and eventually you don't really think about it, you just handle it. There are lots of rabbit trails along the way, each one adding to what you know. I guess in the end, for myself, I am simply not overly concerned with being infected or exploited any longer. I have my set methods that have proved themselves to me over and over, and I don't really deviate from that. If I get bitten, I will handle it and move on. When I am told I cannot do it that way, well, I've been told that my whole life, so it's nothing new. I remember once I got an old cdrom drive to work in a 386 box, that really should not have worked, according to all the people I knew that actually knew something. Yet, it worked. I was again told that when my modem hit a constant 54k throughput, it should not be possible because of overhead, yet I loaded pages with opera faster than anyone else did (who was also on 56k). I once showed a really savvy router guy for a big corporation my throughput on my 10/100 nic in my home network. Pegged at 99%. He said you can't do that, that's not possible. I said here is the screenshot. He still talks about that to this day when we see each other.

    I have no doubt a patched system has its exploits fixed I guess, but I have doubts about whether or not it actually affects me with how I do things. To each their own I guess. I will be interested to see what you cook up when you get on win7. I am not too proud to change how I do things if something better comes along. I actually like the change, if it seems worthwhile.

    Sul.
     
  24. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    You might try using the Windows RunAs feature with the /savecred switch, if that would meet your objectives. The gotcha is that the program will be seeing the file system from the point of view of that alternate user. Anyway, to set that up:

    1. make a shortcut to the desired program

    2. right-click your shortcut and choose Properties, then add runas /user:desired username /savecred at the beginning of the Target: line.

    3. Change the Start In: box to a location where your non-privileged user has access, such as its profile folder.

    The admin account does need to have a password, and the Secondary Logon service needs to be enabled (which is the default). Oh, and the /savecred switch is not available (that I know of) on Home editions of WinXP; I'm not sure about other releases of Windows.

    For my own systems, I use biometrics for elevation. One finger swipe and I'm on my way.
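
A check an administrator could run on a machine set up as in the post above; this is an added example, not part of mechBgon's post. It finds shortcuts whose target calls runas with /savecred and lists the saved credentials that suppress the password prompt. The function names are made up for the example, and it assumes Windows 7 or later with PowerShell and cmdkey.exe available.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Audits where "runas /savecred" is in use: the shortcuts that call it and
# the stored credentials that make the password prompt disappear.

function Test-SaveCredCommand {
    # True when a shortcut's target is runas(.exe) and its arguments carry /savecred.
    param([string]$TargetPath, [string]$Arguments)
    $exe = [System.IO.Path]::GetFileNameWithoutExtension($TargetPath)
    ($exe -ieq 'runas') -and ($Arguments -match '(?i)(^|\s)/savecred(\s|$)')
}

function Get-DefaultShortcutRoot {
    # Per-user and all-users Desktop and Start Menu, plus Quick Launch / pinned items.
    $folders = 'Desktop', 'StartMenu', 'CommonDesktopDirectory', 'CommonStartMenu' |
        ForEach-Object { [Environment]::GetFolderPath($_) }
    $folders += Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    $folders | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
}

function Get-SaveCredShortcut {
    param([string[]]$Path = (Get-DefaultShortcutRoot))
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $Path) {
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                # CreateShortcut on an existing .lnk opens it for reading.
                $lnk = $shell.CreateShortcut($_.FullName)
                if (Test-SaveCredCommand $lnk.TargetPath $lnk.Arguments) {
                    # /user:name or /user:"name with spaces"
                    $account = if ($lnk.Arguments -match '(?i)/user:("[^"]+"|\S+)') {
                        $Matches[1].Trim('"')
                    } else {
                        '(none given)'
                    }
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        RunsAs    = $account
                        Arguments = $lnk.Arguments
                        StartIn   = $lnk.WorkingDirectory
                    }
                }
            }
    }
}

function Get-SavedRunAsCredential {
    # cmdkey /list prints every stored credential. Entries saved by
    # runas /savecred have a target of the form Domain:interactive=<account>.
    & cmdkey.exe /list |
        Where-Object { $_ -match 'interactive=' } |
        ForEach-Object { $_.Trim() }
}

Write-Output 'Shortcuts that use runas /savecred:'
Get-SaveCredShortcut | Format-List

Write-Output 'Saved runas credentials for the current user:'
Get-SavedRunAsCredential
```

A saved credential is not tied to the program named in the shortcut, so an entry that is no longer needed can be removed with cmdkey /delete:<target>, using the target string exactly as cmdkey /list prints it.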
     


  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What would happen if one were to cut your finger? :argh: Hopefully, you're not using the middle finger... :D

    By the way, does the runas /savecred store credentials encrypted? Or plain view?
     