Thread-injection attacks from browser exploits are increasing: Invincea

Discussion in 'other security issues & news' started by MrBrian, Dec 28, 2011.

Thread Status:
Not open for further replies.
  1. BrandiCandi

    BrandiCandi Guest

    Mine will
    http://xkcd.com/644/
    :D
     
  2. BrandiCandi

    BrandiCandi Guest

    This thread seems like it died in 2011, but this is as good a place as any to voice this particular opinion. The real issue being debated is the level of risk everyone sees. I think Hungry Man is right, malware authors will focus on the easiest targets, which are folks that surf carelessly with OSs & programs that don't get updated & run non-updated or no AV programs. IMO with every layer of security I add (update programs & OS regularly, run an updated AV program that doesn't suck, use a firewall, use common sense), the malware authors are less and less likely to want to bother with me. The vast majority of computer users fall into this category of risk.

    Targeted attacks are a completely different category of risk. Of course, first you have to decide if you would actually be targeted, highly unlikely for any random citizen. But if you're a defense contractor or developing cold fusion, then maybe you would be targeted. And the point here is that a persistent cracker can crack anything given time, talent & patience. But you have to ask yourself- what's the true likelihood of this ever being a problem for me? Why would Black Hat Bob work so hard to get the photos of junior's 3rd birthday party off my hard drive or my Facebook account, especially when there are millions of easier targets out there with far higher payoffs?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    A wise choice! :p
     
  4. BrandiCandi

    BrandiCandi Guest

    You zeroed in on the important part of my argument I see
    :thumb: :thumb:
     
  5. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    or most remunerative?
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Malware is a business. They weigh the cost of infection against the potential income. In my opinion, at this time, it's more profitable to make use of old out of date operating systems or applications than complex attacks on the kernel/ sandboxes.
     
  7. BrandiCandi

    BrandiCandi Guest

    vasa1
    -http://www.securityweek.com/inside-look-hacker-business-models
    You'll find it's a well run business. Automate attacks & your profits increase. That would inherently exclude customized/hardened desktops with multiple layers of security. Why waste time targeting a few with a specific configuration when you can hit masses with no configuration?
     
  8. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    I largely agree with your post but I think it's important to mention that targeted attacks aren't limited to your examples.
    Everything that's worth (potentially) big money can be a target, whether it's research done at a uni (f.i. solar panels) or a payroll software system being developed. Even the complete blueprint of a dishwasher manufacturer (f.i. the market leader in this branch) can be 'copy/pasted' by 'Black Hat Bob' if he has full access and that can be sold also.
    Targeted attacks aren't just limited to 'exciting' stuff, 'boring stuff' can be worth just as much if you take into account the costs and benefits of such an attack.

    I agree though that malware code writers going after large amounts of citizen bank accounts/private data will make a different cost/benefit-based decision.
    Those guys won't try to develop a trojan being able to sneak into a specific up-to-date 'Wilderssecurity tweaked 'n secured' system. They're after the masses.
     
  9. wat0114

    wat0114 Guest

    Has anyone been able to find stats on the following trend these guys write about:

    ?
     
  10. BrandiCandi

    BrandiCandi Guest

    I'm afraid the technical details of a thread-injection attack are beyond me, but i found this stat for you:
    -http://it.slashdot.org/story/11/02/17/1740227/80-of-browsers-found-to-be-at-risk-of-attack
    -http://www.computerworld.com/s/article/9209958/Bulk_of_browsers_found_to_be_at_risk_of_attack

    So if 80% of browsers out there are ripe for exploitation, I don't think it's any surprise that browsers are targeted.

    All the research I've done over the last several months has shown me that it's REALLY important to harden the browser. That's from countless sources.
     
  11. wat0114

    wat0114 Guest

    Thank you for the links, Brandi!

    Too bad there wasn't anything documenting the thread injection attacks the site linked to in the first post mentions, although it's a nice check on browser and plug-in update status.

    You're right, it's no surprise at all. Wilders member Rmus has stated in several of his posts the importance of securing the browser in defending against web-borne attacks. Keeping it and all plugins up to date is clearly an important first step, yet as those stats show, most people neglect this.

    Absolutely agree on this! I've recently gone to great lengths in pursuing this goal on my browser of choice, IE9 :)
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I doubt thread injection attacks are used a ton. I don't know about ROP exploits being used or anything like that. We wouldn't necessarily see them in the wild because
    1) You don't need ROP on XP - there's no ASLR, which means there's basically no DEP. ROP is specifically meant to defeat these two things.

    2) If you do attack Vista/ 7 you don't need thread injection or shared IPC because almost no one runs with SRP.

    Worth noting that ROP did garner enough attention in win8 to merit them adding specific ROP mitigation techniques.

    edit: Also worth noting that thread injection/ IPC are not the only ways to bypass a whitelist.
     
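    The post above turns on whether a system actually has ASLR and DEP in play, since ROP exists to get around those two mitigations. A practical defender's check is whether a given Windows binary opted in to them: the linker records that in the DllCharacteristics field of the PE optional header (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP). The following script is an added example written for this thread, not code from any poster or from Invincea; it parses that field directly from a PE file, and the flag values and header offsets are the documented PE format ones. The sample image it inspects is a constructed minimal header, not a real executable.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
DLLCHAR_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",   # 64-bit ASLR (PE32+ only)
    0x0040: "DYNAMIC_BASE",      # image may be relocated: ASLR opt-in
    0x0080: "FORCE_INTEGRITY",   # code integrity checks enforced
    0x0100: "NX_COMPAT",         # image is DEP/NX compatible
    0x0400: "NO_SEH",            # no structured exception handlers
    0x4000: "GUARD_CF",          # Control Flow Guard (Win8.1+)
}

# Mitigations a reviewer would normally expect a modern user-mode binary to carry.
EXPECTED = ("DYNAMIC_BASE", "NX_COMPAT")


def parse_dll_characteristics(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    decode DllCharacteristics. Returns the raw value, the decoded flag names,
    ASLR/DEP booleans and the list of expected mitigations that are missing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B).
    if size_of_optional < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unrecognised optional header magic 0x%x" % magic)
    raw = struct.unpack_from("<H", data, opt + 70)[0]
    flags = [name for bit, name in DLLCHAR_FLAGS.items() if raw & bit]
    return {
        "pe32plus": magic == 0x20B,
        "raw": raw,
        "flags": flags,
        "aslr": "DYNAMIC_BASE" in flags,
        "dep": "NX_COMPAT" in flags,
        "missing": [name for name in EXPECTED if name not in flags],
    }


def build_sample_image(dllchar: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections, no code) carrying the given
    DllCharacteristics value. Enough for the parser above; not a loadable image."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew
    opt_size = 112 if pe32plus else 96
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x014C,      # Machine
                       0, 0, 0, 0,                          # sections, stamp, symtab, nsyms
                       opt_size,                            # SizeOfOptionalHeader
                       0x0102)                              # Characteristics (exe, 32-bit)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Read a real PE from disk and report its mitigation opt-ins."""
    with open(path, "rb") as f:
        return parse_dll_characteristics(f.read())


if __name__ == "__main__":
    hardened = parse_dll_characteristics(build_sample_image(0x0140))
    legacy = parse_dll_characteristics(build_sample_image(0x0000))
    print("hardened sample:", hardened["flags"], "missing:", hardened["missing"])
    print("legacy sample:  ", legacy["flags"], "missing:", legacy["missing"])
```

    Run check_file() over the browser and its plugin DLLs to see which modules still load without ASLR or DEP; a single non-relocatable module in the browser process is what makes the "no ASLR" situation the post describes, even on Vista/7.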