Zero-day Exploits: Are You Prepared?

Discussion in 'other security issues & news' started by Rmus, Dec 28, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It seems that a number of these have surfaced in the past few months. The Remote Code Execution exploits are the most interesting - there is a kind of mystique about them - the idea of something slipping in without you noticing - like an intruder sneaking into your house while you are watching TV.

    Looking at some of the recent exploits, there is a common pattern. Using the unionseek_wmf exploit as an example:

    1) the exploit itself, finding a vulnerability (media file)

    2) the downloading of a dropper (ioo.exe)

    3) the dropper copies itself (bumxxx.exe) to another folder and installs other downloaders (voixxx.exe) from the internet

    4) the downloaders begin to do their work - installing spyware, etc​

    How are you prepared to handle something like this?

    Ideally, I want to stop the exploit at 1): OS patches, browser security.

    But should that break down, I want to stop the exploit at 2)

    Because once the dropper is installed, usual detection methods may or may not stop the action.

    In another recent experience, a person was infected with Spy Sheriff after clicking on a link in an IM received from her son (who also had the virus unknowingly). She said her AV was up to date.

    In an article posted by ronjor in another thread was this statement:

    "Lindstrom noted that the long-term answer to dealing with what he called this type of "flotsam and jetsam" of constant security alerts is to install host intrusion prevention software to designate what software is allowed to run on a system and what it's allowed to do."

    Intrusion prevention software that creates a White List of executables already installed will prevent any other executable (trojan dropper) from being allowed to download/install - at the 2) point above.

    It's like having a guard at the gate, who has a list (White List) of authorized people. No one else is permitted in.

    In the case of the person above, the exploit worked, installed the dropper, and the AV didn't catch it. That is, the list of known threats (Black List) did not include information about the new exploit.

    So, how are you prepared for this type of intrusion?

    Assume you are preparing in case the exploit is not blocked at 1) above: What do you have in place to take over?

    I want something that will block at 2).

    My Image from the other thread:
    Http://www.rsjones.net/unionseek_wmf/dl_2.gif


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmmm... sorry, I do not think an execution blocker only is quite enough protection for a 0-day exploit that doesn't get caught by the antivirus (or any signature-behaviour based protection). In fact, if this exploit had only destructive behavior, i.e. overwriting system files with random junk, an execution blocker would have been useless (yes I know you also use Deep Freeze btw).

    I do like the idea of executing everything that's not trusted in a sandboxed environment that denies at least (1) permanent writing to disk outside the sandbox and (2) obviously anything from working at kernel level, and with (3) the option to deny reaching outside the sandbox even for reading from files (this is the most difficult part, it is done in UNIX through chroot but nothing similar is supported in Windows, and it IS difficult to make many programs work in chroot environment in UNIX as well). Now, this, combined with execution and termination protection (a-la Process Guard), and with an obvious firewall seems a much mafer environment to me.
     
    Last edited: Dec 28, 2005
  3. Devilown

    Devilown Guest

    (1)+(2)+(3) closest fit is buffer zone. But it's no where has sophiscated, particularly for (3), which is envisioned as more a way to shield certain folders
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, I tested the exploit in IE in Sandboxie + full Process Guard and Deep Freeze and I had no doubt it wouldn't get anywhere, but point (3) is what I would like the most because it would guarantee that the exploit just has no ability to communicate anything useful on the outside. Now imagine IE running in an environment where it can't launch or read anything unless it's present in the sandbox too. Now that would kill the "xploit" spyware scum dead in their tracks.
     
  5. StevieO

    StevieO Guest

    Uncheck Run Script Commands in the player.

    Only associate those files you actually require to be played.

    Make sure that your FW prompts for ANY App that attempts outbound.

    Also set your DL to prompt you too.

    As well as the above, i have Winsonar which White Lists, and is an Anti exe too.

    I would think that something like AppDefend could help block attacks such as these.


    StevieO
     
  6. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Some Proxomitron Filters I wrote:

    The web filter will catch most .WMF images, but then there are those that are loaded through heavily encrypted JS files. This is where the Header filter comes in. It kills any connection to a URL with a .WMF extension.

    Web Page Filter:

    Header Filter:

     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm not following you here: how can there be any destructive behavior if the initial dropper is blocked from downloading?

    BTW - sandboxed environment is ideal - any articles that do a comparison between the various products? In threads around here, I get snippits of information - I've read a few FAQs but would be nice to have a comparison.

    ==StevieO - about Winsonar, if you install a new program, is it automatically updated to the White List?


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    It's not blocked from downloading, it's blocked from executing by anti-executable, but an exploit could be constructed to overwrite system files instead of downloading a file. There was a IE vulnerability example a couple of years ago on Bugtraq that overwrote the notepad.exe Windows file and it was no different in behavior from this one, all you had to do was visit a web page. Yes, the new notepad.exe would have been blocked by anti-executable, but the original would have been gone.

    Case in point, I ran this same exploit from yesteday on a different site that has picked it up (m.cpa4[dot]org... same rules as the other one, do not visit -- this is also a porn site anyway) and ~WRF0409.tmp was written in C: (I actually used Sandboxie so it was in its own directory, but it would have gone in C: if I didn't use Sandboxie). And this with Process Guard instructed to block all new and changed applications.

    http://img511.imageshack.us/img511/1448/immagine9bw.gif
     
    Last edited: Dec 28, 2005
  9. StevieO

    StevieO Guest

    Rmus

    Winsonar does NOT automatically update to the White List, thank goodness ! If it did that it wouldn't be very safe. It recognises the new exe and alerts you to it. All you have to do is click to allow it to be entered into your White list. Or you can go in and manually Enter/Delete/Update the list any time you choose.

    If you are online, or offline, you can toggle and choose to kill ALL unknown processes automatically, or not. The option is there so you can DL and install things without them getting zapped Instantly, as it does !

    It also has a very comprehensive set of Tools included such as

    Port scanner, on demand or on alert

    Registry checker, Autorun values

    Find all chained processes ID's and parent ID's

    Display all running processes

    File finder

    etc

    If people havn't tried it yet then i can highly recommend it, and it's Free !

    http://digilander.libero.it/zancart/winsonar.html


    StevieO
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I stand corrected: it does cache and then is blocked from executing. I was capturing screen shots so fast I didn't check. The blocking action, however, still keeps it in my point #2, that is, the dropper is blocked from doing anything.

    I'm aware of the other types of exploits you mention, hence,

    I wouldn't mess with these sites otherwise and I realize I'm limiting what I've said in this thread to the trojan-dropper malware that has been seen lately, and I should probably see about changing the title accordingly.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  11. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    Added to my filter. Thanks.
     
  12. Guessed

    Guessed Guest

    How do I add the filter?
     
  13. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    With the proper settings Maxthon users are protected.

    Take a look here
     
  14. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    You can either use the Proxo interface and add the filters line by line. Or you can open up default.cfg with Notepad and cut and paste Kye-U's filters (in the form they are quoted) into the proper places, save, then reload the configuration with the Proxo UI.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    When ShadowUser is installed, I'm prepared, because it removes any change on my harddisk during the next reboot.

    A blacklist of threats will always be INCOMPLETE because the source is unreliable (the bad guys).
    Any AV/AS/AT/AK scanners and any shield, that uses blacklists can't be trusted.
    You really have to love these scanners and shields, because love makes you blind.

    A whitelist of good objects can be COMPLETE, because the source is reliable (the good guys).
    If I would ever create a scanner, it would work with a definition database of the GOOD OBJECTS.
    Any object on your harddisk, that does NOT exist in the definition database is reported by the scanner as dangerous.
    But I don't think you need a scanner for this, there must be other methods.
     
  16. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Ok, I've just made a big discovery with Proxomitron.

    Apparently it can match by Hex, which is significant, because I've written a filter that searches for the magic bytes for the .WMF file.

    I am now certain Proxomitron can now act as a very strong workaround for this issue, by killing all .WMF files, by identifying them by their magic bytes.

    If you've imported my Header filter, you can delete it. (And also delete the old Web Page filter.)

    This filter now only kills infected .WMF (or any extension) files.

    Here is the new Web Page filter:

    Code:
    [Patterns]
    Name = "Kill Infected .WMF Files [Kye-U]"
    Active = TRUE
    URL = "$TYPE(oth)"
    Limit = 5
    Match = "[%01][%00][%09][%00][%00]"
    Replace = "\k$ALERT(Infected .WMF File Killed on:\n\n\u)"
    You must also import this Header filter to filter all file extensions:

    Code:
    [HTTP headers]
    In = FALSE
    Out = TRUE
    Key = "URL: All File Extensions Force Filter (Out)"
    URL = "*.*"
    Replace = "$FILTER(true)"
     
    Last edited: Dec 29, 2005
  17. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    The problem with zero-day or zero-hour exploits is that it becomes a business
    ( http://www.zerodayinitiative.com/ ) and zero-days will certainly be more numerous in the future.
    So it's really difficult to prevent such attacks, even if Intrusion Systems are much more armored than antivirus against these threats (which concerns mostly corporates environments).
    That's why a white list protection (much more than the black list of scanners) is really interesting in this case.

    For the RMUS' example, interesting alerts and examples (which can be provided via a free newsletter) can be found on Websense site: http://www.websensesecuritylabs.com/

    A video of a recent example is available here: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385

    Regards
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    That's very, very nice indeed - my compliments :cool:

    regards,

    paul
     
  19. Guessed

    Guessed Guest

    Thanks again Kye-U. You Rock mate. We're not worthy we're not worthy....
     
  20. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Many thanks Mr. Wilders and Guessed.

    My post has been updated, with a Header filter added. Without it, Proxomitron would not be able to filter .WMF files (or anything other than HTM(L), CSS or JS)
     
  21. As I said try Bufferzone Home -free. Folders can be restricted so that they cannot be modified by programs running in the bufferzone. That is by default for all folders not in the bz.

    In addition, folders can also be set to 'confidential' so they can't be read.
    The default for this is pretty limited (mydoc), though you can easily set it up to be far more restricted.......

    But seriously what you want is the allmighty coreforce

    http://force.coresecurity.com/index.php?module=base&page=main

     
  22. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    These are the most up-to-date Proxomitron filters. (You need Proxomitron in order for these filters to work)

    By using these filters, you are able to kill WMF-Exploit Files, regardless of file extension.

    It uses a Hex-matching method to match the identifying 5 bytes and kills the connection immediately upon detection and alerts you of the offending URL.

    The header filter does allow Proxomitron to filter all file extensions, but the Web Page filter is very specific, and it only applies to files, not HTM(L), CSS, or JS files, so there will be little to no false positives.

    You need BOTH filters to be able to kill WMF-Exploit Files.

    Web Page:

    Code:
    [Patterns]
    Name = "Windows: Kill WMF-Exploit Files [Kye-U]"
    Active = TRUE
    Limit = 5
    Match = "[%01][%00][%09][%00][%00]"
    Replace = "\k$ALERT(Infected WMF-Exploit File Killed on:\n\n\u)"
    Header:

    Code:
    [HTTP headers]
    In = FALSE
    Out = TRUE
    Key = "!-|||||||||||| URL: All File Extensions Force Filter {JJoe} (out)"
    URL = "$FILTER(true)"
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes! :D That seems to be close to what I was talking about. The fact that it uses OpenBSD code is really promising (I've been a OpenBSD user for years and I have never encountered a most stable and secure OS). I'll definitely give it a try.
     
Loading...
Thread Status:
Not open for further replies.