Presented at the February 2010 meeting of the Northeast Ohio Information Security Forum by Josh Kelley, Enterprise Security Analyst for a Fortune 1000 company.
2. What makes Aurora Impressive
It weaves together targeted social engineering attacks, zero-day exploits, and malware to successfully compromise the networks of over 20 major international corporations, including the almighty Google.
3. Two Separate Attack Vectors
Social engineering – focused and precise
Zero-day exploits – Internet Explorer
4. Social Engineering Vector
Several key things were done to increase the success of the spear-phishing emails:
Certain individuals within the companies were targeted.
Friends of the targeted individuals were targeted as well.
The targets are thought to have had elevated privileges within the companies (sysadmins, developers, etc.).
5. The Zero-Day Exploit
Microsoft Security Bulletin MS10-002
Affects Internet Explorer 5, 6, 7, and 8
HTML Object Memory Corruption
6. Why it works
IE has a bug in handling deleted objects.
This allows the attacker to inject malicious code in place of the previously deleted object.
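The deleted-object bug above is, in general terms, a stale reference that still resolves to memory which something else now occupies. As an added illustration that is not part of the original slides and not IE's actual fix, the constructed C model below gives each object a handle made of a slot index plus a generation counter; deleting the object advances the counter, so a reference saved before the deletion is refused instead of being followed into whatever reused the slot. All names (`obj_create`, `obj_delete`, `obj_name`, the `Slot` table) are invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed model: a small table of "document objects" addressed by
 * handles.  A handle carries the slot index plus a generation counter; the
 * counter is bumped every time a slot is deleted, so a handle saved before
 * the deletion no longer matches and is refused rather than resolving to
 * whatever now occupies the slot. */

#define SLOT_COUNT 4

typedef struct {
    uint32_t generation;   /* bumped on every delete of this slot */
    int      live;         /* 1 while an object occupies the slot */
    char     name[16];     /* stand-in for the object's contents */
} Slot;

typedef struct {
    uint32_t index;
    uint32_t generation;
} Handle;

static Slot table[SLOT_COUNT];

/* Create an object in the first free slot and return a handle to it. */
Handle obj_create(const char *name) {
    for (uint32_t i = 0; i < SLOT_COUNT; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            strncpy(table[i].name, name, sizeof table[i].name - 1);
            table[i].name[sizeof table[i].name - 1] = '\0';
            Handle h = { i, table[i].generation };
            return h;
        }
    }
    Handle none = { UINT32_MAX, 0 };   /* table full: invalid handle */
    return none;
}

/* Delete the object: free the slot and invalidate every outstanding handle
 * by advancing the generation.  Contents are wiped so a stale reader cannot
 * even see leftovers.  Returns 1 on success, 0 if the handle was stale. */
int obj_delete(Handle h) {
    if (h.index >= SLOT_COUNT) return 0;
    Slot *s = &table[h.index];
    if (!s->live || s->generation != h.generation) return 0;
    memset(s->name, 0, sizeof s->name);
    s->live = 0;
    s->generation++;
    return 1;
}

/* Resolve a handle to its object's contents, or NULL if the handle is stale. */
const char *obj_name(Handle h) {
    if (h.index >= SLOT_COUNT) return NULL;
    Slot *s = &table[h.index];
    if (!s->live || s->generation != h.generation) return NULL;
    return s->name;
}

/* Walks the stale-reference sequence the slides describe: keep a reference,
 * delete the object, let the slot be reused by new data, then touch the old
 * reference.  Returns 1 when the old reference is refused and the new
 * occupant is unaffected. */
int stale_reference_is_refused(void) {
    memset(table, 0, sizeof table);
    Handle img = obj_create("image");
    Handle saved = img;                 /* reference kept around by script */
    obj_delete(img);                    /* object deleted */
    Handle other = obj_create("other"); /* same slot reused by new data */
    return obj_name(saved) == NULL && strcmp(obj_name(other), "other") == 0;
}

int main(void) {
    printf("stale reference refused: %s\n",
           stale_reference_is_refused() ? "yes" : "no");
    return 0;
}
```

The generation check is what turns a silent use of reused memory into an explicit failure; a browser's real DOM uses reference counting and lifetime rules for the same purpose, and the IE bug was a case where those rules were not enforced for one object path.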
7. The heap spray
The attacker uses a heap spray technique to put the payload in memory.
9. Exploit Flow
HTML loads the image.
JavaScript deletes it (function EV1),
then replaces it with a memory address (function EV2),
which hits the heap spray
and executes the payload.
10. DEP in a nutshell
Data Execution Prevention (DEP) renders buffer overflows harder to exploit because it adjusts stacks to read-only.
DEP was often surprisingly hard to bypass in browser exploits and typically made heap spray attacks fairly difficult, if not impossible.
11. ASLR in a nutshell
Most exploits rely heavily on hijacking execution flow and are typically very dependent on memory addresses.
ASLR randomizes the memory addresses on each reboot so that the attacker typically can't predict the memory address to jump to.
12. Scary Stuff
The Aurora attack bypassed Data Execution Prevention (DEP).
13. Even Worse
DEP + Address Space Layout Randomization (ASLR) was just recently bypassed on Windows 7 + IE 8.
The once impossible to bypass can now be bypassed.
14. So what this means…
Focused and organized attacks are on the rise.
Attackers will continue to get in through the easiest route.
A combination of zero-days and the human element was the root cause of the success of this attack.
15. How to prevent
This exploit has already been patched; make sure you update.
IE is a large target; consider moving to Firefox with NoScript enabled.
Kernel-hooking HIPS could have potentially stopped this attack.