How Google Was Pwned: In-Depth Look into the Aurora Attacks
What makes Aurora Impressive

  It weaves together targeted social engineering attacks, zero-day exploits, and malware to successfully compromise the networks of over 20 major international corporations, including the almighty Google.
Two Separate Attack Vectors

  Social engineering – focused and precise
  Zero-day exploits – Internet Explorer
Social Engineering Vector

  Several key things were done to increase the success of the spear-phishing emails:
    Certain individuals within the companies were targeted.
    Friends of the targeted individuals were targeted as well.
    The targets are thought to have had elevated privileges within the companies (sysadmins, developers, etc.).
The Zero-Day Exploit

  Microsoft Security Bulletin MS10-002
  Affects Internet Explorer 5, 6, 7, and 8
  HTML Object Memory Corruption
Why it works

  IE has a bug in handling deleted objects.
  It allows the attacker to place malicious code in the memory that the previously deleted object occupied.
The heap spray

  The attacker utilizes a heap spray technique to put the payload in memory.
Core of the exploit
Exploit Flow

  HTML loads the image.
  JavaScript deletes it (function EV1).
  Then replaces it with a memory address (function EV2).
  Which hits the heap spray.
  And executes the payload.
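The deleted-object flow above, replayed in a toy allocator as an added example (not code from the slides or from the IE bug itself): a freed slot is handed straight back to the next allocation, so a reference kept across the delete reads whatever the refill placed there, and the generation-counter check is the mitigation a hardened object manager would apply before honouring such a reference. The slot layout, the values and the names are all constructed.

```c
#include <stdint.h>
#include <string.h>

/* Toy heap: equal-sized slots on a LIFO free list, so a freed slot is handed
 * straight back to the next allocation, as real allocators often do for
 * same-sized chunks. The generation counters are the added mitigation. */
#define SLOTS 4
#define SLOT_BYTES 16
static uint8_t  pool[SLOTS][SLOT_BYTES];
static int      free_stack[SLOTS], free_top;
static uint32_t generation[SLOTS];

typedef struct { int slot; uint32_t gen; } handle_t;   /* a reference to an object */

static void heap_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(generation, 0, sizeof generation);
    for (free_top = 0; free_top < SLOTS; free_top++) free_stack[free_top] = free_top;
}

static handle_t heap_alloc(void) {
    handle_t h = { free_stack[--free_top], 0 };
    h.gen = generation[h.slot];
    return h;
}

static void heap_free(handle_t h) {
    generation[h.slot]++;               /* every outstanding handle turns stale */
    free_stack[free_top++] = h.slot;
}

/* Unchecked read follows the reference blindly: the shape of IE's deleted-object
 * bug. Checked read refuses a handle whose generation no longer matches. */
static uint32_t read_unchecked(handle_t h) {
    uint32_t v; memcpy(&v, pool[h.slot], sizeof v); return v;
}
static int read_checked(handle_t h, uint32_t *out) {
    if (h.gen != generation[h.slot]) return 0;
    memcpy(out, pool[h.slot], sizeof *out);
    return 1;
}

/* Replays the slide's flow: object created, deleted while a reference is kept
 * (EV1), the freed slot refilled with attacker-chosen bytes (EV2), stale
 * reference followed. Returns 1 if the stale read was accepted; *seen gets the
 * value it produced (0 when rejected). */
static int replay(uint32_t refill, int checked, uint32_t *seen) {
    heap_reset();
    handle_t img = heap_alloc();
    uint32_t legit = 0x11111111u;                   /* constructed object data */
    memcpy(pool[img.slot], &legit, sizeof legit);
    heap_free(img);                                 /* EV1: deleted, img kept */
    handle_t again = heap_alloc();                  /* EV2: same slot comes back */
    memcpy(pool[again.slot], &refill, sizeof refill);
    *seen = 0;
    if (!checked) { *seen = read_unchecked(img); return 1; }
    return read_checked(img, seen);
}
```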
DEP in a nutshell

  Data Execution Prevention (DEP) renders buffer overflows harder to exploit because it sets stacks to read-only.
  DEP was often surprisingly hard to bypass in browser exploits and typically made heap spray attacks fairly difficult, if not impossible.
ASLR in a nutshell

  Most exploits rely heavily on hijacking execution flow and are typically very dependent on memory addresses.
  ASLR randomizes the memory addresses on each reboot, so the attacker typically can't predict the memory address to jump to.
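On Windows, DEP and ASLR are recorded per binary as flags in the PE optional header's DllCharacteristics field; as an added check (not part of the slides), this reads those two flags from an in-memory PE image. The sample header produced by build_sample is constructed, not a real binary, and the flags only show that a binary opted in; system DEP policy and the presence of relocation data decide whether the protection is actually applied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PE optional-header DllCharacteristics bits that opt a binary in to the two
 * mitigations discussed above. Values are from the PE/COFF specification. */
#define PE_DLLCHAR_DYNAMIC_BASE 0x0040u   /* image may be relocated: ASLR */
#define PE_DLLCHAR_NX_COMPAT    0x0100u   /* image is DEP-compatible */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Locates DllCharacteristics in a PE image held in memory. Returns 1 and fills
 * *out on success, 0 if the buffer is not a well-formed PE32/PE32+ header. The
 * field sits at offset 70 of the optional header in both formats. */
static int pe_dll_characteristics(const uint8_t *img, size_t len, uint16_t *out) {
    if (len < 96 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3C);                    /* e_lfanew */
    if (pe > len - 96 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    if (rd16(img + pe + 20) < 72) return 0;            /* SizeOfOptionalHeader too small */
    const uint8_t *opt = img + pe + 24;                /* after signature + COFF header */
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return 0;    /* PE32 / PE32+ */
    *out = rd16(opt + 70);
    return 1;
}

static int pe_opts_in_to_dep(const uint8_t *img, size_t len) {
    uint16_t dc; return pe_dll_characteristics(img, len, &dc) && (dc & PE_DLLCHAR_NX_COMPAT);
}
static int pe_opts_in_to_aslr(const uint8_t *img, size_t len) {
    uint16_t dc; return pe_dll_characteristics(img, len, &dc) && (dc & PE_DLLCHAR_DYNAMIC_BASE);
}

/* Constructed minimal PE32 header (not a real binary) carrying the given
 * DllCharacteristics, so the checks can be exercised offline. */
#define SAMPLE_LEN 0x100
static void build_sample(uint8_t *buf, uint16_t dllchar) {
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                  /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 20] = 0xE0;                             /* SizeOfOptionalHeader = 224 */
    buf[0x40 + 24] = 0x0b; buf[0x40 + 25] = 0x01;      /* Magic = 0x10b (PE32) */
    buf[0x40 + 24 + 70] = (uint8_t)dllchar;
    buf[0x40 + 24 + 71] = (uint8_t)(dllchar >> 8);
}
```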
Scary Stuff

  The Aurora attack bypassed Data Execution Prevention (DEP).
Even Worse

  DEP + Address Space Layout Randomization (ASLR) was just recently bypassed on Windows 7 + IE 8.
  What was once impossible to bypass can now be bypassed.
So what this means…

  Focused and organized attacks are on the rise.
  Attackers will continue to get in through the easiest route.
  A combination of zero-days and the human element was the root cause of the success of this attack.
How to prevent

  This exploit has already been patched; make sure you update.
  IE is a large target; consider moving to Firefox with NoScript enabled.
  Kernel-hooking HIPS could potentially have stopped this attack.