1. The Evolving Threat Landscape
Zheng Bu
Rahul Kashyap
McAfee Labs
Session ID: HT2-106
Session Classification: Intermediate
2. Agenda
Vulnerabilities and Exploitation
Targeted Attacks (APTs)
Cybercrime Goes Social
Q&A
4. 2010: Microsoft and Adobe Vulnerabilities Snapshot
[Chart: number of security patches per year, 2007 to 2010, Microsoft vs. Adobe; y-axis 0 to 300. Source: McAfee Labs]
5. 2010: High-Profile Zero-Day Vulnerabilities
Steady increase in attacks targeting client software. Adobe and Microsoft products were the popular exploit victims.
CVE-2010-0249: MS10-002 HTML Object Memory Corruption Vulnerability (Operation Aurora)
CVE-2010-2883: Adobe SING Tag Buffer Overflow Vulnerability
CVE-2010-2884: Adobe Reader, Flash Player Code Execution Vulnerability
CVE-2010-1297: Adobe Flash Memory Corruption Vulnerability
CVE-2010-1885: Windows Help and Support Center Vulnerability
CVE-2010-1240: PDF /Launch Attack (Zeus)
CVE-2010-2568: Windows Shortcut Icon Loading Vulnerability (Stuxnet)
CVE-2010-2729: Print Spooler Service Impersonation Vulnerability (Stuxnet)
6. Malware Writers Love Adobe Vulnerabilities
[Chart: productivity-application vulnerability-based malware in 2010, MS Office (Word, Excel, PowerPoint) vs. Adobe Reader/Acrobat. Source: McAfee Labs]
7. Which Adobe App Was Most Exploited in 2010? The Winner Is Reader!
[Chart: Adobe, unique malware detected in the wild, Adobe Flash vs. Adobe PDF. Source: McAfee Labs]
8. Mitigation vs. Exploitation: a Catch-Up Game
Each attack technique was answered by a mitigation, and each mitigation by a new technique:
Stack overflow attacks: answered by stack canary checks (/GS) and SafeSEH
Heap overflow attacks: answered by heap safe unlinking
Shellcode execution: answered by Data Execution Prevention (DEP/NX)
DEP/NX and Address Space Layout Randomization (ASLR): answered by JIT spray and Return Oriented Programming (ROP)
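What the "heap safe unlink" entry above actually checks, as an added example constructed for this page (not allocator code from Microsoft or any other vendor): a toy free-list header in the dlmalloc/Windows style, the pre-mitigation unlink that turns forged fd/bk links into a write-what-where primitive, and the checked version that refuses them. chunk_t, unlink_unsafe, unlink_safe and the forge helper are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy doubly linked free list in the style of the classic dlmalloc /
 * Windows heap free-list headers that heap overflow exploits targeted.
 * Constructed for this example; not an allocator's real code. */
typedef struct chunk {
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
} chunk_t;

/* Pre-mitigation unlink: trusts fd/bk. If an overflow into this header
 * forged them, the two stores become a write-what-where primitive:
 *   fd->bk = bk   writes `bk` to the address fd + offsetof(bk)
 *   bk->fd = fd   writes `fd` to the address bk + offsetof(fd)      */
static void unlink_unsafe(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* "Safe unlink": both neighbours must point back at p, otherwise the
 * list has been tampered with. Returns 0 on success, -1 on corruption
 * (a real allocator aborts the process here). */
static int unlink_safe(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Forge a header the way an overflow from the preceding chunk would:
 * `fd` is aimed at `where` so that fd->bk lands in where->bk, and `bk`
 * carries the value to write. In a real exploit `where` would be a
 * function pointer slot and `what` the address of the shellcode. */
static void forge(chunk_t *victim, chunk_t *where, chunk_t *what) {
    victim->fd = where;
    victim->bk = what;
}

/* 1 if the unsafe unlink wrote `what` into the target slot. */
static int demo_unsafe_unlink_writes(void) {
    chunk_t where = {0}, what = {0}, victim;
    forge(&victim, &where, &what);
    unlink_unsafe(&victim);
    return where.bk == &what;   /* arbitrary write succeeded */
}

/* 1 if the safe unlink refused the forged header and wrote nothing. */
static int demo_safe_unlink_rejects(void) {
    chunk_t where = {0}, what = {0}, victim;
    forge(&victim, &where, &what);
    int rc = unlink_safe(&victim);
    return rc == -1 && where.bk == NULL && what.fd == NULL;
}

/* 1 if the safe unlink still works on a well-formed circular list a <-> b <-> c. */
static int demo_safe_unlink_accepts_valid(void) {
    chunk_t a, b, c;
    a.fd = &b; a.bk = &c;
    b.fd = &c; b.bk = &a;
    c.fd = &a; c.bk = &b;
    return unlink_safe(&b) == 0 && a.fd == &c && c.bk == &a;
}

int main(void) {
    printf("unsafe unlink wrote through forged links: %d\n", demo_unsafe_unlink_writes());
    printf("safe unlink rejected forged links:        %d\n", demo_safe_unlink_rejects());
    printf("safe unlink on a valid list:              %d\n", demo_safe_unlink_accepts_valid());
    return 0;
}
```

The check costs two loads per unlink and is why the classic "overwrite fd/bk in the next chunk's header" technique stopped working on its own; attackers moved to corrupting other metadata or application data instead, which is the catch-up game the slide describes.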
9. Case Study: CVE-2010-2883
Adobe SING Tag Buffer Overflow Vulnerability
"Classic" stack overflow
The exploit does not overwrite the return address
It overwrites a pointer stored on the stack instead, bypassing stack protection: the stack cookie is only verified when the function returns, but the corrupted pointer is used before that
Source: McAfee Labs
10. Case Study: CVE-2010-2883
Adobe SING Tag Buffer Overflow Vulnerability
Uses ROP techniques in the shellcode to bypass DEP+ASLR
Special staged shellcode built for one specific DLL: ROP gadgets need a module whose load address is known, so the chain targets a library that is not randomized
Source: McAfee Labs
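The bypass the case study describes, modelled as an added example constructed for this page (not Adobe's CoolType code and not McAfee's analysis tooling): a /GS-style cookie sits between the locals and the return address, so an overflow that runs through to the return address trips the epilogue check, while one that stops at a pointer local stored above the buffer gets that pointer called before the check ever runs. The struct frame layout, COOKIE, RET_ORIG, run_frame and build_payload are this example's assumptions; the unchecked copy length stands in for the overlong SING table data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a /GS-protected stack frame. The layout is pinned with a struct
 * so the demo is deterministic; a real compiler lays the frame out itself
 * (and MSVC/GCC try to place arrays above other locals for this very
 * reason). Constructed for this example, not Adobe's code. */
typedef void (*handler_fn)(const char *);

struct frame {
    char       name[16];   /* overflowed local buffer (lowest address) */
    handler_fn on_done;    /* a pointer local stored above the buffer */
    uint32_t   cookie;     /* /GS security cookie */
    uintptr_t  ret_addr;   /* saved return address (highest address) */
};

#define COOKIE    0xC0DEC0DEu
#define RET_ORIG  0x1000u   /* placeholder "caller" address */

static int hijacked_calls;
static void benign_handler(const char *s)   { (void)s; }
static void attacker_handler(const char *s) { (void)s; hijacked_calls++; }

/* The bug: `len` comes from the input and is never checked against
 * sizeof name. The copy is done on the frame's bytes so the overrun stays
 * inside `struct frame` and the demo does not corrupt the real stack. */
static void vuln_copy(struct frame *f, const uint8_t *data, size_t len) {
    memcpy((uint8_t *)f + offsetof(struct frame, name), data, len);
}

/* One "function call": set up the frame, do the unchecked copy, use the
 * pointer local, then perform the epilogue cookie check.
 * Returns 0 if the cookie was intact, -1 if the check would have aborted. */
static int run_frame(const uint8_t *data, size_t len, uintptr_t *ret_out) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.on_done  = benign_handler;
    f.cookie   = COOKIE;
    f.ret_addr = RET_ORIG;

    vuln_copy(&f, data, len);
    f.on_done(f.name);                    /* pointer used before the epilogue */

    *ret_out = f.ret_addr;
    return f.cookie == COOKIE ? 0 : -1;   /* the __security_check_cookie step */
}

/* Builds an attacker payload: filler, then whatever should land in the
 * on_done slot; with `through_ret` also the cookie and return address. */
static size_t build_payload(uint8_t *out, handler_fn h, uint32_t cookie,
                            uintptr_t ret, int through_ret) {
    memset(out, 'A', sizeof(struct frame));
    memcpy(out + offsetof(struct frame, on_done), &h, sizeof h);
    if (!through_ret)
        return offsetof(struct frame, on_done) + sizeof h;
    memcpy(out + offsetof(struct frame, cookie), &cookie, sizeof cookie);
    memcpy(out + offsetof(struct frame, ret_addr), &ret, sizeof ret);
    return sizeof(struct frame);
}

/* Classic return-address overwrite: the cookie is trampled on the way, so
 * the epilogue check fires before the corrupted return address is used.
 * (on_done is restored to the benign handler so the demo does not crash on
 * the call; a real exploit faces the same obstacle.) */
static int demo_classic_overwrite_is_caught(void) {
    uint8_t p[sizeof(struct frame)];
    uintptr_t ret;
    size_t n = build_payload(p, benign_handler, 0x41414141u, 0xDEADBEEFu, 1);
    int rc = run_frame(p, n, &ret);
    return rc == -1 && ret == 0xDEADBEEFu;
}

/* The CVE-2010-2883 pattern: stop at the pointer local. Cookie and return
 * address are untouched, the hijacked pointer is called before the check
 * runs, so /GS reports nothing. */
static int demo_pointer_overwrite_bypasses_gs(void) {
    uint8_t p[sizeof(struct frame)];
    uintptr_t ret;
    hijacked_calls = 0;
    size_t n = build_payload(p, attacker_handler, 0, 0, 0);
    int rc = run_frame(p, n, &ret);
    return rc == 0 && hijacked_calls == 1 && ret == RET_ORIG;
}

int main(void) {
    printf("return-address overwrite caught by cookie: %d\n", demo_classic_overwrite_is_caught());
    printf("pointer overwrite slips past cookie:        %d\n", demo_pointer_overwrite_bypasses_gs());
    return 0;
}
```

This is also why the next slide matters: the hijacked pointer only buys control of execution, and with DEP the attacker still cannot run data as code, hence the ROP chain built from a non-randomized module.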
11. DEP+ASLR = Peace of Mind!
Vulnerability | Exploitation technique
Adobe Products authplay.dll Code Execution (CVE-2010-3654) | ROP shellcode
Adobe Products authplay.dll Code Execution (CVE-2010-2884) | ROP shellcode
Adobe Flash Player, Reader, and Acrobat authplay.dll (CVE-2010-1297) | ROP shellcode
Adobe Reader and Acrobat XFA TIFF Support Code Execution Vulnerability (CVE-2010-0188) | ROP shellcode
Adobe Reader CoolType.dll TTF Font Vulnerability (CVE-2010-2883) | ROP shellcode
Adobe Reader and Acrobat newplayer() JavaScript Method Vulnerability (CVE-2009-4324) | ROP shellcode
12. Stealthy Exploitation
AKA: Harmonious Exploitation (Chinese: 和谐漏洞利用)
Qualifications
No intrusive reconnaissance required
Application and platform awareness
Robust exploitation
No impact on availability of the target service
No impact on availability of the target application
Bypasses the security mitigations on the target (GS, DEP, ASLR, etc.)
Adaptive to complex network environments, scalable, C&C ready
Network security inspection device evasion
13. Stealthy Exploitation: Case Study
Exploits that identify Adobe Reader versions
Exploits that open a legitimate PDF file on successful exploitation
Exploits that obfuscate to evade NIPS inspection
14. Welcome to the “App Store” of Exploit Kits
15. Crimepack
Features include:
Tracking website stats
Regularly updated exploits
Geolocation tracker
OS stats
Browser stats
Test attack before launching
Success rate
17. Case Study: Operation Aurora
A coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper, Symantec, and others
Exploits a zero-day vulnerability in Internet Explorer
Lures users to malicious websites, installs Trojan malware on their systems, and uses the Trojan to gain remote access
Uses that remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts
18. Operation Aurora: Modus Operandi
1. Attack initiated: a user with a vulnerable version of IE visits a website infected with the Operation Aurora malware.
2. Attack in progress: the website exploits the vulnerability; the malware (disguised as a JPG) is downloaded to the user's system.
3. Attack setup complete: the malware is installed on the user's system and opens a back door (using a custom protocol that acts like SSL) that gives access to sensitive data.
19. Operation Aurora: Exploit
Original obfuscated exploit: the payload has multiple levels of obfuscation to disguise it
De-obfuscated exploit: the payload exploits a zero-day vulnerability in Internet Explorer
The attack uses heap spray and downloads a fake image, an XOR'ed binary
The backdoor is now installed and sends out fake SSL traffic
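A triage check for the "fake image" stage described above, written as an added example constructed for this page (it is not the Aurora sample or McAfee's tooling, and the real sample's XOR key is not stated on this page): brute-force a single-byte XOR key by testing for the structure a PE file must have after decoding, then decode with the recovered key. The constructed sample, its key 0x5A, SAMPLE_LEN and the function names are this example's own assumptions; it handles the single-byte case of the XOR encoding the slide mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Brute-force a single-byte XOR key by checking the structure a PE must
 * have after decoding:
 *   bytes 0..1                       == "MZ"
 *   e_lfanew (little-endian u32 at 0x3c) points inside the buffer
 *   4 bytes at e_lfanew              == "PE\0\0"
 * Returns the key (0 means the file is a plain, unencoded PE), or -1. */
static int find_xor_key(const uint8_t *buf, size_t len) {
    if (len < 0x44)
        return -1;
    for (int key = 0; key < 256; key++) {
        if ((buf[0] ^ key) != 'M' || (buf[1] ^ key) != 'Z')
            continue;
        uint32_t e_lfanew = 0;
        for (int i = 0; i < 4; i++)
            e_lfanew |= (uint32_t)(buf[0x3c + i] ^ key) << (8 * i);
        if (e_lfanew > len - 4)          /* signature would run off the end */
            continue;
        const uint8_t *pe = buf + e_lfanew;
        if ((pe[0] ^ key) == 'P' && (pe[1] ^ key) == 'E' &&
            (pe[2] ^ key) == 0   && (pe[3] ^ key) == 0)
            return key;
    }
    return -1;
}

/* In-place single-byte XOR; applying it with the recovered key yields the
 * executable for further analysis. */
static void xor_buffer(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

#define SAMPLE_LEN 0x100
#define SAMPLE_KEY 0x5A        /* assumed key for the constructed sample */

/* Constructed stand-in for the downloaded "image": a minimal MZ/PE skeleton
 * (e_lfanew = 0x80) encoded with SAMPLE_KEY. Not a real Aurora sample. */
static void build_fake_image(uint8_t *out) {
    memset(out, 0, SAMPLE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x80;                      /* e_lfanew, little-endian */
    memcpy(out + 0x80, "PE\0\0", 4);
    xor_buffer(out, SAMPLE_LEN, SAMPLE_KEY);
}

/* Key recovered from the constructed fake image (expect SAMPLE_KEY). */
static int demo_detect_encoded_pe(void) {
    uint8_t img[SAMPLE_LEN];
    build_fake_image(img);
    return find_xor_key(img, SAMPLE_LEN);
}

/* A genuine JPEG header (FF D8 FF E0 ... JFIF) must not be flagged (expect -1). */
static int demo_real_jpeg_not_flagged(void) {
    uint8_t jpg[SAMPLE_LEN];
    memset(jpg, 0, SAMPLE_LEN);
    memcpy(jpg, "\xFF\xD8\xFF\xE0\x00\x10JFIF", 10);
    return find_xor_key(jpg, SAMPLE_LEN);
}

/* 1 if decoding with the recovered key restores the MZ and PE signatures. */
static int demo_decode_restores_mz(void) {
    uint8_t img[SAMPLE_LEN];
    build_fake_image(img);
    int key = find_xor_key(img, SAMPLE_LEN);
    if (key < 0)
        return 0;
    xor_buffer(img, SAMPLE_LEN, (uint8_t)key);
    return img[0] == 'M' && img[1] == 'Z' && img[0x80] == 'P' && img[0x81] == 'E';
}

int main(void) {
    printf("key recovered from fake image: 0x%02x\n", demo_detect_encoded_pe());
    printf("real JPEG header flagged (-1 = no): %d\n", demo_real_jpeg_not_flagged());
    printf("decode restores MZ/PE: %d\n", demo_decode_restores_mz());
    return 0;
}
```

Because the check requires both signatures and a consistent e_lfanew, a chance "MZ" in image data does not produce a false positive; a multi-byte or rolling key defeats this particular scan, so treat a miss as "not single-byte XOR", not as "benign".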
20. Cybercrime Goes Social
21. Abusing Social Networks
Fake accounts on sale
Accounts can be used to send spam, phishing, fake products/services, or malicious downloads
Prices vary depending on the quality of the account
Source: McAfee Labs
22. "Social" Hacktivism
2010 had several instances of activist groups launching protests over the Internet
DDoS seems to be the favorite vector
Lines between cyberwarfare and hacktivism continue to blur
Source: McAfee Labs
23. Operation Payback
24. Operation Payback
The attack tool was a modified, public open-source tool called LOIC
Created a "social botnet" using HIVE mode, in which participants' clients take their target from a central IRC channel
The attack vector is unsophisticated, but has a temporary impact on global enterprises
25. Conclusions
Client-side attacks are on the rise
There is no silver bullet for security; all the available known defenses can be bypassed
Stealthy exploitation makes attacks harder to detect
APTs leverage all of the latest exploitation techniques and are becoming the most severe threats to businesses
Social networks have been leveraged by attackers and hacktivists
Do not rely completely on security protection from vendors. Use extreme caution when you surf!