Friday, October 9, 2009

Automation in creating exploits

Exploits are one of the most common components of any attack, and of the malicious code that accompanies it. Virtually every malware-based attack carried out over the Internet involves, as an essential component, the exploitation of some vulnerability.

Although public vulnerabilities appear every day (not counting 0-days), the most relevant ones, and the most heavily exploited, are those in the applications used to open .pdf and .swf files and, of course, in Windows itself.

In this sense, the fact that they are "in fashion" is an attribute that I believe rests mainly on the still incipient awareness of security risks. That vulnerabilities fixed more than three years ago are still being exploited today is the clearest evidence of this, and it also constitutes one of the key strategies botmasters use to recruit zombies on a large scale.

Even today, nobody is surprised that the web applications designed to control and manage botnets over HTTP are sold with modules of pre-configured exploits, as in the case of YES Exploit System or Liberty Exploit System, among many others.

Moreover, the crimeware business is constantly looking for automated "resources" to optimize its "services", and resources are beginning to appear on the black market designed not only to automate the development of threats but also to make those threats as complex as possible.

Malware encryption, anti-debugging techniques, anti-analysis techniques such as detection of controlled environments (VirtualBox, VMware, Virtual PC, sandboxes, etc.), and automation in the creation of exploits are faithful samples of what the clandestine crimeware market offers.

This last point in particular, the automated production of exploits, has created significant problems in recent years. Without going too far back, remember the serious security problem that Conficker represented late last year, spreading through a vulnerability in the Microsoft Windows family of operating systems. Its origin, however, predates its appearance.

The process was set in motion by a critical vulnerability in the RPC service, published on 23 October 2008 (MS08-067), which forced Microsoft to release the patch outside its usual cycle (the second Tuesday of each month). Immediately afterwards it began to be exploited by the Gimmiv trojan, and through an exploit created by "ph4nt0m".

From there, the vulnerability was exploited by several malicious codes. In November an application appeared that automates the process of creating exploits for this weakness and also incorporates a port scanner to find vulnerable computers. The application originated in China.

A curious fact is that the original version of this program contained no "surprises". Later versions, however, were manipulated with malicious intent into a "booby trap", incorporating a backdoor that silently installs itself on the computer of whoever wants to use the application. The biter bit...

Also in November 2008 the first version of Conficker appeared, a worm that exploits this vulnerability effectively, causing great unrest in many companies that suffered the consequences on their networks, and without doubt one of the most media-covered malicious codes in history.

During 2009, another known vulnerability (MS09-002), this time in Internet Explorer 7, which allows code execution when a website is visited, began to be incorporated into the web applications used to control and administer botnets; computers were exploited through .pdf and .doc files, Drive-by-Download attacks and Multi-Stage attacks.

Among them, Phoenix Exploit's Kit, Fragus, Liberty Exploit System, Eleonore Exploits Pack and Unique Sploits Pack, among others.

But there is also a tool that exploits the vulnerability through a process that creates specific exploits for it, and it began to circulate through forums of Israeli origin.

The program generates an obfuscated JavaScript script that hides the exploit.

Thus the exploit spreads through websites, exploiting Windows systems through the vulnerable IE7 browser.

These exploits are actively used by cybercriminals to start dissemination and infection processes, and the applications that generate them automatically are In-the-Wild, with the aggravating factor that creating them is no longer restricted to those with deep programming skills.

As we can see, the management and deployment of security updates, for both operating systems and applications, is far from trivial, but it is a very important aspect of keeping computers healthy.

Related information
Conficker IV. Related... and controversial domains
Conficker III. Propagation campaign (...) cleanup
Conficker II. Distributed infection of the media worm
Conficker. When the media coverage echoes (...) the underlying problem
Anatomy of the MS08-078 exploit by FireEye

Jorge Mieres
