One-Day Exploits, Binary Diffing and Patch Management

Thursday, April 05, 2012

Pierluigi Paganini

03b2ceb73723f8b53cd533e4fba898ee

(Translated from the original Italian)

Recently ESET security firm has reported the latest version of the Blackhole exploit kit that has been updated to include a new exploit for the Java CVE-2012-0507 vulnerability.  

The exploit was discovered for the first time on March 7, 2012 and it first detected on March 12, 2012. Now a public module for the Metasploit Framework multi platform has been released for the exploitation of CVE-2012-0507.

I have opened the article with this information to introduce a really interesting topic, the 1-day exploit, those based on checking patched versions of software to identify what vulnerabilities have been patched, then analizing the patch management status of a system to know with vulnerability hasn't yet been patched.

Of course, compared to a 0-day vulnerabilities, 1-day exploits have a reduced possibility of success due the potential for patching by a target, but these attacks are still really insidious and cheaper in comparison to the 0-Days. Consider that it  is quite simple to retrieve this information on the internet and use tools to commit the attacks.

In the most complex cases we can imagine a researcher who through a reverse engineering of a released patch develops their own kit to a attack an unpatched target.

The majority of these exploits are related today to Java vulnerabilities due its large diffusion on multiplatform systems. Java exploits are in fact an effective way to install malicious programs on targeted machines - consider the recent spam campaigns that infected a huge number of machines and the incredible number of infected web sites that allow this kind of attacks.

The mechanism is simple: a legitimate web site is infected by introducing iFrames that redirect victims to the latest version of the Blackhole. The malicious domain name and infected webpage are identical to the legitimate one. Once on the infected website, the damage is done!

According ESET, the same infection methods and the same redirection methods have been used several times, most famously is the case of the popular news resource izvestia.ru where a modified versions of the Win32/TrojanDownloader.Carberp family were loaded onto the victim's machines.

Java vulnerabilities, and in particular every 1-day exploits, are increasing used by cyber crime and by state-sponsored a hackers. “This is the most effective way for exploiting end-user systems and is sometimes effective across a variety of platforms,” writes ESET.

Consider that the development of a 0-days is really expensive and time-consuming due to the intense research that must be conduced to discover and exploit the vulnerabilities, for this reason typically these kinds of exploits are used by governments.

Cybercrime has mass a market approach that does not necessary need a sophisticated attack methodology, that's why the 1-day exploit approach is taking place.

It's clear that few organizations are able to patch their systems in a short time. Consider large a organization with a complex architecture, for them the impact of a patch must be analyzed in detail to avoid problems in the IT infrastructure, and in this case it is necessary to extend the duration of the test phase.

Also, the phase of deployment can have a variable length of time. For example, in a company located over multiple locations with a high number of systems to patch that is heterogeneous, the deployment activities will be more expensive.

It is easy to understand that the time between the disclosure of Patch and its application in a production environment is the interval in which systems are vulnerable to 1-Day exploits.

ESET has demonstrated how quickly the Blackhole gang can react to the 1-day opportunity:

“There’s intense interest in vulnerability research, with legitimate research seized upon by malware authors for malicious purposes,” David Harley, a senior research fellow and co-author of this research told Infosecurity."

“The increase in volumes of 1-day exploits suggests that even if 0-days research prices itself out of the mass market for exploits, inadequate update/patch take-up among users is leaving plenty of room for exploits of already-patched vulnerabilities (as with the current spate of Tibet attacks).”

Just few minutes after the release of the patches, using binary diffing techniques, researchers and criminals are able to identify the vulnerabilities that have been fixed. The term difference is derived from the name of the command utility used for a comparison of files, in the same manner they are compared with the binary of a system before and after the patch is applied.

This binary diffing techniques are particular efficient against Microsoft's binaries because the company releases patches regularly, and inside the patch it is quite simple to identify the code for the vulnerability because it is usually concentrated in small portion of the binary code.

Today attackers have access to a huge number of tools to identify unknown vulnerabilities just patched, they only need to launch the attacks during the time frame users are applying patches.

During the patch applying time frame, the end users are more vulnerable and can be targeted using 1-day attacks. the most popular frameworks for Binary diffing are DarunGrim2 and Patchdiff2.

In reality, the process of reverse engineering of a patch is still complicated because each of the vendors use different compilers and optimization methods. Remember the case of the mystery related to the source code for Duqu... it was even difficult to understand the programming language used because the developers had adopted a compilation with special options.

The 1-day exploits are real threats that are happening every patch day. Sometimes some people have a different version of product, finding in their binaries vulnerabilities that are fixed silently .

So as the attacking technology improves, the protection techniques need to evolve accordingly, as we already have several anti diffing tools like "Hondon" - but it is also necessary that the major vendors adopt the strongest solution for the patching of their products.

In the meantime, the only guaranteed defense against the 1-day attack is to patch our system before the criminal exploits the vulnerability.

Source:

 Cross-posted from Security Affairs

Possibly Related Articles:
14525
Vulnerabilities
Information Security
Java Patch Management Metasploit Attacks Exploits Blackhole Exploit One-Day Exploit Binary Diffing ESET
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.