Archive for the ‘Strategy’ Category

Do I need ThreatFire?

Tuesday, March 3rd, 2009

Do I need ThreatFire? That’s a fairly common question on security forum boards. Yes, systems need a protective behavioral layer like ThreatFire next to an AV scanner, current built-in OS security functionality, and a firewall.
Not only do AV scanners have a difficult time keeping up with the malware volume coming out of the underground “undetectables” marketplace, but client-side exploit activity, especially attacks on the most popular web browsers and third-party plugins, runs at extremely high volume. The obfuscation and variety in web-based exploits often lead to an even lower detection rate here.

One of our first posts titled “How do Storm, NotFound and other threats infiltrate so many PC’s?” from August 2007 detailed a Windows structured exception handler overwriting technique that has been commonly abused over the past few years. It is something commonly seen in the attacks prevented by ThreatFire.
Matt Miller, who used to go by “skape” and rode alongside H.D. Moore of Metasploit fame, recently posted about new functionality designed to combat this sort of reliable attack technique in the future. A new “Structured Exception Handler Overwrite Protection”, or SEHOP, will replace previous attempts (SafeSEH) at combating the technique. In other words, SEH continues to be bashed in the wild, even with the availability and efforts behind SafeSEH.
Interestingly, data supporting the need for SEHOP was based on the percentage of exploits in the Metasploit project that abuse SEH (that number is approximately 20%) and not on exploits observed in the wild.

So, will SEHOP have an impact on the future of client side exploits? Possibly, and more likely, it will have an impact on exploit and shellcode development. We have seen fantastic security attempts like much needed address space layout randomization (ASLR) implemented, but even that effort was quickly smashed by the likes of talented researchers Mark Dowd and Alexander Sotirov. Granted, tricks were used to abuse various components released and implemented by default in the browser and OS. But that’s how the exploit market (black, grey, white hat) works. Underlying complexities in massive software projects facing deadlines to market, competitive pressure, and the need for powerful, flexible computing functionality often push software out the door with uncertain results. Creative new talent will continue to take advantage of the uncertainties inherent in this environment, even with creative talent implementing new protective features.

Yes, you need a behavioral layer like ThreatFire, now and for the foreseeable future.

Antivirus Scanner Sites and the Quest for "Fully UndetecteD"

Tuesday, February 24th, 2009

It’s always disappointing to see traditional antivirus scanners miss malware detections, especially those in the formal WildList (the WildList is not dead! Well, not completely). It does and will happen, even with the best performing scanners. And witnessing the detection rates and delays in AV detection updates for various malware families that are being run on end user systems but prevented by behavioral protection can be a bit overwhelming. Layered protection is an important part of keeping a system secure.

So when we observe “underground” activity, it’s never a surprise to see ongoing and more sophisticated efforts in developing malware that evades AV detection. Some of the efforts are getting more organized, and we continue to see more professional looking services and amateur looking betas popping up that replace the venerable and legitimate Virustotal and Jotti virusscan sites. We’ve presented before on some underground services, where blackhat developers offer to write fully undetected stubs (undetected by all of the major anti-virus products), and once they are detected, the developer sends on a limited number of new undetected stubs to their customers. When that limit is reached, the customer shells out some more cash for their new AV evasion kit.
Not only the major media grabbers like Storm, Waledac, and botnets related to McColo, but smaller, under-the-radar efforts like the distributors of rogueware and fakeav benefit financially and further this sort of work.

Below is a snapshot of one fairly recent effort put together with malicious intent, to help confirm that those stubs remain fully undetected without exposing the upload to distribution to AV companies (Virustotal and Jotti both distribute samples to AV companies). Many of the blackhat forums bring on new, inexperienced members that upload new undetected crypters to the legitimate sites, which sends the samples on to AV vendors and has been a problem for their efforts in the past. The site is in beta and slow as molasses.

Dave’s $30 Billion Smashter Prediction

Monday, December 8th, 2008

Sometimes you get a crystal ball prediction and gimmickry. Sometimes you get something with real insight. Dave Aitel’s real insight on DailyDave this morning focused on a NY Times article about the U.S. federal government’s National Security Presidential Directive 54/Homeland Security Presidential Directive 23 that Bush signed in January 2008:
“Faster, smashter. When I see 30 billion dollars, I can tell you what you’re going to get, as a taxpayer, for your money: Patch management, IDS, Anti-Virus, scanners of all shapes and sizes. Audits. Big rooms full of large screens correlating information that has absolutely no relevance to security. You can’t correlate what you can’t see. You can’t patch what you don’t know about.
Mr. Markoff is trying to tell us that the defenders are losing the battle. But if they are, it’s because they *chose* to. Hackers use 0day and always have. The defenders are off making millions selling things that don’t work against 0day.
I guess what I’m trying to say here is that at this point the attackers are just “reasonably competent”. When it comes to offensive information security, we ain’t seen nothing yet.”

NPR, the Washington Post, and the NYT have all been spending more time reporting on computer security. It was very interesting to hear a guest on Boston NPR’s hour-long “On Point” this morning discussing characteristics of Secretary of Defense Robert Gates’ laptop and other PC-based resources at the U.S. Department of Defense, as well as the legal arm-twisting used to silence individuals that have participated in security breach investigations. And therein lies the real problem. All the discussion in the world about network security is useless when talk about real issues is silenced, and the individuals that need to protect their organization’s data do not understand or cannot describe what they need to protect it from.