<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ThreatFire Research Blog &#187; Strategy</title>
	<atom:link href="http://blog.threatfire.com/category/strategy/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.threatfire.com</link>
	<description>ThreatFire™ AntiVirus protects when others can&#039;t</description>
	<lastBuildDate>Mon, 15 Mar 2010 15:00:10 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Do I need ThreatFire?</title>
		<link>http://blog.threatfire.com/2009/03/do-i-need-threatfire.html</link>
		<comments>http://blog.threatfire.com/2009/03/do-i-need-threatfire.html#comments</comments>
		<pubDate>Tue, 03 Mar 2009 18:41:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://newblog.threatfire.com/2009/03/do-i-need-threatfire/</guid>
		<description><![CDATA[Do I need ThreatFire? That&#8217;s a fairly common question on security forum boards. Yes, systems need a protective behavioral layer like ThreatFire next to an AV scanner, current built-in OS security functionality, and a firewall. Not only do AV scanners have a difficult time keeping up with malware volume from the underground undetectables marketplace, but client [...]]]></description>
			<content:encoded><![CDATA[<p>Do I need ThreatFire? That&#8217;s a fairly common question on security forum boards. Yes, systems need a protective behavioral layer like ThreatFire next to an AV scanner, current built-in OS security functionality, and a firewall.<br />Not only do AV scanners have a difficult time keeping up with malware volume from the <a href="http://blog.threatfire.com/2009/02/antivirus-scanner-sites-and-quest-for.html" target="_blank">underground undetectables marketplace</a>, but client-side exploit activity, especially attacks on the most popular web browsers and third-party plugins, is at an extremely high volume. The obfuscation and variety of web-based exploits often lead to an even lower detection rate there.</p>
<p>One of our first posts, titled &#8220;How do Storm, NotFound and other threats infiltrate so many PC&#8217;s?&#8221; from <a href="http://blog.threatfire.com/2007/08/how-do-storm-notfound-and-other-threats.html" target="_blank">August 2007</a>, detailed a Windows structured exception handler overwriting technique that has been commonly abused over the past few years. It is something commonly seen in the attacks prevented by ThreatFire.<br />Matt Miller, who used to go by &#8220;skape&#8221; and rode alongside H.D. Moore of Metasploit fame, recently posted about new functionality designed to combat this sort of reliable attack technique in the future. A new &#8220;Structured Exception Handler Overwrite Protection&#8221;, or SEHOP, will replace previous attempts (SafeSEH) at combating the technique. In other words, SEH continues to be bashed in the wild, even with the availability and efforts behind SafeSEH.<br />Interestingly, the data supporting the need for SEHOP was based on the percentage of exploits in the Metasploit project that abuse SEH (approximately 20%), not on exploits observed in the wild.</p>
<p>So, will SEHOP have an impact on the future of client side exploits? Possibly, and more likely, it will have an impact on exploit and shellcode development. We have seen fantastic security attempts like much needed memory space randomization (ASLR) implemented, but even that effort was quickly smashed by the likes of talented researchers <a href="http://www.phreedom.org/research/bypassing-browser-memory-protections/" target="_blank">Mark Dowd and Alexander Sotirov</a>. Granted, tricks were used to abuse various components released and implemented by default in the browser and OS. But that&#8217;s how the exploit market (black, grey, white hat) works. Underlying complexities in massive software projects facing deadlines to market, competitive pressure, and the need for powerful, flexible computing functionality often push software out the door with uncertain results. Creative new talent will continue to take advantage of the uncertainties inherent in this environment, even with creative talent implementing new protective features.</p>
<p>Yes, you need a behavioral layer like ThreatFire, now and for the foreseeable future.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.threatfire.com/2009/03/do-i-need-threatfire.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Antivirus Scanner Sites and the Quest for &quot;Fully UndetecteD&quot;</title>
		<link>http://blog.threatfire.com/2009/02/antivirus-scanner-sites-and-the-quest-for-fully-undetected.html</link>
		<comments>http://blog.threatfire.com/2009/02/antivirus-scanner-sites-and-the-quest-for-fully-undetected.html#comments</comments>
		<pubDate>Tue, 24 Feb 2009 16:30:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Evasion technique]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Undetected malware]]></category>

		<guid isPermaLink="false">http://newblog.threatfire.com/2009/02/antivirus-scanner-sites-and-the-quest-for-fully-undetected/</guid>
		<description><![CDATA[It&#8217;s always disappointing to see traditional antivirus scanners miss malware detections, especially those in the formal WildList (the WildList is not dead! Well, not completely). It does and will happen, even with the best performing scanners. And witnessing the detection rates and delays in AV detection updates for various malware families that are being run [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s always disappointing to see traditional antivirus scanners miss malware detections, especially those in the formal WildList (the WildList is not dead! Well, not completely). It does and will happen, even with the best performing scanners. And witnessing the detection rates and delays in AV detection updates for various malware families that are being run on end user systems but prevented by behavioral protection can be a bit overwhelming. Layered protection is an important part of keeping a system secure.</p>
<p>So when we observe &#8220;underground&#8221; activity, it&#8217;s never a surprise to see ongoing and more sophisticated efforts in developing malware that evades AV detection. Some of the efforts are getting more organized, and we continue to see more professional looking services and amateur looking betas popping up that replace the venerable and legitimate <a href="http://www.virustotal.com/" target="_blank">Virustotal</a> and <a href="http://virusscan.jotti.org/" target="_blank">Jotti</a> virusscan sites. We&#8217;ve presented before on some underground services, where blackhat developers offer to write fully undetected stubs (undetected by all of the major anti-virus products), and once they are detected, the developer sends on a limited number of new undetected stubs to their customers. When that limit is reached, the customer shells out some more cash for their new AV evasion kit.<br />Not only the major media grabbers like Storm, Waledac, and botnets related to McColo, but smaller, under-the-radar efforts like the distributors of rogueware and fakeav benefit financially and further this sort of work.</p>
<p>Below is a snapshot of one fairly recent effort put together with malicious intent: it confirms that those stubs remain fully undetected without exposing the upload to distribution to AV companies (Virustotal and Jotti both distribute samples to AV companies). Many of the blackhat forums bring on new, inexperienced members who upload new undetected crypters to the legitimate sites, which send the samples on to AV vendors; that has been a problem for their efforts in the past. The site is in beta and slow as molasses.</p>
<p><a href="http://2.bp.blogspot.com/_YaXoRZbsXc4/SaQkK4DoXqI/AAAAAAAAAwY/JeO48IGqCSE/s1600-h/fudscanner.png" target="_blank"><img style="margin: 0px auto 10px; display: block; text-align: center; width: 320px; height: 254px;" src="http://2.bp.blogspot.com/_YaXoRZbsXc4/SaQkK4DoXqI/AAAAAAAAAwY/JeO48IGqCSE/s320/fudscanner.png" alt="" border="0" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.threatfire.com/2009/02/antivirus-scanner-sites-and-the-quest-for-fully-undetected.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Dave&#8217;s $30 Billion Smashter Prediction</title>
		<link>http://blog.threatfire.com/2008/12/daves-30-billion-smashter-prediction.html</link>
		<comments>http://blog.threatfire.com/2008/12/daves-30-billion-smashter-prediction.html#comments</comments>
		<pubDate>Mon, 08 Dec 2008 18:35:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[AntiMalware Solutions]]></category>
		<category><![CDATA[Security breach]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://newblog.threatfire.com/2008/12/daves-30-billion-smashter-prediction/</guid>
		<description><![CDATA[Sometimes you get a crystal ball prediction and gimmickry. Sometimes you get something with real insight. Dave Aitel&#8217;s real insight on DailyDave this morning focused on a NY Times article about the U.S. federal government&#8217;s National Security Presidential Directive 54/Homeland Security Presidential Directive 23 that Bush signed in January 2008: &#8220;Faster, smashter. When I see [...]]]></description>
			<content:encoded><![CDATA[<p>Sometimes you get a <a href="http://blogs.wsj.com/biztech/2008/10/28/tech-security-companies-turn-to-gimmicks/">crystal ball prediction</a> and gimmickry. Sometimes you get something with real insight. Dave Aitel&#8217;s real insight on DailyDave this morning focused on a <a href="http://www.nytimes.com/2008/12/06/technology/internet/06security.html?_r=1&amp;_r" target="_blank">NY Times article</a> about the U.S. federal government&#8217;s <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261.html" target="_blank">National Security Presidential Directive 54/Homeland Security Presidential Directive 23</a> that Bush signed in January 2008:<br /><a href="http://lists.immunitysec.com/pipermail/dailydave/2008-December/005445.html" target="_blank">&#8220;Faster, smashter</a>. When I see 30 billion dollars, I can tell you what you&#8217;re going to get, as a taxpayer, for your money: Patch management, IDS, Anti-Virus, scanners of all shapes and sizes. Audits. Big rooms full of large screens correlating information that has absolutely no relevance to security. You can&#8217;t correlate what you can&#8217;t see. You can&#8217;t patch what you don&#8217;t know about.<br />Mr. Markoff is trying to tell us that the defenders are losing the battle. But if they are, it&#8217;s because they *chose* to. Hackers use 0day and always have. The defenders are off making millions selling things that don&#8217;t work against 0day.<br />I guess what I&#8217;m trying to say here is that at this point the attackers are just &#8220;reasonably competent&#8221;. When it comes to offensive information security, we ain&#8217;t seen nothing yet.&#8221;</p>
<p>NPR, the Washington Post, and the NYT have all been spending more time reporting on computer security. It was very interesting to hear a guest on Boston NPR&#8217;s hour-long <a href="http://www.onpointradio.org/shows/2008/12/cyber-warfare/?autostart=true" target="_blank">&#8220;On Point&#8221; this morning</a> discussing characteristics of Secretary of Defense Robert Gates&#8217; laptop and other PC-based resources at the U.S. Department of Defense, as well as the legal arm-twisting used to silence individuals who have participated in security breach investigations. And therein lies the real problem. All the discussion in the world about network security is useless when talk about real issues is silenced, and the individuals who need to protect their organization&#8217;s data do not understand or cannot describe what they need to protect it from.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.threatfire.com/2008/12/daves-30-billion-smashter-prediction.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Global cyber-intelligence</title>
		<link>http://blog.threatfire.com/2008/06/global-cyber-intelligence.html</link>
		<comments>http://blog.threatfire.com/2008/06/global-cyber-intelligence.html#comments</comments>
		<pubDate>Tue, 03 Jun 2008 14:11:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Security breach]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://newblog.threatfire.com/2008/06/global-cyber-intelligence/</guid>
		<description><![CDATA[You can check out a somewhat lengthy and fascinating article on recent cyber intelligence, SCADA systems and various actors on the global cyber stage at The National Journal.
&#8216;Asked whether Washington knew of hacker involvement in the two blackouts, Joel Brenner, the government’s senior counterintelligence official, told National Journal, “I can’t comment on that.”&#8217;
]]></description>
			<content:encoded><![CDATA[<p>You can check out a somewhat lengthy and fascinating article on recent cyber intelligence, SCADA systems and various actors on the global cyber stage at <a href="http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php">The National Journal</a>.</p>
<p>&#8216;Asked whether Washington knew of hacker involvement in the two blackouts, Joel Brenner, the government’s senior counterintelligence official, told <em>National Journal</em>, “I can’t comment on that.”&#8217;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.threatfire.com/2008/06/global-cyber-intelligence.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Strategy and book review</title>
		<link>http://blog.threatfire.com/2007/12/strategy-and-book-review.html</link>
		<comments>http://blog.threatfire.com/2007/12/strategy-and-book-review.html#comments</comments>
		<pubDate>Mon, 31 Dec 2007 21:58:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Book/Doc review]]></category>
		<category><![CDATA[Penetration testing]]></category>
		<category><![CDATA[Security breach]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://newblog.threatfire.com/2007/12/strategy-and-book-review/</guid>
		<description><![CDATA[A &#8220;Strategy&#8221; thread was started on the DailyDave mail list by Dave himself, criticizing information warfare papers: &#8220;If you&#8217;re reading an information warfare book or paper you&#8217;ll invariably see a lot of: 1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd) 2. Declarations that information [...]]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://lists.immunitysec.com/pipermail/dailydave/2007-November/004774.html" target="_blank">&#8220;Strategy&#8221; thread</a> was started on the DailyDave mail list by Dave himself, criticizing information warfare papers:<br />&#8220;If you&#8217;re reading an information warfare book or paper you&#8217;ll invariably see a lot of:<br />1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd)<br />2. Declarations that information warfare is an &#8220;asymmetric attack&#8221;</p>
<p>Dave goes on to drop a couple of product names and then describe the money-saving mono-culture Microsoft technology implementations within the US .com and .mil communities, and describes it as poor strategy:<br />&#8220;Bad strategies like this result in flailing and moaning as you get defeated over and over by someone with better strategy, not because the battlefield is inherently asymmetric.&#8221;</p>
<p>Unfortunately, <a href="http://biz.yahoo.com/ap/071231/data_breaches.html" target="_blank">this past year was a record year for data breaches</a>, according to a couple of groups. (Although, I&#8217;m not sure that statement is completely true. It seems more to have been a record year for reporting breaches, due to a number of new factors. Incident reporting has always provided only a cloudy window into actual events.)<br />Any way you slice it, in light of the sheer volume of security breaches, Dave&#8217;s statement about the mono-culture of .com and .mil communities is a troubling one &#8212; in spite of a year of record profits for the .com community and record budgets for the .mil community, it seems that technology implementations still are not getting the budget or focus that they require when it comes to effectively addressing security needs.</p>
<p>Another poster on the list responded to Dave&#8217;s complaints <a href="http://lists.immunitysec.com/pipermail/dailydave/2007-November/004782.html" target="_blank">by posting a book review</a> about &#8220;Spec Ops: Case Studies in Special Operations Warfare: Theory and Practice&#8221; by William McRaven, a U.S. Navy SEAL commanding officer. I got a chance to check it out this past week and the eight case studies McRaven analyzes really are fascinating (if you&#8217;re a bit of a military history buff). The theory and principles at the beginning of the book (summarized on the DailyDave post) can be applied to analysis of the targeted attacks that have become much more commonplace on the net. It&#8217;s a stimulating read for security enthusiasts, and applies well to the ongoing security breaches around the world:<br />&#8220;If you can&#8217;t draw the parallels to general security practices from those principles then the book is not for you, otherwise you might find yourself ripping through the book and thinking in an entirely different light by the final chapter.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.threatfire.com/2007/12/strategy-and-book-review.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
