Re: Single Stage Attacks?



Most attacks at the moment are server -> client, rather than client -> server (the wide deployment of firewalls, packet filtering rules, network segmentation has rendered the latter unprofitable). The typical sequence is the victim stumbles onto a malicious webpage (often an ad) and then is taken via a chain of iframes or similar to an exploit server which delivers the exploit (currently the vast bulk of attacks on the wire are via malicious PDF and secondarily SWF - Adobe is it apparently). The exploit shellcode then goes and fetches a dropper executable, which may in turn fetch more. Then there is generally some kind of callback protocol for command and control of the bot according to whatever the business model of the campaign is.

In targeted attacks, this scenario may be preceded by tempting emails etc., to get a particular victim to go to a designated attack point (rather than just culling random victims from the herd).

I have seen recent attacks as simple as a single bad PDF or SWF with no precursor at all other than the normal operation of the ad delivery ecosystem, and then the download of a single exe and no immediate callback.

I have not seen a recent example in the wild in which the payload was integrated into the exploit shellcode (there's obviously no real barrier to doing this other than administrative convenience for the attackers).

Stuart Staniford
Chief Scientist, FireEye
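
As an added, defender-side illustration (this is not part of Stuart's reply or of any FireEye tooling), the Python below correlates web-proxy log lines into the stages described above: ad or landing page, iframe hops (recovered from the Referer chain), exploit document (PDF/SWF), dropper executable, then a regular callback to a command-and-control host. It also reports the reduced chain Stuart mentions seeing in the wild, a single PDF or SWF followed by one executable with no callback, so that the "single stage" case is not silently dropped. The log format, the hostnames, the time window and the beacon-regularity threshold are all constructed assumptions for the example.

```python
"""Correlate proxy log lines into the multi-stage infection chain discussed in the thread.
All log lines, hosts and thresholds below are constructed for illustration."""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log, one request per line:
# "<iso-time> <client> <method> <url> <content-type> <referer-or-dash>"
SAMPLE_LOG = """\
2009-05-16T23:40:01 10.0.0.5 GET http://news.example/index.html text/html -
2009-05-16T23:40:02 10.0.0.5 GET http://ads.example/serve?id=77 text/html http://news.example/index.html
2009-05-16T23:40:03 10.0.0.5 GET http://hop1.example/f.html text/html http://ads.example/serve?id=77
2009-05-16T23:40:04 10.0.0.5 GET http://exploit.example/doc.pdf application/pdf http://hop1.example/f.html
2009-05-16T23:40:09 10.0.0.5 GET http://exploit.example/load.exe application/octet-stream -
2009-05-16T23:41:10 10.0.0.5 POST http://c2.example/gate.php text/plain -
2009-05-16T23:42:10 10.0.0.5 POST http://c2.example/gate.php text/plain -
2009-05-16T23:43:10 10.0.0.5 POST http://c2.example/gate.php text/plain -
2009-05-16T23:50:00 10.0.0.9 GET http://intranet.example/report.pdf application/pdf http://intranet.example/
2009-05-16T23:55:00 10.0.0.7 GET http://ads.example/serve?id=78 text/html http://blog.example/
2009-05-16T23:55:01 10.0.0.7 GET http://exploit.example/bad.swf application/x-shockwave-flash http://ads.example/serve?id=78
2009-05-16T23:55:05 10.0.0.7 GET http://exploit.example/s.exe application/octet-stream -
"""

EXPLOIT_TYPES = {"application/pdf", "application/x-shockwave-flash"}   # PDF / SWF documents
DROPPER_TYPES = {"application/octet-stream", "application/x-msdownload"}
DROP_WINDOW_S = 120   # assumed: dropper must follow the document within two minutes
MIN_BEACONS = 3       # assumed: repeated, evenly spaced contacts before calling a host C2


def parse_log(text):
    """Parse the constructed log format into time-sorted event lists keyed by client."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ctype, referer = line.split()
        by_client[client].append({
            "t": datetime.fromisoformat(ts), "method": method, "url": url,
            "host": urlparse(url).netloc, "ctype": ctype,
            "referer": None if referer == "-" else referer})
    for events in by_client.values():
        events.sort(key=lambda e: e["t"])
    return by_client


def referer_hops(events, doc):
    """Walk the Referer chain backwards from the exploit document.
    Returns (landing host, number of hops); the hop guard stops referer loops."""
    by_url = {e["url"]: e for e in events}
    cur, hops = doc, 0
    while cur["referer"] in by_url and hops < 20:
        cur = by_url[cur["referer"]]
        hops += 1
    return cur["host"], hops


def beacon_host(events, after):
    """Return a host contacted at least MIN_BEACONS times at near-regular intervals after `after`."""
    per_host = defaultdict(list)
    for e in events:
        if e["t"] > after:
            per_host[e["host"]].append(e["t"])
    for host, times in per_host.items():
        if len(times) < MIN_BEACONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Evenly spaced callbacks: spread of the gaps within 20% of the mean gap.
        if statistics.pstdev(gaps) <= 0.2 * statistics.mean(gaps):
            return host
    return None


def find_chains(text):
    """Report, per client, which stages of the chain were observed around each exploit document."""
    findings = []
    for client, events in parse_log(text).items():
        for doc in (e for e in events if e["ctype"] in EXPLOIT_TYPES):
            landing, hops = referer_hops(events, doc)
            stages = ["exploit_doc"]
            if hops > 0 and landing != doc["host"]:
                stages.insert(0, "redirect_chain")
            drop = next((e for e in events if e["ctype"] in DROPPER_TYPES
                         and 0 <= (e["t"] - doc["t"]).total_seconds() <= DROP_WINDOW_S), None)
            if drop:
                stages.append("dropper")
                c2 = beacon_host(events, drop["t"])
                if c2:
                    stages.append("callback:" + c2)
            if len(stages) >= 2:   # a lone document fetch (e.g. an intranet report) is not evidence
                findings.append({"client": client, "exploit_host": doc["host"], "stages": stages})
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG):
        print(f["client"], f["exploit_host"], " -> ".join(f["stages"]))
```

Run against the sample, client 10.0.0.5 shows the full chain (redirect hops, PDF, EXE, regular POSTs to one host) while 10.0.0.7 shows the shorter SWF-then-EXE pattern with no callback, and 10.0.0.9's ordinary PDF download is not reported at all. In practice the thresholds and content-type lists would be tuned to the proxy in use, and the referer walk only works when the browser actually sends Referer headers across the iframe hops.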

On May 16, 2009, at 11:39 PM, snort user wrote:

Greetings All,

Typically, network based attacks have multiple stages
(reconnaissance, infection, download rootkit, call home, further infection, etc.).

Some attacks may have a single stage (without reconnaissance) to
compromise a host.
However, even those attacks have a post-compromise stage, such as call home
or transfer/steal data or something else.
Otherwise, what's the motivation for compromising in the first place?

Can someone enlighten me if there are attacks that only have a single stage?
Examples or scenarios are much appreciated.


Thanks






