Automated Patch-Based Exploit Generation
davidh
April 19th, 2008, 01:01 AM
The Patch Window is Gone: Automated Patch-Based Exploit Generation
Published: 2008-04-18,
Last Updated: 2008-04-18 21:20:54 UTC
by John Bambenek (Version: 1)
The process often took minutes, so when/if the method is improved it could be trivial to create something that grabs patches ASAP, turns out an exploit in minutes and starts infecting vulnerable machines before 3am during the monthly patch dump with automated patching.
http://isc.sans.org/diary.html?storyid=4310&rss
DH
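The diary excerpt above describes deriving an exploit from the patch rather than from the vulnerability report. The following toy is an added illustration and is not code from the original post, the ISC diary, or the research it summarises: both versions of a routine are written as instruction lists for a tiny interpreter (constructed here; no real binary is involved), the two streams are diffed to recover the guard the patch added, and an input that fails that guard is searched for and confirmed to overflow the unpatched version while being rejected by the patched one. Real work of this kind diffs compiled code and uses symbolic execution to solve the added check; the names and instruction format are assumptions for this example.

```python
import difflib
import operator

# Constructed toy programs: a routine that copies `n` caller-controlled bytes
# into a 64-byte buffer, before and after a fix that adds a length check.
BUF_SIZE = 64
UNPATCHED = [
    ("load", "n", "arg0"),        # n = first argument
    ("copy", "buf", "n"),         # copy n bytes into buf (no bounds check)
    ("ret",),
]
PATCHED = [
    ("load", "n", "arg0"),
    ("check", "n", "<=", BUF_SIZE),   # the patch: reject oversized n
    ("copy", "buf", "n"),
    ("ret",),
]
OPS = {"<=": operator.le, "<": operator.lt, ">=": operator.ge,
       ">": operator.gt, "==": operator.eq, "!=": operator.ne}


def added_checks(old, new):
    """Diff two instruction streams and return only the guards the patch inserted."""
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    return [ins for tag, _, _, j1, j2 in sm.get_opcodes() if tag == "insert"
            for ins in new[j1:j2] if ins[0] == "check"]


def violating_input(check, lo=0, hi=1 << 16):
    """Smallest integer in [lo, hi) that makes the added check fail.

    In the real technique this is a constraint solved symbolically; here the
    domain is small enough to enumerate."""
    _, _, op, bound = check
    for v in range(lo, hi):
        if not OPS[op](v, bound):
            return v
    return None


def run(program, arg0):
    """Toy interpreter: returns 'ok', 'rejected' (guard tripped) or 'overflow'."""
    env = {}
    for ins in program:
        if ins[0] == "load":
            env[ins[1]] = arg0
        elif ins[0] == "check":
            if not OPS[ins[2]](env[ins[1]], ins[3]):
                return "rejected"
        elif ins[0] == "copy":
            if env[ins[2]] > BUF_SIZE:
                return "overflow"
        elif ins[0] == "ret":
            return "ok"
    return "ok"


def generate_exploit(old, new):
    """For each guard the patch added, find an input that the old version
    mishandles and the new version rejects; return (guard, input) pairs."""
    found = []
    for chk in added_checks(old, new):
        v = violating_input(chk)
        if v is not None and run(old, v) == "overflow" and run(new, v) == "rejected":
            found.append((chk, v))
    return found


if __name__ == "__main__":
    for chk, v in generate_exploit(UNPATCHED, PATCHED):
        print("patch added %r; input %d overflows the unpatched build" % (chk, v))
```

The point the diary makes is visible in the last function: once the added check is located, the candidate input falls out almost mechanically, and the unpatched program itself serves as the oracle that confirms it.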
Judy G. Russell
April 19th, 2008, 01:53 PM
The Patch Window is Gone: Automated Patch-Based Exploit Generation
You know, there are a lot of bad things that can happen online. But I could also get hit by a truck leaving my front yard. I think people need to be reasonably vigilant in self-protection: a firewall, a good AV program... but it seems to me it'd be all too easy to get paranoid about this stuff.
sidney
April 19th, 2008, 04:32 PM
it'd be all too easy to get paranoid about this stuff.
Sometimes there may be reason to be paranoid. But it would be good to realize that the worst case scenario for this is that your computer and every other computer on the Internet that is running Windows gets hit by a worm a few minutes after a Patch Tuesday patch is released. So have a backup handy, the one that you would rely on if your hard disk suddenly failed, which can happen even when it is not Patch Tuesday.
Oh, wait, even a worm cannot spread if your Windows machine is not running a service that is listening on some port that is accessible to the public Internet, the kind of thing that Gibson's Shields Up! site tests for and that any reasonable firewall ensures against. So that eliminates the scenario of every Windows machine in the world being taken over in a few minutes. How about every Windows server on the public Internet being taken down a few minutes after a Patch Tuesday patch is released? Not quite so bad. Serves them right for running Windows.
In any case, while I was typing this I thought of several workarounds that Microsoft could use to prevent this kind of automated generation of attacks from analysis of the Patch Tuesday patches. And I haven't even had my morning coffee yet. Maybe they'll even bother using some of them.
Personally, I'll stick to my Mac and Linux machines. They aren't perfect, but they really aren't so susceptible to these types of exploits.
davidh
April 19th, 2008, 06:14 PM
You know, there are a lot of bad things that can happen online. But I could also get hit by a truck leaving my front yard. I think people need to be reasonably vigilant in self-protection: a firewall, a good AV program... but it seems to me it'd be all too easy to get paranoid about this stuff.
I think that most anti-virus programs are still mainly signature-based. Such would offer little or no protection against such "day 1" exploits, let alone "zero-day" exploits.
Firewalls are generally not designed to protect against this kind of threat. (However, Comodo firewall, for example, does monitor registry changes rather carefully, sometimes rather obnoxiously carefully, depending on how you set it up, or whatever. This type of firewall action could catch some "day 1" exploits.)
Something that actually DOES offer a significant degree of protection against such "day 1" threats (if I may use such a term to distinguish them from "zero-day" threats) is using NoScript extension of Firefox. Even after the exploits would be automatically generated from the Windows patches, the exploits still have to be "distributed" to previously infected web servers or to newly infected web servers, of which there are many, long unpatched, even on commercial and government web sites (i.e. not gangster owned web sites). NoScript lets you block Java, Flash, & other Plugins even on sites that you have whitelisted in NoScript. This can protect you against exploits of vulnerabilities even in non-Microsoft programs (plugins). That is you could be protected for example even against a compromised 3rd party Flash ad (i.e. the exploit would be a zero-day or day 1 hole in the Flash plugin engine) that somehow got uploaded onto a commercial web site that you trust to run Java-scripts.
Intrusion Detection and Prevention software offer additional protection above and beyond what NoScript does. For example, I use both Firekeeper and Finjan Safe Browsing extensions for Firefox. I'm not sure, but I don't think they are redundant to each other, that's why I have both.
Furthermore, online-database-based site vetting software such as McAfee SiteAdvisor or equivalent software from TrendMicro gives you additional protection when searching for sites in Google (maybe the Yahoo search engine too, I think).
Gaining an equivalent level of protection when using MS IE is more difficult. You can raise security to high, but then you have to manually add sites you NEED and TRUST to the trusted zone (which is significantly more work for the user than using NoScript in Firefox).
Using anti-virus and firewall alone offers about the same level of protection as wearing a mini-skirt without panties, some but not a lot. Although I can't claim that I have experimented with that wardrobe personally on my own self.
Of course, if one is very careful about what one clicks on and only visits the same small set of web sites over and over, e.g. Yahoo mail and one blog or one online group, then anti-virus and firewall only might be enough protection. Personally I search quite a bit on Google, so I would consider such limited protection foolish in my case.
David H.
davidh
April 19th, 2008, 06:26 PM
By the way OpenDNS provides a number of free options above and beyond their free DNS service. One of which is a free parental control feature. I believe that the parental control feature does require installing some relatively small program on your Windows PC, but it's apparently much less intrusive than pay-for parental control software (and maybe just as good?).
I have not yet tried this yet but am strongly inclined to do so, just to protect against slipping the mouse a couple mm by accident when on Google, for example.
For those who have children or other untrustworthy residents or visitors to one's home and PC this service of OpenDNS might be quite useful.
David H.
davidh
April 19th, 2008, 06:42 PM
In any case, while I was typing this I thought of several workarounds that Microsoft could use to prevent this kind of automated generation of attacks from analysis of the Patch Tuesday patches. And I haven't even had my morning coffee yet. Maybe they'll even bother using some of them.
I just read an article yesterday, I think, claiming that Microsoft will as a courtesy disable compromised ActiveX controls of any developer/vendor who makes a formal request to them. As I understand it, such a disabling would be added to the monthly Windows patches. Basically, I think the principle is that they add a registry entry that sets a "kill bit" to disable the ActiveX control provided that it has the "checksum" (or internal ID or whatever) of the compromised version of the ActiveX control. So, if you actually have and/or get the patched ActiveX control it would still work fine.
I lost the URL of the story and don't want to look for it :(
David H
Judy G. Russell
April 20th, 2008, 11:17 AM
Oh, wait, even a worm cannot spread if your Windows machine is not running a service that is listening to some port that is accessible to the public Internet, the kind of thing that Gibson's Shields Up! site tests for and that any reasonable firewall insures against.
Exactly: a good firewall, a good AV program and some common sense and you personally can be reasonably confident that you personally are not going to get hit by the Internet equivalent of that bus. Nothing is 100% (not even Mac or Linux!), but I'm not going to lose sleep over the percentage point or two between what I'm doing and the theoretical best that can be done.
However, your comment about being able to figure out several ways Microsoft could protect against worst-case scenarios before you'd even had your morning coffee makes me even more annoyed than I usually am at Microsoft!
davidh
April 20th, 2008, 05:33 PM
Exactly: a good firewall, a good AV program and some common sense and you personally can be reasonably confident that you personally are not going to get hit by the Internet equivalent of that bus. Nothing is 100% (not even Mac or Linux!), but I'm not going to lose sleep over the percentage point or two between what I'm doing and the theoretical best that can be done.
Social engineering is often quite effective. The very recent spear-phishing attack in which fake federal subpoenas were emailed to tens of thousands of CEOs had enough accurate personal info (e.g. phone numbers) of the CEOs in them to dupe a significant percent (10%?) of the CEOs into clicking on a link in the email and thus getting infected. Apparently only about 8 out of over 30 anti-virus programs caught the exploit, and some of the major anti-virus vendors missed it.
TECHNICAL DETAILS: The malicious code that gets downloaded is a CAB with acrobat.exe inside. There is good AV coverage of this right now it looks like. The malware then creates a Browser Helper Object (BHO) at %WINDIR%\system32\acrobat.dll and opens a hidden IE window to communicate with the command and control server. The BHO will also steal any certificates installed on the system. The C&C server is hard-coded to an ISP in Singapore at this time. (Thanks to Matt Richard of Verisign for the info).
UPDATE 13:04 CDT: Here are the VirusTotal results... guess coverage isn't that good. If you have someone infected, back up data and reinstall; targeted phishes like this ought to concern us more than general ones, and the only way to be safe is to "burn it down" and start over if an infection happens.
UPDATE 13:14 CDT: Here is another malware variant of the same thing, but VirusTotal only has 3/32.
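Two registry facts sit behind the posts above: the ActiveX kill bit that David mentions is a per-CLSID value ("Compatibility Flags" = 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}), which is why a fixed control normally ships under a new CLSID, and the BHO that the ISC diary describes has to be registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID} with its DLL path in HKCR\CLSID\{CLSID}\InprocServer32. The script below is an added example, not code from the thread or from ISC, that parses the text of a `reg export` (.reg) file and answers both questions offline: which controls are kill-bitted, and which BHOs are loaded and from where. The sample export and its CLSIDs are constructed placeholders; on a real machine you would feed it the output of `reg export` for those keys.

```python
import re

# Constructed sample of a `reg export` (.reg) file.  The CLSIDs are
# placeholders, not real controls; the BHO entry mirrors the diary's
# description of a DLL dropped as %WINDIR%\system32\acrobat.dll.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-3333-3333-3333-333333333333}]

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}]
@="Acrobat Helper"

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\WINDOWS\\system32\\acrobat.dll"
"ThreadingModel"="Apartment"
'''

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating the control
AX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}; '@' is the default value.

    dword values become ints, quoted strings are unescaped, other value
    types (hex:, binary) are kept as their raw text."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        if key is None:
            continue  # value line before any key header: malformed, skip
        name, _, val = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if val.startswith("dword:"):
            reg[key][name] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            reg[key][name] = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            reg[key][name] = val
    return reg


def killbitted_clsids(reg):
    """CLSIDs whose ActiveX Compatibility entry has the kill bit set."""
    prefix = AX_COMPAT.lower() + "\\"
    out = []
    for key, vals in reg.items():
        if key.lower().startswith(prefix):
            m = CLSID_RE.search(key)
            if m and vals.get("Compatibility Flags", 0) & KILL_BIT:
                out.append(m.group(0))
    return out


def registered_bhos(reg):
    """(CLSID, in-process DLL path) for every BHO Internet Explorer will load."""
    prefix = BHO_KEY.lower() + "\\"
    out = []
    for key in reg:
        if key.lower().startswith(prefix):
            clsid = CLSID_RE.search(key).group(0)
            srv = reg.get(r"HKEY_CLASSES_ROOT\CLSID\%s\InprocServer32" % clsid, {})
            out.append((clsid, srv.get("@")))  # None if the server key is missing
    return out


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("kill-bitted:", killbitted_clsids(reg))
    for clsid, dll in registered_bhos(reg):
        print("BHO %s loads %s" % (clsid, dll))
```

The BHO list is worth reviewing on any IE-era machine suspected of the infection described above: a BHO is loaded into every IE process, including the hidden window the diary mentions, so an unfamiliar DLL path here is the first thing to check.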
davidh
April 20th, 2008, 06:07 PM
I'm assuming that when the nasty link is clicked, the email program has to fire up a browser, unless the victim happens to be using web mail in the first place.
It's not clear to me from the ISC diary how far the infection would get with Firefox. Apparently the BHO would actually have to execute for the ID theft to work. AFAIK MS IE would have to be run at least once for a BHO to do something. Firefox does not use BHO's.
I doubt that the payload would both be downloaded AND installed without further user action if one was using Firefox with NoScript.
3/32 detection rate with anti-virus apps is not very good.
Of course, there are a lot of users who would even willingly download and install an infected (i.e. bogus) document "reader" when the email scam artist tells the user that he needs to install the reader to display the document.
I'm not sure that "paranoia" is an inappropriate response. It's so easy to get infected email from a trusted friend if his computer is infected. And even if it's not from your trusted friend's computer, the only way you have a chance of knowing so is by looking at all the email headers, and who's going to take the trouble. Of course sometimes the bad English is a giveaway. However, cybercriminals should be able to hire people who have a few English writing skills.
By the way, there are a few remarks that might be interesting to lawyers in the quoted ISC article.
David H.
P.S. The automated generation of Windows exploits should be of little worry to those who have Windows updates set to automatic.
The same idea of automated generation of exploits would also apply to third party programs. Therefore it probably would be a good idea to set those 3rd party apps (e.g. plugins) you use for automatic check for updates if possible, even tho' that would slow down your windows PC boot up.
Unfortunately, some, like Adobe Flash currently only let you set it to check every 7 days at the most frequent. And what's even more disgusting is that you have to visit a special Flash page on adobe.com [?] to even be able to set the option to 7 days.
Currently I only run Secunia Personal Software Inspector "on demand" instead of "resident". I'm thinking that it might be worthwhile to keep it resident since I do use Real Player, Quicktime, Flash, Java, to view multimedia movie clips, etc.
Judy G. Russell
April 21st, 2008, 06:10 PM
I'm not sure that "paranoia" is an inappropriate response. It's so easy to get infected email from a trusted friend if his computer is infected. And even if it's not from your trusted friend's computer, the only way you have a chance of knowing so is by looking at all the email headers, and who's going to take the trouble.
If I get hit, that's what backups are for.