The Dangers of Exploits and Zero-Days, and Their Prevention.

You don’t need to hear it from me that the Internet is a really interesting phenomenon, and mega-useful for all those who use it. But at the same time its openness and uncontrollability mean that a ton of unpleasantness can also await users – not only on dubious porno/warez sites, but also on completely legitimate, goody-two-shoes, butter-wouldn’t-melt-in-mouth sites. And for several years already the Internet has been a firm fixture on the list of the main sources of cyber-infections: according to our figures, in 2012, 33% of users were attacked via the web at least once.

If you dig deeper into the structure of net-based unpleasantness, you always come across three principal categories of threats: Trojans, exploits, and malicious tools. According to data from our cloud-based KSN (video, details), the breakdown is as follows:

The ten-percenter in the above pie chart as you can see belongs to so-called exploits (their share will actually be greater in reality, since a lot of Trojans have a weakness for exploiting… exploits). Exploits are mostly exotic peculiarities to non-professionals – while a real headache for security specialists. Those of you more in the latter category than the former can go straight here. For the rest of you – a micro-lesson in exploits…

Software is designed by humans, and humans forget things and make mistakes. Plus, no “perfect” method of programming has been invented to date. As a result, practically every bit of software contains vulnerabilities – that is, errors in its programming code via which attackers can take control of a system, mess it up, etc. And the code that exploits vulnerabilities in programs is called… wonder of wonders – an exploit.

So which programs are most often attacked by exploits? Here are our statistics for 2011:

(So much hassle caused by Adobe Reader. Eh? And all it does is display pdfs, as plenty of other programs do… Agh, the inhumanity.)

Vulnerabilities can be used by exploits, or go unexploited, depending on the popularity and functionality of the given program and, correspondingly, the level of attention it gets from the cyber-rascals. A typical example was the recent Flashback Mac-Trojan incident last month. The vulnerability, in Java, was discovered as early as the beginning of the year, but the exploit for Mac appeared a month later. What’s important is that if a vulnerability in a specific program hasn’t been found, that doesn’t mean it doesn’t exist. It only means that (i) it’s used by too few folks for a vulnerability to be found by accident, or (ii) it’s so insignificant a program that it’s not worth the bother (of the cyber-baddies) digging into it to search for mistakes.

A usual scenario goes like this: A vulnerability is discovered by a researcher, who reports it to the developer. The developer then urgently patches the vulnerability with… yep, a patch. Only then does the cyber underground pull itself together, come up with an exploit, and try to attack users who haven’t got round to installing the patch yet.

I write “a usual scenario”, but maybe it’d be better to describe such a scenario as what we’d prefer to have each time (with a time gap between the vulnerability’s discovery and the exploit’s appearance). I say this because what often actually happens is that the exploit appears together with the first news about the vulnerability, or the developer (for example Apple in the Flashback incident) drags its feet in releasing a patch, and as a result the exploit gets let loose into the wild before a patch becomes available. An exploit for which there’s no patch yet is called a zero-day exploit (zero days after (i.e., before!) the patch). And it’s zero-day (or 0-day) exploits/attacks that are the nastiest variety.

Here’s some interesting info on the geographical distribution of sources of web attacks, the majority of which use exploits:

The location of an attacking site does not necessarily mean that whoever is behind the attack is also from there. Far from it. The cyber swine can easily register a site to a front company or non-existent individual abroad and conduct the malicious activity from there.

Now, two of the most widespread methods of attacks via exploits are:

  • Drive-by downloads (85% of all attacks via the Internet). These entice you to a site which, with the help of an exploit kit, scans the browser for vulnerabilities and, if any are found, unnoticeably infects the computer. This method is widely used in mass attacks for reaching the maximum destructive effect. In approximately a third of cases, the attacking site turns out to be a legitimate website of some respected organization or other, which was hacked and injected with special malicious code.
  • Targeted attacks. Here, a user unsuspectingly (foolishly? :) launches an infected file (for example, a pdf), which scans the installed software it runs on (in the pdf example, Adobe Reader) for vulnerabilities, and, if any are found, infects the computer through them. The file itself can be delivered by all sorts of different routes – e-mail, web file archives, USB sticks, etc. Targeted attacks are precision attacks with a particular pinpointed target – like the missiles taking out those Range Rovers at the end of Syriana – not mass attacks on anything and everything (like carpet bombing). Targeted attacks are also sometimes called Advanced Persistent Threats (APT). They target specific individuals or organizations and distinguish themselves by using sophisticated social engineering techniques.

Now here’s the thing: the 10% share of Web-originating threats coming from exploits in our statistics (first pie-chart – above) in actual fact amounts to just as much of a problem as the 83% share of threats coming from Trojans! For example, at the moment the most widespread exploit kit is one called Blackhole, which is able to infect over 30% of the computers visiting a compromised website (depending on the traffic, installed software and security). Not a single Trojan could ever even dream of such a figure!

We’ve been fighting exploits for years now, with an impressive success rate. Our products have a dedicated database containing signatures of known exploits, malicious URLs via which infections are loaded, and also special heuristic and proactive technologies for detecting the future challenges of this type of threat. If this kind of malicious code is found, the program is blocked, the user and sysadmin are warned, and the actions of the attack are rolled back. We also provide a very useful feature for on-demand scanning for the presence of vulnerabilities:

And now for a spoiler about a very tasty morsel of a feature in the upcoming version of KIS/KAV. With the release of the new version of our Endpoint Security in the first quarter of next year it will be accessible to corporate users too. As you’ll have guessed, this feature has something to do with protection against exploits. To be more precise – against unknown exploits, that is, those same zero-days!

I often get asked how it’s possible to provide protection against something that’s unknown. My answer is always: by closely observing evolving threats. We have about a thousand top-notch R&D specialists all around the world who model threats, research trends, and generally in all sorts of weird and wonderful ways think about tomorrow’s world and your computer’s security in it.

First of all we have one of the most progressive multi-level arsenals for the fight against future threats – emulation, heuristics, HIPS, behavior blockers, cloud-based reputation services, whitelisting, application control, and a whole array of proactive technologies. Secondly, “unknown” in computer security speak is not as mysterious and inconceivable as in real life!

Of course there’s always some likelihood of the appearance of some absolutely new kind of outbreak, which can hardly be foreseen or proactively protected from. But in the majority of cases maliciousness generally acts according to a certain pattern of conduct and uses particular tools. And this is how we catch them out! And as experience shows – rather successfully.

So, what’s that tasty morsel for protection against unknown exploits in KIS/KAV 2013 going to be?

Here’s what: we’ll significantly improve the System Watcher module (which monitors programs’ activity) with new Automatic Exploit Prevention (AEP) technology. Its title is fairly self-explanatory as regards what it does, but precisely how it does it requires some detail.

Actually, AEP is the umbrella name for a whole spectrum of anti-exploit features. First, we added to our database special patterns of exploits’ behavior. System Watcher uses these templates to control the actions of applications (for example, browsers), detect suspicious activity, and block it. Second, the system tracks the source of files and counteracts drive-by downloads. In addition to that, we’re integrating with the Attachment Execution Service (AES) to distinguish files created with and without the knowledge of the user. Third, for the most critical programs and extra modules (for example, plugins for browsers), we’ll enforce the use of ASLR technology. Each time it’s used, ASLR changes the layout of the address space of attacked programs in a random way. As a result, even if an exploit triggers a vulnerability, it won’t be able to launch its malicious code, since it won’t know the code’s exact location in memory!
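As an added illustration of the ASLR point above (this is not code from the post or from Kaspersky’s products), the following Python reads the DllCharacteristics field of a Windows PE header and reports whether the image opts into ASLR via the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag; a browser plugin built without this flag is exactly the kind of module that needs ASLR enforced from outside. The sample header is constructed inline, so the script runs offline; the function and constant names are my own.

```python
import struct
import sys

# Flags from the PE/COFF specification (Optional Header, DllCharacteristics).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in, read for context only


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; raise ValueError otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 or PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    return struct.unpack_from("<H", data, opt + 70)[0]


def aslr_status(data: bytes) -> str:
    """Classify an image as 'opt-in', 'opt-out' (no ASLR flag) or 'not-pe'."""
    try:
        flags = pe_dll_characteristics(data)
    except ValueError:
        return "not-pe"
    return "opt-in" if flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE else "opt-out"


def build_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32+ header (not a runnable executable) for demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew: PE header right after DOS stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<H", opt, 68, 2)                     # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python aslr_check.py <path-to-exe-or-dll>; defaults to the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print(aslr_status(blob))
```

An image that reports "opt-out" loads at a fixed base unless the OS or a product such as AEP forces relocation, which is what leaves its code at a predictable address for an exploit.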

AEP is currently being tested and showing impressive results. We put through it a whole mass of exploits for Flash Player, QuickTime, Adobe Reader, Java and other programs – and we got a 100% detection rate! Especially fab was the successful detection of an exploit for the recent well-publicized vulnerability in Windows Media Player: the exploit allowed a computer to be infected via a specially crafted MIDI music file, and worked on all versions of Windows from XP onwards. What’s critical here is that thanks to AEP we catch 100% of the exploits of the Blackhole exploit kit, while the industry’s average score is only 94%.

To conclude, a few more preventive measures – in addition to the above-described technologies.

As they say, trust in your antivirus, but don’t slip up yourself. By this I mean that the key to prevention is abiding by simple rules, like “wash your hands before eating”. An attack by malware or an exploit in the above-described way is possible via all sorts of suspicious sites. Think long and hard before visiting those porno/warez sites – are they really worth the risk? And of course, never forget the golden rule of computer hygiene: don’t under any circumstances open suspicious attachments.

16 Responses to “The Dangers of Exploits and Zero-Days, and Their Prevention.”

  1. Welcome MMXIII. INDIA awaits you.

  2. You guys are Fantastic..

Trackbacks/Pingbacks

  1. Safe Money: A Virtual Safe for Virtual Money – that Actually Works. | Nota Bene - August 14, 2012

    […] to thieve data, take screenshots, and log keyboard strikes. Infection frequently occurs via a vulnerability in popular […]

  2. Windows 8: We’re Ready Already | Nota Bene - September 6, 2012

    […] and specific features have been covered here on this blog of mine – for example posts about automatic protection from vulnerabilities and making secure […]

  3. Safe Money: An Online Security System for Online Financial Transactions – That Really Works. | Nota Bene - September 17, 2012

    […] synchronizes all the product’s components (including [had I perhaps forgotten to mention it?] Automatic Exploit Prevention to block both known and unknown attacks) to ensure the security of the […]

  4. Banking Protection: Virtual Security for Virtual Money – It Really Works! | Nota Bene - September 17, 2012

    […] is typing on their keyboard. Infection regularly takes place through a vulnerability in a piece of software […]

  5. The Dangers of “Exploits” and “Zero-Days”, and How to Prevent Them. | Nota Bene - September 17, 2012

    […] on these problems. Those who belong to the latter category can go straight here. For the rest, here’s a little refresher course on […]

  6. Safe Money: A Virtual Safe for Virtual Money That Really Works | Nota Bene - September 17, 2012

    […] take screenshots and attack our keyboard. Infections generally happen through vulnerabilities in the most […]

  7. The Dangers of Exploits and Zero-Days and How to Prevent Them | Nota Bene - September 17, 2012

    […] in security. Those who belong to this latter category can go straight here. For everyone else, here is a mini-lesson on […]

  8. The Dangers of Exploits and Zero-Days, and Their Prevention. | Nota Bene - September 17, 2012

    […] for security experts. Those who belong to the second category can go straight here. For the rest, here you’ll find a mini-lesson on […]

  9. In Denial about Deny All? | Nota Bene - October 3, 2012

    […] As you’ll probably be able to guess, these two security stances represent two opposing positions in the balance between usability and security. With Default Allow, all launched applications have a carte-blanche to do whatever they damn-well please on a computer and/or network, and AV here takes on the role of the proverbial Dutch boy – keeping watch over the dyke and, should it spring a leak, frenetically putting his fingers in the holes (with holes of varying sizes (seriousness) appearing regularly). […]

  10. Kaspersky Lab Developing Its Own Operating System? We Confirm the Rumors, and End the Speculation! | Nota Bene - October 16, 2012

    […] (costs) are normally cut on this kind of activity, and patches are released only if a certain exploit has been found and put on the Internet. In fairness, this is true for common, garden variety […]

  11. It’s Not All Just Antivirus, You Know. Introducing Kaspersky Security for Business. | Nota Bene - January 31, 2013

    […] Automatic Exploit Prevention – already tried and tested and praised to the hilt in our home products. AEP incidentally was the tech that blocked the attack through the vulnerability used in operation Red October before the operation was uncovered. Neat. […]
