Automated Google-Hacking

Hackers are conducting reconnaissance efforts on a massive scale.  Attackers are increasingly leveraging the power of search engines, like Google, to carry out probe and enumeration exercises against vulnerable websites, according to a report by Imperva.  Google and other search engines have put in place “anti-automation” measures to hamper search engine abuse, but staying ahead of a determined opponent is proving to be quite challenging.

Under the label “Google Hacking,” attackers run specially crafted search queries from their botnet zombies’ browsers, generating tens of thousands of queries a day while bypassing the deterrent measures.  The aim of these queries is to identify potential attack targets and to build an accurate picture of the resources on each server that could be exposed.  By automating the queries and using zombies to distribute the load and parse the results, the attacker can run a very large number of searches, filter the returned results and deal only with a short list of potentially exploitable sites, in a very short time and with minimal effort.  The botnet’s dispersed nature gives search engines the impression that individual users are performing routine searches.

One common feature of most search engines is that they can be directed to return results focused on specific potential targets by using a set of query operators.  For example, the attacker may focus on all potential victims in a specified geographic location (i.e. per country); in this case the query includes a “location” search operator.  In another scenario, an attacker may want to target all vulnerabilities in a specific web site, and achieves this by issuing different queries containing the “site” search operator.  Only those sites that expose that particular weakness or use that specific code will be present in the results displayed.
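A site owner can see this kind of targeting from the other side: a visitor who arrives from a search engine carries the search query in the Referer header, and a query built from operators such as “site:” says more about the visitor’s intent than the page they landed on.  The following is an added example, not code from the original post or from Imperva; the search-engine host list, the operator list and the log lines are constructed for illustration.

```python
# Added example (not from the original post): flag web-server log entries whose
# Referer is a search-engine query built from advanced operators such as "site:".
import re
from urllib.parse import urlparse, parse_qs

# Assumed: search-engine hosts whose referrals we inspect and the query parameter
# each one uses (Google and Bing use q=, Yahoo uses p=).
SEARCH_ENGINES = {"www.google.com": "q", "www.bing.com": "q", "search.yahoo.com": "p"}

# Operators whose presence in a referring query is worth a second look.
SENSITIVE_OPS = {"site", "inurl", "intitle", "intext", "filetype", "ext"}

# operator:value tokens, e.g. site:example.com or -inurl:"login page"
OPERATOR_RE = re.compile(r'(?:^|\s)(-?)([a-z]+):("[^"]*"|\S+)', re.IGNORECASE)

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$'
)

def search_query_from_referer(referer):
    """Return the search query carried by a search-engine Referer URL, else None."""
    u = urlparse(referer)
    param = SEARCH_ENGINES.get(u.hostname or "")
    if param is None:
        return None
    values = parse_qs(u.query).get(param)
    return values[0] if values else None

def parse_operators(query):
    """Split a query into [(operator, value), ...] and the remaining free text."""
    ops = [(("-" if neg else "") + name.lower(), value.strip('"'))
           for neg, name, value in OPERATOR_RE.findall(query)]
    free_text = " ".join(OPERATOR_RE.sub(" ", query).split())
    return ops, free_text

def flag_probe_referrals(log_lines):
    """Return one finding per log line that arrived via an operator-driven search."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, referer = m.groups()
        query = search_query_from_referer(referer)
        if query is None:
            continue
        ops, _free_text = parse_operators(query)
        if any(op.lstrip("-") in SENSITIVE_OPS for op, _ in ops):
            findings.append({"ip": ip, "path": path, "query": query, "operators": ops})
    return findings

# Constructed sample log lines (not real traffic). The first visit arrived via a
# query that restricts results to this site and to admin URLs; the others are routine.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2011:12:00:01 +0000] "GET /admin/login.php HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=site:example.com+inurl:admin" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2011:12:00:05 +0000] "GET /products HTTP/1.1" 200 8192 '
    '"http://www.google.com/search?q=example+widgets" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2011:12:00:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in flag_probe_referrals(SAMPLE_LOG):
        print(f"{f['ip']} hit {f['path']} via search operators {f['operators']}")
```

Run against a real access log the same way, feeding lines to `flag_probe_referrals`; a burst of such referrals from many unrelated source addresses is the distributed pattern the report describes, so the findings are worth grouping by query rather than by IP.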

From the report, here is the Hacker’s 4 Step Industrialized Attack:

Chrome & Win-7 Security By-Passed

French security company Vupen says that it’s hacked Google Chrome, sidestepping the browser’s built-in “sandbox” AND also evading Windows 7’s integrated anti-exploit technologies.  The claims have not yet been confirmed by the vendors.

The exploit is one of the most sophisticated pieces of code that Vupen has created so far, according to their blog.  The exploit can be served from a malicious Web site, and if a Chrome user surfed to that site, the exploit executes various payloads to download an executable from a remote location, launching it outside the sandbox at “Medium integrity level”.  It is silent (no crash after executing the payload), it relies on undisclosed (‘zero-day’) vulnerabilities and it works on all Windows systems.

Vupen posted a video demonstration of its exploit on YouTube.  That is what I call “fugly”.  I hope that Vupen keeps this code wrapped up tightly until both Microsoft and Google have had a crack at patching against it.

ComputerWorld

Google Buys Malware Research Firm Zynamics

Google has bought reverse-engineering and analysis tools firm Zynamics. Financial terms of the deal, announced on Tuesday, were undisclosed. 

Google’s security focus has been geared towards managing search engine optimisation (SEO), a tactic that causes links to fake-AV sites to appear prominently in searches for topical terms, and in the classification and blocking of malicious websites.  I expect that Zynamics’ existing malware analysis tools, including BinDiff, BinNavi and VxClass, will aid in this effort.

http://www.theregister.co.uk/2011/03/02/google_reverse_eng_buy/

Google Stings Microsoft

Google’s executives have grown suspicious of how closely Microsoft’s search engine results mirror their own. On Feb. 1, the blog Search Engine Land detailed Google’s “sting operation” against Bing.  

  • First, Google found some search terms with no matches on either search engine.
  • Next, Google created “honeypot” pages that appeared on top of its search results for those terms.
  • When a portion of Bing search results mirrored Google’s honeypot tainted results, accusations flew.


Google, Microsoft Hosted Malware Laced Ads

For a few days this week, criminals managed to infect Google’s DoubleClick and Microsoft’s Hotmail online ad networks with malicious advertisements that attacked users’ PCs, according to security consultancy Armorize.  The attacks started around Dec. 5 and lasted a few days, sending victims who clicked on the ads to malicious Web pages.  The pages took advantage of known software bugs to install backdoor programs, giving the attackers control of the victims’ PCs, or to install Fake-AV software that made it appear as though the PCs were filled with malicious software that could be removed, for a price…

NetworkWorld

“Help & Support” Exploit Used On 10,000 Systems

Nearly a month after a Google engineer (shame) irresponsibly disclosed details of a new Windows XP flaw, criminals are ramping up online attacks that leverage this bug.  Microsoft reported Wednesday that it has now logged more than 10,000 attacks.   At first it was only legitimate researchers testing proof-of-concept code.   Then on June 15th, the first real public exploits began to emerge.

“Those initial exploits were targeted and fairly limited.  In the past week, however, attacks have picked up.”  The attacks, which are being launched from malicious Web pages, are concentrated in the U.S., Russia, Portugal, Germany and Brazil, Microsoft said.   PCs based in Russia and Portugal, in particular, are seeing a very high concentration of these attacks.

To avoid falling victim, Microsoft advised users to turn off the part of the Help and Support system that is vulnerable. It has produced an automated tool that can do this for users.

BBCnews

Lessons Learned from Aurora

As Operation Aurora highlighted, advanced persistent threats (APT) are an increasingly common form of complex and directed attacks that use insidious techniques for gaining access to privileged systems and maintaining that access until all of the attackers’ goals and objectives have been met. Operation Aurora employed an APT technique that proved extremely successful in targeting, exploiting, accessing, and exfiltrating highly valuable intellectual property from its victims. This paper details Operation Aurora and provides some insight into what was learned and how to prevent such attacks from being successful in the future.

http://www.net-security.org/malware_news.php?id=1223

On Wednesday March 17th at 1PM EST, NetWitness and Forrester are hosting a webinar to investigate what qualifies as an APT, the latest APT methods, network forensics studies of true APT attacks on commercial and government organizations, and countermeasures to protect your enterprise and assets from these most insidious and persistent adversaries.

Google / Adobe Hacking Event Follow-up – APT Malware

I did not have much of an opportunity to blog about the Google and Adobe compromise when details came to light in January.  I put up a quick 10 liner on the 17th and moved on as I was too busy with the real details of protecting and detecting exploitation attempts from this and many other vulnerabilities.  So here I am with a quick summary of events and a little bit of detail provided mostly by Mandiant and Wired Magazine’s Kim Zetter.

It’s been about 3 weeks since Google announced that it had been targeted by a sophisticated and coordinated attack dubbed “Operation Aurora”.  Adobe, and roughly 30 other so-far-unnamed US companies, were also targeted.  So far we’ve been told that the attackers made use of a new vulnerability in Internet Explorer and obtained source code as well as access to the Gmail accounts of 2 human rights activists whose work revolves around China.  We also know a few details about how the stolen data was extracted, flowing to IP addresses in Taiwan.

Mandiant, a leading computer forensic firm, is providing the closest look so far at the nature of these attacks and the attackers’ profiles.  Their report never mentions Google or Adobe by name, but focuses on information gathered from “hundreds of forensic investigations” the firm has conducted that appear identical to what is known about the Google attack.  These attacks are identical to attacks that have quietly plagued thousands of other companies and government agencies since 2002.  They represent a major shift from the kinds of common, disorganized, opportunistic attacks that have hit networks and made headlines, and they are rapidly growing in number.

Kevin Mandia states “The scope of this is much larger than anybody has ever conveyed.  There are thousands of companies compromised. Actively, right now.”  Mandiant released the report last week in an effort to make companies aware of the threat.

Advanced Persistent Threats

These attacks are distinct in the uniqueness and complexity of the software used and in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion detection programs.  These new weapons are being called Advanced Persistent Threats (APT).  The APT’s goals are twofold.

  1. They steal information to achieve economic, political and strategic advantage. 
  2. More importantly, they establish and maintain an occupying force in their target’s environment, a force they can call on at any time. 

When the APT wants additional data from a target, they don’t need to re‐establish a presence.  They simply call on their existing assets, locate, steal and exfiltrate the data they need.

Financial system attackers, like those that attacked Heartland and RBS, tend to use SQL injection attacks to breach front-end servers.  They typically target quickly gatherable low hanging fruit, financial data or sensitive customer data, for cash conversion or identity theft.  Classical hackers also employ detectable smash-and-grab guerrilla tactics, and are fairly easy to kick off a network once detected.  After they grab what they want, they have little interest in sticking around. 

The APT attackers employ much harder-to-detect zero-day exploits and social engineering techniques against employees to breach their networks.  They do not currently target customer or credit card data.  Instead, their focus is on higher-value espionage, establishing a long-term occupying force inside a company’s perimeter.  They attempt to take every single Microsoft Word, PowerPoint and Adobe PDF document from every machine they compromise, as well as all email that they can find.  One common characteristic shared by all known APT attack victims is that they have dealings in China, including more than 50 law firms.

In 2008, Mandiant investigated a breach at a law firm that was representing a client in a lawsuit related to China.  The attackers were in the firm’s network for a year before law enforcement advised them that they had been hacked.  The intruders harvested thousands of emails and attachments from mail servers, and had uncontrolled access to every server, desktop, and laptop on the firm’s network.

APT attackers also appear to be well funded and organized.  In some cases, multiple groups were detected inside a network, each pursuing their own data in a seemingly uncoordinated fashion.  Last year, for example, an unidentified defense contractor discovered 100 compromised systems on its network, and found that the intruders had been inside since at least 2007. 

No one is immune: APT attackers strike defense contractors and government agencies as well as private companies.  A recent story revealed that three U.S. oil companies were hacked in what appears to be an APT attack.  These attacks have been kept fairly quiet, as most organizations do not volunteer information when they’ve been breached, or share the details of how they were hacked.  Most breaches are detected and reported to the victim company by a third party, often law enforcement.  By then, the attack and the extraction of data are long over, and little trace evidence is left.


Attack Techniques

APT attacks are sophisticated; however, they use simple techniques to gain entry and, once inside, follow a clear pattern.

  1. The attackers conduct reconnaissance to identify workers to target in spear-phishing attacks.  Key executives, researchers and administrative assistants who have access to sensitive information are popular targets.
  2. Malicious emails or instant messages that appear to come from a trusted colleague or friend are sent to the targets.  The communications have an attachment or provide a link to a file containing zero-day malware that exploits Microsoft Office or Adobe Reader vulnerabilities.
  3. Once the attackers have a foothold on one system, they focus their efforts on obtaining elevated access privileges and burrow further into the network.  This is done by grabbing employee password hashes from network domain controllers and either using a “pass-the-hash” tool that tricks the system into granting access with the hash itself, or running brute-force cracking tools against the hashes.  At this point, they own the network and move freely through it, compromising Windows systems as they go.
  4. Stolen email messages and documents are collected and stored on a staging server inside the company’s network perimeter, encrypted and compressed into .rar files.
  5. The files are then siphoned out in small random bursts using normal protocols with spoofed headers to disguise the activity.  In the case of the Google hack, the attackers used an SSL port but a custom protocol.

Some of the more sophisticated malware the attackers use is packed using customized packers to make it harder for investigators to reverse engineer and determine what it’s doing.  Some attackers also use self-destructing malware that erases itself if it fails to reach its destination.  The attacks tend to go undetected because most victims only monitor data coming into their networks, not inside a network or what is going out of it.
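Two of the points above translate directly into egress monitoring: a custom protocol on the SSL port does not begin with a TLS handshake, and exfiltration in small bursts still adds up when outbound bytes are summed per internal host and external destination over a window.  The following is an added example, not code from the original post, Mandiant or Wired; the internal address ranges, the flow-record format and the sample flows are assumptions constructed for illustration.

```python
# Added example (not from the original post): two egress checks over constructed
# flow records: (1) traffic to port 443 whose first bytes are not a TLS ClientHello,
# i.e. a custom protocol on the SSL port, and (2) outbound byte totals per
# internal host and external destination, summed over a time window so that
# many small bursts still add up.
import ipaddress
from collections import defaultdict

# Assumed internal address ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def looks_like_tls_client_hello(first_bytes):
    """True if the bytes start a TLS handshake record (0x16) carrying a ClientHello (0x01)."""
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16      # record content type: handshake
            and first_bytes[1] == 0x03      # record version major byte (SSL 3.0 / TLS 1.x)
            and first_bytes[2] <= 0x03
            and first_bytes[5] == 0x01)     # handshake message type: ClientHello

def find_egress_anomalies(flows, window_s=3600, byte_threshold=1_000_000):
    """Return (port/protocol mismatches, heavy talkers) for internal-to-external flows."""
    mismatches = set()
    per_window = defaultdict(int)
    for f in flows:
        if not (is_internal(f["src"]) and not is_internal(f["dst"])):
            continue  # only outbound traffic is of interest here
        if f["dport"] == 443 and not looks_like_tls_client_hello(f["first_bytes"]):
            mismatches.add((f["src"], f["dst"]))
        per_window[(f["src"], f["dst"], f["ts"] // window_s)] += f["bytes_out"]
    heavy = [(src, dst, total) for (src, dst, _w), total in per_window.items()
             if total > byte_threshold]
    return sorted(mismatches), sorted(heavy)

# Constructed flow records (not real captures): ts in seconds, first_bytes is the
# start of the client's payload, bytes_out is the client-to-server byte count.
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"
CUSTOM = b"\x00\x01\x02RAR!"
SAMPLE_FLOWS = (
    # 10.0.0.7 pushes twelve ~350 KB bursts to one external host on 443, no TLS handshake
    [{"ts": 1000 + i * 280, "src": "10.0.0.7", "dst": "198.51.100.9", "dport": 443,
      "first_bytes": CUSTOM, "bytes_out": 350_000} for i in range(12)]
    # ordinary HTTPS browsing from another host
    + [{"ts": 1200, "src": "10.0.0.8", "dst": "198.51.100.20", "dport": 443,
        "first_bytes": TLS_HELLO, "bytes_out": 20_000},
       {"ts": 2400, "src": "10.0.0.8", "dst": "198.51.100.20", "dport": 443,
        "first_bytes": TLS_HELLO, "bytes_out": 18_000},
       # internal file-share traffic, ignored by the egress checks
       {"ts": 2500, "src": "10.0.0.8", "dst": "10.0.0.50", "dport": 445,
        "first_bytes": b"\x00\x00\x00\x85\xffSMB", "bytes_out": 5_000_000}]
)

if __name__ == "__main__":
    mismatches, heavy = find_egress_anomalies(SAMPLE_FLOWS)
    print("non-TLS on 443:", mismatches)
    print("heavy outbound:", heavy)
```

The byte threshold and window are tuning knobs: the twelve bursts here are individually small, but ten of them fall in the same hour and cross the threshold together, which is the point of aggregating before alerting.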

APT attackers have used sniffers to grab headers from a company’s authenticated proxy communications to dynamically create their own credentials to mimic the communication.  They’ve also spoofed SSL certificates and hijacked chat programs to conduct communication between malware and command & control servers.

They will also disguise their activities by using process injections and stub malware.  In a process injection, malicious code is introduced into a trusted process already running on a system in order to conceal malicious activity.  Stub malware is code with only minimal functionality keeping its footprint small.  The attackers then remotely add new capabilities to it, which generally live and run in virtual memory, without requiring a disk-write to succeed.  It would be difficult to detect these additional capabilities unless memory was analyzed at the same time the new capability was uploaded and executed.

Remediation

Many compromised organizations remain compromised, even after they’ve instituted containment and clean-up measures.  If they do manage to eradicate the intruders, the most they can hope for is a brief reprieve before the attackers return.  Since the vulnerabilities typically used are considered zero-day, there is no patch for them.  Social engineering is also commonly applied, and there is still no patch for stupidity or gullibility.  Once in, the software used may lie dormant for months.  One report from Mandiant describes a malware agent lying dormant for a year before awakening and sending a beacon to an external command center, signaling that it was alive and ready to function, long after the company had detected and thought it had eradicated a malware infection.

Last December, Mandia was about to eradicate malware from one network when it suddenly stopped beaconing to its command & control center.  Symantec had updated its virus definitions and the security software was now detecting and stopping the malware.  Ordinarily this would be good news, but in an APT attack this means the attackers will be back to install new undetectable malware and start extracting their target data once more.
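The beaconing described above is one of the few behaviours of a dormant agent that is observable from the outside: a check-in to the command center tends to recur on a fixed timer, so contacts from one client to one destination are evenly spaced in a way that ordinary browsing is not.  The following is an added example, not code from the original post or from Mandiant; the proxy log format, the hostnames and the timestamps are constructed for illustration.

```python
# Added example (not from the original post): flag client/destination pairs whose
# contact times are evenly spaced, the signature of a periodic beacon, in
# constructed proxy log lines.
import statistics
from collections import defaultdict

def parse_proxy_log(text):
    """Parse 'epoch_seconds client destination' lines into (ts, client, dest) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append((int(parts[0]), parts[1], parts[2]))
    return events

def find_beacons(events, min_events=6, max_cv=0.1):
    """Return (client, dest, mean_period_s, cv) for pairs with at least min_events
    contacts whose inter-contact gaps vary little (coefficient of variation <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, client, dest in events:
        by_pair[(client, dest)].append(ts)
    beacons = []
    for (client, dest), times in by_pair.items():
        if len(times) < max(min_events, 3):   # need at least two gaps for a spread
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((client, dest, mean, cv))
    return beacons

# Constructed log (not real data): 10.0.0.7 contacts one host every ~300 s with a
# little jitter; 10.0.0.8 browses a news site at irregular times; 10.0.0.9 is a one-off.
SAMPLE_PROXY_LOG = """\
1000 10.0.0.7 update.example-cdn.test
1000 10.0.0.8 www.example-news.test
1012 10.0.0.8 www.example-news.test
1301 10.0.0.7 update.example-cdn.test
1500 10.0.0.8 www.example-news.test
1503 10.0.0.8 www.example-news.test
1599 10.0.0.7 update.example-cdn.test
1902 10.0.0.7 update.example-cdn.test
2200 10.0.0.7 update.example-cdn.test
2499 10.0.0.7 update.example-cdn.test
2801 10.0.0.7 update.example-cdn.test
2900 10.0.0.8 www.example-news.test
2907 10.0.0.8 www.example-news.test
3100 10.0.0.7 update.example-cdn.test
3300 10.0.0.8 www.example-news.test
3350 10.0.0.9 mail.example-corp.test
"""

if __name__ == "__main__":
    for client, dest, period, cv in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{client} -> {dest}: every {period:.0f}s (cv={cv:.3f})")
```

Legitimate software also polls on timers (update checks, mail clients), so the output is a shortlist for analyst review rather than an alert on its own; the same arithmetic applies to DNS or firewall logs once they are reduced to (time, client, destination) events.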

Mandiant’s Report:  http://www.mandiant.com/news_events/article/mandiant_releases_first_annual_m-trends_report_at_u.s._department_of_d/

Wired’s Article:  http://www.wired.com/threatlevel/2010/02/apt-hacks