March 21, 2012
Over the past few months Anonymous has been actively attacking hundreds of websites. Using a Distributed Denial of Service (DDoS) attack, Anonymous struck the Central Intelligence Agency (CIA), causing its website to go down for more than two hours. No particular motive was reported, nor was any particular group or person held responsible for the attack after it had been executed.
However, Anonymous did take responsibility for compromising the US Department of Homeland Security website, which was restored within minutes. On its Twitter feed, Anonymous tweeted that it had defaced the site for the “lolz”, a play on the online abbreviation “laugh out loud”.

In February, Anonymous released an audio recording of a conference call between Britain’s Scotland Yard and the US Federal Bureau of Investigation concerning individuals of the widely untraceable group. This was said to be part of a campaign known as “FuckFBIFriday”.
Additionally, during the past few weeks, websites of the exchange operator NASDAQ were also attacked by Anonymous, hindering individuals trying to visit the site. The sites were attacked using the DDoS method. According to NASDAQ’s spokesman, Joseph Christinat, the website was not really compromised, as no information was stolen; the attackers only succeeded in blocking users from accessing the website for some time.
A few weeks later, an attack on the Intelligence Knowledge Network (IKN) portal of the United States Army allowed Anonymous to gain access to 400 MB of data, which was leaked on Rapidshare in two parts. IKN is a portal that allows members of the intelligence agencies to communicate and investigate internationally.
Only recently, in retaliation for the arrest of six suspected Anonymous hacktivists in Spain, Anonymous attacked the official site of the National Police after posting a tweet about the arrest, a direct response to the arrest of the group members. Anonymous Tweet: “@AnonOps 6 #Anonymous were caught by the police in Spain. They’re talking about a big anti-hack operation we know. Expect uspolicia.es DOWN | #Anonymous #Spain”.
A new attack tool known as “WebLOIC” has been noticed in recent Anonymous activity, in place of their conventional DDoS tool. WebLOIC requires no download and is much simpler to use than the DDoS tool. It sends the requests from the user’s browser via JavaScript, which allows a participant to send hundreds of requests to the target from their own IP address, accompanied by a slogan. Anonymous is also planning to use a new tool known as Reflective DNS Amplification DDoS, which is based on AntiSec’s DHN.
Anonymous has also taken their skills to the Android mobile market, packaging WebLOIC as an application known as “LOIC para Android by Alfred”. This application is made reachable through various existing Anonymous social network accounts in order to mount an attack against the Argentinian government.
Lastly, Anonymous has announced a “Global Blackout” on March 31st to take down the 13 root DNS servers, which are the primary mechanism allowing the Internet to run as it does today. We can only wait and watch the consequences that may arise if Anonymous actually goes ahead and executes their plan.
February 13, 2012
Using an ATM is something we all do often, but we do not realize the importance of protecting sensitive information while using one. During the past few years ATM skimming has gained a lot of attention as victims suffer, resulting in losses of millions of dollars. Skimming is the act of capturing the information or data that is on the magnetic strip of an ATM card through different techniques and then cloning it onto a blank card with a similar magnetic strip, which then allows the bad guys to use the cards of ATM skimming victims.
Bad guys are able to intercept personal identification information using various custom and homemade devices attached to ATM machines. Skimmers use portable data collectors by mounting them over the regular card reading slot where the card is swiped in an ATM machine, or fake keypads can be mounted over existing keypads to gather information. After the transactions are complete, the criminal retrieves the device that was placed on the ATM; it contains a small portable storage unit behind the device that actually captures the information of the various ATM users.
The information included on the magnetic strip includes the user’s full name, account number and bank details, along with other information required to allow the card to function properly. As a result, a card that is swiped in a slot that has been tampered with gives bad guys the ability to steal large amounts of cash. Some of the places where these skimming devices are mounted include the lighting fixtures of an ATM, the plastic brochure case, the ATM card swipe slot itself, and the keypad. Skimmers use a number of ways to gain users’ sensitive information. One of the most commonly used techniques is the use of spy cameras after mounting the card skimmer in the card swipe slot. One such example is shown in the picture below, where the scammer has placed a camera in a small wooden box that was then attached to the ATM machine along with the card skimmer.


The following picture shows a closer view of the card skimming device that was attached to the card swipe slot, aimed at reading and recording data from the magnetic strip of ATM cards. Criminals may then use the financial information gained, along with the PIN obtained through spy cameras, to withdraw cash from victims’ accounts.

Only recently did ATM skimming hit Pakistan, when a couple of university students in Islamabad designed a skimmer and robbed people of millions of rupees before being caught by the Federal Investigation Agency (FIA). According to the investigative report, a total of Rs. 12 million was robbed through a single skimming device which included 187 PSO cards and a second skimming device for 1192 ATM cards. The university students held responsible for the crime included Nasir Abbas, Muhammad, Zaheer Ahmed, Mustaqeem and Amir Shahzad, Javed.
According to the FIA, Zaheer Ahmed owned two skimming devices which caused a loss of almost Rs. 12 million to the government and private sector. The skimmer that Ahmed owned was used to read credit card information from the magnetic strip on the back of a card, which holds the card owner’s details; clones of the cards were then made and used for fraudulent purposes, or the information read from the cards was used to make transactions online. The second skimmer was a device mounted on an ATM machine which gathers the information of ATM users once they swipe their cards in the slot, along with a device that records the keystrokes entered, to gather the personal identification numbers (PINs) of ATM users.
Skimmers are getting better at what they do day by day. Over the past couple of months, criminals have introduced new skimming devices which allow them to connect to the devices attached to ATM machines and wirelessly transmit the victim’s sensitive information as soon as it is entered.
Skimming is not easy to detect, but ATM users can be aware of some signs to avoid becoming victims of such a crime. There are many ways to protect yourself. It is very important to observe the ATM before swiping your card: does the ATM look normal apart from the usual wear and tear, or is there anything strange in the appearance of the machine, such as glue residue, cracks, exposed wires, etc.? Check the card reader: does it look normal, or does it seem to have a device attached to it? One of the most important ways to protect yourself while using an ATM is to cover the keypad when typing in your PIN; if a hidden camera is present your PIN is still protected and the criminals are unable to gain that vital piece of information. It is also very important to always be aware of your surroundings, because you never know who or what may be spying on you.
According to law enforcement, ATM skimming is a process that is hard to track, which makes it very attractive for thieves. ATM skimming may be on the rise, but staying informed and educated can reduce the likelihood of being swiped by criminals.
January 31, 2012
Carrier IQ, also known as CIQ, is software that is installed not only on smartphones but also on tablets. Carrier IQ was developed to reduce the number of dropped calls, extend battery life and keep the device and services working efficiently at all times, which helps operators understand the experience of mobile users. Operators want to develop and enhance their services all the time, and this can only be done by knowing exactly when a mobile user is having a bad experience.

Historically, operators used their network to solve problems, but today’s networks and devices are too complex to understand if you cannot see the device itself. Carrier IQ examines a large amount of data from each device to capture and summarize exactly what is working and what is not. For example, operators and device manufacturers need to know exactly where a call was dropped or which applications drained the device’s battery, and most importantly they need to know how to solve the user’s problems when the user calls them.
Carrier IQ’s technology counts and summarizes problems. According to CIQ, it does not provide keystroke logging or tracking tools. Carrier IQ’s technology is the user’s advocate, because operators and handset manufacturers are, for the first time, getting an understanding of users’ day-to-day problems.

Developers, on the other hand, believe that CIQ is low-level software installed by Samsung and HTC at the behest of mobile carriers such as AT&T. According to them, it basically records metrics, i.e. every key that is pressed, every touch on the screen, every application launched, every website visited, any kind of traffic entering or leaving the phone, every time the battery is changed, etc.
Carrier IQ calls this software the Mobile Intelligence Platform (MIP). CIQ works with mobile manufacturers such as Samsung and HTC to embed the agent within the smartphone to track all this data. The biggest issue with CIQ is the threat to privacy, since the software works in a similar manner to spyware.
Carrier IQ has recently received immense public attention. With growing concerns over the threat to users’ privacy, CIQ is facing a lot of pressure not only from the general public but also from lawsuits filed against its software. Developers are coming up with new ways of disabling the software according to users’ wishes, allowing them to control exactly what information they are willing to share.
January 22, 2012
The cyber war between India and Pakistan continues to escalate: an Indian blackhat group, Indishell, defaced 30 Pakistani government websites only a few days ago, including sites such as pak.gov.pk, paknavy.gov.pk, sindh.gov.pk, etc. This attack was in retaliation for the hacking of the official website of the Bharatiya Janata Party (BJP) of Karnataka, which was defaced by a Pakistani blackhat group. We fear that this war will continue to escalate in the near future.

Prior to this attack, Indishell had already attacked other high-profile Pakistani sites. Indishell believes that the government of Pakistan is involved with various Pakistani attackers, instructing them to hack Indian sites. The Pakistani government also received a notice from Indishell in the form of a message on one of the recently hacked websites.
The rivalry between Indian and Pakistani hackers has been going on for years now. This only goes to show that the governments of both Pakistan and India fail to understand the importance of securing official and other websites from attackers, due to which huge security vulnerabilities exist, making it extremely simple for attackers to exploit them.
How did the situation get so bad? In all honesty, it is the fault of the hosting provider and the application developers of the websites that were attacked. First of all, the hosting infrastructure should have been properly secured and segregated. Applications and servers should have been audited for security and hardened according to a standard. Blackhats tend to target the web application first and exploit it to access the server hosting the website, so it is a jackpot for an attacker if he gets access to a server which hosts multiple sensitive websites. Following is a list of Pakistani government websites that were hosted on a single server (50.23.225.39-static.reverse.softlayer.com) that got attacked:
It is very saddening to know that so many high-profile government websites are hosted at a third-party hosting provider, and possibly even on the same server, a poor practice for websites holding information of an extremely sensitive nature. This is the same server that hosts the websites of the National Telecommunication Corporation (NTC) – www.ntc.net.pk – the official IT&T service provider for the Government of Pakistan, and of the abandoned National Response Centre for Cyber Crimes (NR3C) – www.nr3c.gov.pk. We wonder whether these organizations actually noticed this defacement and decided to take security seriously. It is never advisable to put all your eggs in one basket. Moreover, even when hosting multiple websites on the same box, the server should be configured in such a way that even if an attacker is able to exploit an application, he is not able to access the server and the other websites.
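One concrete way to check the segregation this paragraph calls for is to audit the worker configuration of a shared box. The Python script below is an added example, not Rewterz code and not taken from any of the servers named above; it assumes the sites run as separate PHP-FPM pools (an assumption about the setup) and reads a constructed pool file, flagging pools that share a worker user, run as root, or set no open_basedir boundary.

```python
import configparser
from collections import defaultdict

# Constructed PHP-FPM pool configuration for illustration only; it does not
# describe any real host mentioned on this page.
SAMPLE_POOLS = """\
; site-a and site-b run under the same system user: a web shell dropped in
; one document root can read and write the other one
[site-a]
user = www-data
group = www-data
listen = /run/php/site-a.sock
php_admin_value[open_basedir] = /var/www/site-a:/tmp

[site-b]
user = www-data
group = www-data
listen = /run/php/site-b.sock

; site-c is segregated: its own user and a filesystem boundary
[site-c]
user = site-c
group = site-c
listen = /run/php/site-c.sock
php_admin_value[open_basedir] = /var/www/site-c:/tmp
"""


def load_pools(text):
    """Parse php-fpm pool definitions (ini syntax) into {pool: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def audit_pools(pools):
    """Return sorted (pool, finding) pairs describing segregation weaknesses."""
    findings = []
    pools_by_user = defaultdict(list)
    for name, opts in pools.items():
        user = opts.get("user", "").strip()
        pools_by_user[user].append(name)
        if user in ("", "root"):
            findings.append((name, "runs as root or has no user set"))
        if "php_admin_value[open_basedir]" not in opts:
            findings.append((name, "no open_basedir restriction"))
    # Two pools under one uid are effectively a single trust domain.
    for user, names in pools_by_user.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, f"shares worker user '{user}' with {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for pool, finding in audit_pools(load_pools(SAMPLE_POOLS)):
        print(f"[{pool}] {finding}")
```

On a real server, read each file under the pool directory with `open(path).read()` and feed the text to `load_pools`. The same idea applies to other stacks: the property being checked is that each site's code runs under its own identity and inside its own filesystem boundary, so a compromise of one application stops there.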
January 15, 2012
Iran captured a US stealth drone by spoofing its GPS coordinates, which tricked the bird into landing within Iranian territory instead of where it was actually programmed to land. The drone’s actual landing zone was in Afghanistan, but with the method proudly claimed by Iranian engineers only a few months back, the drone’s GPS was reconfigured and it was made to land in Iran.
Iran has a long border with Afghanistan, and NATO monitors it for weapon smuggling into Afghanistan. Three years ago the Iranians claimed that they had designed their own drone with a range of 300 miles that could reach Israel. The stealth plane has been built with very sophisticated technology. It is the same kind of stealth plane that was monitoring the US raid on Osama Bin Laden’s compound in Pakistan. It is a $6 million stealth plane manufactured by Lockheed Martin.
According to US officials, the RQ in its name means that it is unarmed, and some industry experts who have written about the Sentinel say that its design makes it more of an operational platform than an intelligence-gathering aircraft. It was used to fly support during the Bin Laden raid. Nonetheless, according to Iranian news, the drone was shot down and recovered almost completely intact, which serves as a warning to the US.
An unnamed Iranian engineer who has been working on the captured American bat-wing RQ-170 Sentinel confirmed that the spoofing method used allowed the Iranians to divert the bird’s landing to where they wanted it, without hacking into the remote-control signals of the American control centre.

The US RQ-170 Sentinel stealth captured by Iran
US military officials have feared the GPS weakness of aircraft for a long time. According to US officials, this kind of attack is much more sophisticated than jamming, since it is executed under cover and there is no way to find out until the spoofing has already been done. The attack feeds the GPS receiver false signals which make it believe it is located somewhere in space where in reality it is not. US officials claim the loss of their drone was due to a malfunction on their end.
According to the Iranian engineer, GPS navigation is the weakest point. Once the bird has been “jammed” by sending noise over its communications, it automatically goes into autopilot mode and does not know what to do next. It can then be commanded to do whatever the controller wants.
Not a single current GPS system is “spoof proof”, for several reasons. The main reason is that it is almost impossible to validate consistently over a “one way” communications channel because of “replay attacks”. Therefore they all require an additional channel of some type that cannot be jammed.
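A receiver cannot authenticate the one-way civilian GPS signal, but it can at least check that successive fixes are physically consistent with each other: a spoofed position that jumps the platform to somewhere it could not have flown shows up as an impossible ground speed, and a replayed signal can drag the receiver clock backwards. The Python check below is an added example, not from the original post or from any drone’s navigation software; the track it runs on is constructed, and the 250 m/s ceiling is an assumed limit for the platform.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def implied_speeds(fixes):
    """Ground speed (m/s) implied by each consecutive pair of (t_seconds, lat, lon) fixes."""
    speeds = []
    for (t0, la0, lo0), (t1, la1, lo1) in zip(fixes, fixes[1:]):
        dt = t1 - t0
        # A non-increasing GPS time is itself a red flag: a replayed or
        # fabricated signal can pull the receiver clock backwards.
        speeds.append(math.inf if dt <= 0 else haversine_m(la0, lo0, la1, lo1) / dt)
    return speeds


def implausible_fixes(fixes, max_speed_mps=250.0):
    """Indices of fixes the platform could not physically have reached from the
    previous fix: a cue to distrust GPS and fall back to inertial navigation."""
    return [i + 1 for i, v in enumerate(implied_speeds(fixes)) if v > max_speed_mps]


# Constructed track (t in seconds, lat, lon): steady ~55 m/s northbound, then
# between t=2 and t=3 the reported position leaps roughly 55 km.
SAMPLE_TRACK = [
    (0, 34.0000, 66.0),
    (1, 34.0005, 66.0),
    (2, 34.0010, 66.0),
    (3, 34.5010, 66.0),
    (4, 34.5015, 66.0),
]

if __name__ == "__main__":
    speeds = implied_speeds(SAMPLE_TRACK)
    for i in implausible_fixes(SAMPLE_TRACK):
        print(f"fix {i} at t={SAMPLE_TRACK[i][0]}s is implausible: {speeds[i - 1]:.0f} m/s implied")
```

This only catches a crude spoof. A patient spoofer who first matches the genuine signal and then walks the position away slowly stays under any plausibility threshold, which is why the paragraph above concludes that a second, independent channel is needed rather than better checks on the GPS data alone.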
According to some sources, claims have been made that Iran has sold the stealth drone to China so that China may undertake serious investigations. However, this has still not been confirmed.
January 6, 2012
‘Anonymous’ is a well-known international blackhat group which has been active since 2003. Anonymous’ beginnings make its identity difficult to understand, even though the concept of anonymity has always existed. They consider themselves to be simply ideas without an origin.
The most recent attack by Anonymous was on COX’s DNS servers, when all the DNS servers collapsed, leaving Colorado, Texas, New Mexico and Louisiana with no internet access. The main reason that led to this attack was COX’s latest message to consumers about their “Data usage quota”, stating that consumers would not be able to access the internet if they exceeded their limit.

During the past couple of years, Anonymous has managed to take down some of the highest-profile websites on the internet by mounting distributed denial-of-service (DDoS) attacks. They describe themselves as the “internet hate machine” or “hackers on steroids”. Anonymous includes a number of members who work together to attack a country’s internet coverage, as in the case of the Toronto attack. When such a large-scale attack takes place, people from within the country join the Anonymous group to help carry out the attack, usually because they share similar motives. These blackhat activities usually take place against a stance they disagree with. According to some members of the group, membership of Anonymous can be gained easily, the only condition being as simple as concealing one’s identity when carrying out the activities.
Anonymous mostly uses the Low Orbit Ion Cannon (LOIC), an open source network stress testing and denial of service application, to carry out its DDoS attacks. Potential members of Anonymous allow their computers to be connected to a botnet by downloading the LOIC. AnonOps (a channel for communication within the group) then directs the botnet against the target while coordinating the attacks on ITC, which allows the individual to become a member of the Anonymous blackhat group.
A DDoS attack acts in a similar manner to a huge surge in the number of individuals visiting a site. The main aim is to delay access in order to prove a point; it does no direct damage to the site. It is similar to a protest where hundreds of people gather in a certain place, which slows traffic down in that area and brings even more attention to the protesters’ motives. In this case, however, instead of protests and people it is the internet and computers.
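From the defender’s side, what a LOIC-style flood looks like in a web server log is one address, or a handful of them, repeating the same request far faster than any person browsing could. The script below is an added example, not from the original post and not part of any Anonymous tool: it parses combined-format access log lines and reports the clients whose request rate inside a sliding window reaches a threshold. The log lines are constructed, and the 10-second window and 100-request threshold are assumed values to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format: client, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request_line), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def peak_rates(lines, window_seconds=10):
    """Largest number of requests each client made inside any window_seconds span.

    Lines are expected in the order the server wrote them (chronological),
    as they are in a live access log.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flood_sources(lines, window_seconds=10, threshold=100):
    """Clients whose peak rate reaches the threshold: candidates for rate limiting or blocking."""
    return {ip: n for ip, n in peak_rates(lines, window_seconds).items() if n >= threshold}


def make_sample_log():
    """Constructed log: one client firing 150 identical requests in 5 s, plus ordinary visitors."""
    bot = [
        f'203.0.113.7 - - [06/Jan/2012:10:00:{i // 30:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"'
        for i in range(150)
    ]
    normal = [
        '198.51.100.5 - - [06/Jan/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.5 - - [06/Jan/2012:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
        '198.51.100.5 - - [06/Jan/2012:10:00:08 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        '192.0.2.9 - - [06/Jan/2012:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "crawler"',
        "this line is not a log entry and is skipped",
    ]
    return bot + normal


if __name__ == "__main__":
    for ip, n in flood_sources(make_sample_log()).items():
        print(f"{ip}: {n} requests within 10 s")
```

To run it against a real log, pass `open("access.log")` as `lines`. Per-client counting is enough for a tool like LOIC, where each participant floods from their own address; a large botnet spreads the load thinly across many addresses, and then the useful signal is the aggregate rate for one URL rather than the rate per client.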
In the past few years, Anonymous has attacked the New York Stock Exchange, the Westboro Baptist Church, the Recording Industry Association of America and government sites in Malaysia, Egypt, Tunisia and Zimbabwe. Only recently, Anonymous planned to take on Mexico’s most feared drug cartel, the Zetas, after posting a video on YouTube stating that the Zetas had kidnapped one of their members and that if he was not freed they would publicize the people linked to the Zetas, including taxi drivers, local police officers and journalists. However, this issue was resolved soon after in favor of Anonymous.

Anonymous has received a lot of international media attention due to their ongoing attacks on high-profile websites. KTTV Fox 11 aired a story on them after they attacked a Myspace user who said his account had been hacked several times by Anonymous. Additionally, the English version of Al Jazeera publishes regular articles on the activities of Anonymous.
Regardless of the controversy about whether Anonymous is doing the right thing or not, a number of people continue to support their actions because they share similar motives. Members of the Anonymous group are caught by the police every now and then, yet it remains a strong hacking group with shared morals, motives and thoughts, and it continues working in the same direction.
December 15, 2011
Duqu is a sophisticated malware that was discovered on September 1st, 2011. Some experts claim that Duqu could only have been created by the creators of Stuxnet, because nobody else could have had the source code to create such a sophisticated malware that is nearly identical to Stuxnet yet serves an entirely different purpose. Three major similarities between Stuxnet and Duqu have come to attention: firstly, the components are signed using stolen certificates; secondly, like Stuxnet, Duqu uses a zero-day vulnerability to attack Windows systems; and lastly, the way Duqu is targeted requires advanced intelligence to operate, again similar to Stuxnet.
As highlighted a few weeks ago by Symantec, researchers have discovered how Duqu infects the targeted computers. The malware hides in a Word file (.doc) sent by email to the victims. Once opened, it exploits a 0-day vulnerability in the Windows kernel to execute code and infects the system through service.exe. The infected computers can then be remotely controlled by the attackers, who can spread the malware across the network and retrieve data in the process. Symantec issued a diagram summarizing the course of the intrusion.

With this new discovery, security researchers are now confident that Duqu is designed to target specific high-profile critical infrastructures via Word documents designed to look legitimate. Symantec has identified six organizations contaminated in 8 countries: Iran, Sudan, Vietnam, India, France, the Netherlands, Switzerland and Ukraine. To these are added identifications made by other experts in Austria, Hungary, Indonesia and the United Kingdom.
If Duqu starts attacking Pakistani networks, Pakistan would face a huge threat, regardless of the existing ongoing cyber war between Pakistan and India. Duqu is a much more powerful malware which, if targeted at Pakistani networks, could collect intelligence data and assets from high-profile entities for the purpose of conducting a future attack against additional third parties without much effort.
It remains to be seen whether future changes made by Microsoft will be sufficient to stem the problem. At present, the source of Duqu has not yet been identified. Many measures may be taken to prevent this situation from reaching a system. It is important to have a backup of all existing data, but even more importantly, since Duqu is a powerful malware, the best way to prevent any potential attacks from it is by protecting and securing critical infrastructure networks from such threats. Microsoft has finally patched the flaw being exploited by Duqu.

Moreover, a recent discovery shows that the operators of Duqu have shut down all operations and cleaned up their command infrastructure, leaving security experts almost no evidence for further research. According to Kaspersky Lab, Duqu has been active since 2007 and was only discovered in October 2011, which proves that several systems might have been infected with Duqu for years and are possibly still undetected.
A further discovery was made that the operators of Duqu undertook a global clean-up on October 20th which erased all their activities since the year 2009, leaving almost no trace of their existence throughout these years. This goes to prove that the aim of the attackers behind Duqu was to keep it secret, and as soon as word got out it was withdrawn. Even now the command & control (C&C) servers behind Duqu remain undiscovered, which only goes to show the capability and power of the attackers behind this malware.
Experts were able to point out that the servers were hacked by brute-forcing the root password rather than through the believed zero-day, and as soon as the attackers gained control over the servers they upgraded OpenSSH 4.3 to version 5.8, which suggests that the newer version of the software held some importance for them.
December 1, 2011
Recently many Pakistani websites have faced attacks from various international blackhat groups, which continues to be a huge concern for Pakistani cyberspace. The main reason behind this remains the lack of secured hosting infrastructure, along with badly coded web applications. Such websites can be extremely vulnerable and may be easily compromised by attackers.

Telenor Pakistan Hacked
Pakistani websites of all kinds, including blogs, forums, government, telecommunication and banking websites, may be vulnerable to various attacks. Only recently, some of the high-profile websites that were defaced include LG Electronics Pakistan, WorldCall Telecom Limited, DunyaTV, Supreme Court of Pakistan, Telenor Pakistan, National University, and a few more.
Moreover, a newer form of malware has been discovered attacking Pakistani websites; this malware attacks not only the target website but also mobile devices. Hundreds of Pakistani government sites, including the Ministry of Information and Broadcasting – Government of Pakistan (infopak.gov.pk), PESC – Peshawar Electric Supply Company (pesco.gov.pk) and Pakistan Navy (paknavy.gov.pk), are under attack by this malware, known to be controlled by an Indian blackhat. Most of the website owners initially fail to understand the importance of having a secured web application and consequently lack the information security knowledge to secure their online information.

Malware Alert on the Infected Pakistani Websites
That is where we usually get involved and learn about such incidents. Our team protects customers’ infrastructure from such attacks and performs constant monitoring. Rewterz already has a reputation for securing information for a number of high-profile organizations. By providing services such as penetration testing, incident handling, application code review, forensic analysis and security outsourcing, we ensure complete security for an affected website.
Today hacking is a career backed by strong institutions, estimated at about $2 billion annually. The cyber war between the Pakistani and Indian blackhat communities has been going on for years, and this is not the first time we have seen a rise in such attacks. The best way to protect information available online is by having a secured hosting infrastructure which mitigates the vulnerabilities attackers may be looking for in order to carry out an attack. Taking such measures is becoming critically important in the cyber world and must be understood by the personnel who make critical information available online, before it is too late.
February 5, 2011
PDF, the Portable Document Format, has gained popularity among general users due to its extensive features, portability and the availability of free tools to read and author documents. With the popularity this file format has gained among general users, it has also become a target for various malware which exploit the document format to execute malicious attacks, using PDF files as a vehicle for depositing malware to attack a specific item or even the entire system.
Over the last three or four years, PDF malware has become increasingly devastating for computer security. The reason behind this increasing success is the blackhat community’s mastery of a handful of PDF distribution channels, through which various malicious PDFs are used to jeopardize a computer’s security. Before going into the depth of PDF security, let’s take a closer look at the different distribution channels attackers use to deposit malware on a computer. Among a variety of PDF distribution channels, the three dominant ones are mass-mailing, drive-by downloads and targeted attacks.
In the mass-mailing distribution technique, a user is lured into opening an email and unsuspectingly receives the malware by downloading the PDF file attached to the email. These kinds of spam emails use major subjects such as IRS notices, political or current affairs, or any controversial subject. Drive-by downloads, meanwhile, deposit the malware on the system when the user visits an infected website and downloads a hosted PDF file. Malware authors utilize web exploit packs to plant malware on websites. The hosted PDFs contain shellcode which, when executed, downloads malicious content from the internet. In contrast, targeted PDF attacks are directed at individuals or organizations and disguise themselves as coming from an authentic source, which leads the user to open the attached PDF file. What makes targeted attacks relatively successful is the use of zero-day exploits, which leave the victim unaware that his system’s security is at stake.
To make matters worse, each distribution channel uses different exploit techniques, which are classified into two categories: JavaScript-based exploits and non-JavaScript-based exploits. Almost all PDF exploits now utilize JavaScript in one form or another because of the heap spray technique (JavaScript code that is executed first to fill the reader’s process memory with shellcode, which as a result exposes the system to the malicious attack).
Utilizing exploit techniques in different PDF distribution methods might have allowed antivirus and malware detection products to detect the presence of a malicious PDF or the attack incorporated within the PDF file. To evade antivirus detection, malware authors utilize a malicious AcroForm stream. This evasion method misleads the user into believing that the malicious PDF file is simply a corrupt file and crashes the PDF reader, so that the malware keeps working in the background and remains undetected by both the user and the virus detection product.
When your system’s security is jeopardized and various significant items are exposed, what can you do to protect your system from being infected with malicious content?
A bundle of protective actions can be taken by the user which may keep his system safe from possible targeted or untargeted attacks by malware authors.
First and foremost, avoid system infection by keeping all applications up to date, including software patches for your PDF reader. Second, keep your virus detection product up to date. Wherever possible, disable JavaScript so that JavaScript-based exploits are prevented. Last but not least, considerable discretion should be exercised when opening a PDF document from an untrusted location.
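The keyword triage below turns the JavaScript and untrusted-document points above into something a mail gateway or an analyst can run before a reader ever opens the file. It is an added example, not from the original post; the sample PDF bytes are constructed, and the list of names it looks for is an assumed set of those most often tied to JavaScript, automatic actions and launch behaviour. It also decodes PDF `#xx` name escapes, since a name written as `/Java#53cript` is the same name as `/JavaScript` to the reader but not to a naive string match.

```python
import re

# Names whose presence in a PDF is worth a second look (assumed set; the
# first two are the JavaScript carriers discussed above).
WATCHED_NAMES = (
    "JavaScript", "JS", "OpenAction", "AA", "Launch",
    "AcroForm", "RichMedia", "EmbeddedFile", "ObjStm",
)
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")


def decode_name(raw):
    """Undo PDF #xx escapes in a name token: b'Java#53cript' -> 'JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_markers(data):
    """Count each watched name in the raw bytes, after normalising escapes."""
    counts = dict.fromkeys(WATCHED_NAMES, 0)
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def triage(data):
    """Reasons to treat the document with suspicion (empty list = nothing seen)."""
    c = count_markers(data)
    reasons = []
    if c["JavaScript"] or c["JS"]:
        reasons.append("contains JavaScript")
    if c["OpenAction"] or c["AA"]:
        reasons.append("runs an action automatically on open or on an event")
    if c["Launch"]:
        reasons.append("contains a launch action (external program)")
    if c["RichMedia"] or c["EmbeddedFile"]:
        reasons.append("embeds media or files")
    if c["ObjStm"]:
        reasons.append("uses object streams; names may be hidden in compressed objects")
    return reasons


# Constructed sample: a catalog that triggers JavaScript on open, with the
# action name hex-escaped as /Java#53cript to dodge plain string matching.
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same skeleton with no actions or scripts.
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(doc) or ["no markers"])
```

For a file on disk, pass `open(path, "rb").read()` to `triage`. This pass looks only at uncompressed bytes: a document that keeps its objects inside a FlateDecode-compressed object stream shows nothing but the `ObjStm` marker, so a fuller triage inflates those streams first and repeats the scan on their contents.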
February 4, 2011
Vulnerabilities, malware and exploits have been around for as long as software itself. Running with malicious intentions, these programs have always been a thorn in application developers’ sides and keep going a continuous game of cat and mouse between developers and attackers.
Being the most popular OS in the world, Windows and its associated applications have been the most frequent target of malicious exploits, and Internet Explorer is no exception. Back in December 2010, a new vulnerability affecting IE 6, 7 and 8 running on Windows Vista and above was published on a full-disclosure security list, labeled the IE CSS 0-day vulnerability, and was later addressed in Microsoft’s Security Advisory 2488013.
This exploit reportedly targeted users of IE 6 through 8, allowing the execution of malicious code on an affected user’s computer, under the currently logged-in account, just by visiting a website containing a malicious CSS script. Microsoft currently believes the attack has not affected many users, and while it can be easily circumvented, it is a serious threat that could be used on a much larger scale, causing massive damage.
Let’s try to understand how this whole thing works. As the name suggests, this vulnerability relies on a loophole in Internet Explorer’s processing of Cascading Style Sheets (CSS). Normally, a CSS file (which dictates the look and feel of an HTML file) is loaded when you visit a website, but if the style sheet imports itself, it wreaks havoc on IE’s memory management, allowing unauthorized code to execute while bypassing the usual security checks on IE downloads, including the newer Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
DEP is designed to perform additional checks on memory to help prevent malicious code from running on a system. Specifically, if a remote attacker manages to crash a running application on your system, the areas of memory where the application stored its run-time data, including the stack and heap, are marked non-executable, so even if malicious code makes it into those memory bytes, the operating system prevents it from running. Hence, DEP prevents any unauthorized code execution unless the attack targets those memory regions where code has already been marked executable, which is where ASLR comes in.
ASLR loads programs and DLLs at a different, random location each time they are executed, and since bypassing DEP requires you to know exactly where executable code is going to be, the randomization offered by ASLR ensures that the attacker can never accurately predict which memory blocks to target. He may opt to perform a search operation, but the code required to perform the search would be blocked by DEP in the first place. Hence, from the outside, it would seem that Microsoft has created the perfect security barrier.
Hats off to Microsoft, though, for they have, most unfortunately, allowed each DLL to decide for itself whether it supports ASLR or not. Internet Explorer is itself a huge collection of DLLs, some of which execute at run time to render the content that IE downloads. Now, with malicious CSS code causing a memory heap to go berserk, the attacker sends otherwise-safe files to IE, causing it to load the known DLLs. And if any of these DLLs does not support ASLR (which they don’t), then its location in memory is already known, and DEP simply goes out the window. One specially designed web page is all a malicious attacker needs to gain code execution on your machine, without your knowledge at all.
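Whether a given DLL opts into ASLR is recorded in its PE header: the DllCharacteristics field of the optional header carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) for ASLR and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) for DEP. The Python below is an added example, not from the original post or from Microsoft: it reads those two bits so that the modules a process loads can be audited for the gap described above. The header stubs it builds for testing are constructed and not loadable binaries; `audit_modules` takes a mapping of module names to file bytes that, on a real machine, you would fill from `open(path, "rb").read()`.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image can be relocated: ASLR-compatible
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image declares itself DEP-compatible
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARS_OFFSET = 70   # offset within the optional header, identical for PE32 and PE32+


def pe_mitigations(data):
    """Return {'aslr', 'dep', 'pe32plus'} flags read from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_hdr = e_lfanew + 4 + 20          # signature + 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", data, opt_hdr)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt_hdr + DLLCHARS_OFFSET)
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "pe32plus": magic == PE32PLUS_MAGIC,
    }


def audit_modules(modules):
    """modules: {name: pe_bytes}. Names of modules without ASLR, i.e. the ones whose
    fixed load address gives an attacker a known place to return into despite DEP."""
    return sorted(name for name, data in modules.items() if not pe_mitigations(data)["aslr"])


def build_stub_pe(dll_characteristics, pe32plus=False):
    """Constructed minimal PE header (not loadable) carrying the given DllCharacteristics."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 0xF0, 0x2102)
    optional = bytearray(0xF0)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARS_OFFSET, dll_characteristics)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    # Constructed stand-ins for a browser process's modules; real use reads DLLs from disk.
    modules = {
        "modern.dll": build_stub_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "legacy.dll": build_stub_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }
    print("modules without ASLR:", audit_modules(modules))
```

A single name on that list is enough to undo the protection for the whole process, which is the point the paragraph above makes about IE’s rendering DLLs, and it is what EMET’s mandatory ASLR setting addresses by relocating such modules regardless of the flag.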
While most modern browsers have entirely switched to newer, safer CSS handling, Microsoft’s prized browser still utilizes the same old DLLs to handle CSS rendering, and with the still-very-large user base of IE, such exploits could become disastrous should someone decide to take advantage of them. Microsoft’s security advisory suggests that the exploit is public knowledge, but is neither used on a mass level yet nor critical enough to merit an out-of-band security release.
While Microsoft works on a patch, one easy workaround is to use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). This allows you to force named applications to apply ASLR to every DLL that is loaded, irrespective of whether the DLL supports it or not. That way, DEP again comes into effect for any code that depends on a memory overload, and would at least defeat this particular vulnerability.