Update your Software or Die!
Wolfgang Kandek, Qualys, Inc.
RMISC 2012, Denver, May 18, 2012

Advanced Persistent Threat (APT) or Mass Malware Attacks

Attack Example #1: Exploit Kits
• Exploit kits bundle exploits ranging from CVE-2006-0003 (MDAC) … to CVE-2011-3544 (Java Rhino)
• The infection chain uses three servers:
  Website • Has traffic • Was exploited to plant links to the exploit kit
  ExploitKit Server • Serves exploits • Targets browser/plug-in vulnerabilities
  C&C Server • Controls the malware dropped on exploited machines
• Live Demo
• Patching closes the holes the kits rely on:
  CVE-2011-3544 Java Rhino
  CVE-2011-2140 Flash 10
  CVE-2011-2100 Adobe Reader
  CVE-2011-0611 Flash 10
  CVE-2010-3971 IE8
  …
• Patching must cover apps, browser and OS

Attack Example #2: CVE-2011-0611 Flash 0-day
• Attack vector: e-mail
• The attachment: the Flash 0-day is embedded in the attachment and runs when it is opened
• The malware: Poison Ivy, C&C at mincesur.com
• DEP (Data Execution Prevention) is available from XP SP2 onward
• Live Demo

Attack Example #3: Java Applet Attack (Pentest Special)
• Uninstall Java
• Restrict Java
  Internet Explorer: set 1C00 to 0 in Zone 3 (Internet zone), which disables Java there
  Google Chrome, Mozilla Firefox: disable the Java plug-in in the browser's plug-in settings
  Mac OS X: made it simpler now; Java 1.6U31 will auto-disable if not used in 35 days
• Restrict Java in IE to trusted sites

Attack Example #4: CVE-2011-2462 Adobe Reader 0-day
• No JavaScript in Adobe Reader
• Live Demo

Counter-measures
• Latest patches
• DEP
• Restrict Java
• No JavaScript in Adobe Reader
• Non-admin user
• Microsoft Office 2010 Protected View sandbox (contains the Flash 0-day and Adobe Reader 0-day examples)
• Autorun off: NoDriveTypeAutoRun -> FF

MSFT SIR: Malware propagation
• Latest software is less often compromised: Win 7 > XP, Office 2010 > 2007, Adobe Reader X > 9, IE9 > 8, 7, 6

How to apply what you have seen
• Configure for safety: force DEP on, whitelist Java on the Internet, no JavaScript in Adobe Reader, non-admin user, autorun off
• Run latest software: Office 2010, Adobe Reader X
• Be fully patched: applications and OS

Questions?
Thank you. wkandek@qualys.com @wkandek http://laws.qualys.com

Bonus Slides
• No JavaScript in Adobe Reader
• 1C00 -> 0 in Zone 3
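The "Configure for Safety" list above is a set of Windows settings, so here it is as one script. This is an added example, not from the slides or from Qualys: it applies the deck's DEP, IE Java zone, Adobe Reader JavaScript and autorun settings from an elevated PowerShell prompt and then reads them back. The registry paths are the standard IE, Explorer and Adobe Reader locations; the trusted-site domain intranet.example.com, the Reader version path 10.0 (Reader X) and the helper names Set-RegDword / Test-SafetyConfig are assumptions for illustration.

```powershell
# Added example (not from the original slides): apply the "Configure for Safety"
# settings from an elevated PowerShell prompt on Windows 7 / Vista.
# Assumptions: Reader X lives under "Acrobat Reader\10.0", and
# intranet.example.com is a stand-in for a site that genuinely needs Java.

$ErrorActionPreference = 'Stop'

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$reader  = 'HKCU:\Software\Adobe\Acrobat Reader\10.0\JSPrefs'          # assumed Reader X path
$policy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. Force DEP on for every process ("Force DEP On"). bcdedit is the Vista+
#    mechanism; on XP SP2 the equivalent is /noexecute=AlwaysOn in boot.ini.
bcdedit /set '{current}' nx AlwaysOn

# 2. Restrict Java in IE: value 1C00 is "Java permissions"; 0 = Disable Java.
#    Zone 3 is the Internet zone, so Java no longer runs on arbitrary sites.
Set-RegDword -Path "$zones\3" -Name '1C00' -Value 0

# 3. Whitelist Java on the Internet: sites that need it go into Trusted sites
#    (Zone 2) via the ZoneMap; the DWORD name is the scheme, the value the zone.
Set-RegDword -Path "$domains\intranet.example.com" -Name 'https' -Value 2

# 4. No JavaScript in Adobe Reader (bEnableJS = 0).
Set-RegDword -Path $reader -Name 'bEnableJS' -Value 0

# 5. Autorun off for all drive types: NoDriveTypeAutoRun = 0xFF.
Set-RegDword -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF

# Read everything back so the result can be checked (or audited later).
function Test-SafetyConfig {
    $nx = (bcdedit /enum '{current}' | Select-String -Pattern '^nx\s+(\S+)').Matches[0].Groups[1].Value
    [ordered]@{
        DepAlwaysOn       = ($nx -eq 'AlwaysOn')
        JavaDisabledZone3 = ((Get-ItemProperty "$zones\3").'1C00' -eq 0)
        TrustedSiteAdded  = ((Get-ItemProperty "$domains\intranet.example.com").https -eq 2)
        ReaderJsDisabled  = ((Get-ItemProperty $reader).bEnableJS -eq 0)
        AutorunOff        = ((Get-ItemProperty $policy).NoDriveTypeAutoRun -eq 0xFF)
    }
}

Test-SafetyConfig | Format-Table -AutoSize
```

The "Non-admin user" item is deliberately not scripted: the script must run elevated to change DEP, and removing the account you are logged on with from the local Administrators group is better done from a separate standard account. The DEP change takes effect at the next reboot; the IE and Reader changes apply when those programs restart.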