    Archive for March 3rd, 2010




    Another Proof-of-Concept (POC) Revealed

    The changing threat landscape has brought more sophisticated Web threats and left users demanding better security features in the systems and applications they use. This has pushed Microsoft to build security mechanisms into its platform, such as Windows’ Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

    Both DEP and ASLR are security mechanisms that Microsoft included in its recent Windows releases, starting with XP SP2 and Vista respectively, and which should ideally protect systems from exploit code. DEP prevents code (including malicious shellcode) from executing out of memory regions that are marked nonexecutable. ASLR, on the other hand, randomizes where regions (data areas) are placed in memory so that an exploit cannot rely on guessing their exact location. But what if these security mechanisms are not so secure after all?

    This is what Berend-Jan Wever, aka Skylined (the security researcher who disclosed the heap-spraying technique), found when he reported a new exploit technique that bypasses DEP if ASLR is disabled. In Wever’s full disclosure of the exploit, he describes how to get around DEP and ASLR using return-to-libc attacks, in which an attacker reuses code that already exists in the exploited application or its library functions to carry out the attack rather than running his or her own code.
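    Because the technique only works when ASLR is out of the picture, a defender's first question is which of the binaries on a system actually opt in to DEP and ASLR. On Windows that opt-in is recorded per image in the DllCharacteristics field of the PE optional header (the IMAGE_DLLCHARACTERISTICS_NX_COMPAT and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bits, plus HIGH_ENTROPY_VA for 64-bit images). The following Python script is an added example, not code from the original post or from Trend Micro; it parses those header fields directly so it runs offline, and it constructs a minimal headers-only PE image (not a loadable binary) to demonstrate a weak image beside a hardened one. The field offsets and flag values are from the PE/COFF specification; the function and sample names are this example's own.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100         # image declares itself compatible with DEP
HIGH_ENTROPY_VA = 0x0020   # 64-bit image can use high-entropy ASLR addresses


def pe_mitigations(data: bytes) -> dict:
    """Report which DEP/ASLR opt-in flags a PE image carries in DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # optional header starts here
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "dep_compatible": bool(dll_chars & NX_COMPAT),
        "aslr_opt_in": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def audit_file(path: str) -> dict:
    """Convenience wrapper: audit a PE file on disk."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


def build_sample_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal headers-only PE image for demonstration (constructed sample,
    not a real or loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64-byte DOS header
    size_opt = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                      # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Weak image: neither flag set, so a non-ASLR load is exactly the condition
    # the return-to-libc bypass needs.
    weak = build_sample_pe(0)
    # Hardened image: opts in to DEP and ASLR (plus high-entropy VA on 64-bit).
    hardened = build_sample_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, pe32plus=True)
    for name, image in (("weak", weak), ("hardened", hardened)):
        print(name, pe_mitigations(image))
```

    Note that these bits only say what the image asks for; the system-wide DEP policy (OptIn, OptOut, AlwaysOn, AlwaysOff) and the operating system version decide what the loader actually enforces, so an audit should record both.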

    Possibilities Explored

    Although these features make achieving code execution on a system more difficult, they are not perfect and can be bypassed, as Wever’s exploit code shows. The exploit itself targets an already fixed vulnerability in Internet Explorer (IE), but the technique may pave the way for new exploits that defeat DEP.

    As Trend Micro researcher Rajiv Motwani puts it, “History could repeat itself. After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not farfetched that the release of this new POC could lead to the same scenario—new exploits could start using return-to-libc to achieve DEP bypass.”

    Furthermore, because the exploit affects DEP, which Microsoft introduced only recently with Windows XP SP2, and because ASLR is enabled by default only from Windows Vista onward, we can expect to see more reliable code execution exploits on new versions of Windows.

    Thoughts on Public Disclosure

    Given the increasing number of POCs that have gone public, responsible disclosure deserves considerable thought. Trend Micro global director for education David Perry notes that there seems to be a lot of disclosure but little response to the exploit. Public disclosures currently act as double-edged swords that both contribute to and complicate the threat landscape.

    On one hand, disclosures raise public awareness and push developers to act quickly. On the other hand, putting such critical information in the public’s hands can lead to significant exploits, as we saw with the most recent zero-day IE vulnerability.

    While actual exploits of this vulnerability have yet to be seen in the wild, Trend Micro Deep Security™ already shields users from potential future exploits. Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the latest IDF filters.

    Additional text by Ria Rivera




    As the security industry evolves, underground cybercriminals are constantly looking for ways to counter the technological challenges presented to them. I recently found out that the bad guys have begun offering services to track the blacklisting of domain names through reputation checks. The number of “businesses” offering this type of service is growing, and the service itself has now become semi-automated.

    This semi-automated service checks a submitted list of domain names against the different Web reputation databases. The most recent service I studied is found on www.{BLOCKED}ervice.net, which offers customers a solution wherein their list of domain names is regularly checked for blacklisting against Google BlackList (Firefox), ZeuS Tracker, MalwareDomainList.com, SpamHaus, and others. The monthly fee for such a service is currently around US$30 for 100 domains.


    The message above translates to:

    Zeus TRACKER
    Added checking on ZEUS TRACKER
    Join now!
    JABBER BOT!
    Now clients of our service can use a jabber bot, which can help with code crypting and check whether a domain is in a black list; check your domains in real time for blacklisting.
    Join! It’s easy!
    Added API!
    Now clients of our service can use our algorithms via API.
    This means you can now integrate the algorithms into your software products.

    This service offers a Web-based interface for a manual site-by-site check as well as a bulk check mechanism. It exposes an application programming interface (API) and uses Jabber as a communication protocol. Note that this is not the main business of the said site, which still prioritizes bulky JavaScript obfuscation.

    These new services demonstrate how adept cybercriminals have become at turning new technologies and resources to their advantage. The security industry has finally recognized the need for technologies such as reputation checks and deployed them, and the bad guys have already come along and misused the same technology to make even more money.

    Trend Micro protects users from potential attacks via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice