May 1, 2006

SANS warns of zero day attacks

Author: Joe Barr

The SANS Institute conducted a security briefing today in a teleconference hosted by Alan Paller, director of research at SANS, with a guest panel of Internet security experts on hand to elaborate. A press release from SANS warns of a surge in zero-day attacks -- those exploiting vulnerabilities that have been identified in the wild but have not yet been patched by the vendors or projects involved -- and in attacks on the Apple OS X platform.

On the panel with Paller were Rohit Dhamankar, editor and manager of security research at TippingPoint, a division of 3Com; Dr. Johannes Ullrich, CTO of the SANS Internet Storm Center; Gerhard Eschelbeck, CTO at Webroot; Amol Sarwate, manager of the Vulnerability Management Lab at Qualys; and Ed Skoudis, SANS "Hacking Exploits" course director and senior security analyst at Intelguardians.

The press release itemizes eight major trends to be aware of:

  1. Rapid growth in critical vulnerabilities being discovered in Mac OS X.
  2. Substantial decline in the number of critical vulnerabilities in Windows Services.
  3. Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer.
  4. Rapid growth in critical Firefox and Mozilla vulnerabilities.
  5. Zero-day attacks focused on infiltration for profit.
  6. Rapid growth of data-oriented attacks.
  7. Continuing surge of file-based attacks (media/image/Excel files).
  8. Rapidly spreading scourge of spear-phishing attacks.

The last two items, file-based attacks and spear-phishing, deserve special attention. If you think accepting files only from "trusted" sites and friends means you are immune to infestation, think again. A friend's Excel file might contain back-door code which opens your system up like a ripe melon. The same goes for media or graphics files from "trusted" sites. eBay, for example, does not screen images uploaded for its auctions, and could very well spread malware to unwary surfers.

Spear-phishing seems like it may be more of an intelligence-gathering operation than traditional phishing for dollars. Traditional phishing attacks consist of bulk messages that try to tempt users into giving up their credentials for their bank or eBay; spear-phishing is a more directed attempt.

Instead of broadcasting millions of attempts in hopes of reaching a few users of a specific bank, auction site, or whatever, spear-phishing specifically targets a small group with frightening accuracy. At a military base, for example, 50 soldiers might receive an email ostensibly from their commanding officer directing them to visit a specific site or download a patch. The backdoors installed as a result seem to be focused on immediately harvesting information from the infected machine and sending it elsewhere.

Although he couldn't reveal details, Paller says that the past couple of weeks have seen a frenzy of activity in various federal agencies trying to clean up after such an infestation and prevent new ones from occurring.

Time to rename Internet Explorer?

While Windows back-end services appear to be getting more secure, the plague that is the Windows desktop and browsing experience continues to be a world of chronic zero-day vulnerabilities, which may be publicly known but remain unpatched for months at a time.

Dhamankar says "I think it is almost time to rename Internet Explorer to Internet Exploiter." The trend -- more vulnerabilities discovered -- has been steadily increasing over the past six months. He added that these vulnerabilities are used mostly to install spyware or keystroke loggers, neither of which is a good thing.

As noted in item number four, Firefox and Mozilla are also being targeted, so Windows users are still not completely safe even if they trade in IE for another browser.

A bad quarter for Apple

Apple platforms are increasingly coming under attack, and as they do, attackers are discovering vulnerabilities. Skoudis believes Apple users have been operating with a false sense of security -- "I'm not using Internet Explorer, so I must be safe" which has been proven not to be the case.

Skoudis noted that as Apple OS X becomes more mainstream, not just in terms of customer base but in hardware and software compatibility, it will become more and more of a target. The move to the Intel processor and the advent of Bootcamp, which lets the machine run Windows, open it to whatever vulnerabilities Windows users must cope with.

Skoudis also pointed out that at "hacker" conferences, about 70% of those presenting are using the Macintosh platform. As more and more "bad guys" use Apple, they will discover more and more vulnerabilities.

How bad is it? Apple OS X users are now experiencing the same sort of infections that have been seen in the Windows world for some time. They have become infected with malware after visiting certain Web sites, and the malware opens their system to remote control.

Ullrich noted that Apple is slow in patching its products once vulnerabilities are discovered when compared to the speed with which open source products are patched, thus extending the window of vulnerability for Apple OS X users.

The SANS Institute still sees OS X as a safer alternative than Windows, but notes that recent exploits have its image of being bullet-proof in tatters.

Linux and Unix: a cautionary tale

Linux was not specifically mentioned during the briefing. I asked specifically if the Firefox and Mozilla vulnerabilities mentioned had a cross-platform implication for the installation of spyware on Linux, or if only Windows users needed to be worried about the threat. Sarwate replied that "the vulnerabilities from Firefox, most of them are on all the platforms, they are not platform dependent, and yes, we see them on Windows and Linux, all the platforms that Firefox runs on."

When asked if there were any examples of spyware being spread on Linux in this fashion, Sarwate says that he doesn't think so. "Really, the majority of spyware is affecting the Windows platform, and I think if you say 99.9 percent then you're probably right on there."

My advice to Linux users is never to assume that you're safe simply because you're running Linux. Apple OS X users are learning that lesson now, not because their kernel is insecure, but because applications like Safari are wrapped around it, and they are not as secure as the kernel. This is especially true of proprietary code, because, as SANS pointed out today, such code is not patched as quickly as are flaws in open source projects.
