Hackers used IE zero-day vulnerability to attack Google and Adobe

Attackers have leveraged a zero-day vulnerability in Microsoft Internet Explorer to infiltrate corporate networks and steal sensitive information. VeriSign iDefense puts the number of victim organizations at 33, and in every case the evidence pointed to the same operation. Microsoft has released Security Advisory 979352 for the Internet Explorer vulnerability (CVE-2010-0249). If the user was running IE, still the dominant browser in enterprises, simply visiting a malicious web page triggered the exploit. The exploit dropped a piece of malware on the now-compromised machine, which "phoned home" to a command-and-control server and downloaded additional second-stage malware. That second-stage payload arrived encrypted, said Dmitri Alperovitch of McAfee, was decrypted by the exploit code, and then opened yet another backdoor channel to a different server.

The Vulnerability Point

With its tentacles around the compromised PC, the malware scoured the company's network, gathering usernames, passwords, confidential information and other data. "This is very sophisticated on a number of levels," said Alperovitch. "It's very well done. We've never seen anything this good in the commercial space. In [attacks on] government, yes, but not commercial."

Incidents such as these highlight the need for a new approach to endpoint protection. Adobe and Google almost certainly run antivirus software. That software failed to detect or prevent the dropped malware, and the attackers were able to roam these systems for almost a month and steal sensitive information. Antivirus vendors that rely on definitions and heuristics are at the breaking point, and many customers are fed up with AV failure.

The Failure Point

Zero-day attacks that leverage vulnerabilities in Internet Explorer and Acrobat Reader are nothing new, nor are the attackers who use them to drop designer malware. Remember Conficker? While Conficker's methods of infection and goals were different, it too was at one time an unknown, undiscovered threat that easily bypassed traditional antivirus software. This endless cycle has been in place for many years and is clearly illustrated here:

The endless threat/vulnerability cycle

1. Attackers discover a vulnerability for which no patch exists
2. Attackers craft custom malware to exploit vulnerable systems
3. Attackers use the newly found, not yet patched vulnerability to achieve their goal
4. Firewalls, IPS/IDS and antivirus systems fail to detect or prevent the custom malware
5. The attackers succeed; organizations and individuals suffer data theft, system outages or other damage, depending on the attackers' goals
6. Antivirus vendors release updates in response to customer incidents, and customers begin the cleanup process

Two weeks later another vulnerability is discovered, back to step 1.

BluePoint Security Prevents Zero-Day Attacks

It is clearly impossible to prevent every attack vector and vulnerability; however, it is possible to prevent this type of attack from succeeding in the future. All of these attacks have one thing in common: they must be able to run unknown code (designer malware) on the endpoint. Using this incident as an example, had the attackers been unable to execute the dropped malware payload, they would have been unsuccessful in attacking these organizations.

Antivirus companies such as McAfee and Symantec attempt to classify malware on the very factors that are almost always unique in this type of attack: signatures and behavior. This is a flawed approach when it comes to preventing designer malware, and attackers will continue to succeed against these technologies.
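To make the contrast between the two approaches concrete, here is an added example (not BluePoint Security's code and not a description of its product) that simulates a byte-signature scanner and a default-deny hash allowlist side by side. The sample "executables", the signature and the allowlist are all constructed for the demo; the only assumption is that a "re-packed" build of a dropper keeps its behaviour while changing its bytes on disk, which is modelled here with a simple XOR of the body. One caveat a practitioner should keep in mind: execution control of this kind decides what is launched from disk, while the exploit's own shellcode already runs inside the browser process, so the gain is in blocking the dropped stage and everything after it, not the initial exploit.

```python
"""Signature denylist versus default-deny allowlist against re-packed malware.

Added example, not code from the original page. All samples are constructed
byte strings, not real binaries.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "executables": a 2-byte header followed by a body.
APPROVED_APP = b"MZ" + b"constructed office application v1.0"
APPROVED_APP_UPDATE = b"MZ" + b"constructed office application v1.1"
DROPPER_V1 = b"MZ" + b"constructed dropper PHONE_HOME_C2_V1 second-stage loader"

# Hypothetical denylist: a byte pattern written after the first sample was analysed.
AV_SIGNATURES = {"Trojan.Constructed.Dropper": b"PHONE_HOME_C2_V1"}

# Hypothetical allowlist: SHA-256 of the binaries an administrator approved.
ALLOWLIST = {sha256_hex(APPROVED_APP): "office.exe"}


def signature_scan(data: bytes, signatures=AV_SIGNATURES) -> list:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def repack(data: bytes, key: int) -> bytes:
    """Simulate a re-packed build: keep the header, XOR-encode the body.

    The bytes on disk change (so a byte signature no longer matches) while the
    behaviour after unpacking is identical. Applying repack twice with the same
    key restores the original.
    """
    header, body = data[:2], data[2:]
    return header + bytes(b ^ key for b in body)


def execution_decision(data: bytes, allowlist=ALLOWLIST) -> str:
    """Default-deny: only binaries whose hash was explicitly approved may run.

    Anything unknown is denied, whether it is novel malware or a legitimate
    update nobody has approved yet. That second case is the operational cost
    of the approach.
    """
    return "allow" if sha256_hex(data) in allowlist else "deny"


def run_demo() -> dict:
    """Scan each sample with both mechanisms; returns {label: (signatures, decision)}."""
    samples = [
        ("approved app", APPROVED_APP),
        ("approved app, unapproved update", APPROVED_APP_UPDATE),
        ("dropper v1 (known to AV)", DROPPER_V1),
        ("dropper v1, re-packed", repack(DROPPER_V1, 0x5A)),
    ]
    return {label: (signature_scan(s), execution_decision(s)) for label, s in samples}


if __name__ == "__main__":
    for label, (sigs, decision) in run_demo().items():
        print(f"{label:34} AV hits: {sigs or 'none':28} execution: {decision}")
```

The re-packed dropper produces no signature hit but is still denied, because its hash was never approved; the same rule also denies the legitimate v1.1 update until an administrator adds its hash, which is the maintenance burden any default-deny policy carries.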

At BluePoint Security, we are well aware that many of these incidents could have been prevented. When attackers discover new vulnerabilities (and they always will!), BluePoint Security blocks any attempt to run unknown code, stopping a zero-day incident such as this before it begins.

UPDATE 1/19/2010
Microsoft has published a list of affected software in Security Advisory 979352.
