Dailydave mailing list archives
Re: The strategic difference of 0day
From: Andre Gironda <andreg () gmail com>
Date: Wed, 15 Jun 2011 10:06:50 -0700
On Tue, Jun 14, 2011 at 8:31 PM, Rafal Los <rafal () ishackingyou com> wrote:
> Maybe I'm just living too closely to this world but, Dave you already answered your own question. Why slave over NOP sleds and guessing at just the right memory addresses and hoping a system doesn't crash when you can walk right in through the web app and take what you want, or worse, implant yourself
Your capabilities of pivoting may be slightly different from the client-side than from the server-side. The Internet-facing web application layer will be closed out soon -- perhaps simply because the exploits are not under the radar. 0day (i.e. anything ROP based or at least in that category of "win") is under the radar.
> I think organizations have "figured out" how to lock down ports after nearly three decades of security people preaching, and since there are much easier ways in...well hell why bother?
I see many blurring lines between CNA and CNE, and these lines are increasing. In the case of these popular SQLi/RFI/webapp-remotes, these are typically CNA. The "attack" is on the character, political views, or "social-capital" of an organization. It's typically short-lived: like a jab instead of an upper-cut. It really amounts to a DoS/DDoS just like regular CNA (e.g. the 2007 cyberattacks on Estonia). When SYN attacks, DNS SOA or other reflected/amplification attacks, or HTTP starvation attacks occur, CNA is typically a direct attack on the infrastructure-capital. SQLi utilized in Longcat style attacks, aka ADoS "Application DoS", does blur the lines a little here. Most CNA attacks cause an enemy/target to "lose face", become demoralized, and fear future retribution. It may sometimes cost the source just as much money as the target, which is why the attacks are typically not sustained.

On the other hand, ROP/0-day/client-remotes are typically CNE. CNE is usually individual-capital focused, as in the case of ZeuS/SpyEye/banking-trojans. However, it can also become intellectual-capital focused as in the case of Aurora. Either way, these are surveillance programs that are often the result of heavy intelligence, counter-intelligence, and reconnaissance work (i.e. social engineering).

There are SQLi/RFI botnets just like there are client-side malware infected botnets, however the SQLi/RFI kind are not as common or dominant yet. SQLi/RFI/webapp-remotes are typically not "sustained" exposures. If the goal is to get data -- typically it's a "get in and get out" op, which typically results in the degradation of that data. CNE operations are focused on long-term, sustained access.

Stuxnet is sort of an anomaly because it was a botnet used to demoralize the enemy. It wasn't obfuscated (i.e. it did not use self-modifying or self-integrity-checking code and was successfully reverse engineered), nor did it even try. It's almost as if it wanted to be caught.
> So in the end I believe the answer is a mixture of risk/reward shift from attacking services and towards readily open applications, and some combination of "black hats keeping their cool 0day secret", too many script kids, and apathy.
There is no shift going on. Client-side is "elite" because of its unique characteristics and perspective. It's difficult to code a weaponized 0-day exploit. A SQLi, on the other hand, takes 1-2 days tops to exploit, and that's if it's time-based blind over high-latency, high-jitter (i.e. constantly changing latency) networks. Most adversaries are looking for multiple statement queries, not just because they are faster than blind techniques, but also because they are easier to exploit for file operations so as to gain shell access.

Attacking services is interesting from the inside of the network, like Robert Lemos said: "inside the firewall". I'll additionally add "under the radar" because remotes against IIS and Apache are a little too obvious. What you'll find in Canvas is an over-focus on exploits for Enterprise applications. What's more useful for someone trying to stay under the radar: a remote-0day on Apache, or a remote-0day on Perforce? Apache might be monitored with all sorts of security technology such as IDS, IPS, WAF -- but also marketing technologies such as AWStats, webalizer, or Webtrends.

We're just going to see more attacks of all types. They'll be used in coordination together, and hit the business process of the target organizations with everything they've got.

-Andre

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
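Andre's point that time-based blind SQLi gets slow and unreliable over high-jitter links cuts both ways: the same jitter makes naive response-time alerting noisy for defenders. The following is an added example (not part of the thread, not code from any of the participants) of how a detection rule can combine a payload signature with a per-client robust latency baseline so that a single slow backend response does not masquerade as a successful delay probe. The log format (client, decoded-URI-to-be, response milliseconds) and all log lines are constructed for this illustration; the threshold values are assumptions, not measured figures.

```python
"""Flag time-based blind SQLi probes in access logs without drowning in jitter.

Constructed example: a three-field log (client_ip, request_uri, response_ms).
A request is a *probe* when its decoded URI carries a time-delay primitive,
and a *delayed probe* when its response time exceeds that client's robust
baseline (median + k * MAD, floored at min_excess_ms). Using median/MAD rather
than mean/stddev keeps one jittery 5-second response from inflating the baseline.
"""
import re
import statistics
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Delay primitives commonly used to make a query sleep; checked on the decoded URI.
DELAY_PATTERNS = re.compile(
    r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bpg_sleep\s*\(|\bbenchmark\s*\(",
    re.IGNORECASE,
)

# Constructed sample log: client, URI, response time in ms.
SAMPLE_LOG = """\
10.0.0.5 /item?id=7 112
10.0.0.5 /item?id=8 98
10.0.0.5 /item?id=7%27%20AND%20SLEEP(5)--%20 5140
10.0.0.5 /item?id=7%27%20AND%20SLEEP(5)--%20 5203
10.0.0.5 /item?id=9 130
10.0.0.9 /item?id=7%27%20AND%20SLEEP(5)--%20 160
10.0.0.9 /item?id=3 120
10.0.0.9 /item?id=4 4950
10.0.0.9 /item?id=5 115
"""


@dataclass
class Event:
    client: str
    uri: str          # URL-decoded so encoded payloads are visible to the regex
    response_ms: int


def parse_log(text):
    """Parse the constructed three-field format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        client, uri, ms = line.split()
        events.append(Event(client, unquote_plus(uri), int(ms)))
    return events


def has_delay_signature(uri):
    return DELAY_PATTERNS.search(uri) is not None


def robust_baseline(samples):
    """Median and median absolute deviation; tolerant of a few slow outliers."""
    med = statistics.median(samples)
    mad = statistics.median(abs(s - med) for s in samples) or 1.0
    return med, mad


def classify(events, k=6.0, min_excess_ms=1000):
    """Per client: baseline latency, number of probes, and probes that actually stalled."""
    by_client = {}
    for e in events:
        by_client.setdefault(e.client, []).append(e)
    report = {}
    for client, evs in by_client.items():
        benign = [e.response_ms for e in evs if not has_delay_signature(e.uri)]
        med, mad = robust_baseline(benign) if benign else (0, 1.0)
        probes = [e for e in evs if has_delay_signature(e.uri)]
        threshold = max(k * mad, min_excess_ms)
        delayed = [e for e in probes if e.response_ms - med > threshold]
        report[client] = {
            "baseline_ms": med,
            "probes": len(probes),
            "delayed": len(delayed),
        }
    return report


def run_example():
    return classify(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for client, summary in run_example().items():
        print(client, summary)
```

In the sample, 10.0.0.5 sends two SLEEP probes that both come back about five seconds late, so they are reported as delayed (a strong signal the parameter is injectable, worth an immediate ticket). 10.0.0.9 sends one probe that returns at normal speed, and its one genuinely slow request carries no payload; the median/MAD baseline stays at 120 ms, so that jitter neither hides the probe nor triggers a false "delayed" verdict.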
Current thread:
- The strategic difference of 0day Dave Aitel (Jun 14)
- Re: The strategic difference of 0day Anton Chuvakin (Jun 14)
- Re: The strategic difference of 0day Rafal Los (Jun 15)
- Re: The strategic difference of 0day Andre Gironda (Jun 15)
- Re: The strategic difference of 0day security curmudgeon (Jun 15)
- Re: The strategic difference of 0day Rafal Los (Jun 15)
- Re: The strategic difference of 0day Robert Lemos (Jun 15)
- Re: The strategic difference of 0day Anton Chuvakin (Jun 14)