MALAGA, SPAIN–While the high-profile attacks against RSA, Google and others over the last couple of years have focused a lot of attention on defending against advanced, targeted attacks, the fact remains that most attackers still rely on crimeware packs loaded with commodity exploits for older, already-patched vulnerabilities, and those exploits have no trouble getting past the security systems deployed at the vast majority of enterprises today.
So-called APT attacks, which involve sophisticated techniques and sometimes exploit previously unknown vulnerabilities in browsers or other common platforms, have generated a lot of headlines and a recurring cycle of worry about campaigns by hostile nations, loosely organized online activists and professional cybercrime groups looking to steal valuable corporate assets. Such attacks, however, are the rare exception rather than the norm. The attacks most enterprises actually see today still come from mass malware, and defenders have not yet figured out a good way to stop it.
“Everyone wants to figure out how we’re going to stop APT and we haven’t solved the mass malware problem,” researcher Dan Guido of iSEC Partners said in a talk at the Kaspersky Lab Security Analysts’ Summit here Monday. “How do we expect as an industry to stop APT if we can’t even stop our users from getting owned by accident? We don’t know how to tell if what we’re doing is useful or effective.”
Guido researched many of the major crimeware packs in use today, including kits such as Zeus, SpyEye and others, and looked at which exploits they carry. He found not only that the huge majority of the exploits target a handful of widely deployed platforms, but also that only a tiny percentage of them could be called sophisticated. In 2010, the crimeware packs mostly targeted just five platforms, using vulnerabilities disclosed that same year: Java, Adobe Flash, Adobe Reader, QuickTime and Internet Explorer.
Only five of the exploits seen in the last two years bypassed the ASLR and DEP exploit mitigations that protect browsers on current operating systems at all, and those bypasses were mostly based on publicly available code written by a security researcher.
“Actually, the people doing this are somewhat unsophisticated. The way they’re selecting exploits is on the availability of public information,” Guido said. “They’re choosing to use zero-day disclosures by white hat researchers. They’re not finding unknown vulnerabilities, they’re not implementing unique exploit code. Crimepack authors don’t write exploits.”
Despite much discussion in recent months of new techniques that can bypass memory protections in browsers on various platforms, Guido found that in the real world those exploits are rarely used, mostly because they are difficult to implement and attackers generally take the path of least resistance.
“It’s very hard to bypass ASLR and DEP and very few people are willing to invest the time to do that and then post it for free online,” he said. “These kinds of attackers may not be able to traverse the harder exploitation paths. You’re not going to use advanced techniques if you don’t need them to achieve your goals.”
None of this is to say that advanced targeted attacks exploiting unknown vulnerabilities aren't happening; they are, Guido said. But they are rare, comparatively speaking, and the lion's share of attacks still go after older bugs with the aim of stealing sensitive data that can be monetized in some way. APT-style attacks are a different animal.
“APT invests an incredible amount of resources into compromising the most valuable assets a company can have: its intellectual property,” Guido said.