Search This Blog

Wednesday, January 20, 2010

"Aurora" attacks: anti-virus/spyware versus intergrated application protection

(Disclaimer: I advise Promon AS  on some issues, so my opinion about Integrated Application Protection could be biased. In that case, feel free to point out tools from other sources that achieve the same functionality. I am also not on their payroll, so this not a sales pitch).

The recent targetting of Google, Adobe and IE flaws raised a lot of eyebrows and gives plenty of thought to the security analyst. This has nothing to do with  the specific Microsoft/Adobe vulnerabilities involved in the case. Software will always have vulnerabilities. It has also nothing to do with infrastructure vulnerabilities (spoofed SMTP headers, DNS targetting, more to come in a latter arcticle ). They will always be there. The question is why setups with highly capable people fail to address attacks that might be zero day (or near zero day) but they are still preventable.

In order to give an answer to this question, I can't help but notice the shortcomings of common desktop anti-virus/spyware packages. Today, most people have a desktop/server anti/virus/spyware package installed on their computer to defend themselves against various types of malware. The vendors that produce these tools do a tremendous amount of work to ensure that they protect you against many types of threats. In essence, they have industrialised the process of producing signatures (non ambigous ways of describing the malware) and then they throw a bit of heuristics to compensate for the things the signature will not catch (you cannot know everything in advance). This combination is good to catch most types of attacks, but not all (many of these products did not detect the recent aurora attacks for various reasons).

If we rely daily on computers for critical tasks, is a "good for most things" type of protection acceptable? Personally for me, it is certainly not. Sure, I use known desktop and servers anti/virus products and I always recommend them, but I always say their development strategy has many pitfalls. I am going to outline them in the next paragraphs and then prescribe a solution to these problems.

Anti-malware scanners tend to use heuristics to address (amongst other issues) the polymorphic payload of malware. Is is interesting to note that the recent "Aurora" style attacks used either malware with different payloads or different payload wrappings. This can downgrade the ability of the most carefully crafted heuristic signatures of anti-malware vendors. In fact, heuristic signatures are also responsible for "false positives", a known issue not only in the anti-malware world but also in the field of Intrusion Detection/Prevention (IDS/IPS).

Take the fact of the previous paragraph and combine it with the variety of attack techniques, operating system modules and the even greater number of applications and combine it with the need for an infrastructure to safely distribute (on almost a daily basis) the updates for the heuristics threshold and signatures and you get...the chaos. In my view, this is the very reason behind the fall back of many anti-malware vendors in the race of malware writers and
anti-malware analysts. They just can't and will not (I dare to say) keep up with these techniques. Their approach is useful but it needs a more focused complement.

As a side note, it is useful to note that beyond the anti-malware scanners, the "Aurora" style attacks can also bypass OS protection techniques such as the Data Execution Protection (DEP), at least Dan Kaminski thinks so. Other OS protection features such as Address Space Layout Randomization (ASLR) are considered immune to this type of attack when combined with DEP.

The next reasonable question is what can be a desirable complement. The answer is obvious. What is the most valuable component in the software stack that interacts and allows access to data? Yes, the application. And after the mail browser, the most critical (and for long time universal) application that gets data from the Internet and sends data to the Internet is the web browser. Application integrated protection is the key complement most people need to render stack overflow and other types of similar attacks useless.

It would also be good to minimize the reliance on a continuous update distribution channel. Infrequent updates would satisfy bad Internet connectivity scenarios, as well as lazy user and system administrators.

There are many companies out there that offer integrated application protection. And a notable one is the Norway based Promon.

Promon's Integrated Application Protection (IAP) achieves this functionality. The concept behind Promon's technology is unique and has a sound theoretical basis: If the data and the information flow are the most valuable things, the most important thing is to stop information leaking out and in to the application, making a virtual shield around it. The details of this shield are of course a trade secret and proprietary, so I hate I cannot analyze the details here. However, the important thing is that their tool caters for minimum installation hassle, minimum user intervention and a small number of updates.

I was curious to find out whether their tool could stop the "Aurora" attack payloads. It turns out that it does. showing the technology in action. Here is a video that demos their technology against "Aurora" payloads (thanks Sondov!):

demo video

md5sum: 45fc6ae7844baf243c005d0c9122d19f  aurora.mp4


On the left hand side you can see a Vmware instance simulating the victim's system and on the right hand side is the bad guy that likes to hand out malware payloads. Watch what happens on the first instance. The victim's system connects to 'evil.com' (effectively exploiting of the IE vulnerability) and then various things happen to the poor desktop. The second part repeats the experiment under the shield of Promon's guard. The application immediately detects the exploit by sensing essentially suspicious information flow in and out of IE and then it drops the bad application.

I will try to outline the technology behind promon's concept in a latter article. My point is to show that effective technology to protect (and complement other tools) vital applications in cyberinfrastructures does exist and is quite effective against professionally designed and executed attacks such as those of the recent "Aurora" wave.

7 comments:

  1. Great critique of AV systems. Enjoyed reading it!

    ReplyDelete
  2. I am not sure I understand your comment about the use of DEP and ASLR. I believe that heap strike attacks against ASLR have been successful. Kaminski's view is out of date.

    Cheers
    Dave

    ReplyDelete
  3. Great work George.

    The main problem with Auroa was the highly obfuscated code thus 99% of existing malware protection could not see it, this leads to the problem where code is now so highly obfuscated that it is boarding on encryption. Promon solution seems interesting and I will read more about it!

    Interesting you mention ASLR as since I have moved over to OSX (and a nice shiny Macbook Pro) I was surprised to notice that OSX does make use of ASLR where as Windows 7 does.. I suppose it all boils down to more people intent on bringing down Microsoft, but one day that focus will shift no doubt.

    ReplyDelete
  4. So, why some AV vendors did detect the attacks? (I agree with your general comments)

    ReplyDelete
  5. I agree with the fact the we have fallen behind malware writers, but to be 100% objective I must also say that you underestimate the techniques of AV and spyware scanners.

    You present the AV engines as a combination of signatures and heuristics. That's not entirely true. AV do and can have (beyond our products) more sophisticated techniques (including DLL memory addressing/flow patterns that I suspect is employed by promon)that can match Promon's functionality.

    I understand that some AV products have missed these attacks and I acknowledge the problems you mention, but to imply that the AV is gone to pieces is far fetched (I also dare mentioning that as a virus analyst).

    VA

    ReplyDelete
  6. Nice story. I would also prompt you to clarify the bit about ASLR.

    Claudio

    ReplyDelete
  7. VA thanks for your comments. I certainly do not underestimate any AV techniques. On the contrary, my article makes clear that Promon's technology should be used as a complement to AV products. In essence, what I am saying is this: Trying to find techniques to cleverly detect a range of apps and issues is more difficult than focusing on core application that handle sensitive data.

    GM

    ReplyDelete