
SANS ISC InfoSec Handlers Diary Blog


There are no more Passive Exploits

Published: 2006-10-05
Last Updated: 2006-10-05 21:03:14 UTC
by John Bambenek (Version: 1)
0 comment(s)
The class of so-called "passive exploits" is more serious than previously considered. In the past, you would have to "trick" users into visiting webpages or otherwise going to the exploit. This has proven easy enough; some users will click on anything. However, with the ubiquity of wireless, it is not only easy to get around the passive part of the exploit with wireless man-in-the-middle attacks, it also allows for targeting the exploits at certain classes of people or organizations for maximum impact.

Wireless man-in-the-middle attacks are pretty trivial and can take several forms. For instance, "airpwn", which debuted at DefCon some time ago, focused on replacing images when victim machines surfed the web. It would be easy, for instance, to inject harmful malware into innocuous web traffic and infect machines without the user's knowledge. The Intel wireless driver vulnerability suggests that it is possible to exploit wireless drivers directly. The mindless expansion of wireless availability without thinking of the security implications means we need to play a little catch-up.

The downside of using wireless exploits is that it ties the hacker to a geographical area. The upside is that it allows you to highly target your victims without "spamming the world". This helps malware developers avoid their malware getting detected by AV/Anti-Spyware applications.

It is trivial to determine if your malware is detected by these applications: you can simply scan the file yourself. If your malware doesn't trip the heuristics or the signatures, it will slip past anything used to defend a PC. If you spread this malware on a local basis, it makes it that much more difficult for AV/Anti-Spyware vendors to find the malware, reverse engineer it, and develop a signature. The malware has to find the AV/Anti-Spyware companies, in a sense, before it can be examined. It's not impossible, but it is another large barrier of defense. Anti-Virus/Anti-Spyware applications are, by design, set up for maximum privilege (as opposed to least privilege): anything that doesn't trip their rules is allowed.

The particular application here isn't the general script kiddie, mass identity theft stunts that are all too common. The application is corporate espionage or espionage proper. Here's an example:

Alpha Industries has invested massive amounts in R&D and developed products far ahead of the competition, Zulu, Inc. Zulu, realizing they are being left in the dust and suffering from a bout of "moral flexibility", decides to try to spy on Alpha Industries. They know the headquarters is near a popular coffee shop with wireless that many Alpha employees frequent. They pay a hacker to sit in the coffee shop and silently inject malware onto any machine that connects.

This malware is pretty simple. All it does is search a desktop machine for any "office files" it sees, take a few, zip them with a password, and then silently mail them to a dropbox read by Zulu, Inc. employees. Those employees then take the, hopefully, proprietary information and start to get a leg up.

The basic point here is that it has become much more important to patch even those "passive exploits" if you have information to protect, to start thinking about how to layer defenses against malware, and to develop policies and procedures to protect confidential information, especially if laptops containing it "go on the road."

John Bambenek, bambenek (at) gmail [dot] com
University of Illinois - Urbana-Champaign