
“Turkish” Browser Security

Last week USENIX held its 20th Security Symposium in San Francisco, and I attended a number of interesting and inspiring presentations.

On Monday during the WOOT 11 workshop Chris Kanich from UCSD gave a talk that was closely related to our own BrowserCheck work here at Qualys, but used some very creative means to gain access to test subjects. He and his fellow researchers, Stephen Checkoway and Keaton Mowery, used Amazon’s Mechanical Turk crowdsourcing service to advertise a task and then fingerprint the security of the browsers used by the interested workers.

Amazon’s Mechanical Turk is a “crowdsourcing” marketplace for tasks that are best solved with, or even require, human intelligence. An example might be the identification and labeling of an image, the translation of a foreign text or the categorization of a website. These tasks are called HITs (Human Intelligence Tasks) and are coded by the HIT requestor as webpages. They are labeled with both an expected duration for each HIT (often less than a minute) and the offered pay for each HIT (often in the cents range). The workers (“turkers”) use normal web browsers to navigate the site and select HITs that they feel competent to complete. At the end of a pay cycle, Amazon’s payment system charges requestors and pays turkers.

The UCSD team put up a very simple HIT that consisted of typing in the name of the Antivirus (AV) program used by the user, and offered to pay 1 cent for the answer. When the turker accepted the HIT, the webpage prompted for the name of the AV in use and also ran JavaScript code to identify the browser and its installed plugins.

Once the HIT is executed, the turker is offered another task, slightly more complex (download and run a script) and better paid (between 5 and 15 cents). The script to execute has roughly the same purpose – record the security status of the workstation in use.

The results mirror very closely our data from BrowserCheck: over 80% of all participating turkers have at least one vulnerable plugin that could be used to take over the machine.

The data from the more complex follow-up HIT, where the turker ran a script to provide more detail on the machine configuration, confirmed the vulnerability data gathered by JavaScript and provided additional insight into the AV configurations in use: over 90 percent of all turkers have AV installed, but many of them are using outdated AV definitions. The US is particularly disappointing: over 75 percent have outdated AV definition files on their machines, a fact that the researchers attribute to the common pre-installation of “teaser” AV packages that come with a newly purchased PC, but that stop updating after six months unless the user buys a full subscription.

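The browser-side part of the HIT described above, and the BrowserCheck service, boil down to enumerating installed plugins and comparing their versions against a table of patched releases. The following is an added illustration of that check, not code from the UCSD paper or from BrowserCheck; the plugin entries and the minimum “patched” versions are constructed placeholders, and in a real page the input would be `Array.from(navigator.plugins)`.

```javascript
// Added example: flag installed browser plugins whose version is older than a
// known patched release. The product list and minimum versions below are
// ASSUMED placeholder values for illustration, not a real advisory table.
const MIN_PATCHED = {
  "Shockwave Flash": "10.3.181.34",
  "Java Deployment Toolkit": "6.0.260",
  "Adobe Acrobat": "9.4.4",
};

// Pull the first dotted version number out of a plugin's version, description
// or name field; browsers differ in which of these carries the version.
function extractVersion(plugin) {
  for (const text of [plugin.version, plugin.description, plugin.name]) {
    const m = /(\d+(?:[._]\d+)+)/.exec(text || "");
    if (m) return m[1].replace(/_/g, ".");
  }
  return null;
}

// Compare dotted version strings numerically; missing components count as 0,
// so "6.0.260" equals "6.0.260.0" and "10.1" is older than "10.3.181.34".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return one record per plugin that matches a tracked product and is either
// older than the minimum patched version or has no parseable version at all.
function findOutdatedPlugins(plugins, minPatched = MIN_PATCHED) {
  const outdated = [];
  for (const plugin of plugins) {
    const product = Object.keys(minPatched).find((p) => plugin.name.startsWith(p));
    if (!product) continue;
    const found = extractVersion(plugin);
    if (found === null || compareVersions(found, minPatched[product]) < 0) {
      outdated.push({ product, found: found || "unknown", minimum: minPatched[product] });
    }
  }
  return outdated;
}

// Constructed sample shaped like navigator.plugins entries (name/description/version).
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.1 r53", version: "" },
  { name: "Java Deployment Toolkit 6.0.260.3", description: "NPRuntime Script Plug-in", version: "6.0.260.3" },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape 9.4.4", version: "" },
];
console.log(findOutdatedPlugins(SAMPLE_PLUGINS)); // only the Flash entry is flagged
```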
“Up to date” percentages in such a low range make me question whether we (the internet’s users as a whole) would not be better off if PC manufacturers refrained from including commercial AV packages in their standard consumer builds. Future versions of our BrowserCheck initiative will add an “AV updated” check, and we will see if we can confirm this tendency both in the end user version (https://browsercheck.qualys.com) and for the users of the Business Edition (www.qualys.com/browser).

BTW, the real purpose of the research was to determine if Amazon’s Mechanical Turk can provide an efficient way to install malware on machines, i.e. to see if a botnet could be constructed that way. Answer: it depends. Read the full paper “Putting Out a HIT: Crowdsourcing Malware Installs” itself for a detailed answer to the question and more insight into this fascinating experiment.

Good Software Hygiene – New Tool in QualysGuard

Good Software Hygiene mandates fast patching, but most organizations prioritize the roll-out of patches and take into account severity and applicability.

To help organizations tune their prioritization process, last week we added a knowledgebase enhancement that extends our severity rating with an “ExploitKit” mapping. The new mapping groups all QIDs that are used in the so-called ExploitKits available for purchase on the black markets. ExploitKits such as Crimepack, IcePack and Phoenix offer the attacker a suite of exploits for common OS, browser and application vulnerabilities and automate the setup of the malicious webservers needed in the malware infection cycle. For the moment they focus on the Windows OS.

Figure: ExploitKit mapping in the QualysGuard knowledgebase

ExploitKits are behind many of the mass malware infections (Zeus, SpyEye, etc.) that group the affected machines into botnets, which are remotely controlled to send SPAM, participate in DDoS attacks and intercept banking credentials by monitoring browser usage. Affected machines can also be used as beachheads for further incursions into the enterprise networks they belong to, and such infections are widespread: Gartner estimates that between 4% and 8% of all workstations in enterprise environments are infected.

Organizations can protect themselves from infection by hardening their installation and patching all of their workstations against the vulnerabilities abused by the ExploitKits. The “ExploitKit” mapping can be used in targeted scans or in reporting to aid in the hardening process.

References:

  • Francois Paget at AvertLabs – Initial overview
  • Mila Parkour at Contagiodump.blogspot.com – Mapping data
  • ExploitKit WhitePaper from Team Cymru – for some history on ExploitKits – see attached PDF

Attachment: A Criminal Perspective on Exploit Packs (PDF, 5.0 MB)

Good Software Hygiene is Effective in Combat of Malware-Driven Data Breaches

On Friday April 15th, The Oak Ridge National Laboratory (ORNL) disconnected its Internet access to contain an intrusion and interrupt the theft of data. Attackers had gained access to the ORNL network on April 7 through a phishing e-mail attack carrying malware with an exploit for a 0-day vulnerability in Microsoft Windows Internet Explorer.

Previously, we had seen a similar attack on the security company RSA, where data related to SecurID, RSA’s two-factor token authentication product, was extracted. In RSA’s case, the phishing e-mail carried an Excel spreadsheet purporting to be about the hiring budget for 2011. The spreadsheet contained an exploit for a 0-day vulnerability in Adobe Flash.

At the same time, Verizon’s 2011 Data Breach Investigations Report (DBIR) affirms for the 3rd year in a row that the majority of data breaches (96%) could have been avoided with the implementation of simple countermeasures.

Organizations can effectively protect themselves by implementing good software hygiene, which starts by introducing a structured patching process aimed at installing critical updates for all software within a short timeframe (we recommend within 10 days). Organizations that have implemented such fast patching have seen a significant improvement in the robustness of their infrastructures and have been documenting their progress publicly (see the reference section on the processes in use at Goldman Sachs and the US State Dept).

Fig 1: Motivation for Patch Speed at Goldman Sachs (From SPO-208 RSA US 2009)

Fast patching will prevent infection from all of the common malware exploit kits that are available for purchase. The toolkit “Phoenix 2.5” for example offers 5 exploits based on the PDF file format, 3 on Java and 1 each for Quicktime and Adobe Flash, all of them abusing vulnerabilities that are already patched.

Further resilience can be gained by controlling installed software and its configuration. The ORNL case would have been countered by the consistent use of an alternative browser. The Excel attack could have been prevented by prohibiting active content in the Microsoft Office Trust Center or by uninstalling Adobe Flash, preferably both. Switching to a more modern version of the base OS, or even to an alternative OS (e.g. Windows 7 64-bit, Mac OS X or Linux), will also add resilience against malware.

This level of tightening of IT configurations raises the bar significantly and will keep most classes of attackers out of enterprise networks. Talk to your industry peers to see what they are doing; a number of organizations are already operating their networks in this way and can attest to the effectiveness of these measures.

References: