Forgot your password?
typodupeerror
Security Internet Explorer

IE Zero-Day Exploit Disappears On Reboot 103

Posted by samzenpus
from the poof-it's-gone dept.
nk497 writes "Criminals are taking advantage of unpatched holes in Internet Explorer to launch 'diskless' attacks on PCs visiting malicious sites. Security company FireEye uncovered the zero-day flaw on at least one breached U.S. site, describing the exploit as a 'classic drive-by download attack'. But FireEye also noted the malware doesn't write to disk and disappears on reboot — provided it hasn't already taken over your PC — making it trickier to detect, though easier to purge. '[This is] a technique not typically used by advanced persistent threat (APT) actors,' the company said. 'This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods.'"
This discussion has been archived. No new comments can be posted.

IE Zero-Day Exploit Disappears On Reboot

Comments Filter:
  • Yay! (Score:5, Funny)

    by jargonburn (1950578) on Monday November 11, 2013 @03:27PM (#45393589)
    Another Windows problem that can be fixed by having the user restart his or her computer!
    • Works for me, but then Windows isn't the default grub entry.

      (I kid - XP is actually all right. Which explains why Microsoft are getting rid of it in a few months.)

      • Re: (Score:2, Insightful)

        XP is very much inferior to Windows 7 or 8. A single process can stall out every application on an XP machine. Under Windows 7 or 8, and probably even Vista, the same process is forced to share the CPU so the machine is still usable.
        • Could you explain this scheduling issue more precisely, please. What common insoluble problem justifies the "very much inferior" label?

          • by g0bshiTe (596213)
            I'd say the biggest boost was Session 0 isolation.

            Then they took a crap and revisited the Windows 2k days by creating the turd that is Windows 8.

            If I wanted my desktop to act like a phone with the phone widgets I'd have used a fucking phone for my desktop, thanks.
        • by g0bshiTe (596213)
          Yet Windows 7 or 8 are still as crap as XP, when a 15 year old XP flaw is still found on those boxes.
          • by TGoss (3006907)

            Yet Windows 7 or 8 are still as crap as XP, when a 15 year old XP flaw is still found on those boxes.

            That's actually a side-effect of the NSA spyware code. It's not a bug. It's a feature!

        • Why don't you tell that to my Windows 7 install when some horrible abomination in the background on a page somewhere stalls out not only Firefox but the entire PC.

          Oh, and what site, you say? *Facebook.* Hangs with the OS completely unresponsive for an entire minute or more. And this is with NoScript, too.

          • by mlts (1038732) *

            So far, I've tried various operating systems for a VM for Web browsing. Believe it or not, XP is the best. If FB stalls or the VM has issues, a quick rollback to a known good snapshot (one that hasn't touched the Net except for updates.) It performs well in 512 MB of RAM for most Web browsing. That way, if FB decides to hang, you are just a few minutes (less if you snapshot the VM while it is on and suspended.)

            • Well sure, if you never use bookmarks or care about cached sessions and stuff...

              • by mlts (1038732) *

                I copy/paste bookmarks to a different file, so that really isn't an issue. Cached sessions are not a worry either. In fact, being able to dump all state, no matter how much identifying info is left behind is a win for privacy.

    • Re:Yay! (Score:5, Informative)

      by higuita (129722) on Monday November 11, 2013 @03:57PM (#45393793) Homepage

      Don't forget that now that is harder to do, thanks to the infinite wisdom from microsoft!!

      In windows 8 (and 8.1), when you "shutdown" windows, you are really just hibernating the PC, not doing the XP shutdown... When it starts again, it will load the previous state into memory and the malware is still there (and bugs, and crashs, and trash running, etc, etc)

      To really "shutdown" a windows, you need to "reboot" it (or press the power button!!)

      The real solution is to use linux :)

    • by Ravaldy (2621787)

      The reboot trick is for all software, not just Windows. You haven't been in IT long enough if you've only seen MS OS require this.

      I have a bunch of self contained Linux based boxes we have to restart on a regular basis due to memory leak issues in software. I think the OS on it's own is fine, but start adding garbage on top of any OS and you have trouble. Reboots are a common practice for fixing a number of issues for any software you may come across regardless of OS.

      I have Windows Servers that get rebooted

      • by DarkOx (621550)

        I have a bunch of self contained Linux based boxes we have to restart on a regular basis due to memory leak issues in software.

        Memory leaks (unless they are IN the kernel or some very core process like init ) should never require a reboot. Once the process is killed, and the OOM killer should do that at some point, all the memory used/leaked will be freed, by a proper kernel. Which is not to say the application or even the entire system might not be thrashing and nearly at a stand still.

        I give it 99% odds you could put a cron job on those Linux boxes to kill and restart the offending process at whatever interval your "regular bas

  • by sinij (911942) on Monday November 11, 2013 @03:28PM (#45393601) Journal
    Disappears on reboot is a limitation, not a feature. If you get root you could always remove payload, if it disappears on its own then it is likely limitation of specific sandbox bypass method. If I had to guess, Zero-Day is related to ElevationPolicy fix for CVE-2013-3186.
    • by Anonymous Coward

      If all you wanted was the data on the end users disk; e.g. credit card numbers, logins, cookies, email passwords, etc; then this is a desirable feature as it makes it much harder for an individual defending systems to get a copy of the code and exploit.

      Additionally, if the worm or virus agent is polymorphic in nature, then this assists in avoiding detection by antivirus scans. Remember, those scans slow down end user machines, many companies only do them once a week. By the time the antivirus company upda

      • by sinij (911942)
        They attempted polymorphism with they key change. Fireeye blog stated: "this 4-byte key is present at offset 0 and changes with each subsequent beacon.". I have no idea how effective this would be, but my guess is that it would defeat all off-the-shelf detectors. If you use static key AV vendors simply add a rule to signature detection. Cryptographically speaking, exploit authors are not 'encrypting' this to keep data secret, or they wouldn't use 4-byte key.

        Re:" Copy of the code and exploit"
        You have ex
      • by fluffy99 (870997)

        If all you wanted was the data on the end users disk; e.g. credit card numbers, logins, cookies, email passwords, etc; then this is a desirable feature as it makes it much harder for an individual defending systems to get a copy of the code and exploit.

        Additionally, if the worm or virus agent is polymorphic in nature, then this assists in avoiding detection by antivirus scans. Remember, those scans slow down end user machines, many companies only do them once a week. By the time the antivirus company updates their heuristics algorithm your code is commited to cybernetic oblivion.

        That's my take as well. If you're a thief breaking into a building to get a copy of important files, you don't leave a busted out window and the safe sitting wide open. The best theft is the one no-one realized happened. For example, the break into Bit-9 where they stole a digital signing cert would have been far more useful if it wasn't detected. Or instead of stealing something, you're leaving something behind such as installing a trusted root cert that you control.

    • Disappears on reboot is a limitation, not a feature

      The most sophisticated malware in modern times, Stuxnet, had a built in self-destruct. How is it that a feature that disappears after a certain number of days a feature, but after a reboot not a feature?

      If you get root you could always remove payload, if it disappears on its own then it is likely limitation of specific sandbox bypass method.

      Small comfort to those who enter their credit card data and then wake up to $-300 dollars, two weeks to pay day, rent due, and not enough gas or food to last. People need to stop being so puritanical about exploits... "Oh, it disappears after reboot, big deal!" ... If it manages to do damage, it doesn't matt

      • by sinij (911942)
        To answer your question - one is controlled entirely by exploit/malware authors and other is not.
        • To answer your question - one is controlled entirely by exploit/malware authors and other is not.

          Yeeeeah... a difference that's sufficiently important why again? Most computer today don't reboot; they hibernate. It could be days to weeks now before they actually wipe it. Weeks during which, it's hoover-vacing every piece of data you put in your browser. Now, let's be honest -- how much do you really do with your computer if your internet is down?

          o____o

          • how much do you really do with your computer if your internet is down?

            I usually keep enough reading material or coding projects on my laptop to last a few hours of being offline. This comes in handy on my bus commute, as I don't have to pay hundreds of USD per year for cellular broadband.

  • This is the first time I've ever seen the value being used in an XOR loop referred to as a "key".

    • by daveoj (319762)

      It's because it's being used in the context of a simple XOR-based encryption scheme -- very common in malware, actually.

      • by sinij (911942)

        In this specific case XOR with the short key appears to be used as a method to avoid heuristic detection. If left in plaintext things like kernel32.WriteProcessMemory will trip exploit detectors even if you have Zero-Day.

  • It's maybe complicated unless forensics are capturing a memory image... which they should be these days.

  • Rootkit vs. CRIT (Score:5, Interesting)

    by Anonymous Coward on Monday November 11, 2013 @04:01PM (#45393831)

    Two broad approaches exist.

    Firstly, the rootkit: 'implant' an agent (monolithic or multipartite) which stays as persistent as possible, maintaining control of the system. The most extreme case I've seen writes new firmware to the NIC, which is loaded by the BIOS or UEFI code; this alters the CPU microcode slightly to change TLB handling and then chains a hypervisor into the boot process which is (thanks to the TLB update) hard to detect, and a major barnacle to get rid of - the payloads dropped by the hypervisor's code injections are nowhere near as ninja but somehow keep coming back. (Now you know one more place to look and the general class of attacks if you didn't notice before.)

    Alternatively, the CRIT (Covert Remote Intrusion Tool): a non-persistent agent which runs a stealthy process, and when it's done, unloads itself from RAM. Notably, CRITs are never truly reset-proof: this is a conscious design decision. An ideal CRIT leaves absolutely no forensic trace on disk or RAM of the target machine after it disappears (although traces of the vector of infection might need to be cleaned up, and there's always the possibility of server logs from something else - if anyone even knows to look at it). The real world, of course, is rarely so elegant, as anyone who remembers how TSRs weren't always quite so trouble-free.

    It is a difference in intent, signalled via design. One prioritises maintaining control above stealth; the other prioritises maintaining stealth above control.

    It is telling that the NSA and GCHQ attacks found in the wild so far or described in leaked documents have all been rootkits and never CRITs. Of course, that may be because CRITs simply weren't written of, weren't leaked yet, or were more unlikely to be discovered, but it seems more likely that this is a wide, strategic decision: maintaining control of an asset as long as is possible, even if its cover is blown.

    It is very hard to conceive of effective countermeasures - it is, as I unfortunately predicted a little over 15 years ago when I first publicly described such a possibility, likely to become (and now remain) an arms race, between state actors (who, it seems, always wear the black hats), and between non-state actors (black-hats and white-hats alike). In truth, all such agents are terribly dangerous, particularly those with autonomous spreading capabilities, or merely capricious greedy idiots at the keyboard. Perhaps they should be regulated via treaty, like the biological weapons their action resembles: that is an act for politicians and those who lie with a smile on their face. Perhaps we, as engineers, should concentrate on fixing the bugs the vectors exploit; but alas, I fear that may be like trying to sail a giant colander across the Pacific armed only with tape.

    I have grave concerns about the direction this whole mess is headed. They have taken what may be the greatest achievement of humankind, and threaten it more than any terrorist ever could, because terrorists don't have a billion dollar budget and a whole world's trust to undermine. We can but try, and do what we can, to fix such damage, and route around it, wherever we find it and whomever perpetrates it for whatever reason - it is all, simply, a bug, at its heart, and bugs need fixing. Perhaps we can build protocols, and software, far more resilient at their core; but until they are ready, please at least let me have my cat pictures and my tea and my discourse and my computer games, lest I become mad as hell and cannot take it anymore. I grow weary. And quietly bitter.

    • by sinij (911942)
      ^^^ Mod parent up please.
    • by Arker (91948)

      You are right, and it's a colander instead of a nearly seaworthy boat that just needs some holes patched because of 'nimble' development practices and several decades of constantly reinventing the wheel and selling it over and over again with a little more gee-whiz each time.

      If you want a secure computer you need a conservative stack, free from the ground up, with security designed in from day one, and an emphasis on mathematically correct code rather than features. Otherwise, you are trying to bail a colan

    • by Anonymous Coward
      "Two broad approaches exist" ..

      The only safe solution is to eliminate Microsoft Windows ...
    • > Firstly, the rootkit: 'implant' an agent (monolithic or multipartite) which stays as persistent as possible, maintaining control of the system. The most extreme case I've seen writes new firmware to the NIC, which is loaded by the BIOS or UEFI code

      That is _nasty_. May I safely assume that virtual machines, with their hosting server based software NIC's, are immune from this vector? And do you have a reference to this mode of attack?

  • Sure it dissapears!

    Unless you're running IE as admin, you have UAC disabled and the malware has installed a hypervisor and you're hickjacked forever without having any chance to detect it. How long before we see that?

Life is difficult because it is non-linear.

Working...