
Comparing the incomparables


Automated media analysis

now I could ask you how the party last the density of the casualties so I could be gentle you and needs presentation light and entertaining for you but I'm not a nice person so I will make even an easier than sort of just jump right into this but I'm I'm going to do what is incompatible in the landscape areas that we are moving meaning the mother of course smaller groups writing groups and mother protection program especially the protection program so every major constituent is thoroughly tested and their qualities are measure and the Internet is for the protection of the products of the melodic tested by Ontotext and even the the Special EPP protection devices each other as claimed that themselves to be untestable knowledge and can be tested because you hear about it from yesterday presentation by FIL tumble actually today by what they have to be more detail about how all the test is the answers even the best answer some measure of against the the objective criteria by the end of the distance that nest organization there is 1 single immediately and was never tested and those of the other articles and that's not fair should be aware of their capabilities and not only but but also because actually there is an actual war going on between them and us and the 1st rule of law is that you have to know your enemy if you go on your on your enemy your defends his view that you know that if you underestimate them we are going to to get to if you all that estimated capabilities down your efforts in protection you be misplaced and the rule-based your efforts in areas that you shouldn't based on the use should not concentrate efforts as just as an example if you have a house which is full each variable stuff and getting and the you want to protect it and you're afraid of tuberculosis in the neighborhood there are a couple of options you can choose so you can view the ball all around the house of the meter rival of let the electric fence on the people that would effectively the 
just let as we all know only 2 . 5 meter but that's to be expected because of lost with your for the outside it has also illustrating the effects on the vegetation brand of all soul if you happen to know that they become blogger in your neighborhood of of just covered school they're not the that became because this is the standard operating version here and then you would know that the all these use less is not necessary you should strengthen your locks and the windows and doors that would be another measure for you much cheaper and would be still protected now if still wouldn't defend you against missions states forms or the press MSE and the lights but chances are before MSE with that that you there will be about 5 sessions side the primary groups so the Chinese in APT groups maybe 1 Israeli and France the people at that so you have to prepare for the vast majority of explored that you have to know all the capabilities of the other tests and that's the point of evaluating the all these model of course of the APT groups and the command cyber crime and as the point of my presentation not how do you Emily these groups held the measure of the spheres of of them there are a couple of problems with the testing in the 1st of all the subjects in these mother not all groups of commitment principles and they have different purposes some of them wanted your uh banking and access information so that it was still your money from the others want someone says that these documents from your heart like this 1 to 1 just the story wouldn't their facilities physically so they have different purposes they have different targets some of the getting formulas others are large corporations get the the uh groups of target non-governmental organizations the target range is also like and because of that they have to the different defenses for home users there is only problem of free enterprise solutions for for large corporate users was also in that the differences in place events from the 
advanced protection devices and for that the and that the classrooms a very different approaches and the was some already had the just 7 efficient e-mail the backstage is some nice complex click here and you'll be fine on the other side using common explicitly the last using his your that exploits from there is a wide range of tools but they are using test so that the task is how to measure and and qualified players who were on a very wide range of activities and that the solution is something like this uh professor source on doing in university classes they have right do they have the local students with a wide range of capabilities they are going to give them a problem to solve and based on that the level of the understanding of the problem and the skill visual in the solution and they're going to to raise the students that's what I'm going to do i'm impersonating at teacher other people are going to be the students not for that that's were the problem has to be solvable if is not solvable it's not there's no point in the text it also has to be difficult enough so if anyone's course perfect from the past that it is not a comparative tests also is that that's the problem has to to be good enough to differentiate between a wide range of skills and lastly every student in the classroom has to be motivated to solve the problem if this problem that the only that attempts and of them is interested in solving them the best results we would not be usable for our purposes and measuring a large number of these models sold what is going to be the test problem
that this problem is going to be all over Europe 1 it's it was discovered last year is that each that's for about 5 former vulnerability and at least 1 memory what action now did you know and the yesterday so doesn't of the the determinants and methods I'm going to talk about should be family stories that was very expensive and would overview of the generic principles and this is the this is going to be a practical implementation and this is no but I referred to in the introduction that I'm going to to be tough review because in order to understand the results of the best you have to understand the methodology of the tests and the methodology of the tests relies on you understanding cults exploitation products now use all of the it is the has the onset the name the the 2 thousand 65 I'm going to refer to this other disciplines 1609 estimated using certify acceptance of presentation anyhow this is the new version of the of the uh and that exploit and every possible model for group is just very happy to get their hands about and you know that 1 of the key and export so they are very much what motivated in using 2 because it is a powerful tool in effect and users so if you need the original unicursal description all this exploit it will be sort of a DVD to say that it fx all possible but good very good versions that they're there at the time so all of them which are listed on this on this list are 1 honorable and possibly exploitable by the small number of the model that in theory there is no difference between theory and practice however in practice that is used in France so if you would guess but be a guess how many of these as well but good versions were actually affected have been dishonorably to know the silence I think it is 0 because a slightly more than that and actually 1 version was ever affected by this 1 and it follows of 2000 to the service but to exhibit the ocean and the reason is that and even though all of the other versions exploitable and could have 
been exploited successfully the practical implementation exploit heavily lied on absolute memory of steps taken from a particle over in those compliments must considerable sees a particle of information and that 1 was only by default installed by his Office 2010 tenants of respect to it would have been straight for tools to border so of it at all of the other disclosure of it didn't have why wide you knew probably understand around the middle of this presentation so let's talk about a bit about the exploration process itself from from of a very rapid overview there is a rich text format exploiting documents vulnerability trigger a shot would gets executed and at the the end of the year with is dropped in the system of some sort of Trojan mouse to that is based on scene of slight problem in this chain and that's like problem is called the entire execution progression which means that it is uh relatively easy to form to full of words into into writing shall called intra memory area on the it is quite easy also to convince to jump into that memory area harvested if you this is not a and not possible with that in presence to actually execute called to because these data in areas where there was a 2nd here are declared at the sum of contemporary was operating system as non-executable you can inject your code that you cannot execute so before you can execute your show that would drop and execute that the final solution to the system you will have to make sure that the the child called in these executable at its mode executable page so that would exploitation started there uh component that will work on command or look a new memory broke maybe that's an executable memory just copies the show for their and lexicons from that's pretty easy there's 1 slight problem in order to to make use of location you have to executable told what the problem executable call it
you cannot exist in the cold because of data execution prevention and he becomes the concept of the rope exploiting some it into programming and which means that you cannot execute the code of the 2 places in memory but you can execute calls that are already placed in the memory by the system at the bond explication heroes there are about the doesn't solve single system libraries already loaded into the memory for your convenience and this means that there is that I have uh than Bansal megabytes of laying the memory that you can use knowledge of that of that has to do is to be small snippets all of the schools and think about them as fossils uh get these fossils from the legal system libraries and just hold the chain them together so that they would have accomplished the functionality that you really during the exploitation and then the American Educational Resource you just diverse the normal execution to jump to the 1st fossil of your cold and it will just good guess and the the surrounded that you jump from positive possibility of the chain together but he fully had them they will complete the task you on the so the positive side are often very limited capabilities sets so you will need a lot of causes the completion of the of the smallest asked me that there's not another 1 of the problem which is a yes a the restlessly of randomization which means that if you want to use the sponsors you have to know that the are memory 99 % of the those libraries are placed randomly in the memory that are only a few of them which have the load and the users libraries of extreme values for to exploit from the test and has constant that is used by the woman with the spinal cord sold the exploitation sparsity confusing taking him making him uh at the TU Wien execution by him and then starts the integral chain which would look at memory for other executable memory for the show caught and executed diaries another slide problems in this particular case which means that the beach in 
which which means that benefit of 1st as diversity and it gives a diabetic with small memory feature map and the small number region cannot hold an entire structure that is another memory region that the upper classes can control which can cost a lot of the time but it is not their 1st gets diverted so the boot loader of this explanation process is further divided into 2 2 parts there a bootloader of the book that the initial change we should make sure that the execution is directed to the large that which already costing the entire chain that change in that and I will create an executable memory range copies the show what their mission was executed multiple stages locates the payload that takes you don't see it executed and the that that is the that the installed Trojan now is a good test problem for the model close because it is these grammars modifying the final payload is the FPT task for the smaller modifying the shell as this up every day but it is made with the molecular basis batch the rope changed now that's that's a highly skilled operation and not many of them that's the way to do that so here we have the other general problem for the mother so if you don't between between the 2 in into that's sport itself it is a mnemonic what action of honorable deviation and of the table of pointers to all function blue gets over time during the exploitation of debate happens and active documents can contain the school that i tables which have several different parameters for lists and that the name in the text of the local the document now the debate going this this that I've tables is stored in a buffer acid memory and the you mean structures of memory and the other the other this is of these structures are stored in a but I will be allocated memory region now believe that what happened to be a somewhat more of these and already I structures expects that it will be the 1st such over the boundary of the town located memory and the water right whatever comes after the 
and as the number of corruption of the student and the execution and in
particular uh at a certain memory addresses that is a point of people in the MS the all the EU so pretty meaningless but this for me as a function table and not to mention the fancy functions and of course in the process of passing the malformed out here the the man of the other this is all that is that i tables that at the allocative region and override this this function table so that's something unrelated point later in the code execution of called would be made to into this function table but instead of taking the appropriate function from muscles the of this call will be the the address for all the way from bundle the useful that I about and this and this would be an absolute number location and you inside the and misconceived there was
and the initial chain as I said does nothing but transfers the execution larger profit which is controlled by the I mean there is a deep inside the histogram structure that is this level text box there which don't was a large chunk of binary data as large chunk is going to be the main of chain and the shape of 1st work now and is for the right table contains the of the rest of this stuff so really the initial change has nothing to do but execute the single call into that that that is still there and into the level that often like I said that the role of the Baroque attention what the puzzles that the values from the from the middle loaded system libraries are very limited capabilities so the single single costing assembly instruction and you need 6 different models to we need to execute disco them and just as in the illustration of the complexity of the task the 1st of the rest of this of the 1st cognitive uh stored in money so that table but in the obvious fact about 5 it's actually is actually stored in 4 different bases that combine different 4 different things for example the 1st by the H is the value of the the and the level of an efficiency and the fact that they are the have at least city to this amount was to be a and hexadecimal so that the 1st byte 48 is it's actually a Pittsfield and several of the mediated texts included in the RTS combining for example is the largest in the world the GC and 0 and the lowest of the low and this that and world knowledge that he's setting forth the 2nd in Interspeech that that's how it is combined render and finally the last 2 white area in the level of numbers that the after 5 uh what this uh slash also 588 the notes the big hexadecimal value of 5 in the following a stroke is the best thing 27 which is follows the so in order to control 1 single addressed in in the Europe change you would have to modify list 4 different places for different and distinct basis at at the at at 5 uh use this expedition is an emerging 
requires an intimate knowledge of the octave structure uh and representation so that as in all other and the fact and this addressing them consider all 6 of you find the small world called fragment this is this is going to be the 1st puzzle in solving the and the court transfer after that the execution was on the larger the text of for Europe chain that is for the of the memorial location now that 1 is a bit longer and the and as the explosion that I mean that the applicants have no absolute control over the cold war between developed gadget so they do what they want and they do a bit more than that in some cases apart from doing whatever something to they perform light samples from the sets that which is not needed for the actual execution box because there is a bold and it is not avoidable that has to be something on the step that is spoken to register this is definitely there never use so it really developed change that a few unused bytes which has no significance for the exploitation they have to be there so that something could be meaningless support places so these fights are not used it could be any rate and think that the the mean of change and the very logic is very simple you know look it's a new memory copies the share their and Johnston and but because the people get limited capability acquires about 10 to the 12th building roles direct at completion this task so if you look from the the RTF perspective in place of the text with RDF 5 thoughts some sort of had followed by some sort of irrelevant information the exploit figure the initial Cheney scattered throughout the texture of the of the fire the 1st regional chain is stored in the in the lab text buffers uh uh along with the 1st patient was 2nd quality and the payload is usually up the this some binary time at the end of the of 5 amount from the at that point I mean from the test point of view because of that gene that's an additional hidden loaded into the test like every decent model for that 
would modify the random binary search for them the babies that small problem the 1st picture quality is easily recognizable in relatively easily recognizable in the latter is the effect on it looks like a buffer of bytes that a decent mother right there can can comprehend and and modify the initial change for that you have to move the really deeply understand the active structure so apart from the immediate and the granularity the exploitation itself there is a general at in understanding the RTF as structure itself so it is a very defined and granular test task for the project and don't going to do so
going to rank there but there are some the light on the miscues so they are showing us so starting from from the ceiling knowledge the knowledge means that they're buying 1 in the underground market space is a generator and they're going to generate a sample of it is a basic skills that you've all replacing the very organized thing sampling that media knowledge and that just can modify or the the scheduled steel plants try to make some trivial modification in the chain itself uh advanced protesters and uh you can meet me significant modifications in the chain and or the exports again and and the you would once can control every single aspect of the expectation that is going to be the still the value placed the the uh it the office so that the 1st version of this research was published in February at the top of the uh I'm not going to touch on all of the families and the groups that are mentioned in that because that would be be the wrong representation uh and you can go there and and check that but I'm going to mention a few additional bonds between which were not known at the time of writing that so let's start feature subspaces you and the 1st thing ever sample that it identified using this where this is going to be the point of from back of comparison as it turned out that all of the for the samples that derived from this 1 that was more independent development going on in this but this was a destructive for German appeared last April and that it is stated according to some media partners seeking advertisement clearly in because of this kind of and destructive thing you know what it was not used in the targeted that as you would expect from from and the the the player who deployed as he had already I think it was deliberately it really is a leader before Microsoft the the basis for property that is an example and perhaps the name but that the cover extracts because if there is only 1 single entity who who knows and uses this 1 another the every every evidence 
pointing to the that election for their start using it it will get scattered anyway and in this case the documents thought to be a large chunks kilobytes of uh the John content context not users are not displayed but it is a very convenient for identifying everyone else will stop being based on the theory that is guided by the developed it was a highly
skilled uh there was some of but uh Monday after this so the initial sample was used as a couple of targeted at that so there are no more further using this form of uh mainly by the to do group that was recently ruled by bias if you look at it over remote and it was targeted against the diplomatic targets and they they made a very significant modifications to the expletive document for example they cut that all of the chinese that was at the beginning of the file and uh and they is down in merely to the meaning the the the article want that and also changed the memory location locations integral chain solve they made very significant changes in in the the export of documents I'm not saying it is not possible to do all that is not the answer but it's very alive to that some my guess would be that they have prior prior knowledge of this exploit before they started working it if I had to guess I would say that uh this is the group that is most closely connected to the source of the exports but now there that you would have the reputation of being supported by the Russian government government they have huge financial resources and they have a history of using 0 they export so it is not an unreasonable assumption that they were the 1st one to use the successful but there is no they're tested evidence pointing into that direction and all because of the the the changes they made to the rope chain in clearly uh dangerous and broke the women uh that is some died
descendants but they're using the what in our sample and they didn't do anything as a box of objects for the subject there with the binary that which and at the end that's to live in a very busy no modification of the samples of the development of pompeii after about 1 month after the you know originally duties and they are going to be used by the Party tied up in the book uh when I said then mean change anything that's not entirely true they change that also him from his mind is my at least my beach is something you could do it in 2 seconds in the text the so that doesn't constitute as a as a major scale anyway but this is his group showed that the basic skills of expert knowledge and
entrance interesting strain which is not destroyed and and that in this sentence from uh at the school it is a great tool for research form for penetration testing understanding the the explored and so it is also a great tool for model of our thoughts and they are using it extensively for generating samples which light uh indicates is I'm going to show you and the the Metasploit module appears about the laughter village another use of the players the command and the clearly of the what where they could that module and some of the the atop exploitation at least to the level that as I mentioned that in the game and made of chain that are some unused to the Lovebytes in each of their own and for that matter to people in meaningful and meaningless less than that it's not being used overview of endogenous sample the be forced upon hotspots now in the middle school booklet model today there are data from domains the use of these devices that could make best possible to identify whether the post reading Metasploit for samples and wait for the development of of the skills export as 1 of the dialects descendants from other storage room for was the the have X small which was my should also mention this presentation as part of being a magic except for an looking for industrial control systems but then I created the size and then know that this will be possible to look at the inside the another 1 and another example and that was the section group it was reported by blue called uh and later on my the policy of class and the dielectric connected to the building instead of over campaign anyhow but they they they generated a sample of blood Metasploit then stabbed share called and the payload and just replaced the glass additionally gives a few sections of a program with another exploit look at the beginning within the lower level of the however arguing that they messed up about the of some structure this is a very delicate her own ability and if you must have developed a 
structured break and that happened in the case of the section will be generated about 3 so that the government and with the sex with acid in 11 of them the expert was actually brought them so they generated a sample with Metasploit just who use this vulnerability and they brought it them in about 90 % of the cases that's really on 1 hand and their skills because they're ties to share the codes and the payload on the other hand it is scheduled a little by the fact that but about the created was not working any help there is a
few which a group of samples using exploit that they're using go some sort of generate got some generator and what they're good at matter support is also generally for but not here I'm talking about commercial was that releasing the underground and surface 1 of I don't know what the genetic to reside on the name for it because will be in in deported here we just see that hundreds of samples are generated by a lot of come on banking Trojan families of being distributed and decide how dominating the the exploitation singular so the largest chunk of text with the documents that just right on the databases are generated by this tool uh it has apart from the day and the main broke me level textbook that was the rope chain and called an additional of 2 additional blocks that have the same feeling where were over them it is not used it is pointless but it can use it can be used as the watermark to point out that all the samples that are created by the school anyhow because they the bachelor to beat all the video of the level of text structures and the exploitation stuff sort phonemic intermediates yourself with boss Weber was writing this this generates another from Microsoft loading through their In it was brought by the fire I think and later this year just a few weeks ago yeah of might be part of this 1 that's the other large chunk of her life with examples that using this vulnerability also hundreds of developments created with it and I suggest that indeed they are people because it's very interesting and I don't have the time to go into the include a candidate has had a very distinctive characteristics and it is 1 of the very very few cases than the the model of those actually but little change and the uh they use an alternative rock change in some of the origin of on so it is performing the same task it could be achieved finest moral building blocks it is about too but the men's generated by this tool kit explored see different 1 of is within the same archaeophytes 
and also uh doesn't sold mostly banking Trojans personal distributed by don't mention generated by the school and how they have these of skill sets that the output of this sold because the actually they have to touch the change history of someone who understands exploitation at a higher level a really interesting case was that of temperament OK so now I'm am I'm a physicist but by education and allows a programmer when I have to do programming I there was a physicist I taken example program modified to my needs and the 2 distinct continue to fix surprising to see that there may be people to Chinese repeated follow just about the same path of development


Formal metadata

Title Comparing the incomparables
Series title Hacktivity 2015
Part 17
Number of parts 29
Author Szappanos, Gábor
License CC Attribution 3.0 Germany:
You may use, modify, reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
DOI 10.5446/18838
Publisher Hacktivity
Year of publication 2015
Language English

Content metadata

Subject area Computer science
Abstract It is common belief that APT groups are masters of exploitation. If anyone, they should know everything about it, right? Our research into the real-world uses of the CVE-2014-1761 vulnerability shows that this is far from true. It is common practice in the anti-malware world for security products to be compared to each other in comparative tests. Even the tests themselves can be evaluated against the criteria of the Anti-Malware Testing Standards Organization. The only players who are not rated are the malware authors. This is for a good reason: their activities cover a wide range of operations that don't fully match and can't be exactly measured. The deep analysis of the samples using the CVE-2014-1761 vulnerability gave us a rare opportunity to compare the skills of a few different malware author groups. This is not a full and comprehensive test; given the complexity of the exploit, we could estimate the skills only in a very narrow slice of the full set: the understanding of the exploit. But the situation is the same as with any other test: if you know exactly what you are measuring, you can draw valid conclusions. The presentation will detail the exploitation process, explaining the role and implementation of the RTF elements used in the process, the ROP chain and the shellcodes. We will investigate the different malware families that were using this vulnerability, and discuss the depth of modification made to the exploit. This will give us a chance to rate the understanding and exploitation skill of the authors behind these malware families. The comparative analysis gave an opportunity to draw a relationship chart between the different malware families, showing strong correlation with previously known intelligence and adding a couple of new relations. The final purpose of the comparative analysis is to understand the strengths and weaknesses of our enemies in cyber warfare. The more we know about them, the greater our chances are for successful defense.
