In the modern age vulnerabilities are discovered in one of two ways; organizations, researcher, testers and white hats test applications for vulnerabilities due to their line of work or simply to build a reputation. Once these individuals find vulnerabilities they inform the vendor, wait for a fix to be developed and deployed before revealing details to the general public and in return the vendor will generally give them credit for the find. On the other side of the spectrum we have black hats who look for vulnerabilities with the intent of making a profit or otherwise using that vulnerability for personal gain. When a black hat finds a new vulnerability which is yet undisclosed he can either keep it for himself and use it to gain access to systems he targets or sell it for a profit. In any case a vulnerability found by a black hat will be used and kept as low profile as possible in order to remain undetected for as long as possible. The value of these exploits remains as long as there is no fix for that vulnerability.
The biggest threat that such undiscovered exploits can cause is when they are used for a specific targeted goal like what happened to Google last week. Google was targeted by hackers. Various attacks originating from China were launched against Google and some other organizations. These attacks used a new, at the time unknown, exploit now called the Aurora Exploit. This exploit consisted of two parts. The actual exploit was hosted on a web server and a social engineering attack got the victim to actually visit the infected link. From Google’s analysis it seemed that the attack was targeted hoping to get access to the Gmail accounts of human rights activists in China.
The attack wasn’t targeted at Google itself alone but to at least another 20 organization in various industries, not just IT.
The vulnerability in question is a classic Buffer overflow that can be exploited to execute any code the attacker wishes. McAfee report that the version they saw downloaded the payload, an XORed Trojan disguised as a picture. Once downloaded the Trojan would be installed giving access of the compromised machine to the malicious attacker.
Every version of Internet Explorer since version 6 seems to be vulnerable to this attack except for Internet Explorer Version 8 provided DEP (Data Execution Prevention) is left Active.
Until a patch is issued by Microsoft people should either not use Internet Explorer for the time being or if that’s not an option upgrade to Internet Explorer version 8 and ensure DEP is enabled (technically it should be by default)
This attack was basically what every security professional most dreads. That is when a group of skilled hackers get their hands on a vulnerability that is as yet unpatched and use it in a targeted way to gain access to something specific. Keeping your systems up to date would not protect against something unknown such as this. Anti-viruses will, in most cases, not help before the malware is identified and definitions for it are distributed. So what can one do to protect an organization from such a scenario?
Education can help mitigate the social engineering element of this attack. However this will never be 100% effective as social engineering attacks can be quite sophisticated and seem genuine. Monitor access to your systems, have mechanisms in place that can inform an administrator when unauthorized or suspicious connections are taking place. Have monitoring software that regularly scans the network for any changes that might occur such as new open ports, new software installed, new users / groups or even new hardware that suddenly appears on a server or workstation. At the end of the day it might not always be possible to stop an intruder; however, if such an unfortunate event were to happen it is essential that monitoring mechanisms are in place that will advise the Administrator of the breach as soon as possible.
Finally an important aspect is to have a disaster recovery plan for an Intrusion / Trojan infection. Having such a plan available can significantly reduce down time as well as the time it will take to stop the intruder.