Guest editorial by Matthew Olney (Sourcefire)
So, let’s pretend you are Rob, Mr. Head of IT, sitting in your office on March 9th, working on your fantasy baseball draft (I hear Albert Pujols is the way to go…) when one of your staff walks in and says that Microsoft has another zero-day running around.
Internet Explorer 6 and 7 are vulnerable to a condition where an invalid pointer is accessed after an object has been deleted. Putting on your best manager hat, you ask the hard question: “OK, what do we know?”
She tells you that because you bought into the anti-Vista hype (in her head, she’s calling you a moron, but she doesn’t say it out loud; she isn’t crazy, just proud), there isn’t much that can be done currently. There were some mitigations provided, but they mainly involved Vista and Server 2003 and 2008. Now you know that your boss is going to be calling any moment, and here is what you know: something about an invalid pointer, the fact that it is “in the wild”, a CVE number and “Microsoft is working on it”. You probably shouldn’t tell him about the Vista part. The phone rings.
Let’s switch to the view of the attacker. Something that was incredibly valuable has suddenly moved to a very short timeline. The moment that exploit that you paid fifty large for gets patched, you’re toast. You can’t even trade it at this point, because that code is out there, and no one is going to pay you anything for released code that they can find themselves and easily rework. All you can do now is broaden your attacks and drop as many bots as possible so in the future you have some pivot points to launch your attacks. Maybe you’ll get lucky and hit somewhere that has some interesting information. Time to bust out the mass mailer. You love irony, so your subject line is “Information on Microsoft IE 0-day, please read.”
Security researchers everywhere are scrambling, and the ones that understand this process are starting to share information about the attack. The race is on to get enough information out so that organizations can protect themselves. Many of these researchers are working for “free”, knowing that getting their name out there on an issue like this is a great way to increase their employability going forward. Others are working for well-known research organizations such as Sourcefire and, in this case, importantly, a little firm named McAfee. In a blog post on the evening of March 9th they named a site that was associated with the attack: https://notes.topix21century.com.
Now this information, for those paying attention, is really important. I’m all for giving credit where good work is done, so kudos to McAfee for putting this information out. First, it provides researchers with a location where they can find the exploit. Secondly, it gives Rob something he can do. Now he can check the IP addresses associated with topix21century.com and block them at his firewall. Then he can watch his firewall logs and DNS logs for evidence that one of his hosts is trying to get to this site. Now he knows which hosts are owned, and he can begin the remediation process. He still doesn’t understand the attack, but he can take care of the first wave.
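What Rob’s first wave of triage looks like in practice, as an added example that is not part of the original post: it takes the indicator domain named above, a set of resolved IP addresses (the addresses below are constructed TEST-NET-3 placeholders, not the real ones), and a few constructed DNS and firewall log lines in a simplified key=value format assumed for the example, and returns the internal hosts that either looked the domain up or tried to connect to its addresses. It also emits iptables drop rules for the indicator addresses.

```python
"""Triage constructed DNS and firewall logs for hosts reaching a known-bad domain."""
import re

# Indicator domain named in the McAfee post. The resolved IPs are constructed
# placeholders from TEST-NET-3, not the real addresses of that host.
INDICATOR_DOMAIN = "topix21century.com"
INDICATOR_IPS = {"203.0.113.10", "203.0.113.11"}

# Constructed sample log lines (assumed simplified format for this example).
DNS_LOG = """\
2010-03-10T08:01:12 client=10.0.5.23 query=notes.topix21century.com type=A
2010-03-10T08:01:20 client=10.0.5.40 query=www.example.com type=A
2010-03-10T08:02:02 client=10.0.7.9 query=NOTES.TOPIX21CENTURY.COM. type=A
2010-03-10T08:03:15 client=10.0.5.40 query=topix21century.com.evil.example type=A
"""

FW_LOG = """\
2010-03-10T08:01:13 action=DENY src=10.0.5.23 dst=203.0.113.10 dport=443
2010-03-10T08:01:30 action=ALLOW src=10.0.5.40 dst=198.51.100.7 dport=80
2010-03-10T08:04:44 action=DENY src=10.0.9.77 dst=203.0.113.11 dport=80
"""

DNS_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<name>\S+)")
FW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def domain_matches(name, indicator=INDICATOR_DOMAIN):
    """True when the queried name is the indicator domain or a subdomain of it.

    Normalises case and a trailing dot, and uses a label boundary so that
    a look-alike such as topix21century.com.evil.example does not match.
    """
    name = name.rstrip(".").lower()
    return name == indicator or name.endswith("." + indicator)


def suspect_hosts(dns_log, fw_log):
    """Map each internal host that touched the indicator to its evidence lines."""
    evidence = {}
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and domain_matches(m.group("name")):
            evidence.setdefault(m.group("client"), []).append(line)
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m.group("dst") in INDICATOR_IPS:
            evidence.setdefault(m.group("src"), []).append(line)
    return evidence


def block_rules(ips=INDICATOR_IPS):
    """Outbound iptables drop rules for the indicator addresses."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    for rule in block_rules():
        print(rule)
    for host, lines in sorted(suspect_hosts(DNS_LOG, FW_LOG).items()):
        print(f"{host}: {len(lines)} hit(s)")
        for line in lines:
            print("   ", line)
```

A host that shows up in the DNS log but never in the firewall log still counts: the lookup itself is the evidence, and a firewall that only logs denies will miss connections made before the block rule went in.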
By the time Rob gets into work the next day, someone named Moshe Ben Abu is suddenly really important. Overnight he had created a Metasploit module that generated the attack, less than 24 hours after the Microsoft announcement went up. (Note and additional kudos to Moshe Ben Abu: he has contributed 10 exploits to the Metasploit package in the last 3 years.) Now Rob had two new things to work with. One, he had a known attack that he could use to test his detection strategy, and, more importantly, his hot-shot security staff could look at the Metasploit module and figure out what that detection strategy is going to be.
Metasploit modules typically are very clean, and even a moderately talented security person can pull out the strings that are important to look for. In this case, “setAttribute('s',window)” and “#{j_object}.addBehavior('#default#userData');” look interesting. Now they have all the information they need to configure their detection systems, whatever they are, to detect the attack. This time, when the phone rings, Rob is ready.
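How those two strings become a content signature, as an added example that is not part of the original post and not Sourcefire’s or anyone’s shipping rule: each string is turned into a pattern that tolerates the variations a module author leaves open (the `#{j_object}` placeholder is a Ruby-interpolated, typically randomized variable name, so the object name is not matched; quote style and whitespace are allowed to vary), and an HTTP response body is classified by how many of the patterns hit. The sample bodies are constructed for the example and contain only the indicator strings, not the exploit.

```python
"""Content-match the two strings pulled from the Metasploit module against HTTP bodies."""
import re

# Patterns derived from the two strings in the module. The object name in front
# of addBehavior is deliberately not matched, since it is generated per run.
SIGNATURES = {
    "setAttribute_s_window": re.compile(
        r"setAttribute\(\s*['\"]s['\"]\s*,\s*window\s*\)", re.IGNORECASE),
    "addBehavior_userData": re.compile(
        r"addBehavior\(\s*['\"]#default#userData['\"]\s*\)", re.IGNORECASE),
}


def scan_body(body):
    """Return the names of the signatures that match a response body."""
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(body))


def classify(body):
    """alert when both strings appear, suspicious on one, clean on none.

    addBehavior('#default#userData') on its own is a legitimate IE feature
    (client-side persistence), so a single hit is only worth a closer look.
    """
    hits = scan_body(body)
    if len(hits) == len(SIGNATURES):
        return "alert"
    return "suspicious" if hits else "clean"


def scan_responses(responses):
    """Classify a list of (url, content_type, body) tuples, skipping non-HTML.

    Non-HTML bodies are skipped rather than scanned because binary content
    produces false hits and is not what this signature is about.
    """
    results = []
    for url, content_type, body in responses:
        if not content_type.lower().startswith("text/html"):
            continue
        results.append((url, classify(body)))
    return results


# Constructed sample responses: indicator strings only, with a randomized
# object name and mixed quoting in the first one.
SAMPLE_RESPONSES = [
    ("http://bad.example/index.html", "text/html",
     "<script>var xq7 = document.createElement('div');\n"
     "xq7.setAttribute(\"s\", window);\n"
     "xq7.addBehavior( '#default#userData' );</script>"),
    ("http://intranet.example/prefs.html", "text/html; charset=utf-8",
     "<script>prefs.addBehavior('#default#userData'); prefs.save('x');</script>"),
    ("http://www.example/", "text/html",
     "<html><body><p>Nothing to see here.</p></body></html>"),
    ("http://cdn.example/logo.png", "image/png", "setAttribute('s',window)"),
]

if __name__ == "__main__":
    for url, verdict in scan_responses(SAMPLE_RESPONSES):
        print(f"{verdict:10s} {url}")
```

A signature like this is only as good as the strings it was cut from: splitting or encoding the strings in the page defeats it, which is exactly why having the module in hand, to run against the sensor and confirm the rule still fires, matters as much as reading it.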
For many, many security shops, which don’t have commercial data feeds, haven’t had the opportunity to find their way to the numerous “back channel” IRC channels and mailing lists, and don’t have the budget for a multitude of “APT-KILLING” solutions, this is the way (hopefully) that these two days played out. This isn’t the only time this timeline has occurred either. Metasploit had exploits for Microsoft’s Aurora and Adobe’s JBIG2, media_newplayer and utilprintf before there was a patch. Yet there was some degree of backlash against McAfee because initial reports had Mr. Abu gleaning technical details from McAfee’s site to generate his exploit. As it turns out, he did the research himself based on the link above. There is also (always) grumbling when Metasploit puts out a module, even when it affects things that have long had a patch.
Unfortunately, this situation led to McAfee making the following declaration:
“McAfee Labs does not support the release of exploit code, particularly in advance of a security patch being made available. We regularly sanitize blog content to prevent providing information that might assist attackers, while at the same time providing a service to customers and the security community to help improve protection levels…Future blog posts will be subject to additional sanitization.”
So here is the new debate…shops like Sourcefire and McAfee have the resources to hire some very intelligent, very talented people to do their work for them. Yet McAfee has made the decision that it will further limit information from their blog so that exploits cannot be developed. This is, unfortunately, purely a PR move. The people who use these exploits have no need for the Metasploit module. This isn’t to say they wouldn’t use that code if they had it available, using widely published code instead of custom built code obfuscates who created the exploit. But if it weren’t available they would still have access to the code, either through back channel sharing or their own reverse engineering. Let’s not pretend these guys don’t have talent. This decision does nothing but save face for McAfee and reduce the information that security shops have to work with. I guess that’s a business decision; hopefully they just said that to make people go away and they’ll do what they want going forward.