Dailydave mailing list archives

Re: The strategic difference of 0day


From: Andre Gironda <andreg () gmail com>
Date: Wed, 15 Jun 2011 10:06:50 -0700

On Tue, Jun 14, 2011 at 8:31 PM, Rafal Los <rafal () ishackingyou com> wrote:
> Maybe I'm just living too closely to this world but, Dave you already answered your own question. Why slave over nOP
> sleds and guessing at just the right memory addresses and hoping a system doesn't crash when you can walk right in
> through the web app and take what you want, or worse, implant yourself

Your capabilities of pivoting may be slightly different from the
client-side than from the server-side. The Internet-facing web
application layer will be closed out soon -- perhaps simply because
the exploits are not under the radar.

0day (i.e. anything ROP based or at least in that category of "win")
is under the radar.

> I think organizations have "figured out" how to lock down ports after nearly three decades of security people
> preaching, and since there are much easier ways in...well hell why bother?

I see many blurring lines between CNA and CNE, and these lines are increasing.

In the case of these popular SQLi/RFI/webapp-remotes, these are
typically CNA. The "attack" is on the character, political views, or
"social-capital" of an organization. It's typically short-lived: like
a jab instead of an upper-cut. It really amounts to a DoS/DDoS just
like regular CNA (e.g. the 2007 cyberattacks on Estonia). When SYN
attacks, DNS SOA or other reflected/amplification attacks, or HTTP
starvation attacks occur, CNA is typically a direct attack on the
infrastructure-capital. SQLi utilized in Longcat style attacks, aka
ADoS "Application DoS" does blur the lines a little here. Most CNA
attacks cause an enemy/target to "lose face", become demoralized, and
fear future retribution. It may sometimes cost the source just as much
money as the target, which is why the attacks are typically not
sustained.

On the other hand, ROP/0-day/client-remotes are typically CNE. CNE is
usually individual-capital focused, as in the case of
ZeuS/SpyEye/banking-trojans. However, it can also become
intellectual-capital focused as in the case of Aurora. Either way,
these are surveillance programs that are often the result of heavy
intelligence, counter-intelligence, and reconnaissance work (i.e.
social engineering).

There are SQLi/RFI botnets just like there are client-side malware
infected botnets, however the SQLi/RFI kind are not as common or
dominant yet. SQLi/RFI/webapp-remotes are typically not "sustained"
exposures. If the goal is to get data -- typically it's a "get in and
get out" op, which typically results in the degradation of that data.
CNE operations are focused on long-term, sustained access.

Stuxnet is sort of an anomaly because it was a botnet used to
demoralize the enemy. It wasn't obfuscated (i.e. it did not use
self-modifying or self-integrity-checking code and was successfully
reverse engineered), nor did it even try. It's almost as if it wanted
to be caught.

> So in the end I believe the answer is a mixture of risk/reward shift from attacking services and towards readily open
> applications, and some combination of "black hats keeping their cool 0day secret", too many script kids, and apathy.

There is no shift going on. Client-side is "elite" because of its
unique characteristics and perspective. It's difficult to code a
weaponized 0-day exploit. A SQLi, on the other hand, takes 1-2 days
tops to exploit, and that's if it's time-based blind over
high-latency, high-jitter (i.e. constantly changing latency) networks.
Most adversaries are looking for multiple statement queries, not just
because they are faster than blind techniques, but also because they
are easier to exploit for file operations so as to gain shell access.

Attacking services is interesting from the inside of the network, like
Robert Lemos said: "inside the firewall". I'll additionally add "under
the radar" because remotes against IIS and Apache are a little too
obvious. What you'll find in Canvas is an over-focus on exploits for
Enterprise applications. What's more useful for someone trying to stay
under the radar: a remote-0day on Apache, or a remote-0day on
Perforce? Apache might be monitored with all sorts of security
technology such as IDS, IPS, WAF -- but also marketing technologies
such as AWStats, webalizer, or Webtrends.

We're just going to see more attacks of all types. They'll be used in
coordination together, and hit the business process of the target
organizations with everything they've got.

-Andre
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
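The post contrasts time-based blind SQLi (many requests, each timed against a jittery network) with stacked "multiple statement" queries, and notes that an Apache front end is usually watched by IDS/IPS/WAF and log analysers. The following is an added example, not code from the original post or from the list: a small log scanner that reads Apache combined-format access-log lines with `%D` (microseconds to serve the request) appended, flags requests whose query string carries a database delay function or a second statement, and confirms the delay case against the observed service time. The log lines, the `/item.php` path, the 2 s threshold and all addresses are constructed for this example.

```python
"""Flag time-based blind and stacked-query SQLi probes in Apache access logs.

Added example, not from the original post. Assumes Apache's combined log
format with %D appended, and that the injection lands in the query string.
The sample lines, addresses and paths below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_plus, urlsplit

# Constructed sample: one benign request, two delay probes that the database
# actually honoured, one delay probe answered quickly (a 403 from a WAF),
# another benign request, and one stacked-query probe.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2011:10:01:02 -0700] "GET /item.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 18342
203.0.113.7 - - [15/Jun/2011:10:01:05 -0700] "GET /item.php?id=42%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5021877
203.0.113.7 - - [15/Jun/2011:10:01:11 -0700] "GET /item.php?id=42%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5019650
203.0.113.7 - - [15/Jun/2011:10:01:17 -0700] "GET /item.php?id=42%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 403 199 "-" "Mozilla/5.0" 1203
198.51.100.9 - - [15/Jun/2011:10:02:30 -0700] "GET /item.php?id=7 HTTP/1.1" 200 4870 "-" "curl/7.21" 15002
198.51.100.9 - - [15/Jun/2011:10:02:33 -0700] "GET /item.php?id=7%3BSELECT%201 HTTP/1.1" 500 312 "-" "curl/7.21" 20111
"""

# Combined log format plus a trailing %D field (microseconds).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)

# Database functions that stall a query for a chosen duration. A request that
# carries one of these AND took about that long to serve is the strongest
# single-line signal; the keyword alone may be a blocked or harmless probe.
TIME_DELAY_RE = re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)
# A second statement after ';' is the "multiple statement query" case.
STACKED_RE = re.compile(r";\s*(?:select|insert|update|delete|drop|exec|declare)\b", re.I)

DELAY_THRESHOLD_US = 2_000_000  # 2 s; tune against the site's normal %D distribution


@dataclass
class Finding:
    ip: str
    path: str
    reason: str
    service_us: int


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into named fields, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[str]:
    """Return a reason string if the record looks like a SQLi probe, else None."""
    query = unquote_plus(urlsplit(rec["path"]).query)  # decode %27, %20, %3B ...
    usec = int(rec["usec"])
    if STACKED_RE.search(query):
        return "stacked-query"
    if TIME_DELAY_RE.search(query):
        if usec >= DELAY_THRESHOLD_US:
            return "time-based-blind:delay-observed"
        return "time-based-blind:delay-not-observed"
    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every parseable line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ip"], rec["path"], reason, int(rec["usec"])))
    return findings


def per_source_counts(findings: List[Finding]) -> Counter:
    """Time-based blind extraction needs many requests from one host, so the
    count per source address is the figure worth alerting on, not a single hit."""
    return Counter(f.ip for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ip} {f.reason} ({f.service_us / 1e6:.2f}s) {f.path}")
    print(per_source_counts(hits))
```

Two design points follow from the post. Because blind extraction costs the attacker a request per bit or character, the per-source count of delay-confirmed hits over time is a better alerting signal than any one line, and a delay keyword with no matching service time is worth keeping as a lower-severity record of a probe that the WAF or the application absorbed. The `%D` confirmation is what separates this from a plain keyword match: it tells you the database actually executed the injected function.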