Dailydave mailing list archives

Re: We got owned by the Chinese and didn't even get a "lessons learned"


From: Nicolas RUFF <nruff () security-labs org>
Date: Thu, 25 May 2006 11:38:26 +0200

Oh, come on! And what if the malware exploits some kernel bug (we all
have seen several such bugs last year, haven't we)? Obviously running as
a low-privilege user will not help in this case (although it's a very good
idea indeed).

Of course there is always the possibility of a targeted, 0day, kernel
attack through email (BTW, I'm eager to see the first one).

My point was that attackers:
- were able to reverse MSO.DLL (wow :)
- were able to find a reliably exploitable flaw in there
- made a "stealth" shellcode, silently repairing the Word document
- started a targeted attack, using legible document names and email
addresses

... and they used "c:\~.exe" instead of "%TEMP%\~.exe" at the end.

Chinese stuff breaks too easily :)

As a colleague pointed out, the best HIPS ever should restrict
program execution to "%ProgramFiles%" and "%SystemRoot%" (excluding
"%temp%" and "%tmp%" maybe). Combined with a low-privilege user, I don't
think any existing spyware/malware/otherware would execute flawlessly
with such restrictions.

Regards,
- Nicolas RUFF
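
The execution-restriction policy sketched in the post, modelled as an added example (not code from the post or from any HIPS product): executables are allowed only under %ProgramFiles% and %SystemRoot%, with %TEMP% and %TMP% denied, and the deny list wins. The environment values, the sample paths and the helper names (expand, canonical, is_under, execution_allowed, evaluate) are all constructed for the example; the detail worth seeing is that the policy has to canonicalise paths first, otherwise "C:\Program Files\..\~.exe" looks like it lives under an allowed root, and "C:\Program Files2\" matches a naive prefix test.

```python
"""
Model of a path-based execution allowlist of the kind described in the post:
run only from %ProgramFiles% and %SystemRoot%, never from %TEMP% or %TMP%.
Environment values and candidate paths below are constructed for the example;
a real policy engine would read the machine's own values and enforce the
decision at the kernel's image-load hook, not in user mode.
"""
import ntpath

# Constructed environment (hypothetical values, not read from a real host).
ENV = {
    "ProgramFiles": r"C:\Program Files",
    "SystemRoot": r"C:\Windows",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "TMP": r"C:\Users\alice\AppData\Local\Temp",
}

ALLOW_VARS = ("ProgramFiles", "SystemRoot")
DENY_VARS = ("TEMP", "TMP")


def expand(path: str, env: dict) -> str:
    """Expand %VAR% references from `env`; variable names are case-insensitive."""
    lower = {k.lower(): v for k, v in env.items()}
    out, i = [], 0
    while i < len(path):
        if path[i] == "%":
            j = path.find("%", i + 1)
            if j > i and path[i + 1:j].lower() in lower:
                out.append(lower[path[i + 1:j].lower()])
                i = j + 1
                continue
        out.append(path[i])
        i += 1
    return "".join(out)


def canonical(path: str, env: dict) -> str:
    """Expand variables, collapse '.' and '..', and unify separators and case.

    Without this step 'C:\\Program Files\\..\\~.exe' would appear to sit inside
    %ProgramFiles% although it resolves to the drive root (the post's c:\\~.exe).
    """
    return ntpath.normcase(ntpath.normpath(expand(path, env)))


def is_under(path: str, root: str) -> bool:
    """True when `path` equals `root` or lies beneath it (both already canonical).

    The separator is appended to the root so that 'C:\\Program Files2' is not
    mistaken for a child of 'C:\\Program Files'.
    """
    root = root.rstrip("\\")
    return path == root or path.startswith(root + "\\")


def execution_allowed(path: str, env: dict = ENV) -> bool:
    """Apply the policy: a matching deny root refuses, then some allow root must match."""
    target = canonical(path, env)
    for var in DENY_VARS:
        if var in env and is_under(target, canonical(env[var], env)):
            return False
    return any(var in env and is_under(target, canonical(env[var], env))
               for var in ALLOW_VARS)


def evaluate(paths, env: dict = ENV) -> dict:
    """Return {original path: decision} for a batch of candidate executables."""
    return {p: execution_allowed(p, env) for p in paths}


if __name__ == "__main__":
    samples = [  # constructed candidates
        r"c:\~.exe",                                      # drive root, as in the post
        r"%TEMP%\~.exe",                                  # user temp directory
        r"C:\Program Files\Microsoft Office\WINWORD.EXE",
        r"C:\PROGRAM FILES\..\~.exe",                     # traversal out of an allowed root
        r"C:\Windows\System32\notepad.exe",
        r"C:\Program Files2\evil.exe",                    # prefix lookalike
    ]
    for p, ok in evaluate(samples).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {p}")
```

Two caveats a practitioner would add to the post's suggestion: the check must be done on the canonical path the loader actually opens (symbolic links, junctions and 8.3 short names all need resolving before the prefix test, which this model does not attempt), and a path allowlist says nothing about the contents of the allowed directories, so it complements rather than replaces a low-privilege account and patching.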

