IDS mailing list archives

Re: Single Stage Attacks?


From: "Stuart Staniford" <sstaniford () FireEye com>
Date: Wed, 20 May 2009 09:47:38 -0700

Most attacks at the moment are server -> client, rather than client -> server (the wide deployment of firewalls, packet filtering rules, network segmentation has rendered the latter unprofitable). The typical sequence is the victim stumbles onto a malicious webpage (often an ad) and then is taken via a chain of iframes or similar to an exploit server which delivers the exploit (currently the vast bulk of attacks on the wire are via malicious PDF and secondarily SWF - Adobe is it apparently). The exploit shellcode then goes and fetches a dropper executable, which may in turn fetch more. Then there is generally some kind of callback protocol for command and control of the bot according to whatever the business model of the campaign is.

In targeted attacks, this scenario may be preceded by tempting emails etc., to get a particular victim to go to a designated attack point (rather than just culling random victims from the herd).

I have seen recent attacks as simple as a single bad PDF or SWF with no precursor at all other than the normal operation of the ad delivery ecosystem, and then the download of a single exe and no immediate callback.

I have not seen a recent example in the wild in which the payload was integrated into the exploit shellcode (there's obviously no real barrier to doing this other than administrative convenience for the attackers).

Stuart Staniford
Chief Scientist, FireEye

On May 16, 2009, at 11:39 PM, snort user wrote:

Greetings All,

Typically, network based attacks have multiple stages.
(reconnaissance, infection, download rootkit, call home, further infection etc)

Some attacks may have a single stage (without reconnaissance) to
compromise a host.
However, even those attacks have a post-compromise stage, such as call home
or transfer/steal data or something else.
Otherwise, what's the motivation for compromising in the first place?

Can someone enlighten me if there are attacks that only have a single stage?
Examples or scenarios are much appreciated.


Thanks



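The chain Staniford describes (landing page or ad, one or more redirect hops, an exploit server handing out a PDF or SWF, shellcode fetching a dropper executable, then callbacks) is also the shape a proxy-log detector can look for, including the "one document, one exe, no callback" variant he mentions. The following is an added example and is not code from either poster: it runs over constructed proxy log lines in a simplified, made-up format (timestamp, client, method, URL, status, content type, referer) and flags a client when an exploit-type document arrives through a cross-host referer chain and an executable download follows within a short window, then counts any later requests to hosts outside that browsing chain as candidate callbacks. The content-type sets, the 120-second window and the callback heuristic are assumptions chosen for illustration, not rules stated in the thread.

```python
"""Flag drive-by download chains in web-proxy logs (added example, not from the thread).

Assumed simplified log format, one request per line:
    <epoch> <client_ip> <method> <url> <status> <content_type> <referer|->
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed classification of response types; tune to your environment.
EXPLOIT_TYPES = {"application/pdf", "application/x-shockwave-flash"}
DROPPER_TYPES = {"application/x-msdownload", "application/x-dosexec",
                 "application/octet-stream"}
WINDOW = 120  # seconds allowed between exploit delivery and dropper fetch (assumption)

# Constructed sample log: 10.0.0.5 is a full chain with callbacks, 10.0.0.7 is benign
# intranet browsing, 10.0.0.9 is the "one SWF, one exe, no callback" variant.
SAMPLE_LOG = """\
1242841200 10.0.0.5 GET http://news.example.com/story.html 200 text/html -
1242841201 10.0.0.5 GET http://ads.example.net/banner.js 200 text/javascript http://news.example.com/story.html
1242841202 10.0.0.5 GET http://cdn-redirector.example.org/f.php 200 text/html http://ads.example.net/banner.js
1242841203 10.0.0.5 GET http://exploit.example.biz/doc.pdf 200 application/pdf http://cdn-redirector.example.org/f.php
1242841206 10.0.0.5 GET http://exploit.example.biz/load.exe 200 application/x-msdownload -
1242841266 10.0.0.5 POST http://c2.example.biz/gate.php 200 text/html -
1242841326 10.0.0.5 POST http://c2.example.biz/gate.php 200 text/html -
1242841200 10.0.0.7 GET http://intranet.example.com/report.pdf 200 application/pdf http://intranet.example.com/index.html
1242841300 10.0.0.9 GET http://ads.example.net/banner.swf 200 application/x-shockwave-flash http://blog.example.com/
1242841305 10.0.0.9 GET http://drop.example.biz/a.exe 200 application/octet-stream -
"""


def parse(log_text):
    """Turn log lines into event dicts; a Referer field of '-' means none."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split()
        events.append({"ts": int(ts), "client": client, "method": method, "url": url,
                       "status": int(status), "ctype": ctype.split(";")[0].lower(),
                       "referer": None if referer == "-" else referer})
    return events


def host(url):
    return urlparse(url).hostname or ""


def referer_chain(event, by_url):
    """Walk Referer headers back to the landing page.

    Returns the distinct hosts traversed, landing page first, exploit host last.
    A direct fetch or a same-host referer yields a one-element chain.
    """
    hosts = [host(event["url"])]
    cur, seen = event, set()
    while cur["referer"] and cur["referer"] not in seen:
        seen.add(cur["referer"])
        h = host(cur["referer"])
        if h not in hosts:
            hosts.insert(0, h)
        cur = by_url.get(cur["referer"])
        if cur is None:  # the referer was never fetched through this proxy
            break
    return hosts


def detect_driveby_chains(events):
    """Return {client: finding} for clients showing the exploit -> dropper sequence."""
    per_client = defaultdict(list)
    for ev in events:
        per_client[ev["client"]].append(ev)

    findings = {}
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        by_url = {}
        for e in evs:
            by_url.setdefault(e["url"], e)  # first fetch of each URL
        for i, ev in enumerate(evs):
            if ev["status"] != 200 or ev["ctype"] not in EXPLOIT_TYPES:
                continue
            chain = referer_chain(ev, by_url)
            # A PDF/SWF typed in directly or linked from its own site is ordinary
            # browsing; arriving through a cross-host referer chain is the drive-by shape.
            if len(chain) < 2:
                continue
            dropper = next((d for d in evs[i + 1:]
                            if d["ctype"] in DROPPER_TYPES and d["ts"] - ev["ts"] <= WINDOW), None)
            if dropper is None:
                continue
            # Heuristic (assumption): post-dropper requests to hosts outside the browsing
            # chain are candidate command-and-control callbacks.
            callbacks = [c for c in evs if c["ts"] > dropper["ts"] and host(c["url"]) not in chain]
            findings[client] = {
                "landing": chain[0],
                "redirect_hosts": chain[1:-1],
                "exploit_url": ev["url"],
                "exploit_type": ev["ctype"],
                "dropper_url": dropper["url"],
                "callback_count": len(callbacks),
                "callback_hosts": sorted({host(c["url"]) for c in callbacks}),
            }
            break  # one chain per client is enough to raise an alert
    return findings


if __name__ == "__main__":
    for client, finding in detect_driveby_chains(parse(SAMPLE_LOG)).items():
        print(client, finding)
```

On the sample data the intranet PDF on 10.0.0.7 is not reported because its referer stays on the same host and no executable follows, while 10.0.0.9 is reported with a callback count of zero, which is exactly the no-immediate-callback case the reply describes and the reason a detector should not require the callback stage before alerting.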




