Taking apart a double zero-day sample discovered in joint hunt with ESET (opens in new tab)

(cloudblogs.microsoft.com)

67 pointsChris9117y ago8 comments

8 comments

Just looking at the list of steps that needs to happen for these modern exploits is mind blowing for a layman. Can any expert comment on how easy/hard it is to find such exploits. How much of it is skill and how much luck. How does one come up with them. Is it primarily based off knowledge (which is essential ofcourse) or more some people have an intuitive knack for it.

mcpherrinm7y ago

There are two parts here: an exploit for Adobe Reader, and a local privilege escalation for Windows.

The Adobe one is a standard memory safety bug. This is the kind of thing you can find with fuzzers pretty easily, or by examining file formats for potential overflows. The exploitation techniques here are using ROP chains to get execution to shellcode from a JavaScript heap-sprayed shellcode. Both are widely used techniques, and there are tools to assist exploit writers in finding and using ROP gadgets.

I don't know Windows as well, so I can't speak to the second exploit.

3pt141597y ago

There is an offensive security conference called Infiltrate that has videos floating around that you can find online. Finding 0days in constantly attacked stuff like Windows is getting harder, but the tools these guys are building are getting more complex / interesting. I'd say the bar is higher, but it's still not hard to do and some lesser known platforms like QNX are straight easy if you have some time.

Much like, say, JavaScript development the tooling and instruction is of a much higher quality and much more diffuse. If you're smart and you put in a couple of years you can do it too, and some of these vulns fetch millions, though they're frequently blown on pwn2own contests or otherwise responsibly disclosed. I suspect that that is going to change over the next couple years as every major government amps their cyberwarfare / int budgets.

parliament327y ago

Virustotal has been well known for a while now as a honeypot for catching new strains of malware and zero-days. Chances are it was uploaded by an unknowing "customer" of a malware author.

juliusmusseau7y ago

I don't understand how VirusTotal was able to catch this. I suspect the malware author uploaded it because they wanted to ensure it appeared clean to all malware detectors - VirusTotal is a great way to test that!

It seems VirusTotal is a tool for running 70 anti-virus products at once against the same file. How can VirusTotal catch freshly developed malwares? How would VirusTotal even suspect that an uploaded file was fresh malware? That doesn't make sense to me.

agnsaft7y ago

VT is more than just the antivirus engines. If you subscribe (expensive!) you can actively hunt for malware using Yara-rules and a powerful search engine. if you know some patterns in malware you are tracking, you can add Yara rules that will run each time a file is uploaded and will notify you of any matches.

Lets assume you know a threat actor always uses the same variable names during heap sprays, you can discover new malware from this threat actor with a Yara rule to look for this pattern.

2 more replies

j / k navigate · click thread line to collapse