An Overview of Three Zero-Days

Affected product: Adobe Flash Player

  • Defining the concepts
  • Technical details
  • Analysis & impact
  • RTB & Malvertising
  • When patching is not enough
  • Practical solutions
  • Conclusion

Defining the concepts

  • A Vulnerability is a bug in an application (or operating system) that might be used by someone to execute unauthorized code on a machine.
  • An Exploit is a piece of code that triggers the vulnerability and executes a malicious action (payload) inside the vulnerable application (or operating system) without the knowledge of the attacked user.
  • A Zero-Day attack is an exploit for an unpatched vulnerability (no patch available), through which even the most up-to-date system could get infected.

Technical Details

CVE ID                CVE-2015-0310     CVE-2015-0311     CVE-2015-0313
Flash Player version  Flash 15.0.0.242  Flash 16.0.0.257  Flash 16.0.0.296
Exploit Kit           Angler EK         Angler EK         HanJuan EK
Date discovered       01/16/15          01/21/15          02/02/15
In the wild since*    01/16/15          01/21/15          12/10/14
Discovered by         Kafeine           Kafeine           TrendMicro
Patched               01/22/15          01/24/15          02/05/15

* This is an estimate based on the data available

Analysis & impact

All three zero-days were found in non-targeted attacks distributed via exploit kits, with malvertising being one of the primary infection vectors. Malicious ads placed on popular websites (DailyMotion, The Huffington Post, Answers.com, etc.) were responsible for exposing millions of visitors to these zero-days.


Consumers and businesses even running the latest versions of Internet Explorer or Firefox and the Flash Player were susceptible to becoming immediately infected (provided they had no other security solution that blocked the attack and malware).

One of the zero-days (CVE-2015-0313) was active in the wild for almost two months, an unprecedented length of time for such a wide malvertising campaign.


Figure 1: Timeline of a zero-day via a malvertising campaign

RTB & Malvertising

For the CVE-2015-0313 campaign, cyber-criminals paid an average of $0.75 CPM (the cost per 1000 pre-qualified users exposed to the infected adverts). However, this dropped to as low as $0.06 CPM during less trafficked times of day and on lesser-known websites.

This nefarious use of the online ad industry is facilitated by a mechanism known as real-time bidding (RTB). RTB allows advertisers to bid in real time for specific targets (based on age, geolocation, device type, etc.) and display creatives (the adverts) only to these users.

This is not only cost-efficient (you only pay for the auctions you win) but also very effective, because rogue advertisers can leverage the power of ad networks to weed out non-genuine users or those that should not be targeted by exploits (i.e. non-Windows operating systems).


When patching is not enough

Exploit kit authors leverage the most popular software vulnerabilities to build the most effective tool they can. For years they simply reused older flaws which could be dealt with by patching on a regular basis.

In the past year, this position has changed: new vulnerabilities are found and weaponized at a much faster rate. Combine this trend with the fact that rolling out patches requires time and testing for businesses and you see the issue: a window of opportunity to exploit systems emerges.

Practical solutions

While keeping systems up to date remains one of the most important pieces of advice against exploits, zero-days make it completely irrelevant.

The threat landscape is evolving at a rapid pace and cyber criminals are getting better, not simply reusing old code and vulnerabilities but finding new ones of their own. This is a game changer because there is a lack of awareness on zero-day threats and most businesses or consumers aren’t properly equipped to deal with them.

Most of the current solutions at the gateway or end-point are reactive and based on signatures. As we have seen time and time again, this approach is ineffective against brand new exploits and malware.

Introducing Anti-Exploit technology

Anti-Exploit technology bridges the gap between vulnerabilities (known and unknown) and malware infections by mitigating exploits. Malwarebytes Anti-Exploit uses a combination of an enforcement layer and protection layers to block exploits.

The enforcement layer makes sure that DEP and ASLR are active on x64 systems and also adds an anti-heap-spraying (memory exploitation) technique. The protection layers monitor for techniques that bypass operating system protections, for malicious API calls, and for unintended application behaviors.

Layer 0: Enforcement layer: set DEP on, anti-heap spraying, bottom-up ASLR.

Layer 1: Stop OS protection bypassing techniques (ROP, stack pivoting…).

Layer 2: Stop malicious Windows API calls.

Layer 3: Stop malicious behavior of an application based on its family (Office, web browser, multimedia, PDF…).

Figure 2: Malwarebytes Anti-Exploit protection layers
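Layer 0 exists because DEP and ASLR are, by default, opt-in per binary: a Windows PE image advertises them through flag bits in the DllCharacteristics field of its optional header, and an enforcement layer forces them on for binaries that never opted in. The check below (an added example, not Malwarebytes or Adobe code) parses that field; it runs against a constructed stub header rather than a real binary, and the helper names are assumptions.

```python
import struct

# Flag bits of the PE optional header's DllCharacteristics field.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in


def pe_mitigations(data: bytes) -> dict:
    """Report which DEP/ASLR opt-in flags a PE image carries.

    Raises ValueError when the bytes are not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Optional header follows the 4-byte signature and 20-byte COFF header.
    opt = e_lfanew + 4 + 20
    if len(data) < opt + 0x48:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 0x46 in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]
    return {
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_stub_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed, minimal PE header (not a runnable executable) for testing."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 4 + 20 + 0xF0)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", hdr, opt + 0x46, dll_chars)
    return bytes(hdr)


if __name__ == "__main__":
    for name, flags in (("hardened", 0x0160), ("legacy", 0x0000)):
        print(name, pe_mitigations(build_stub_pe(flags)))
```

Running it on a real plugin or browser DLL (read the file's bytes and pass them to pe_mitigations) tells you which binaries rely on an enforcement layer rather than their own header flags.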

Malwarebytes Anti-Exploit stopped CVE-2015-0313 two months before it was patched and, thanks to its proactive approach, also neutralized both CVE-2015-0310 and CVE-2015-0311.

Conclusion

While one could have foreseen Flash zero-days for the year 2015 (given Flash's recent shift to being the most desirable plugin to exploit), witnessing three zero-days used in large-scale attacks so close to one another was a unique situation.

To face this new reality, businesses and consumers must adapt as well by adopting new tools to safeguard their assets. This is especially important with the kind of malware that is dropped by exploit kits, and in particular ransomware.

Companies can literally be crippled by such malware, lose customers and in some cases put their business in jeopardy.

On top of drive-by download attacks exploiting flaws, businesses should be aware of the ever-present social engineering tactics where employees are tricked into downloading malware.

This is one of the reasons why a layered approach to security works best because some threats come from software flaws while others from humans.
