Presentation on theme: "By Hiranmayi Pai Neeraj Jain"— Presentation transcript:
1By Hiranmayi Pai Neeraj Jain Zero-day AttacksByHiranmayi PaiNeeraj Jain
2Table of Contents Introduction Evolution of Vulnerabilities and ThreatsPropagation of Zero-Day ThreatsCharacteristics of Zero-day attackDetecting a Zero-Day CompromisePrevention of Zero Day InfectionsConclusion
3Introduction What is a Zero-day attack? A zero-day or zero-hour attack or threat is an attack that exploits a previously unknown vulnerability in a computer applicationThe developer creates software containing an unknown vulnerability.The attacker finds the vulnerability before the developer does.The attacker writes and distributes an exploit while the vulnerability is not known to the developerThe developer becomes aware of the vulnerability and starts developing a fix.
4Evolution of Vulnerabilities and Threats In the past, IT security professionals, researchers and developers would publicly announce they found a vulnerability, primarily to motivate the vendor to release a patch.The average time to identify a vulnerability using reverse engineering techniques is only nine days from the time the patch is released.But, attackers are becoming more efficient, creative and faster at creating exploits these days.
5Propagation of Zero-Day Threats Example 1(Windows 2000 dll)The earliest known zero-day exploit was discovered in March 2003 when the military realized one of their web servers had been compromised. The exploit involved an unchecked buffer overflow in the Windows 2000 dynamic link library, Ntdll.dll
6Propagation of Zero-Day Threats Example 2 (Internet Explorer)In October 2003, a zero-day exploit known as the Qhosts Trojan surfaced. The exploit attacked the Internet Explorer Object Data Remote Execution vulnerability. The Trojan horse would automatically be downloaded and executed on an unsuspecting victim’s system only when specific code embedded in a banner ad was accessed with Internet Explorer.
7Propagation of Zero-Day Threats Example 3(Adobe Reader)Cybercriminals are using a new PDF exploit that bypasses the sandbox security features in Adobe Reader X and XI, in order to install banking malware on computers.The attack fails in Google Chrome because Chrome provides additional protection for the Adobe Reader component, while the attack is successful using IE or Firefox
8Propagation of Zero-Day Threats Example 4(Java Zero day )When a compromised page is accessed, it forces the system to download an arbitrary payload, for example, a keylogger or calc.exe, without requesting any prior confirmation.
9Propagation of Zero-Day Threats Example 5 (Internet Explorer)The attacks install the Poison Ivy backdoor Trojan when unsuspecting people browse a compromised website using a fully patched version of Windows XP running the latest versions of IE 7 or IE 8 and the Trojan hijacks the system.
10Propagation of Zero-Day Threats Example 6 (RSA) In March RSA revealed that their data related to their SecurID™ product was stolen. This stolen data was then used in further attacks against a number of military contractors. The attachment contained an embedded Flash file which exploited CVE in order to install a Backdoor program.Once the attackers had backdoor access they were able to install the PoisonIvy remote access tool in order to iterate through the network gathering credentials and eventually getting to the target machine which contained the sought-after data.
11Characteristics of zero-day attack The most dangerous and likely vector of propagation for zero-day threats is a blended threat.Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack.
12Characteristics of zero-day attack Causes harmPropagates by multiple methodsAttacks from multiple pointsSpreads without human interventionExploits vulnerabilities
13Detecting a Zero-Day Compromise Behavior-based systems (IDS and IPS) alertsAntivirus software alerts as a result of heuristic scanningUnusual events in the system log files (i.e. failed logons)Poor system performanceUnexplained system rebootsNetwork traffic on unexpected ports, especially on ports known to be backdoorports for known blended threats (i.e. MyDoom: TCP ports 3127 through 3198)Increased network traffic on a legitimate portIncreased scanning activityUnusual SMTP traffic, especially originating from systems that should not beusing SMTP
15Prevention of Zero Day Infections Border ProtectionSystem HardeningAntivirus SoftwarePatch ManagementVulnerability ManagementApplication HardeningBlocking AttachmentsHoneypots
16Conclusion Zero-day threats are only in the beginning stages. If the history of vulnerabilities and exploits is any indicator, zero-day threats will progressively get worse and present the biggest challenge to guard against.New technologies that actively protect against Zero-day threats need to be developed by vendors.