
Inside Cyber Warfare - Jeffrey Carr [91]

every department and every enterprise. Instead, these agencies must determine the high-priority targets in both arenas and focus on hardening those systems, while requiring 24/7 monitoring of individual networks.

Targeted Attacks Against Military Brass and Government Executives


Attacks against military brass and government executives make for great news stories. Media outlets will often report that “machines have been compromised” and “data has been stolen” but provide few details as to how the attacks were carried out. This section discusses the means by which targeted attacks are executed. The attack described here is based on actual attacks that have occurred. Several technical details have been changed, but the major characteristics of the attacks are intact.

Research is the key to offensive capabilities


Sophisticated, targeted attacks begin with research. A tremendous amount of time, money, and human brain power is dedicated to finding new vulnerabilities in widely used software such as Microsoft Word, Internet Explorer, Mozilla Firefox, and even the most widely used operating system in the world, Microsoft Windows. When a new vulnerability is discovered, the discovering organization gains an advantage: it has a weapon that doesn’t have a specific defense, and the defender has zero knowledge that the exploit exists. These vulnerabilities are known as “0day” (pronounced “zero day” or sometimes “oh-day”) vulnerabilities. These 0day vulnerabilities are the “tip of the spear” in the offensive cyber world. These attacks result in a tremendous amount of damage, and the victim seldom realizes they’ve been compromised. DDoS attacks gain a lot of media attention because they are noisy and easy to detect, but targeted 0day attacks with custom attack payloads are silent, almost impossible to detect reliably, and represent the most powerful attack available to offensive cyber units. It is these types of attacks that represent the true capability of an offensive cyber unit.

In this example, the attacking organization has found a vulnerability in the word-processing software Microsoft Word. Word is widely used in the US government, and the attacker knows that. For the sake of clarity, the specific technical details of the exploit will not be covered; instead, this section will cover the major points of the vulnerability.

First, it is important to understand that prior to Microsoft Office 2007, all Office documents were stored in a binary file format.

NOTE

More information about binary file formats can be found on Wikipedia at http://en.wikipedia.org/wiki/Binary_file.

Programs like Microsoft Word that consume binary file formats have a reputation of being difficult to secure and have been known to be affected by vulnerabilities that can corrupt the memory of the computer system attempting to parse the binary file format. If an attacker can corrupt the system’s memory in a controlled manner (through the use of what is known as “shellcode”), then the attacker will be able to gain access to the target system.

The exploit, along with the attacker’s shellcode, is hidden deep inside the raw binary contents of the malicious Word document. The binary structure of the Word document makes it impossible for the average user to determine whether it contains malicious code. For example, Figure 10-2 shows a typical Word document as displayed by Microsoft Word.

Figure 10-2. Microsoft Word document as viewed in Microsoft Word

Opening the same document in a hex editor shows the raw contents of the file, which are quite different from what the user sees within Microsoft Word. The average user will not be able to comprehend or detect whether malicious content exists within the binary structure of the Word file. It is within this raw binary data that the attacker will place his exploit and shellcode. A portion of the raw binary contents is shown in Figure 10-3. Would you be able to spot an exploit in the binary data?

Figure 10-3. Raw data content from a Microsoft Word document
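As an added example, not taken from the book: a small Python triage helper for the point above. It checks for the legacy binary Office container header, renders a window of raw bytes the way a hex editor would (as in Figure 10-3), and flags blocks of unusually high entropy, a common defender heuristic because a plain document is mostly text, formatting records and zero padding. The sample file bytes are constructed here, not a real document.

```python
import math
from collections import Counter

# Header bytes at offset 0 of a legacy binary Office (OLE2 compound) file.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def is_ole2(data: bytes) -> bool:
    """True if the file starts with the pre-2007 binary Office container header."""
    return data[:8] == OLE2_MAGIC


def hexdump(data: bytes, offset: int = 0, length: int = 64, width: int = 16) -> str:
    """Render a window of raw bytes as offset, hex columns and printable ASCII."""
    lines = []
    chunk = data[offset:offset + length]
    for i in range(0, len(chunk), width):
        row = chunk[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in row)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{offset + i:08x}  {hexpart:<{width * 3}} {asciipart}")
    return "\n".join(lines)


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: near 0 for padding, near 8 for packed or encrypted data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_blocks(data: bytes, block_size: int = 512, threshold: float = 7.0) -> list:
    """Offsets of blocks whose entropy is unusually high for document content.

    A dense high-entropy region in an otherwise textual .doc is a triage lead
    worth a closer look (embedded object, packed payload), not proof of anything.
    """
    return [off for off in range(0, len(data), block_size)
            if shannon_entropy(data[off:off + block_size]) >= threshold]


# Constructed sample (not a real document): a header block, a block of
# document-like text, then a block of maximally varied bytes (entropy 8.0).
SAMPLE_DOC = (OLE2_MAGIC + b"\x00" * 504
              + (b"Quarterly report. " * 32)[:512]
              + bytes(range(256)) * 2)

if __name__ == "__main__":
    print("OLE2 header:", is_ole2(SAMPLE_DOC))
    print(hexdump(SAMPLE_DOC, 0, 32))
    print("High-entropy blocks at:", high_entropy_blocks(SAMPLE_DOC))
```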

Sophisticated organizations
