unexpectedlocalsettings
localsettings 时间:2021-04-12 阅读:()
Protectingtheirreplaceable|f-secure.
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
- unexpectedlocalsettings相关文档
- eu_directiveslocalsettings
- spotlightlocalsettings
- 华为localsettings
- SIGNlocalsettings
- greatestlocalsettings
- attachedlocalsettings
OneTechCloud(31元),美国CN2 GIA高防VPS月
OneTechCloud发布了本月促销信息,全场VPS主机月付9折,季付8折,优惠后香港VPS月付25.2元起,美国CN2 GIA线路高防VPS月付31.5元起。这是一家2019年成立的国人主机商,提供VPS主机和独立服务器租用,产品数据中心包括美国洛杉矶和中国香港,Cera的机器,VPS基于KVM架构,采用SSD硬盘,其中美国洛杉矶回程CN2 GIA,可选高防。下面列出部分套餐配置信息。美国CN...
萤光云(20元/月),香港CN2国庆特惠
可以看到这次国庆萤光云搞了一个不错的折扣,香港CN2产品6.5折促销,还送50的国庆红包。萤光云是2002年创立的商家,本次国庆活动主推的是香港CN2优化的机器,其另外还有国内BGP和高防服务器。本次活动力度较大,CN2优化套餐低至20/月(需买三个月,用上折扣+代金券组合),有需求的可以看看。官方网站:https://www.lightnode.cn/地区CPU内存SSDIP带宽/流量价格备注购...
美国Cera 2核4G 20元/45天 香港CN2 E5 20M物理机服务器 150元 日本CN2 E5 20M物理机服务器 150元 提速啦
提速啦 成立于2012年,作为互联网老兵我们一直为用户提供 稳定 高速 高质量的产品。成立至今一直深受用户的喜爱 荣获 “2021年赣州安全大赛第三名” “2020创新企业入围奖” 等殊荣。目前我司在美国拥有4.6万G总内存云服务器资源,香港拥有2.2万G总内存云服务器资源,阿里云香港机房拥有8000G总内存云服务器资源,国内多地区拥有1.6万G总内存云服务器资源,绝非1 2台宿主机的小商家可比。...
localsettings为你推荐
-
0.21网易yeahflashwind用flashwind这个加速器玩游戏,会被盗号吗?会被封号吗?360公司迁至天津请问360公司的全称是什么?青岛网通测速中国联通宽带,青岛地区咋样,与网通有啥区别厦门三五互联科技股份有限公司厦门三五互联科技股份有限公司广州分公司 待遇怎么样啊,电话营销的网站方案设计求一篇校园网络设计的方案网站制作套餐做一个网站要多少钱艾泰科技闻泰科技是做什么的啊?有人能告诉我吗?艾泰科技艾泰的品牌介绍建站之星建站之星和凡科建站哪个系统好用呢?