August 28, 2013 By Dana Tamir 2 min read

When we discuss exploit prevention, we often talk about “targeted applications.” This term refers to end-user applications that can be exploited by hackers for malicious purposes. There are a few requirements that define these applications:

Targeted Applications Receive External Content

In order to deliver the exploit, the attacker must be able to provide the user with specially crafted content that contains the malicious exploit, aka weaponized content. For example, this could be an HTML Web page that contains a hidden Java applet, or an email attachment, such as a Word document, Excel spreadsheet or PDF document, that contains hidden code. This code executes when the application opens the content and exploits vulnerabilities in these applications to download malware on the endpoint. If an application does not receive external content, it would be impossible for the attacker to deliver the weaponized content and the exploit.

They Have Vulnerabilities

Vulnerable applications provide the attacker with an opportunity to develop an exploit. Some applications contain more vulnerabilities than others, and some vulnerabilities are easier to exploit. An application that has many exploitable vulnerabilities will be targeted more often. Zero-day vulnerabilities, which are vulnerabilities that are unknown to the public, are more likely to be successfully exploited because there is no patch available. However, zero-day vulnerabilities are not a requirement. Interestingly, known application vulnerabilities are still exploited because many users do not apply security patches in a timely manner.

They Are Common Applications

Common applications that can be found on most user endpoints are targeted more often than uncommon, specialized applications. Of course, the more common the application is, the wider the attack surface it provides.

There Are Exploits Available

Exploit code must be developed in order to exploit the application’s vulnerability. If the vulnerability exists but no exploit code was developed, the risk remains theoretical.

Common Targets

Considering the listed requirements for targeted applications, it is not surprising that the most-targeted end-user applications are browsers, Java applications, Adobe Acrobat, Flash, Word, Excel, PowerPoint and Outlook. These are all common applications found on most user endpoints. They all receive external content that can be weaponized. They all contain vulnerabilities — most of them are known, but periodically, we hear about zero-day vulnerabilities. Also, exploit kits that contain exploit codes are widely available.

If we take, for example, the 2011 RSA breach, the attacker used a spear-phishing campaign to deliver a weaponized attachment to employees. The spear-phishing email included a weaponized Excel spreadsheet that contained a zero-day exploit object. The attachment exploited an Adobe Flash vulnerability (CVE-2011-0609) to silently install a customized remote access Trojan known as Poison Ivy RAT. Both Excel and Adobe Flash are commonly targeted applications that can be found on most user endpoints.

Any advanced threat protection and exploit prevention technology must ensure these targeted end-user applications are not successfully exploited. Since these applications are very different from each other, special controls may be required for each application. For example, Java applications are vulnerable to both native exploits (executed at the memory level) and applicative exploits (executed in the user space by breaking out of the Java virtual machine sandbox). Solutions that apply granular controls at the OS level to protect against native exploits wouldn’t be able to protect against applicative exploits.

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today