Targeted Email Attacks and the Recent Adobe U3D Vulnerability

Users are the weakest link in any organization’s security posture, and while we like to take a more nuanced approach, there is little doubt that the inclination to click on anything does cause issues, particularly when that something looks like it was meant for you. Over the course of the last few years there has been a lot of talk around targeted email attacks, because attackers do see users as a potential weakness, somewhere they can get a foot in the door without setting off too many alarms.

One of the techniques we’ve seen them use is putting malicious code email attachments, yet making the contents of the email seem enticing or familiar to the end user.  In the case of more technically proficient attackers, it is not completely uncommon to see the use of 0day vulnerabilities.  The term social engineering is used frequently, and at the most basic level this activity is just exploiting the social nature of people, the desire to communicate with one another.  While we could write a great deal more on this, we want to instead focus on the technical nature of this problem and how network security technology can defend against 0day attacks targeting your users.

Just because something is a 0day attack does not mean that it’s something that can’t be blocked.  There are really two different elements in any attack scenario, and you can stop an attack by approaching either successfully.  The first, and most common way, is using signatures that block known vulnerabilities. While that will defend organizations of the vast majority of attack activity on the internet, it won’t do much good if the exploit is targeting a vulnerability nobody knows about.

So, that leaves the exploit. While it’s quite possible that a given exploit might be new, the question arises of whether of not the exploit technique is new, or something we’ve never thought of.  Often times the answer to that is no.  Malicious code in attachments and files is one of the most common ways to attack an end user, and as such, at the network layer we can look for things like machine code running in places where it shouldn’t be.  We don’t have to know about the vulnerability if we can determine that the network traffic is suspicious.

One example of this would be spotting something like flash where it shouldn’t be.  The important element here is being able to distinguish the characteristics of normal behavior from abnormal.  Lately, we have seen this activity evolve to embedding Adobe Flash files in things like Microsoft Word/Excel.  This is designed to trick both users and security technology into thinking they were looking at a normal document, not a piece of malicious code. At some point, attackers recognized that there are vulnerabilities that can be hard to leverage by themselves, but become practical in the context of a document that can be shared on the Internet, such as via email, that just so happens to leverage this social engineering concept too. We have even seen a Flash file inside of a Flash file inside of a common document type.  In this scenario, the first Flash object may be setting up an environment for the second Flash object to exploit the actual vulnerability involved.  When you look at these examples compared to legitimate network traffic, red flags go up.

The second element here is false positives, and in many ways this is just as important as being able to actually block the malicious attachment.  If you create a heuristic technology that blocks malicious traffic, along with a bunch of other traffic, that’s going to have a negative impact on your business and you can experience a variety of consequences including loss of productivity and/or revenue.  A used and abused phrase, but security really is a process, and the quality assurance process associated with network security controls is certainly a testament to that.  QA can be the difference between a heuristic technology or signature that is successful in a lab and one that is successful on your network. Changes in things like legitimate obfuscation cause us to constantly tune and refine our technology.  For this reason, X-Force invests heavily in the quality and improvement of our various “ahead of the threat” and heuristic technologies.

Over the course of the last week there has been a lot of discussion around the 0day attacks that targeted the previously unknown Adobe U3D vulnerability.  X-Force obtained PDF samples targeting this vulnerability and discovered that these attacks were blocked by a signature we shipped back in 2008 (PDF_JavaScript_Hex)!  This signature is part of our “ahead of the threat” coverage and was designed not to protect a certain vulnerability, but to look for certain ways JavaScript appears in malicious PDF files.  X-Force has now distributed specific coverage for the vulnerability should other code ever be written targeting this vulnerability.

Robert Freeman

Senior Manager, IBM X-Force Research

Robert Freeman is a seasoned research and development manager, leader and inventor/technologist. His expertise spans a...