unexpectedlocalsettings
localsettings 时间:2021-04-12 阅读:()
Protectingtheirreplaceable|f-secure.
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
comStudyoneffectivenessofpopulardefensemeasuresJarnoNiemel.
VirusBulletin2013Twitter:@jarnomnStatisticallyeffectiveprotectionagainstAPTattacksWhyThisResearchWasMadeApplyinghardeningincorporateenvironmentisexpensiveThusIwantedtogivedecisionmakingsupporttoolsforcorporatesecurityInthisresearchweevaluatedpopularhardeningapproachesagainstasetofexploitsAttacksanddefensesevolveconstantlysowefocusedmoreondifferentstylesofapproachratherthanexactsettingsortoolsFortestsweobviouslyusedpubliclyavailabletoolsExploitsUsedInTestsTheusedexploitsetconsistedof~930confirmedexploitdocumentsamplesSamplesinthewild2010-2013CVEidentificationwasdonebyscanresultsMostexploitshaveshortlifespaninactiveuseAPTnatureverifiedbycontextidentificationPressevents,conferenceproceedingsDiplomatic/politicalreports,analysisHumanrights/activismreports,articlesMilitaryreports,events,analysisBusinessrelatedmailF-SecureOctober10,20133050100150200250300051015202530354045500102030405060708090100110120130140150051015202530354045501.
1.
101.
3.
101.
5.
101.
7.
101.
9.
101.
11.
101.
1.
111.
3.
111.
5.
111.
7.
111.
9.
111.
11.
111.
1.
121.
3.
121.
5.
121.
7.
121.
9.
121.
11.
121.
1.
131.
3.
13AnalysisMethodWetestedsampleswithWindowsXPSP3AdobeAcrobat8.
0.
0AdobeFlashplayer6.
0Office2003WeintentionallyusedobsoletesoftwareversionstoenableasmanyexploitsaspossibleWeusedautomaticforensicstocheckforexploitsuccessindicatorsNetworkcommunicationProcesscreationFilecreationEachexploitwasverifiedtoworkconsistentlyinbasesystemF-SecureOctober10,20134ProtectionMethodsApplicationmemoryhandlingmitigationsApplicationSandboxingHardeningapplicationsettingsHardeningoperatingsystemF-SecureOctober10,20135ApplicationSanboxingChrome,Acrobat,etcpopularappshavebuiltinsandboxingTheproblemwiththemisthatattackerhastocircumventtheminordertoexploitThuswewantedtotestexploitsagainstunexpectedsandboxingWeusedSandboxie3.
76ProwithcustomconfigurationOwnsandboxforeachdocumenttypeFileexecutiondeniedforanyfilescreatedbysandboxedapplicationNofileaccessoutsidethesandboxforAcrobatAccessto%documents%%recent%andnetworkdrivesforOfficeapplicationsF-SecureOctober10,20136ChangestoOfficeInstalledOfficefilevalidationInstalledMOICEisolationSetMacrosecurityleveltohighDisabledtrustonadd-onsandtemplatesChangestoAcrobatDisabledopeningnon-PDFattachmentsDisabledtrustinmultimediacomponentsDisabledmultimediaplayerDisabledJavascriptF-SecureOctober10,20137HardenedSecuritySettingsForClientAppsAdvisoriesoftenhavemitigationinstructionswhattodobeforepatchisavailableWewantedtofindouthoweffectivethosemeasuresareingeneralWhoonearthneedsaflashcontentinPDFfileinthefirstplaceAfterVBpapersubmissionNSAcameoutwiththeirAcrobatguidelineshttp://www.
nsa.
gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.
pdfHardenedSystemAccessPoliciesInT22011weannouncedresearchpointingtothathardeningbreaksmalwareHoweverAPTsarequiteadifferentbeastcomparedtoplainoldmalwareWetestedthesamplesagainstfollowinghardenedsystemsettingsBlockedfilewritingtorootsofC:\,D:\,etc,%localsettings%,%appdata%BlockedfilewritingrecursivelytoC:\windows,%programfiles%PreventedfileexecutionfromC:\,%documents%,c:\RECYCLER,%temp%,%APPDATA%,%localsettings%F-Secure10.
lokakuuta20138ApplicationMemoryHandlingMitigationsMemoryhandlingmitigationspreventtypesofmemoryoperationsneededbyexploitsThusnormalappsaremostlyunhinderedwhileexploitsfailtoworkCurrentlyonlytoolprovidingsuchcapabilitiesisMicrosoftEMETAllocationmitigations(SEHOP,Heapspray,ASLR,Nullpage)Codeexecutionorloadingmitigations(DEP,ROP,Bottomuprnd,EAF)Hookingpreventions(Deephooks,Antidetours,Bannedfunctions)ForthisresearchweusedEmet4.
0bwhichwasthelatestavailableF-SecureOctober10,20139ApplicationSandboxingResultsUnfortunatelySandboxieinterferedwithourautomaticforensicsWewereabletogetresultsfor452sampleswith100%protectionOftheremainingsampleswetested60randomsampleswhichhad100%protectionSowecantsaywithfullcertainty,butthirdpartysandboxingseemstobeeffectiveBuiltinpayloadsweredroppedbutnotexecutedSampleswhichtriedtodownloadwereblockedF-SecureOctober10,201310CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-565921CVE-2008-48411CVE-2009-09271CVE-2009-3129219CVE-2009-43249CVE-2010-01886221231CVE-2010-08068CVE-2010-12975CVE-2010-257217CVE-2010-288382CVE-2010-3333133946CVE-2010-365429CVE-2011-00971CVE-2011-010168CVE-2011-061121CVE-2011-12691CVE-2012-0158144916CVE-2012-07792GrandTotal894556737HardenedClientAppsresultsHardeningapplicationsgave80%totalprotectionagainstexploitsCVE-2010-0188failedasnotallsampleswereusingJavaScriptCVE-2010-0188failedaswedidnotthinkifisolatingRTFfilesCVE-2012-0158alsofailedduenotisolatingRTFfilesInOffice2013OFVandMOICEarebuiltinInAcrobattherecommendationsstillapplyF-SecureOctober10,201311HardenedSystemAccessPoliciesresultsHardenedsystemaccesspoliciesgaveverysmalltotalprotectionof~10%~7%werepartiallymitigatedNetworkwasblockedin40samplesProcesscreationblockedin28samplesSointotalsystemhardeningisineffectiveF-SecureOctober10,201312CVEFailed:networkeventFailed:fileeventFailed:processeventSuccessCVE-2004-02101CVE-2006-24921CVE-2006-35903CVE-2007-5659201CVE-2008-48411CVE-2009-09271CVE-2009-3129159528CVE-2009-4324324CVE-2010-01882942CVE-2010-080671CVE-2010-12975CVE-2010-2572287CVE-2010-2883327250CVE-2010-3333182141CVE-2010-365411126CVE-2011-00971CVE-2011-010145113CVE-2011-0611192CVE-2011-12691CVE-2012-015815217CVE-2012-07792GrandTotal34634115189MemoryHandlingMitigationsResultsEMETwasabletostopeverysingleexploit!
However4.
0bisnewerthansamples,soresultscanbeskewedThereareclaimsthatEMETcanbecircumventedButinourtestswecouldnotfindasamplethatactuallydoessoMemoryhandlingmitigationsarenoteffectiveagainstallexploittypesIfexploitisbasedonotherthancodeexecution,EMETwillnothelpButsuchexploitsareveryrareandwecouldnotfindinthewildsampleF-SecureOctober10,201313CVEfailedsuccesscve-2004-021001cve-2006-249201cve-2006-359003cve-2007-5659021cve-2008-484101cve-2009-092701cve-2009-31290219cve-2009-432409cve-2010-01880296cve-2010-080608cve-2010-129705cve-2010-2572017cve-2010-2883082cve-2010-3333098cve-2010-3654029cve-2011-009701cve-2011-0101068cve-2011-0611021cve-2011-126901cve-2012-0158043cve-2012-077902GrandTotal0927DefenceInDepth,HardenYourNetworkPreventlateralmovementwithinyournetworkIsolateeverythinginnetwork,noinboundtoclientsnooutboundfromserverBlockremoteexecutionandRDPfromotherthanadminnetworksegmentAllowusertologinonlytohisworkstationsIsolateemailtoapprovedbusinessuseonlyAllowemailonlyovercompanymailserverDon'tallowmailsendingwithoutuserauthenticationControlDNSresolution,donotallowunknowndomainstoresolveMostAPTC&CinfrarelyonbeingabletoresolvedomainnamesMakedatadifficulttostealUseDRMtomakestolendocumentsworthlessUserightsmanagementservertoprovidetransparentcryptofordocumentsValiduserscanreaddocuments,stolendocsareworthlessoutsidecompanyWatermarkcompanybrowsersandcheckwatermarkinserverHaveownbrowserthatcanaccessonlyintra.
CheckagainstthatintheserverWatermarkcanbefaked,buthardtoget100%rightonthefirstgo->alarmUsetokenbasedemailcertificatesandcryptoforallinternalmailDirectstealingofmailfilesbecomesuselessAttackerneedstodecryptmessagesbeforestealing,whichslowsdownattackandgivesyoutimetoreactConclusionsWiththeexceptionofOShardeningallothermethodswereveryeffectiveVeryfewattackersaimatanythingbutdefaultconfigurationWhichmethodstousedependsonwhatyourcorporateITfindseasiesttodeployAsruleofthumballapplicationsthatdealwithexternaldatashouldbehardenedPersonallyIwouldrecommendacombinationofhardenedapplicationsettingsandEMETSandboxingisalsoveryeffectivebutcanrequireefforttomakeittransparenttousersMostimportantthingtodoisnottorelyonasinglesecuritylayerOurcorporatesecurityproductisverygoodatcatchingexploitsbutnosinglelayerisgoingtobeenoughF-SecureOctober10,201316
- unexpectedlocalsettings相关文档
- eu_directiveslocalsettings
- spotlightlocalsettings
- 华为localsettings
- SIGNlocalsettings
- greatestlocalsettings
- attachedlocalsettings
EtherNetservers年付仅10美元,美国洛杉矶VPS/1核512M内存10GB硬盘1Gpbs端口月流量500GB/2个IP
EtherNetservers是一家成立于2013年的英国主机商,提供基于OpenVZ和KVM架构的VPS,数据中心包括美国洛杉矶、新泽西和杰克逊维尔,商家支持使用PayPal、支付宝等付款方式,提供 60 天退款保证,这在IDC行业来说很少见,也可见商家对自家产品很有信心。有需要便宜VPS、多IP VPS的朋友可以关注一下。优惠码SUMMER-VPS-15 (终身 15% 的折扣)SUMMER-...
阿里云服务器绑定域名的几个流程整理
今天遇到一个网友,他之前一直在用阿里云虚拟主机,我们知道虚拟主机绑定域名是直接在面板上绑定的。这里由于他的网站项目流量比较大,虚拟主机是不够的,而且我看他虚拟主机已经有升级过。这里要说的是,用过阿里云虚拟主机的朋友可能会比较一下价格,实际上虚拟主机价格比云服务器还贵。所以,基于成本和性能的考虑,建议他选择云服务器。毕竟他的备案都接入在阿里云。这里在选择阿里云服务器后,他就蒙圈不知道如何绑定域名。这...
HostKvm香港VPS七折:$5.95/月KVM-2GB内存/40GB硬盘/500GB月流量
HostKvm是一家成立于2013年的国外主机服务商,主要提供VPS主机,基于KVM架构,可选数据中心包括日本、新加坡、韩国、美国、俄罗斯、中国香港等多个地区机房,均为国内直连或优化线路,延迟较低,适合建站或者远程办公等。商家本月针对香港国际机房提供特别7折优惠码,其他机房全场8折,优惠后2G内存香港VPS每月5.95美元起,支持使用PayPal或者支付宝付款。下面以香港国际(HKGlobal)为...
localsettings为你推荐
-
wordpressWordPress 是什么?flashwind谁能教我怎么在360里下载个flashwind?linux防火墙设置怎么更改linux的防火墙设置?搜狗360360浏览器为什么不能让我自动登录了ym.163.comfoxmail设置163免费企业邮箱outlookexpress系统自带的outlook express有什么用?怎么用?波音737起飞爆胎为什么客机每次起飞都要先跑一段距离文档下载怎样把手机里的文件直接下载或复制到U盘里discuz伪静态求虚拟主机Discuz 伪静态设置方法联系我们代码卸载失败!请联系我们帮助您解决!(错误代码13)--是什么情况