Vulnerabilities / Threats
07:12 AM
Dark Reading
Dark Reading
Quick Hits

Below The Application: The High Risk Of Low-Level Threats

In-memory attacks and rootkits may hit your systems below the OS. Here are some tips to help your defense

Excerpted from "Below the Application: The High Risk of Low-Level Threats," a new report posted this week on Dark Reading's Advanced Threats Tech Center.]

In all of the publicity around application attacks, cloud security and virtualization, many experts in the security field have let lower-level, more direct system attacks fall by the wayside. While there may be a reason to relax a little, given the huge leaps forward in network and computer system security, there are many good reasons to continue to pay special attention to these types of attacks.

While we have secured the perimeter, hardened our operating systems and trued up our weakest points, low-level threats have evolved -- and become more and more sinister.

Even more disturbing is that we don't have a full understanding of these threats, not to mention that fact there is more funding and resources behind them than ever.

Delving into the details of what defines traditional low-level attacks, we find ourselves looking at the attack surface and its evolution during the last few decades. The one thing that hasn't changed is the exploitation life cycle that these attacks utilize.

Attack surfaces range from physical ports to virtual ports and from browsers to operating systems. Effectively, Anything that can process or be processed is going to effectively expand the attack surface of a given system. And with the expansion of USB 2.0, FireWire and other high-speed data transfer technologies, local attack surfaces are more vulnerable than ever.

"Hacking hasn't changed," says Daniel Clemens, owner of Packetninjas. "We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution."

He's right. The trend of focusing on the application has desensitized us to the more traditional threats that are still evolving.

"I think the downside we face is a false sense of security because many have been trained to abstract only to the 'web application level,'" he adds. "In the end, configuration, implementation and design flaws exist from the human endpoint to the structures pushed onto the stack in the CPU."

Applications also make it much easier for the notorious eighth layer--the users--to fall victim to drive-by downloads and spear phishing attacks that ultimately lead to low-level compromises.

For the purposes of differentiation, we have broken down attack types into categories: Advanced volatile threats (AVTs), memory attacks, advanced persistent threats (APTs), firmware attacks, and rootkits.

Originally coined by anti-malware vendor Triumfant, the term "advanced volatile threat" (AVT) refers to attacks made on a computer's volatile memory, such as RAM, which are dynamic and are never stored in long-term memory. Triumfant, whose highly-granular endpoint change management technology is able to detect such attacks, states that AVTs are becoming an increasingly popular attack vector, and Triumfant CEO John Prisco warns that AVTs may one day replace APTs as the most common form of obfuscated online attack.

AVTs are a new spin on (and almost the opposite in some ways of ) the traditional APT. Rather than write data to disk to maintain access and expand capabilities, an AVT will simply stay in memory and per form its malicious actions in that location entirely. By avoiding writes to disk, the AVT makes itself even harder to detect and a lot harder to perform forensic analysis on.

By staying in memory, the AVT will disappear on reboot or when it's overwritten, effectively leaving no trace at all. This presents challenges on both ends. Attackers don't get the persistence, so they would be required to re-exploit the system should they need access after the memory flush. At the same time, the lack of persistence makes it especially challenging to know you've even been attacked.

In most cases, the primary overall goal of the AVT will mirror that of the APT. AVTs, however, are considered more advanced due to the fact that they operate exclusively from RAM.

To read about other low-level attacks -- including memory attacks, APTs, firmware attacks, and rootkits -- and what you can do about them, download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.