Notable Zero Day Attacks in 2012



A number of high-profile attacks in 2012 utilized zero-day vulnerabilities. In March RSA revealed that they were the victim of a targeted attack in which data related to their SecurID™ product was stolen [13]. This stolen data was then used in further attacks against a number of military contractors. In order to gain access to the RSA network the attackers first sent a crafted email message to a number of employees with the subject line “2011 Recruitment Plan”. The message contained an attachment called 2011 Recruitment Plan.xls, as shown in figure D.6.

Figure D.6: Example of email used in notable targeted attack. Source: Symantec

The attachment contained an embedded Flash file which exploited CVE-2011-0609 in order to install a Backdoor program. Once the attackers had backdoor access they were able to install the PoisonIvy remote access tool in order to iterate through the network gathering credentials and eventually getting to the target machine which contained the sought-after data.


W32.Duqu was discovered in September 2012 and was determined to have been based on the same source code as W32.Stuxnet. W32.Duqu is designed to capture and exfiltrate data which may be used to enable a future Stuxnet-like attack.

The initial W32.Duqu installer was a Microsoft Word document (.doc) which exploited a previously unknown kernel-level vulnerability that allows code execution. This vulnerability was later assigned CVE-2011-3402, Win32k True Type Font Parsing Vulnerability. The .doc was sent as an attachment to the targeted organization. The .doc was crafted to specifically target the recipient organization, e.g. by taking a document from the organization’s website, such as a form, and modifying it in order to exploit the vulnerability. When launched, the document triggers the exploit code, which then loads shellcode to decrypt the driver and installer. The shellcode executes the driver, which in turn injects the installer into services.exe. The following diagram illustrates the infection routine:

Figure D.7: Process involved in W32.Duqu targeted attack. Source: Symantec

The Sykipot Attacks

The Sykipot threat has been in existence since 2006 but gained attention in December 2012 due to a series of targeted attacks in which it exploited CVE-2011-2462 - Adobe Reader/Acrobat U3D Memory Corruption Vulnerability, a zero-day vulnerability. This wasn’t the first time that the Sykipot attackers used a zero-day vulnerability. In March 2010 the same attackers used an Internet Explorer zero-day to download and install Backdoor.Sykipot - CVE-2010-0806, Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability.

In the December 2012 attacks, the attackers sent targeted emails with a malicious PDF attachment, as shown in figure D.8.

Figure D.8: Example of email used in Sykipot targeted attack. Source: Symantec

The targeted email was sent to a number of individuals in a variety of organizations which cover many industry sectors, such as:
  • Defense contractors
  • Telecommunications
  • Computer Hardware
  • Chemical
  • Energy
  • Government Departments

When the PDF attachment is launched it exploits CVE-2011-2462 in order to install the Backdoor program, Backdoor.Sykipot. Backdoor.Sykipot can then receive a variety of commands from the attackers, ultimately leading to the exfiltration of sensitive documents.

Window of Exposure for Zero-day Vulnerabilities

The window of exposure for vulnerabilities is the difference in days between the time when exploit code affecting a vulnerability is made public and the time when the affected vendor makes a patch publicly available for that vulnerability. During this time, the computer or system on which the affected application is deployed may be susceptible to attack. Attackers will attempt to maximize the window of exposure by making swift use of exploits in attacks.


An example of attackers taking advantage of the window of exposure is the usage of CVE-2011-2462, Adobe Acrobat and Reader U3D Memory Corruption Vulnerability. This vulnerability was used in targeted attacks in the wild on December 1st 2011. An advisory was published by the vendor on December 6th 2011 [14] confirming that the vulnerability was being exploited in attacks against Adobe Reader 9.x. Version 10.x was also vulnerable but was not being exploited in the wild. On December 16 Adobe Reader and Acrobat version 9.4.7 was released to correct this vulnerability for versions 9.x. Version 10.2 was released on January 10th 2012 to correct version 10.1.

The window of exposure for Adobe Reader and Acrobat 9.x was therefore 10 days. During this time heightened activity was seen against this vulnerability. The vulnerability was being exploited in crafted PDFs which were sent as email attachments. Once launched, the attachment would exploit CVE-2011-2462 in order to install a backdoor program onto the victim’s machine. Symantec observed a significant spike in these malicious attachments in the period just after the vulnerability was published:

Figure D.9: CVE-2011-2462: Attack Volume by Day. Source: Symantec

The vulnerability was used in limited targeted attacks in the period leading up to public disclosure. A few days after the vulnerability was publicly disclosed by the vendor, the vulnerability was seen being exploited in reasonably widespread attacks. It was actively used in the wild for 6 days, leading up to a patch being released on December 16. The numbers above demonstrate the attractiveness of a zero-day vulnerability to attackers and how they will attempt to maximize the effectiveness of the exploit code during the window of exposure.
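The window-of-exposure calculation above, worked through in code as an added example (not part of the original report): the dates are the CVE-2011-2462 dates given in the text, the vendor advisory is taken as the public disclosure date, and the per-branch patch dates show that the 10.x branch stayed exposed far longer than the 9.x branch even though it was not being attacked.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class VulnTimeline:
    """Key dates for one vulnerability, with per-version-branch patch dates."""
    cve: str
    first_seen_in_wild: date                  # exploit first observed in attacks
    public_disclosure: date                   # vendor advisory / exploit made public
    patch_dates: dict = field(default_factory=dict)   # branch -> patch date
    exploited_branches: frozenset = frozenset()       # branches seen under attack

    def exposure_window_days(self, branch: str) -> int:
        """Report's definition: days from public disclosure to the branch's patch."""
        return (self.patch_dates[branch] - self.public_disclosure).days

    def zero_day_days(self) -> int:
        """Days the exploit was used in attacks before any disclosure existed."""
        return (self.public_disclosure - self.first_seen_in_wild).days

    def status(self, branch: str, on: date) -> str:
        """Classify one calendar day for a host running the given branch."""
        if on >= self.patch_dates[branch]:
            return "patch available"
        if on >= self.public_disclosure:
            return "window of exposure"        # disclosed, no patch yet
        if on >= self.first_seen_in_wild and branch in self.exploited_branches:
            return "zero-day exploitation"     # attacked, not yet disclosed
        return "no known exploitation"


# Dates as given in the report text for CVE-2011-2462 (advisory = disclosure)
CVE_2011_2462 = VulnTimeline(
    cve="CVE-2011-2462",
    first_seen_in_wild=date(2011, 12, 1),
    public_disclosure=date(2011, 12, 6),
    patch_dates={"9.x": date(2011, 12, 16), "10.x": date(2012, 1, 10)},
    exploited_branches=frozenset({"9.x"}),
)


def report(tl: VulnTimeline) -> dict:
    """Window of exposure in days for every patched branch."""
    return {branch: tl.exposure_window_days(branch) for branch in tl.patch_dates}


if __name__ == "__main__":
    print(CVE_2011_2462.cve, report(CVE_2011_2462),
          "days exploited before disclosure:", CVE_2011_2462.zero_day_days())
```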
