On the importance of patches and security software: lessons from the exploitation of N-day vulnerabilities

Source: Internet
Author: User
Tags: cve

I. Real-world incidents caused by CVE-2014-6332

At the end of last year, 360 Security Center monitoring found that web-page Trojan (drive-by download) activity, which had been relatively quiet for some time, suddenly soared, and the spread of malware surged with it. A large number of Trojan attacks delivered through vulnerabilities kept emerging. 360's web-page protection was updated quickly in response, dynamically intercepting a large number of Trojan attacks and blocking access to a large number of Trojan-hosting websites.

Analysis showed that most of these Trojan attacks came from a single vulnerability, CVE-2014-6332. It was so widely used because its impact is broad and because it was published after Microsoft had ended support for Windows XP, so no official patch is available on XP.

Excerpt from the publicly available exploit code:

Excerpt from a page that was used to spread Trojans:

Attackers can take the publicly available proof-of-concept code, modify it, and use it to spread Trojans at scale through illegal sites, advertising chains and other channels.
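As an added example (this is not code from the original post or from 360), the following Python heuristic scanner sketches the kind of check a web-protection component can run over fetched pages to flag landing pages that reuse the public CVE-2014-6332 VBScript technique. It keys on publicly documented characteristics of that proof of concept (a VBScript block that sets On Error Resume Next and resizes arrays with ReDim Preserve) plus generic drive-by markers (a hidden 1x1 iframe and a long %uXXXX string passed to unescape()). The sample pages are constructed for illustration, not real captures, and the rule thresholds and verdict names are assumptions, not 360's actual rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample pages for illustration (not real captured pages).
SAMPLE_PAGES = {
    # Hidden ad frame plus a VBScript block shaped like the public 6332 PoC.
    "ad_frame.html": """<html><body>
<iframe src="http://ads.example.net/show.html" width="1" height="1" style="visibility:hidden"></iframe>
<script language="VBScript">
On Error Resume Next
Dim aa()
Dim ab()
Dim a0
a0 = 1
ReDim Preserve aa(a0)
ReDim Preserve ab(a0)
</script>
</body></html>""",
    # Generic drive-by marker: shellcode-style %uXXXX string fed to unescape().
    "shellcode_page.html": """<html><body>
<script>
var sc = unescape("%u9090%u9090%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30");
</script>
</body></html>""",
    # Ordinary page that happens to use VBScript without the exploit pattern.
    "benign.html": """<html><body>
<h1>Player update notes</h1>
<script language="VBScript">
Dim msg
msg = "Hello"
</script>
</body></html>""",
}

# Inline VBScript blocks (IE only executes these, which is why the exploit lived in IE-embedding players).
VBSCRIPT_BLOCK = re.compile(
    r'<script[^>]*language\s*=\s*["\']?vbscript["\']?[^>]*>(.*?)</script>',
    re.IGNORECASE | re.DOTALL,
)
ON_ERROR = re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.IGNORECASE)
REDIM_PRESERVE = re.compile(r"\bReDim\s+Preserve\b", re.IGNORECASE)
# 1x1 or invisible iframes are the usual way an ad slot pulls in an exploit page.
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(?:width\s*=\s*["\']?[01]["\']?|height\s*=\s*["\']?[01]["\']?'
    r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>",
    re.IGNORECASE,
)
# Eight or more consecutive %uXXXX units inside unescape() (threshold is an assumption).
UNESCAPE_SHELLCODE = re.compile(r'unescape\(\s*["\'](?:%u[0-9a-f]{4}){8,}', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def scan_page(html: str) -> list[Finding]:
    """Return the heuristic findings for one HTML page (empty list if nothing matched)."""
    findings: list[Finding] = []
    for m in VBSCRIPT_BLOCK.finditer(html):
        body = m.group(1)
        redims = len(REDIM_PRESERVE.findall(body))
        # The public 6332 PoC suppresses errors and resizes two arrays to set up its type confusion.
        if ON_ERROR.search(body) and redims >= 2:
            findings.append(Finding("cve-2014-6332-style-vbscript",
                                    f"On Error Resume Next with {redims} ReDim Preserve calls"))
    for m in HIDDEN_IFRAME.finditer(html):
        findings.append(Finding("hidden-iframe", m.group(0)[:80]))
    if UNESCAPE_SHELLCODE.search(html):
        findings.append(Finding("unescape-shellcode", "long %uXXXX string passed to unescape()"))
    return findings


def verdict(html: str) -> str:
    """Map findings to a block/suspicious/allow decision (policy is an assumption)."""
    rules = {f.rule for f in scan_page(html)}
    if "cve-2014-6332-style-vbscript" in rules or "unescape-shellcode" in rules:
        return "block"
    if rules:
        return "suspicious"
    return "allow"


if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(name, verdict(html), [f.rule for f in scan_page(html)])
```

The point of the example is the asymmetry the post describes: once a proof of concept is public, its shape (not just its hash) is what defenders end up matching, and attackers who only lightly modify the published code remain easy to catch, while a cleanly re-obfuscated copy slips past a pattern like this and has to be caught by the patch itself.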

II. 6332 makes a comeback

The vulnerability was gradually fixed in the various browsers. Once browser-side protection was in place, the exploit code was quietly transplanted into the advertisement pages built into applications. A large number of media players embed the IE browser engine to render advertisements and were therefore affected, which triggered a new wave of attacks with an equally large impact. The following figure shows the number of such attacks blocked in one player:


III. 0-day and N-day

A 0-day (zero-day) vulnerability is one for which the vendor has not yet released a fix. An N-day vulnerability is one for which the vendor has already released a patch, but which remains exploitable on many systems because, for reasons of time, habit, security awareness and so on, many people have not applied it.

This hides a risk. When a security researcher or enthusiast obtains exploit code for a 0-day vulnerability, the vast majority still consciously avoid disclosing that code (white hats out of industry self-discipline, black hats out of commercial interest). For that reason, such a vulnerability poses limited danger to the general public.

An N-day is completely different. After a vulnerability is fixed, many vulnerabilities are published or analysed, and exploit code or methods for public vulnerabilities can be found on the Internet. Once patching is not timely, the exploit code is no longer the secret weapon it was on day zero; it becomes a weapon of mass destruction.

The CVE-2014-6332 case above is a typical large-scale Trojan outbreak caused by an N-day vulnerability.

IV. Flash Trojans

Shortly after the 6332 outbreak, we extended 6332 exploit interception to cover client software as well. Attackers then began trying several Flash vulnerabilities to deliver Trojans, affecting several domestic media players and system recovery tools. Because these vulnerabilities were already effectively intercepted, this wave of Trojan attacks was quickly suppressed.

V. CVE-2015-5122 strikes again

A year after the CVE-2014-6332 storm, with its fallout still not resolved, exploit code for CVE-2015-5122 was exposed when Hacking Team was breached.

Soon a tutorial on exploiting the vulnerability appeared on the Internet (excerpt):

With the exploit code and methods exposed, we also observed a large number of websites exploiting the vulnerability to spread malware.

360's interception of such Trojan sites:


360 Web Shield's interception of the vulnerability attacks:

At the same time, we captured a large number of samples exploiting the vulnerability. Their code is very similar to the code published on the Internet, and even the obfuscation method is the same:

Even after Adobe released an official patch, the vulnerability continued to be exploited. In mid-October it began to erupt on a large scale when an advertising alliance pushed several ads carrying the exploit.

CVE-2015-5122 vulnerability Trojan page:

Distribution of interceptions of this vulnerability over the last week:

By blocking the Trojan websites and the advertising alliance's pages, the alliance was forced to take down the Flash advertisements carrying the exploit, and the spread of Trojans began to drop significantly.

VI. On the importance of patches and security software

From last year's CVE-2014-6332 to this year's CVE-2015-5122: different causes and different products, but similar results, two N-day exploitation campaigns. Through exploit code published on the Internet, attackers can obtain "heavy weapons" at very low cost, and all of a sudden the term "software vulnerability" is tied to our daily online lives.

Some "computer city" merchants, driven by their own commercial interests (or simply wanting to avoid trouble), instil distorted ideas into inexperienced users: "patches are useless and only slow the system down", "anti-virus software is useless and will make the system lag". Even some "computer experts" around us will say: "Look, I run without any anti-virus and haven't been infected in years. As long as you develop good browsing habits and don't visit dodgy websites, you won't get infected." Such "words of wisdom" still ring in our ears.

A patch eliminates the problem in earlier versions of a program at its source and removes an existing software vulnerability. Good browsing habits matter, but third-party advertisements, network hijacking, ARP spoofing and other risks mean that even when the website or software itself is not malicious, users can still be exposed while browsing or using software. In the case of network hijacking in particular, a computer can be compromised simply by being connected to the network, even if the user never opens a website.

Even if you keep software updated and install patches promptly, malicious software and malicious code remain ubiquitous. Reliable security software, acting as the computer's guardian, can defend against Trojan attacks in most cases and prevent malware from spreading. Trojans aimed at the masses exist to make a profit, not to announce their presence. Note: "you have never been infected" and "you have never noticed being infected" are not the same thing!
