
There have been several critical 0-day exploits in the past days/weeks in Flash alone. Nobody knows how long the 0-days have been exploited, and it is reasonable to expect that there are 0-days being exploited at this moment, but we don't know.

The practice of patching/updating flash plugin after 0-day has been discovered seems inadequate to me.

How could one check, if particular machine has been exploited? The 0-day in flash allows arbitrary code execution. AFAICT, The executed code could be anything

Is there any way to find out, that an exploit was used and that some code was executed?

Martin Vegter
  • One could [make the randomness it uses for TLS and other key agreement protocols reproducible] and [store all traffic to-and-from it] and [look over that traffic after a patch is installed]. –  Feb 03 '15 at 09:30
  • @Ricky Demer - I don't understand what you are trying to say. Could you please reformulate your comment? – Martin Vegter Feb 03 '15 at 11:05
  • @RickyDemer patching Flash after the system is compromised won't have any effect; the vulnerability is only required to install the malware, but once it's there, you can even uninstall Flash completely and the malware will still run and cause damage. –  Feb 04 '15 at 08:37
  • Capture the traffic from the machine while it's not used and see if there's anything suspicious, the malware should somehow communicate with its command/control server so you will see it if it does; of course this isn't entirely reliable as you can design malware to be sneaky, disguise its communication as if it was another program or only transmit while the machine is used but you can still try. This shouldn't be used to ensure the machine is clean, only to prove that the machine is compromised. –  Feb 04 '15 at 08:41
  • @AndreDaniel: Yes, but traffic to/from the computer after a patch is installed presumably can't directly exploit the bug; that's the point of looking over the stored traffic at that time rather than waiting longer and having more traffic to look over. –  Feb 04 '15 at 08:43

3 Answers


Well, inadequacy is relative, in that you don't know what they're doing, but if you're willing to do the research then you can find out, I guess?

Sandbox the browser using something like Sandboxie, which will then tell you what it's trying to access. You could also install Wireshark on a machine and point all traffic going out from that machine to the machine with Wireshark on it, so as to see what packets are being sent and received.

Besides that, a console will allow you to see what calls Flash makes to your local system.

Personally, I don’t use Flash anymore and opt in for HTML5, but then again there are not enough sites using it fully as of yet.

schroeder
Rio Hazuki
  • how can I get a console and see what calls Flash makes? – Martin Vegter Feb 03 '15 at 11:07
  • You can do this through debugging; here is a link to Adobe's site that will help: https://helpx.adobe.com/flash-player/kb/configure-debugger-version-flash-player.html. You can also use the browser debugger using F12 in Firefox. I'm not sure about other browsers, however, so please look up Debug under the browser you wish to use. – Rio Hazuki Feb 03 '15 at 11:22
  • @RioHazuki this assumes that Flash itself was affected as a result of the 0-day. The problem is that Flash is an infection vector where the arbitrary code could have affected anything on the system (like installing a bot) – schroeder Feb 03 '15 at 19:41

The problem is that a vulnerable Flash version is a conduit into your system. There will be no way to see if your system was compromised via Flash. At best you will be able to see that you have some kind of infection/corruption in general, but you won't be able to tell how it happened.

schroeder
  • OK, but even if flash/browser is compromised, the attacker only gets user level access, not root. He cannot install anything (rootkit). What can he do apart from stealing my data? – Martin Vegter Feb 03 '15 at 20:38
  • "cannot install anything" is a tricky thing to state. There is a lot one can do with "just" user-level access. This new question is very difficult to answer in a short summary without having detailed understanding of your specific environment. – schroeder Feb 03 '15 at 20:41
  • Allowing User Level compromise is pretty late in the game and an underestimation. You don't have to catch a rootkit to be owned at the user level and to have leaked everything. Google applications that install in userland are a pretty good demonstration that a lot less than nothing gets installed ;^). – Fiasco Labs Feb 04 '15 at 04:09

If you set up log management and send event logs as syslogs, as seen in the following document, then you can monitor for IoCs (or hunt through the events).

http://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262

For example, if Flash crashes, EMET alerts, or your AV describes a particular related issue, then you will likely be able to track down exploitability. The only way to know for certain is if a process can be viewed at runtime or in-memory (e.g., via Volatility Framework), but the event logs will definitely provide a hunter a path forward.

Another tool in this space is El Jefe from Immunity Security, but most others are covered in that SANS paper linked above.

Others commented about using packet captures from the network. I don't think this is a great approach, but the network information may corroborate evidence with the suggestions I provided here.

atdre
  • Can you please also look at this question and state your opinion? https://security.stackexchange.com/questions/96285/does-the-microsoft-emet-protects-against-latest-hacking-team-adobe-flash-0-day-e/ – vasili111 Aug 08 '15 at 08:35
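A small log hunt along the lines of this answer, added here as an example (it is not the answer's or the SANS paper's code): it scans constructed, simplified syslog lines carrying Windows Application-log events, flags hosts whose Application Error event (ID 1000) names a Flash module or whose events come from EMET (the line layout, hostnames, module versions and EMET source name are assumptions), and ranks hosts with more than one kind of indicator for in-memory triage.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Application-log events forwarded as syslog.
# Hostnames, versions and the line layout are made up for this example.
SAMPLE_SYSLOG = """\
<13>Feb 03 09:12:41 WS-042 WinEvent Application 1000 Application Error: Faulting application name: plugin-container.exe, Faulting module name: NPSWF32_16_0_0_296.dll
<13>Feb 03 09:12:44 WS-042 WinEvent Application 2 EMET: EMET detected StackPivot mitigation and will close the application: plugin-container.exe
<13>Feb 03 09:15:02 WS-017 WinEvent Application 1000 Application Error: Faulting application name: notepad.exe, Faulting module name: ntdll.dll
<13>Feb 03 09:16:30 WS-023 WinEvent Application 1000 Application Error: Faulting application name: iexplore.exe, Faulting module name: Flash32_16_0_0_296.ocx
"""

# <PRI>Mon DD HH:MM:SS host WinEvent <log> <event_id> <source>: <message>
LINE_RE = re.compile(
    r"^<\d+>\S+ \d+ [\d:]+ (?P<host>\S+) WinEvent (?P<log>\S+) "
    r"(?P<event_id>\d+) (?P<source>[^:]+): (?P<msg>.*)$"
)
# Module names used by the NPAPI, ActiveX and PPAPI Flash plugins.
FLASH_MODULE_RE = re.compile(r"(NPSWF|Flash\d*_|pepflashplayer)", re.I)

def classify(line):
    """Return (host, indicator) for a line of interest, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    eid, src, msg = int(m["event_id"]), m["source"], m["msg"]
    if eid == 1000 and FLASH_MODULE_RE.search(msg):
        return m["host"], "flash_crash"       # crash inside a Flash module
    if src == "EMET":
        return m["host"], "emet_mitigation"   # EMET blocked an exploit technique
    return None

def hunt(text):
    """Map each host to the sorted set of indicator kinds seen for it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        r = classify(line)
        if r:
            hits[r[0]].add(r[1])
    return {host: sorted(kinds) for host, kinds in hits.items()}

def triage_candidates(hits, min_indicators=2):
    """Hosts with several independent indicators: pull memory first."""
    return sorted(h for h, kinds in hits.items() if len(kinds) >= min_indicators)

if __name__ == "__main__":
    found = hunt(SAMPLE_SYSLOG)
    print(found)
    print("memory triage:", triage_candidates(found))
```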