January 13, 2016

Hunting a Zero-Day: How Kaspersky Lab Discovered a Dangerous Vulnerability in a Web Technology

Hunting a Zero-Day: How Kaspersky Lab Discovered a Dangerous Vulnerability in a Web Technology

Woburn, MA – January 13, 2016 -Kaspersky Lab has discovered a zero-day vulnerability in Silverlight, a web technology used to display multimedia content. The vulnerability would allow an attacker to gain full access to a compromised computer and execute malicious code to steal secret information and perform other illegal actions. The vulnerability (CVE-2016-0034) was fixed in the latest Patch Tuesday update issued by Microsoft on January 12, 2016. The discovery was the result of an investigation that started over five months ago from an article published by Ars Technica.

In the summer of 2015 a story about the cybercriminal attack against the Hacking Team (a known “legal spyware” developer) hit the news. One of the articles about the topic, published in Ars Technica, mentioned leaked correspondence allegedly between Hacking Team representatives and Vitaliy Toropov, an independent exploit-writer. Among other things, the article mentioned the correspondence in which Toropov tried to sell a particularly interesting zero-day to Hacking Team: a four-year old and still unpatched exploit in the Microsoft Silverlight technology. This piece of information piqued the interest of Kaspersky Lab researchers.

There was no additional information about the exploit in the article, so researchers started their investigation using the name of the seller. They quickly found that a user who named himself Vitaliy Toropov was a very active contributor to Open Source Vulnerability Database (OSVDB), a place where anyone can post information about vulnerabilities. By analyzing his public profile on OSVBD.org, Kaspersky Lab researchers discovered that in 2013, Toropov had published a proof-of-concept (POC) which described a bug in the Silverlight technology. The POC covered an old vulnerability that was known and currently patched. However, it also contained additional details which gave Kaspersky Lab researchers a hint about how the author of the exploit tends to write code.

During the analysis performed by Kaspersky Lab experts some unique strings in the code really stood out. Using this information they created several detection rules for Kaspersky Lab protection technologies: once a user, who agreed to share threat data with the Kaspersky Security Network (KSN), encountered malicious software that demonstrated the behavior covered by those special detection rules, the system would flag the file as highly suspicious and a notification would be sent to the company for analysis. The assumption behind this tactic was simple: if Toropov tried to sell a zero-day exploit to Hacking Team, it was highly probable that he did the same with other spyware vendors. As a result of this activity, other cyber espionage campaigns could be actively using it in the wild to target and infect unsuspecting victims.

The assumption was correct. Several months after implementation of the special detection rules, a Kaspersky Lab customer was targeted in an attack that used a suspicious file with the characteristics we were looking for. Several hours after that, someone (possibly a victim of the attacks) from Laos uploaded a file with the same characteristics to a multiscanner service. Kaspersky Lab experts analyzed the attack to discover that it was actually exploiting an unknown bug in the Silverlight technology. The information about the bug was promptly reported to Microsoft for validation.

“Although we don’t know if the exploit we discovered is in fact the one that was mentioned in the Ars Technica article, we have strong reasons to believe it is indeed the same. Comparing the analysis of this file with the previous work of Vitaliy Toropov makes us think that the author of the recently discovered exploit, and the author of POCs published on OSVDB in the name of Toropov, is the same person. At the same time we do not completely exclude the possibility that we found yet another zero-day exploit in Silverlight. Overall, this research helped to make cyberspace a little safer by discovering a new zero-day and responsibly disclosing it. We encourage all users of Microsoft products to update their systems as soon as possible to patch this vulnerability,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.

Kaspersky Lab products detect the CVE-2016-0034 exploit with the following detection name: HEUR:Exploit.MSIL.Agent.gen.

Learn more about the discovery of the vulnerability in a blogpost published at Securelist.com    

If you’d like to learn how to write effective YARA rules and catch new APTs and zero-days, why not take our elite YARA training before SAS 2016?Hunt APTs with Yara like a GReAT Ninja(with trainers Costin Raiu, Vitaly Kamluk and Sergey Mineev).

Learn more about Kaspersky Lab advanced protection technologies and security services here: http://www.kaspersky.com/enterprise-security

About Kaspersky Lab

Kaspersky Lab is one of the world’s fastest-growing cybersecurity companies and the largest that is privately-owned. The company is ranked among the world’s top four vendors of security solutions for endpoint users (IDC, 2014). Since 1997 Kaspersky Lab has been an innovator in cybersecurity and provides effective digital security solutions and threat intelligence for large enterprises, SMBs and consumers. Kaspersky Lab is an international company, operating in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide.


Learn more at www.kaspersky.com.

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Sarah Kitsos