1-day exploits, Binary Diffing & patch management. The side threats

Pierluigi Paganini April 04, 2012

Recently the security firm ESET reported that the latest version of the Blackhole exploit kit has been updated to include a new exploit for the Java CVE-2012-0507 vulnerability. The exploit was discovered for the first time on 7.03.2012, its first detections were dated March 12, 2012, and today a public multi-platform module for the Metasploit Framework has been released for the exploitation of CVE-2012-0507.

I have opened the article with this news to introduce a really interesting topic: 1-day exploits, that is, exploits built by examining patched versions of software to identify which vulnerabilities the patch actually fixed. The concept is quite simple: by analyzing the patch management status of a system it is possible to know which vulnerabilities have not yet been patched, and by exploiting those vulnerabilities it is possible to attack the unpatched system.

Of course, compared to a 0-day vulnerability the probability of success is lower, because the target may already be correctly patched, but these attacks are really insidious and much cheaper than 0-days. Consider also that for these vulnerabilities it is quite simple to retrieve information and tools on the Internet to mount an attack.

In the most complex case we can imagine a researcher who, through reverse engineering of a released patch, develops his own kit to attack unpatched targets.

The majority of these exploits today are related to Java vulnerabilities, also because of Java's wide diffusion on multiplatform systems. Java exploits are in fact an effective way to install malicious programs on a target machine: consider the recent spam campaign that has infected a huge number of machines, or the incredible number of infected web sites that enable this kind of attack. The mechanism is simple: a legitimate web site is infected by introducing iFrames that redirect victims to the latest version of Blackhole. The malicious domain name and infected webpage are identical to the legitimate ones. Once on the infected website, the damage is done!

According to ESET, the same infection method and the same redirection methods have been used several times; a famous case is the popular news resource izvestia.ru, where modified versions of the Win32/TrojanDownloader.Carberp family were loaded onto the victim machines.

Java vulnerabilities, and 1-day exploits in general, are increasingly used by cyber criminals and state-sponsored hackers.

“This is the most effective way for exploiting end-user systems and is sometimes effective across a variety of platforms,” writes ESET. Consider that the development of a 0-day is really expensive and time-consuming, due to the intense research that must be conducted to discover and exploit the vulnerability; for this reason this kind of exploit is typically used by governments.

Cybercrime has a mass-market approach that does not necessarily need such a sophisticated attack methodology; that’s why the 1-day exploit approach is taking hold. To give an idea of a typical patching process I have designed the following chart; its duration is highly variable, depending on the structure of the organization that implements the procedures and on the duration of each stage.

It’s clear that few organizations are able to patch their systems in a short time. Consider large organizations with complex architectures: for them the impact of a patch must be analyzed in detail to avoid problems to the IT infrastructure, and in this case it is necessary to extend the duration of the test phase.

The deployment phase can also have a variable length; for example, in a company spread over multiple locations, with a high number of strongly heterogeneous systems to patch, the deployment activities will be more expensive. It is easy to understand that the time between the disclosure of a patch and its application in a production environment is the interval in which systems are vulnerable to 1-day exploits.

ESET has demonstrated how quickly the Blackhole gang can react to the 1-day opportunity.

“There’s intense interest in vulnerability research, with legitimate research seized upon by malware authors for malicious purposes,”

David Harley, a senior research fellow and co-author of this research, told Infosecurity:

“The increase in volumes of 1-day exploits suggests that even if 0-days research prices itself out of the mass market for exploits, inadequate update/patch take-up among users is leaving plenty of room for exploits of already-patched vulnerabilities (as with the current spate of Tibet attacks).”

Just a few minutes after the release of patches, using binary diffing techniques, researchers and criminals are able to identify the vulnerabilities that have been fixed. The term diff derives from the name of the command-line utility used to compare files; in the same manner, the binaries of a system before and after the patch is applied are compared.

This binary diffing technique is particularly efficient against Microsoft’s binaries, because the company releases patches regularly and inside a patch it is quite simple to identify the code that fixes the vulnerability, which is usually concentrated in a small portion of the binary code.
Today attackers have access to a huge quantity of tools to identify previously unknown vulnerabilities that have just been patched; they only need to launch the attacks during the time frame in which users or corporations are applying the patches.

During the patch application time frame, end users are more vulnerable and are targeted with 1-day attacks. The most famous frameworks for binary diffing are DarunGrim2 and PatchDiff2.
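To make the diffing step concrete, the following Python example (added here; it is not ESET's, the author's, DarunGrim's or PatchDiff's code) performs a function-level diff of two constructed disassembly listings: it first pairs functions whose mnemonic sequences are identical, wherever the patch relocated them, then fuzzy-matches the leftovers so that the inserted bounds check stands out as the only changed region. The same comparison lets a defender confirm that a deployed patch actually altered the code it was supposed to fix.

```python
import difflib
import hashlib

# Constructed sample (not a real binary): two builds of one module keyed by function
# address; the patched copy routine gains a bounds check before its copy loop.
PRE_BUILD = {
    0x1000: ["push ebp", "mov ebp, esp", "mov ecx, [ebp+8]", "lea edi, [ebp-100h]",
             "mov esi, [ebp+0Ch]", "rep movsb", "pop ebp", "ret"],
    0x1040: ["push ebp", "mov ebp, esp", "xor eax, eax", "pop ebp", "ret"],
    0x1060: ["push esi", "mov esi, ecx", "call 0x2000", "pop esi", "ret"],
}
POST_BUILD = {
    0x1000: ["push ebp", "mov ebp, esp", "xor eax, eax", "pop ebp", "ret"],
    0x1020: ["push ebp", "mov ebp, esp", "mov ecx, [ebp+8]", "cmp ecx, 100h", "ja 0x1090",
             "lea edi, [ebp-100h]", "mov esi, [ebp+0Ch]", "rep movsb", "pop ebp", "ret"],
    0x1080: ["push esi", "mov esi, ecx", "call 0x2100", "pop esi", "ret"],
}

def mnemonics(insns):
    """Drop operands: addresses and register choices move between builds."""
    return [i.split()[0] for i in insns]

def fingerprint(insns):
    """Hash of the mnemonic sequence; equal hashes mean the same code, relocated."""
    return hashlib.sha256("\n".join(mnemonics(insns)).encode()).hexdigest()

def diff_builds(pre, post, threshold=0.6):
    """Return (identical pairs, changed pairs + similarity + edit ops, unmatched post addrs)."""
    post_by_fp = {fingerprint(insns): addr for addr, insns in post.items()}
    identical, changed, leftovers, used_post = [], [], [], set()
    for addr, insns in pre.items():  # pass 1: exact match, wherever the code now lives
        b = post_by_fp.get(fingerprint(insns))
        if b is not None and b not in used_post:
            identical.append((addr, b)); used_post.add(b)
        else:
            leftovers.append(addr)
    for addr in leftovers:  # pass 2: fuzzy match; the edit ops localise the patch
        best = None
        for b in [x for x in post if x not in used_post]:
            sm = difflib.SequenceMatcher(None, mnemonics(pre[addr]), mnemonics(post[b]))
            ratio = sm.ratio()
            if ratio >= threshold and (best is None or ratio > best[1]):
                best = (b, round(ratio, 2), [op for op in sm.get_opcodes() if op[0] != "equal"])
        if best:
            used_post.add(best[0]); changed.append((addr, *best))
    return identical, changed, [b for b in post if b not in used_post]

def changed_instructions(post, changed):
    """Instructions present only in the patched build, per changed function."""
    return {b: [post[b][j1:j2] for _, _, _, j1, j2 in ops] for _, b, _, ops in changed}
```

On this sample the two unchanged functions pair up despite having moved and having a different call target, and the only reported change is the two inserted instructions `cmp ecx, 100h` / `ja 0x1090`, which is exactly the "small portion of the binary" a patch analyst looks at.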

In reality the process of reverse engineering a patch is more complicated, because each vendor uses different compilers and optimization methods. Remember the mystery related to the source code of the Duqu malware: it was even difficult to understand the programming language used, because the developers had adopted a compilation with special options.

1-day exploits are real threats that appear on every patch day. Sometimes people diff different versions of a product and find in its binaries vulnerabilities that were fixed silently. So, as the attacking technology improves, the protection techniques need to evolve accordingly: we already have several anti-diffing tools like “Hondon”, but it is also necessary that the major vendors adopt stronger solutions for the patching of their products.

In the meantime, the only guaranteed defense against 1-day attacks is to patch our systems before the criminals exploit them.

Pierluigi Paganini

http://www.blackhat.com/presentations/bh-usa-09/OH/BHUSA09-Oh-DiffingBinaries-PAPER.pdf