1-day exploits, Binary Diffing & patch management. The side threats

Pierluigi Paganini April 04, 2012

Recently the security firm ESET reported that the latest version of the Blackhole exploit kit has been updated to include a new exploit for the Java CVE-2012-0507 vulnerability. The exploit was first discovered on 7.03.2012, its first detections were dated March 12, 2012, and today a public multi-platform module for the Metasploit Framework has been released for the exploitation of CVE-2012-0507.

I have opened the article with this information to introduce a really interesting topic: 1-day exploits, that is, exploits built by examining patched versions of software to identify which vulnerabilities the patch actually fixed. The concept is quite simple: by analyzing the patch management status of a system it is possible to know which vulnerabilities have not yet been patched, and by exploiting those vulnerabilities it is possible to attack an unpatched system.

Of course, compared to a 0-day vulnerability, the probability of success is reduced when the target is correctly patched, but these attacks are really insidious and cheaper than 0-days. Consider also that for these vulnerabilities it is quite simple to retrieve information and tools on the Internet to mount an attack.

In the most complex case we can imagine a researcher who, through reverse engineering of a released patch, develops his own kit to attack unpatched targets.

The majority of these exploits today relate to Java vulnerabilities, also due to Java's wide diffusion on multi-platform systems. Java exploits are in fact an effective way to install malicious programs on target machines; consider the recent spam campaign that infected a huge number of machines, or the incredible number of infected web sites that enable this kind of attack. The mechanism is simple: a legitimate web site is compromised by injecting iFrames that redirect victims to the latest version of Blackhole. The malicious domain name and infected web page look identical to the legitimate ones. Once on the infected website the damage is done!

According to ESET, the same infection and redirection methods have been used several times; a famous case is the popular news resource izvestia.ru, where modified versions of the Win32/TrojanDownloader.Carberp family were loaded onto the victims' machines.

Java vulnerabilities, and 1-day exploits in general, are increasingly used by cybercriminals and state-sponsored hackers.

“This is the most effective way for exploiting end-user systems and is sometimes effective across a variety of platforms,” writes ESET. Consider that the development of a 0-day is really expensive and time-consuming, due to the intense research that must be conducted to discover and exploit the vulnerability; for this reason this kind of exploit is typically used by governments.

 

Cybercrime has a mass-market approach that does not necessarily need such a sophisticated attack methodology; that's why the 1-day exploit approach is taking hold. To give an idea of a typical patching process I have designed the following chart; its duration is highly variable, depending on the structure of the organization that implements the procedures and on the duration of each stage.

It is clear that few organizations are able to patch their systems in a short time. Consider a large organization with complex architectures: for them the impact of a patch must be analyzed in detail to avoid problems to the IT infrastructure, so in this case it is necessary to extend the duration of the test phase.

The deployment phase can also have a variable length; for example, in a company spread over multiple locations, with a high number of strongly heterogeneous systems to patch, the deployment activities will be more expensive. It is easy to understand that the time between the disclosure of a patch and its application in a production environment is the interval in which systems are vulnerable to 1-day attacks.

ESET has demonstrated how quickly the Blackhole gang can react to the 1-day opportunity.

“There’s intense interest in vulnerability research, with legitimate research seized upon by malware authors for malicious purposes,” David Harley, a senior research fellow and co-author of this research, told Infosecurity:

“The increase in volumes of 1-day exploits suggests that even if 0-days research prices itself out of the mass market for exploits, inadequate update/patch take-up among users is leaving plenty of room for exploits of already-patched vulnerabilities (as with the current spate of Tibet attacks).”

Just a few minutes after the release of a patch, using binary diffing techniques, researchers and criminals are able to identify the vulnerabilities that have been fixed. The term diff derives from the name of the command-line utility used to compare files; in the same manner, the binaries of a system before and after the patch is applied are compared.

Binary diffing techniques are particularly effective against Microsoft's binaries, because the company releases patches regularly and inside the patched code it is quite simple to identify the code that fixes the vulnerability, which is usually concentrated in a small portion of the binary. Today attackers have access to a huge quantity of tools to identify just-patched vulnerabilities; they only need to launch their attacks during the time frame in which users or corporations are applying the patches.

During the patch-application time frame, end users are more vulnerable and are targeted with 1-day attacks. The most famous frameworks for binary diffing are DarunGrim2 and PatchDiff2.
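As an added illustration (not code from the original article or from either tool), here is a minimal Python version of the function-level comparison that DarunGrim2 and PatchDiff2 perform at scale: it hashes each function's bytes in a pre-patch and a post-patch binary and reports which functions changed and how small the touched region is, which is what a defender uses to decide how urgent a patch is and where to look for detection logic. The function tables and byte sequences are constructed for the example; a real tool recovers functions from disassembly and normalizes addresses before comparing.

```python
import hashlib

# Constructed sample "binaries": a function table (name -> (offset, size)) plus the
# raw bytes. Real diffing tools recover functions from disassembly; here the table
# is given so the example runs offline. Byte patterns are illustrative x86-style.


def build_binary(functions):
    """Concatenate (name, body) pairs into a blob and record where each function lives."""
    table, blob = {}, b""
    for name, body in functions:
        table[name] = (len(blob), len(body))
        blob += body
    return table, blob


PRE_TABLE, PRE_BLOB = build_binary([
    ("parse_header", b"\x55\x89\xe5\x8b\x45\x08\x5d\xc3"),
    ("copy_payload", b"\x55\x89\xe5\xf3\xa4\x5d\xc3"),  # copies with no length check
    ("cleanup",      b"\x55\x89\xe5\x31\xc0\x5d\xc3"),
])
POST_TABLE, POST_BLOB = build_binary([
    ("parse_header", b"\x55\x89\xe5\x8b\x45\x08\x5d\xc3"),
    # a compare and a conditional jump inserted before the copy: the fix is a few bytes
    ("copy_payload", b"\x55\x89\xe5\x3d\x00\x10\x00\x00\x77\x03\xf3\xa4\x5d\xc3"),
    ("cleanup",      b"\x55\x89\xe5\x31\xc0\x5d\xc3"),
])


def function_hashes(table, blob):
    """Map each function name to the SHA-256 of its bytes."""
    return {name: hashlib.sha256(blob[off:off + size]).hexdigest()
            for name, (off, size) in table.items()}


def diff_binaries(pre_table, pre_blob, post_table, post_blob):
    """Report functions changed, added or removed by the patch, plus the share of
    the patched binary occupied by the changed functions."""
    pre = function_hashes(pre_table, pre_blob)
    post = function_hashes(post_table, post_blob)
    changed = sorted(n for n in pre if n in post and pre[n] != post[n])
    touched = sum(post_table[n][1] for n in changed)
    return {
        "changed": changed,
        "added": sorted(set(post) - set(pre)),
        "removed": sorted(set(pre) - set(post)),
        "touched_fraction": round(touched / len(post_blob), 2) if post_blob else 0.0,
    }


if __name__ == "__main__":
    print(diff_binaries(PRE_TABLE, PRE_BLOB, POST_TABLE, POST_BLOB))
```

On the constructed input only `copy_payload` differs, which is exactly the "small portion of the binary" the article says a patch analyst zooms in on.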

In reality the process of reverse engineering a patch is more complicated, because each vendor uses different compilers and optimization methods. Remember the mystery related to the source code of the Duqu malware: it was even difficult to understand the programming language used, because the developers had compiled it with special options.

1-day exploits are real threats that materialize every patch day. Sometimes people diff different versions of a product and find in its binaries vulnerabilities that were fixed silently. So as the attacking technology improves, the protection techniques need to evolve accordingly; we already have several anti-diffing tools like “Hondon”, but it is also necessary that major vendors adopt stronger solutions for the patching of their products.

In the meantime the only guaranteed defense against 1-day attacks is to patch our systems before criminals exploit them.

Pierluigi Paganini

http://www.blackhat.com/presentations/bh-usa-09/OH/BHUSA09-Oh-DiffingBinaries-PAPER.pdf
