Yesterday, Microsoft issued Security Advisory 2953095 to announce a vulnerability in Microsoft Word 2010 that could allow remote-code execution, “…if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”
As you may know, EnCase Analytics is designed to surface early indications of anomalous behavior on network endpoints, so it can be used to scan for signs of this exploit. One anomaly likely to be seen with this particular exploit, and one that EnCase Analytics can find, is the execution of the backdoor dropped by the main shellcode. According to Microsoft’s advisory, the backdoor is an executable named svchost.exe that is run from the temp directory. As most security and IT experts know, svchost.exe does not normally execute from the temp directory; it normally runs from the Windows system32 folder.
Because EnCase Analytics collects and aggregates endpoint data across an entire enterprise, you can use it to visualize common process filenames that are associated with multiple file paths across your organization. By doing so, you can quickly identify anomalies such as processes named svchost.exe that execute from an atypical file path. Detecting such an anomaly would identify a symptom of a threat like the one documented by Microsoft yesterday without the need for a signature. The same approach would also ensure that future threats leveraging similar techniques can be identified even before an official advisory is issued.
Have a Question or Comment?
I welcome discussion in the Comments section below.
Alfred Chung is the Product Manager for EnCase Analytics at Guidance Software.