Abstract
With modern cyber threats, attackers need to gain persistence in target systems to achieve their attack objectives. Once the zero-day vulnerabilities an attacker relies on are patched on the target system, the attacker may lose control over it. However, systems remain vulnerable when an attacker manipulates the component resources of a Windows system. We found methods to create invisible vulnerabilities on a victim's system. Our findings are as follows: first, we found ways to replace a component with an old, vulnerable version while leaving the current update records intact; second, we found that the Windows system does not recognize the replaced components. We define the first issue as a package-component mismatch and the second as a blind spot in Windows update management. Both have been identified on all versions of Windows from Vista onward, on both desktop and server platforms. Based on these findings, we describe an Update State Tampering technique that can create invisible security holes on target systems. We also offer corresponding countermeasures to detect and correct package-component mismatches. In this paper, we introduce the problems with the current Windows update management mechanism, the Update State Tampering technique from the attacker's point of view, and an Update State Check scheme that detects and recovers from package-component mismatches. We stress that our proposed Update State Check scheme should be deployed immediately in order to mitigate large-scale exploitation of the proposed technique.
Notes
1. Update State Checker Project GitHub: https://github.com/ksj1230/Update-State-Checker.
Acknowledgement
We would like to thank our shepherd Adam Doupe and our anonymous reviewers for their valuable comments and suggestions. We would also like to thank Sungryoul Lee, Seunghun Han, Junghwan Kang, Hyunyi Yi and Wook Shin for their feedback and advice.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Kim, SJ., Kim, BJ., Kim, HC., Lee, D.H. (2018). Update State Tampering: A Novel Adversary Post-compromise Technique on Cyber Threats. In: Giuffrida, C., Bardin, S., Blanc, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2018. Lecture Notes in Computer Science(), vol 10885. Springer, Cham. https://doi.org/10.1007/978-3-319-93411-2_7
DOI: https://doi.org/10.1007/978-3-319-93411-2_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93410-5
Online ISBN: 978-3-319-93411-2
eBook Packages: Computer Science, Computer Science (R0)