
Lifecycle of an Exploit

Posted: October 29th, 2018

By Jeremy Sonntag

Software updates can be inconvenient and can sometimes break things. For these reasons people frequently postpone updates or avoid them altogether. Some are not even aware that updates exist, or assume that updates only exist to add new features.

This article explains how a software flaw becomes an exploit, and from there a piece of malware, and why installing updates matters.

Bug Discovered

The bigger the software (the more code it contains), the more complex it is, and that complexity leaves plenty of room for flaws: more code means more opportunity for bugs. Remember, humans write software and nobody is perfect. Keep in mind that when I say "software", this means EVERYTHING on a computer: websites, operating systems, photo editors, drivers, firmware and so on. Hackers, good and bad alike, continuously seek out flaws and look for a way to exploit them. The good, or ethical, hackers are known as "white hats" (researchers) and the bad ones as "black hats" (criminals). What happens next depends on who discovers the bug, develops the proof of concept, and exploits it first.

What is a "ZERO-DAY"?

A software bug that is unknown to the vendor, and therefore unpatched, which has been developed into a working exploit is referred to in the industry as a "zero-day": the vendor has had zero days to fix it. These 0-days are VERY valuable to both white and black hats. I'll explain why shortly, but be mindful that these bugs are sought after like diamonds because of their value.

Both hats work meticulously, and often without sleep, to discover the next 0-day. This all happens in the dark so that nobody else is aware. Although finding one is exciting for the hacker, revealing it early would mean a pay cut. Yes, both hats get paid for their efforts, so they keep quiet until the paycheck has arrived.

The Criminal

When a black hat finds a bug and develops the exploit first, they, like any business, begin planning how to use it to maximize profit. A criminal may stockpile exploits to chain together in a big money-making scheme, or use one on its own. An attack is carefully planned and obfuscated so that the payoff is worth the effort and the risk of exposure is small. Many times with 0-days the hack is done and the criminal has cleaned up their tracks before anyone notices a problem.

Once the attack is discovered, and while its victims recover, the developers of the affected software learn of the exploit and build a patch to close the security hole that was so rudely revealed. The vulnerability is public knowledge now. If the update is for client-facing software such as Adobe Reader or Windows, each user has to install it to close that hole. Too often, users do not take updates seriously and do not update their software, leaving room for more criminals to enter the scene. These newcomers can now use the exploit against every system that has not applied the update. Sometimes you might see the same malware floating around the internet years or even decades later, because it is still effective against computers that are not updated.

The Criminal Industry

So why do these bad guys work so hard to break and exploit your software? The short answer is "MONEY". The long answer is that there are many ways an attacker can make money from a compromised system; in fact, it has become a billion-dollar industry. There are lone hacker types, but there are also large organizations with CFOs, project managers and even HR people to hire talent: an underground criminal business, so to speak. I will not go into detail here, but some of the most common ways these bad guys make money are ransomware; cryptojacking (mining coins on your system); selling your personal data such as passwords, SSNs and credit card numbers for identity theft; blackmail; extortion; and more. Compromised systems are also used to launch further attacks, so that the attacks are decentralized and harder to trace, with each compromised system reporting back to a "command and control" server. There are even cybercrime service companies offering malware packages, and support for when the malware does not work properly. They are limited only by their imagination.

The Researcher

The white hat / researcher goes through a different process to make money from a discovered bug. After their research and proof of concept are complete, they responsibly contact the developer of the software with a write-up of how the exploit is accomplished. Many software companies have "bug bounty" programs where a researcher can submit a bug and, once it is verified, receive a substantial reward. Google paid out almost $3M in bug bounties in 2017, as reported in this TechCrunch article: https://goo.gl/YtMBL9. Following that, the developer builds and releases a patch, and again, if it is client-side software, users are supposed to install the update. It is the gap between the time the patch is released and the time the user installs it that becomes interesting. Black hats reverse engineer the patch (comparing the patched code with the unpatched version) to see what was fixed, then begin their campaign against all of the systems that have not yet applied it.


While software updates may be inconvenient, installing them can make the difference between a good day and a really bad day. It is good practice to use a system that checks for and installs updates automatically, while informing you of any updates that have failed to install, so that a machine does not sit silently unpatched.
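As an added example of that last point (this is not code from the original post), the script below reads an apt package-manager history log of the kind Debian and Ubuntu keep in /var/log/apt/history.log, reports update transactions that ended with an error, and lists the packages whose failed update was never retried successfully in a later transaction. The log text embedded in it is constructed for illustration and assumes the history.log layout of blank-line-separated transactions with Start-Date, Commandline, Upgrade/Install, optional Error and End-Date lines; the package names and versions in it are made up.

```python
"""Flag failed package updates in an apt history log (added example).

Assumes the Debian/Ubuntu /var/log/apt/history.log layout: transactions are
separated by a blank line and carry Start-Date, Commandline, Upgrade:/Install:
(package:arch (old, new) pairs), an Error: line when dpkg failed partway, and
End-Date. SAMPLE_LOG is a constructed stand-in for the real file.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_LOG = """\
Start-Date: 2018-10-22  03:15:02
Commandline: /usr/bin/unattended-upgrade
Upgrade: curl:amd64 (7.58.0-2ubuntu3.3, 7.58.0-2ubuntu3.4), libcurl4:amd64 (7.58.0-2ubuntu3.3, 7.58.0-2ubuntu3.4)
End-Date: 2018-10-22  03:15:20

Start-Date: 2018-10-29  03:15:01
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (1.1.0g-2ubuntu4.1, 1.1.0g-2ubuntu4.3), libssl1.1:amd64 (1.1.0g-2ubuntu4.1, 1.1.0g-2ubuntu4.3)
Error: Sub-process /usr/bin/dpkg returned an error code (1)
End-Date: 2018-10-29  03:15:40

Start-Date: 2018-10-29  09:40:11
Commandline: apt-get install -y vim
Install: vim:amd64 (2:8.0.1453-1ubuntu1.1)
End-Date: 2018-10-29  09:40:30

Start-Date: 2018-10-30  03:15:01
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (1.1.0g-2ubuntu4.1, 1.1.0g-2ubuntu4.3)
End-Date: 2018-10-30  03:15:25
"""

# name:arch (versions) -- the versions group is "old, new" for upgrades, "new" for installs
PKG_RE = re.compile(r"([^\s,]+):([^\s,]+) \(([^)]*)\)")


@dataclass
class Transaction:
    start: str = ""
    end: str = ""
    commandline: str = ""
    # package name -> (old_version, new_version); old is "" for a fresh install
    changes: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    error: Optional[str] = None

    @property
    def failed(self) -> bool:
        # apt records an Error: line when the transaction did not complete cleanly
        return self.error is not None


def _parse_changes(value: str) -> Dict[str, Tuple[str, str]]:
    changes: Dict[str, Tuple[str, str]] = {}
    for name, _arch, versions in PKG_RE.findall(value):
        parts = [v.strip() for v in versions.split(",")]
        old, new = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
        changes[name] = (old, new)
    return changes


def parse_history(text: str) -> List[Transaction]:
    """Split the log into transactions and pull out the fields we care about."""
    txs: List[Transaction] = []
    for block in text.strip().split("\n\n"):
        tx = Transaction()
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "Start-Date":
                tx.start = value.strip()
            elif key == "End-Date":
                tx.end = value.strip()
            elif key == "Commandline":
                tx.commandline = value.strip()
            elif key in ("Upgrade", "Install"):
                tx.changes.update(_parse_changes(value))
            elif key == "Error":
                tx.error = value.strip()
        txs.append(tx)
    return txs


def failed_transactions(txs: List[Transaction]) -> List[Transaction]:
    return [tx for tx in txs if tx.failed]


def outstanding_packages(txs: List[Transaction]) -> Set[str]:
    """Packages whose update failed and was not completed by a later transaction.

    history.log is chronological, so a successful transaction that touches a
    package clears any earlier failure for it.
    """
    outstanding: Set[str] = set()
    for tx in txs:
        if tx.failed:
            outstanding.update(tx.changes)
        else:
            outstanding.difference_update(tx.changes)
    return outstanding


if __name__ == "__main__":
    history = parse_history(SAMPLE_LOG)
    for tx in failed_transactions(history):
        print(f"FAILED {tx.start}: {tx.commandline} -> {tx.error}")
    print("still unpatched:", sorted(outstanding_packages(history)))
```

Run against the real file (replace SAMPLE_LOG with the contents of /var/log/apt/history.log) from a daily cron job or monitoring check, and alert when outstanding_packages() is non-empty: the interesting case is exactly the one in the sample, where the openssl update was retried and succeeded the next night but libssl1.1 never was, so the machine remains in the gap the article describes.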