Focus on IDS
Single Stage Attacks? May 17 2009 06:39AM
snort user (snort user gmail com) (3 replies)
Re: Single Stage Attacks? May 20 2009 04:47PM
Stuart Staniford (sstaniford FireEye com)
Most attacks at the moment are server -> client, rather than client ->
server (the wide deployment of firewalls, packet filtering rules,
network segmentation has rendered the latter unprofitable). The
typical sequence is the victim stumbles onto a malicious webpage
(often an ad) and then is taken via a chain of iframes or similar to
an exploit server which delivers the exploit (currently the vast bulk
of attacks on the wire are via malicious PDF and secondarily SWF -
Adobe is it apparently). The exploit shellcode then goes and fetches
a dropper executable, which may in turn fetch more. Then there is
generally some kind of callback protocol for command and control of
the bot according to whatever the business model of the campaign is.

In targeted attacks, this scenario may be preceded by tempting emails
etc, to get a particular victim to go to a designated attack point
(rather than just culling random victims from the herd).

I have seen recent attacks as simple as a single bad PDF or SWF with
no precursor at all other than the normal operation of the ad delivery
ecosystem, and then the download of a single exe and no immediate

I have not seen a recent example in the wild in which the payload was
integrated into the exploit shellcode (there's obviously no real
barrier to doing this other than administrative convenience for the

Stuart Staniford
Chief Scientist, FireEye

On May 16, 2009, at 11:39 PM, snort user wrote:

> Greetings All,
> Typically, network based attacks have multiple stages.
> (reconnaissance, infection, download rootkit, call home, further
> infection etc)
> Some attacks may have a single stage (without reconnaissance) to
> compromise a host.
> However, even those attacks have a post-compromise stage, such as
> call home
> or transfer/steal data or something else.
> Otherwise, what's the motivation for compromising in the first place?
> Can someone enlighten me if there are attacks that only have a
> single stage?
> Examples or scenarios is much appreciated.
> Thanks
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

[ reply ]
Re: Single Stage Attacks? May 19 2009 08:22PM
dreamwvr (dreamwvr dreamwvr com)
Re: Single Stage Attacks? May 19 2009 04:33PM
Jamie Riden (jamie riden gmail com)


Privacy Statement
Copyright 2010, SecurityFocus