
Taking apart a double zero-day sample discovered in joint hunt with ESET - Chris911
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/
======
tmd83
Just looking at the list of steps that need to happen for these modern
exploits is mind blowing for a layman. Can any expert comment on how easy/hard
it is to find such exploits? How much of it is skill and how much luck? How
does one come up with them? Is it primarily based off knowledge (which is
essential of course) or do some people have an intuitive knack for it?

~~~
mcpherrinm
There are two parts here: an exploit for Adobe Reader, and a local privilege
escalation for Windows.

The Adobe one is a standard memory safety bug. This is the kind of thing you
can find with fuzzers pretty easily, or by examining file formats for
potential overflows. The exploitation techniques here are using ROP chains to
get execution to shellcode from a JavaScript heap-sprayed shellcode. Both are
widely used techniques, and there are tools to assist exploit writers in
finding and using ROP gadgets.

I don't know Windows as well, so I can't speak to the second exploit.

------
parliament32
VirusTotal has been well known for a while now as a honeypot for catching new
strains of malware and zero-days. Chances are it was uploaded by an unknowing
"customer" of a malware author.

~~~
juliusmusseau
I don't understand how VirusTotal was able to catch this. I suspect the
malware author uploaded it because they wanted to ensure it appeared clean to
all malware detectors - VirusTotal is a great way to test that!

It seems VirusTotal is a tool for running 70 anti-virus products at once
against the same file. How can VirusTotal catch freshly developed malware?
How would VirusTotal even suspect that an uploaded file was fresh malware?
That doesn't make sense to me.

~~~
agnsaft
VT is more than just the antivirus engines. If you subscribe (expensive!) you
can actively hunt for malware using Yara rules and a powerful search engine.
If you know some patterns in malware you are tracking, you can add Yara rules
that will run each time a file is uploaded and will notify you of any matches.

Let's assume you know a threat actor always uses the same variable names during
heap sprays. You can then discover new malware from this threat actor with a Yara
rule that looks for this pattern.
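
One way to express the kind of hunt described above, as an added YARA rule that is not part of the original thread or of the ESET/Microsoft write-up: it keys on a PDF that embeds JavaScript, a heap-spray idiom, and a set of habitual variable names. The variable names and spray patterns below are constructed placeholders, not indicators from the real sample.

```yara
rule Hunt_PDF_JS_HeapSpray_VarNames_Constructed
{
    meta:
        description = "Hunting rule: PDF with embedded JavaScript whose heap spray reuses a known set of variable names"
        note        = "Added example with constructed placeholder names; not derived from the analysed sample"

    strings:
        // PDF dictionary keys that indicate embedded JavaScript
        $js1 = "/JavaScript" ascii
        $js2 = "/JS" ascii

        // Heap-spray idioms: unescape() building a %u-encoded block, and a grow-until-size loop
        $spray1 = /unescape\(\s*["']%u[0-9a-fA-F]{4}/ ascii
        $spray2 = /while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-fA-F]+\s*\)/ ascii

        // Constructed placeholders standing in for an actor's habitual variable names
        $var1 = "sprayBlk" ascii fullword
        $var2 = "nopSled"  ascii fullword
        $var3 = "hbCount"  ascii fullword

    condition:
        uint32(0) == 0x46445025   // "%PDF" magic, read little-endian
        and 1 of ($js*)
        and 1 of ($spray*)
        and 2 of ($var*)
}
```

These strings only match when the JavaScript stream is stored uncompressed; a sample whose streams use /FlateDecode would need the rule to run over decoded content rather than the raw upload.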

~~~
badrabbit
Not just using Yara rules, but any file in VT you can find by hash, name, etc.
And you get extra metadata like where it was uploaded from.

