Update state tampering: A novel adversary post-compromise technique on cyber threats

Sung Jin Kim, Byung Joon Kim, Hyoung Chun Kim, Dong Hoon Lee

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    With modern cyber threats, attackers should gain persistency in target systems to achieve attack objectives. Once an attacker’s zero-day vulnerabilities on target systems are patched, the attacker may lose control over the system. However, systems remain vulnerable when an attacker manipulates the component resources on a Windows system. We found methods to generate invisible vulnerabilities on a victim’s system. Our findings are as follows: first, we found ways to replace a component to an old vulnerable version while maintaining the current update records; second, we found that the Windows system does not recognize the replaced components. We define the first issue as a package-component mismatch and the second issue as a blind spot issue on the Windows update management. They have been identified on all version of Vista and later, including desktop platforms and server platforms. Based on our findings, we reveal an Update State Tampering technique that can generate invisible security holes on target systems. We also offer corresponding countermeasures to detect and correct package-component mismatches. In this paper, we introduce the problems with the current Windows update management mechanism, the Update State Tampering technique from the attacker’s point of view, and an Update State Check scheme that detects and recovers the package-component mismatches. We stress that our proposed Update State Check scheme should be deployed immediately in order to mitigate large-scale exploitation of the proposed technique.

    Original languageEnglish
    Title of host publicationDetection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings
    PublisherSpringer Verlag
    Pages141-161
    Number of pages21
    ISBN (Print)9783319934105
    DOIs
    Publication statusPublished - 2018 Jan 1
    Event15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018 - Saclay, France
    Duration: 2018 Jun 282018 Jun 29

    Publication series

    NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume10885 LNCS
    ISSN (Print)0302-9743
    ISSN (Electronic)1611-3349

    Other

    Other15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018
    Country/TerritoryFrance
    CitySaclay
    Period18/6/2818/6/29

    Keywords

    • Cyber threat
    • Post-compromise
    • Windows update

    ASJC Scopus subject areas

    • Theoretical Computer Science
    • Computer Science(all)

    Fingerprint

    Dive into the research topics of 'Update state tampering: A novel adversary post-compromise technique on cyber threats'. Together they form a unique fingerprint.

    Cite this