Transcript
Page 1: Introducing Malware Script Detector

Introducing The Malware Script Detector (MSD)

By d0ubl3_h3lix

http://yehg.net

Tue Feb 19 2008

Page 2

Agenda

• Counter Strategy

• Overview

• XSS Coverage

• Versioning Info

• Standalone MSD

• Detection Screenshots

• Why MSD?

• Weaknesses

Page 3

Counter Strategy

• Using the power of JavaScript, Malware Script Detector detects JavaScript malware that itself relies on the power of JavaScript

Page 4

Overview

• Runs on Gecko browsers (Firefox, Flock, Netscape, etc.)

• GreaseMonkey addon needed

• Acts as a browser IDS

• Intended for Web Client Security

• Recommended for every web surfer

• Please don’t underestimate MSD by looking at its very simple source code

Page 5

Overview (Cont.)

• Coded mainly to detect today’s popular and powerful malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF

• Version 2 was enhanced to prevent most XSS threats and includes XSS attack blacklists based on the Firefox XSS-Warning addon

Page 6

XSS Coverage

MSD was coded to detect the following XSS exploitation areas:

• data: protocol exploitation, such as:

- data:image/gif
- data:text/javascript
- data:text/html

• jar: protocol exploitation

• file: protocol exploitation by locally saved malicious web pages

Page 7

XSS Coverage (Cont.)

• Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, telnet:, res:, x-gadget (MS Vista), call (VoIP), aim:, etc.

• Unicode injection

• UTF-7, null-byte (\00) and backslash injection (u\r\l), comment star-slash injection (/* */), escape injection like \u00, \x00, etc.

Page 8

XSS Coverage (Cont.)

• MSD was thoroughly tested with:

- RSnake’s XSS CheatSheet
- XSS-ME addon attack list
- Dabbledb.com’s Xssdb list
- CAL9000 XSS list

Page 9

Versioning Info

GreaseMonkey Version

• Main objective: alert users to XSS attacks

• Must be installed by users

• Requires Gecko browser + GreaseMonkey addon

• Version 1 – Detect malware scripts

• Version 2 – Detect malware scripts + prevailing XSS

Page 10

Versioning Info

Standalone Version

• Main objective: alert users and the webmaster to XSS attacks

• Must be deployed by web developers

• Browser-independent

• No checking whether users have the GreaseMonkey version

• Version 1 – Detect malware scripts + prevailing XSS

Page 11

Standalone MSD

• The standalone version was created as a single .js file for web developers

• To embed in their footer files

• To notify both visitors and webmasters of XSS injection attempts and attacks

• Browser-independent, unlike the GreaseMonkey script version

• Intended for web application security as a portable, lightweight solution

Page 13

Detection Screenshots

Page 14

Why MSD?

• XSS payloads like:

http://victim/?q="><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx etc.

Page 15

Why MSD? (Cont.)

• Never get DETECTED by web server-level firewalls/IDS/IPS

• Because the code is executed entirely in the client’s browser
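As an added example (not MSD's own source, which this deck does not reproduce), the scanner below shows the idea behind the XSS Coverage slides and the "Why MSD?" point together: a client-side blacklist of the protocol handlers and encoding tricks the deck lists, applied to both the query string and the fragment, with the report recording whether any match sat in the fragment, which the browser never sends to the server. Every rule name, sample URL and the report shape is constructed here; the rules are illustrative and are not MSD's actual blacklist.

```javascript
// Added example, not MSD's own code. Runs under Node on constructed sample
// URLs, or in a browser against location.href (e.g. wrapped as a user script).

// Protocol handlers the deck lists as XSS exploitation vectors.
const RISKY_PROTOCOLS = [
  "data", "jar", "file", "vbscript", "livescript", "mocha",
  "ftp", "telnet", "res", "x-gadget", "call", "aim",
];

// Blacklist rules (constructed), each tested against percent-decoded text.
const RULES = [
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "event-handler", re: /\bon[a-z]+\s*=/i },              // onerror=, onload= ...
  { name: "risky-protocol",
    re: new RegExp("(^|[^a-z])(" + RISKY_PROTOCOLS.join("|") + ")\\s*:", "i") },
  { name: "utf7-shift", re: /\+ADw-/ },                           // UTF-7 encoding of "<"
  { name: "null-byte", re: /\\00|%00|\u0000/ },                   // literal \00, %00 or NUL
  { name: "js-escape", re: /\\u00[0-9a-f]{2}|\\x[0-9a-f]{2}/i },  // \u00xx or \xNN escapes
  { name: "backslash-split", re: /[a-z]\\[a-z]\\[a-z]/i },        // u\r\l style splitting
  { name: "comment-split", re: /\/\*[\s\S]*?\*\// },              // /* */ inside a token
];

// Undo up to maxDepth layers of percent-encoding; stop on malformed input
// (decodeURIComponent throws) or once decoding no longer changes anything.
function decodeLayers(text, maxDepth = 3) {
  let current = text;
  for (let i = 0; i < maxDepth; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Scan one URL. Returns [{ where: "query" | "fragment", rule }] in rule order.
// "query" covers everything before "#" (what the server receives);
// "fragment" is everything after it, which the browser keeps to itself.
function scanUrl(url) {
  const hashIdx = url.indexOf("#");
  const serverSide = hashIdx === -1 ? url : url.slice(0, hashIdx);
  const fragment = hashIdx === -1 ? "" : url.slice(hashIdx + 1);
  const findings = [];
  for (const [where, text] of [["query", serverSide], ["fragment", fragment]]) {
    const decoded = decodeLayers(text);
    for (const rule of RULES) {
      if (rule.re.test(decoded)) findings.push({ where, rule: rule.name });
    }
  }
  return findings;
}

// Report in the spirit of the standalone version: something a footer-embedded
// script could show to the visitor and POST to a hypothetical webmaster endpoint.
// serverSideVisible is false when every match lives in the fragment, i.e. a
// server-level firewall/IDS could never have seen it.
function buildReport(url) {
  const findings = scanUrl(url);
  return {
    alert: findings.length > 0,
    serverSideVisible: findings.some((f) => f.where === "query"),
    rules: findings.map((f) => `${f.where}:${f.rule}`),
  };
}

// Constructed sample URLs (hostnames and payloads invented for this example).
const SAMPLES = [
  // 0: benign search
  "http://example.test/search?q=shoes",
  // 1: the deck's pattern: stub in the query, the real payload padded out in the fragment
  "http://example.test/?q=%22%3E%3Cscript%3Eeval(location.hash.substr(1))%3C/script%3E#xxxxxxxxxxxx",
  // 2: payload only in the fragment, via a data: URL
  'http://example.test/page#<object data="data:text/html,constructed"></object>',
  // 3: UTF-7 encoded angle brackets
  "http://example.test/?name=%2BADw-script%2BAD4-",
  // 4: double percent-encoding
  "http://example.test/?q=%253Cscript%253E",
  // 5: null byte followed by a vbscript: handler
  "http://example.test/?q=%00vbscript:msgbox",
];

if (typeof location !== "undefined") {
  // Browser: check the current page, as a GreaseMonkey-style script would.
  const report = buildReport(location.href);
  if (report.alert) console.warn("MSD-style alert:", report.rules.join(", "));
} else {
  // Node: exercise the constructed samples.
  for (const u of SAMPLES) console.log(u, "=>", JSON.stringify(buildReport(u).rules));
}
```

Run with `node`. Sample 1 is flagged in the query part, but sample 2 is flagged only in the fragment and its report has `serverSideVisible: false`: nothing after `#` is ever sent, so a server-level filter has nothing to inspect. The decoder stops at three layers and on malformed percent-sequences, which is the kind of limit that later needs tuning as the deck's Weaknesses slide warns.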

Page 16

Why MSD? (Cont.)

• Malicious sites intentionally embed malicious JavaScript attack frameworks

• Bad guys 0wn web server boxes, and secretly install those attack frameworks as web backdoors or trojans to abuse users

Page 17

Why MSD? (Cont.)

• There is no way to detect such malware scripts unless we check the HTML source code

• Disabling JavaScript, using NoScript/VMware, or always checking source code are not effective solutions in most cases

• Given the above scenarios, MSD becomes a nice solution for us

Page 18

Oh, But …

Page 19

Weaknesses

• Doesn’t check POST/COOKIE variables

• No guarantee for full protection of XSS

• Many ways to bypass MSD

• XSS filtering needs to be updated regularly, and extensive filtering may cause false alerts and much annoyance to users

Page 20

Where can I get it?

Check under the Tools section: http://yehg.net/lab/#tools.greasemonkey

If you wish to contribute, there is a smoketest page.

Insert your own XSS payload to defeat MSD.

Notify me whenever new attack frameworks are created.

Page 21

Special Thanks

Goes to

Mario, http://php-ids.org

Secgeek, http://www.secgeeks.com

Andres Riancho, http://w3af.sf.net

For encouragements and suggestions

Page 22

Reference

• XSS Attacks & Defenses by PDP, RSnake, Jeremiah, Anton Rager, Seth Fogie. Syngress Publishing. ISBN-13: 987-1-59749-154-9

Page 23

Thank you!
