nullcon 2010 - signature based malware detection poc for websites
DESCRIPTION
nullcon 2010 - Signature based Malware Detection PoC by Anant Kochhar
TRANSCRIPT
![Page 1: nullcon 2010 - Signature based Malware Detection PoC for Websites](https://reader034.vdocuments.us/reader034/viewer/2022051609/546c3b35b4af9f8e2c8b5094/html5/thumbnails/1.jpg)
Proof-Of-Concept: Signature Based Malware
Detection for Websites and Domain Administrators
- Anant Kochhar
Malware /ˈmæl.weə(ɹ)/
Software developed for the purpose of causing harm to a computer system and its users.
Back Door, Key Logger, Botnet Zombie
Know them, “Trust” them
Drive-By Downloads AKA IFRAME and Script Injections
First Wave: Mass SQL Injection
First noticed in late 2007.
Tool based.
Identified vulnerable pages across the internet using search engines.
Sprayed them with SQL injection payloads:
• Inserted script injections indiscriminately in all database columns
• Infected data was reflected in dynamic pages
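As an added example (not part of the talk or its PoC), here is the check a site owner would want after this wave: walk every text-typed column of every table and look for injected `<script>`/`<iframe>` tags, since the payload wrote into all string columns rather than one known field. The wave hit Microsoft SQL Server back ends; an in-memory SQLite database with constructed tables and rows stands in for it here, and the table, column and host names are assumptions.

```python
"""Added example: find script/iframe tags injected into stored data.

Uses an in-memory SQLite database with constructed rows as a stand-in for the
production database; table/column names and hosts are assumptions.
"""
import re
import sqlite3

# An injected tag in stored data; case-insensitive, tolerant of attributes.
INJECTION_RE = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)


def text_columns(conn):
    """Return (table, column) pairs for every text-typed column in the database."""
    cols = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        quoted = table.replace('"', '""')
        for row in conn.execute(f'PRAGMA table_info("{quoted}")'):
            # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
            col_type = (row[2] or "").upper()
            if "CHAR" in col_type or "TEXT" in col_type or "CLOB" in col_type:
                cols.append((table, row[1]))
    return cols


def find_injected_rows(conn):
    """Scan every text column; return one hit per (table, column, row) that carries a tag."""
    hits = []
    for table, column in text_columns(conn):
        t = table.replace('"', '""')
        c = column.replace('"', '""')
        query = f'SELECT rowid, "{c}" FROM "{t}" WHERE "{c}" IS NOT NULL'
        for rowid, value in conn.execute(query):
            match = INJECTION_RE.search(str(value))
            if match:
                hits.append({
                    "table": table,
                    "column": column,
                    "rowid": rowid,
                    "tag": match.group(1).lower(),
                    "sample": str(value)[:80],
                })
    return hits


def build_sample_db():
    """Constructed data: two tables, three values polluted the way the wave did."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), blurb TEXT, price REAL);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author VARCHAR(50), body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget', 9.99);
        INSERT INTO products VALUES (2,
            'Gadget<script src="http://bad.example/x.js"></script>',
            'A fine gadget<script src="http://bad.example/x.js"></script>', 19.99);
        INSERT INTO comments VALUES (1, 'alice', 'Great product');
        INSERT INTO comments VALUES (2, 'bob',
            'see <IFRAME src=http://bad.example/i.htm width=0 height=0></IFRAME>');
    """)
    return conn


if __name__ == "__main__":
    for hit in find_injected_rows(build_sample_db()):
        print(f"{hit['table']}.{hit['column']} rowid={hit['rowid']} <{hit['tag']}>: {hit['sample']}")
```

The scan keys on the tag, not on a known bad host, because the injected URL changed between runs of the tool while the tag did not; on a real server, run it read-only and against a restored backup as well, so the first clean snapshot can be identified.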
Payload
Source: http://www.f-secure.com/weblog/archives/00001427.html
Affected Page With Rubbish Data
Source: http://www.scmagazineus.com/mass-sql-injection-attack-compromises-70000-websites/article/100497/
Source: http://www.scmagazineus.com/sql-attack-hits-125000-sites/article/159445/
Bulk of the spread: Self Propagation
Inserts IFrame/script injections into all web pages on the victim's machine.
• If the victim is a website admin, all of his websites will be updated with infected pages.
Or steals FTP passwords from the victim's computer and updates the pages directly on the web server.
[Diagram: subdomains Movies, College, Fashion and Sports under .abc.xyz]
PC-Based Security for Malware
Source: http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf
[Diagram: subdomains Movies, College, Fashion and Sports under .abc.xyz]
Prevention…
“Process”.
Use Linux-based dedicated machines for website administration.
But even the best process cannot be 100% effective because…
Indirect Risks: The Legitimate Can Also Become Dangerous
If the “clean” site A links to an infected site, all internal and external users of site A are also at risk now.
Accept the risk… the Alternative: Fast Detection and Quick Remedy
1. Contain the spread of infection.
2. Protect reputation of the website.
Detection Part 1:
Detect ALL External Sites Linking from your websites
2 Methods
Internal Scans: scanners that reside on the web server and scan all web pages for external links.
External Scans: crawlers, not residing on the web server, that scan all pages from the internet.
Internal Scans
Pros: Will be exhaustive and will scan pages behind authentication.
Cons: Will affect web server performance and can even crash the server.
External Scans
Pros: Can be run as often as needed.
Has virtually no effect on the web server.
Cons: Will depend on network conditions.
Breadth and depth of the scan may not be exhaustive.
The Scanner Must:
Detect and list all external sites in a website.
Ideally NOT visit any external websites
• Because it may put the scanning system at risk.
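An external-scan crawler meeting both requirements, as an added example that is not the talk's PoC: it walks one domain breadth-first, extracts every attribute through which a page can pull in or redirect to another host (anchors, iframes, scripts, images, link/embed/object tags, form actions and meta refresh), and records the external hosts with the page and tag that referenced them, but only ever requests pages whose host is the domain or one of its subdomains. The site is a constructed in-memory dictionary served by `fetch_page`; `abc.xyz`, `efg.xyz` and the other hosts are assumptions, and a real deployment would replace `fetch_page` with an HTTP GET that carries a timeout and a size cap.

```python
"""Added example: list external hosts referenced by a domain without visiting them.

Site content is a constructed in-memory dictionary; hosts are assumptions.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes through which a page can load from or send a visitor to another host.
REFERENCE_ATTRS = {
    "a": ("href",), "iframe": ("src",), "frame": ("src",), "script": ("src",),
    "img": ("src",), "link": ("href",), "embed": ("src",), "object": ("data",),
    "form": ("action",),
}


class LinkExtractor(HTMLParser):
    """Collect (tag, absolute_url) for every outbound reference in one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        for name in REFERENCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                self.refs.append((tag, urljoin(self.base_url, value.strip())))
        # <meta http-equiv="refresh" content="0;url=http://..."> is a redirect too
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                target = content[content.lower().index("url=") + 4:].strip().strip("'\"")
                self.refs.append(("meta-refresh", urljoin(self.base_url, target)))


def is_internal(host, domain):
    """True if host is the monitored domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def crawl_external_hosts(start_url, domain, fetch_page, max_pages=1000):
    """Breadth-first crawl of `domain`; returns {external_host: {(page, tag), ...}}.

    fetch_page is only ever called for internal URLs; external URLs are recorded,
    never requested, so a malicious external host is never contacted by the scanner.
    """
    seen = {start_url}
    queue = deque([start_url])
    external = {}
    while queue and len(seen) <= max_pages:
        url = queue.popleft()
        html = fetch_page(url)
        if html is None:
            continue
        parser = LinkExtractor(url)
        parser.feed(html)
        for tag, ref in parser.refs:
            parts = urlsplit(ref)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                continue  # mailto:, javascript:, data: and friends carry no host
            if is_internal(parts.hostname, domain):
                page = parts._replace(fragment="").geturl()  # #anchors are the same page
                if tag in ("a", "iframe", "frame", "meta-refresh") and page not in seen:
                    seen.add(page)
                    queue.append(page)
            else:
                external.setdefault(parts.hostname, set()).add((url, tag))
    return external


# Constructed site: a hidden iframe and a meta refresh both point at efg.xyz.
SAMPLE_SITE = {
    "http://abc.xyz/": """<html><body>
        <a href="/movies/">Movies</a> <a href="http://fashion.abc.xyz/">Fashion</a>
        <script src="https://cdn.example.net/lib.js"></script>
        <a href="mailto:admin@abc.xyz">mail</a></body></html>""",
    "http://abc.xyz/movies/": """<html><body>
        <a href="/">home</a> <a href="/movies/#top">top</a> <img src="/images/poster.png">
        <iframe src="http://efg.xyz/ad.php" width="0" height="0"></iframe></body></html>""",
    "http://fashion.abc.xyz/": """<html><head>
        <meta http-equiv="refresh" content="0;url=http://efg.xyz/go"></head>
        <body><a href="http://partner.example.com/deal">deal</a></body></html>""",
}


def fetch_page(url):
    """Constructed fetcher standing in for an HTTP GET of an internal page."""
    return SAMPLE_SITE.get(url)


if __name__ == "__main__":
    for host, where in sorted(crawl_external_hosts("http://abc.xyz/", "abc.xyz", fetch_page).items()):
        print(host, sorted(where))
```

Keeping the page and tag for each host is what makes the later remediation step possible: a match on `efg.xyz` points straight at the page and the iframe that has to be removed.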
Detection Part 2:
Detecting malware spreading sites in the list of external sites.
Behavior Analysis Detection Model
Visit the external site
Download suspected malware
Analyze it
And determine if it is malware or not.
[Diagram: Dynamic Scan; fashion.abc.xyz links to efg.xyz, which by iframe redirection leads either to malware or to a legitimate page]
Behavior Analysis
Expensive: requires a dedicated setup.
Slow: takes time to analyze all code downloaded from external websites.
Newer malware is designed to fool it (delayed activation, etc.).
Will not detect infected ‘site B’.
Signature Based Detection Model
Downloads signatures of malware infected sites.
Compares the list of external sites to the signatures.
• Multi-Sourced Signatures
• List of external sites
• Positive Matches
Signature Based
Cheap: can be done on any machine.
Several “freely” available sources of signatures.
Fast: comparison takes a fraction of the time.
Safe: malware is not downloaded onto the machine.
Will detect infected ‘site B’.
Final Model
External scanner/crawler that continuously scans the entire domain for external sites.
At least 2 sources of signatures, updated as frequently as possible.
Ideally…
Crawl time > Signature update time.
On every signature update, the list of external sites from the (n-1)th crawl should be used for a full comparison.
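The comparison side of the final model, as an added example rather than the talk's own PoC: signatures from several sources are normalised to bare hosts (the free lists mix hosts, URLs and comment lines), an external host is a positive match if it or any parent domain appears in the combined set, and a monitor keeps the last completed crawl separate from the one still running, so that a signature update always re-checks a full list of external sites while the slower crawl is still in progress. The source lists and hosts are constructed; `A` and `B` stand in for two real signature feeds.

```python
"""Added example: multi-source signature matching over the last completed crawl.

Signature lists and hosts are constructed; A and B stand in for real feeds.
"""
from urllib.parse import urlsplit


def normalize_host(entry):
    """Reduce one raw list line (host, URL or comment) to a lower-case host, or None."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    else:
        entry = entry.split("/", 1)[0]
    return entry.lower().rstrip(".") or None


def load_signatures(sources):
    """sources: {source_name: iterable of raw lines} -> {host: {source names}}."""
    sigs = {}
    for name, lines in sources.items():
        for line in lines:
            host = normalize_host(line)
            if host:
                sigs.setdefault(host, set()).add(name)
    return sigs


def match_host(host, sigs):
    """Return the signature entry equal to host or to one of its parent domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in sigs:
            return candidate
    return None


def compare(external_hosts, sigs):
    """{external_host: (matched_entry, [sources])} for every positive match."""
    hits = {}
    for host in external_hosts:
        entry = match_host(host, sigs)
        if entry:
            hits[host] = (entry, sorted(sigs[entry]))
    return hits


class Monitor:
    """Crawl n-1 is the list that gets compared; crawl n is never compared while running."""

    def __init__(self, sources):
        self.sources = {name: list(lines) for name, lines in sources.items()}
        self.sigs = load_signatures(self.sources)
        self.last_complete_crawl = set()
        self.in_progress = None

    def start_crawl(self):
        self.in_progress = set()

    def record_external(self, host):
        self.in_progress.add(host.lower().rstrip("."))

    def finish_crawl(self):
        """Promote the running crawl to 'last complete' and compare it immediately."""
        self.last_complete_crawl, self.in_progress = self.in_progress, None
        return compare(self.last_complete_crawl, self.sigs)

    def update_source(self, name, lines):
        """A signature feed published an update: rebuild and re-check the last full crawl."""
        self.sources[name] = list(lines)
        self.sigs = load_signatures(self.sources)
        return compare(self.last_complete_crawl, self.sigs)


# Constructed feeds: one lists a URL, the other a host plus a path.
SAMPLE_SOURCES = {
    "A": ["# constructed list A", "bad-ads.example", "http://efg.xyz/go"],
    "B": ["efg.xyz", "malware.example.org/path"],
}


def demo():
    monitor = Monitor(SAMPLE_SOURCES)
    monitor.start_crawl()
    for host in ("cdn.example.net", "efg.xyz", "ads.bad-ads.example", "partner.example.com"):
        monitor.record_external(host)
    first = monitor.finish_crawl()          # efg.xyz (A and B), ads.bad-ads.example (A)
    monitor.start_crawl()                   # crawl 2 starts and is still running...
    monitor.record_external("only-in-crawl-2.example")
    second = monitor.update_source("B", ["efg.xyz", "cdn.example.net"])  # ...when B updates
    return first, second


if __name__ == "__main__":
    for hits in demo():
        print(hits)
```

Parent-domain matching is deliberate: a feed entry of `bad-ads.example` should catch `ads.bad-ads.example`, but the loop stops before the TLD so that an entry like `xyz` could never flag every `.xyz` host. Agreement between two sources is the signal to act on first; a single-source hit still warrants a look at the referencing page.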
On A Positive Match
Immediately remove the malware site link from the infected page.
Run AV and malware detection scans on the affected server.
Or quarantine suspected computers…
Change FTP passwords.
• Multi-Sourced Signatures
• List of external sites
• Positive Matches
• Continuous Crawl
• Compare