Introducing The Malware Script Detector (MSD) By d0ubl3_h3lix http://yehg.net Tue Feb 19 2008
The version 2 is similar to the XSS Warning addon. It looks in the URL string for XSS payloads, detecting and stopping XSS attacks from evil bad guys against you, in addition to detecting malicious JavaScript embedded in malicious sites. This script has been tested thoroughly for false positives. False positives may occur at sites which use crypto strings like order.php?token={a:xC2;id:ac3f52233;[]} and SquirrelMail sites which use URL strings like compose.php?to=John<joh@abc.net>. We can't fix it for the sake of security. If you know this one, you can feel assured this is safe to accept and go on.
Templates created by Aung Khant <aungkhant@flashband.net>
Agenda
- Counter Strategy
- Overview
- XSS Coverage
- Versioning Info
- Standalone MSD
- Detection Screenshots
- Why MSD?
- Weaknesses

Counter Strategy
- Using the power of JavaScript, Malware Script Detector detects JavaScript malware that itself uses the power of JavaScript.

Overview
- Runs on Gecko browsers (Firefox, Flock, Netscape, etc.)
- Requires the GreaseMonkey addon
- Acts as a browser IDS
- Intended for web client security
- Recommended for every web surfer
- Please don't underestimate MSD by looking at its very simple source code

Overview (Cont.)
- Coded mainly to detect today's popular, powerful malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF
- Version 2 was enhanced to prevent most XSS threats and includes XSS attack blacklists based on the Firefox XSS-Warning addon

XSS Coverage
- MSD was coded to detect the following XSS exploitation areas:
- data: protocol exploitation, such as
    - data:image/gif
    - data:text/javascript
    - data:text/html
- jar: protocol exploitation
- file: protocol exploitation by locally saved malicious web pages

XSS Coverage
- Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, telnet:, res:, x-gadget (MS Vista), call (VOIP), aim:, etc.
- Unicode injection
- UTF-7, null-byte (\0), backslash injection (u l), comment star-slash injection (/* */), escape injection like \u00, \x00, etc.

XSS Coverage
- MSD was thoroughly tested with:
    - RSnake's XSS CheatSheet
    - XSS-ME addon attack list
    - Dabbledb.com's Xssdb list
    - CAL9000 XSS list

Versioning Info
- GreaseMonkey version
- Main objective: alert users to XSS attacks
- Must be installed by users
- Requires a Gecko browser + the GreaseMonkey addon
- Version 1: detects malware scripts
- Version 2: detects malware scripts + prevailing XSS

Versioning Info
- Standalone version
- Main objective: alert users and the webmaster to XSS attacks
- Must be deployed by web developers
- Browser-independent
- No check for whether users have the GreaseMonkey version
- Version 1: detects malware scripts + prevailing XSS

Standalone MSD
- The standalone version was created as a single .js file for web developers
- To embed in their footer files
- To notify both visitors and webmasters of XSS injection attempts and attacks
- Browser-independent, unlike the GreaseMonkey script version
- Intended for web application security as a portable, lightweight solution

Detection Screenshots

Why MSD?
- XSS payloads like
- http://victim/?q="><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…etc

Why MSD? (Cont.)
- Never get DETECTED by a web-server-level firewall/IDS/IPS
- Because the code is executed entirely in the client's browser
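The slides describe what MSD looks for (the "XSS Coverage" slides), why only the client can see it (the "Why MSD?" slides: a payload after `#` never reaches the server, so a server-side IDS is blind to it) and how the standalone version notifies visitors and the webmaster. The following JavaScript is an added example written for this page, not MSD's own code, which the deck does not reproduce. It implements a small URL inspector in that spirit: one regex per payload class listed on the slides, applied to the query string and the fragment separately after peeling off up to two layers of percent-encoding. The rule names, the regexes, the `/msd-report` path and every sample URL are this example's own assumptions; the SquirrelMail-style `compose.php?to=John<joh@abc.net>` case from the slide description is included to show exactly where the loose tag heuristic produces the false positive the author warns about.

```javascript
// Added example (not MSD's code): a client-side URL inspector modelled on the
// payload classes the "XSS Coverage" slides list. Pure functions take a URL
// string so the logic runs in Node as well as in a Gecko/GreaseMonkey context;
// only scanCurrentPage() touches the browser.

// One rule per payload class. Names and patterns are this example's own
// choices derived from the slide bullets; they are not MSD's blacklist.
const RULES = [
  // data:, jar:, file:, vbscript:, livescript:, mocha:, ftp:, telnet:, res:,
  // aim: (the schemes the slides enumerate) plus javascript:, which they imply.
  { name: 'uri-scheme',
    re: /(?:^|[^a-z0-9.+-])(?:javascript|data|jar|file|vbscript|livescript|mocha|ftp|telnet|res|aim)\s*:/i },
  // Anything that looks like the start of an HTML tag. Deliberately loose:
  // this is the heuristic that also fires on "to=John<joh@abc.net>".
  { name: 'html-tag', re: /<\s*\/?[a-z!?]/i },
  // JS string escapes \u00.. / \x00.. used to smuggle characters past filters.
  { name: 'js-escape', re: /\\[ux][0-9a-f]{2}/i },
  // Null byte, either decoded or still percent-encoded because decoding failed.
  { name: 'null-byte', re: /\x00|%00/ },
  // UTF-7 encodings of '<' (+ADw-) and '>' (+AD4-).
  { name: 'utf7', re: /\+ADw-|\+AD4-/i },
  // Comment star-slash injection used to stitch split fragments together.
  { name: 'comment-injection', re: /\/\*[\s\S]*?\*\// },
  // Fullwidth angle brackets (U+FF1C / U+FF1E) that lax decoders fold to < >.
  { name: 'unicode-brackets', re: /[\uFF1C\uFF1E]/ },
  // The eval() sink from the "Why MSD?" payload, eval(location.hash...).
  { name: 'eval-sink', re: /\beval\s*\(/i },
];

// Percent-decode up to maxLayers times (double encoding is a classic filter
// bypass); stop when decoding fails or no longer changes the string.
function decodeLayers(s, maxLayers = 2) {
  let out = s;
  for (let i = 0; i < maxLayers; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Run every rule over the query string and the fragment separately. The
// fragment is reported on its own because, as the slides note, it is never
// sent to the server: only client-side inspection can see it at all.
function inspectUrl(urlString) {
  const url = new URL(urlString, 'http://placeholder.invalid/');
  const parts = { query: url.search, fragment: url.hash };
  const findings = [];
  for (const [where, raw] of Object.entries(parts)) {
    const text = decodeLayers(raw);
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ where, rule: rule.name });
    }
  }
  return { flagged: findings.length > 0, findings };
}

// Browser glue (hypothetical, not MSD's UI): inspect the current location and,
// if flagged, show a banner to the visitor and report to the site's own
// endpoint, the webmaster-notification role the "Standalone MSD" slide describes.
function scanCurrentPage(win, reportPath = '/msd-report') {
  const result = inspectUrl(win.location.href);
  if (result.flagged) {
    const banner = win.document.createElement('div');
    // textContent, never innerHTML: the banner must not become a sink itself.
    banner.textContent = 'MSD: suspicious payload in URL (' +
      result.findings.map(f => f.where + ':' + f.rule).join(', ') + ')';
    win.document.body.prepend(banner);
    if (win.navigator && win.navigator.sendBeacon) {
      win.navigator.sendBeacon(reportPath, JSON.stringify(result.findings));
    }
  }
  return result;
}

// Only runs when loaded in a browser (e.g. from a footer script or userscript).
if (typeof window !== 'undefined') scanCurrentPage(window);
```

Running `inspectUrl()` on the slide's own `?q="><script>eval(location.hash.substr(1))</script>#...` URL flags the query through both the `html-tag` and `eval-sink` rules while the placeholder fragment stays clean, which is the point the slide makes: the sink in the query is detectable, but whatever sits after `#` is invisible to anything upstream of the browser. The same `html-tag` rule is what trips on `compose.php?to=John<joh@abc.net>`, so the description's "we can't fix it for the sake of security" caveat is a direct consequence of keeping that rule loose rather than requiring a known tag name.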
Why MSD? (Cont.)
- Malicious sites intentionally embed malicious JavaScript attack frameworks
- Bad guys 0wn web server boxes and secretly install those attack frameworks as web backdoors or trojans to abuse users

Why MSD? (Cont.)
- No way to detect such malware scripts unless we check the HTML source code
- Disabling JavaScript, using NoScript/VMware, or always checking source code are not effective solutions in most cases
- Given the above scenarios, MSD becomes a nice solution for us

Oh, but …

Weaknesses
- Doesn't check POST/COOKIE variables
- No guarantee of full protection against XSS
- Many ways to bypass MSD
- XSS filtering needs to be updated regularly, and extensive filtering may cause false alerts and much annoyance to users

Where Can I Get It?
- Check under the Tools section: http://yehg.net/lab/#tools.greasemonkey
- If you wish to contribute, there is a smoketest page: insert your own XSS payload to defeat MSD.
- Notify me whenever new attack frameworks are created

Special Thanks
- Goes to
- Mario, http://php-ids.org
- Secgeek, http://www.secgeeks.com
- Andres Riancho, http://w3af.sf.net
- For encouragement and suggestions

Reference
- XSS Attacks & Defenses by PDP, RSnake, Jeremiah, Anton Rager, Seth Fogie; Syngress Publishing, ISBN-13: 978-1-59749-154-9

Thank you!