Wreck-utation             Dan Hubbard           Stephan Chenette         Websense Security Labs             CanSec 2008
Reputation: is the opinion (more technically, a     social evaluation) of the public toward a person, a group of people, o...
Reputation: is the opinion (more technically, a          social evaluation) of the public toward a      person, a group of...
Best thing since sliced bread?
Best thing since sliced bread? “Reputation systems are the future          defense against    malicious code and SPAM”
Best thing since sliced bread? “Reputation systems are the future          defense against    malicious code and SPAM”    ...
Best thing since               sliced bread?                 “Reputation systems are the future                          d...
Good *or* Bad
Good *or* BadMozilla.org
Good *or* BadMozilla.org   Russian Business Network
Good *and* Bad
Good *and* BadMSNBC Sports
Good *and* BadMSNBC Sports   MSNBC Sports Stats
Good *gone* Bad
Good *gone* BadSuper Bowl Site
Good *gone* BadSuper Bowl Site   0wned from China
Using Reputation for Security Decisions
Using Reputation for Security Decisions          Web Reputation          Email Reputation         Domain Reputation       ...
GEO          AGE                HISTORYLEXICAL                REPUTATION      NEIGHBORS    COUSIN                   TYPOS ...
Web ReputationTHE BLOG TAIL                 THE LONG TAIL  TOP    CURRENT   REGIONAL      PERSONAL  100     EVENTS       &...
Web ReputationTHE BLOG TAIL                 THE LONG TAIL  TOP    CURRENT   REGIONAL      PERSONAL  100     EVENTS       &...
Web Wreck-utationTHE BLOG TAIL                 THE LONG TAIL  TOP    CURRENT   REGIONAL      PERSONAL  100     EVENTS     ...
Web Wreck-utationTHE BLOG TAIL                   THE LONG TAIL  TOP    CURRENT   REGIONAL        PERSONAL  100     EVENTS ...
Web Wreck-utationTHE BLOG TAIL                      THE LONG TAIL  TOP    CURRENT      REGIONAL        PERSONAL  100     E...
Web Wreck-utationTHE BLOG TAIL                         THE LONG TAIL  TOP       CURRENT      REGIONAL        PERSONAL  100...
mysql>
mysql> SELECT COUNT  FROM vurldb           WHERE hostname RLIKE     (.+.)?(googlepages|geocities|yahoo|     facebook|myspa...
The BLOG TAIL / WEB TWO      DOT UH OH
The BLOG TAIL / WEB TWO                 DOT UH OHBlogger: Allows embedded URL’s to malicious code
The BLOG TAIL / WEB TWO                 DOT UH OHBlogger: Allows embedded URL’s to malicious codeCalendar + DOCS: allow em...
The BLOG TAIL / WEB TWO                 DOT UH OHBlogger: Allows embedded URL’s to malicious codeCalendar + DOCS: allow em...
The BLOG TAIL / WEB TWO                 DOT UH OHBlogger: Allows embedded URL’s to malicious codeCalendar + DOCS: allow em...
Using Reputation for Security Decisions
What’s the Problem ?The webs most visited sites are increasingly being used              to host malicious code  Spammers,...
eBay input validation eBay is unquestionably one of the most   popular websites (high reputation)eBay does some input but ...
Seller ReputationWe blogged in the past of sellers makingtheir reputation go from 0 to “Power Seller”
Seller ReputationWe blogged in the past of sellers makingtheir reputation go from 0 to “Power Seller”
“make me a        power seller”• How did this user accomplish this?
Congrats, your have been 0wned
Adding malicious listings to eBay…
eBay Sploit
eBay Sploit
90 minutes later.....
Easy as Pie?
Easy as Pie?
Everything has a price!Buying good Reputation
Expired Domaindreamcast.com
IFRAME:  Content Injection> 20,000 sites infected today (all had good                reputation)   ZDNet.com, news.com, hi...
IFRAME:Content Injection
IFRAME: Content InjectionAttacks are using a bot to automaticallysearch inside Blogdigger search engine.In turn Blogdigger...
IFRAME:Content InjectionIFRAME is able to escape the parent tag
IFRAME:  Content Injection Unsuspecting user who trust the site isredirected automatically to this PUS site
Email Wreck-utation
Email Wreck-utation    Has been around for a lot longer than              Web Reputation       Several sender technologies...
Email Wreck-utation
Email Wreck-utation     Start your own company and add         SPF, SenderID, etc records,              and move around
Email Wreck-utation     Start your own company and add         SPF, SenderID, etc records,              and move around   ...
Email Wreck-utation               Start your own company and add                   SPF, SenderID, etc records,            ...
Email Wreck-utation               Start your own company and add                   SPF, SenderID, etc records,            ...
Email Wreck-utation  “Legit Sender”
Email: “Legit” SPF
Email: “Legit” SPF"Theres never been a better time to get a new car"       mail.yakdrive.com [67.218.177.112]       mail.j...
Email: “Legit” SPF
Email: “Legit” SPF
MS Live Sending SPAM
MS Live Captchas
Gmail Captchas
Cruel Irony: Google           Redirectshttp://www.google.com/pagead/iclk?sa=3Dl&ai=3DoOfDzh&num=   =3D07504&adurl=3Dhttp:/...
Moving Targets
Moving Targets: SPLOG
Moving Targets: SPLOG
Moving Targets: SPLOG
Domain Reputation
Domain Reputation            Mostly used for email    Some people are re-factoring for Web      Domain tasting best exampl...
Domain Wreck-utation
Domain Wreck-utation       Web 80 - 20 rule works against this    Compromised sites are not accounted for    Domain steali...
Application reputation  Packer heuristics are commonly used tocategorize a malicious binary, because 90% of      all malic...
Storm Ecard     Application reputationSections look normal
Storm EcardApplication reputationEntry point matches MinGW GCC
Storm Ecard       Application reputation• Eventually a call to the packed code…
Storm Ecard    Application reputation  How did it do this? There are multipleprograms to scramble the true identity….i.e. ...
Conclusion
ConclusionReputation systems for security are effective in long tail of                        Internet
ConclusionReputation systems for security are effective in long tail of                        InternetReputation can be u...
ConclusionReputation systems for security are effective in long tail of                        InternetReputation can be u...
Conclusion
Conclusion
Conclusion
THANKS !dhubbard | schenette <at>websense.com
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008
Upcoming SlideShare
Loading in...5
×

Web Wreck-utation - CanSecWest 2008

1,672

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,672
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Web Wreck-utation - CanSecWest 2008

  1. 1. Wreck-utation Dan Hubbard Stephan Chenette Websense Security Labs CanSec 2008
  2. 2. Reputation: is the opinion (more technically, a social evaluation) of the public toward a person, a group of people, or an organization.It is an important factor in many fields, such as business, online communities or social status.
  3. 3. Reputation: is the opinion (more technically, a social evaluation) of the public toward a person, a group of people, or an organization. It is an important factor in many fields, such as business, online communities or social status. Online Reputation is a factor in any online communitywhere trust is important. Examples include eBay, an auction service which uses a system of customer feedback to publicly rate each members reputation.
  4. 4. Best thing since sliced bread?
  5. 5. Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM”
  6. 6. Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM” “You are only as good as your reputation”
  7. 7. Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM” “You are only as good as your reputation”“Reputation is the next stage in the antivirus evolution”
  8. 8. Good *or* Bad
  9. 9. Good *or* BadMozilla.org
  10. 10. Good *or* BadMozilla.org Russian Business Network
  11. 11. Good *and* Bad
  12. 12. Good *and* BadMSNBC Sports
  13. 13. Good *and* BadMSNBC Sports MSNBC Sports Stats
  14. 14. Good *gone* Bad
  15. 15. Good *gone* BadSuper Bowl Site
  16. 16. Good *gone* BadSuper Bowl Site 0wned from China
  17. 17. Using Reputation for Security Decisions
  18. 18. Using Reputation for Security Decisions Web Reputation Email Reputation Domain Reputation Bonus: Binary Reputation
  19. 19. GEO AGE HISTORYLEXICAL REPUTATION NEIGHBORS COUSIN TYPOS TRAFFIC
  20. 20. Web ReputationTHE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE
  21. 21. Web ReputationTHE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE PHISH, FRAUD, SPAM
  22. 22. Web Wreck-utationTHE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE PHISH, FRAUD, SPAM
  23. 23. Web Wreck-utationTHE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE HOSTING + REGIONAL + PHISH, COLLATERAL FRAUD, DAMAGE SPAM
  24. 24. Web Wreck-utationTHE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE BIG NAME HOSTING + COMPROMISES REGIONAL + PHISH, & SEO COLLATERAL FRAUD, DAMAGE SPAM
  25. 25. Web Wreck-utationTHE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE BIG NAME HOSTING + EXPLOIT PHISH, COMPROMISES REGIONAL + 2.0 & SEO COLLATERAL FRAUD, DAMAGE SPAM
  26. 26. mysql>
  27. 27. mysql> SELECT COUNT  FROM vurldb WHERE hostname RLIKE (.+.)?(googlepages|geocities|yahoo| facebook|myspace|google|live).com AND category IN (Malicious Web Sites, Spyware, Keylogger) AND add_date BETWEEN 2008-02-01 AND 2008-02-29; mysql> 3032
  28. 28. The BLOG TAIL / WEB TWO DOT UH OH
  29. 29. The BLOG TAIL / WEB TWO DOT UH OHBlogger: Allows embedded URL’s to malicious code
  30. 30. The BLOG TAIL / WEB TWO DOT UH OHBlogger: Allows embedded URL’s to malicious codeCalendar + DOCS: allow embedded malicious code
  31. 31. The BLOG TAIL / WEB TWO DOT UH OHBlogger: Allows embedded URL’s to malicious codeCalendar + DOCS: allow embedded malicious codeGooglePages: allows upload of malicious code
  32. 32. The BLOG TAIL / WEB TWO DOT UH OHBlogger: Allows embedded URL’s to malicious codeCalendar + DOCS: allow embedded malicious codeGooglePages: allows upload of malicious codePicasso Albums: allow embedded URL’s tomalicious code
  33. 33. Using Reputation for Security Decisions
  34. 34. What’s the Problem ?The webs most visited sites are increasingly being used to host malicious code Spammers, and malcode groups have wised up to industry use of reputation and are exploiting it > 50% of malicious websites are compromised 70% of top 100 sites rely on user uploaded content Most top sites have poor, if any, input validation
  35. 35. eBay input validation eBay is unquestionably one of the most popular websites (high reputation)eBay does some input but not in real-time
  36. 36. Seller ReputationWe blogged in the past of sellers makingtheir reputation go from 0 to “Power Seller”
  37. 37. Seller ReputationWe blogged in the past of sellers makingtheir reputation go from 0 to “Power Seller”
  38. 38. “make me a power seller”• How did this user accomplish this?
  39. 39. Congrats, your have been 0wned
  40. 40. Adding malicious listings to eBay…
  41. 41. eBay Sploit
  42. 42. eBay Sploit
  43. 43. 90 minutes later.....
  44. 44. Easy as Pie?
  45. 45. Easy as Pie?
  46. 46. Everything has a price!Buying good Reputation
  47. 47. Expired Domaindreamcast.com
  48. 48. IFRAME: Content Injection> 20,000 sites infected today (all had good reputation) ZDNet.com, news.com, history.com, usatoday.com, etc. The list goes onThis attack used search engine optimizationcaching within high reputable sites to cache malicious content
  49. 49. IFRAME:Content Injection
  50. 50. IFRAME: Content InjectionAttacks are using a bot to automaticallysearch inside Blogdigger search engine.In turn Blogdigger is caching the results.
  51. 51. IFRAME:Content InjectionIFRAME is able to escape the parent tag
  52. 52. IFRAME: Content Injection Unsuspecting user who trust the site isredirected automatically to this PUS site
  53. 53. Email Wreck-utation
  54. 54. Email Wreck-utation Has been around for a lot longer than Web Reputation Several sender technologies: (SPF, DKIM,SenderID) Reputation systems have helped move the problem
  55. 55. Email Wreck-utation
  56. 56. Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around
  57. 57. Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around Hijack a “good” open relay
  58. 58. Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around Hijack a “good” open relayUse a webmail provider like Yahoo!, Gmail, Microsoft
  59. 59. Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around Hijack a “good” open relayUse a webmail provider like Yahoo!, Gmail, Microsoft Spread wealth to BLOGS (Splogs)
  60. 60. Email Wreck-utation “Legit Sender”
  61. 61. Email: “Legit” SPF
  62. 62. Email: “Legit” SPF"Theres never been a better time to get a new car" mail.yakdrive.com [67.218.177.112] mail.jadeblond.com [67.218.177.54] mail.routevery.com [67.218.177.53] mail.filterwind.com [67.218.185.50] mail.routevery.com [67.218.177.53] mail.bendton.com [67.218.177.73] mail.wellcometo.com [67.218.185.76] mail.domesell.com [67.218.185.96] mail.smashoot.com [67.218.185.94] mail.arrivespark.com [67.218.185.117] mail.spearmine.com [67.218.185.74] mail.cleanfluff.com [67.218.171.33] mail.thirdground.com [67.218.171.20]
  63. 63. Email: “Legit” SPF
  64. 64. Email: “Legit” SPF
  65. 65. MS Live Sending SPAM
  66. 66. MS Live Captchas
  67. 67. Gmail Captchas
  68. 68. Cruel Irony: Google Redirectshttp://www.google.com/pagead/iclk?sa=3Dl&ai=3DoOfDzh&num= =3D07504&adurl=3Dhttp://visamedicalopinion.com/run.exe
  69. 69. Moving Targets
  70. 70. Moving Targets: SPLOG
  71. 71. Moving Targets: SPLOG
  72. 72. Moving Targets: SPLOG
  73. 73. Domain Reputation
  74. 74. Domain Reputation Mostly used for email Some people are re-factoring for Web Domain tasting best example (age) Cousin / Likeliness of other domains used We have something called LexiRep also
  75. 75. Domain Wreck-utation
  76. 76. Domain Wreck-utation Web 80 - 20 rule works against this Compromised sites are not accounted for Domain stealing, acquiring, breaks age and history algorithms DNS spoofing, hacks ,etc Do not account for URL’s, hostnames
  77. 77. Application reputation Packer heuristics are commonly used tocategorize a malicious binary, because 90% of all malicious binaries are packed. Malicious authors have increasingly started to try to fool application detection engines into thinking the binary in question is not a packed binary.
  78. 78. Storm Ecard Application reputationSections look normal
  79. 79. Storm EcardApplication reputationEntry point matches MinGW GCC
  80. 80. Storm Ecard Application reputation• Eventually a call to the packed code…
  81. 81. Storm Ecard Application reputation How did it do this? There are multipleprograms to scramble the true identity….i.e. DotFix Fake Signer, pseudo signer, etc
  82. 82. Conclusion
  83. 83. ConclusionReputation systems for security are effective in long tail of Internet
  84. 84. ConclusionReputation systems for security are effective in long tail of InternetReputation can be used with other parts of the equation to make better decisions
  85. 85. ConclusionReputation systems for security are effective in long tail of InternetReputation can be used with other parts of the equation to make better decisionsWeb reputation is less affective than email reputation based on the new dynamics of the web, the large numbers of compromised web-sites, and web two dot uh-oh
  86. 86. Conclusion
  87. 87. Conclusion
  88. 88. Conclusion
  89. 89. THANKS !dhubbard | schenette <at>websense.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×