Application Security Day (Uygulama Güvenliği Günü) - Malicious Web Sites



  1. OWASP Turkey - Application Security Day (Uygulama Güvenliği Günü)
     Introduction to Malicious Web Sites (Kötücül Web Sitelerine Bir İlk Bakış: A First Look at Malicious Web Sites)
     Ali Ikinci – Siber Güvenlik Derneği, ali@ikinci.info, 9 June 2012, Turkey
  2. About Me
     ● Working on malicious web sites since 2006
     ● Developed a client honeypot called Monkey-Spider in 2007 [9]
     ● Member of the Siber Güvenlik Derneği [10]
     ● Chapter Lead of the Turkish Chapter of the Honeynet Project [11]
     ● Chief Security Analyst at ContentKeeper Technologies [12]
     9 June 2012, Uygulama Güvenliği Günü, Ali Ikinci
  3. Agenda
     ● Introduction
     ● Attack Vectors
     ● Code Obfuscation
     ● Sample Attack
     ● Payload
     ● Detecting Malicious Web Sites
     ● Mitigation Techniques
  4. Malicious Web Sites ...
     ● Are web sites which could be a threat to the security of the client computers requesting them
     ● Even a visit without any further interaction could be a threat (so-called drive-by downloads)
     ● Such web sites can ...
       – host all sorts of malware and malicious code
       – exploit browser vulnerabilities
       – exploit vulnerabilities of other client software
       – install backdoors, spyware or keyloggers
       – steal confidential information
  5. Current Situation
     ● Attacks on client systems have become very popular in recent years
     ● Web browsers are the most widespread kind of client software
     ● Browsers and browser plugins are the most wanted targets in vulnerability research
     ● Firewalls and IDS systems are widely deployed, so the client has become the shortest path into a network
     ● Botnets are on the rise and a valuable tool of the trade
  6. Attack Vectors
     ● Anything a client computer requests from a server and in one way or another executes or interprets on the client could become an attack vector
     ● Web browser
     ● Web browser plugins – Flash, PDF, media plugins, ActiveX, JRE ...
     ● Media players/viewers
     ● PDF readers
     ● Java VMs ...
  7. Attack Vectors: Code/Markup
     ● JavaScript
     ● Flash, embedded ActionScript
     ● PDF, embedded JavaScript
     ● HTML
     ● ActiveX
     ● Java
     ● VBS ...
  8. Attack Vectors: Example Programs/Libraries
     ● (X)HTML parsers like libxml, libxslt
     ● JavaScript interpreters like V8, SpiderMonkey
     ● PDF reader exploits, e.g. against Acrobat Reader, Foxit Reader
     ● Java Runtime Environment exploits, e.g. against Oracle JRE, IBM JRE ...
  9. Starting Points for a Malicious Web Site Attack
     ● Specifically set up "Trojan" web sites that look benign but host exploits, e.g. fake online AV sites
     ● Compromised benign web sites/servers
     ● Malvertisements on benign web sites
     ● Spam emails pointing to/loading malicious web sites
     ● Malicious PDF files sent via email spam
     ● Spam in social networks/forums etc.
     ● Social engineering on social networks, e.g. fake campaigns, fake news ...
  10. Starting Point Example: Twitter Spam [8]
     ● Compromised Twitter accounts abused for propagation of malicious web sites (April 2012)
  11. Starting Point Example: Malvertisements
     ● Advertisements that conceal malicious content
     ● Distributed through benign ad networks
     ● Often utilized in situations where the attacker cannot obtain access to high-value, high-traffic web sites, relying on social engineering techniques to trick major ad networks into serving the malicious content [4]
     ● More than 3 million malvertising impressions are served per day [4]
     ● After three months of web browsing, the probability that an average Internet user will hit an infected page is approximately 95% [4]
  12. Attack Hiding Technique: Code Obfuscation
     ● Code obfuscation aims to hinder the malware analyst from revealing the attack by making the code unreadable to the human eye
     ● A simple JavaScript example [1] of hiding code behind hexadecimal escape sequences:
       var d=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');
       Converted to ASCII this reads:
       var d=document['createElement']('input');
  13. Code Obfuscation Starting Point Example: Spam [1]
     A markup-generating obfuscated JavaScript sample from a real-world spam mail trying to lure the user to a malicious web site. It results in a redirect to the malicious web site hosting the exploit.
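One way to read such hex-escaped strings without running them, as an added example that is not part of the slides: a small static decoder in JavaScript (the names decodeEscapes, escapeRatio, analyze and WATCHLIST are my own) applied to the createElement sample from the slide above.

```javascript
// Added example, not from the slides: statically decode the \xHH / \uHHHH
// escapes used in the obfuscated sample so an analyst can read the call
// without executing the script in a browser.

// Constructed input: the slide's one-liner, with the backslashes restored.
const SAMPLE =
  "var d=document['\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74']" +
  "('\\x69\\x6e\\x70\\x75\\x74');";

// Replace every \xHH and \uHHHH escape with the character it encodes.
// This is a pure text transformation; nothing is evaluated.
function decodeEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, hex2, hex4) => String.fromCharCode(parseInt(hex2 || hex4, 16)));
}

// Fraction of the source text spent on escape sequences. Hand-written
// scripts sit near 0; a high ratio is a cheap triage signal for obfuscation.
function escapeRatio(src) {
  const escapes = src.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g) || [];
  const hidden = escapes.reduce((n, e) => n + e.length, 0);
  return src.length === 0 ? 0 : hidden / src.length;
}

// Names that commonly surface once escapes are decoded in drive-by landing
// pages; a hit is a reason for closer analysis, not a verdict.
const WATCHLIST = ['createElement', 'eval', 'unescape', 'document.write', 'fromCharCode'];

// Decode the snippet and report which watch-listed names were only visible
// after decoding, i.e. were deliberately hidden from plain-text inspection.
function analyze(src) {
  const decoded = decodeEscapes(src);
  return {
    decoded,
    ratio: escapeRatio(src),
    hidden: WATCHLIST.filter((name) => decoded.includes(name) && !src.includes(name)),
  };
}

console.log(analyze(SAMPLE));
```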
  14. Browser Attack Example: Heap Spray Attack [3]
     ● does not actually exploit any security issue, but it can be used to make a security issue easier to exploit
     ● by itself cannot be used to break any security boundary: a separate exploit is needed
     ● can be used to introduce a large amount of order into memory to compensate for the difficulty of predicting the memory layout, increasing the chances of successful exploitation
     ● takes advantage of the fact that the start location of large heap allocations is often predictable and consecutive allocations are roughly sequential
  15. Example: Heap Spray Attack [2]
  16. Example: Heap Spray Attack [2]
  17. Example: Heap Spray Attack [2]
  18. Example: Heap Spray Attack [2]
     ● An attack can consist of multiple exploits if one is not enough to gain the needed system properties before executing the final shellcode and continuing the malicious deed
     ● After the predictable location has been reached, the exploit is triggered to set EIP (the instruction pointer) into the sprayed area, hopefully triggering the shellcode, or the next exploit in the chain before the shellcode
     ● The shellcode is then used to continue the attack, often by downloading and installing backdoors and keyloggers, and often adds the machine to the attacker's botnet as a bot/zombie
  19. Shellcode
     ● is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode [5] [6]
  20. Sample Real World Attack [7] on cdi.org from May 2012
  21. Tool Categories to Detect Malicious Web Sites
     ● High-interaction honeyclients: real client computers requesting malicious web sites to learn the behavior/tools/techniques of the attacker
     ● Low-interaction honeyclients: emulated web browsers requesting and pseudo-executing sites to gain information about attacks
     ● Deobfuscation tools for static or dynamic analysis: GUI tools to ease the work of malware analysts by supporting deobfuscation with various techniques in a safe execution environment
  22. Online Tools and Reputation Services to Detect Malicious Web Sites
     ● Wepawet http://wepawet.iseclab.org/
     ● Anubis http://anubis.iseclab.org/
     ● Google Safe Browsing diagnostic page http://www.google.com/safebrowsing/diagnostic?site=google.com
     ● McAfee SiteAdvisor http://www.siteadvisor.com/
     ● Norton Safe Web http://safeweb.norton.com/
     ● Web of Trust http://www.mywot.com/
  23. General Defense: Blacklists and IDS Signatures
     ● Many free and commercial services offer ready-to-use lists/signatures, either to avoid visiting malicious web sites by blacklisting them, or to avoid triggering exploits by detecting their signatures or IP addresses in IDS rules. Applying these in firewalls and gateways adds significant protection against malicious web sites.
     ● Two important free examples are:
       – Blacklisting malicious web sites: http://www.malwaredomains.com/
       – Providing various IDS signatures: http://www.emergingthreats.com
  24. Server Side Defense
     ● Updates: immediate updates to server software are the base protection against any kind of exploitation attack
     ● Remote service hardening: any unnecessary remote service should be disabled, or its configuration hardened to be secure against exploits or brute-force attacks
     ● Application-level firewalls
     ● Secure passwords
     ● Web site admins should check their site regularly for any unauthorized modifications
  25. ISP/Network Level Defense
     ● Various proprietary vendors provide inline scanning of network traffic and can block such attacks from triggering, or malware from being transferred to victim systems
     ● Secure web gateways often have various means of detecting malicious attacks, and can also keep the local network safe or raise alarms if an infection might have gone unnoticed
  26. Client Side Defense
     ● Updates: always having the latest patch level of client software avoids being exploited by non-zero-day exploits. Software management systems like NAC, or Secunia PSI [13] for personal use, help administer and guarantee this
     ● HIDS and personal firewalls can also utilize blacklists and sites like ET (Emerging Threats) to raise the security boundary
     ● Many AV engines in combination with so-called "Internet Security Suites" provide a certain level of heuristics-based exploit detection and can, in certain scenarios, even prevent zero-day exploits from being triggered
     ● AV engines can also stop the execution of the malicious payload after an exploit has been triggered unnoticed, and so stop the malware before it does any harm to the client system
  27. References
     [1] Kahu Security – http://www.kahusecurity.com/
     [2] Peter Van Eeckhoutte – https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
     [3] Wikipedia – http://en.wikipedia.org/wiki/Heap_spraying
     [4] Dancho Danchev – http://www.zdnet.com/blog/security/report-3-million-malvertising-impressions-served-per-day/8319
     [5] Wikipedia – http://en.wikipedia.org/wiki/Shellcode
     [6] Phrack Issue 49 by Aleph One – http://www.phrack.org/issues.html?issue=49&id=14#article
     [7] Steven Adair and Ned Moran – http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/
     [8] Nicolaz Bruez – http://www.securelist.com/en/blog/208193477/New_Spam_campaign_on_Twitter_Leads_to_Rogue_AV
     [9] The Monkey-Spider Project – http://monkeyspider.sf.net
  28. References
     [10] Siber Güvenlik Derneği – http://www.siberguvenlik.org.tr/
     [11] Honeynet Project – Turkish Chapter – http://www.honeynettr.org
     [12] ContentKeeper Technologies – http://www.contentkeeper.com
     [13] Secunia Personal Software Inspector – http://secunia.com/products/consumer/psi
  29. Questions?
     Thank you for your attention! This talk was made possible with kind support from http://contentkeeper.com
  30. Exploit Kits
     ● Ready-to-run, large-scale, automated exploitation kits
     ● Sold in rogue underground forums
     ● One kit often has a bunch of exploits ready to execute on varying client machines
     ● Exploited machines are added to the kit's interface for ease of "management"
     ● A widespread approach to running malicious web site infrastructure
  31. Exploit Kits Most Wanted [1]
