Introducing The Malware Script Detector (MSD) By d0ubl3_h3lix http ://yehg.net Tue Feb 19 2008

Agenda Counter Strategy Overview XSS Coverage Versioning Info Standalone MSD Detection Screenshots Why MSD? Weaknesses

Counter Strategy

Overview

XSS Coverage

Versioning Info

Standalone MSD

Detection Screenshots

Why MSD?

Weaknesses

Counter Strategy Using the Power of JavaScript, Malware Script Detector detects JavaScript Malwares which use the Power of JavaScript

Using the Power of JavaScript, Malware Script Detector detects JavaScript Malwares which use the Power of JavaScript

Overview Run on Gecko browsers (Firefox, Flock, Netscape, …etc) GreaseMonkey addon needed Acted as Browser IDS Intended for Web Client Security Recommended for every web surfer Please don’t underestimate MSD by looking its simplest source code

Run on Gecko browsers (Firefox, Flock, Netscape, …etc)

GreaseMonkey addon needed

Acted as Browser IDS

Intended for Web Client Security

Recommended for every web surfer

Please don’t underestimate MSD by looking its simplest source code

Overview (Cont.) Coded mainly to detect today’s popular powerfully malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF Version 2 was enhanced to prevent most XSS threats and includes XSS Attack Blacklists based on Firefox XSS-Warning addon

Coded mainly to detect today’s popular powerfully malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF

Version 2 was enhanced to prevent most XSS threats and includes XSS Attack Blacklists based on Firefox XSS-Warning addon

XSS Coverage MSD was coded to detect the following XSS exploitation areas: data: protocol exploitation like - data:image/gif - data:text/javascript - data:text/html jar: protocol exploitation file: protocol exploitation by locally saved malicious web pages

MSD was coded to detect the following XSS exploitation areas:

data: protocol exploitation like - data:image/gif - data:text/javascript - data:text/html

jar: protocol exploitation

file: protocol exploitation by locally saved malicious web pages

XSS Coverage Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, mocha:, telnet:, ftp:, res:, x-gadget(MS-Vista), call (VOIP), aim: …etc unicode injection utf-7,null-byte (0), black slash injection (u
l), comments star slash injection (/* */),injection like u00, x00....etc

Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, mocha:, telnet:, ftp:, res:, x-gadget(MS-Vista), call (VOIP), aim: …etc

unicode injection

utf-7,null-byte (0), black slash injection (u
l), comments star slash injection (/* */),injection like u00, x00....etc

XSS Coverage MSD was thoroughly tested with: - RSnake’s XSS CheatSheet - XSS-ME Addon Attack List - Dabbledb.com’s Xssdb list - CAL9000 XSS List

MSD was thoroughly tested with:

- RSnake’s XSS CheatSheet - XSS-ME Addon Attack List

- Dabbledb.com’s Xssdb list - CAL9000 XSS List

Versioning Info GreaseMonkey Version Main Objective: Alert XSS Attacks to users Must be Installed by users Requires Gecko Browser + GreaseMonkey Addon Version 1 – Detect Malware Scripts Version 2 – Detect Malware Scripts + Prevailing XSS

GreaseMonkey Version

Main Objective: Alert XSS Attacks to users

Must be Installed by users

Requires Gecko Browser + GreaseMonkey Addon

Version 1 – Detect Malware Scripts

Version 2 – Detect Malware Scripts +

Prevailing XSS

Versioning Info Standalone Version Main Objective: Alert XSS Attacks to users & webmaster Must be Deployed by web developers Browser-Independent No Checking if users have GreaseMonkey version Version 1 – Detect Malware Scripts + Prevailing XSS

Standalone Version

Main Objective: Alert XSS Attacks to users & webmaster

Must be Deployed by web developers

Browser-Independent

No Checking if users have GreaseMonkey version

Version 1 – Detect Malware Scripts + Prevailing XSS

Standalone MSD Standalone version was created as single .js file for web developers To embed in their footer files To notify both visitors and webmasters of XSS injection attempts & attacks Browser-independent unlike GreaseMonkey Script version Intended for web application security as a portable lightweight solution

Standalone version was created as single .js file for web developers

To embed in their footer files

To notify both visitors and webmasters of XSS injection attempts & attacks

Browser-independent unlike GreaseMonkey Script version

Intended for web application security as a portable lightweight solution

Detection Screenshots

Why MSD? XSS Payloads like http://victim/?q=“><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…..etc

XSS Payloads like

http://victim/?q=“><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…..etc

Why MSD? (Cont.) Never get DETECTED by Web Server-level Firewall/IDS/IPS Because the code is Totally Executed at Client’s Browser

Never get DETECTED by Web Server-level Firewall/IDS/IPS

Because the code is Totally Executed at Client’s Browser

Why MSD? (Cont.) Malicious sites intentionally embed malicious JavaScript attack frameworks Bad guys 0wn web server boxes, and secretly install those attack frameworks as web backdoors or trojans to abuse users

Malicious sites intentionally embed malicious JavaScript attack frameworks

Bad guys 0wn web server boxes, and secretly install those attack frameworks as web backdoors or trojans to abuse users

Why MSD? (Cont.) No ways to detect such Malware scripts unless we check HTML source codes Disabling JavaScript, Using NoScript/VMware, Always Checking source codes are not effective solutions for most cases According to above scenarios, MSD becomes a nice solution for us

No ways to detect such Malware scripts unless we check HTML source codes

Disabling JavaScript, Using NoScript/VMware, Always Checking source codes are not effective solutions for most cases

According to above scenarios, MSD becomes a nice solution for us

Oh, But …

Oh, But …

Weaknesses Doesn’t check POSTS/COOKIES variables No guarantee for full protection of XSS Many ways to bypass MSD XSS Filtering needs to be updated regularly where extensive filtering may cause false alerts and much annoyance to users

Doesn’t check POSTS/COOKIES variables

No guarantee for full protection of XSS

Many ways to bypass MSD

XSS Filtering needs to be updated regularly where extensive filtering may cause false alerts and much annoyance to users

Where Can I get it ? Check Under Tools Section http://yehg.net/lab/#tools.greasemonkey If you wish to contribute, there is a smoketest page. Insert your own XSS payload to defeat MSD. Notify me of whenever new Attack frameworks are created

Check Under Tools Section http://yehg.net/lab/#tools.greasemonkey

If you wish to contribute, there is a smoketest

page.

Insert your own XSS payload to defeat MSD.

Notify me of whenever new Attack frameworks are created

Special Thanks Goes to Mario, http://php-ids.org Secgeek, http://www.secgeek s .com Andres Riancho , http://w3af.sf.net For encouragements and suggestions

Goes to

Mario, http://php-ids.org

Secgeek, http://www.secgeek s .com

Andres Riancho , http://w3af.sf.net

For encouragements and suggestions

Reference XSS Attacks & Defenses by PDP, RSnake, Jeremiah, Aton Rager, Seth Fogie Syngress Publishing ISBN-13:987-1-59749-154-9

XSS Attacks & Defenses by PDP, RSnake, Jeremiah, Aton Rager, Seth Fogie Syngress Publishing ISBN-13:987-1-59749-154-9

Thank you!

Thank you!