Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

ISSA Journal Paper - JavaScript Infection Model


Published on

Published in: Technology
  • Be the first to comment

ISSA Journal Paper - JavaScript Infection Model

  1. 1. PreemInent truSted GlobAl ISSA ISSA Journal | November 2010 InformAtIon SecurIty communItyJavaScript Infection modelBy Aditya K Sood and Richard J. EnbodyAdvancements in Web 2.0 technologies have enhanced Internet functionality but at thesame time have created numerous threats to the World Wide Web. this paper talks aboutthe negative nature of JavaScript, which is exploited heavily by malware writers to spreadinfections throughout the online world.Abstract creasing4 in spite of versatile functions. These new technolo- gies have made the Web flexible and robust by allowing theAdvancements in Web 2.0 technologies have enhanced In- inclusion of content from third-party sites and sending con-ternet functionality but at the same time have created nu- tent to other domains. In reality, data from the third partiesmerous threats to the World Wide Web. The biggest issue the cannot be verified against presence of potential malware. Asonline world is grappling with is web malware, which is an a result malware can accompany the data back into the parentoutcome of intensive exploitation of web vulnerabilities. This website without restriction and continue spreading across thepaper talks about the negative nature of JavaScript, which Web. Security considerations have to be undertaken in theis exploited heavily by malware writers to spread infections best possible manner to combat web exploitation.throughout the online world. new technologiesexploitation Shift With the advent of new technologies, the sphere of attack sur-T here is always an element of discrepancy present be- face vulnerability has widened. The Web is getting exposed tween current and upcoming technologies. With the to identity theft, exploitation, scams, phishing, redirection advent of powerful operating system protection mech- vulnerabilities, cross site scripting (XSS), and cross site re-anisms, the attack surface has shifted to web exploitation vec- quest forgery (CSRF).5 CSRF, for example, is a type of attacktors because memory exploitation is becoming tougher for in which HTTP requests are sent in a stealth manner with-the attackers. Technologies such as Microsoft Data Execution out the knowledge of user. This type of attack allows the at-Protection (DEP),1 Address Space Layout Randomization tacker to execute commands and requests on user’s behalf.(ASLR),2 and GS cookies3 have circumvented the attack and The inherent vulnerabilities in web applications are exploitedexploitation of system-level vulnerabilities. The use of string by various application injections such as PHP, ASP, LDAP,functions is completely isolated from systems as they are con- SQL, and DOM (Document Object Model).6 The injectionssidered as a base for buffer overflow attacks. Exploitation has are widely used to manipulate the content, steal informa-shifted from system vulnerabilities to web vulnerabilities. tion, and spread malware. One step ahead is HTTP ProtocolThe attack landscape of the Web has a panorama of exploita- manipulation comprising of attack type Response Splitting,7tions that are proliferating day by day. With the rise of blogs, which bypasses browser protection mechanisms by split-wikis, atom feeds, RSS, and others, the insecurity level is in- ting the HTTP response from the server thereby fooling the browser to interpret two responses instead of one. 4 RSS Attacks, Data Execution Prevention, predicted.html.2 Address Space Layout Randomization, 5 Cross Site Request Forgery, archive/2006/05/26/430538.aspx. 6 DOM XSS, GS, 7 HTTP Response Splitting, studio-2010.aspx. securityreviews/5WP0E2KFGK.html. ©2010 Information Systems Security Association • • • Permission for author use only. 31
  2. 2. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010The cropping up of Web 2.0 and AJAX with JSON (JavaS-cript Object Notation) has transformed the structure ofWeb. Primarily, AJAX is used to interact with a spe-cific set of events in a webpage through asynchronousJavaScript calls, which are usually scattered through-out the webpage. AJAX allows a number of events tobe executed in a single page from different domains.Content validation is a big problem because content isfetched from various sources. Further, AJAX serializesall types of data elements into strings, which are usedby programming interfaces such as ASP, ASP.NET, etc.Basically, serialization converts data into a stream. Italso helps build dynamic scripts in a backend channel,passing information from third-party servers to thebrowser DOM for execution. These factors can be uti-lized collectively to misuse the AJAX technology8 andthe techniques are proliferating in the wild. Numer-ous attacks can be initiated with new parameters andweb technologies. The educational community, finan-cial institutions, banks, companies, etc., are all struc-tured over the Web. Browsers are interdependent ona number of components and sometimes it is hard todetermine the impact of a vulnerability. Are we readyto handle such attacks? Are our defense mechanisms in- figure 1 – JavaScript Infection modelgenious enough to thwart Web 2.0 attacks through AJAXand applied policies? namic operations, which can be performed on the vulnerable websites and applications. Every browser uses JavaScript as aWeb malware – real world scenario default scripting language and content is rendered withoutWeb malware is infecting websites at a rapid pace. The rea- any notification because this scripting language is a workingsons can be security negligence, unpatched vulnerabilities, standard in Web 2.0. That’s the main reason malware writersadministration problems, etc., but the impact is growing use JavaScript to conduct stealth attacks by exploiting the in-exponentially. In the last few years, the security community built functionality of browsers.has detected an overwhelming increase in malware using Ja- It is always advisable to understand the benchmark of infec-vaScript.9 10 The malware problem, however, is not restricted tion strategies used by the attackers to launch extensive at-to one business entity but has encompassed all the spheres, tacks on the public websites or social networking environ-thereby resulting in loss of business and compromising the ments. The JavaScript Infection Model (JIM) reflects thestability and robustness of organizations. Dasient11 has pub- generic methods opted by the attackers to launch malware.lished stats which present the sphere of infection by web mal- The model itself clarifies the structure and basic thinkingware. Business is the most exploited entity because of the in- of the attacker to inject malware in the Web, thereby result-herent money element involved in it – there is money to steal. ing in large-scale infection. The overall model is presented in Figure 1. The following steps describe the model in detail.understanding the JavaScript Infection 1. Attacker controlled domainmodel The base is the attacker’s controlled domain, which hosts aJavaScript is one of the most susceptible scripting language number of malware/programs that are used for maliciousused for malware infection by most of the attackers,12 espe- purposes. This step is undertaken to ensure that there is acially since JavaScript is used extensively in websites and ap- centralized repository of JavaScript malware. The infectionplications for accessing various HTML elements and objects vector can be a single website or a number of websites in thedynamically. JavaScript provides more robust control and dy- domain. The attacker’s controlled domain also has custom designed web spiders for collecting information from the8 Malware using AJAX, Web. Attackers always look for vulnerabilities in websites to9 Growth in Web Malware, web-based-malware_9357.html. conduct injections so that malicious content can be included10 Malware Stats, into the victimized websites.11 Dasient, malware_9357.html. 2. Detecting blacklisted and vulnerable websites12 JavaScript opens doors to browser-based attacks, The second step is to scrutinize vulnerable websites and do- opens-doors-to-browser-based-attacks/2100-7349_3-6099891.html. mains which possess inherent application vulnerabilities that ©2010 Information Systems Security Association • • • Permission for author use only.32
  3. 3. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010can be exploited to spread malware. As most malware spread-ing attacks are automated, an attacker should have the infor- Spreading malware: JavaScript functionalitymation of blacklisted websites in order to make the malware JavaScript is used extensively in spreading malware13 due toattacks more successful. Automated spiders accumulate in- its inherent nature to provide direct access to browser com-formation about a domain. This is a very important step from ponents. A JavaScript infection pattern is followed by mostmalware writer’s perspective because if the website is black- malware whether system-resident or web-based to hide thelisted, it gives an indication of the fact that most browsers objects used for infection. The concept of hidden infection iswill not visit that website. As a result, it hampers the malware not new but is used in a randomized manner. This is a veryinfections through JavaScript. This information required by effective technique to launch malware attacks in a stealthythe attacker depends on the capability of that spider. As one manner to exploit the user parlance to understand what isknows the Web is an open forest: there is no stringency in happening at the backend. There are definitive methods thataccessing the front end of websites directly because it is the are used incessantly by web malware to infect victim ma-Web’s default nature until and unless custom security con- chines. Let’s have a look at the hidden structure which is usedtrols are implemented. intensively.3. Designing attack vector remote scripting with hidden iframesAfter detecting the blacklisted domains, the crawlers push The HTTP specification allows the effective use of <iframe>the information back to the attacker’s controlled domain in a substantial manner to embed one webpage into anotherfor scrutinizing the contents. During this process malicious webpage, irrespective of the domain to which a page belongs,scripts are not injected into blacklisted domains; rather new and can be used in cross-domain context. This functionalitysets of websites having vulnerabilities are used as an attack of iFrames is exploited by malware writers in order to infectpoint. The crawling process is repeated to find new domains systems. Since these are interactive in nature, it is possiblehaving security vulnerabilities. The information can be to bypass Same Origin Policy (SOP) easily to launch cross-scanned in an automated manner or manually; it depends domain attacks if a certain set of vulnerabilities exist in theon the attacker’s strategy how the process will be carried out. base software or in web applications. SOP defines a controlFor example, user agent strings provide information about policy on scripts that are originating in a same domain tothe type of browsers used and other custom software that access properties and objects on various webpages in that do-are used in line with the browsers. This indirectly helps the main. SOP applies restrictions on scripts in order to preventattackers a lot in crafting an attack by exploiting web vul- access to HTML objects and properties of webpages on differ-nerabilities in the new domains. If we talk about the manual ent domains and websites. SOP is completely browser-based,ways, then the attacker himself can look into the vulnerable and due to inherent vulnerabilities14 in browsers it can be by-websites for latent vulnerabilities. Again, it depends upon the passed easily. This factor relates not only to the HTTP speci-attack vector, which requires a specific set of vulnerabilities fication but also to the browsers as to how effectively SOP isto be exploited for spreading malware. implemented. It also depends on the rendering engine when4. Exploiting targets the objects are rendered and access is required by them to perform various functions.The information is further looked upon by matching the in-dexed vulnerabilities on the attacker’s domain to explore di- <iframe src=”” width=”1”rect vulnerabilities that can be exploited. If not, the attacker height=”1” style=”visibility:hidden;position:absoltries to inject malicious iFrames in the context of the domain ute”></iframe>with the source pointing to malicious JavaScript hosted on <iframe src=”” width=”0”the attacker’s domain or third-party infected domain. Once height=”0”></iframe>the JavaScript is injected, the code is changed as per require- The above presented iFrame code is used heavily in spreadingments to infect the systems in a versatile manner. Lastly, the malware. The beauty of this code is the fact that the iFrameattacker controls the vulnerable websites hosted on a domain becomes hidden and cannot be displayed on the infectedand changes them into a malware spreading entities. The at- website. The hidden iFrame sends a request to malicious.comtacker’s surface becomes diversified when more victims fall for downloading malware or executing rogue JavaScript.into the trap. Malware writers exploit this functionality to a greater extentMany of the online tools used by malware writers primar- to serve malware by infecting websites with iFrames whichily test the weaknesses and entry points through which Ja- can be used to serve hidden malware through infected web-vaScript can be injected. Because JavaScript is dynamic and sites. It is also possible to update databases with maliciousrobust in its working on the Web, it is the preferential choice iFrames as stored elements to make iFrames persistent in na-of malware writers to conduct attacks and spread malware. 13 JavaScript Malware, jhtml?articleID=208803932. 14 Mozilla SOP bypass Vulnerability, Jul/1024228.html. ©2010 Information Systems Security Association • • • Permission for author use only. 33
  4. 4. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010ture. This type of attack depends on the XSS vulnerability ity. Image objects a have “src” parameter and are pointedbeing present in the website, depending on the design of the to URLs that exploit the vulnerability in Firefox. JavaScriptapplication and website which makes the XSS persistent or heap blocks constitute the shellcode with call and jmp in-reflective in nature. Nowadays, SQL-injection attacks have structions. The shellcode may result in downloading of mal-been used in conjunction with XSS to upload malicious iF- ware.18rames into a database through a vulnerable website. TheiFrames are passed as payloads in the form of hexadecimal obfuscation and hybrid codesstrings,15 which get stored in the web database. It remains Code obfuscation is used at a very large scale for spreadingpersistent in the database and is retrieved when a website is- malware. The preferable scripting language is, of course, Ja-sues some database query. This tactic is used heavily in mass vaScript. But obfuscation is not restricted to only JavaScriptSQL-injection attacks that spread malware through drive-by- and using only escape functionality and generic attacks. Obfuscation is used extensively to make code hybrids now- adays. There can be a scenario in which two scripting lan-JavaScript heap spraying guages are used together. The malware spreading can be doneThe inherent software vulnerabilities that can be exploited very easily through hybrid codes because it becomes hard tothrough JavaScript heap spraying16 are also a major source of analyze the code which is encoded with custom encoder andmalware infection. The browser-based exploits are used ex- using JavaScript functions to get downloaded into the sys-tensively to trigger malware infection on the client side. If a tem. For example, custom JavaScript decoders can be used tovulnerable version of the browser is running or there is pres- decode the JavaScript-related functions, but in order to deci-ence of vulnerable software, the malware writers try to ex- pher the payloads other extensive tools are required. PERL isploit the vulnerability in order to execute custom shellcode. a good tool that is used in a wide manner to decode hybridHeap spraying is a type of attack which exploits memory cor- codes to understand the actual payload which is exploitingruption vulnerabilities through browsers without any has- the system.sles. The target is unsafe applications. The functional part isto create and allocate arbitrary objects in the heap by using Widgetsa type-safe language. The objects used to fill heaps contain The Web 2.0 working model uses widgets at a very large scale.dangerous exploit codes to be run against the target system. Generally, these small chunks of code are used for enhancedSpecific notions used for these types of exploits are men- functionality, primarily for advertisement purposes, includ-tioned below: ing content from third parties, notification alerts, etc. They are based on the concept of code reuse. Widgets are provided • Design a string which grows exponentially by concat- by the advertisement agencies, news portals, companies, etc., enating with itself to include content for the user website experience. The vendor • Keep string format as Unicode to avoid any type of offers widgets that can be added manually or automatically stringency in the code in the user websites or blogs, depending on the feasibility of • Exhaust the maximum length that is allowed by the environment. In order to accept data from third parties, the scripting engine widget provides a communication and content transfer inter- face between the parties. Once installed in the user website, it • Shellcode is placed at the end of the string opens the communication channel between the parent node • The set of code is copied over a large sum of arrays and the child node. JavaScript widgets are used heavily for which can control the execution infecting websites because the chunked code sits as HTML in • The attack surface is potentially created so that it can the parent page and follows the same hierarchy functions as have enough memory for exploitation the parent node.19 It means the code becomes in line with the main module and is executed as the webpage is loaded into • Heap blocks are considered to be on the same loca- the browser. Widgets may contain malware which redirects tions every time the website to a malware domain or starts downloading theThe above mentioned steps are used to exploit the target malware executables into the system. So JavaScript code inthrough the browser. The security community has witnessed the form of widgets is used to spread malware through theexorbitant growth of these browser-based exploits in the re- Web thereby impacting the large sets of users who are usingcent years.17 These attacks exploit the vulnerability in brows- that specific widget. The widgets can be uploaded to malwareers by manipulating the default heap using JavaScript, used domains or content delivery networks to follow the chainto create heap blocks within a particular memory range and process of infecting large number of websites.dynamic image objects generated to trigger the vulnerabil-15 SQLXSSI Attacks, 18 Mozilla “Host: Heap Buffer Overflow Exploit,” Heap Spraying, exploits/1224. Presentation/bh-eu-07-sotirov-apr19.pdf. 19 Web Widget Infection, IE Object Memory Corruption, widget.html. ©2010 Information Systems Security Association • • • Permission for author use only.34
  5. 5. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010drive-by downloads designed search engine. If a victim uses that search portal to run a query, the resultant links are the mostDrive-by Download20 is one of the most long-lived techniques vulnerable links and directed towards malicious webof spreading malware through JavaScript by forcing victims servers. This happens quite download malware without their consent and knowledge.The malicious website usually hosts a number of hidden • Generation of advertisement pop ups in the systemiFrames that point to the malicious program or malicious continuously. This can be a time-based logic to gen-Active X control. Essentially, the website forces the user’s erate a pop up after a requisite interval and runningbrowser to install the plug-in directly on the system. How with the same behavior for a longer duration.does the drive-by download work? Let’s consider as generic The infection does not stop here as such. If a victim tries tocase. The website offers a browser plug-in to install directly remove the required set of files, a cleanup link is also pro-into the context of system. There is a lot of functional dif- vided which further downloads another plug-in having well-ference between a normal plug-in and Program Loader Stub defined EULA and privacy restrictions. The attackers follow(PLS) which is installed as result of the plug-in. Program the same technique but the overall functional perspective isloader stub defines the nature of execution of plug-in. The different. It is kind of dual entrapment and the directed web-main function of program loader stub is to call functions in site looks like a cleaning solution vendor website, but typi-a hierarchical manner and synchronously. In general terms, cally it is fake. As a result, the victim is trapped again and thethe PLS is responsible for calling API’s appropriately that are system gets infected with a different layout.used by plug-ins to download malware. The PLS loads eachDLL that is required by the plug-in into the memory space. It conclusionfills in the structures in the import directory of the execut- Malware running rampant in the wild is an outcome of flawsable in the memory. If the DLL is not loaded in the memory, and vulnerabilities that exist in web applications and web-the PLS fails to load the malicious executable. The stub ac- sites that make up the Web. The same language tools are usedtually downloads a lot of malicious content into the user’s for development AND exploitation. This paper has presentedsystem by remaining silent and infecting the system at large JavaScript from the malicious infection point of view. In or-in a stealth manner. The plug-in offers fake information to der to defend against these web malware we have to designconvince the user it is valid: a number of defenses and protections in the same pattern. 1. Fake certification and end user license agreements Since JavaScript is the major scripting language to add dy- (EULA) links aiming to exploit the user’s ability to namic functionality to webpages, the same is used for dy- make a decision about the software. namic generation of malware. So understanding the diverse nature of JavaScript, we can design protection mechanisms to 2. Incessant and rogue security warnings to exploit the combat its misuse and exploitation by malware writers. user’s inability to decide the working of software plug-in. About the AuthorsIf the required plug-in is allowed to install in the system, a Aditya K Sood is a security researcher, con-stub is installed simultaneously, which further downloads a sultant, and Ph.D. candidate at Michigannumber of programs without user consent. The installed pro- State University. He has worked in the se-grams infect the system as mentioned below: curity domain for Armorize, COSEINC, and KPMG and founded SecNiche Secu- • Infection at the folder level by placing malicious files. rity. He has been an active speaker at con- The malware programs follow the concept of cross ferences like RSA, TRISC, Hacker Halted, linking in which one malicious binary is interfaced ExCaliburCon, EuSecwest, XCON, OWASP AppSec, Security- with another malicious binary with randomized Byte, CERT-IN and has written content for HITB Ezine, Ha- names. This becomes hard for a normal user to detect kin9, Usenix Login.He may be reached at the real working of the binary present in the requisite program files folder. Dr. Richard Enbody is an Associate Profes- sor in the Department of Computer Science • Inserting malicious, e.g.,. porn website, links in the and Engineering, Michigan State Universi- browser bookmarks and shortcuts to be placed in the ty. He joined the faculty in 1987 after earn- program bars on the desktop that further links ma- ing his Ph.D. in Computer Science from licious website and malware programs respectively. the University of Minnesota. Richard’s The main criterion of this type of functionality is to research interests are in computer security, infect the generic places in the systems which are used computer architecture, web-based distance by the victims easily. education, and parallel processing. He has • It primarily hijacks the default browser links and web- two patents pending on hardware buffer-overflow protection, pages and points to a malicious website or custom- which will prevent most computer worms and viruses. He re- cently co-authored a CS1 Python book, The Practice of Comput-20 Drive by Downloads, ing using Python. He may be reached at ©2010 Information Systems Security Association • • • Permission for author use only. 35