Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Introducing Malware Script Detector


Published on

The version 2 is similar to XSS warning addon. Look for URL string for XSS payloads. Detect and stop XSS attacks from evil bad guys to you in addition to detection of Malicious JavaScript embedded in malicious sites. This script has been tested for false positives thoroughly. False positives may occur at those sites which use crypto strings like order.php?token={a:xC2;id:ac3f52233;[]} and Squirrel mail sites which use URL strings like compose.php?to=John<;. We can\'t fix it for the sake of security. If you know this one, you can feel assured this is safe to accept and go on.

Published in: Technology
  • Be the first to comment

Introducing Malware Script Detector

  1. 1. Introducing The Malware Script Detector (MSD) By d0ubl3_h3lix http :// Tue Feb 19 2008
  2. 2. Agenda <ul><li>Counter Strategy </li></ul><ul><li>Overview </li></ul><ul><li>XSS Coverage </li></ul><ul><li>Versioning Info </li></ul><ul><li>Standalone MSD </li></ul><ul><li>Detection Screenshots </li></ul><ul><li>Why MSD? </li></ul><ul><li>Weaknesses </li></ul>
  3. 3. Counter Strategy <ul><li>Using the Power of JavaScript, Malware Script Detector detects JavaScript Malwares which use the Power of JavaScript </li></ul>
  4. 4. Overview <ul><li>Run on Gecko browsers (Firefox, Flock, Netscape, …etc) </li></ul><ul><li>GreaseMonkey addon needed </li></ul><ul><li>Acted as Browser IDS </li></ul><ul><li>Intended for Web Client Security </li></ul><ul><li>Recommended for every web surfer </li></ul><ul><li>Please don’t underestimate MSD by looking its simplest source code </li></ul>
  5. 5. Overview (Cont.) <ul><li>Coded mainly to detect today’s popular powerfully malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF </li></ul><ul><li>Version 2 was enhanced to prevent most XSS threats and includes XSS Attack Blacklists based on Firefox XSS-Warning addon </li></ul>
  6. 6. XSS Coverage <ul><li>MSD was coded to detect the following XSS exploitation areas: </li></ul><ul><li>data: protocol exploitation like - data:image/gif - data:text/javascript - data:text/html </li></ul><ul><li>jar: protocol exploitation </li></ul><ul><li>file: protocol exploitation by locally saved malicious web pages </li></ul>
  7. 7. XSS Coverage <ul><li>Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, mocha:, telnet:, ftp:, res:, x-gadget(MS-Vista), call (VOIP), aim: …etc </li></ul><ul><li>unicode injection </li></ul><ul><li>utf-7,null-byte (0), black slash injection (u l), comments star slash injection (/* */),injection like u00, x00....etc </li></ul>
  8. 8. XSS Coverage <ul><li>MSD was thoroughly tested with: </li></ul><ul><li> - RSnake’s XSS CheatSheet - XSS-ME Addon Attack List </li></ul><ul><li> -’s Xssdb list - CAL9000 XSS List </li></ul>
  9. 9. Versioning Info <ul><li>GreaseMonkey Version </li></ul><ul><li>Main Objective: Alert XSS Attacks to users </li></ul><ul><li>Must be Installed by users </li></ul><ul><li>Requires Gecko Browser + GreaseMonkey Addon </li></ul><ul><li>Version 1 – Detect Malware Scripts </li></ul><ul><li>Version 2 – Detect Malware Scripts + </li></ul><ul><li>Prevailing XSS </li></ul>
  10. 10. Versioning Info <ul><li>Standalone Version </li></ul><ul><li>Main Objective: Alert XSS Attacks to users & webmaster </li></ul><ul><li>Must be Deployed by web developers </li></ul><ul><li>Browser-Independent </li></ul><ul><li>No Checking if users have GreaseMonkey version </li></ul><ul><li>Version 1 – Detect Malware Scripts + Prevailing XSS </li></ul>
  11. 11. Standalone MSD <ul><li>Standalone version was created as single .js file for web developers </li></ul><ul><li>To embed in their footer files </li></ul><ul><li>To notify both visitors and webmasters of XSS injection attempts & attacks </li></ul><ul><li>Browser-independent unlike GreaseMonkey Script version </li></ul><ul><li>Intended for web application security as a portable lightweight solution </li></ul>
  12. 13. Detection Screenshots
  13. 14. Why MSD? <ul><li>XSS Payloads like </li></ul><ul><li>http://victim/?q=“><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…..etc </li></ul>
  14. 15. Why MSD? (Cont.) <ul><li>Never get DETECTED by Web Server-level Firewall/IDS/IPS </li></ul><ul><li>Because the code is Totally Executed at Client’s Browser </li></ul>
  15. 16. Why MSD? (Cont.) <ul><li>Malicious sites intentionally embed malicious JavaScript attack frameworks </li></ul><ul><li>Bad guys 0wn web server boxes, and secretly install those attack frameworks as web backdoors or trojans to abuse users </li></ul>
  16. 17. Why MSD? (Cont.) <ul><li>No ways to detect such Malware scripts unless we check HTML source codes </li></ul><ul><li>Disabling JavaScript, Using NoScript/VMware, Always Checking source codes are not effective solutions for most cases </li></ul><ul><li>According to above scenarios, MSD becomes a nice solution for us </li></ul>
  17. 18. <ul><li> Oh, But … </li></ul>
  18. 19. Weaknesses <ul><li>Doesn’t check POSTS/COOKIES variables </li></ul><ul><li>No guarantee for full protection of XSS </li></ul><ul><li>Many ways to bypass MSD </li></ul><ul><li>XSS Filtering needs to be updated regularly where extensive filtering may cause false alerts and much annoyance to users </li></ul>
  19. 20. Where Can I get it ? <ul><li> Check Under Tools Section </li></ul><ul><li>If you wish to contribute, there is a smoketest </li></ul><ul><li>page. </li></ul><ul><li>Insert your own XSS payload to defeat MSD. </li></ul><ul><li>Notify me of whenever new Attack frameworks are created </li></ul>
  20. 21. Special Thanks <ul><li>Goes to </li></ul><ul><li>Mario, </li></ul><ul><li>Secgeek, http://www.secgeek s .com </li></ul><ul><li>Andres Riancho , </li></ul><ul><li>For encouragements and suggestions </li></ul>
  21. 22. Reference <ul><li>XSS Attacks & Defenses by PDP, RSnake, Jeremiah, Aton Rager, Seth Fogie Syngress Publishing ISBN-13:987-1-59749-154-9 </li></ul>
  22. 23. <ul><li>Thank you! </li></ul>