CATCH AND RELEASE: A NEW LOOK AT DETECTING AND MITIGATING HIGHLY OBFUSCATED EXPLOIT KITS
BY MOHAMED SAHER AND AHMED GARHY
AGENDA
• Our Intent
• Rethinking Evasions
• Domain of the Problem
• Current Problem
• Problems with Current Solutions
• Solution #1: First Method
• Solution #2: Second Method
OUR INTENT
• Is this function malicious?
  function Translate(objects, offset, size) {
    var length = 4;
    for (var i = 0; i < size; i++) {
      var r = rc.substr(0, length);                 // rc is not defined in this snippet; it comes from the surrounding scope
      if (offset > 0) {
        r = r.substr(offset) + r.substr(0, offset);  // rotate r left by offset characters
      }
      objects[i] = r.substr(0, r.length);
    }
  }
• Without understanding the context in which a function is used, it is very difficult to determine whether it is malicious
OUR INTENT
• What about this script?
  <script>
  var a = '%25%33%43%69%66%72%61%6d%65 ...';
  var b = unescape(unescape(a));
  var spray = new Function(unescape(b));
  </script>
• An "expert's eye" can probably tell that it looks suspicious (the visible prefix of a double-decodes to "<iframe"). Yet the two are in fact equivalent to each other
• Our intent is to show that an attack can be delivered with code like the first example, without depending on obfuscation like the second, and to propose a better method for detecting both
RETHINKING EVASIONS
• Designing a new architecture
  • Use a message oriented architecture (MOA) to split the attack into disparate, self-contained messages; we refer to these as "units of work"
  • This is a variation of the "script splitting" technique, except that a message exists only within a local scope and is destroyed after it serves its purpose
  • Does not require DOM manipulation to hide "magic strings"
  • Avoids the "magic redirect IFRAME" that can be a trigger for some analyzers
• Avoiding HTTP
  • With no HTTP response carrying the script, there is no artifact that can be parsed or scanned for patterns, characteristics and definitions (the one HTTP exchange left is the initial Upgrade handshake, which carries no script)
  • An alternative to loading JavaScript in "clear text"
  • Load one message at a time, forcing each message to be analyzed independently; remember "units of work"
  • WebSockets are a perfect candidate for both MOA and bypassing HTTP from a web environment
• Avoiding client side state
  • Two components are involved, client and server
    Diagram: Client [Listen, Invoke] <-> Server [State, Send]
  • For each accepted connection from a client, the server maintains a state machine
  • Messages are essentially commands and do not depend on each other; remember "units of work"
  • The client evaluates a message, invokes it, and destroys it
• Limit control flow and function call hierarchy
  • The only client control flow is that of the client listening for and invoking a message
  • The order of messages is not guaranteed by the server. The server may send NOP messages as part of an attack to trick certain analyzers
  • "Monkey patch" functions that are dynamically evaluated in messages to trick certain analyzers
• Getting creative in transport format
  • An established WebSocket is a bidirectional pipe of opaque frames over TCP, so data can be represented on the wire in an application-specific way
  • No longer restricted to sending JavaScript in clear text
  • Create a custom binary format
  • Send the message in binary on the wire:
    01001000011001010110110001101100011011110010000001001000011
    00001011011010110001001110101011100100110011100100001
  • Simply looking at a binary message gives no hint of what its contents are: an audio file, an image, even text? (This particular string is 8-bit ASCII and reads "Hello Hamburg!", so the protection only holds while the format is genuinely unknown.)
  • To even begin to understand a binary message, its format specification needs to be known beforehand; otherwise it is a very challenging problem in its own right
• Confusing the context
  • Remember this function?
    function Translate(objects, offset, size) {
      var length = 4;
      for (var i = 0; i < size; i++) {
        var r = rc.substr(0, length);
        if (offset > 0) {
          r = r.substr(offset) + r.substr(0, offset);
        }
        objects[i] = r.substr(0, r.length);
      }
    }
  • Now that we receive this from our binary format, we again ask the question: how do you determine whether it is malicious?
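The listen/evaluate/invoke/destroy loop, the per-connection server state machine with NOP frames, and the bit-string transport described in this section, written out as an added example in JavaScript. This is not the authors' code: the transport is simulated in-process instead of over a real WebSocket, the frame layout (one type byte followed by the UTF-8 body, sent as a string of '0'/'1' characters) is an assumption, and the two units of work are constructed. The first unit is the slide's own Translate function with rc bound to a constructed value. As a check, the decoder is also run over the exact bit string printed on the slide, which is plain ASCII for "Hello Hamburg!".

```javascript
// Added example: message-oriented delivery in the shape the slides describe.
// Frame = 1 type byte + UTF-8 body, carried as a string of '0'/'1' chars (assumption).
const MSG = { NOP: 0, UNIT: 1, DONE: 2 };

// The bit string printed on the slide, joined across its two lines.
const SLIDE_FRAME =
  '01001000011001010110110001101100011011110010000001001000011' +
  '00001011011010110001001110101011100100110011100100001';

function bitsToBytes(bits) {
  // An analyzer needs this check before anything else: reject frames that are
  // not a whole number of octets or contain anything but '0'/'1'.
  if (bits.length % 8 !== 0 || /[^01]/.test(bits)) throw new Error('malformed frame');
  const out = new Uint8Array(bits.length / 8);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(bits.slice(i * 8, i * 8 + 8), 2);
  return out;
}
function bytesToBits(bytes) {
  return Array.from(bytes, (b) => b.toString(2).padStart(8, '0')).join('');
}
function bitsToText(bits) { return new TextDecoder().decode(bitsToBytes(bits)); }

function encodeFrame(type, body) {
  const payload = new TextEncoder().encode(body);
  const bytes = new Uint8Array(1 + payload.length);
  bytes[0] = type;
  bytes.set(payload, 1);
  return bytesToBits(bytes);
}

// Server: one state machine (here, a queue) per accepted connection,
// with a NOP frame before every unit of work.
function makeServer(units) {
  const sessions = new Map();
  return {
    accept(id) {
      const queue = [];
      for (const u of units) queue.push(encodeFrame(MSG.NOP, ''), encodeFrame(MSG.UNIT, u));
      queue.push(encodeFrame(MSG.DONE, ''));
      sessions.set(id, { queue });
    },
    send(id) {
      const s = sessions.get(id);
      if (!s) throw new Error('unknown connection ' + id);
      return s.queue.shift();
    },
  };
}

// Client: listen, evaluate, invoke, drop. Nothing survives between messages
// except `ctx`, a stand-in for whatever the unit is allowed to touch (assumption).
function makeClient(ctx) {
  const log = [];
  return {
    log,
    onFrame(bits) {
      const bytes = bitsToBytes(bits);
      const type = bytes[0];
      const body = new TextDecoder().decode(bytes.subarray(1));
      if (type === MSG.NOP) { log.push('nop'); return 'nop'; }
      if (type === MSG.DONE) { log.push('done'); return 'done'; }
      let unit = new Function('ctx', body); // evaluate
      unit(ctx);                            // invoke
      unit = null;                          // destroy
      log.push('unit');
      return 'unit';
    },
  };
}

function runSession(server, client, id) {
  server.accept(id);
  let outcome;
  do { outcome = client.onFrame(server.send(id)); } while (outcome !== 'done');
  return client.log;
}

// Constructed units: the slide's Translate function with rc bound, then an
// unrelated unit that does not depend on the first having run.
const UNITS = [
  "var rc = 'abcd';" +
  'function Translate(objects, offset, size) { var length = 4;' +
  ' for (var i = 0; i < size; i++) { var r = rc.substr(0, length);' +
  ' if (offset > 0) { r = r.substr(offset) + r.substr(0, offset); }' +
  ' objects[i] = r.substr(0, r.length); } }' +
  'var objs = []; Translate(objs, 1, 3); ctx.out.push(objs.join(","));',
  "ctx.out.push('second unit ran');",
];

function demo() {
  const ctx = { out: [] };
  const log = runSession(makeServer(UNITS), makeClient(ctx), 'conn-1');
  return { log, out: ctx.out, slideText: bitsToText(SLIDE_FRAME) };
}
```

With a real WebSocket, onFrame becomes the socket's message callback and send writes to the socket; the rest is unchanged. Note what the analyzer is left with: no script element, no HTTP body, and a per-frame view in which a NOP and a unit look identical until the type byte is understood.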
DOMAIN OF THE PROBLEM
• How can we define a malicious website?
• How can we detect a malicious website?
• How can we detect obfuscation?
• How can we identify obfuscation used for malicious purposes?
• How can we categorize what is malicious and what is not?
CURRENT PROBLEM
• Exploit delivery, at some point, relies on JavaScript
• JavaScript is continuously being obfuscated with more complexity
• Current solutions are well behind in technology
PROBLEMS WITH CURRENT SOLUTIONS
• They rely heavily on "invocative" functions that are not a concrete basis for calling something malicious (fromCharCode, eval, unescape, etc.) and that have plenty of legitimate use cases:
  • DOM and CSS selectors
  • Client side proxies for client-server interaction
  • Client side template engines
• Limited sets of characteristics
  • The quality of a probabilistic decision is directly proportional to the characteristics extracted
TYPES OF APPROACHES
• Dynamic analysis of embedded JS
• Static analysis of extracted JS (Method #1)
• Static analysis of extracted JS (Method #2)
DYNAMIC ANALYSIS
• AdHoc Forwarding
  • Create a middle layer between the browser and the JS engine
  • Analyze the CFG of the scripts being executed
  • Analyze the call hierarchy and the order in which functions are called
  • Analyze certain combinations of functions used, including known highly risky ones
• Browser Automation
  • Attach to the IE process
  • Use shdocvw.dll (the WebBrowser control) to automate via COM callbacks
  • Capture events as they trigger and manipulate them
  • Analyze in the same manner as AdHoc Forwarding
• Browser In-Memory Injection
  • Inject JS into the DOM to monitor events
  • Use a JS debugger (Firebug or other)
STATIC ANALYSIS (METHOD 1)
• Extract local scripts
• Extract remote scripts
• Analyze the scripts and categorize them based on certain criteria
  • Web page encoding
  • Detecting the language used and extracting features
  • Check the WHOIS record for the web page's domain
  • Determine probabilistically which category it belongs to
SHANNON'S ENTROPY
• Formula
• We use Shannon's entropy to determine the entropy of the file only as a side feature, not as the main criterion for deciding whether it is malicious
NAÏVE BAYESIAN
• A machine-learning technique that can be used to predict to which category a particular data case belongs
• Given the above formula: an event A is INDEPENDENT of event B if the conditional probability of A given B is the same as the marginal probability of A
LAPLACIAN SMOOTHING
• To avoid a zero factor in any partial probability we use the add-one smoothing technique
• Given an observation x = (x1, …, xd) from a multinomial distribution with N trials and parameter vector θ = (θ1, …, θd), a "smoothed" version of the data gives the estimator, where α > 0 is the smoothing parameter (α = 0 corresponds to no smoothing)
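The two computational pieces of Method 1 described on the last three slides, written out as an added example in JavaScript (not the authors' code): Shannon entropy of a script as a side feature, and a multinomial naive Bayes classifier over extracted identifier counts with add-one (Laplace) smoothing, so that a token never seen in one class cannot zero out that class's probability. The tokenizer, the six training snippets and the class labels are constructed for the example; real feature sets would be far larger.

```javascript
// Added example: entropy side-feature plus smoothed naive Bayes over script tokens.

// H = -sum(p_i * log2(p_i)) over the characters of the text, in bits per character.
function shannonEntropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Feature extraction (constructed): identifiers only, case-folded. Numbers and
// punctuation are dropped so the classifier sees what is called, not how it is spelled.
function tokenize(source) {
  return source.toLowerCase().match(/[a-z_$][a-z0-9_$]*/g) || [];
}

class NaiveBayes {
  constructor(alpha = 1) {         // alpha = 1 is add-one smoothing; 0 disables it
    this.alpha = alpha;
    this.classes = new Map();       // label -> { docs, total, counts }
    this.vocab = new Set();
  }
  train(label, source) {
    const c = this.classes.get(label) || { docs: 0, total: 0, counts: new Map() };
    c.docs += 1;
    for (const t of tokenize(source)) {
      c.counts.set(t, (c.counts.get(t) || 0) + 1);
      c.total += 1;
      this.vocab.add(t);
    }
    this.classes.set(label, c);
  }
  // log P(c) + sum over tokens t of log((count(t,c) + alpha) / (total(c) + alpha * |V|)).
  // The alpha terms are the smoothing: an unseen token costs a small penalty
  // instead of log(0).
  scores(source) {
    const tokens = tokenize(source);
    const docs = [...this.classes.values()].reduce((n, c) => n + c.docs, 0);
    const out = {};
    for (const [label, c] of this.classes) {
      let logp = Math.log(c.docs / docs);
      for (const t of tokens) {
        logp += Math.log(((c.counts.get(t) || 0) + this.alpha) / (c.total + this.alpha * this.vocab.size));
      }
      out[label] = logp;
    }
    return out;
  }
  classify(source) {
    const s = this.scores(source);
    return Object.keys(s).reduce((a, b) => (s[a] >= s[b] ? a : b));
  }
}

// Constructed training data: three ordinary page scripts, three loader-style snippets.
const TRAINING = [
  ['benign', "function ready(fn) { document.addEventListener('DOMContentLoaded', fn); }"],
  ['benign', 'var total = items.reduce(function (a, b) { return a + b; }, 0); render(total);'],
  ['benign', "document.getElementById('menu').addEventListener('click', toggleMenu);"],
  ['malicious', 'var a = unescape(unescape(p)); var spray = new Function(unescape(a)); spray();'],
  ['malicious', "var sc = ''; for (var i = 0; i < x.length; i += 2) sc += String.fromCharCode(parseInt(x.substr(i, 2), 16)); eval(sc);"],
  ['malicious', "var shellcode = unescape('%u9090%u9090'); var nops = unescape('%u0c0c%u0c0c'); while (nops.length < 262144) nops += nops;"],
];

function buildClassifier() {
  const nb = new NaiveBayes(1);
  for (const [label, src] of TRAINING) nb.train(label, src);
  return nb;
}
```

The entropy value is returned separately rather than folded into the token counts, matching the slide's point that it is a side feature: a long Base64 blob and a minified library both score high, so on its own it separates "dense" from "sparse", not malicious from benign.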
STATIC ANALYSIS (METHOD 2)
• How is JS executed/handled?
1. The code is scanned for function declarations. Each declaration is processed by creating a function object and binding its name, so that the function can be called from any statement in the same script block, including one that appears before the declaration (hoisting).
2. The statements are then evaluated and executed in the order in which they appear. Each <script> block is compiled and run as the parser reaches it, before the next block is parsed (unless the script is marked defer or async).
JS EXAMPLE #1
<script>
  DoNothing();
  function DoNothing() {
    return;
  }
</script>
This works: DoNothing is declared in the same block, so it is hoisted above the call.
JS EXAMPLE #2
<script>
  DoNothing();
</script>
<script>
  function DoNothing() {
    return;
  }
</script>
This does not work: the first block runs before the second is parsed, so DoNothing is not yet defined and the call throws a ReferenceError.
JS EXAMPLE #3
<script>
  function DoNothing() {
    return;
  }
</script>
<script>
  DoNothing();
</script>
This works: the declaration ran in the earlier block and is a global by the time the second block executes.
JS EXAMPLE #4
<script>
  // assuming that DoNothing is not defined
  DoNothing();
  alert(1);
</script>
This does not work: the ReferenceError aborts the rest of the block, so alert(1) never runs.
JS EXAMPLE #5
<script>
  // assuming that DoNothing is not defined
  DoNothing();
</script>
<script>
  alert(1);
</script>
This works: the error is confined to the first block; the second block still runs and alert(1) fires.
STATIC ANALYSIS (METHOD 2)
• Semantic analysis, to focus on "what does this mean"
• An optimizer-compiler for JS that focuses on structure rather than on extracted invocative functions
OPTIMIZER-COMPILER
• The following describes the architecture of any ordinary compiler, and of the current compiler as well:
  Lexer -> (Tokens) -> Parser -> (AST) -> Translator -> (IR) -> Optimizer
OPTIMIZER-COMPILER
• In this phase the optimizer applies standard optimization techniques to the JS input, after the AST has been generated and converted into an IR
• Optimizer
  • Hidden Classes
  • Type Inference
  • Inline Caches
  • Function Synthesis
  • Inline Expansion
  • Loop Invariant Code Motion
  • Constant Folding
  • Copy Propagation
  • Common Sub-Expression Elimination
  • Dead Code Elimination
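Three of the passes listed above (constant folding, copy propagation, dead code elimination) are what make this approach a deobfuscator: applied to a loader shaped like the one in "Our Intent", they collapse the unescape chain into the literal string handed to Function, with no need to execute the page. The following toy optimizer over a three-address IR is an added example and not the authors' compiler; the IR shape, the table of builtins treated as pure, and the list of sinks are assumptions, and the sample string starts with the slide's '%25%33%43%69%66%72%61%6d%65' and is completed with a constructed tail so that it decodes to a whole tag.

```javascript
// Added example: constant folding + copy propagation + dead code elimination
// over a small IR, iterated to a fixed point.

// Calls the optimizer may evaluate at compile time because they have no side effects.
const PURE_BUILTINS = {
  unescape: (s) => unescape(s),
  'String.fromCharCode': (...codes) => String.fromCharCode(...codes),
  concat: (...parts) => parts.join(''),
};
// Calls that consume their argument and must never be removed.
const SINKS = new Set(['Function', 'eval', 'document.write']);

// Statement: { dst, op: 'const', value } or { dst, op: 'call', fn, args }.
// Argument:  { lit: value } or { ref: name }.

// One pass of copy propagation (replace refs to known constants with literals)
// followed by constant folding (evaluate pure calls whose args are all literals).
function foldConstants(ir) {
  const env = new Map(); // name -> known constant value
  return ir.map((s) => {
    if (s.op === 'const') { env.set(s.dst, s.value); return s; }
    const args = s.args.map((a) => (a.ref !== undefined && env.has(a.ref) ? { lit: env.get(a.ref) } : a));
    if (PURE_BUILTINS[s.fn] && args.every((a) => a.lit !== undefined)) {
      const value = PURE_BUILTINS[s.fn](...args.map((a) => a.lit));
      env.set(s.dst, value);
      return { dst: s.dst, op: 'const', value };
    }
    return { ...s, args };
  });
}

// Drop definitions nobody reads. Sinks and calls to unknown (possibly impure)
// functions are kept regardless of whether their result is used.
function eliminateDeadCode(ir) {
  const used = new Set();
  for (const s of ir) if (s.op === 'call') for (const a of s.args) if (a.ref !== undefined) used.add(a.ref);
  return ir.filter((s) => used.has(s.dst) || (s.op === 'call' && (SINKS.has(s.fn) || !PURE_BUILTINS[s.fn])));
}

// Each fold can expose more dead code and vice versa, so iterate until stable.
function optimize(ir) {
  let current = ir;
  for (;;) {
    const next = eliminateDeadCode(foldConstants(current));
    if (JSON.stringify(next) === JSON.stringify(current)) return next;
    current = next;
  }
}

// IR for: var a = '...'; var b = unescape(unescape(a)); var spray = new Function(unescape(b));
const LOADER_IR = [
  { dst: 'a', op: 'const', value: '%25%33%43%69%66%72%61%6d%65%25%33%45' }, // slide prefix + constructed '%25%33%45'
  { dst: 't', op: 'call', fn: 'unescape', args: [{ ref: 'a' }] },
  { dst: 'b', op: 'call', fn: 'unescape', args: [{ ref: 't' }] },
  { dst: 'u', op: 'call', fn: 'unescape', args: [{ ref: 'b' }] },
  { dst: 'spray', op: 'call', fn: 'Function', args: [{ ref: 'u' }] },
];
```

After optimize(LOADER_IR) the only statement left is the Function sink with the literal "<iframe>" as its argument. That is the output a signature engine should be matched against, rather than the presence of unescape, which the folding has removed entirely. A call to a function outside the pure table is left in place, so an attacker who routes decoding through a custom function defeats this toy only until that function is itself inlined (the Inline Expansion pass above).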

TECUNIQUE: Success Stories: IT Service provider
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 

Catch and Release: A New Look at Detecting and Mitigating highly obfuscated Exploit Kits

  • 1. CATCH AND RELEASE: A NEW LOOK AT DETECTING AND MITIGATING HIGHLY OBFUSCATED EXPLOIT KITS
BY MOHAMED SAHER AND AHMED GARHY
  • 2. AGENDA
 Our Intent
 Rethinking Evasions
 Domain of the Problem
 Current Problem
 Problem with Current Solutions
 Solution #1 First Method
 Solution #2 Second Method
  • 3-4. OUR INTENT
 Is this function malicious?
function Translate(objects, offset, size) {
  var length = 4;
  for (var i = 0; i < size; i++) {
    var r = rc.substr(0, length);
    if (offset > 0) {
      r = r.substr(offset) + r.substr(0, offset);
    }
    objects[i] = r.substr(0, r.length);
  }
}
 Without understanding the context of how a function is used, it is very difficult to determine whether it is malicious or not
  • 5-7. OUR INTENT
 What about this script?
<script>
var a = '%25%33%43%69%66%72%61%6d%65 ...';
var b = unescape(unescape(a));
var spray = new Function(unescape(b));
</script>
 An “expert’s eye” can probably determine that it looks suspicious. The two are actually equal to each other
 Our intent is to allow an attack using the first example script, without depending on obfuscation like the second example script, and to propose a superior method for detecting both
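The claim that "the two are actually equal" can be checked without ever handing the decoded text to `new Function`. The following is an added example, not code from the talk: it peels `unescape()`-style percent-encoding layers statically until the text stops changing, then triages what was hidden. The decoder mirrors the legacy `unescape` rules (`%XX` and `%uXXXX`); the sample string starts with the prefix shown on the slide, and the rest of the tag (`src=""`) is constructed here for illustration.

```javascript
// Added example (not from the slides): peel nested unescape()-style
// percent-encoding layers statically, without executing the result.

// Decode one layer the way the legacy unescape() does: %XX and %uXXXX.
function unescapeLayer(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Keep decoding until the text stops changing or a layer cap is hit.
// Returns the plaintext and how many real layers were removed.
function peelPercentLayers(encoded, maxLayers = 8) {
  let current = encoded;
  let layers = 0;
  for (; layers < maxLayers; layers++) {
    const next = unescapeLayer(current);
    if (next === current) break;
    current = next;
  }
  const capped = layers === maxLayers && unescapeLayer(current) !== current;
  return { plain: current, layers, capped };
}

// Defender-side triage of what sat behind the layers: markup that injects
// content and constructs that turn strings into code. The slide's point
// stands: these markers alone are weak evidence, so the layer count is
// reported alongside them.
const MARKERS = ['<iframe', '<script', 'new Function', 'eval(', 'fromCharCode'];

function triage(encoded) {
  const peeled = peelPercentLayers(encoded);
  const lower = peeled.plain.toLowerCase();
  const hits = MARKERS.filter(m => lower.includes(m.toLowerCase()));
  return { ...peeled, hits, suspicious: peeled.layers >= 2 || hits.length > 0 };
}

// Constructed sample: the slide's prefix decodes to "<iframe"; the
// attribute part is made up here and decodes to ' src=""' followed by '>'.
const SAMPLE = '%25%33%43%69%66%72%61%6d%65' +
  '%25%32%30%25%37%33%25%37%32%25%36%33%25%33%44%25%32%32%25%32%32%25%33%45';

console.log(triage(SAMPLE));
```

Two layers come off the sample and the plaintext is an `<iframe>` tag, which is exactly what the slide's `unescape(unescape(a))` would produce at run time; the analyst gets the same answer without executing anything.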
  • 9-12. RETHINKING EVASIONS
 Designing a new architecture
 Use a message oriented architecture (MOA) to split the attack into disparate self-contained messages – we refer to these as “units of work”
 This is a variation of the “script splitting” technique, except that a message exists within a local scope and is destroyed after it serves its purpose
 Does not require DOM manipulation to hide “magic strings”
 Avoids the “magic redirect IFRAME” that can be a trigger for some analyzers
  • 13-17. RETHINKING EVASIONS
 Designing a new architecture
 Avoiding HTTP
 An artifact that can be parsed or scanned for patterns, characteristics, and definitions does not exist
 An alternative to loading JavaScript in “clear text”
 Load one message at a time, forcing each message to be analyzed independently – remember “units of work”
 Web Sockets are a perfect candidate for both MOA and bypassing HTTP from a web environment
  • 18-23. RETHINKING EVASIONS
 Designing a new architecture
 Avoiding HTTP
 Avoiding client side state
 Two components involved, client and server
[Diagram: Client (Listen, Invoke) ↔ Server (State, Send)]
 For each accepted connection from a client, the server maintains a state machine
 Messages are essentially commands and do not depend on each other – remember “units of work”
 The client evaluates a message, invokes it, and destroys it
  • 24-27. RETHINKING EVASIONS
 Designing a new architecture
 Avoiding HTTP
 Avoiding client side state
 Limit control flow and function call hierarchy
 The only client control flow is that of the client listening for and invoking a message
 The order of messages is not guaranteed by the server. The server may send NOP messages as part of an attack to trick certain analyzers
 “Monkey patch” functions dynamically evaluated in messages to trick certain analyzers
  • 28-34. RETHINKING EVASIONS
 Designing a new architecture
 Avoiding HTTP
 Avoiding client side state
 Limit control flow and function call hierarchy
 Getting creative in transport format
 Web Sockets are simple TCP pipes, so data can be represented on the wire in an application-specific way
 No longer restricted to sending JavaScript in clear text
 Create a custom binary format
 Send the message in binary on the wire
0100100001100101011011000110110001101111001000000100100001100001011011010110001001110101011100100110011100100001
 Simply looking at a binary message won't give hints about what its contents are – is it an audio file, an image, even text?
 To even begin to understand a binary message, its format specification needs to be known beforehand, or else it is a very challenging problem in its own right
  • 35-37. RETHINKING EVASIONS
 Designing a new architecture
 Avoiding HTTP
 Avoiding client side state
 Limit control flow and function call hierarchy
 Getting creative in transport format
 Confusing the Context
 Remember this function?
function Translate(objects, offset, size) {
  var length = 4;
  for (var i = 0; i < size; i++) {
    var r = rc.substr(0, length);
    if (offset > 0) {
      r = r.substr(offset) + r.substr(0, offset);
    }
    objects[i] = r.substr(0, r.length);
  }
}
 Now that we get this from our binary format, we again ask the question: how do you determine if it is malicious?
  • 38-42. DOMAIN OF THE PROBLEM
 How can we define a malicious website?
 How can we detect a malicious website?
 How can we detect obfuscation?
 How can we identify obfuscation used for malicious purposes?
 How can we categorize what is malicious and what is not?
  • 43-45. CURRENT PROBLEM
 Exploit delivery relies on JavaScript at some point
 JavaScript is continuously being obfuscated with more complexity
 Current solutions are far behind in technology
  • 46-51. PROBLEMS WITH CURRENT SOLUTIONS
 They rely heavily on invocative functions (fromCharCode, eval, unescape, etc.) that are not a concrete basis for calling something malicious and have plenty of legitimate use cases:
 DOM and CSS selectors
 Client side proxies for client-server interaction
 Client side template engines
 Limited sets of characteristics
 The quality of a probabilistic decision is directly proportional to the characteristics extracted
  • 52-54. TYPES OF APPROACHES
 Dynamic analysis of embedded JS
 Static analysis of extracted JS (Method #1)
 Static analysis of extracted JS (Method #2)
  • 56-59. DYNAMIC ANALYSIS
 AdHoc Forwarding
 Create a middle layer between the browser and the JS engine
 Analyze the CFG of the scripts being executed
 Analyze the call hierarchy and order of functions
 Analyze certain combinations of functions used, including known highly risky ones
  • 60-64. DYNAMIC ANALYSIS
 AdHoc Forwarding
 Browser Automation
 Attach to the IE process
 Use shdocvw.dll to automate COM callbacks
 Capture events as they trigger and manipulate them
 Analyze in the same manner as AdHoc Forwarding
  • 65-67. DYNAMIC ANALYSIS
 AdHoc Forwarding
 Browser Automation
 Browser In-Memory Injection
 Inject JS into the DOM to monitor events
 Use a JS Debugger (FireBug or other)
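The in-memory injection approach above monitors from inside the page. The following is an added example of the kind of hook that approach injects; it is not the talk's tooling. It wraps the global `Function` constructor so that the source of every dynamically built function (the `new Function(unescape(b))` pattern from the intent slides) is captured before it runs, then hands the call to the real constructor so page behaviour is unchanged: catch, then release. Wrapping `eval` and string-argument `setTimeout` follows the same pattern and is left out here; the demo body and its heuristics are constructed.

```javascript
// Added example (not from the slides): capture dynamically evaluated source
// by wrapping the Function constructor, the way an in-page monitor would.

function installFunctionHook(target = globalThis) {
  const OriginalFunction = target.Function;
  const captured = [];

  function HookedFunction(...args) {
    // Last argument is the body; any earlier ones are parameter names.
    const body = args.length ? String(args[args.length - 1]) : '';
    captured.push({ params: args.slice(0, -1).map(String), body });
    // "Release": build the real function so the page keeps working.
    return OriginalFunction(...args);
  }
  // Keep `instanceof Function` working for code that checks it.
  HookedFunction.prototype = OriginalFunction.prototype;
  target.Function = HookedFunction;

  return {
    captured,
    uninstall() { target.Function = OriginalFunction; },
  };
}

// Heuristics over captured bodies. These are the "invocative function"
// indicators the talk calls weak on their own; the value of the hook is
// that it sees the body after the outer encoding layers are gone.
function summarize(captured) {
  return captured.map(({ body }) => ({
    length: body.length,
    usesUnescape: /\bunescape\s*\(/.test(body),
    hasIframe: /<iframe/i.test(body),
    fromCharCode: /fromCharCode/.test(body),
  }));
}

// Constructed demo: replay the slide's `new Function(...)` call with a
// harmless body and return what the hook recorded.
function demo() {
  const hook = installFunctionHook();
  try {
    const f = new Function('x', 'return unescape("%3Ciframe") + x;');
    const out = f('!');
    return { out, captured: hook.captured.slice(), report: summarize(hook.captured) };
  } finally {
    hook.uninstall();
  }
}

console.log(demo());
```

The hook must be installed before the page's scripts run (for the automation setups on the earlier slides, at document-start), otherwise the first `new Function` call is missed. It is also visible to the page, which is the kind of check the "monkey patch" bullet in the evasion section anticipates; an analyzer should therefore treat a page that inspects `Function.toString()` or compares `Function` against a saved reference as a signal in its own right.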
  • 68-69. STATIC ANALYSIS (METHOD 1)
 Extract local scripts
 Extract remote scripts
  • 70-74. STATIC ANALYSIS (METHOD 1)
 Analyze the scripts and categorize them based on certain criteria
 Web page encoding
 Detecting the language used and extracting features
 Check the WHOIS for the web page
 Determine probabilistically which category it belongs to
  • 76. SHANNON’S ENTROPY
 Formula
 We use Shannon’s Entropy to determine the entropy of the file only as a side-effect and not as the main criterion for deciding whether it is malicious or not
  • 77-78. NAÏVE BAYESIAN
 A machine-learning technique that can be used to predict to which category a particular data case belongs
 Given the above formula: an event A is INDEPENDENT of event B if the conditional probability is the same as the marginal probability
  • 79-80. LAPLACIAN SMOOTHING
 To avoid having a 0 joint in any partial probability, we use the add-one smoothing technique.
 Given an observation x = (x1, …, xd) from a multinomial distribution with N trials and parameter vector θ = (θ1, …, θd), a "smoothed" version of the data gives the estimator where α > 0 is the smoothing parameter (α = 0 corresponds to no smoothing)
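The Method 1 pipeline (feature extraction, then a probabilistic category decision) and the three slides above fit together in a few dozen lines. The following is an added example, not the talk's classifier: Shannon entropy computed as a side feature, a bag-of-identifiers feature extractor, and a multinomial Naive Bayes classifier whose per-token estimate is the add-one form of the Laplace estimator, θ̂ᵢ = (xᵢ + α) / (N + α·d), with d the vocabulary size. The four training scripts and the two classified scripts are constructed; a real deployment needs a labelled corpus and the other features the slides list (encoding, language, WHOIS).

```javascript
// Added example (not from the slides): entropy side feature plus a
// Naive Bayes classifier with Laplace (add-one) smoothing over token counts.

// Shannon entropy in bits per character: H = -sum p_i * log2(p_i).
function shannonEntropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Feature extraction: identifiers and property names, lower-cased.
function tokens(script) {
  return (script.match(/[A-Za-z_$][A-Za-z0-9_$]*/g) || []).map(t => t.toLowerCase());
}

class NaiveBayes {
  constructor(alpha = 1) {
    this.alpha = alpha;          // smoothing parameter; 0 would disable smoothing
    this.classDocs = new Map();  // class -> number of training documents
    this.classTokens = new Map();// class -> Map(token -> count x_i)
    this.classTotal = new Map(); // class -> total token count N
    this.vocab = new Set();      // all tokens seen; its size is d
  }

  train(label, script) {
    this.classDocs.set(label, (this.classDocs.get(label) || 0) + 1);
    const counts = this.classTokens.get(label) || new Map();
    for (const t of tokens(script)) {
      counts.set(t, (counts.get(t) || 0) + 1);
      this.classTotal.set(label, (this.classTotal.get(label) || 0) + 1);
      this.vocab.add(t);
    }
    this.classTokens.set(label, counts);
  }

  // Smoothed estimate theta_i = (x_i + alpha) / (N + alpha * d); never 0,
  // so an unseen token cannot zero out the whole product.
  tokenProb(label, t) {
    const x = (this.classTokens.get(label) || new Map()).get(t) || 0;
    const N = this.classTotal.get(label) || 0;
    return (x + this.alpha) / (N + this.alpha * this.vocab.size);
  }

  // log P(class) + sum log P(token | class); logs avoid underflow.
  logPosterior(label, script) {
    const docs = [...this.classDocs.values()].reduce((a, b) => a + b, 0);
    let lp = Math.log(this.classDocs.get(label) / docs);
    for (const t of tokens(script)) lp += Math.log(this.tokenProb(label, t));
    return lp;
  }

  classify(script) {
    let best = null;
    for (const label of this.classDocs.keys()) {
      const logp = this.logPosterior(label, script);
      if (best === null || logp > best.logp) best = { label, logp };
    }
    return { ...best, entropy: shannonEntropy(script) };
  }
}

// Constructed training corpus: two samples per class.
function buildDemoClassifier() {
  const nb = new NaiveBayes(1);
  nb.train('malicious', 'var b = unescape(unescape(a)); var spray = new Function(unescape(b));');
  nb.train('malicious', 'eval(String.fromCharCode(101,118,97,108));');
  nb.train('benign', 'document.getElementById("x").addEventListener("click", handler);');
  nb.train('benign', 'var total = items.map(price).reduce(sum, 0);');
  return nb;
}

console.log(buildDemoClassifier().classify('eval(unescape(payload))'));
```

With α = 1 the token `payload`, never seen during training, gets probability 1/(N + d) in each class instead of 0, which is the whole point of the smoothing slide; without it a single unseen identifier would make both posteriors zero and the decision arbitrary.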
  • 81-83. STATIC ANALYSIS (METHOD 2)
 How is JS executed/handled?
1. The code is scanned for all function declarations. Each declaration is executed by creating a function object, and a named reference to that function is created so that the function can be called from within a statement.
2. The statements are evaluated and executed in the order in which they appear on the page, after it is fully loaded.
  • 84. JS EXAMPLE #1
<script>
DoNothing();
function DoNothing() { return; }
</script>
This works
  • 85. JS EXAMPLE #2
<script>
DoNothing();
</script>
<script>
function DoNothing() { return; }
</script>
This does not work
  • 86. JS EXAMPLE #3
<script>
function DoNothing() { return; }
</script>
<script>
DoNothing();
</script>
This works
  • 87. JS EXAMPLE #3
<script>
// assuming that DoNothing is not defined
DoNothing();
alert(1);
</script>
This does not work
  • 88. JS EXAMPLE #3
<script>
// assuming that DoNothing is not defined
DoNothing();
</script>
<script>
alert(1);
</script>
This works
  • 89-90. STATIC ANALYSIS (METHOD 2)
 Semantic analysis to focus on “what does this mean”
 An Optimizer-Compiler for JS that focuses on structure rather than on extracted invocative functions
  • 91. OPTIMIZER-COMPILER
 The following describes the architecture of any ordinary compiler, and of the current compiler as well
[Diagram: Lexer → Tokens → Parser → AST → Translator → IR → Optimizer]
  • 92. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes
  • 93. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference
  • 94. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches
  • 95. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches Function Synthesis
  • 96. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches Function Synthesis Inline Expansion
  • 97. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches Function Synthesis Inline Expansion Loop Invariant Code Motion
  • 98. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches Function Synthesis Inline Expansion Loop Invariant Code Motion Constant Folding
  • 99. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches Function Synthesis Inline Expansion Loop Invariant Code Motion Constant Folding Copy Propagation
  • 100. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches Function Synthesis Inline Expansion Loop Invariant Code Motion Constant Folding Copy Propagation Common Sub-Expression Elimination
  • 101. OPTIMIZER-COMPILER  At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches Function Synthesis Inline Expansion Loop Invariant Code Motion Constant Folding Copy Propagation Common Sub-Expression Elimination Dead Code Elimination