First Wave: Mass SQL Injection. First noticed in late 2007. Tool based. Identified vulnerable pages across the internet using search engines. Sprayed them with SQL injection payloads: inserted script injections indiscriminately in all database columns. Infected data was reflected in dynamic pages.
Bulk of the spread: Self Propagation. Inserts IFrame/script injections in all web pages on the victim's machine. If the victim is a website admin, all his websites will be updated with infected pages. Or it steals FTP passwords from the victim's computer and updates the pages directly on the web server.
Prevention … "Process". Use Linux-based dedicated machines for website administration. But even the best process cannot be 100% effective because…
21.
Indirect Risks: The Legitimate can also become Dangerous. Site A links to Site B; Site B carries an IFrame injection. All internal and external users of the "clean" site A are also at risk now.
22.
Accept the risk…the Alternative: Fast Detection and Quick Remedy Contain the spread of infection. Protect reputation of the website.
23.
Detection Part 1: Detect ALL External Sites Linked from your websites
24.
2 Methods. Internal Scans: scanners that reside on the web server and scan all web pages for external links. External Scans: crawlers, not residing on the web server, that scan all pages from the internet.
25.
Internal Scans. Pros: Will be exhaustive and will scan pages behind authentication. Cons: Will affect web server performance and can even crash the server.
26.
External Scans. Pros: Can be run as often as possible. Has virtually no effect on the web server. Cons: Will depend on network conditions. Breadth and depth of the scan may not be exhaustive.
27.
The Scanner Must: Detect and list all external sites in a website. Ideally NOT visit any external websites, because it may put the system at risk.
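The listing step the slide describes can be done entirely offline on HTML the crawler has already fetched from the site's own domain, so no external host is ever contacted. The following is an added example written for this page, not the scanner the presentation's author built; the sample pages, the scanned domain (example.com) and the external host names (*.partner.example, bad-site.invalid) are constructed, and the "hidden frame" heuristic is an assumption about what the invisible IFrame injection on slides 6 and 12 looks like in markup.

```python
"""External-link lister: an added example, not the tool from the deck.

The crawler stage is assumed to have already fetched pages from our own
domain; this module only parses that HTML and lists every external host it
references, so no external site is ever visited.  The sample pages and the
domain names (example.com, *.partner.example, bad-site.invalid) are
constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch from, or navigate to, a URL.
URL_ATTRS = {
    "a": ("href",), "iframe": ("src",), "frame": ("src",),
    "script": ("src",), "img": ("src",), "link": ("href",),
    "form": ("action",), "embed": ("src",), "object": ("data",),
}


class LinkExtractor(HTMLParser):
    """Collects (tag, absolute URL, attributes) for every URL-bearing tag."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            raw = attrs.get(name)
            if raw:
                # urljoin resolves relative ("/x") and protocol-relative ("//host/x") refs
                self.links.append((tag, urljoin(self.page_url, raw.strip()), attrs))


def is_hidden_frame(tag, attrs):
    """Assumed heuristic for the invisible IFrame: zero-sized or styled away."""
    if tag not in ("iframe", "frame"):
        return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = {"0", "0px", "1", "1px"}
    return ("display:none" in style or "visibility:hidden" in style
            or (attrs.get("width") or "").lower() in tiny
            or (attrs.get("height") or "").lower() in tiny)


def is_own_host(host, own_domain):
    """Sub-domains of the scanned domain count as internal."""
    return host == own_domain or host.endswith("." + own_domain)


def external_sites(page_url, html, own_domain):
    """Return {host: {"hidden": bool, "tags": set}} for every external host on the page."""
    parser = LinkExtractor(page_url)
    parser.feed(html)
    found = {}
    for tag, url, attrs in parser.links:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # mailto:, javascript:, data: are not sites to list
        host = parts.hostname.lower().rstrip(".")
        if is_own_host(host, own_domain.lower()):
            continue
        entry = found.setdefault(host, {"hidden": False, "tags": set()})
        entry["tags"].add(tag)
        entry["hidden"] = entry["hidden"] or is_hidden_frame(tag, attrs)
    return found


def merge_crawl(pages, own_domain):
    """Combine per-page results for a whole crawl: {host: {"hidden": bool, "pages": [...]}}."""
    domain_list = {}
    for page_url, html in pages.items():
        for host, info in external_sites(page_url, html, own_domain).items():
            entry = domain_list.setdefault(host, {"hidden": False, "pages": []})
            entry["pages"].append(page_url)
            entry["hidden"] = entry["hidden"] or info["hidden"]
    return domain_list


# Constructed sample pages standing in for what the crawler fetched.
SAMPLE_PAGES = {
    "https://www.example.com/index.html": """
<html><body>
<a href="/about.html">About</a>
<a href="https://news.example.com/story">Our news sub-domain</a>
<img src="//cdn.partner.example/logo.png">
<script src="https://analytics.partner.example/a.js"></script>
<a href="mailto:webmaster@example.com">Mail</a>
<iframe src="http://bad-site.invalid/in.php" width=0 height=0></iframe>
</body></html>""",
    "https://www.example.com/news.html": """
<html><body>
<iframe src="http://bad-site.invalid/in.php" style="display: none"></iframe>
</body></html>""",
}

if __name__ == "__main__":
    for host, info in sorted(merge_crawl(SAMPLE_PAGES, "example.com").items()):
        flag = "HIDDEN FRAME" if info["hidden"] else ""
        print(f"{host:30} {len(info['pages'])} page(s) {flag}")
```

The output of `merge_crawl` is the per-domain list that the signature stage consumes; keeping the pages that reference each host makes the later "remove the link from the infected page" step a lookup rather than a second crawl. The hidden-frame flag is only a hint for triage: the decision still comes from the signature comparison, not from how the tag is styled.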
28.
Detection Part 2: Detecting malware-spreading sites in the list of external sites.
29.
Behavior Analysis Detection Model: Visit the external site. Download suspected malware. Analyze it and determine whether it is malware or not.
Behavior Analysis. Expensive: requires a dedicated setup. Slow: takes time to analyze all code downloaded from external websites. Newer malware is designed to fool it (delayed activation etc.). Will not detect infected 'site B'.
32.
Signature Based Detection Model: Downloads signatures of malware-infected sites. Compares the list of external sites to the signatures.
Signature Based. Cheap: can be done on any machine. Several "freely" available sources of signatures. Fast: comparison takes a fraction of the time. Safe: malware is not downloaded onto the machine. Will detect infected 'site B'.
35.
Final Model: External scanner/crawler that will continuously scan the entire domain for external sites. At least 2 sources of signatures. Update as frequently as possible.
36.
Ideally… Crawl time > Signature update time. On every signature update, the list of external sites from the (n-1)th crawl should be used for full comparison.
37.
On A Positive Match: Immediately remove the malware site link from the infected page. Run AV and malware detection scans on the affected server, or quarantine suspected computers… Change the FTP password.
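Slides 35 to 37 describe one procedure: load signatures from at least two sources, and on every signature update compare the complete host list from the last finished crawl (the (n-1)th, while crawl n is still running) rather than only newly seen hosts, then hand the hits to the remediation step. The block below is an added example written for this page, not the author's tool; the two feeds, the host names (bad-site.invalid, exploit.invalid, other.invalid, cdn.partner.example) and the page paths are constructed, and the feed format (one bare host or full URL per line, `#` comments) is an assumption, since the deck does not say which signature sources it used. Nothing here contacts an external site.

```python
"""Signature-matching stage: an added example, not the tool from the deck.

Input is the host list produced by a completed crawl and two signature feeds
(the deck recommends at least two sources).  The feeds, host names and page
paths below are constructed for the example; real feeds come from whatever
sources the operator subscribes to.  No external site is contacted.
"""
from urllib.parse import urlsplit


def normalise(line):
    """Reduce one feed line (bare host or full URL) to a lower-case host, or None."""
    line = line.strip().lower()
    if not line or line.startswith("#"):
        return None
    host = urlsplit(line).hostname if "://" in line else line.split("/")[0]
    return (host or "").rstrip(".") or None


def load_signatures(feeds):
    """feeds: {source_name: feed_text} -> {host: set(sources listing it)}."""
    sigs = {}
    for source, text in feeds.items():
        for line in text.splitlines():
            host = normalise(line)
            if host:
                sigs.setdefault(host, set()).add(source)
    return sigs


def match_host(host, sigs):
    """Match the host or any parent domain, so www.bad.invalid matches a bad.invalid entry."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):  # never match the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in sigs:
            return candidate, sigs[candidate]
    return None


class DomainScanner:
    """Keeps completed crawl results so a signature update is checked against the last full list."""

    def __init__(self):
        self.completed = []

    def crawl_finished(self, host_list):
        """host_list: {external_host: [pages linking to it]} from one full crawl."""
        self.completed.append(host_list)

    def on_signature_update(self, feeds):
        """Deck's rule: compare the whole list from the last completed crawl
        (the (n-1)th while crawl n is running), not just newly seen hosts."""
        if not self.completed:
            return []
        sigs = load_signatures(feeds)
        hits = []
        for host, pages in self.completed[-1].items():
            matched = match_host(host, sigs)
            if matched:
                hits.append({"host": host, "signature": matched[0],
                             "sources": sorted(matched[1]), "pages": sorted(pages)})
        return hits


# Constructed signature feeds and crawl output.
FEEDS = {
    "feed-A": "# constructed feed A\nbad-site.invalid\nhttp://exploit.invalid/kit/in.php\n",
    "feed-B": "bad-site.invalid\nother.invalid/landing\n",
}
CRAWL_N_MINUS_1 = {
    "bad-site.invalid": ["/index.html", "/news.html"],
    "www.exploit.invalid": ["/blog/1.html"],
    "cdn.partner.example": ["/index.html"],
}

if __name__ == "__main__":
    scanner = DomainScanner()
    scanner.crawl_finished(CRAWL_N_MINUS_1)
    for hit in scanner.on_signature_update(FEEDS):
        # Remediation list from the deck: remove the link from each listed page,
        # then scan the server and rotate the FTP credentials.
        print(f"{hit['host']} (listed as {hit['signature']} by {', '.join(hit['sources'])}) "
              f"-> clean {hit['pages']}")
```

Two design points follow from the deck. Matching parent domains means a feed entry for a domain also catches hosts under it, which is the usual granularity of such lists; and re-checking the entire previous crawl on each update is what lets a host that was benign at crawl time be caught as soon as a feed lists it, which an incremental "only new hosts" comparison would miss.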
#2 This is a malware detection method for websites, not for end users/ victims.
#3 Malware, for this presentation, is a piece of code with intent to harm computer users. It may be a back door, key logger, or a botnet client. End victims of malware are individuals and not websites.
#4 Attackers are always looking to deliver the malware to the victim. Maybe over the WWW, or it may include techniques like infected USBs. The initial attacks were email based or through phishing sites. Now, they are using an alternative 'trust' based method: exploiting the trust that users have for 'known' websites. Malicious coders, working for RBN, create malware. These malware can be bought online. Example… - this is something I can work on.
#5 All are trusted names. There is implicit ‘trust’ when you visit their sites. Although not the end victim, these websites were victims of attacks. And they lost reputation.
#6 In the HTML source of the web pages, an ‘invisible’ redirection to a malicious site from where malware is downloaded. Note the obfuscation. The decoded URL: http: //chura.pl- one of the many malicious websites. This can also be a ‘script’ redirection- several variations of the same. How widespread is the problem?
#9 With any of the above warning, a website loses reputation. Organizations lose reputations. Especially bad for ‘traffic-driven’ web based businesses. For banking websites, users will get keyloggers.
#10 Automated tools discovered vulnerable pages and sprayed them with payloads that inserted scripts into databases. The scripts were then served by all dynamic pages that picked up data from the corrupted database.
#11 The payload was encoded in hex to bypass IPS and IDS signatures.
#12 An infected page will look like the above, with lots of corrupted data and invisible redirections in the background.
#15 A medium sized domain with 4 sub domains. 4 sub domains= at least 4 separate web content administrators.
#17 The best antivirus products have less than a 50% chance of catching the malware. Source: http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf
#18 1 of 4 content admins infected with malware. The entire domain is at risk of losing reputation.
#19 With any of the above warning, a website loses reputation. Organizations lose reputations. Especially bad for ‘traffic-driven’ web based businesses.
#21 Since almost all malware is designed to exploit Windows vulnerabilities, it is safer to use Linux-based systems.
#22 Site A links to Site B: the basis of the internet. Site B gets infected with an IFrame injection. All internal and external users of the "clean" site A are also at risk.
#23 Containing the spread is important if you are an internet bank. Protecting reputation is important if you are a web portal with a traffic driven revenue model.
#37 Multiple sources of signatures. Instead of dynamically comparing every external site with the new signatures, compare the entire list of external sites from the previous scan with the new signatures. This ensures that nothing gets missed.