This document summarizes a presentation on the web forensics and analysis tool Fireshark. It discusses how Fireshark allows automated browsing and passive logging of connection data, source content, JavaScript calls and page links to help analyze malicious websites and mass injection attacks. Specific use cases covered include analyzing website architectures, redirection chains, and profiling compromised content. The document also provides examples of analyzing real injection campaigns using Fireshark to gain insights into exploitation techniques and patterns used by attackers on the web.
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette
ERA 2008 - Stephan Chenette, Presentation on Script Fragmentation attack
Abstract: This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content.
This involves distributing web exploits in a asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, This attack vector involves sending any web exploit in fragments and uses the already existing components within the web browser to reassemble and execute the exploit.
Our presentation will discuss this attack vector used to evade both gateway and client side detection. We will show several proof of concepts containing common readily available web exploits.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette
ERA 2008 - Stephan Chenette, Presentation on Script Fragmentation attack
Abstract: This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content.
This involves distributing web exploits in a asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, This attack vector involves sending any web exploit in fragments and uses the already existing components within the web browser to reassemble and execute the exploit.
Our presentation will discuss this attack vector used to evade both gateway and client side detection. We will show several proof of concepts containing common readily available web exploits.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
Michal will take you on a journey all the way to 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team's member approach writing rootkits? What is better - a fail negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
More here: http://bit.ly/2OMTu4
Sudha Iyer of LogLogic and Slavik Markovich of Sentrigo discuss how hackers learn their trade and what you can do to protect your database.
Learn about methods for protecting against each type of attack, including secure coding practices, database hardening methods and deep-scanning database activity monitoring tools.
You will learn:
• How to think like a hacker (including a demonstration of basic hacking)
• SQL injection in depth
• How to avoid SQL injection problems
• User-defined DBMS security policies
• Taking control of SQL injection, buffer overflow and other privilege-escalation attacks
• How to preserve the confidentiality and integrity of your data
• Strategies for monitoring and analyzing database activities without impacting performance
Powershella lubią admini, programiści, a najbardziej hakerzy. Będąc natywną powłoką systemów Windows nie rzuca się w oczy, jednocześnie dając ogromne możliwości ofensywne. Podczas prelekcji Paweł zaprezentuje zarówno skuteczne one-linery jak i wielolinijkowe skrypty, które mogą siać spustoszenie w nieprzygotowanej organizacji. Pojawią się ciekawe kanały C2, malware napisany w całości w Powershellu, wyszukiwanie i eksploitacja słabo skonfigurowanych serwerów MSSQL etc.100% mięsa.
“The call to kill Adobe’s Flash in favour of HTML5 is rising...” This and similar statements mean that many web applications might now contain old and vulnerable SWF files as their developers have to concentrate on developing non-Flash contents. We may all hope that we never have to see Flash files ever again! However, as long as web browsers continue their support for Flash, web applications can be vulnerable to client-side issues and it is important for a penetration tester or a bug bounty hunter to have the right skills to find vulnerable SWF files. This presentation aids eager testers to identify security issues in the SWF files manually and automatically using certain techniques and tools.
PowerPoint File:
https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx
In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
RootedCON 2020 talk. In this talk, we showed the research about software dependencies that led us to rule the world for a day. Surprisingly, we could take control of more than 800 developer machines in less than 24 hours with the collusion of the most famous software dependency repositories... And with the "collaboraiton" of the developers ;)
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
Given at black hat and DEF CON 2010 by Wayne Huang and team.
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang
DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION
This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques.
We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit's a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection.
At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase.
Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injections such as Google's aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90's.
All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference.
Attendees will gain the following:
1. Understanding of drive-by downloads and associated terminologies.
2. Information about various drive-by download infection vectors.
3. Appreciation of tools helpful for drive-by analysis, including Malzilla, spikermonkey, rhino, burp and wepawet
4. Realize why drive-by downloads are hard to analyze and detect. Why antivirus fail, why behavior-based approaches fail, and why even manual efforts are difficult
5. Learning the Drivesploit framework and how it can be used to develop poc drive-bys
6. Learning two new deadly techniques: behavior-based browser finterprinting and javascript timelock puzzles
7. Learning how to implement above two using Drivesploit to defeat both automated and manual drive-by analysis
8. Knowledge about the available countermeasures to this threat
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
Michal will take you on a journey all the way to 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team's member approach writing rootkits? What is better - a fail negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
More here: http://bit.ly/2OMTu4
Sudha Iyer of LogLogic and Slavik Markovich of Sentrigo discuss how hackers learn their trade and what you can do to protect your database.
Learn about methods for protecting against each type of attack, including secure coding practices, database hardening methods and deep-scanning database activity monitoring tools.
You will learn:
• How to think like a hacker (including a demonstration of basic hacking)
• SQL injection in depth
• How to avoid SQL injection problems
• User-defined DBMS security policies
• Taking control of SQL injection, buffer overflow and other privilege-escalation attacks
• How to preserve the confidentiality and integrity of your data
• Strategies for monitoring and analyzing database activities without impacting performance
Powershella lubią admini, programiści, a najbardziej hakerzy. Będąc natywną powłoką systemów Windows nie rzuca się w oczy, jednocześnie dając ogromne możliwości ofensywne. Podczas prelekcji Paweł zaprezentuje zarówno skuteczne one-linery jak i wielolinijkowe skrypty, które mogą siać spustoszenie w nieprzygotowanej organizacji. Pojawią się ciekawe kanały C2, malware napisany w całości w Powershellu, wyszukiwanie i eksploitacja słabo skonfigurowanych serwerów MSSQL etc.100% mięsa.
“The call to kill Adobe’s Flash in favour of HTML5 is rising...” This and similar statements mean that many web applications might now contain old and vulnerable SWF files as their developers have to concentrate on developing non-Flash contents. We may all hope that we never have to see Flash files ever again! However, as long as web browsers continue their support for Flash, web applications can be vulnerable to client-side issues and it is important for a penetration tester or a bug bounty hunter to have the right skills to find vulnerable SWF files. This presentation aids eager testers to identify security issues in the SWF files manually and automatically using certain techniques and tools.
PowerPoint File:
https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx
In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
RootedCON 2020 talk. In this talk, we showed the research about software dependencies that led us to rule the world for a day. Surprisingly, we could take control of more than 800 developer machines in less than 24 hours with the collusion of the most famous software dependency repositories... And with the "collaboraiton" of the developers ;)
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
Given at black hat and DEF CON 2010 by Wayne Huang and team.
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang
DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION
This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques.
We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit's a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection.
At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase.
Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injections such as Google's aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90's.
All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference.
Attendees will gain the following:
1. Understanding of drive-by downloads and associated terminologies.
2. Information about various drive-by download infection vectors.
3. Appreciation of tools helpful for drive-by analysis, including Malzilla, spikermonkey, rhino, burp and wepawet
4. Realize why drive-by downloads are hard to analyze and detect. Why antivirus fail, why behavior-based approaches fail, and why even manual efforts are difficult
5. Learning the Drivesploit framework and how it can be used to develop poc drive-bys
6. Learning two new deadly techniques: behavior-based browser finterprinting and javascript timelock puzzles
7. Learning how to implement above two using Drivesploit to defeat both automated and manual drive-by analysis
8. Knowledge about the available countermeasures to this threat
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
This presentation is part of our Reverse Engineering & Malware Analysis Training program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. At the opposite, only few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in details and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
Given at TRISC 2010, Grapevine, Texas.
http://www.trisc.org/speakers/aditya_sood/#p
The talk sheds light on the new trends of web based malware. Technology and Insecurity goes hand in hand. With the advent of new attacks and techniques the distribution of malware through web has been increased tremendously. Browser based exploits mainly Internet Explorer have given a birth to new world of malware infection. The attackers spread malware elegantly by exploiting the vulnerabilities and drive by downloads. The infection strategies opted by attackers like malware distribution through IFRAME injections and Search Engine Optimization. In order to understand the intrinsic behavior of these web based malware a typical analysis is required to understand the logic concept working behind these web based malwares. It is necessary to dissect these malwares from bottom to top in order to control the devastating behavior. The talk will cover structured methodologies and demonstrate the static, dynamic and behavioral analysis of web malware including PCAP analytics. Demonstrations will prove the fact and necessity of web malware analysis.
The 2013 Security Threat Report recaps what happened in data security in 2012, and what trends are ahead in 2013. For more information, visit: http://bit.ly/VcLfLa
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
In this presentation Stephan will discuss some recent research that emerged he was asked to build malicious applications that bypassed custom security controls. He will walk through some of the basics of reversing malicious apps for android as well as common android malware techniques and methodologies. From the analysis of the wild android malware, he will discuss techniques and functionality to include when penetration testing against 3rd-party android security controls.
BIO
Stephan Chenette is the Director of Security Research and Development at IOActive where he conducts ongoing research to support internal and external security initiatives within the IOActive Labs. Stephan has been in involved in security research for the last 10 years and has presented at numerous conferences including: Blackhat, CanSecWest, RSA, EkoParty, RECon, AusCERT, ToorCon, SecTor, SOURCE, OWASP, B-Sides and PacSec. His specialty is in writing research tools for both the offensive and defensive front as well as investigating next generation emerging threats. He has released public analyses on various vulnerabilities and malware. Prior to joining IOActive, Stephan was the head security researcher at Websense for 6 years and a security software engineer for 4 years working in research and product development at eEye Digital Security.
2012 B-Sides and ToorCon Talk Offensive Defense
Blog Post - http://blog.ioactive.com/2013/01/offensive-defense.html
Cyber-criminals have had back-end infrastructures equivalent to Virus Total to test if malware and exploits are effective against AV scanners for many years, thus showing that attackers are proactively avoiding detection when building malware. In this day of age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks against cyber criminals. Let's not pretend attackers can't bypass each and every detection technique currently deployed. Join me as I present and review current detection methods found in most host and network security solutions found today. We will re-review the defense in depth strategy while keeping in mind that a solid security strategy consists of forcing an attacker to spend as much time and effort while needing to know a variety of skills and technologies in order to successfully pull off the attack. In the end I hope to convince you that thinking defensively requires thinking offensively.
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher
With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistant attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.
Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.
Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.
4. The Fireshark Project
Author: Stephan Chenette
Contributions by: Wladimir Palant (AdBlockPlus FF Plugin)
Organize and analyze
malicious website data
Correlate data
Similar mass injection attacks (C/R/E)
attacker patterns (providers/content/kits)
4
5. The Fireshark Project
Current Status
– 1.0 Release - April 2010 (GPL v3 license)
– 1.1 Release - due in November 2010 (selective beta)
5
6. Overview of Fireshark Architecture
Browser Plugin allows automated control of browser
Passively logs information to log file
– Connections (contextual reference)
– Source and DOM content
– JavaScript function calls
– Page Links
– Screen Shot
Your Job: Use post-processing scripts/database to output
organized results
6
8. URL Injection attacks are increasing
225% increase in the number of new
compromised legitimate websites in the
last 12 months.
Source: Websense Security Labs, State of Internet Security, Q3-Q4 2009 Report
Translation:
There is a large chance that a website you have visited
In the recent past served malicious code.
8
9. Victims of “Malvertisements” (2009)
The Drudge Report
Horoscope.com
Lyrics.com
slacker.com
Eweek.com
The New York Times
Philadelphia Inquirer
Expedia, Rhapsody
9
11. Redirection chains/ Mass Compromises
Nine-ball mass-injection
There are a varied but unique set of hosts involved in the redirection chain
Any repeat visitor is diverted to ask.com instead of a malicious landing page
The structure of the injected deobfuscation algorithm is equivalent throughout
all the infected sites
11
24. Crimepack 2.8 Anti-Analysis
Features include:
1. Undetected by AV Scanners (JavaScript &
PDF/JAR/JPG files)
2. Random PDF Obfuscation (Not using static PDF file
like other packs)
3. Blacklist checker & AutoChecker
4. Prevent Wepawet, JSunpack and other JavaScript
unpackers to decode your page
24
25. Crimepack 2.8 Changes
Added CVE-2010-0806
Added CVE-2010-0188
Added more ip's to block
IFrame generator
Redirector for non-vulnerable traffic
New JS cryptor
Anti-Kaspersky emulation
25
26. RECAP OF NEEDS: Track and Organize
Organize and analyze
malicious website data
Correlate data
Similar mass injection attacks (C/R/E)
attacker patterns (providers/content/kits)
26
33. Emulation -> Implementation is behind
document.body is undefined
document.title is undefined
document.forms is undefined
document.documentElement is undefined
document.URL is undefined
document.getElementsByTagName is not a
function
33
34. Emulation -> Implementation is behind
window.location.search
window.addEvent is not a function
window.onDomReady is not a function
window.parent is undefined
window.screen is undefined
window.top is undefined
screen is not defined
top is not defined
parent is not defined
self is not defined
location.protocol
34
36. Why do we need Fireshark?
Researcher
Network Administrator
Penetration Tester
We need tools to analyze mass injection attacks
– Website Architecture/Redirection Chains
– Source / Changes to DOM / JavaScript function calls
– Content Profiling / Screen shot
Using an organized and ultimately VISUAL approach
36
47. How to use Fireshark 1.0
Install Fireshark Firefox plugin (.xpi file)
Create data.txt file, place in your home directory
Tools->Go! (then go and get a cup of coffee)
** Reportlog.yml **
Use post-processing scripts
– FiresharkInitInfo.pl (must be run first)
– GraphViz.pl
– IngressEgress.pl
47
52. Down the Rabbit hole
Analysis of Three exemplary Injection campaigns
Injection campaigns occur daily
A breadth view analysis
Gain a better understanding of the malicious webscape
Use Fireshark to do it.
55. Injection Example #1
Step 1) Analyze a subset (500/13k)
Breadth
– Popular campaign will emerge
• Injections into unique websites will lead to same hosts
Depth
– Details of the attack
• Screen Shots
• Source code, Deobfuscted DOM, Network traffic
80. ru:8080 URL Injection Campaign
Similarities between infected sites:
Port 8080
Various changing .ru domains
Legitimate content on port 80 served by Apache
Malicious domains are mapped to 5 different IPs
Malicious IP addresses are on hosting providers
Leaseweb (Netherlands) and OVH.com (France)
Landing domains were NXD Dec 09’/Jan 10’
82. Observations from ru:8080 attack
Compromised websites can and are updated automatically
Compromised websites are injected with multiple
redirectors
Sharing of stolen FTP credentials
e.g. Many infected sites also led to Gumblar infected
domains, indicating that attackers perhaps had shared
stolen FTP credentials
83. Injection Example #3
Mass Injection #3
~5700 infected pages
~5300 unique hosts…sent 1k for analysis
95. Observations from Injection attack #3
The bad guys are tracking/hiding, redundancy redirectors
are common
Exploits that are being used are current e.g. all
platforms/browsers are targeted
Exploit kits are easily attainable, setup is quick
Many kits serve user polymorphic exploits/malware, thus
traditional AV signatures are always behind
103. Conclusions/Take-away
Compromised websites:
– Increase of 225% over the last 12 months
– Frequently updated to contain fresh links
– Current tools are insufficient if desire is to monitor
and analyze mass URL injections
Use Fireshark for:
– Mass Injection Analysis
– Redirection Chaining
– Content Profiling
103
104. Q&A
Questions?
Contact:
Stephan Chenette
Twitter: StephanChenette
Email: stephan@packetsector.net
Fireshark Feedback:
Join the Fireshark mailing list!! or..
send an email to feedback@fireshark.org
104