SlideShare a Scribd company logo

ISSA Journal Paper - JavaScript Infection Model

Aditya K Sood
Aditya K Sood
Technology
1 of 5
PreemInent truSted GlobAl ISSA ISSA Journal | November 2010 InformAtIon SecurIty communIty JavaScript Infection model By Aditya K Sood and Richard J. Enbody Advancements in Web 2.0 technologies have enhanced Internet functionality but at the same time have created numerous threats to the World Wide Web. this paper talks about the negative nature of JavaScript, which is exploited heavily by malware writers to spread infections throughout the online world. Abstract creasing4 in spite of versatile functions. These new technolo- gies have made the Web flexible and robust by allowing the Advancements in Web 2.0 technologies have enhanced In- inclusion of content from third-party sites and sending con- ternet functionality but at the same time have created nu- tent to other domains. In reality, data from the third parties merous threats to the World Wide Web. The biggest issue the cannot be verified against presence of potential malware. As online world is grappling with is web malware, which is an a result malware can accompany the data back into the parent outcome of intensive exploitation of web vulnerabilities. This website without restriction and continue spreading across the paper talks about the negative nature of JavaScript, which Web. Security considerations have to be undertaken in the is exploited heavily by malware writers to spread infections best possible manner to combat web exploitation. throughout the online world. new technologies exploitation Shift With the advent of new technologies, the sphere of attack sur- T here is always an element of discrepancy present be- face vulnerability has widened. The Web is getting exposed tween current and upcoming technologies. With the to identity theft, exploitation, scams, phishing, redirection advent of powerful operating system protection mech- vulnerabilities, cross site scripting (XSS), and cross site re- anisms, the attack surface has shifted to web exploitation vec- quest forgery (CSRF).5 CSRF, for example, is a type of attack tors because memory exploitation is becoming tougher for in which HTTP requests are sent in a stealth manner with- the attackers. Technologies such as Microsoft Data Execution out the knowledge of user. This type of attack allows the at- Protection (DEP),1 Address Space Layout Randomization tacker to execute commands and requests on user’s behalf. (ASLR),2 and GS cookies3 have circumvented the attack and The inherent vulnerabilities in web applications are exploited exploitation of system-level vulnerabilities. The use of string by various application injections such as PHP, ASP, LDAP, functions is completely isolated from systems as they are con- SQL, and DOM (Document Object Model).6 The injections sidered as a base for buffer overflow attacks. Exploitation has are widely used to manipulate the content, steal informa- shifted from system vulnerabilities to web vulnerabilities. tion, and spread malware. One step ahead is HTTP Protocol The attack landscape of the Web has a panorama of exploita- manipulation comprising of attack type Response Splitting,7 tions that are proliferating day by day. With the rise of blogs, which bypasses browser protection mechanisms by split- wikis, atom feeds, RSS, and others, the insecurity level is in- ting the HTTP response from the server thereby fooling the browser to interpret two responses instead of one. 4 RSS Attacks, http://www.techspot.com/news/20098-increased-rss-malware-attacks- 1 Data Execution Prevention, http://support.microsoft.com/kb/875352. predicted.html. 2 Address Space Layout Randomization, http://blogs.technet.com/b/security/ 5 Cross Site Request Forgery, https://www.isecpartners.com/files/CSRF_Paper.pdf. archive/2006/05/26/430538.aspx. 6 DOM XSS, http://www.webappsec.org/projects/articles/071105.shtml. 3 GS, http://blogs.technet.com/b/srd/archive/2009/03/20/enhanced-gs-in-visual- 7 HTTP Response Splitting, http://www.securiteam.com/ studio-2010.aspx. securityreviews/5WP0E2KFGK.html. ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 31
JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 The cropping up of Web 2.0 and AJAX with JSON (JavaS- cript Object Notation) has transformed the structure of Web. Primarily, AJAX is used to interact with a spe- cific set of events in a webpage through asynchronous JavaScript calls, which are usually scattered through- out the webpage. AJAX allows a number of events to be executed in a single page from different domains. Content validation is a big problem because content is fetched from various sources. Further, AJAX serializes all types of data elements into strings, which are used by programming interfaces such as ASP, ASP.NET, etc. Basically, serialization converts data into a stream. It also helps build dynamic scripts in a backend channel, passing information from third-party servers to the browser DOM for execution. These factors can be uti- lized collectively to misuse the AJAX technology8 and the techniques are proliferating in the wild. Numer- ous attacks can be initiated with new parameters and web technologies. The educational community, finan- cial institutions, banks, companies, etc., are all struc- tured over the Web. Browsers are interdependent on a number of components and sometimes it is hard to determine the impact of a vulnerability. Are we ready to handle such attacks? Are our defense mechanisms in- figure 1 – JavaScript Infection model genious enough to thwart Web 2.0 attacks through AJAX and applied policies? namic operations, which can be performed on the vulnerable websites and applications. Every browser uses JavaScript as a Web malware – real world scenario default scripting language and content is rendered without Web malware is infecting websites at a rapid pace. The rea- any notification because this scripting language is a working sons can be security negligence, unpatched vulnerabilities, standard in Web 2.0. That’s the main reason malware writers administration problems, etc., but the impact is growing use JavaScript to conduct stealth attacks by exploiting the in- exponentially. In the last few years, the security community built functionality of browsers. has detected an overwhelming increase in malware using Ja- It is always advisable to understand the benchmark of infec- vaScript.9 10 The malware problem, however, is not restricted tion strategies used by the attackers to launch extensive at- to one business entity but has encompassed all the spheres, tacks on the public websites or social networking environ- thereby resulting in loss of business and compromising the ments. The JavaScript Infection Model (JIM) reflects the stability and robustness of organizations. Dasient11 has pub- generic methods opted by the attackers to launch malware. lished stats which present the sphere of infection by web mal- The model itself clarifies the structure and basic thinking ware. Business is the most exploited entity because of the in- of the attacker to inject malware in the Web, thereby result- herent money element involved in it – there is money to steal. ing in large-scale infection. The overall model is presented in Figure 1. The following steps describe the model in detail. understanding the JavaScript Infection 1. Attacker controlled domain model The base is the attacker’s controlled domain, which hosts a JavaScript is one of the most susceptible scripting language number of malware/programs that are used for malicious used for malware infection by most of the attackers,12 espe- purposes. This step is undertaken to ensure that there is a cially since JavaScript is used extensively in websites and ap- centralized repository of JavaScript malware. The infection plications for accessing various HTML elements and objects vector can be a single website or a number of websites in the dynamically. JavaScript provides more robust control and dy- domain. The attacker’s controlled domain also has custom designed web spiders for collecting information from the 8 Malware using AJAX, http://blogs.securiteam.com/index.php/archives/734. Web. Attackers always look for vulnerabilities in websites to 9 Growth in Web Malware, http://blog.dasient.com/2010/09/continued-growth-in- web-based-malware_9357.html. conduct injections so that malicious content can be included 10 Malware Stats, http://wam.dasient.com/wam/infection_library_index. into the victimized websites. 11 Dasient, http://blog.dasient.com/2010/09/continued-growth-in-web-based- malware_9357.html. 2. Detecting blacklisted and vulnerable websites 12 JavaScript opens doors to browser-based attacks, http://news.cnet.com/JavaScript- The second step is to scrutinize vulnerable websites and do- opens-doors-to-browser-based-attacks/2100-7349_3-6099891.html. mains which possess inherent application vulnerabilities that ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 32
JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 can be exploited to spread malware. As most malware spread- ing attacks are automated, an attacker should have the infor- Spreading malware: JavaScript functionality mation of blacklisted websites in order to make the malware JavaScript is used extensively in spreading malware13 due to attacks more successful. Automated spiders accumulate in- its inherent nature to provide direct access to browser com- formation about a domain. This is a very important step from ponents. A JavaScript infection pattern is followed by most malware writer’s perspective because if the website is black- malware whether system-resident or web-based to hide the listed, it gives an indication of the fact that most browsers objects used for infection. The concept of hidden infection is will not visit that website. As a result, it hampers the malware not new but is used in a randomized manner. This is a very infections through JavaScript. This information required by effective technique to launch malware attacks in a stealthy the attacker depends on the capability of that spider. As one manner to exploit the user parlance to understand what is knows the Web is an open forest: there is no stringency in happening at the backend. There are definitive methods that accessing the front end of websites directly because it is the are used incessantly by web malware to infect victim ma- Web’s default nature until and unless custom security con- chines. Let’s have a look at the hidden structure which is used trols are implemented. intensively. 3. Designing attack vector remote scripting with hidden iframes After detecting the blacklisted domains, the crawlers push The HTTP specification allows the effective use of <iframe> the information back to the attacker’s controlled domain in a substantial manner to embed one webpage into another for scrutinizing the contents. During this process malicious webpage, irrespective of the domain to which a page belongs, scripts are not injected into blacklisted domains; rather new and can be used in cross-domain context. This functionality sets of websites having vulnerabilities are used as an attack of iFrames is exploited by malware writers in order to infect point. The crawling process is repeated to find new domains systems. Since these are interactive in nature, it is possible having security vulnerabilities. The information can be to bypass Same Origin Policy (SOP) easily to launch cross- scanned in an automated manner or manually; it depends domain attacks if a certain set of vulnerabilities exist in the on the attacker’s strategy how the process will be carried out. base software or in web applications. SOP defines a control For example, user agent strings provide information about policy on scripts that are originating in a same domain to the type of browsers used and other custom software that access properties and objects on various webpages in that do- are used in line with the browsers. This indirectly helps the main. SOP applies restrictions on scripts in order to prevent attackers a lot in crafting an attack by exploiting web vul- access to HTML objects and properties of webpages on differ- nerabilities in the new domains. If we talk about the manual ent domains and websites. SOP is completely browser-based, ways, then the attacker himself can look into the vulnerable and due to inherent vulnerabilities14 in browsers it can be by- websites for latent vulnerabilities. Again, it depends upon the passed easily. This factor relates not only to the HTTP speci- attack vector, which requires a specific set of vulnerabilities fication but also to the browsers as to how effectively SOP is to be exploited for spreading malware. implemented. It also depends on the rendering engine when 4. Exploiting targets the objects are rendered and access is required by them to perform various functions. The information is further looked upon by matching the in- dexed vulnerabilities on the attacker’s domain to explore di- <iframe src=”http://www.malicious.com” width=”1” rect vulnerabilities that can be exploited. If not, the attacker height=”1” style=”visibility:hidden;position:absol tries to inject malicious iFrames in the context of the domain ute”></iframe> with the source pointing to malicious JavaScript hosted on <iframe src=” http://www.malicious.com” width=”0” the attacker’s domain or third-party infected domain. Once height=”0”></iframe> the JavaScript is injected, the code is changed as per require- The above presented iFrame code is used heavily in spreading ments to infect the systems in a versatile manner. Lastly, the malware. The beauty of this code is the fact that the iFrame attacker controls the vulnerable websites hosted on a domain becomes hidden and cannot be displayed on the infected and changes them into a malware spreading entities. The at- website. The hidden iFrame sends a request to malicious.com tacker’s surface becomes diversified when more victims fall for downloading malware or executing rogue JavaScript. into the trap. Malware writers exploit this functionality to a greater extent Many of the online tools used by malware writers primar- to serve malware by infecting websites with iFrames which ily test the weaknesses and entry points through which Ja- can be used to serve hidden malware through infected web- vaScript can be injected. Because JavaScript is dynamic and sites. It is also possible to update databases with malicious robust in its working on the Web, it is the preferential choice iFrames as stored elements to make iFrames persistent in na- of malware writers to conduct attacks and spread malware. 13 JavaScript Malware, http://www.darkreading.com/security/app-security/showArticle. jhtml?articleID=208803932. 14 Mozilla SOP bypass Vulnerability, http://securitytracker.com/alerts/2010/ Jul/1024228.html. ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 33
JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 ture. This type of attack depends on the XSS vulnerability ity. Image objects a have “src” parameter and are pointed being present in the website, depending on the design of the to URLs that exploit the vulnerability in Firefox. JavaScript application and website which makes the XSS persistent or heap blocks constitute the shellcode with call and jmp in- reflective in nature. Nowadays, SQL-injection attacks have structions. The shellcode may result in downloading of mal- been used in conjunction with XSS to upload malicious iF- ware.18 rames into a database through a vulnerable website. The iFrames are passed as payloads in the form of hexadecimal obfuscation and hybrid codes strings,15 which get stored in the web database. It remains Code obfuscation is used at a very large scale for spreading persistent in the database and is retrieved when a website is- malware. The preferable scripting language is, of course, Ja- sues some database query. This tactic is used heavily in mass vaScript. But obfuscation is not restricted to only JavaScript SQL-injection attacks that spread malware through drive-by- and using only escape functionality and generic encoders. download attacks. Obfuscation is used extensively to make code hybrids now- adays. There can be a scenario in which two scripting lan- JavaScript heap spraying guages are used together. The malware spreading can be done The inherent software vulnerabilities that can be exploited very easily through hybrid codes because it becomes hard to through JavaScript heap spraying16 are also a major source of analyze the code which is encoded with custom encoder and malware infection. The browser-based exploits are used ex- using JavaScript functions to get downloaded into the sys- tensively to trigger malware infection on the client side. If a tem. For example, custom JavaScript decoders can be used to vulnerable version of the browser is running or there is pres- decode the JavaScript-related functions, but in order to deci- ence of vulnerable software, the malware writers try to ex- pher the payloads other extensive tools are required. PERL is ploit the vulnerability in order to execute custom shellcode. a good tool that is used in a wide manner to decode hybrid Heap spraying is a type of attack which exploits memory cor- codes to understand the actual payload which is exploiting ruption vulnerabilities through browsers without any has- the system. sles. The target is unsafe applications. The functional part is to create and allocate arbitrary objects in the heap by using Widgets a type-safe language. The objects used to fill heaps contain The Web 2.0 working model uses widgets at a very large scale. dangerous exploit codes to be run against the target system. Generally, these small chunks of code are used for enhanced Specific notions used for these types of exploits are men- functionality, primarily for advertisement purposes, includ- tioned below: ing content from third parties, notification alerts, etc. They are based on the concept of code reuse. Widgets are provided • Design a string which grows exponentially by concat- by the advertisement agencies, news portals, companies, etc., enating with itself to include content for the user website experience. The vendor • Keep string format as Unicode to avoid any type of offers widgets that can be added manually or automatically stringency in the code in the user websites or blogs, depending on the feasibility of • Exhaust the maximum length that is allowed by the environment. In order to accept data from third parties, the scripting engine widget provides a communication and content transfer inter- face between the parties. Once installed in the user website, it • Shellcode is placed at the end of the string opens the communication channel between the parent node • The set of code is copied over a large sum of arrays and the child node. JavaScript widgets are used heavily for which can control the execution infecting websites because the chunked code sits as HTML in • The attack surface is potentially created so that it can the parent page and follows the same hierarchy functions as have enough memory for exploitation the parent node.19 It means the code becomes in line with the main module and is executed as the webpage is loaded into • Heap blocks are considered to be on the same loca- the browser. Widgets may contain malware which redirects tions every time the website to a malware domain or starts downloading the The above mentioned steps are used to exploit the target malware executables into the system. So JavaScript code in through the browser. The security community has witnessed the form of widgets is used to spread malware through the exorbitant growth of these browser-based exploits in the re- Web thereby impacting the large sets of users who are using cent years.17 These attacks exploit the vulnerability in brows- that specific widget. The widgets can be uploaded to malware ers by manipulating the default heap using JavaScript, used domains or content delivery networks to follow the chain to create heap blocks within a particular memory range and process of infecting large number of websites. dynamic image objects generated to trigger the vulnerabil- 15 SQLXSSI Attacks, http://www.slideshare.net/adityaks/owasp-app-sec-us-2010. 18 Mozilla “Host: Heap Buffer Overflow Exploit,” http://www.exploit-db.com/ 16 Heap Spraying, http://www.blackhat.com/presentations/bh-europe-07/Sotirov/ exploits/1224. Presentation/bh-eu-07-sotirov-apr19.pdf. 19 Web Widget Infection, http://blog.dasient.com/2010/06/third-party-javascript- 17 IE Object Memory Corruption, http://www.exploit-db.com/exploits/930. widget.html. ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 34
JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 drive-by downloads designed search engine. If a victim uses that search portal to run a query, the resultant links are the most Drive-by Download20 is one of the most long-lived techniques vulnerable links and directed towards malicious web of spreading malware through JavaScript by forcing victims servers. This happens quite often. to download malware without their consent and knowledge. The malicious website usually hosts a number of hidden • Generation of advertisement pop ups in the system iFrames that point to the malicious program or malicious continuously. This can be a time-based logic to gen- Active X control. Essentially, the website forces the user’s erate a pop up after a requisite interval and running browser to install the plug-in directly on the system. How with the same behavior for a longer duration. does the drive-by download work? Let’s consider as generic The infection does not stop here as such. If a victim tries to case. The website offers a browser plug-in to install directly remove the required set of files, a cleanup link is also pro- into the context of system. There is a lot of functional dif- vided which further downloads another plug-in having well- ference between a normal plug-in and Program Loader Stub defined EULA and privacy restrictions. The attackers follow (PLS) which is installed as result of the plug-in. Program the same technique but the overall functional perspective is loader stub defines the nature of execution of plug-in. The different. It is kind of dual entrapment and the directed web- main function of program loader stub is to call functions in site looks like a cleaning solution vendor website, but typi- a hierarchical manner and synchronously. In general terms, cally it is fake. As a result, the victim is trapped again and the the PLS is responsible for calling API’s appropriately that are system gets infected with a different layout. used by plug-ins to download malware. The PLS loads each DLL that is required by the plug-in into the memory space. It conclusion fills in the structures in the import directory of the execut- Malware running rampant in the wild is an outcome of flaws able in the memory. If the DLL is not loaded in the memory, and vulnerabilities that exist in web applications and web- the PLS fails to load the malicious executable. The stub ac- sites that make up the Web. The same language tools are used tually downloads a lot of malicious content into the user’s for development AND exploitation. This paper has presented system by remaining silent and infecting the system at large JavaScript from the malicious infection point of view. In or- in a stealth manner. The plug-in offers fake information to der to defend against these web malware we have to design convince the user it is valid: a number of defenses and protections in the same pattern. 1. Fake certification and end user license agreements Since JavaScript is the major scripting language to add dy- (EULA) links aiming to exploit the user’s ability to namic functionality to webpages, the same is used for dy- make a decision about the software. namic generation of malware. So understanding the diverse nature of JavaScript, we can design protection mechanisms to 2. Incessant and rogue security warnings to exploit the combat its misuse and exploitation by malware writers. user’s inability to decide the working of software plug-in. About the Authors If the required plug-in is allowed to install in the system, a Aditya K Sood is a security researcher, con- stub is installed simultaneously, which further downloads a sultant, and Ph.D. candidate at Michigan number of programs without user consent. The installed pro- State University. He has worked in the se- grams infect the system as mentioned below: curity domain for Armorize, COSEINC, and KPMG and founded SecNiche Secu- • Infection at the folder level by placing malicious files. rity. He has been an active speaker at con- The malware programs follow the concept of cross ferences like RSA, TRISC, Hacker Halted, linking in which one malicious binary is interfaced ExCaliburCon, EuSecwest, XCON, OWASP AppSec, Security- with another malicious binary with randomized Byte, CERT-IN and has written content for HITB Ezine, Ha- names. This becomes hard for a normal user to detect kin9, Usenix Login.He may be reached at adi_ks@secniche.org. the real working of the binary present in the requisite program files folder. Dr. Richard Enbody is an Associate Profes- sor in the Department of Computer Science • Inserting malicious, e.g.,. porn website, links in the and Engineering, Michigan State Universi- browser bookmarks and shortcuts to be placed in the ty. He joined the faculty in 1987 after earn- program bars on the desktop that further links ma- ing his Ph.D. in Computer Science from licious website and malware programs respectively. the University of Minnesota. Richard’s The main criterion of this type of functionality is to research interests are in computer security, infect the generic places in the systems which are used computer architecture, web-based distance by the victims easily. education, and parallel processing. He has • It primarily hijacks the default browser links and web- two patents pending on hardware buffer-overflow protection, pages and points to a malicious website or custom- which will prevent most computer worms and viruses. He re- cently co-authored a CS1 Python book, The Practice of Comput- 20 Drive by Downloads, http://www.spywarewarrior.com/uiuc/dbd-anatomy.htm. ing using Python. He may be reached at enbody@cse.msu.edu. ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 35

Recommended

Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 nat page
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
Types of viruses
Types of virusesTypes of viruses
Types of virusesmudassir1988
 
Methods Hackers Use
Methods Hackers UseMethods Hackers Use
Methods Hackers Usebrittanyjespersen
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaperDaniel Tumser
 
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Jasmin Hami
 
Malware
MalwareMalware
Malwarezelkan19
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupSymantec
 

Recommended

Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 nat page
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
Types of viruses
Types of virusesTypes of viruses
Types of virusesmudassir1988
 
Methods Hackers Use
Methods Hackers UseMethods Hackers Use
Methods Hackers Usebrittanyjespersen
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaperDaniel Tumser
 
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Jasmin Hami
 
Malware
MalwareMalware
Malwarezelkan19
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupSymantec
 
Prevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniquePrevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniqueIJCSIS Research Publications
 
Corona - Ph.D. Defense Slides
Corona - Ph.D. Defense SlidesCorona - Ph.D. Defense Slides
Corona - Ph.D. Defense SlidesPluribus One
 
WannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of RansomwarWannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of RansomwarDavid Smith
 
Masango2017
Masango2017Masango2017
Masango2017Prakash1944121
 
MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017Jermund Ottermo
 
Codigo Malicioso
Codigo MaliciosoCodigo Malicioso
Codigo MaliciosoJose Manuel Acosta
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile MalwareMartin Holovský
 
The malware (r)evolution
The malware (r)evolutionThe malware (r)evolution
The malware (r)evolutionITrust - Cybersecurity as a Service
 
IJSRED-V2I3P69
IJSRED-V2I3P69IJSRED-V2I3P69
IJSRED-V2I3P69IJSRED
 
Web App Sec Benchmarks
Web App Sec BenchmarksWeb App Sec Benchmarks
Web App Sec BenchmarksAung Khant
 
Software Security - Vulnerability&Attack
Software Security - Vulnerability&AttackSoftware Security - Vulnerability&Attack
Software Security - Vulnerability&AttackEmanuela Boroș
 
Antivirus
AntivirusAntivirus
AntivirusPankaj Kumawat
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomwareijtsrd
 
Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983saif khan
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middlewareijtsrd
 
Stormy Weather
Stormy WeatherStormy Weather
Stormy WeatherAnthony Arrott
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry VirusEast West University
 
NALCO Recruitment 2015
NALCO Recruitment 2015NALCO Recruitment 2015
NALCO Recruitment 2015Sudha Sati
 
Thoughts On Simplicity and Agile
Thoughts On Simplicity and AgileThoughts On Simplicity and Agile
Thoughts On Simplicity and Agileguobiao_li
 
Student Facilitator Presentation
Student Facilitator PresentationStudent Facilitator Presentation
Student Facilitator PresentationZoe Christo
 
INGLES A1
INGLES A1INGLES A1
INGLES A1Johanna Parra Avila
 

More Related Content

What's hot

Prevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniquePrevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniqueIJCSIS Research Publications
 
Corona - Ph.D. Defense Slides
Corona - Ph.D. Defense SlidesCorona - Ph.D. Defense Slides
Corona - Ph.D. Defense SlidesPluribus One
 
WannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of RansomwarWannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of RansomwarDavid Smith
 
MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017Jermund Ottermo
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
IJSRED-V2I3P69
IJSRED-V2I3P69IJSRED-V2I3P69
IJSRED-V2I3P69IJSRED
 
Web App Sec Benchmarks
Web App Sec BenchmarksWeb App Sec Benchmarks
Web App Sec BenchmarksAung Khant
 
Software Security - Vulnerability&Attack
Software Security - Vulnerability&AttackSoftware Security - Vulnerability&Attack
Software Security - Vulnerability&AttackEmanuela Boroș
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomwareijtsrd
 
Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983saif khan
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middlewareijtsrd
 

What's hot (18)

Prevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniquePrevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash Technique
 
Corona - Ph.D. Defense Slides
Corona - Ph.D. Defense SlidesCorona - Ph.D. Defense Slides
Corona - Ph.D. Defense Slides
 
WannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of RansomwarWannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of Ransomwar
 
Masango2017
Masango2017Masango2017
Masango2017
 
MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017
 
Codigo Malicioso
Codigo MaliciosoCodigo Malicioso
Codigo Malicioso
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile Malware
 
The malware (r)evolution
The malware (r)evolutionThe malware (r)evolution
The malware (r)evolution
 
IJSRED-V2I3P69
IJSRED-V2I3P69IJSRED-V2I3P69
IJSRED-V2I3P69
 
Web App Sec Benchmarks
Web App Sec BenchmarksWeb App Sec Benchmarks
Web App Sec Benchmarks
 
Software Security - Vulnerability&Attack
Software Security - Vulnerability&AttackSoftware Security - Vulnerability&Attack
Software Security - Vulnerability&Attack
 
Antivirus
AntivirusAntivirus
Antivirus
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomware
 
Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983Zero day-malware-protection-brief-2607983
Zero day-malware-protection-brief-2607983
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middleware
 
Stormy Weather
Stormy WeatherStormy Weather
Stormy Weather
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry Virus
 

Viewers also liked

NALCO Recruitment 2015
NALCO Recruitment 2015NALCO Recruitment 2015
NALCO Recruitment 2015Sudha Sati
 
Thoughts On Simplicity and Agile
Thoughts On Simplicity and AgileThoughts On Simplicity and Agile
Thoughts On Simplicity and Agileguobiao_li
 
Student Facilitator Presentation
Student Facilitator PresentationStudent Facilitator Presentation
Student Facilitator PresentationZoe Christo
 
รายชื่อคณะทำงาน
รายชื่อคณะทำงานรายชื่อคณะทำงาน
รายชื่อคณะทำงานsongdet khunta
 
Ashtavakra Gita Chapter 18 - Wonders of Patience
Ashtavakra Gita Chapter 18 - Wonders of PatienceAshtavakra Gita Chapter 18 - Wonders of Patience
Ashtavakra Gita Chapter 18 - Wonders of PatienceVinod Kad
 
Corporate Image Consulting
Corporate Image ConsultingCorporate Image Consulting
Corporate Image Consultingrobertsol
 
Welding machine catalogue from expert technology co.,ltd manufacture
Welding machine catalogue from expert technology co.,ltd manufactureWelding machine catalogue from expert technology co.,ltd manufacture
Welding machine catalogue from expert technology co.,ltd manufacturecarriewu0911
 
Ukg pedagogig 2
Ukg pedagogig 2Ukg pedagogig 2
Ukg pedagogig 2Patta Ula
 
Resumes: Remove the Irrelevant
Resumes: Remove the IrrelevantResumes: Remove the Irrelevant
Resumes: Remove the IrrelevantSteve Rogers
 
对Cite space生成的kml文件进行可视化
对Cite space生成的kml文件进行可视化对Cite space生成的kml文件进行可视化
对Cite space生成的kml文件进行可视化cueb
 
iNut Limited Mi Gel
iNut Limited Mi GeliNut Limited Mi Gel
iNut Limited Mi Gelinutltd
 
iNut Limited Leather Beani Tablet Range
iNut Limited Leather Beani Tablet RangeiNut Limited Leather Beani Tablet Range
iNut Limited Leather Beani Tablet Rangeinutltd
 

Viewers also liked (20)

NALCO Recruitment 2015
NALCO Recruitment 2015NALCO Recruitment 2015
NALCO Recruitment 2015
 
Thoughts On Simplicity and Agile
Thoughts On Simplicity and AgileThoughts On Simplicity and Agile
Thoughts On Simplicity and Agile
 
Student Facilitator Presentation
Student Facilitator PresentationStudent Facilitator Presentation
Student Facilitator Presentation
 
INGLES A1
INGLES A1INGLES A1
INGLES A1
 
รายชื่อคณะทำงาน
รายชื่อคณะทำงานรายชื่อคณะทำงาน
รายชื่อคณะทำงาน
 
Rescue1.asd
Rescue1.asdRescue1.asd
Rescue1.asd
 
Elearning v.0.0
Elearning v.0.0Elearning v.0.0
Elearning v.0.0
 
Ashtavakra Gita Chapter 18 - Wonders of Patience
Ashtavakra Gita Chapter 18 - Wonders of PatienceAshtavakra Gita Chapter 18 - Wonders of Patience
Ashtavakra Gita Chapter 18 - Wonders of Patience
 
Corporate Image Consulting
Corporate Image ConsultingCorporate Image Consulting
Corporate Image Consulting
 
DGAE
DGAEDGAE
DGAE
 
Welding machine catalogue from expert technology co.,ltd manufacture
Welding machine catalogue from expert technology co.,ltd manufactureWelding machine catalogue from expert technology co.,ltd manufacture
Welding machine catalogue from expert technology co.,ltd manufacture
 
Ukg pedagogig 2
Ukg pedagogig 2Ukg pedagogig 2
Ukg pedagogig 2
 
Gnbkk by mz
Gnbkk by mzGnbkk by mz
Gnbkk by mz
 
Sujal enterprise
Sujal enterpriseSujal enterprise
Sujal enterprise
 
Resumes: Remove the Irrelevant
Resumes: Remove the IrrelevantResumes: Remove the Irrelevant
Resumes: Remove the Irrelevant
 
对Cite space生成的kml文件进行可视化
对Cite space生成的kml文件进行可视化对Cite space生成的kml文件进行可视化
对Cite space生成的kml文件进行可视化
 
The popularity of the english language
The popularity of the english languageThe popularity of the english language
The popularity of the english language
 
iNut Limited Mi Gel
iNut Limited Mi GeliNut Limited Mi Gel
iNut Limited Mi Gel
 
iNut Limited Leather Beani Tablet Range
iNut Limited Leather Beani Tablet RangeiNut Limited Leather Beani Tablet Range
iNut Limited Leather Beani Tablet Range
 
Simple instruction
Simple instructionSimple instruction
Simple instruction
 

Similar to ISSA Journal Paper - JavaScript Infection Model

Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and BrowsersAnalysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and Browserscscpconf
 
Qg was guide
Qg was guideQg was guide
Qg was guidenat page
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebZero Science Lab
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsIJTET Journal
 
Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do smehr77
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
13.2ResMilitary005651045-1058.pdf
13.2ResMilitary005651045-1058.pdf13.2ResMilitary005651045-1058.pdf
13.2ResMilitary005651045-1058.pdfsowmi59
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web securityIAEME Publication
 
Watch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)DnaWatch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)DnaSylCotter
 
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentCase Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentProlexic
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORNeha Rana
 
Study of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their CountermeasuresStudy of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their CountermeasuresEditor IJCATR
 
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...Editor IJMTER
 
IRJET - Web Vulnerability Scanner
IRJET - Web Vulnerability ScannerIRJET - Web Vulnerability Scanner
IRJET - Web Vulnerability ScannerIRJET Journal
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...IBM Rational software
 

Similar to ISSA Journal Paper - JavaScript Infection Model (20)

Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and BrowsersAnalysis of XSS attack Mitigation techniques based on Platforms and Browsers
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers
 
A26001006
A26001006A26001006
A26001006
 
Qg was guide
Qg was guideQg was guide
Qg was guide
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence Flaws
 
Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do s
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
375 378
375 378375 378
375 378
 
13.2ResMilitary005651045-1058.pdf
13.2ResMilitary005651045-1058.pdf13.2ResMilitary005651045-1058.pdf
13.2ResMilitary005651045-1058.pdf
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web security
 
Watch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)DnaWatch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)Dna
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
 
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentCase Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
 
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISORINLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
INLINE_PATCH_PROXY_FOR_XEN_HYPERVISOR
 
Study of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their CountermeasuresStudy of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their Countermeasures
 
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
 
Code protection
Code protectionCode protection
Code protection
 
IRJET - Web Vulnerability Scanner
IRJET - Web Vulnerability ScannerIRJET - Web Vulnerability Scanner
IRJET - Web Vulnerability Scanner
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
 

More from Aditya K Sood

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodAditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Aditya K Sood
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis PaperAditya K Sood
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Aditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareAditya K Sood
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware TaxonomyAditya K Sood
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...Aditya K Sood
 

More from Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
 

Recently uploaded

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 

Recently uploaded (20)

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 

ISSA Journal Paper - JavaScript Infection Model

  • 1. PreemInent truSted GlobAl ISSA ISSA Journal | November 2010 InformAtIon SecurIty communIty JavaScript Infection model By Aditya K Sood and Richard J. Enbody Advancements in Web 2.0 technologies have enhanced Internet functionality but at the same time have created numerous threats to the World Wide Web. this paper talks about the negative nature of JavaScript, which is exploited heavily by malware writers to spread infections throughout the online world. Abstract creasing4 in spite of versatile functions. These new technolo- gies have made the Web flexible and robust by allowing the Advancements in Web 2.0 technologies have enhanced In- inclusion of content from third-party sites and sending con- ternet functionality but at the same time have created nu- tent to other domains. In reality, data from the third parties merous threats to the World Wide Web. The biggest issue the cannot be verified against presence of potential malware. As online world is grappling with is web malware, which is an a result malware can accompany the data back into the parent outcome of intensive exploitation of web vulnerabilities. This website without restriction and continue spreading across the paper talks about the negative nature of JavaScript, which Web. Security considerations have to be undertaken in the is exploited heavily by malware writers to spread infections best possible manner to combat web exploitation. throughout the online world. new technologies exploitation Shift With the advent of new technologies, the sphere of attack sur- T here is always an element of discrepancy present be- face vulnerability has widened. The Web is getting exposed tween current and upcoming technologies. With the to identity theft, exploitation, scams, phishing, redirection advent of powerful operating system protection mech- vulnerabilities, cross site scripting (XSS), and cross site re- anisms, the attack surface has shifted to web exploitation vec- quest forgery (CSRF).5 CSRF, for example, is a type of attack tors because memory exploitation is becoming tougher for in which HTTP requests are sent in a stealth manner with- the attackers. Technologies such as Microsoft Data Execution out the knowledge of user. This type of attack allows the at- Protection (DEP),1 Address Space Layout Randomization tacker to execute commands and requests on user’s behalf. (ASLR),2 and GS cookies3 have circumvented the attack and The inherent vulnerabilities in web applications are exploited exploitation of system-level vulnerabilities. The use of string by various application injections such as PHP, ASP, LDAP, functions is completely isolated from systems as they are con- SQL, and DOM (Document Object Model).6 The injections sidered as a base for buffer overflow attacks. Exploitation has are widely used to manipulate the content, steal informa- shifted from system vulnerabilities to web vulnerabilities. tion, and spread malware. One step ahead is HTTP Protocol The attack landscape of the Web has a panorama of exploita- manipulation comprising of attack type Response Splitting,7 tions that are proliferating day by day. With the rise of blogs, which bypasses browser protection mechanisms by split- wikis, atom feeds, RSS, and others, the insecurity level is in- ting the HTTP response from the server thereby fooling the browser to interpret two responses instead of one. 4 RSS Attacks, http://www.techspot.com/news/20098-increased-rss-malware-attacks- 1 Data Execution Prevention, http://support.microsoft.com/kb/875352. predicted.html. 2 Address Space Layout Randomization, http://blogs.technet.com/b/security/ 5 Cross Site Request Forgery, https://www.isecpartners.com/files/CSRF_Paper.pdf. archive/2006/05/26/430538.aspx. 6 DOM XSS, http://www.webappsec.org/projects/articles/071105.shtml. 3 GS, http://blogs.technet.com/b/srd/archive/2009/03/20/enhanced-gs-in-visual- 7 HTTP Response Splitting, http://www.securiteam.com/ studio-2010.aspx. securityreviews/5WP0E2KFGK.html. ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 31
  • 2. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 The cropping up of Web 2.0 and AJAX with JSON (JavaS- cript Object Notation) has transformed the structure of Web. Primarily, AJAX is used to interact with a spe- cific set of events in a webpage through asynchronous JavaScript calls, which are usually scattered through- out the webpage. AJAX allows a number of events to be executed in a single page from different domains. Content validation is a big problem because content is fetched from various sources. Further, AJAX serializes all types of data elements into strings, which are used by programming interfaces such as ASP, ASP.NET, etc. Basically, serialization converts data into a stream. It also helps build dynamic scripts in a backend channel, passing information from third-party servers to the browser DOM for execution. These factors can be uti- lized collectively to misuse the AJAX technology8 and the techniques are proliferating in the wild. Numer- ous attacks can be initiated with new parameters and web technologies. The educational community, finan- cial institutions, banks, companies, etc., are all struc- tured over the Web. Browsers are interdependent on a number of components and sometimes it is hard to determine the impact of a vulnerability. Are we ready to handle such attacks? Are our defense mechanisms in- figure 1 – JavaScript Infection model genious enough to thwart Web 2.0 attacks through AJAX and applied policies? namic operations, which can be performed on the vulnerable websites and applications. Every browser uses JavaScript as a Web malware – real world scenario default scripting language and content is rendered without Web malware is infecting websites at a rapid pace. The rea- any notification because this scripting language is a working sons can be security negligence, unpatched vulnerabilities, standard in Web 2.0. That’s the main reason malware writers administration problems, etc., but the impact is growing use JavaScript to conduct stealth attacks by exploiting the in- exponentially. In the last few years, the security community built functionality of browsers. has detected an overwhelming increase in malware using Ja- It is always advisable to understand the benchmark of infec- vaScript.9 10 The malware problem, however, is not restricted tion strategies used by the attackers to launch extensive at- to one business entity but has encompassed all the spheres, tacks on the public websites or social networking environ- thereby resulting in loss of business and compromising the ments. The JavaScript Infection Model (JIM) reflects the stability and robustness of organizations. Dasient11 has pub- generic methods opted by the attackers to launch malware. lished stats which present the sphere of infection by web mal- The model itself clarifies the structure and basic thinking ware. Business is the most exploited entity because of the in- of the attacker to inject malware in the Web, thereby result- herent money element involved in it – there is money to steal. ing in large-scale infection. The overall model is presented in Figure 1. The following steps describe the model in detail. understanding the JavaScript Infection 1. Attacker controlled domain model The base is the attacker’s controlled domain, which hosts a JavaScript is one of the most susceptible scripting language number of malware/programs that are used for malicious used for malware infection by most of the attackers,12 espe- purposes. This step is undertaken to ensure that there is a cially since JavaScript is used extensively in websites and ap- centralized repository of JavaScript malware. The infection plications for accessing various HTML elements and objects vector can be a single website or a number of websites in the dynamically. JavaScript provides more robust control and dy- domain. The attacker’s controlled domain also has custom designed web spiders for collecting information from the 8 Malware using AJAX, http://blogs.securiteam.com/index.php/archives/734. Web. Attackers always look for vulnerabilities in websites to 9 Growth in Web Malware, http://blog.dasient.com/2010/09/continued-growth-in- web-based-malware_9357.html. conduct injections so that malicious content can be included 10 Malware Stats, http://wam.dasient.com/wam/infection_library_index. into the victimized websites. 11 Dasient, http://blog.dasient.com/2010/09/continued-growth-in-web-based- malware_9357.html. 2. Detecting blacklisted and vulnerable websites 12 JavaScript opens doors to browser-based attacks, http://news.cnet.com/JavaScript- The second step is to scrutinize vulnerable websites and do- opens-doors-to-browser-based-attacks/2100-7349_3-6099891.html. mains which possess inherent application vulnerabilities that ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 32
  • 3. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 can be exploited to spread malware. As most malware spread- ing attacks are automated, an attacker should have the infor- Spreading malware: JavaScript functionality mation of blacklisted websites in order to make the malware JavaScript is used extensively in spreading malware13 due to attacks more successful. Automated spiders accumulate in- its inherent nature to provide direct access to browser com- formation about a domain. This is a very important step from ponents. A JavaScript infection pattern is followed by most malware writer’s perspective because if the website is black- malware whether system-resident or web-based to hide the listed, it gives an indication of the fact that most browsers objects used for infection. The concept of hidden infection is will not visit that website. As a result, it hampers the malware not new but is used in a randomized manner. This is a very infections through JavaScript. This information required by effective technique to launch malware attacks in a stealthy the attacker depends on the capability of that spider. As one manner to exploit the user parlance to understand what is knows the Web is an open forest: there is no stringency in happening at the backend. There are definitive methods that accessing the front end of websites directly because it is the are used incessantly by web malware to infect victim ma- Web’s default nature until and unless custom security con- chines. Let’s have a look at the hidden structure which is used trols are implemented. intensively. 3. Designing attack vector remote scripting with hidden iframes After detecting the blacklisted domains, the crawlers push The HTTP specification allows the effective use of <iframe> the information back to the attacker’s controlled domain in a substantial manner to embed one webpage into another for scrutinizing the contents. During this process malicious webpage, irrespective of the domain to which a page belongs, scripts are not injected into blacklisted domains; rather new and can be used in cross-domain context. This functionality sets of websites having vulnerabilities are used as an attack of iFrames is exploited by malware writers in order to infect point. The crawling process is repeated to find new domains systems. Since these are interactive in nature, it is possible having security vulnerabilities. The information can be to bypass Same Origin Policy (SOP) easily to launch cross- scanned in an automated manner or manually; it depends domain attacks if a certain set of vulnerabilities exist in the on the attacker’s strategy how the process will be carried out. base software or in web applications. SOP defines a control For example, user agent strings provide information about policy on scripts that are originating in a same domain to the type of browsers used and other custom software that access properties and objects on various webpages in that do- are used in line with the browsers. This indirectly helps the main. SOP applies restrictions on scripts in order to prevent attackers a lot in crafting an attack by exploiting web vul- access to HTML objects and properties of webpages on differ- nerabilities in the new domains. If we talk about the manual ent domains and websites. SOP is completely browser-based, ways, then the attacker himself can look into the vulnerable and due to inherent vulnerabilities14 in browsers it can be by- websites for latent vulnerabilities. Again, it depends upon the passed easily. This factor relates not only to the HTTP speci- attack vector, which requires a specific set of vulnerabilities fication but also to the browsers as to how effectively SOP is to be exploited for spreading malware. implemented. It also depends on the rendering engine when 4. Exploiting targets the objects are rendered and access is required by them to perform various functions. The information is further looked upon by matching the in- dexed vulnerabilities on the attacker’s domain to explore di- <iframe src=”http://www.malicious.com” width=”1” rect vulnerabilities that can be exploited. If not, the attacker height=”1” style=”visibility:hidden;position:absol tries to inject malicious iFrames in the context of the domain ute”></iframe> with the source pointing to malicious JavaScript hosted on <iframe src=” http://www.malicious.com” width=”0” the attacker’s domain or third-party infected domain. Once height=”0”></iframe> the JavaScript is injected, the code is changed as per require- The above presented iFrame code is used heavily in spreading ments to infect the systems in a versatile manner. Lastly, the malware. The beauty of this code is the fact that the iFrame attacker controls the vulnerable websites hosted on a domain becomes hidden and cannot be displayed on the infected and changes them into a malware spreading entities. The at- website. The hidden iFrame sends a request to malicious.com tacker’s surface becomes diversified when more victims fall for downloading malware or executing rogue JavaScript. into the trap. Malware writers exploit this functionality to a greater extent Many of the online tools used by malware writers primar- to serve malware by infecting websites with iFrames which ily test the weaknesses and entry points through which Ja- can be used to serve hidden malware through infected web- vaScript can be injected. Because JavaScript is dynamic and sites. It is also possible to update databases with malicious robust in its working on the Web, it is the preferential choice iFrames as stored elements to make iFrames persistent in na- of malware writers to conduct attacks and spread malware. 13 JavaScript Malware, http://www.darkreading.com/security/app-security/showArticle. jhtml?articleID=208803932. 14 Mozilla SOP bypass Vulnerability, http://securitytracker.com/alerts/2010/ Jul/1024228.html. ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 33
  • 4. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 ture. This type of attack depends on the XSS vulnerability ity. Image objects a have “src” parameter and are pointed being present in the website, depending on the design of the to URLs that exploit the vulnerability in Firefox. JavaScript application and website which makes the XSS persistent or heap blocks constitute the shellcode with call and jmp in- reflective in nature. Nowadays, SQL-injection attacks have structions. The shellcode may result in downloading of mal- been used in conjunction with XSS to upload malicious iF- ware.18 rames into a database through a vulnerable website. The iFrames are passed as payloads in the form of hexadecimal obfuscation and hybrid codes strings,15 which get stored in the web database. It remains Code obfuscation is used at a very large scale for spreading persistent in the database and is retrieved when a website is- malware. The preferable scripting language is, of course, Ja- sues some database query. This tactic is used heavily in mass vaScript. But obfuscation is not restricted to only JavaScript SQL-injection attacks that spread malware through drive-by- and using only escape functionality and generic encoders. download attacks. Obfuscation is used extensively to make code hybrids now- adays. There can be a scenario in which two scripting lan- JavaScript heap spraying guages are used together. The malware spreading can be done The inherent software vulnerabilities that can be exploited very easily through hybrid codes because it becomes hard to through JavaScript heap spraying16 are also a major source of analyze the code which is encoded with custom encoder and malware infection. The browser-based exploits are used ex- using JavaScript functions to get downloaded into the sys- tensively to trigger malware infection on the client side. If a tem. For example, custom JavaScript decoders can be used to vulnerable version of the browser is running or there is pres- decode the JavaScript-related functions, but in order to deci- ence of vulnerable software, the malware writers try to ex- pher the payloads other extensive tools are required. PERL is ploit the vulnerability in order to execute custom shellcode. a good tool that is used in a wide manner to decode hybrid Heap spraying is a type of attack which exploits memory cor- codes to understand the actual payload which is exploiting ruption vulnerabilities through browsers without any has- the system. sles. The target is unsafe applications. The functional part is to create and allocate arbitrary objects in the heap by using Widgets a type-safe language. The objects used to fill heaps contain The Web 2.0 working model uses widgets at a very large scale. dangerous exploit codes to be run against the target system. Generally, these small chunks of code are used for enhanced Specific notions used for these types of exploits are men- functionality, primarily for advertisement purposes, includ- tioned below: ing content from third parties, notification alerts, etc. They are based on the concept of code reuse. Widgets are provided • Design a string which grows exponentially by concat- by the advertisement agencies, news portals, companies, etc., enating with itself to include content for the user website experience. The vendor • Keep string format as Unicode to avoid any type of offers widgets that can be added manually or automatically stringency in the code in the user websites or blogs, depending on the feasibility of • Exhaust the maximum length that is allowed by the environment. In order to accept data from third parties, the scripting engine widget provides a communication and content transfer inter- face between the parties. Once installed in the user website, it • Shellcode is placed at the end of the string opens the communication channel between the parent node • The set of code is copied over a large sum of arrays and the child node. JavaScript widgets are used heavily for which can control the execution infecting websites because the chunked code sits as HTML in • The attack surface is potentially created so that it can the parent page and follows the same hierarchy functions as have enough memory for exploitation the parent node.19 It means the code becomes in line with the main module and is executed as the webpage is loaded into • Heap blocks are considered to be on the same loca- the browser. Widgets may contain malware which redirects tions every time the website to a malware domain or starts downloading the The above mentioned steps are used to exploit the target malware executables into the system. So JavaScript code in through the browser. The security community has witnessed the form of widgets is used to spread malware through the exorbitant growth of these browser-based exploits in the re- Web thereby impacting the large sets of users who are using cent years.17 These attacks exploit the vulnerability in brows- that specific widget. The widgets can be uploaded to malware ers by manipulating the default heap using JavaScript, used domains or content delivery networks to follow the chain to create heap blocks within a particular memory range and process of infecting large number of websites. dynamic image objects generated to trigger the vulnerabil- 15 SQLXSSI Attacks, http://www.slideshare.net/adityaks/owasp-app-sec-us-2010. 18 Mozilla “Host: Heap Buffer Overflow Exploit,” http://www.exploit-db.com/ 16 Heap Spraying, http://www.blackhat.com/presentations/bh-europe-07/Sotirov/ exploits/1224. Presentation/bh-eu-07-sotirov-apr19.pdf. 19 Web Widget Infection, http://blog.dasient.com/2010/06/third-party-javascript- 17 IE Object Memory Corruption, http://www.exploit-db.com/exploits/930. widget.html. ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 34
  • 5. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 drive-by downloads designed search engine. If a victim uses that search portal to run a query, the resultant links are the most Drive-by Download20 is one of the most long-lived techniques vulnerable links and directed towards malicious web of spreading malware through JavaScript by forcing victims servers. This happens quite often. to download malware without their consent and knowledge. The malicious website usually hosts a number of hidden • Generation of advertisement pop ups in the system iFrames that point to the malicious program or malicious continuously. This can be a time-based logic to gen- Active X control. Essentially, the website forces the user’s erate a pop up after a requisite interval and running browser to install the plug-in directly on the system. How with the same behavior for a longer duration. does the drive-by download work? Let’s consider as generic The infection does not stop here as such. If a victim tries to case. The website offers a browser plug-in to install directly remove the required set of files, a cleanup link is also pro- into the context of system. There is a lot of functional dif- vided which further downloads another plug-in having well- ference between a normal plug-in and Program Loader Stub defined EULA and privacy restrictions. The attackers follow (PLS) which is installed as result of the plug-in. Program the same technique but the overall functional perspective is loader stub defines the nature of execution of plug-in. The different. It is kind of dual entrapment and the directed web- main function of program loader stub is to call functions in site looks like a cleaning solution vendor website, but typi- a hierarchical manner and synchronously. In general terms, cally it is fake. As a result, the victim is trapped again and the the PLS is responsible for calling API’s appropriately that are system gets infected with a different layout. used by plug-ins to download malware. The PLS loads each DLL that is required by the plug-in into the memory space. It conclusion fills in the structures in the import directory of the execut- Malware running rampant in the wild is an outcome of flaws able in the memory. If the DLL is not loaded in the memory, and vulnerabilities that exist in web applications and web- the PLS fails to load the malicious executable. The stub ac- sites that make up the Web. The same language tools are used tually downloads a lot of malicious content into the user’s for development AND exploitation. This paper has presented system by remaining silent and infecting the system at large JavaScript from the malicious infection point of view. In or- in a stealth manner. The plug-in offers fake information to der to defend against these web malware we have to design convince the user it is valid: a number of defenses and protections in the same pattern. 1. Fake certification and end user license agreements Since JavaScript is the major scripting language to add dy- (EULA) links aiming to exploit the user’s ability to namic functionality to webpages, the same is used for dy- make a decision about the software. namic generation of malware. So understanding the diverse nature of JavaScript, we can design protection mechanisms to 2. Incessant and rogue security warnings to exploit the combat its misuse and exploitation by malware writers. user’s inability to decide the working of software plug-in. About the Authors If the required plug-in is allowed to install in the system, a Aditya K Sood is a security researcher, con- stub is installed simultaneously, which further downloads a sultant, and Ph.D. candidate at Michigan number of programs without user consent. The installed pro- State University. He has worked in the se- grams infect the system as mentioned below: curity domain for Armorize, COSEINC, and KPMG and founded SecNiche Secu- • Infection at the folder level by placing malicious files. rity. He has been an active speaker at con- The malware programs follow the concept of cross ferences like RSA, TRISC, Hacker Halted, linking in which one malicious binary is interfaced ExCaliburCon, EuSecwest, XCON, OWASP AppSec, Security- with another malicious binary with randomized Byte, CERT-IN and has written content for HITB Ezine, Ha- names. This becomes hard for a normal user to detect kin9, Usenix Login.He may be reached at adi_ks@secniche.org. the real working of the binary present in the requisite program files folder. Dr. Richard Enbody is an Associate Profes- sor in the Department of Computer Science • Inserting malicious, e.g.,. porn website, links in the and Engineering, Michigan State Universi- browser bookmarks and shortcuts to be placed in the ty. He joined the faculty in 1987 after earn- program bars on the desktop that further links ma- ing his Ph.D. in Computer Science from licious website and malware programs respectively. the University of Minnesota. Richard’s The main criterion of this type of functionality is to research interests are in computer security, infect the generic places in the systems which are used computer architecture, web-based distance by the victims easily. education, and parallel processing. He has • It primarily hijacks the default browser links and web- two patents pending on hardware buffer-overflow protection, pages and points to a malicious website or custom- which will prevent most computer worms and viruses. He re- cently co-authored a CS1 Python book, The Practice of Comput- 20 Drive by Downloads, http://www.spywarewarrior.com/uiuc/dbd-anatomy.htm. ing using Python. He may be reached at enbody@cse.msu.edu. ©2010 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only. 35