The document provides an overview of malicious web sites from Ali Ikinci of the Cyber Security Association. It discusses how malicious web sites can exploit vulnerabilities to install malware. Common attack vectors include browser plugins, media players, and Java. Techniques like heap spraying and code obfuscation are used to avoid detection. Detection methods include honeyclients, deobfuscation tools, and online reputation services. Defenses include software updates, firewalls, antivirus, and blacklists. The talk concludes with a discussion of exploit kits and the growing automated exploitation of software vulnerabilities.
1. OWASP Turkey - Application Security Day
Introduction to Malicious Web Sites
A First Look at Malicious Web Sites
Ali Ikinci – Siber Güvenlik Derneği
ali@ikinci.info
9 June 2012
Turkey
2. About Me
● Working on Malicious Web Sites since 2006
● Developed a Client Honeypot called Monkey-Spider in 2007 [9]
● Member of the Siber Güvenlik Derneği [10]
● Chapter Lead of the Turkish Chapter of the Honeynet Project [11]
● Chief Security Analyst at ContentKeeper Technologies [12]
9 June 2012
Application Security Day
Ali Ikinci
4. Malicious Web Sites ...
● Are Web sites which could be a threat to the security of the client computers requesting them
● Even a visit without any other interaction could be a threat (so called drive-by downloads)
● Such Web sites can ...
  – exploit browser vulnerabilities
  – exploit vulnerabilities of other client software
  – install backdoors, spyware or keyloggers
  – host all sorts of malware and malicious code
  – steal confidential information
5. Current Situation
● Attacks on client systems have become very popular in recent years
● Web Browsers are the most widespread kind of client software
● Browsers and Browser plugins are the most wanted targets in vulnerability assessment
● Firewalls and IDS systems are widely deployed, so the client has become the shortest path to hack into a network
● Botnets are on the rise and a valuable tool of the trade
6. Attack Vectors
● Anything a client computer requests from a server and in one way or another executes or interprets on the client computer could become an attack vector
● Web Browser
● Web Browser Plugins
  – Flash, PDF, Media Plugins, ActiveX, JRE ...
● Media Players/Viewers
● PDF Readers
● Java VMs ...
8. Attack Vectors Example
Programs/Libraries
● (X)HTML parsers like libxml, libxslt
● JavaScript Interpreters like V8, SpiderMonkey
● Exploits for PDF Readers like Acrobat Reader, Foxit Reader
● Exploits for Java Runtime Environments like Oracle JRE, IBM JRE ...
9. Starting Points for a Malicious Web Site Attack
● Specifically set up "Trojan" Web Sites looking benign but hosting Exploits, e.g. fake online AV sites
● Compromised benign Web Sites/Servers
● Malvertisements on benign Web Sites
● Spam Emails pointing to/loading Malicious Web Sites
● Malicious PDF Files sent via Email Spam
● Spam in Social Networks/Forums etc.
● Social Engineering on Social Networks, e.g. fake campaigns, fake news ...
10. Starting Point Example: Twitter Spam[8]
● Compromised Twitter accounts abused for propagation of Malicious Web Sites (April 2012)
11. Starting Point Example: Malvertisements
● Advertisements that conceal malicious content
● Distributed through benign Ad Networks
● Often utilized in situations where the attacker cannot obtain access to high value, highly trafficked web sites, relying on social engineering techniques to trick major ad networks into serving their malicious content [4]
● More than 3 million malvertising impressions served per day [4]
● After three months of web browsing, the probability that an average Internet user will hit an infected page is approximately 95% [4]
12. Attack Hiding Technique: Code Obfuscation
● Code Obfuscation intends to fool the malware analyst by making the code unreadable to the human eye, so the attack is not revealed
● A simple JavaScript example [1] hiding code in hexadecimal escape sequences:
var d=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');
Converted into ASCII this results in:
var d=document['createElement']('input');
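An analyst-side decoder for exactly this trick, as an added example that is not from the slides or from Kahu Security: it decodes \xHH and \uHHHH escapes only inside string literals and then rewrites a constant-key computed member access such as document['createElement'] into dotted form. Function names and the sample script are assumptions constructed for illustration.

```javascript
// Added example: static deobfuscation pass for hex-escaped JavaScript strings.
function decodeEscapes(src) {
  // Walk only quoted string literals so escapes elsewhere (regex literals, comments) stay untouched.
  return src.replace(/(['"])((?:\\.|(?!\1)[^\\])*)\1/g, (_, q, body) => {
    const decoded = body.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))/g, (_e, x, u) => {
      const c = String.fromCharCode(parseInt(x || u, 16));
      return c === q ? '\\' + q : c; // keep the literal valid if the escape hid a quote
    });
    return q + decoded + q;
  });
}

function dotifyMembers(src) {
  // obj['name'] -> obj.name when the key is a plain identifier, so calls read naturally
  return src.replace(/\[(['"])([A-Za-z_$][\w$]*)\1\]/g, '.$2');
}

function deobfuscate(src) {
  return dotifyMembers(decodeEscapes(src));
}

// Constructed sample: the same pattern as the slide's example (backslashes doubled for the JS literal).
const SAMPLE =
  "var d=document['\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74']('\\x69\\x6e\\x70\\x75\\x74');";

console.log(deobfuscate(SAMPLE)); // var d=document.createElement('input');
```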
13. Code Obfuscation Starting Point Example: Spam [1]
A markup-generating obfuscated JavaScript sample from a real world spam Mail trying to lure the user to a Malicious Web Site
Results in a redirect to the Malicious Web Site with the Exploit:
14. Browser Attack Example: Heap Spray Attack [3]
● does not actually exploit any security issue, but it can be used to make a security issue easier to exploit
● by itself cannot be used to break any security boundaries: a separate exploit is needed
● can be used to introduce a large amount of order to compensate for the difficulty of predicting the memory layout and increase the chances of successful exploitation
● takes advantage of the fact that often the start location of large heap allocations is predictable and consecutive allocations are roughly sequential
15. Example: Heap Spray Attack [2]
16. Example: Heap Spray Attack [2]
17. Example: Heap Spray Attack [2]
18. Example: Heap Spray Attack [2]
● An attack can consist of multiple Exploits if one is not enough to gain the needed system properties before executing the final shellcode and continuing the malicious deed
● After the predictable location has been reached, the exploit is triggered to point EIP (the Instruction Pointer) into the sprayed area, hopefully landing on the shellcode or on the next Exploit in the chain before the shellcode
● The shellcode is then used to continue the attack, often by downloading and installing backdoors and keyloggers, and often by adding the machine to the attacker's botnet as a bot/zombie
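The building blocks described on slides 14 to 18 (a repeated 16-bit unit expanded by a doubling loop and copied into many array slots) are what a low-interaction honeyclient or deobfuscation tool can look for statically before anything is executed. The heuristic below is an added example written for this page, not a tool from the slides; its function name, indicator names and both sample scripts are constructed assumptions.

```javascript
// Added example: static indicators of a heap spray in a captured script.
function heapSprayIndicators(src) {
  const hits = [];

  // 1. unescape("%uXXXX%uXXXX...") where a single 16-bit unit repeats: a sled/landing pad, not text.
  const re = /unescape\(\s*["']((?:%u[0-9a-fA-F]{4}){2,})["']\s*\)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const units = m[1].match(/%u[0-9a-fA-F]{4}/g).map(u => u.toLowerCase());
    if (new Set(units).size === 1) hits.push('repeated-unit-unescape');
  }

  // 2. Exponential string growth: while (s.length < N) s += s;
  if (/while\s*\(\s*(\w+)\.length\s*<\s*[\w.]+\s*\)\s*\{?\s*\1\s*\+=\s*\1\b/.test(src)) {
    hits.push('doubling-loop');
  }

  // 3. Filling array slots with the same concatenated string inside a for loop.
  if (/for\s*\([^)]*\)\s*\{?\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+/.test(src)) {
    hits.push('array-fill-loop');
  }

  // 4. Size constants in the hundreds of KB or more, typical of filling large heap regions.
  if (/0x[0-9a-fA-F]{5,}|\b\d{6,}\b/.test(src)) hits.push('large-size-constant');

  // Several independent indicators together are far less likely in ordinary page scripts.
  return { hits, score: hits.length, suspicious: hits.length >= 3 };
}

// Constructed fixtures (not real captures): a spray-shaped skeleton and an ordinary script.
const SPRAY_LIKE =
  'var s = unescape("%u9090%u9090"); while (s.length < 0x100000) s += s; ' +
  'var h = []; for (var i = 0; i < 500; i++) h[i] = s + p;';
const BENIGN =
  'var s = unescape("%u00e7%u00e3"); var items = []; for (var i = 0; i < 10; i++) items[i] = i * 2;';

console.log(heapSprayIndicators(SPRAY_LIKE)); // score 4, suspicious true
console.log(heapSprayIndicators(BENIGN));     // score 0, suspicious false
```

Such a score is a triage signal for an analyst, not a verdict: the final confirmation still comes from a honeyclient run or manual deobfuscation.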
19. Shellcode
● is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode [5] [6]
20. Sample Real World Attack on cdi.org from May 2012 [7]
21. Tool Categories to Detect Malicious Web Sites
● High-Interaction Honeyclients: Real Client Computers requesting Malicious Web Sites to learn the behavior/tools/techniques of the attacker
● Low-Interaction Honeyclients: Emulated Web Browsers requesting and pseudo-executing sites to gain information about attacks.
● Deobfuscation Tools for static or dynamic analysis: GUI Tools to ease the work of Malware Analysts by supporting deobfuscation with various techniques in a safe execution environment.
22. Online Tools and Reputation Services to detect Malicious Web Sites
● Wepawet http://wepawet.iseclab.org/
● Anubis http://anubis.iseclab.org/
● Google Safe Browsing diagnostic Page http://www.google.com/safebrowsing/diagnostic?site=google.com
● McAfee SiteAdvisor http://www.siteadvisor.com/
● Norton Safe Web http://safeweb.norton.com/
● Web of Trust http://www.mywot.com/
23. General Defense: Blacklists and IDS Signatures
● Many free and commercial Services offer ready-to-use lists/signatures, either to avoid visiting malicious websites by blacklisting them, or to avoid triggering exploits by detecting their signatures or IP addresses with IDS signatures. Applying these in Firewalls and Gateways can add significant security measures to fight Malicious Web Sites.
● Two important free examples are:
  – Blacklisting malicious websites: http://www.malwaredomains.com/
  – Providing various IDS Signatures: http://www.emergingthreats.com
24. Server Side Defense
● Updates: Immediate updates to server software are the base protection against any kind of exploitation attack
● Remote Service Hardening: Any unnecessary remote service should be disabled, or its configuration hardened to be secure against exploits or brute force attacks.
● Application Level Firewalls
● Secure Passwords
● Web Site Admins should check their site regularly for any unauthorized modifications
25. ISP/Network Level Defense
● Various proprietary vendors provide inline scanning of network traffic and can block such attacks from triggering or malware from being transferred to victim systems
● Secure Web Gateways often have various means of detecting malicious attacks and can also keep the local network safe or raise alarms if an infection might have gone unnoticed.
26. Client Side Defense
● Updates: Always having the latest patch level of client software avoids being exploited by non zero-day exploits. Software Management systems like NAC, or Secunia PSI [13] for personal use, help administer and guarantee this
● HIDS and Personal Firewalls can also utilize Blacklists and sites like ET to raise the security boundary
● Many AV engines in combination with so called "Internet Security Suites" provide a certain level of heuristics based exploit detection and can even prevent zero-day exploits from being triggered in certain scenarios
● AV engines can also stop the execution of a malicious payload after the exploit has been triggered unnoticed and can then stop the malware before it can do any harm to the client system
27. References
[1] Kahu Security http://www.kahusecurity.com/
[2] Peter Van Eeckhoutte https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
[3] Wikipedia http://en.wikipedia.org/wiki/Heap_spraying
[4] Dancho Danchev http://www.zdnet.com/blog/security/report-3-million-malvertising-impressions-served-per-day/8319
[5] Wikipedia http://en.wikipedia.org/wiki/Shellcode
[6] Phrack Issue 49 by Aleph One http://www.phrack.org/issues.html?issue=49&id=14#article
[7] Steven Adair and Ned Moran http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/
[8] Nicolaz Bruez http://www.securelist.com/en/blog/208193477/New_Spam_campaign_on_Twitter_Leads_to_Rogue_AV
[9] The Monkey-Spider Project http://monkeyspider.sf.net
28. References
[10] Siber Güvenlik Derneği http://www.siberguvenlik.org.tr/
[11] Honeynet Project, Turkish Chapter http://www.honeynettr.org
[12] ContentKeeper Technologies http://www.contentkeeper.com
[13] Secunia Personal Software Inspector http://secunia.com/products/consumer/psi
29. Questions?
Thank you for your attention!
This talk was made possible with kind support from http://contentkeeper.com
30. Exploit Kits
● Ready to run, large scale, automated Exploitation kits
● Sold in rogue underground Forums
● One kit often has a bunch of exploits ready to execute on varying client machines
● Exploited machines are added to the interface for the ease of "management"
● Widespread approach to running Malicious Web Site infrastructure
31. Exploit Kits Most Wanted [1]