Introducing Msd

Published in: Technology

  • Templates created by Aung Khant <aungkhant@flashband.net>

    1. Introducing The Malware Script Detector (MSD)
       By d0ubl3_h3lix, http://yehg.net
       Tue Feb 19 2008
    2. Agenda
       • Counter Strategy
       • Overview
       • XSS Coverage
       • Versioning Info
       • Standalone MSD
       • Detection Screenshots
       • Why MSD?
       • Weaknesses
    3. Counter Strategy
       • Malware Script Detector uses the power of JavaScript to detect JavaScript malware that itself relies on the power of JavaScript: it runs in the same browser the attack code runs in, and inspects what that code does
    4. Overview
       • Runs on Gecko browsers (Firefox, Flock, Netscape, etc.)
       • Requires the GreaseMonkey add-on
       • Acts as a browser-side IDS
       • Intended for web client security
       • Recommended for every web surfer
       • Do not underestimate MSD because its source code looks simple
    5. Overview (Cont.)
       • Coded mainly to detect today's popular and powerful malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF
       • Version 2 was enhanced to block most XSS threats and includes XSS attack blacklists based on the Firefox XSS-Warning add-on
    6. XSS Coverage
       • MSD was coded to detect the following XSS exploitation areas:
       • data: protocol exploitation, e.g. data:image/gif, data:text/javascript, data:text/html
       • jar: protocol exploitation
       • file: protocol exploitation by locally saved malicious web pages
    7. XSS Coverage
       • Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, telnet:, res:, x-gadget (MS Vista), call (VoIP), aim:, etc.
       • Unicode injection
       • UTF-7, null bytes (\0), backslash escape injection (\u, \x), comment splicing (/* */), sequences such as \u00.. and \x00.., etc.
    8. XSS Coverage
       • MSD was thoroughly tested with:
       • RSnake's XSS Cheat Sheet
       • XSS-Me add-on attack list
       • Dabbledb.com's XSSDB list
       • CAL9000 XSS list
    9. Versioning Info
       • GreaseMonkey version
       • Main objective: alert users to XSS attacks
       • Must be installed by users
       • Requires a Gecko browser + the GreaseMonkey add-on
       • Version 1: detects malware scripts
       • Version 2: detects malware scripts + prevailing XSS
    10. Versioning Info
       • Standalone version
       • Main objective: alert users and the webmaster to XSS attacks
       • Must be deployed by web developers
       • Browser-independent
       • Does not check whether users have the GreaseMonkey version installed
       • Version 1: detects malware scripts + prevailing XSS
    11. Standalone MSD
       • The standalone version was created as a single .js file for web developers
       • To embed in their footer files
       • To notify both visitors and webmasters of XSS injection attempts and attacks
       • Browser-independent, unlike the GreaseMonkey script version
       • Intended for web application security as a portable, lightweight solution
    13. Detection Screenshots
    14. Why MSD?
       • XSS payloads like
       • http://victim/?q="><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ...etc.
    15. Why MSD? (Cont.)
       • Never get DETECTED by a web-server-level firewall/IDS/IPS
       • Because the real payload rides in the URL fragment, which the browser never sends to the server, and the code is executed entirely in the client's browser
    16. Why MSD? (Cont.)
       • Malicious sites intentionally embed malicious JavaScript attack frameworks
       • Bad guys 0wn web server boxes and secretly install those attack frameworks as web backdoors or trojans to abuse users
    17. Why MSD? (Cont.)
       • There is no way to detect such malware scripts unless we check the HTML source code
       • Disabling JavaScript, using NoScript or VMware, or always checking the source code are not effective solutions in most cases
       • Given the above scenarios, MSD becomes a nice solution for us
    18. Oh, But ...
    19. Weaknesses
       • Doesn't check POST or cookie variables
       • No guarantee of full protection against XSS
       • Many ways to bypass MSD
       • The XSS filter needs to be updated regularly, and extensive filtering may cause false alerts and much annoyance to users
    20. Where Can I get it?
       • Check under the Tools section: http://yehg.net/lab/#tools.greasemonkey
       • If you wish to contribute, there is a smoke-test page.
       • Insert your own XSS payload to defeat MSD.
       • Notify me whenever new attack frameworks are created
    21. Special Thanks
       • Goes to
       • Mario, http://php-ids.org
       • Secgeek, http://www.secgeeks.com
       • Andres Riancho, http://w3af.sf.net
       • For encouragement and suggestions
    22. Reference
       • XSS Attacks: Cross Site Scripting Exploits and Defense, by PDP, RSnake, Jeremiah, Anton Rager, Seth Fogie; Syngress Publishing; ISBN-13: 978-1-59749-154-9
    23. Thank you!
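The fragment trick on slides 14 and 15, together with the encoding tricks listed under XSS Coverage on slides 6 and 7 (risky URL schemes, UTF-7, backslash escapes, double encoding), as an added JavaScript example that is not MSD's own code and not the MSD or XSS-Warning blacklist. The rule names, the rule list and the sample URL are constructed for this example; the only claim taken from outside the deck is that a browser never transmits the part of a URL after `#`.

```javascript
// Added example (not MSD's own code, and not the MSD/XSS-Warning blacklist): shows why a
// payload carried in the URL fragment never reaches a server-side WAF/IDS, and how a
// client-side blacklist check in the spirit of MSD still sees it after browser-style
// decoding. Rule names, the rule list and the sample URL are constructed for this example.

// What the browser puts on the wire: everything before '#'. The fragment stays in the
// browser (RFC 3986), so a server-side filter can only ever inspect this part.
function serverVisiblePart(url) {
  const i = url.indexOf('#');
  return i === -1 ? url : url.slice(0, i);
}

// Undo the encodings an attacker uses to slip past naive string matching:
// repeated percent-decoding (to unwind double encoding), JS \uXXXX / \xXX escapes,
// embedded null bytes, and case. Bounded loop; decodeURIComponent throws on bad input.
function normalise(s) {
  let prev;
  let cur = s;
  for (let n = 0; n < 3 && prev !== cur; n++) {
    prev = cur;
    try { cur = decodeURIComponent(cur); } catch (e) { break; }
  }
  cur = cur
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  return cur.replace(/\0/g, '').toLowerCase();
}

// Illustrative rules covering the areas the deck lists: script tags, inline event
// handlers, eval of attacker-controlled window state, risky URL schemes, the UTF-7
// form of '<' (+ADw-), and /* */ comment splicing. A real blacklist is far longer.
const RULES = [
  ['script-tag',       /<\s*script/],
  ['event-handler',    /\bon[a-z]+\s*=/],
  ['eval-of-location', /eval\s*\(\s*(location|document\.url|window\.name)/],
  ['risky-scheme',     /\b(javascript|data|vbscript|livescript|mocha|jar|res):/],
  ['utf7-open-tag',    /\+adw-/],
  ['comment-splice',   /\/\*[\s\S]*?\*\//],
];

// Returns the names of the rules that fire on the (normalised) text, in RULES order.
function detect(text) {
  const n = normalise(text);
  return RULES.filter(([, re]) => re.test(n)).map(([name]) => name);
}

// Runs the same rules over what the server sees and over what the browser sees.
function compare(url) {
  const serverSees = detect(serverVisiblePart(url));
  const clientSees = detect(url);
  return {
    serverSees,
    clientSees,
    hiddenFromServer: clientSees.filter((name) => !serverSees.includes(name)),
  };
}

// Constructed sample in the shape of the slide's payload: the query string carries only
// the small eval(location.hash) stub; the actual attack code lives after '#'.
const SAMPLE =
  'http://victim/?q=%22%3E%3Cscript%3Eeval(location.hash.substr(1))%3C/script%3E' +
  "#document.write('<img src=x onerror=alert(document.cookie)>')";

console.log(compare(SAMPLE));
// serverSees: ['script-tag', 'eval-of-location']
// clientSees adds 'event-handler', which only the browser can ever observe.
```

The stub in the query string is still visible to a server-side filter; what the server can never see is the fragment, which is exactly where the real payload goes. That is also why a client-side detector is only as good as its decoding step and its rule list, which is the maintenance burden slide 19 warns about.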
