Hacked While Browsing — Using the Web to Spread Malware

1© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Hacked While Browsing —Using the Web to Spread Malware

Kah-Kin Ho

Cisco

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2

Agenda

Botnet Business Models

Making Bots: Five Infection Vectors

Hacked While Browsing

Solutions

Conclusion


Botnet Business


The Professional

Smartbot.Net Malware

Opened CD-ROM tray

“If your cd-rom drive’s open . . .you desperately need to rid your system of spyware pop-ups immediately! Download Spy Wiper now!”

Spy Wiper sold for $30

$4M FTC judgment

Sanford Wallace


“Installs” for Sale — Monetizing Botnets


Botnet Monetized Four Ways

Rogue AV


Social Engineering Scareware Spyware


If Infected, Fake Scan Recommends “Removal”

“Antivirus XP has found 2794 threats. It is recommended to

proceed with removal”


After Scan, Takes Me to Website Identifiesgeo-IP, Hides the Close Button Off the Screen


Change the Desktop


Removes Desktop and Screen Saver Tabs from Control Panel


More Scareware Spyware Trickery


Bakasoftware Is Master Criminal

Bakasoftware “scareware spyware” affiliate business

Affiliates load “scareware” onto their bots.

Affiliates paid commission when consumers purchase

This #2 Affiliate earned $147k in 10 days - $5M/year

154,825 installations and 2,772 purchases

Source: http://www.secureworks.com/research/threats/rogue-antivirus-part-2/?threat=rogue-antivirus-part-2

Bakasoftware Dashboard Showing 10 Days Revenue for #2 Affiliate

Day 10Day 10

Day 1 Day 1

Day 2 Day 2

Day 3 Day 3

Day 4 Day 4

Day 5 Day 5

Day 6 Day 6

Day 7 Day 7

Day 8 Day 8

Day 9 Day 9

Total Total


Making a Bot: Infection Vectors


Making a Bot: Infection Vectors

Social Engineering enables the first four methods

1. Search Engine Optimization

2. Spam with URL or active payload

3. Instant Messaging

4. Social Network Attacks

5. Network-based worm: Conficker


Social Engineering


Hacked While Browsing


18

Surprise Valley, Idaho


4 Bedrooms, 2.5 Baths, $379,000


Search Result


21


Browsing to Brooke’s site









Understanding the Problem in Four Parts

1. URL: Recipe for Disaster

2. Web Browser Ecosystem Vulnerable

3. Malware Defeats Anti-Virus Signatures

4. Web Servers Vulnerable


The Web Page: A Security Primer

How does a Web Page Work?

1. HTML: Web site “recipe.” Initial HTML retrieval provides “recipe". Browser then fetches all objects listed in initial HTML “recipe”.

2. Web Resources: The actual ingredients.Retrieved, per the HTML, from any specified location. Includes

Images

Scripts

Executable objects (“plug-ins”)

Other web pages


BoingBoing.net: A Popular Blog

URLs in browser: 1

HTTP Gets: 162

Images: 66from 18 domains including 5 separate 1x1 pixel invisibletracking images

Scripts: 87 from 7 domains

Cookies: 118 from 15 domains

8 Flash objects from 4 domains








Web Browser Ecosystem Vulnerable

IE and Firefox vulnerable

“…hundreds of vulnerabilities in ActiveX controls installed by software vendors have been discovered.”

Media Players & Browser Helper Objects (BHO)

RealPlayer, iTunes, Flash, Quicktime, Windows Media

Explosion of BHOs and third-party plug-ins

Plug-ins are installed (semi) transparently by website. Users unaware an at-risk helper object or plug-in is installed … introducing more avenues for hackers to exploit users visiting malicious web sites.

SANS Top 20 2007 Security Risks

http://www.sans.org/top20/#c1


Mpack: 13.32% Infection Rate in US








Malware Defeats Anti-Virus Signatures

Criminals have developed tools to mutate malware to defect signature-based detection

At DefCon teams of researchers proved their success yet again

Seven viruses and two exploits, all well-known, were mutated to defeat anti-virus engines

Winning time: 2 hours, 25 minutes








Online Norwegian Tax Form


Translated to English


Results of Form Entry


Hacked While Browsing – What Really Happened


What’s Happening on BrookeSeidl.com

brookeseidl.com registered at eNom 2002

63.249.17.64 hosted at Seattle’s ZipCon with 52 other domains

Script injected onto web page – one extra ingredient!


What Does Tejary.net/h.js Do?

Browser fetches h.js javascript from tejary.net

Tejary.net registered 2003 at GoDaddy and hosted on 68.178.160.68 in Arizona

Registered by Aljuraid, Mr Nassir A in Saudi Arabia

Tejary.net/h.js calls two remote iframe objects


V3i9.cn Domain Information

V3i9.cn registered at 北京新网互联科技有限公司 by 贾雨荷 On 3/25/09. DNS by mysuperdns.com

Hosted on 216.245.201.208 at Limestone Networks inDallas, TX

Fetched objects include

ipp.htm, real.html, real.js

14.htm, 14.Js

flash.htm, igg.htm


It all starts with /c.htm loaded from tejary.net, said7.comReal Player Exploit /ipp.htm – Real Player exploit CVE-2008-1309 2/40 AV anti-virus vendors detect, calls real.html. Includes f#!kyoukaspersky

/real.htm, /real.js – Real Player exploit CVE-2007-5601

MDAC (Microsoft Data Access Component) Exploit /14.htm, /14.js – exploits Exploit-MS06-014 vulnerability in the MDAC functions

Flash Exploit /swfobject.js – detects flash version and selects according content /flash.htm – Flash exploit. 2/40 anti-virus vendors detect /igg.htm - ??? Called from /flash.htm for exploit?

Exploit Resources Fetched from v3i9.cn


What Is Our Malware?

Dalai Lama reported office computers hacked

University of Toronto Munk Center found “GhostNet” surveillance malware

Keylogging, webcam monitoring, document retrieval

Exploit downloads ce.exe


Anti-Virus Won’t Protect Us

Ce.exe analyzed on Virus Total

31% detection on days 1, 2

48% detection on day 3

21% detection for SMS.exe


Some Websites Injected with tejary.net


Solutions


51

Has anyone seen my silver bullet?


52

Security needs to move at the speed of crime


Solutions

1. Web application security

2. End-user security (social engineering)

3. Client Security

4. Perimeter Web Gateway

5. Monitoring and Botnet Detection


Conclusion


Conclusion

The web vector has become the #1 weakness targeted by criminals for profit

The web browser ecosystem is vulnerable

Web 2.0 exacerbates these problems

More active content from disparate, uncontrolled sources

Anti-virus is not an adequate solution

Web servers are attacked and use to spread malware via legitimate sites

A different approach is required


Documents

Hacked While Browsing — Using the Web to Spread Malware