Website Compromise and Malware Propagation (WCMP): Web 2.0 Attacks

Bhupendra Singh Awasya, Scientist ‘B’, CERT-In


A few years ago, in 2006 and earlier:

“No one ever thought of spreading malware via legitimate websites.”

Popular Infection Vectors (before 2006)

• Supply malware on USB drives with autorun (pretty common and still effective, spreading malware enormously)
• Go to the system physically and install a malicious piece of code (rarely heard of, or very few cases)
• Distribute malware as an email attachment (pretty common and still effective, unfortunately)
• Convince users to download legitimate-looking software that is actually MALWARE (providing a direct link in email, chat or another mechanism)

New age Mechanism: Drive-by-download

Unintended download of computer software from the Internet:

• Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).
• Any download that happens without a person's knowledge.
• Download of spyware, a computer virus or any kind of malware that happens without a person's knowledge.


Let’s see how things work

1.1 The attacker creates a malicious website.
1.2 The attacker infects a legitimate website.
2. The user requests the legitimate website.
3. The website responds, including the malicious code.
4. The user’s browser requests content from the malicious website.
5. The malicious website successfully delivers malware/virus to the user’s system.

Malware authors are shifting their focus from the traditional desktop-based attack methodology to the newly emerging dynamic and user-interactive web applications for spreading malware.


Web 2.0

• Information sharing
• Interoperability
• User centred design
• Interconnectivity
• Collaboration on the World Wide Web

Why attackers are using this . . .

In this attack vector, attackers compromise a legitimate website and plant a piece of malicious code in it, which will be served to all legitimate users of that website.


Once the malware/virus is planted on the user's computer, a remote attacker/hacker can:

- Access the infected computer
- Steal user credentials, banking or other passwords
- Use it as a launching pad for further attacks
- Install more sophisticated malware/viruses
- Gain a chain of access to corporate networks via VPN etc. to which the user or the user's system is allowed


Drive-by-download works covertly, which makes it difficult to suspect or detect.


Where is the problem?

• Web frameworks: PHP, ColdFusion, .NET, J2EE, Ruby on Rails etc.
• Content management systems (CMS): Drupal, Joomla etc.

What is the problem?

Web application security defects like insufficient user input validation, application logic errors etc.


The possible attack methods are as follows:

• SQL Injection,
• PHP Remote File Include,
• Cross-Site Scripting (XSS),
• Cross-site request forgery (CSRF).


Unfortunately, all of these vulnerabilities are web application vulnerabilities. Attackers are shifting more towards web application vulnerabilities.


Classical server side vulnerabilities

• Windows Services
• Unix and Mac OS Services
• Backup Software
• Anti-virus Software
• Management Servers
• Database Software


Over the last 3-4 years, awareness among web administrators and security professionals regarding server side vulnerabilities has increased. Eventually, they are doing their job quite nicely, securing six of the OSI layers; the one left exposed is the last and most vulnerable layer, the "Application layer".


The main reason leading to malicious code injections in legitimate websites appears to be “Structural Vulnerabilities”, a term given by Dasient.


According to Dasient's analysis, structural vulnerabilities comprise:

• Third party advertisements
• Third party widgets/applications
• Mash-ups or RSS
• User generated content

21

22

23

24

These threats are serious and not so easy to patch or fix, because they emerge from third party applications/content rather than from the web application itself, which could be fixed or patched in one shot.


Attack mechanisms used to exploit Structural Vulnerabilities

• Web application vulnerabilities
• Stolen admin credentials
• Malicious advertisements
• Malicious 3rd party applications
• User generated contents


Web application vulnerabilities: XSS

Most web applications are vulnerable to, and affected by, cross-site scripting (XSS) vulnerabilities.

http://www.cert-in.org.in/s2cMainServlet?pageid=PUBADV01&CACODE=CICA-2010-1330

SQL injection

Another attack mechanism is SQL injection: attackers try to break the SQL queries by supplying crafted malicious queries in fields like username or password, user comment forms etc.


Asprox

• "Asprox" was released by malware authors to speed up and automate the infection mechanism. This trojan specifically searches Google for Microsoft ASP pages and injects an iFrame into the page that leads the naive legitimate user to a fraudulent malicious website.


Asprox infection in webpage

The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites. The decrypted Asprox XML was shown as a figure on the slide.


Asprox launching SQL injection attacks


If the attacker succeeds in gaining administrative credentials of the website, he can modify the whole content of the website, or replace the existing doc, pdf, xls etc. files with malicious files of the same content, to make the attack vector vital and more effective for future use.

All SQL injection attacks are persistent and stay in the database until a user reports them to the website administrator and he removes them.


Stolen admin credentials

Another popular vector, other than SQL injection and cross-site scripting, is stealing FTP service credentials. Most websites manage their content via FTP uploads.


Once the attacker successfully gains FTP credentials, he can launch a variety of attacks on the website, like:

- Placing an iFrame
- Calling remotely hosted JavaScript by modifying webpages
- Modifying native JavaScript files on the web server

The attacker can also modify the server settings (.htaccess) to redirect the legitimate traffic of the website to a malicious website.


Gumblar

Gumblar performs the following tasks:
- Stealing FTP credentials
- Sending SPAM
- Installing fake anti-malware
- Google search/query hijacking
- Disabling security software like desktop firewall and antivirus


Gumblar is a botnet that infects web servers, and infects the visitors of those websites, installing malicious code on the user's system that redirects the end user's Google searches to fraudulent websites delivering further malware. Initially, the redirecting website sends the visitor an infected PDF which exploits a known vulnerability in Acrobat to gain access to the user's computer. New variations of Gumblar redirect users to sites running fake antivirus.


Malicious advertisements

Another website attack mechanism is malicious advertisements. Instead of infecting a legitimate website directly, attackers may plant a legitimate-looking MALICIOUS advertisement banner on the legitimate website via third party advertisement service operators like Google, Yahoo and others.

The attacker adds a malicious but legitimate-looking advertisement banner to the advertisement network, and it then floats through the network rapidly and is shown to a number of users on a number of websites.

These malicious advertisements are generally exploits of the operating system or applications, which later install a backdoor or trojan on the user's system.


Example of a malicious advertisement which says it is scanning the computer and has found several threats. Later it leads to the malware/virus/trojan/backdoor distribution server.


Malicious 3rd party applications

Modern websites and web pages use third party widgets and applications. Website managers and administrators are trying to offer the best to users, as well as wanting to manage their website operations smoothly.


An attacker needs to compromise the third-party widget/application and insert his/her desired code in it. Now, since this is a popular widget and many legitimate websites are using it to analyze their traffic patterns and for other functionality, in reality they are unknowingly distributing malware to their legitimate, naive users.


User Generated Contents

User generated content has revolutionized user experiences on the web. Now, with the help of Web 2.0, an unpredictable amount of interconnectivity and highly engaging content is possible.

Unknown users are now able to submit comments, links, HTML code, scripts, and files including images, video, documents, flash etc. These features have created an opportunity for attackers to use legitimate websites for the propagation of malware.

Attackers can:

- Use URL shortening services like http://tinyurl.com/ or http://bit.ly/ for hiding the actual URL
- Upload files with embedded malicious code (PDF, DOC, XLS, SWF, PPT)
- Place iFrame or JavaScript code in comment fields

Attackers can use these for operating their bots (zombies) and botnets.
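As an added example (not from the original presentation), a check a site administrator can run over a page's HTML to spot the two traces the attack paths above leave behind: a script pulled from a host that is neither the site itself nor an approved partner, and an iframe too small or styled too hidden for a visitor to see. It uses only the Python standard library; the sample page and all host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionScanner(HTMLParser):
    """Flags markup typical of a compromised page: scripts pulled from hosts
    the site owner does not control, and iframes sized or styled so the
    visitor never sees them."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = (urlparse(a["src"]).hostname or "").lower()
            # Relative URLs have no host and belong to the site itself.
            if host and host != self.site_host and host not in self.allowed:
                self.findings.append(("remote-script", a["src"]))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))

def scan_page(html, site_host, allowed_hosts=()):
    """Return [(kind, url), ...] for every suspicious script or iframe."""
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one local script, one approved partner script,
# one injected remote script and one 0x0 iframe (placeholder host names).
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.partner.example/widget.js"></script>
<script src="http://injected.example.invalid/x.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://redirect.example.invalid/5.html" width="0" height="0"></iframe>
<iframe src="https://video.partner.example/embed" width="640" height="360"></iframe>
<p>Comments: <script>var x = 1;</script></p>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_page(SAMPLE_PAGE, "www.shop.example",
                               allowed_hosts=["cdn.partner.example"]):
        print(kind, url)
```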


Analyzing Browser Scripts

- Analyze malicious web pages that use JavaScript and/or VBScript
- Defeat obfuscation and other defensive techniques
- Assemble script components

Browser Script Obfuscation Techniques

- Multiple obfuscation functions
- Deobfuscate and execute


Browser script debuggers and interpreters

• Open Source: Rhino, Firebug, SpiderMonkey, Malzilla
• Microsoft: MS Script Debugger, IE 8 debugger, CScript/WScript

::Case Study - I:: Analysis of infected Website


Multi level redirection

Analysis

A website running on an ASP engine was infected with a malicious script snippet pointing to the malicious JavaScript file "x.js" hosted on the domain "a0v[d0t]org". The infection on the website was shown in a figure on the slide.

Content of the malicious JavaScript file "x.js"

This JavaScript is designed in such a way that it only executes for website URLs not containing ".gov.cn" and ".edu.cn".

Network connections


Contents of 5.html

Contents of xx.html


Contents of yt.htm Contents of dxxz.htm


Content of "ytfl1.htm"


Content of "Td14.htm"

Content of “y1.htm"


Upon execution of all these JavaScript and SWF objects in the user’s browser, some more files are downloaded to the system:

Images: a.jpg, b.jpg, c.jpg, d.jpg, e.jpg, f.jpg, url.jpg
Flash: x1.swf, x2.swf, x3.swf, x4.swf, x5.swf
HTML/CSS/JS: swfobject.js, 14.js, 15.js, 16.js, x115.css, of.css, of.js, of.htm, t2.htm, ytfl.htm
Executables: 1.exe, 2.exe, 3.exe, 4.exe, 5.exe, 6.exe, 7.exe, 8.exe, 9.exe, 10.exe, 11.exe, 12.exe, 13.exe, 14.exe, 15.exe, 16.exe, 17.exe, 18.exe, 19.exe, 20.exe, 21.exe, 22.exe, 23.exe, 24.exe, 25.exe, 26.exe, 27.exe, 28.exe, 29.exe, 30.exe, 31.exe, 32.exe, 33.exe
Scripts: YTPPSeee.vbs, YTPPSeee.pif

It has been noticed that most of these dropped files are trojan download agents, trojan droppers, memory-resident spyware, online gaming password stealers, keyloggers, rootkits and backdoor trojans, and are detected by AV.

::Case Study - II:: Analysis of infected Website


Obfuscated JavaScript

Malicious script injected in the “ABC Mart” website.

Level 1 Obfuscation.


After a little beautification and common replacement, the same obfuscated script looks something like this. But the actual script is still hidden and obfuscated.

Level 2 Obfuscation.

Replacing variable “xe3” with ‘’

Replacing ++ with +

+ is used for string concatenation

These look like HEX codes; let’s replace the HEX codes with their string equivalents.

Level 3 Obfuscation.

Level 4 Obfuscation.
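The manual steps above, carried out as an added example (not from the original slides): one function per level, applied to a constructed sample written in the same style (an empty junk variable xe3 spliced between fragments, ++ joins, \xNN escapes). The variable name is the one the case study names; the host in the sample is a placeholder.

```python
import re

def strip_junk_variable(script, name):
    """Level 2: the script declares a variable holding '' and splices it between
    every fragment. Drop the declaration and every reference to it."""
    script = re.sub(r"var\s+%s\s*=\s*(''|\"\")\s*;\s*" % re.escape(name), "", script)
    return re.sub(r"\b%s\b" % re.escape(name), "", script)

def collapse_plus(script):
    """Once the empty variable is gone, 'a'++'b' and (+'a' are plain
    concatenation; normalise the operators."""
    script = re.sub(r"\+(\s*\+)+", "+", script)
    script = re.sub(r"\(\s*\+", "(", script)
    return re.sub(r"\+\s*\)", ")", script)

# One single-quoted literal, a '+', then another single-quoted literal.
_PAIR = re.compile(r"'((?:\\.|[^'\\])*)'\s*\+\s*'((?:\\.|[^'\\])*)'")

def join_string_literals(script):
    """Level 3: fold 'ab' + 'cd' into 'abcd' until nothing is left to fold."""
    prev = None
    while prev != script:
        prev = script
        script = _PAIR.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), script)
    return script

def decode_hex_escapes(script):
    """Level 4: \\xNN escapes spell the payload one byte at a time."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), script)

def deobfuscate(script, junk_var):
    """Apply the four levels in order and return the readable script."""
    script = strip_junk_variable(script, junk_var)
    script = collapse_plus(script)
    script = join_string_literals(script)
    return decode_hex_escapes(script)

# Constructed sample in the style described above (placeholder host name).
OBFUSCATED = r"""var xe3='';
document.write(xe3+'\x3c\x69\x66'+xe3+'\x72\x61\x6d\x65\x20'+xe3+'\x73\x72\x63\x3d\x22'
+xe3+'http://drop.example.invalid/5.html'+xe3+'\x22\x20\x77\x69\x64\x74\x68\x3d\x30\x3e'
+xe3+'\x3c\x2f'+xe3+'\x69\x66\x72\x61\x6d\x65\x3e');"""

if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED, "xe3"))
```

The decoded result is a document.write of a zero-width iframe, the same kind of injected element the earlier sections describe.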

Behavioral Analysis

Tools for Analyzing Files

PDF: PDF analysis tools – Didier Stevens
WORD: OfficeMalScanner, OffVis
PPT: OfficeCat, MalHost-Setup, MOICE
XLS: BiffView, FileInsight, FlexHex
SWF: swfdump

Thank you