Website Compromise and Malware Propagation (WCMP)
Web 2.0 Attacks
Bhupendra Singh Awasya, Scientist 'B'
CERT-In
A few years ago, in 2006 and earlier:
"No one ever thought of spreading malware via legitimate websites."
Popular Infection Vectors (before 2006)
• Supply malware on USB drives with autorun (pretty common and still effective, spreading malware enormously)
• Go to the system and install a malicious piece of code (rarely heard of, or very few cases)
• Distribute malware as an email attachment (pretty common and still effective, unfortunately)
• Convince users to download legitimate-looking software that is actually MALWARE (providing a direct link in email, chat or another mechanism)
Drive-by-download
Unintended download of computer software from the Internet:
• Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).
• Any download that happens without a person's knowledge.
• Download of spyware, a computer virus or any kind of malware that happens without a person's knowledge.
[Diagram: drive-by-download attack flow between the attacker, the malicious website, the legitimate website and the legitimate user's system]
1.1 Attacker creates a malicious website
1.2 Attacker infects a legitimate website
2 User requests the legitimate website
3 Website response includes the malicious code
4 User's browser requests content from the malicious website
5 Malicious website successfully delivers malware/virus to the user's system
Malware authors are shifting their focus from the traditional desktop-based attack methodology to the new, emerging dynamic and user-interactive web applications for spreading malware.
Web 2.0
• Information sharing
• Interoperability
• User centred design
• Interconnectivity
• Collaboration on the World Wide Web
Why attackers are using this . . .
In this attack vector, attackers compromise a legitimate website and plant a piece of malicious code in it, which will then be served to all legitimate users of that website.
Once the malware/virus is planted on the user's computer, a remote attacker/hacker can:
- Access the infected computer
- Steal user credentials, banking or other passwords
- Use it as a launching pad for further attacks
- Install more sophisticated malware/viruses
- Gain a chain of access to corporate networks (via VPN etc.) to which the user or the user's system is allowed
Drive-by-download works covertly, which makes it difficult to suspect or detect.
Where is the problem?
• Web frameworks
• Content management systems, i.e. CMS
PHP, ColdFusion, .NET, Drupal, J2EE, Joomla, Ruby on Rails etc.
What is the problem?
Web application security defects like:
• Insufficient user input validation
• Application logic errors etc.
The possible attack methods are as follows:
• SQL Injection
• PHP Remote File Include
• Cross-Site Scripting (XSS)
• Cross-site request forgeries (CSRF)
Unfortunately, all of these vulnerabilities are web application vulnerabilities. Attackers are shifting more towards web application vulnerabilities.
Classical server side vulnerabilities
• Windows Services
• Unix and Mac OS Services
• Backup Software
• Anti-virus Software
• Management Servers
• Database Software
Over the last 3-4 years, awareness among web administrators and security professionals regarding server side vulnerabilities has increased. Eventually, they are doing their job quite nicely, securing all six OSI layers except the last and most vulnerable layer, the "Application layer".
The main reason leading to malicious code injections in legitimate websites appears to be "Structural Vulnerabilities", a term given by Dasient.
According to Dasient's analysis, structural vulnerabilities comprise:
• Third party advertisements
• Third party widgets/applications
• Mash-ups or RSS
• User generated content
These threats are serious and not so easy to patch or fix, because they emerge from third party applications/contents rather than from the web application itself, which can be fixed or patched in one shot.
Attack mechanisms used to exploit Structural Vulnerabilities
• Web application vulnerabilities
• Stolen admin credentials
• Malicious advertisements
• Malicious 3rd party applications
• User generated contents
Web application vulnerabilities
Most web applications are vulnerable to and affected by cross-site scripting vulnerabilities.
SQL injection
Another attack mechanism is SQL injection: attackers try to break the SQL queries by supplying crafted malicious queries in fields like username or password, user comment forms etc.
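The query-breaking described above, as an added example (not from the original slides): a login check built by string concatenation beside the parameterized form, run against a constructed in-memory SQLite table so both can be compared offline. The user name "alice", its password and the crafted input are all constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed demo database: one users table with a single legitimate account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    # The query is built by concatenation, so whatever the user types is parsed
    # as SQL syntax: a quote and a comment marker are enough to cut off the
    # password condition. This is the defect behind the slide's description.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Parameterized query: the driver passes the input as data, never as SQL,
    # so quotes, comment markers and operators in it cannot change the statement.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def demo():
    # Returns the four outcomes so the two versions can be compared directly.
    conn = make_db()
    crafted = "alice' --"          # constructed input: closes the quote, comments out the rest
    return {
        "vuln_legit":   login_vulnerable(conn, "alice", "s3cret"),
        "vuln_crafted": login_vulnerable(conn, crafted, "wrong"),
        "safe_legit":   login_safe(conn, "alice", "s3cret"),
        "safe_crafted": login_safe(conn, crafted, "wrong"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```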
Asprox
• "Asprox" was released by malware authors to speed up and automate the infection mechanism. This trojan specifically searches for Microsoft ASP pages in Google and injects an iFrame into the page, which leads the naive legitimate user to a fraudulent malicious website.
The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites. The decrypted Asprox XML can be seen here as:
In case the attacker succeeds in gaining administrative credentials for the website, he can modify the whole content of the website, or replace the present doc, pdf, xls etc. files with malicious files of the same content, to make the attack vector vital and more effective for future use.
All SQL injection attacks are persistent and stay in the database until a user reports them to the website administrator and he removes them.
Stolen admin credentials
Another popular vector, other than SQL injection and cross-site scripting, is stealing FTP service credentials. Most websites manage their website contents via FTP uploads.
Once the attacker successfully gains FTP credentials, he can launch a variety of attacks on the website, like:
- Placing an iFrame
- Calling remotely hosted JavaScript by modifying webpages
- Modifying native JavaScript files on the web server
The attacker can also modify the server settings (.htaccess) to redirect the legitimate traffic of the website to a malicious website.
Gumblar
Gumblar performs the following tasks:
- Stealing FTP credentials
- Sending SPAM
- Installing fake anti-malware
- Google search/query hijacking
- Disabling security software like desktop firewall and antivirus
Gumblar is a botnet infecting web servers and website visitors, installing malicious code on the user's system that redirects the end user's Google searches to fraudulent websites delivering further malware. Initially the redirecting website sends the visitor an infected PDF which exploits a known vulnerability in Acrobat to gain access to the user's computer. New variations of Gumblar redirect users to sites running fake antivirus.
Malicious advertisements
Another website attack mechanism is malicious advertisements. Instead of infecting a legitimate website directly, attackers may plant a legitimate-looking MALICIOUS advertisement banner onto the legitimate website via third party advertisement service operators like Google, Yahoo and others.
The attacker adds a malicious but legitimate-looking advertisement banner to the advertisement network; it then floats through the network rapidly and is shown to a number of users on a number of websites.
These malicious advertisements are generally exploits of the operating system or applications, which later install a backdoor or trojan on the user's system.
Example of a malicious advertisement, which says it is scanning the computer and has found several threats. Later it leads to the malware/virus/trojan/backdoor distribution server.
Malicious 3rd party applications
Modern websites and web pages use third party widgets and applications. Website managers and administrators try to offer the best to users, as well as wanting to manage their website operations smoothly.
The attacker needs to compromise the third-party widget/application and insert his/her desired code in it. Now, since this is a popular widget and many legitimate websites use it to analyze their traffic pattern and for other functionality, in reality they are unknowingly distributing malware to their legitimate naive users.
User Generated Contents
User generated content has revolutionized user experiences on the web. Now, with the help of Web 2.0, an unpredictable amount of interconnectivity and highly engaging content is possible.
Unknown users are now able to submit comments, links, HTML code, scripts, and files including images, video, documents, flash etc. These features have created an opportunity for attackers to use legitimate websites for the propagation of malware.
Attackers can:
- Use URL shortening services like http://tinyurl.com/ and http://bit.ly/ for hiding the actual URL
- Upload files with embedded malicious code (PDF, DOC, XLS, SWF, PPT)
- Place iFrame or JavaScript code in comment fields
Analyzing Browser Script
- Analyze malicious web pages that use JavaScript and/or VBScript
- Defeating obfuscation and other defensive techniques
- Assembling script components
Browser script debuggers and interpreters
• Open Source: Rhino, Firebug, SpiderMonkey, Malzilla
• Microsoft: MS Script Debugger, IE 8 debugger, CScript/WScript
Analysis
A website running with ASP engine support was infected with a malicious script snippet pointing to the malicious JavaScript file "x.js" hosted on the domain "a0v[d0t]org". The infection on the website can be seen as:
Content of the malicious JavaScript file "x.js"
This JavaScript is designed in such a way that it will only execute for website URLs not containing ".gov.cn" and ".edu.cn".
Upon execution of all these JavaScript and SWF objects in the user's browser, some more files are downloaded onto the system:
a.jpg, b.jpg, url.jpg, c.jpg, d.jpg, e.jpg, f.jpg, swfobject.js
x1.swf, x2.swf, x3.swf, x4.swf, x5.swf, t2.htm, of.htm, of.css, of.js, ytfl.htm
14.js, 15.js, 16.js, x115.css
1.exe, 2.exe, 3.exe, 4.exe, 5.exe, 6.exe, 7.exe, 8.exe, 9.exe, 10.exe, 11.exe
12.exe, 13.exe, 14.exe, 15.exe, 16.exe, 17.exe, 18.exe, 19.exe, 20.exe, 21.exe, 22.exe
23.exe, 24.exe, 25.exe, 26.exe, 27.exe, 28.exe, 29.exe, 30.exe, 31.exe, 32.exe, 33.exe
YTPPSeee.vbs, YTPPSeee.pif
It has been noticed that most of these dropped files are trojan download agents, trojan droppers, memory-resident spyware, online gaming password stealers, keyloggers, rootkits and backdoor trojans, and are detected by AV.
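The injected script include seen in the Analysis above, and the iFrame / remote JavaScript placements listed under stolen FTP credentials, both leave traces in the served HTML. The scanner below is an added example (not the presenter's code): it parses a fetched page and flags script or iframe references whose host is not on the site's own allow-list, plus iframes styled to be invisible. The sample page, its hosts and the allow-list are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionScanner(HTMLParser):
    """Collects (kind, url) findings for script/iframe references that point
    off-site, and for iframes styled so the visitor never sees them."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _external(self, url):
        host = urlparse(url).hostname          # None for relative URLs
        return host is not None and host.lower() not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and self._external(a.get("src", "")):
            self.findings.append(("external-script", a["src"]))
        elif tag == "iframe":
            src = a.get("src", "")
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            if self._external(src):
                self.findings.append(("external-iframe", src))
            if hidden:
                self.findings.append(("hidden-iframe", src))

def scan_page(html, allowed_hosts):
    """Returns the list of findings for one fetched page."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: the site's own script plus two injected elements
# (a remote script include and a zero-size iframe); hosts are placeholders.
SAMPLE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://js-host.example/x.js"></script>
</head><body><p>Welcome</p>
<iframe src="http://redirect.example/in.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_page(SAMPLE, ["www.site.example"]):
        print(kind, url)
```

Running it against a periodic crawl of the site's own pages, with the site's real hostnames as the allow-list, turns the manual check shown on the slide into a repeatable integrity test.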
After a little beautification and common replacement, the same obfuscated script looks something like this. But the actual script is still hidden and obfuscated.
Level 2 Obfuscation
- Replacing variable "xe3" with ''
- Replacing ++ with +
- + is used for string concatenation
This looks like HEX codes; let's replace the HEX codes with their string equivalents.
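The three replacement steps listed above, carried out as an added example (not the presenter's tool): the junk variable is dropped, '++' is collapsed to the single concatenation operator, adjacent string literals are folded together, and the \xHH hex codes are decoded. The obfuscated snippet it is run on is constructed in the style the slides describe, with a placeholder host.

```python
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# two single-quoted literals joined by '+':  '...' + '...'
ADJACENT = re.compile(r"'((?:[^'\\]|\\.)*)'\s*\+\s*'((?:[^'\\]|\\.)*)'")

def deobfuscate(script, junk_var="xe3"):
    """Applies the clean-up steps from the slides to a level-2 obfuscated
    snippet and returns the readable script text."""
    # drop the junk variable's declaration (var xe3 = '';)
    s = re.sub(r"var\s+" + re.escape(junk_var) + r"\s*=\s*'';?\s*", "", script)
    # step 1: every use of the junk variable is just an empty string
    s = re.sub(r"\b" + re.escape(junk_var) + r"\b", "''", s)
    # step 2: '++' is only '+' (string concatenation) with noise
    s = re.sub(r"\+\s*\+", "+", s)
    # an empty string adds nothing to a concatenation, so remove those terms
    s = re.sub(r"\+\s*''|''\s*\+", "", s)
    # fold 'a' + 'b' into 'ab' until no pair is left
    while True:
        folded = ADJACENT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if folded == s:
            break
        s = folded
    # step 3: replace each \xHH hex code with the character it stands for
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)

# Constructed sample in the style the slides describe (placeholder host):
# hex-escaped fragments, padded with the empty junk variable xe3.
SAMPLE = ("var xe3='';\n"
          "document.write('\\x3c\\x69\\x66\\x72'+xe3+'\\x61\\x6d\\x65 src=\"'+xe3+"
          "'http://redirect.example/in.php\" width=0 height=0>'+xe3+'\\x3c/iframe\\x3e');")

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```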
Tools for Analyzing Files
PDF: PDF Analysis tool by Didier Stevens
WORD: OfficeMalScanner, OffVis
PPT: OfficeCat, MalHost-Setup, MOICE
XLS: BiffView, FileInsight, FlexHex
SWF: swfdump