FireShark: A Tool to Link the Malicious Web
Stephan Chenette, Principal Security Researcher, Websense Labs

Agenda
- Introduction
- FireShark details
- Web communities
- Malicious web communities
- Mass injection analysis
- Redirection chaining
- Deobfuscation analysis
- Content profiling
- Conclusion
Why you should care
- URL injection attacks are increasing: a 225% increase in the number of newly compromised legitimate websites in the last 12 months
  (Source: Websense Security Labs, State of Internet Security, Q3-Q4 2009 Report)

Why you should care
- The deobfuscation tools available today are not sufficient
- Emulators are built for products, not for researchers
- Mass injection attacks are hard to correlate, e.g. Nine-ball, Beladen (~40k compromises)
- A need exists for something that provides both the high-level view of an attack and low-level content profiling: FireShark
Connecting the dots: mass injection examples
- Gumblar: ~60,000 compromises
- Beladen: ~40,000 compromises
- Nine-ball: ~20,000 compromises

Public tools available today (websites and tools)
Wepawet, Malzilla, Anubis, Rhino Debugger, ZeusTracker, FF JavaScript Deobfuscator, BLADE (new), DS's SpiderMonkey, Robtex, Jsunpack, Unmask Parasites, Caffeine Monkey, Malwaredomainlist.com, NJS, Badwarebusters.org, VirusTotal.com
Malzilla vs. the Phoenix exploit kit

Jsunpack vs. the Phoenix exploit kit

SpiderMonkey / CaffeineMonkey
- Only a JavaScript engine: lacks DOM features
Obfuscated content
- Iframe/script injection (compromised pages)
- Crimepack exploit kit
- Eleonore exploit kit
- Phoenix exploit kit
- YES exploit kit
- SEO sploit pack
- Fragus exploit kit
- Neosploit kit
- More...

Crimepack 2.8 (released before Easter), exploits include:
- Adobe Acrobat Reader exploits, including CVE-2010-0188 (ALL)
- JRE (GSB & SERIALIZE) (ALL)
- MDAC (IE)
- MS09-032 (IE)
- MS09-002 (IE)
- CVE-2010-0806 (IE)

Crimepack 2.8 anti-analysis features (as advertised) include:
1. Undetected by AV scanners (JavaScript & PDF/JAR/JPG files)
2. Random PDF obfuscation (not a static PDF file like other packs)
3. Blacklist checker & AutoChecker
4. Prevents Wepawet, Jsunpack and other JavaScript unpackers from decoding your page

Crimepack 2.8 changes:
- Added CVE-2010-0806
- Added CVE-2010-0188
- Added more IPs to block
- IFrame generator
- Redirector for non-vulnerable traffic
- New JS cryptor
- Anti-Kaspersky emulation
Problems with emulation: the DOM is always behind
- document.body is undefined
- document.title is undefined
- document.forms is undefined
- document.documentElement is undefined
- document.URL is undefined
- document.getElementsByTagName is not a function
- window.location.search
- window.addEvent is not a function
- window.onDomReady is not a function
- window.parent is undefined
- window.screen is undefined
- window.top is undefined
- screen is not defined
- top is not defined
- parent is not defined
- self is not defined
- location.protocol

Problems with emulation: external scripts
- jQuery is not defined
- urchinTracker is not defined
- SWFObject is not defined

What about crawlers?
- Wget, Curl, Selenium
- Use a web proxy like Fiddler
- Redirection chains? Sort of.
- Content profiling? Not really.
You dare doubt me?? Me!!!?? =]

FireShark introduction
- Firefox plugin
- Accepts commands to crawl compromised websites
- Stores events and data sets
- Post-run data analysis correlates the data
- End result: a better understanding of URL injection attacks

Send URLs to FireShark: malicious URL feed

FireShark architecture (two modes)
- Network mode: used in an automated manner; alert / auto-categorize
- Single-user mode: manual inspection; injection research
Single-user mode demo

Local FireShark demo

Now parse the log file
- FireShark log
- What comes next is up to you...
- A few scripts are provided, e.g. Graphmaker.pl, InOut.pl

Post-run analysis
- The log is analyzed manually, or automatically via the post-analysis correlation process
Monitoring communities

Mass injection attack: example of an injection attack community

The importance of data correlation
"Web Communities"

Top 25 global Alexa list (mid-Feb 2010)
google.com, google.co.in, facebook.com, google.cn, youtube.com, sina.com.cn, yahoo.com, myspace.com, live.com, google.de, wikipedia.org, wordpress.com, blogger.com, microsoft.com, baidu.com, amazon.com, msn.com, taobao.com, qq.com, google.co.uk, yahoo.co.jp, bing.com, twitter.com, ebay.com, google.fr

Visiting youtube.com
- This is all the content your browser is fed when visiting youtube.com
Major ad networks
- DoubleClick (Google)
- Yield Manager (Yahoo)
- Fastclick (ValueClick)

Top 100 global Alexa list (mid-Feb 2010)

Victims of "malvertisements" (2009)
- The Drudge Report
- Horoscope.com
- Lyrics.com
- slacker.com
- eWeek.com
- The New York Times
- Philadelphia Inquirer
- Expedia, Rhapsody

Horoscope.com economy
"Malicious Web Communities"

Down the rabbit hole: analysis of three exemplary injection campaigns
- Injection campaigns occur daily
- A breadth-view analysis helps us gain a better understanding of the malicious webscape

Down the rabbit hole: injection example #1

Injection example #1 (Nov/Dec 2009): 13k matches in 24 hours

Injection example #1
Step 1) Analyze a subset (500 of the 13k)
- Breadth: the popular campaign will emerge; injections into unique websites lead to the same hosts
- Depth: details of the attack: screenshots, source code, deobfuscated DOM, network traffic

Bird's-eye view of 500 compromised websites

Breadth: popularity of request connection
Down the rabbit hole: injection campaign #1: 93.186.127.49

"W93.186" injection campaign

"W93.186" injection campaign: screenshot

Observations from the 93.186.127.49 attack: Operation b49

Rascop.com... a familiar foe?

Infamous Rascop.com
- rascop.com = NXD (Feb '10)
- Waledac fast-flux domain

Rascop.com and friends say goodbye, but landing pages are here to stay
- Waledac domains were NXD in the takedown
- Landing pages were still online, though
Injection example #2: attack #2: ru:8080

Breadth: popularity of request connection
- 250 of 5k URLs lead to homesalesplus.ru

Polymorphic injected code: variation #1

Polymorphic injected code: variation #2

Polymorphic injected code: variation #3

Depth: diff DOM / SRC

Depth: script link in the DOM

DOM view
- DOM = mutable memory representation (the final view of the DOM after JS/events have run)
Log analysis
Further analysis showed variations:
1. hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/
2. hxxp://chip-de.ggpht.com.deezer-com.viewhomesale.ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/

ru:8080 URL injection campaign: similarities between infected sites
- Port 8080
- Various changing .ru domains
- Legitimate content on port 80 served by Apache
- Malicious domains are mapped to 5 different IPs
- Malicious IP addresses are on hosting providers Leaseweb (Netherlands) and OVH.com (France)
- Landing domains were NXD Dec '09 / Jan '10
The never-ending story: where one ends, another begins

Observations from the ru:8080 injection attack
- Compromised websites can be, and are, updated automatically
- Compromised websites are injected with multiple redirectors
- Sharing of stolen FTP credentials: many infected sites also led to Gumblar-infected domains, indicating that the attackers perhaps shared stolen FTP credentials

Injection example #3: mass injection #3
- ~5,700 infected pages
- ~5,300 unique hosts

Breadth: popularity of response connection
- sportgun.pl.ua sends a response back to 50+ hosts