dissecting web attacks
play

Dissecting Web Attacks Val Smith (valsmith@attackresearch.com) - PowerPoint PPT Presentation

Mar 16, 2024 •13 likes •903 views

Dissecting Web Attacks Val Smith (valsmith@attackresearch.com) Colin Ames (amesc@attackresearch.com) Delchi (delchi@attackresearch.com) Bios Valsmith Affiliations: Attack Research Metasploit cDc Work: Attack

  1. Dissecting Web Attacks Val Smith (valsmith@attackresearch.com) Colin Ames (amesc@attackresearch.com) Delchi (delchi@attackresearch.com)

  2. Bios Valsmith – Affiliations: • Attack Research • Metasploit • cDc – Work: • Attack Techniques Research - History • Pen Tester/ Exploit • Founder Offensive Computing developer • Speaker • Reverse Engineer - Blackhat • Malware Analyst - Defcon - Shmoocon

  3. Bios Colin Ames – Security Researcher, Attack Research – Steganography Research – Penetration Testing – Reverse Engineering – Malware Analysis

  4. The Problem

  5. THESE GUYS

  6. (For Real?)

  7. AND THESE GUYS

  8. (Who says so?)

  9. AND THESE GUYS ?

  10. WANT YOUR

  11. AND WILL USE YOUR TO GET THEM

  12. While this happens you are:

  13. I n t r o d u c t i o n

  14. Introduction • Attackers are using the web in various ways to: – Push users to their malicious sites – Gain access to computers – Steal information • They use many technologies – Java/Javascript HTML – Iframes Encoding/Obfuscation – Spam Injection

  15. Introduction • For this talk we analyzed different types of attacks – Blog Spam – Web site injection • We dissect the attacks piece by piece to analyze and show – Source code Commands – Network traffic Attack Goals – Binaries Attackers

  17. Blog Spam • Analysis process – View victim blog, locate malicious comments – Trace back all A HREFs in comments – WGET code from attacker site • Follow any links • Decode obfuscated instructions • Debug javascript – Firebug, Venkman • Decompile Java Applets – Lookup owners of domains / IPs – Reverse any exploits / binaries

  18. Blog Spam • 1 st Stage of the attack – Uses comments to sites – Blogs such as Drupal & Wordpress • Comments: – Usually in response to valid post – Splice together random but legitimate phrases from sources such as wikipedia – Contain several linked words to various sites – Will be added en mass to many disparate posts – Often will have non-English embedded words such as Italian, German, Russian

  20. Shows some comments added to a legitimate post. Notice the hyperlinked Italian words. Comments often start with an md5sum hash.

  22. Blog Spam • Following embeded links in comment shows:

  23. Blog Spam • Site made to look like normal blog • Links don’t actually work • Page actually for deploying malware

  24. Blog Spam • Attack often comes from same domain with slightly different name: – qff09296@averfame.org – drff09296@averfame.org – drff52122@averfame.org – mer52122@averfame.org • Attack domain averfame.org info: Sponsoring Registrar: EstDomains, Inc. (R1345-LROR) IP Address: 78.108.181.22 Registrant Name: Harold Lani descr: UPL Telecom Registrant Organization: China Construction Bank changed: serge@upl.cz 20071227 Registrant Street1: Mansion, No.31 Guangji Street, Ningbo, address: UPL TELECOM s.r.o 315000, CN address: Vinohradska 184/2396 Registrant Email: harold@avereanoia.org

  25. Blog Spam • China Construction Bank known in the past for malware – State owned bank • In 2004 several executives were executed by the state for engaging in financial fraud • In March 2006 it was reported to be hosting phishing sites targeting US banks

  26. Blog Spam • While the e-mail address given to post the malicious comments was owned by China Construction Bank, – The HTTP connection to make the posts came from 212.227.118.40 based on various web logs 212.227.118.40 infong113.kundenserver.de. Domain: kundenserver.de Name: Achim Weiss Address: Erbprinzenstr. 4 - 12 Pcode: 76133 City: Karlsruhe Country: DE role: Schlund NCC address: 1&1 Internet AG address: Brauerstrasse 48 address: D-76135 Karlsruhe address: Germany e-mail: noc@oneandone.net

  27. Most of these sites have the blog spam in comments on them.

  28. Blog Spam • The URL’s linked to by the first comment listed in order are : – mir-t.ru/files/rolling_stones_testi/rolling_stones_testi.htm – mebelionika.ru/download/site/libreria_blocchi_autocad/page_libreria_blocchi_autocad.htm – mebelionika.ru/download/scarica_gratis_msn_live_spaces/listing/page_scarica_gratis_msn_live_spaces .html – dich.com.ua/forum/video_porno_scaricare_gratis/video_porno_scaricare_gratis.htm – mir-t.ru/files/cavalli_da_salto.html – dich.com.ua/forum/croccantino_gelato.html – mir-t.ru/files/apt_lombardia.htm – mebelionika.ru/download/index_sherk_cartone_animato.htm – dich.com.ua/forum/video_porno_com/page_video_porno_com.htm – mebelionika.ru/download/foto_zero_assoluto/foto_zero_assoluto.htm – mir-t.ru/files/rolling_stones_testi/rolling_stones_testi.htm – dich.com.ua/forum/video_hard_casalinga_gratis/video_hard_casalinga_gratis.htm – mir-t.ru/files/video_casalinghe_gratis/video_casalinghe_gratis.htm – mebelionika.ru/download/villaggio_vacanza_corsica/comp/page_villaggio_vacanza_corsica.htm – dich.com.ua/forum/esercizio_svolti_elettrotecnica/esercizio_svolti_elettrotecnica.htm – mebelionika.ru/download/falze_trevignano/falze_trevignano.htm – mir-t.ru/files/video_porno_con_ragazzine/page_video_porno_con_ragazzine.html – dich.com.ua/forum/video_porno_com/page_video_porno_com.htm – mir-t.ru/files/foto_privata_donna_incinta_nuda/style/foto_privata_donna_incinta_nuda.html – mebelionika.ru/download/video_clitoride/index/index_video_clitoride.html

  29. Blog Spam • The second attack contained a different set of URLs with similar content – www.daolao.ru/Confucius/Pound/it/world/negozi_abbigliamento_ravenna/negozi_abbigliamento_ravenna .htm – www.economypmr.org/giic/video_lesbica_asiatica_gratis/world/video_lesbica_asiatica_gratis.htm – www.economypmr.org/giic/assicurazione_su_imbarcazioni/to/assicurazione_su_imbarcazioni.html – www.daolao.ru/Confucius/Pound/it/hotel_provincia_di_rovigo/verso/page_hotel_provincia_di_rovigo.ht ml – www.economy-pmr.org/giic/antivirus_scansione_online.html – www.daolao.ru/Confucius/Pound/it/montaggio_gru_edilizia.htm – www.economy-pmr.org/giic/world/magnolia_negrita/index_magnolia_negrita.html – www.daolao.ru/Confucius/Pound/it/edilizia_pubblica/index_edilizia_pubblica.html – www.economy-pmr.org/giic/antivirus_scansione_online.html – www.daolao.ru/Confucius/Pound/it/ater_provincia_roma/page_ater_provincia_roma.html – www.economypmr.org/giic/incontro_privati_annuncio_personali/top/incontro_privati_annuncio_persona li.htm – www.daolao.ru/Confucius/Pound/it/albergo_hotel_avellino/albergo_hotel_avellino.htm – www.economypmr.org/giic/city/cucina_cinese_ricetta/index_cucina_cinese_ricetta.html – www.daolao.ru/Confucius/Pound/it/test_colesterolo.html – www.economypmr.org/giic/news/annuncio_hard_sicilia/annuncio_hard_sicilia.htm – www.daolao.ru/Confucius/Pound/it/istruzioni_ricarica_cartuccia_epson/nix/page_istruzioni_ricarica_cart uccia_epson.html – www.economy-pmr.org/giic/agriturismo_guidonia/italia/agriturismo_guidonia.html – www.daolao.ru/Confucius/Pound/it/lol/video_sesso_scaricare_gratis/index_video_sesso_scaricare_grati s.htm

  30. Blog Spam MIR -T.RU DICH.COM.UA DOMAIN OWNER INFO DOMAIN OWNER INFO ip addr : 89.108.95.149 ip addr : 217.20.175.128 person : Aleksandr A Artemyev person : Oleg Teteryatnik e-mail : sahasaha@bk.ru e-mail : mazai@tnmk.com registrar : RUCENTER -REG-RIPN NETWORK OWNER INFO NETWOR K OWNER INFO netname : AGAVACOMPANY address : WNet ISP address : AGAVA JSC address : Pochayninska str. 25/49, off. 30, 03148, Ukraine, address : B. Novodmitrovskaya str., 36/4, 127015 Kiev Moscow, Russia phone : +38 067 786 96 12 phone : +7 495 4081790 changed : gusak@wnet.ua 20060731 MEBELIONIKA.RU DAOLAO.RU There are only DOMAIN OWNER INFO DOMAIN OWNER INFO ip addr : 217.16.16.145 ip addr : 217.16.16.153 five different org : "Impuls - Plus" Ltd. phone : +7 095 0000000 e-mail :info@mebelionika.ru e-mail : yukan@tsinet.ru e-mail :mebelionika@gmail.com domains actually NETWORK OWNER INFO NETWORK OWNER INFO changed :caspy@masterhost.ru 20030507 in use. changed : caspy@masterhost.ru 20030507 address : Lyalin lane 3, bld 3,105062 Moscow, Russia phone : +7 495 7729720 registrar : RUCEN TER-REG-RIPN address : Lyalin lane 3, bld 3, 105062 Moscow, Russia phone : +7 495 7729720 ECONOMY -PMR.ORG DOMAIN OWNER INFO ip addr: 91.196.0.85 Registrant :Name:Makruha Igor N. Registrant : Organization:Eco nomy Registrant : Street1:Tiraspol, Sverdlova, MD (Moldova) Registrant : Phone:+373.93224 Registrant :Email:pom@economy.idknet.com Admin Name : Makruha Igor N. NETWORK OWNER INFO descr :HostBizUa Data Center notify : msil@hostbizua.com address : Polarna st.15 , 3 fw. address : Ukraine, 04201 Kyiv phone : +380(44) 5017659 e-mail : support@hostbizua.com person :Valentin Dobrovolsky address : Ukraine, Kyiv

  31. Blog Spam • www.economy-pmr.org belongs to the Moldovan government – Economic website – Sites been compromised by the attackers – Serving up spam / malware unbeknownst to owners • Adds even another level of complexity – Yet another country and now government involvement

  32. Blog Spam • Already we can see attack’s complexity – 3 countries – Domain owned by China, hosted in Czech Republic, attacker posting from Germany • Serious international and language barriers in the way of removing attack • Easy to change one or all pieces of attack to make blocking hard

Recommend

Dissecting tf.function to discover AutoGraph strengths and subtleties How to correctly write

Dissecting tf.function to discover AutoGraph strengths and subtleties How to correctly write

12/7/2019 Dissecting tf.function to discover AutoGraph strengths and subtleties Dissecting tf.function to discover AutoGraph strengths and subtleties How to correctly write graph-convertible functions in TensorFlow 2.0.

385 views • 36 slides
Dissecting Diversity towards a conceptual framework for realizing diversity in

Dissecting Diversity towards a conceptual framework for realizing diversity in

Dissecting Diversity towards a conceptual framework for realizing diversity in recommendations Prof. Dr. Natali Helberger, Institute for Information Law Bozen, 29 February 2018 Central questions What is diversity? Do people encounter

521 views • 38 slides
Dissecting the Volta GPU Architecture through Microbenchmarking GTC 2018 Zhe Jia, Marco

Dissecting the Volta GPU Architecture through Microbenchmarking GTC 2018 Zhe Jia, Marco

Dissecting the Volta GPU Architecture through Microbenchmarking GTC 2018 Zhe Jia, Marco Maggioni, Benjamin Staiger, Daniele P. Scarpazza High-Performance Computing Group Everything You Ever Wanted To Know About Volta Micro-architectural

504 views • 21 slides
Dissecting Transactional Semantics and Implementations Suresh Jagannathan Observations

Dissecting Transactional Semantics and Implementations Suresh Jagannathan Observations

Dissecting Transactional Semantics and Implementations Suresh Jagannathan Observations Mainstream adoption of concurrency and distributed programming abstractions Heavy burden on programmer to balance safety and performance

1.86k views • 136 slides
Dissecting the Turing GPU Architecture through Microbenchmarking GTC 2019 Zhe Jia Marco

Dissecting the Turing GPU Architecture through Microbenchmarking GTC 2019 Zhe Jia Marco

Dissecting the Turing GPU Architecture through Microbenchmarking GTC 2019 Zhe Jia Marco Maggioni Jeffrey Smith Daniele P. Scarpazza High Performance Computing R&D Team Summary GPU software performance matters performance

752 views • 42 slides
When the Dike Breaks: Dissecting DNS Defenses During DDoS Giovane C. M. Moura 1 , 2 , John

When the Dike Breaks: Dissecting DNS Defenses During DDoS Giovane C. M. Moura 1 , 2 , John

When the Dike Breaks: Dissecting DNS Defenses During DDoS Giovane C. M. Moura 1 , 2 , John Heidemann 3 , Moritz Mller 1 , 4 , Ricardo de O. Schmidt 5 , Marco Davids 1 RIPE 77, Amsterdam, The Netherlands 2018-10-15 1 SIDN Labs, 2 TU Delft, 3

648 views • 38 slides
DISSECTING THE DECISION: Investigators Discuss Emerging Treatment Strategies and Novel Approaches

DISSECTING THE DECISION: Investigators Discuss Emerging Treatment Strategies and Novel Approaches

DISSECTING THE DECISION: Investigators Discuss Emerging Treatment Strategies and Novel Approaches in Gynecologic Cancers March 12, 2017 6:30 AM 7:30 AM Faculty Michael Birrer, MD, PhD Angeles Alvarez Secord, MD, MHSc Bradley J Monk, MD

479 views • 13 slides
NAS-Bench-1Shot1: Benchmarking and Dissecting One-Shot Neural Architecture Search

NAS-Bench-1Shot1: Benchmarking and Dissecting One-Shot Neural Architecture Search

NAS-Bench-1Shot1: Benchmarking and Dissecting One-Shot Neural Architecture Search Albert-Ludwigs-Universitt Freiburg DeToL 07.11.2019 Julien Siems, Arbr Zela and Frank Hutter Under review as a conference paper at ICLR 2020 Motivation

1.43k views • 24 slides
Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST 2008 Michael La Pilla VeriSign iDefense Malicious Code Operations Team June 26, 2008 Why Should Incident Responders Care? + US Commercial Accounts

458 views • 19 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Dissecting Data Elements for a Useful Needs Assessment September 22-23, 2015 SAMHSAs Center

Dissecting Data Elements for a Useful Needs Assessment September 22-23, 2015 SAMHSAs Center

Dissecting Data Elements for a Useful Needs Assessment September 22-23, 2015 SAMHSAs Center for the Application of Prevention Technologies (CAPT) Presenters: Jeremy Goldbach, PhD, LMSW CAPT Associate Beverly Triana-Tremain, PhD

985 views • 74 slides
Dissecting PDF Documents Mark S. Rasmussen iPaper mark@improve.dk What Is This Session NOT

Dissecting PDF Documents Mark S. Rasmussen iPaper mark@improve.dk What Is This Session NOT

Dissecting PDF Documents Mark S. Rasmussen iPaper mark@improve.dk What Is This Session NOT About? Creating PDFs How to use Acrobat Transparency flattening options in InDesign So what is it about? PDF documents Tooling

382 views • 23 slides
Dissecting Transactional Executions in Haskell Cristian Perfumo +* , Nehir Sonmez +* , Adrian

Dissecting Transactional Executions in Haskell Cristian Perfumo +* , Nehir Sonmez +* , Adrian

Dissecting Transactional Executions in Haskell Cristian Perfumo +* , Nehir Sonmez +* , Adrian Cristal + , Osman S. Unsal + , Mateo Valero +* , Tim Harris # + Barcelona Supercomputing Center * Computer Architecture Department, UPC, Barcelona, Spain

450 views • 16 slides
The Anatomy of Violence: Dissecting The Biological Roots of Crime Adrian Raine Departments of

The Anatomy of Violence: Dissecting The Biological Roots of Crime Adrian Raine Departments of

The Anatomy of Violence: Dissecting The Biological Roots of Crime Adrian Raine Departments of Criminology, Psychiatry, and Psychology, University Of Pennsylvania. 5 th International Bergen Conference on Forensic Psychology, 23 rd October, 2018

495 views • 26 slides
Application Training by David Noguera 1 Overview 1. Dissecting the Application 2. Program

Application Training by David Noguera 1 Overview 1. Dissecting the Application 2. Program

Urban Land Bank Demonstration Program Application Training by David Noguera 1 Overview 1. Dissecting the Application 2. Program Description 3. Program Uses 4. Lot Sales Price 5. Eligible Program Applicants 6. Program Requirements

432 views • 12 slides
Dissecting Interactions in Solution Scott L. Cockroft UKQSAR Autumn meeting, 29 th September 2017

Dissecting Interactions in Solution Scott L. Cockroft UKQSAR Autumn meeting, 29 th September 2017

Dissecting Interactions in Solution Scott L. Cockroft UKQSAR Autumn meeting, 29 th September 2017 Understanding & exploiting conformational change Unfolded Folded equilibrium K fold + measurement I. K. Mati & S. L. Cockroft. Chem.

543 views • 37 slides
CAMDA 2004 Dissecting the Malaria Transcriptome Malaria - the disease More than 400 million

CAMDA 2004 Dissecting the Malaria Transcriptome Malaria - the disease More than 400 million

CAMDA 2004 Dissecting the Malaria Transcriptome Malaria - the disease More than 400 million affected every year 1 - 2.7 million annual deaths Most deaths are children under 5 A child dies every 20-40 seconds Transmitted by

866 views • 73 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

648 views • 34 slides
Dissecting QNX Analyzing & Breaking Exploit Mitigations and PRNGs on QNX 6 and 7 Jos Wetzels,

Dissecting QNX Analyzing & Breaking Exploit Mitigations and PRNGs on QNX 6 and 7 Jos Wetzels,

Dissecting QNX Analyzing & Breaking Exploit Mitigations and PRNGs on QNX 6 and 7 Jos Wetzels, Ali Abbasi Who are we? Jos Wetzels Ali Abbasi Independent Security Researcher @ Midnight Blue Ph.D. Candidate @ TU/e (Previously) Security

714 views • 69 slides
Dissecting FinCENs Customer Due Diligence Rule: Understanding the final rule and preparing for

Dissecting FinCENs Customer Due Diligence Rule: Understanding the final rule and preparing for

Dissecting FinCENs Customer Due Diligence Rule: Understanding the final rule and preparing for implementation The views expressed in this presentation are strictly those of the author[s] and do not necessarily represent the views of their

509 views • 34 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Dissecting Multiscale Systems Peter Szmolyan Technische Universit at Wien, Austria

Dissecting Multiscale Systems Peter Szmolyan Technische Universit at Wien, Austria

Dissecting Multiscale Systems Peter Szmolyan Technische Universit at Wien, Austria Introduction 1. Overview: time scales, slow-fast dynamics, model reduction 2. Olsen model: complicated dynamics 3. Cell cycle model: Mitotic Oscillator 4.

973 views • 48 slides
Dissecting the Effect of Credit Supply on Trade: Evidence from Matched Credit-Export Data Daniel

Dissecting the Effect of Credit Supply on Trade: Evidence from Matched Credit-Export Data Daniel

Dissecting the Effect of Credit Supply on Trade: Evidence from Matched Credit-Export Data Daniel Paravisini, Veronica Rappoport, Philipp Schnabl, and Daniel Wolfenzon August 2013 Motivation What is the role of banks in amplifying economic

364 views • 18 slides

More recommend