Introduction to Malicious Web Sites (Kötücül Web Sitelerine Bir İlk Bakış / A First Look at Malicious Web Sites) - PowerPoint PPT Presentation

  1. OWASP Turkey - Uygulama Güvenliği Günü (Application Security Day)
     Introduction to Malicious Web Sites
     A First Look at Malicious Web Sites (Kötücül Web Sitelerine Bir İlk Bakış)
     Ali Ikinci – Siber Güvenlik Derneği
     ali@ikinci.info
     9 June 2012, Turkey

  2. About Me
     ● Working on Malicious Web Sites since 2006
     ● Developed a Client Honeypot called Monkey-Spider in 2007 [9]
     ● Member of the Siber Güvenlik Derneği [10]
     ● Chapter Lead of the Turkish Chapter of the Honeynet Project [11]
     ● Chief Security Analyst at ContentKeeper Technologies [12]
     9 June 2012 Uygulama Güvenliği Günü 2 Ali Ikinci

  3. Agenda
     ● Introduction
     ● Attack Vectors
     ● Code Obfuscation
     ● Sample Attack
     ● Payload
     ● Detecting Malicious Web Sites
     ● Mitigation Techniques

  4. Malicious Web Sites ...
     ● are Web sites which could be a threat to the security of the client computers requesting them
     ● even a visit without any other interaction could be a threat (so-called drive-by downloads)
     ● such Web sites can ...
       – host all sorts of malware and malicious code
       – exploit browser vulnerabilities
       – exploit vulnerabilities of other client software
       – install backdoors, spyware or keyloggers
       – steal confidential information

  5. Current Situation
     ● Attacks on client systems have become very popular in recent years
     ● Web browsers are the most widespread use case of client software
     ● Browsers and browser plugins are the most wanted targets in vulnerability assessment
     ● Firewalls and IDS systems are widely deployed, so the client has become the shortest path to hack into a network
     ● Botnets are on the rise and a valuable tool of the trade

  6. Attack Vectors
     ● Anything a client computer requests from a server and in one way or another executes or interprets on the client computer could become an attack vector
     ● Web Browser
     ● Web Browser Plugins – Flash, PDF, Media Plugins, ActiveX, JRE ...
     ● Media Players/Viewers
     ● PDF Readers
     ● Java VMs ...

  7. Attack Vectors: Code/Markup
     ● JavaScript
     ● Flash, embedded ActionScript
     ● PDF, embedded JavaScript
     ● HTML
     ● ActiveX
     ● Java
     ● VBS ...

  8. Attack Vectors: Example Programs/Libraries
     ● (X)HTML parsers like libxml, libxslt
     ● JavaScript interpreters like V8, SpiderMonkey
     ● PDF reader exploits, e.g. Acrobat Reader, Foxit Reader
     ● Java Runtime Environment exploits, e.g. Oracle JRE, IBM JRE ...

  9. Starting Points for a Malicious Web Site Attack
     ● Specifically set up "Trojan" Web site looking benign but hosting exploits, e.g. fake online AV sites
     ● Compromised benign Web sites/servers
     ● Malvertisements on benign Web sites
     ● Spam emails pointing to/loading malicious Web sites
     ● Malicious PDF files sent via email spam
     ● Spam in social networks/forums etc.
     ● Social engineering on social networks, e.g. fake campaigns, fake news ...

  10. Starting Point Example: Twitter Spam [8]
     ● Compromised Twitter accounts abused for propagation of malicious Web sites (April 2012)

  11. Starting Point Example: Malvertisements
     ● Advertisements that conceal malicious content
     ● Distributed through benign ad networks
     ● Often utilized in situations where the attacker cannot obtain access to high-value, highly trafficked Web sites, relying on social engineering techniques to trick major ad networks into serving their malicious content [4]
     ● More than 3 million malvertising impressions served per day [4]
     ● After three months of web browsing, the probability that an average Internet user will hit an infected page is approximately 95% [4]

  12. Attack Hiding Technique: Code Obfuscation
     ● Code obfuscation intends to hinder the malware analyst from revealing the attack by making the code unreadable to the human eye
     ● A simple JavaScript example [1] that hides code as hexadecimal escape values:

       var d=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');

       Converted back to ASCII this is:

       var d=document['createElement']('input');

  13. Code Obfuscation [1] - Starting Point Example: Spam
     A markup-generating obfuscated JavaScript sample from a real-world spam mail that tries to lure the user to a malicious Web site. It results in a redirect to the malicious Web site hosting the exploit:
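The decoding step from slides 12 and 13, as an added example (not from the talk): a small Python helper that decodes the \xNN and \uNNNN escapes inside JavaScript string literals and then lists the API names that bracket notation was hiding. The sample script is constructed after the slide's one-liner, not taken from the spam mail.

```python
import re

# Matches the \xNN and \uNNNN escapes that obfuscators use inside JavaScript
# string literals to hide API names from the human eye and from naive signatures.
_ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')

# A single- or double-quoted JavaScript string literal, escapes included.
_LITERAL_RE = re.compile(r"'(?:\\.|[^'\\])*'" + r'|"(?:\\.|[^"\\])*"')

# obj['member'] accesses, the form used to avoid writing document.createElement literally.
_BRACKET_RE = re.compile(r"""(\w+)\[\s*['"]([A-Za-z_$][\w$]*)['"]\s*\]""")


def decode_js_escapes(s):
    """Replace \\xNN and \\uNNNN escapes with the characters they encode."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_string_literals(js):
    """Decode escapes only inside string literals, so the code structure
    (brackets, calls, operators) stays exactly as the sample had it."""
    return _LITERAL_RE.sub(lambda m: decode_js_escapes(m.group(0)), js)


def bracket_accesses(js):
    """List obj.member names found after decoding; obfuscated pages use
    obj['member'] so that a grep for document.createElement or eval finds nothing."""
    decoded = decode_string_literals(js)
    return [f"{obj}.{member}" for obj, member in _BRACKET_RE.findall(decoded)]


# Constructed sample modelled on the slide's one-liner (not the spam mail itself).
SAMPLE = r"""var d=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');"""

if __name__ == "__main__":
    print(decode_string_literals(SAMPLE))   # var d=document['createElement']('input');
    print(bracket_accesses(SAMPLE))         # ['document.createElement']
```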

  14. Browser Attack Example: Heap Spray Attack [3]
     ● does not actually exploit any security issue, but it can be used to make a security issue easier to exploit
     ● by itself cannot be used to break any security boundary: a separate exploit is needed
     ● can be used to introduce a large amount of order to compensate for the difficulty of predicting the memory layout, increasing the chances of successful exploitation
     ● takes advantage of the fact that the start location of large heap allocations is often predictable and consecutive allocations are roughly sequential

  15. Example: Heap Spray Attack [2]

  16. Example: Heap Spray Attack [2]

  17. Example: Heap Spray Attack [2]

  18. Example: Heap Spray Attack [2]
     ● An attack can consist of multiple exploits if one is not enough to gain the needed system properties before executing the final shellcode and continuing the malicious deed
     ● Once a predictable location has been reached, the exploit is triggered to set EIP (the instruction pointer) into the sprayed area, hoping to land in the shellcode or in the next exploit in the chain before the shellcode
     ● The shellcode is then used to continue the attack, often by downloading and installing backdoors and keyloggers, and often by adding the machine to the attacker's botnet as a bot/zombie
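Added example (not from the talk): static triage heuristics an analyst can run over a captured script to flag the heap-spray shape described on slides 14 to 18, the kind of check low-interaction honeyclients and IDS signatures apply. Both inputs are constructed; SPRAY_LIKE reproduces only the shape (filler grown in a loop and copied into many array slots), contains no exploit or shellcode, and `marker` is an undefined placeholder name.

```python
import re

# Static heap-spray indicators: heuristics for triage, not proof of exploitation.
# Each entry is (reason reported to the analyst, pattern that fires it).
INDICATORS = [
    ("long %uNNNN run passed to unescape()",
     re.compile(r"""unescape\s*\(\s*['"](?:%u[0-9a-fA-F]{4}){8,}""")),
    ("repeated 0x90 (NOP-like) words",
     re.compile(r"(?:%u9090){4,}|(?:\\u9090){4,}|(?:\\x90){8,}")),
    ("string doubled in a loop up to a size threshold",
     re.compile(r"while\s*\(\s*(\w+)\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)\s*\{?\s*\1\s*\+=\s*\1\b")),
    ("array slots filled with the same large string in a for loop",
     re.compile(r"for\s*\([^)]*\)\s*\{?[^}]*?\b(\w+)\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+", re.S)),
]


def heap_spray_indicators(js):
    """Return the reasons that fired for a script; two or more together are a
    strong hint that the page is laying out memory for a browser exploit."""
    return [reason for reason, rx in INDICATORS if rx.search(js)]


def triage(js):
    """Classify a script as clean / weak / suspicious from the indicator count."""
    hits = heap_spray_indicators(js)
    level = "suspicious" if len(hits) >= 2 else ("weak" if hits else "clean")
    return level, hits


# Constructed inputs: the spray-like shape with a placeholder, and a benign loop
# that also calls unescape() and fills an array, to show the heuristics do not
# fire on ordinary string handling.
SPRAY_LIKE = r"""
var sled = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
while (sled.length < 0x10000) sled += sled;
var blocks = new Array();
for (var i = 0; i < 50; i++) blocks[i] = sled + marker;
"""
BENIGN = r"""
var s = unescape("%E4%BD%A0");
for (var i = 0; i < items.length; i++) out[i] = items[i].toUpperCase();
"""

if __name__ == "__main__":
    print(triage(SPRAY_LIKE))   # ('suspicious', [four reasons])
    print(triage(BENIGN))       # ('clean', [])
```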

  19. Shellcode
     ● is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode [5] [6]

  20. Sample Real-World Attack on cdi.org from May 2012 [7]

  21. Tool Categories to Detect Malicious Web Sites
     ● High-Interaction Honeyclients: real client computers requesting malicious Web sites to learn the behavior/tools/techniques of the attacker
     ● Low-Interaction Honeyclients: emulated Web browsers requesting and pseudo-executing sites to gain information about attacks
     ● Deobfuscation Tools for static or dynamic analysis: GUI tools to ease the work of malware analysts by supporting deobfuscation with various techniques in a safe execution environment

  22. Online Tools and Reputation Services to Detect Malicious Web Sites
     ● Wepawet http://wepawet.iseclab.org/
     ● Anubis http://anubis.iseclab.org/
     ● Google Safe Browsing diagnostic page http://www.google.com/safebrowsing/diagnostic?site=google.com
     ● McAfee SiteAdvisor http://www.siteadvisor.com/
     ● Norton Safe Web http://safeweb.norton.com/
     ● Web of Trust http://www.mywot.com/

  23. General Defense: Blacklists and IDS Signatures
     ● Many free and commercial services offer ready-to-use lists/signatures, either to avoid visiting malicious Web sites by blacklisting them, or to avoid triggering exploits by detecting their signatures or IP addresses in IDS rules. Applying these in firewalls and gateways adds significant security measures against malicious Web sites.
     ● Two important free examples are:
       – Blacklisting malicious Web sites: http://www.malwaredomains.com/
       – Providing various IDS signatures: http://www.emergingthreats.com
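Added example (not from the talk): a domain blacklist matcher of the kind a gateway applies to outgoing requests, run on a constructed sample list rather than the real malwaredomains.com feed. It matches the parsed host and its parent domains instead of searching the URL as a string, which is what decides whether look-alike hosts and user-info URLs are classified correctly; it assumes full URLs with a scheme.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list, one domain per line with '#' comments. It is NOT the
# malwaredomains.com feed; adapt load_blacklist() to the field layout of your list.
SAMPLE_LIST = """
# constructed entries
evil.example
ads.malvertising.example.net
"""


def load_blacklist(text):
    """Normalise entries: lower-case, trailing dot removed, comments and blanks dropped."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            entries.add(line)
    return entries


def connect_host(url):
    """Host the browser would actually connect to, or None for non-http(s) URLs.
    Uses the URL parser, not a substring search, so a user-info prefix such as
    http://trusted.example@evil.example/ resolves to evil.example."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")   # hostname is already lower-cased


def is_blacklisted(url, blacklist):
    """True if the host or any parent domain (never the bare TLD) is listed."""
    host = connect_host(url)
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)       # IP literals match only exactly
        return host in blacklist
    except ValueError:
        pass
    labels = host.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels) - 1))


if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_LIST)
    for u in ("http://www.evil.example/x", "http://evil.example.good.example.org/"):
        print(u, is_blacklisted(u, bl))   # True, then False
```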

  24. Server Side Defense
     ● Updates: immediate updates to server software are the base protection against any kind of exploitation attack
     ● Remote Service Hardening: any unnecessary remote service should be disabled, or its configuration hardened to be secure against exploits or brute-force attacks
     ● Application Level Firewalls
     ● Secure Passwords
     ● Web site admins should check their sites regularly for any unauthorized modifications

  25. ISP/Network Level Defense
     ● Various proprietary vendors provide in-line scanning of network traffic and can block such attacks from triggering, or malware from being transferred to victim systems
     ● Secure Web Gateways often have various means of detecting malicious attacks and can also keep the local network safe or raise alarms if an infection might have gone unnoticed
