Bsideshh 2014 Master

8/10/2019 Bsideshh 2014 Master

1/101

CATCH AND RELEASE: ANEW LOOK AT DETECTINGAND MITIGATING HIGHLY

OBFUSCATED EXPLOITKITS

BY MOHAMED SAHER AND AHMED GARHY


2/101

AGENDAOur IntentRethinking EvasionsDomain of the Problem

Current ProblemProblem with Current SolutionsSolution #1 First MethoSolution #! Se"on Metho


3/101

OUR INTENTIs this fun"tion mali"iousfunction Translate(objects, offset, size) { var length = 4; for (var i = 0; i < size; i++) { var r = rc.substr(0, length); if(offset 0) { r = r.substr(offset) + r.substr(0, offset); !

objects"i# = r.substr(0, r.length); !!


4/101

OUR INTENTIs this fun"tion mali"iousfunction Translate(objects, offset, size) { var length = 4; for (var i = 0; i < size; i++) { var r = rc.substr(0, length); if(offset 0) { r = r.substr(offset) + r.substr(0, offset); ! objects"i# = r.substr(0, r.length); !!

$ithout un erstan ing the "onte%t on how a fun"tion is use & it isver' iffi"ult to etermine if it is mali"ious or not


5/101

OUR INTENT$hat about this s"ri(t


6/101



7/101



8/101

RETHINKING EVASIONSDesigning a new ar"hite"ture


9/101


3se a essage oriente architecture (567) to s$lit the attac8into is$arate self containe essages 9 e refer to this as :unitsof or8


10/101


3se a essage oriente architecture (567) to s$lit the attac8into is$arate self containe essages 9 e refer to this as :unitsof or8This is a variation of the :scri$t s$litting techni ue e ce$t a

essage e ists ithin a local sco$e an is estro/e after itserves its $ur$ose


11/101



essage e ists ithin a local sco$e an is estro/e after itserves its $ur$ose>oes not re uire >65 ani$ulation to hi e : agic strings


12/101



essage e ists ithin a local sco$e an is estro/e after itserves its $ur$ose>oes not re uire >65 ani$ulation to hi e : agic strings

7voi the : agic re irect ?1@75A that can be a trigger for so eanal/zers


13/101

RETHINKING EVASIONSDesigning a new ar"hite"ture)voi ing 0..P


14/101


7n artifact that can be $arse or scanne for $atterns,characteristics, an efinitions oes not e ist


15/101



7n alternative to loa ing BavaCcri$t in :clear te t


16/101



7n alternative to loa ing BavaCcri$t in :clear te tDoa one essage at a ti e, forcing each essage to beanal/ze in e$en entl/ 9 re e ber :units of or8


17/101



7n alternative to loa ing BavaCcri$t in :clear te tDoa one essage at a ti e, forcing each essage to beanal/ze in e$en entl/ 9 re e ber :units of or8Eeb Coc8ets are a $erfect can i ate for both 567 an

b/$assing FTTG fro a eb environ ent


18/101

RETHINKING EVASIONSDesigning a new ar"hite"ture)voi ing 0..P)voi ing "lient si e state


19/101


T o co $onents involve , client an server

Hlient

Disten

?nvo8e


20/101


T o co $onents involve , client an server

Hlient

Disten

?nvo8e

Cerver

Ctate

Cen


21/101


T o co $onents involve , client an server 1or each acce$te connection fro a client, server aintains astate achine


22/101


T o co $onents involve , client an server 1or each acce$te connection fro a client, server aintains astate achine5essages are essentiall/ co an s an o not e$en on eachother 9 re e ber :units of or8


23/101


T o co $onents involve , client an server 1or each acce$te connection fro a client, server aintains astate achine5essages are essentiall/ co an s an o not e$en on eachother 9 re e ber :units of or8

Hlient evaluates essage, invo8es essage, an estro/s it


24/101


imit "ontrol flow an fun"tion "all hierar"h'


25/101


imit "ontrol flow an fun"tion "all hierar"h'6nl/ client control flo is that of the client listening an invo8ing a

essage


26/101



essage6r er of essages not guarantee b/ server. Cerver a/ senI6G essages as $art of an attac8 to tric8 certain anal/zers


27/101



essage6r er of essages not guarantee b/ server. Cerver a/ senI6G essages as $art of an attac8 to tric8 certain anal/zers

:5on8e/ $atch functions /na icall/ evaluate in essages totric8 certain anal/zers


28/101


)voi ing "lient si e stateimit "ontrol flow an fun"tion "all hierar"h'

2etting "reative in trans(ort format


29/101



2etting "reative in trans(ort formatEeb Coc8ets are si $le THG $i$es, so ata can be re$resenteon the ire in an a$$lication s$ecific a/


30/101



2etting "reative in trans(ort formatEeb Coc8ets are si $le THG $i$es, so ata can be re$resenteon the ire in an a$$lication s$ecific a/Io longer restricte to sen ing BavaCcri$t in clear te t


31/101




Hreate custo binar/ for at


32/101




Hreate custo binar/ for atCen essage in binar/ on the ire

0-00-0000--00-0-0--0--000--0--000--0----00-000000-00-0000--0000-0--0--0-0--000-00---0-0-0---00-00--00---00-0000-


33/101




Hreate custo binar/ for atCen essage in binar/ on the ireCi $l/ loo8ing at a binar/ essage on%t give hints about hatits contents are 9 is it an au io file, an i age, even te tJ


34/101


)voi ing "lient si e state

imit "ontrol flow an fun"tion "all hierar"h'

2etting "reative in trans(ort formatEeb Coc8ets are si $le THG $i$es, so ata can be re$resente on the irein an a$$lication s$ecific a/Io longer restricte to sen ing BavaCcri$t in clear te tHreate custo binar/ for atCen essage in binar/ on the ireCi $l/ loo8ing at a binar/ essage on%t give hints about hat its contentsare 9 is it an au io file, an i age, even te tJTo even begin to un erstan a binar/ essage, its for at s$ecification nee sto be 8no n beforehan or else it is a ver/ challenging $roble in its o n


35/101



2etting "reative in trans(ort formatConfusing the Conte%t


36/101


imit "ontrol flow an fun"tion "all hierar"h'2etting "reative in trans(ort format

Confusing the Conte%t@e e ber this functionJ

function Translate(objects, offset, size) { var length = 4; for (var i = 0; i < size; i++) { var r = rc.substr(0, length); if(offset 0) { r = r.substr(offset) + r.substr(0, offset); ! objects"i# = r.substr(0, r.length); !!


37/101


imit "ontrol flow an fun"tion "all hierar"h'2etting "reative in trans(ort formatConfusing the Conte%t

@e e ber this functionJfunction Translate(objects, offset, size) { var length = 4; for (var i = 0; i < size; i++) { var r = rc.substr(0, length); if(offset 0) { r = r.substr(offset) + r.substr(0, offset);

! objects"i# = r.substr(0, r.length); !!

Io that e get this fro our binar/ for at, e again as8 the uestion, ho o /ou eter ine if it isaliciousJ


38/101

DOMAIN OF THE PROBLEM0ow "an we efine a mali"ious website


39/101

DOMAIN OF THE PROBLEM0ow "an we efine a mali"ious website0ow "an we ete"t a mali"ious website


40/101

DOMAIN OF THE PROBLEM0ow "an we efine a mali"ious website0ow "an we ete"t a mali"ious website0ow "an we ete"t obfus"ation


41/101

DOMAIN OF THE PROBLEM0ow "an we efine a mali"ious website0ow "an we ete"t a mali"ious website0ow "an we ete"t obfus"ation0ow "an we i entif' obfus"ation use for mali"ious (ur(oses


42/101

DOMAIN OF THE PROBLEM0ow "an we efine a mali"ious website0ow "an we ete"t a mali"ious website0ow "an we ete"t obfus"ation0ow "an we i entif' obfus"ation use for mali"ious (ur(oses0ow "an we "ategori3e what is mali"ious an what is not


43/101

CURRENT PROBLEME%(loits elivere at some (oint relies on 4avaS"ri(t


44/101

CURRENT PROBLEME%(loits elivere at some (oint relies on 4avaS"ri(t4avaS"ri(t is "ontinuousl' getting obfus"ate with more"om(le%it'


45/101

CURRENT PROBLEME%(loits elivere at some (oint relies on 4avaS"ri(t4avaS"ri(t is "ontinuousl' getting obfus"ate with more"om(le%it'Current solutions are wa' behin in te"hnolog'


46/101

PROBLEMS WITH CURRENTSOLUTIONS

Relies heavil' on invo"ative fun"tions that are not a"on"rete base to be mali"ious 5fromCharCo e& eval&unes"a(e& et"-6 an have (lent' of legitimate use "ases


47/101



>65 an HCC selectors


48/101




Hlient si e $ro ies for clientKserver interaction


49/101




Hlient si e $ro ies for clientKserver interactionHlient si e te $late engines


50/101



imite sets of "hara"teristi"s


51/101



imite sets of "hara"teristi"s

Probabilisti" e"isions is ire"tl' (ro(ortional with the"hara"teristi"s e%tra"te


52/101

TYPES OF APPROACHESD'nami" anal'sis of embe e 4S


53/101

TYPES OF APPROACHESD'nami" anal'sis of embe e 4SStati" anal'sis of e%tra"te 4S 5Metho #16


54/101

TYPES OF APPROACHESD'nami" anal'sis of embe e 4SStati" anal'sis of e%tra"te 4S 5Metho #16Stati" anal'sis of e%tra"te 4S 5Metho #!6


55/101

DYNAMIC ANALYSIS) 0o" Forwar ing


56/101


Hreate a i le la/er bet een the bro ser an the BCengine


57/101



7nal/ze the H1L of the scri$ts being e ecute


58/101




7nal/ze a call hierarch/ of functions or er


59/101




7nal/ze a call hierarch/ of functions or er 7nal/ze certain co bination of functions use inclu ing8no n highl/ ris8/ ones


60/101

DYNAMIC ANALYSIS) 0o" Forwar ing7rowser )utomation


61/101


7ttach to ?A $rocess


62/101


7ttach to ?A $rocess3se sh ocv . ll to auto ate H65 callbac8s


63/101


7ttach to ?A $rocess3se sh ocv . ll to auto ate H65 callbac8sHa$ture events hile the/ trigger an ani$ulate the


64/101


7ttach to ?A $rocess3se sh ocv . ll to auto ate H65 callbac8sHa$ture events hile the/ trigger an ani$ulate the

7nal/ze in the sa e anner as 7 Foc 1or ar ing


65/101

DYNAMIC ANALYSIS) 0o" Forwar ing7rowser )utomation7rowser In8Memor' In9e"tion


66/101


?nject BC in >65 to onitor events


67/101


?nject BC in >65 to onitor events3se a BC >ebugger (1ireMug or other)


68/101

STATIC ANALYSIS (METHOD 1)E%tra"t lo"al s"ri(ts


69/101

STATIC ANALYSIS (METHOD 1)E%tra"t lo"al s"ri(tsE%tra"t remote s"ri(ts


70/101

STATIC ANALYSIS (METHOD 1))nal'3e the s"ri(t an "ategori3e them base on "ertain"riteria


71/101


Eeb $age enco ing


72/101


Eeb $age enco ing>etecting current language use an e tracting features


73/101



Hhec8 the EF6?C for the eb $age


74/101



Hhec8 the EF6?C for the eb $ageDetermine (robabilisti"all' to whi"h "ategor' it belongs to


75/101

SHANNONS ENTROPYFormula


76/101

SHANNONS ENTROPYFormula

$e use Shannon+s Entro(' to etermine the entro(' of thefile onl' as a si e8effe"t an not a main "riteria to

etermine the e"ision whether it was mali"ious or not


77/101

NAVE BAYESIAN) ma"hine8learning te"hni/ue that "an be use to (re i"tto whi"h "ategor' a (arti"ular ata "ase belongs


78/101

NAVE BAYESIAN) ma"hine8learning te"hni/ue that "an be use to (re i"tto whi"h "ategor' a (arti"ular ata "ase belongs

2iven the above formula+: )n event ) is I;DEPE;DE;.from event 7 if the "on itional (robabilit' is the same asthe marginal (robabilit'


79/101

LAPLACIAN SMOOTHING.o avoi having a < 9oint in an' (artial (robabilit' we usethe a 8one smoothing te"hni/ue


80/101

LAPLACIAN SMOOTHING.o avoi having a < 9oint in an' (artial (robabilit' we usethe a 8one smoothing te"hni/ue-2iven an observation % = ( x - , N, x d ) from a multinomial

istribution with ; trials an (arameter ve"tor

= = ( - , N, d )& a >smoothe > version of the ata gives theestimator

where ? < is the smoothing (arameter 5 @ < "orres(on sto no smoothing6


81/101

STATIC ANALYSIS (METHOD 2)0ow is 4S e%e"ute Ahan le


82/101

STATIC ANALYSIS (METHOD 2)0ow is 4S e%e"ute Ahan le-. The co e is scanne for all function(s) eclaration. Aach

eclaration is e ecute b/ creating a function object ana na e reference to that function is create so that the

function can be calle fro ithin a state ent.


83/101

STATIC ANALYSIS (METHOD 2)0ow is 4S e%e"ute Ahan le-. The co e is scanne for all function(s) eclaration. Aach

eclaration is e ecute b/ creating a function object ana na e reference to that function is create so that the

function can be calle fro ithin a state ent.'. The state ents are evaluate an e ecute b/ or er asthe/ a$$ear on the $age after full/ loa e .


84/101

S EXAMPLE !1

DoNothing();

function DoNothing() {

return;

}

This or8s


85/101

S EXAMPLE !2

DoNothing();


return;

}

This oes notor8s


86/101

S EXAMPLE !"


return;

}

DoNothing();

This or8s


87/101

S EXAMPLE !"

// assuming that DoNothing is not defined

DoNothing();

alert(1);

This oes not

or8s


88/101

S EXAMPLE !"

// assuming that DoNothing is not defined

DoNothing();

alert(1);

This or8s


89/101

STATIC ANALYSIS (METHOD 2)Semanti" anal'sis to fo"us on *what oes this mean,


90/101

STATIC ANALYSIS (METHOD 2)Semanti" anal'sis to fo"us on *what oes this mean,O(timi3er8Com(iler for 4S whi"h fo"uses on stru"tureother than e%tra"te invo"ative fun"tions


91/101

OPTIMI#ER$COMPILER.he following es"ribes the ar"hite"ture of an' or inar'"om(iler an the "urrent "om(iler as well

De er Garser Translator 6$ti izer To8ens 7CT ?@


92/101

OPTIMI#ER$COMPILER)t this (hase the o(timi3er tries to o(timi3e the 4S in(utbase on o(timi3ation theories after the )S. wasgenerate an "onverte into an IR

6$ti izer

Fi en Hlasses


93/101


6$ti izer

Fi en Hlasses

T/$e ?nference


94/101


6$ti izer

Fi en Hlasses

T/$e ?nference

?nline Haches


95/101


6$ti izer

Fi en Hlasses

T/$e ?nference

?nline Haches

1unction C/nthesis


96/101


6$ti izer

Fi en Hlasses

T/$e ?nference

?nline Haches

1unction C/nthesis

?nline A $ansion


97/101


6$ti izer

Fi en Hlasses

T/$e ?nference

?nline Haches

1unction C/nthesis

?nline A $ansion

Doo$ ?nvariant Ho e 5otion


98/101


6$ti izer

Fi en Hlasses

T/$e ?nference

?nline Haches

1unction C/nthesis

?nline A $ansion


Honstant 1ol ing


99/101


6$ti izer

Fi en Hlasses

T/$e ?nference

?nline Haches

1unction C/nthesis

?nline A $ansion


Honstant 1ol ing

Ho$/ Gro$agation


100/101


6$ti izer

Fi en Hlasses

T/$e ?nference

?nline Haches

1unction C/nthesis

?nline A $ansion


Honstant 1ol ing

Ho$/ Gro$agation

Ho on CubKA $ression Ali ination


101/101


6$ti izer

Fi en Hlasses

T/$e ?nference

?nline Haches

1unction C/nthesis

?nline A $ansion


Honstant 1ol ing

Ho$/ Gro$agation

Ho on CubKA $ression Ali ination

>ea Ho e Ali ination

Documents

Bsideshh 2014 Master