OWASP Turkey - Uygulama Güvenliği Günü Introduction to Malicious Web Sites Kötücül Web Sitelerine Bir İlk Bakış Ali Ikinci – Siber Güvenlik Derneği [email protected] 9 June 2012 Turkey


Page 1: Uygulama guvenligi gunu - malicious web sites

OWASP Turkey - Uygulama Güvenliği Günü

Introduction to Malicious Web Sites

Kötücül Web Sitelerine Bir İlk Bakış (A First Look at Malicious Web Sites)

Ali Ikinci – Siber Güvenlik Derneği

[email protected]

9 June 2012

Turkey

Page 2: Uygulama guvenligi gunu - malicious web sites

9 June 2012 Uygulama Güvenliği Günü

Ali Ikinci

2

About Me

● Working on Malicious Web Sites since 2006

● Developed a Client Honeypot called Monkey-Spider in 2007 [9]

● Member of the Siber Güvenlik Derneği[10]

● Chapter Lead of the Turkish Chapter of the Honeynet Project[11]

● Chief Security Analyst at ContentKeeper Technologies[12]

Page 3: Uygulama guvenligi gunu - malicious web sites


Agenda

● Introduction

● Attack Vectors

● Code Obfuscation

● Sample Attack

● Payload

● Detecting Malicious Web Sites

● Mitigation Techniques

Page 4: Uygulama guvenligi gunu - malicious web sites


Malicious Web Sites ...

● Are Web sites that can be a threat to the security of the client computers requesting them

● Even visiting such a site without any further interaction can be a threat (so-called drive-by downloads)

● Such Web sites can ...

– host all sorts of malware and malicious code

– exploit browser vulnerabilities

– exploit vulnerabilities of other client software

– install backdoors, spyware or keyloggers

– steal confidential information

Page 5: Uygulama guvenligi gunu - malicious web sites


Current Situation

● Attacks on client systems have become very popular in recent years

● Web Browsers are the most widespread use case of client software

● Browsers and Browser plugins are the most sought-after targets in vulnerability research

● Firewalls and IDS systems are widely deployed, so the client has become the shortest path to hack into a network

● Botnets are on the rise and a valuable tool of trade

Page 6: Uygulama guvenligi gunu - malicious web sites


Attack Vectors

● Anything a client computer requests from a server and in one way or another executes or interprets on the client computer can become an attack vector

● Web Browser

● Web Browser Plugins

– Flash, PDF, Media Plugins, ActiveX, JRE ...

● Media Players/Viewers

● PDF Readers

● Java VMs ...

Page 7: Uygulama guvenligi gunu - malicious web sites


Attack Vectors Code/Markup

● JavaScript

● Flash, embedded ActionScript

● PDF, embedded JavaScript

● HTML

● ActiveX

● Java

● VBS ...

Page 8: Uygulama guvenligi gunu - malicious web sites


Attack Vectors Example Programs/Libraries

● (X)HTML parsers like libxml, libxslt

● JavaScript Interpreters like V8, SpiderMonkey

● PDF Reader Exploits like Acrobat Reader, Foxit Reader

● Java Runtime Environment Exploits like Oracle JRE, IBM JRE ...

Page 9: Uygulama guvenligi gunu - malicious web sites


Starting Points for a Malicious Web Site Attack

● Specifically set up “Trojan” Web Sites that look benign but host exploits, e.g. fake online AV sites

● Compromised benign Web Sites/Servers

● Malvertisements on benign Web Sites

● Spam Emails pointing to/loading Malicious Web Sites

● Malicious PDF Files sent via Email Spam

● Spam in Social Networks/Forums etc.

● Social Engineering on Social Networks, e.g. fake campaigns, fake news ...

Page 10: Uygulama guvenligi gunu - malicious web sites


Starting Point Example: Twitter Spam[8]

● Compromised Twitter accounts abused for propagation of Malicious Web Sites (April 2012)

Page 11: Uygulama guvenligi gunu - malicious web sites


Starting Point Example: Malvertisements

● Advertisements that conceal malicious content

● Distributed through benign Ad Networks

● Often used when the attacker cannot obtain access to high-value, high-traffic web sites, relying on social engineering techniques to trick major ad networks into serving the malicious content[4]

● More than 3 million malvertising impressions served per day[4]

● After three months of web browsing, the probability that an average Internet user will hit an infected page is approximately 95%[4]

Page 12: Uygulama guvenligi gunu - malicious web sites


Attack Hiding Technique: Code Obfuscation

● Code Obfuscation aims to keep the malware analyst from revealing the attack by making the code unreadable to the human eye

● A simple JavaScript example[1] that hides code by writing every character as a hexadecimal escape sequence:

var d=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');

Decoding the hex escapes into ASCII gives:

var d=document['createElement']('input');
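The decoding step shown above is mechanical and is the first thing an analyst automates. The following Python helper is an added example, not code from the slides or from Kahu Security [1]: it replaces \xNN and \uNNNN escapes (and the non-standard %uNNNN form consumed by JavaScript's unescape()) with the characters they stand for, then lists the string literals of the decoded script so that DOM calls such as createElement become visible without executing anything. OBFUSCATED_SAMPLE is constructed from the slide's example.

```python
import re

# Constructed sample following the slide's pattern: createElement('input') with every
# character written as a \xNN escape.
OBFUSCATED_SAMPLE = (
    r"var d=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']"
    r"('\x69\x6e\x70\x75\x74');"
)

# Three escape forms seen in obfuscated scripts; %NN is deliberately left alone because
# a bare percent sign is also the modulo operator and would be mis-decoded in real source.
_ESCAPE_RE = re.compile(
    r"\\x([0-9A-Fa-f]{2})"      # \xNN    one byte
    r"|\\u([0-9A-Fa-f]{4})"     # \uNNNN  one UTF-16 code unit
    r"|%u([0-9A-Fa-f]{4})"      # %uNNNN  non-standard form handled by unescape()
)


def _replace(match):
    # exactly one of the alternation groups is set for a given match
    for group in match.groups():
        if group is not None:
            return chr(int(group, 16))
    return match.group(0)


def decode_escapes(source):
    """Replace hex and unicode escape sequences with the characters they denote."""
    return _ESCAPE_RE.sub(_replace, source)


def extract_identifiers(source):
    """Return the identifier-like string literals of the decoded script, in order.

    Bracket-property access such as document['createElement'] is the obfuscator's
    way of hiding a method name; once decoded, these literals are what to look for.
    """
    decoded = decode_escapes(source)
    return re.findall(r"""['"]([A-Za-z_$][\w$]*)['"]""", decoded)


if __name__ == "__main__":
    print(decode_escapes(OBFUSCATED_SAMPLE))
    print(extract_identifiers(OBFUSCATED_SAMPLE))
```

Decoding is purely textual, so nested constructions (a decoded string that is itself fed to eval) need a second pass over the result; this helper shows one layer, which is enough for the slide's example.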

Page 13: Uygulama guvenligi gunu - malicious web sites


Code Obfuscation[1] - Starting Point Example: Spam

A markup-generating obfuscated JavaScript sample from a real-world spam mail, trying to lure the user to a Malicious Web Site

It results in a redirect to the Malicious Web Site hosting the exploit:

Page 14: Uygulama guvenligi gunu - malicious web sites


Browser Attack Example: Heap Spray Attack[3]

● does not by itself exploit any security issue, but it can be used to make a security issue easier to exploit.

● by itself cannot be used to break any security boundary: a separate exploit is needed

● can be used to introduce a large amount of order into memory, compensating for the difficulty of predicting addresses and increasing the chances of successful exploitation.

● takes advantage of the fact that the start location of large heap allocations is often predictable and consecutive allocations are roughly sequential.

Page 15: Uygulama guvenligi gunu - malicious web sites


Example: Heap Spray Attack[2]

Page 16: Uygulama guvenligi gunu - malicious web sites


Example: Heap Spray Attack[2]

Page 17: Uygulama guvenligi gunu - malicious web sites


Example: Heap Spray Attack[2]

Page 18: Uygulama guvenligi gunu - malicious web sites


Example: Heap Spray Attack[2]

● An attack can consist of multiple exploits if one is not enough to gain the needed system privileges before executing the final shellcode and continuing the malicious deed

● After the predictable location has been reached, the exploit is triggered to set EIP (the Instruction Pointer) into the sprayed area, hopefully landing in the shellcode or in the next exploit of the chain before the shellcode

● The shellcode is then used to continue the attack, often by downloading and installing backdoors or keyloggers and adding the machine to the attacker's botnet as a bot/zombie
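The spray described on these slides has a recognisable textual shape when it is written in JavaScript: a long literal of repeated %u escapes fed to unescape(), a string that doubles itself up to a large size, and a loop that fills an array with hundreds of copies. The Python heuristic below is an added example, not from the slides or from the cited tutorial [2], of the kind of static check a gateway or an analyst's triage script can run over page scripts before any emulation. Both samples are constructed: SPRAY_SAMPLE only mimics the shape (there is no exploit in it), and BENIGN_SAMPLE shows a legitimate use of unescape() that must not be flagged.

```python
import re

# Constructed sample with the shape of a spray loop; not working exploit code.
SPRAY_SAMPLE = """
var sled = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var chunk = sled;
while (chunk.length < 0x100000) chunk += chunk;
var blocks = new Array();
for (var i = 0; i < 500; i++) { blocks[i] = chunk + sled; }
"""

# Constructed benign sample: unescape() used for two non-ASCII letters, small loop.
BENIGN_SAMPLE = """
var label = unescape("%u00e7%u00f6");
var items = [];
for (var i = 0; i < 10; i++) { items.push(label + i); }
"""


def spray_indicators(script):
    """Collect static heap-spray indicators from a script; returns a dict of findings."""
    findings = {}

    # 1. unescape() literals made of many %u code units; a single repeated unit is
    #    the textbook NOP-sled shape.
    for lit in re.findall(r'unescape\(\s*["\']([^"\']*)["\']', script):
        units = re.findall(r'%u[0-9A-Fa-f]{4}', lit)
        if len(units) >= 8:
            findings.setdefault("long_unescape_literals", []).append(len(units))
            if len(set(units)) == 1:
                findings.setdefault("repeated_code_unit", []).append(units[0])

    # 2. a string doubling itself until it reaches a size threshold: while (x.length < N) x += x
    if re.search(
        r'while\s*\(\s*\w+\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*(\w+)\s*\+=\s*\2',
        script,
    ):
        findings["self_doubling_loop"] = True

    # 3. a counted loop storing into an array hundreds of times
    m = re.search(
        r'for\s*\([^;]*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\{?\s*\w+\[\w+\]\s*=', script
    )
    if m and int(m.group(1)) >= 100:
        findings["large_array_fill"] = int(m.group(1))

    return findings


def looks_like_heap_spray(script):
    """Require the sled-like literal plus at least one of the growth patterns,
    so a lone unescape() of a few characters never trips the check."""
    f = spray_indicators(script)
    return "repeated_code_unit" in f and (
        "self_doubling_loop" in f or "large_array_fill" in f
    )


if __name__ == "__main__":
    for name, sample in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, looks_like_heap_spray(sample), spray_indicators(sample))
```

A static check like this is cheap but evadable (the literal can be built at run time, as the obfuscation slides show), which is why it is paired in practice with the honeyclients and emulated browsers discussed later in the deck.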

Page 19: Uygulama guvenligi gunu - malicious web sites


Shellcode

● is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode[5]

(Figure: shellcode example, source [6])

Page 20: Uygulama guvenligi gunu - malicious web sites


Sample Real World Attack on cdi.org from May 2012[7]

Page 21: Uygulama guvenligi gunu - malicious web sites


Tool Categories to Detect Malicious Web Sites

● High-Interaction Honeyclients: Real client computers requesting Malicious Web Sites to learn the behavior/tools/techniques of the attacker

● Low-Interaction Honeyclients: Emulated web browsers requesting and pseudo-executing sites to gain information about attacks.

● Deobfuscation Tools for static or dynamic analysis: GUI tools that ease the work of malware analysts by supporting deobfuscation with various techniques in a safe execution environment.

Page 22: Uygulama guvenligi gunu - malicious web sites


Online Tools and Reputation Services to detect Malicious Web Sites

● Wepawet http://wepawet.iseclab.org/

● Anubis http://anubis.iseclab.org/

● Google Safe Browsing diagnostic page http://www.google.com/safebrowsing/diagnostic?site=google.com

● McAfee SiteAdvisor http://www.siteadvisor.com/

● Norton Safe Web http://safeweb.norton.com/

● Web of Trust http://www.mywot.com/

Page 23: Uygulama guvenligi gunu - malicious web sites


General Defense: Blacklists and IDS Signatures

● Many free and commercial services offer ready-to-use lists/signatures, either to avoid visiting malicious web sites by blacklisting them, or to avoid triggering exploits by detecting their signatures or IP addresses in IDS rules. Applying these in firewalls and gateways adds significant security measures to fight Malicious Web Sites.

● Two important free examples are:

– Blacklisting malicious web sites: http://www.malwaredomains.com/

– Providing various IDS signatures: http://www.emergingthreats.com
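The blacklisting side of this slide is a small matching problem that is easy to get subtly wrong: a listed domain must also block its subdomains, while a look-alike name that merely ends with the same characters must not match. The Python below is an added example, not from the slides or from malwaredomains.com; it assumes the hosts-file layout (optional sink-hole address, then the domain, with # comments) that such lists are commonly distributed in, and the list contents are constructed from reserved example names.

```python
from urllib.parse import urlsplit

# Constructed sample in hosts-file layout; the names are reserved example domains,
# not real indicators.
BLACKLIST_TEXT = """
# constructed sample list
127.0.0.1  malicious-example.test
127.0.0.1  exploit-kit.example.net   # landing page
0.0.0.0    ads.bad-network.invalid
"""


def parse_blacklist(text):
    """Return the set of blocked domain names, lower-cased, from hosts-file style text."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        # with a leading sink-hole address the name is the second field, otherwise the first
        name = fields[1] if len(fields) > 1 else fields[0]
        domains.add(name.lower().rstrip("."))
    return domains


def is_blocked(url, domains):
    """True if the URL's host, or any parent domain of it, is on the list.

    Matching is done label-wise, so 'notmalicious-example.test' does not match
    'malicious-example.test', but 'www.exploit-kit.example.net' does match
    'exploit-kit.example.net'.
    """
    if "://" not in url:
        url = "http://" + url            # urlsplit needs a scheme to find the host
    host = urlsplit(url).hostname
    if not host:
        return False
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


if __name__ == "__main__":
    blocked = parse_blacklist(BLACKLIST_TEXT)
    for u in ("http://www.exploit-kit.example.net/index.php", "http://example.net/"):
        print(u, is_blocked(u, blocked))
```

Because the parent-domain walk goes all the way up to the top-level label, a malformed list entry consisting of a bare TLD would block everything under it; validating entries on import is the cheap guard against that.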

Page 24: Uygulama guvenligi gunu - malicious web sites


Server Side Defense

● Updates: Immediate updates to server software are the base protection against any kind of exploitation attack

● Remote Service Hardening: Any unnecessary remote service should be disabled, or its configuration hardened to be secure against exploits or brute-force attacks.

● Application Level Firewalls

● Secure Passwords

● Web Site Admins should check their site regularly for any unauthorized modifications
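The last point on this slide is usually implemented as a file-integrity check: hash every file under the document root once, keep the result somewhere the web server cannot rewrite, and diff against it on a schedule. The Python below is an added example, not from the slides; it builds a constructed web root in a temporary directory, takes a SHA-256 baseline, simulates an unauthorized change (content appended to a page, a new script dropped, an original file removed) and reports the difference.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map 'relative/path' -> SHA-256 for every regular file under root (forward slashes)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Report files that appeared, disappeared or changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def demo():
    """Constructed web root: record a baseline, then simulate an unauthorized change."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><body>hello</body></html>\n")
        with open(os.path.join(root, "js", "app.js"), "w") as fh:
            fh.write("console.log('app');\n")

        # The baseline belongs where a web-server compromise cannot rewrite it
        # (off-host, or at least outside the document root); JSON keeps it portable.
        stored = json.dumps(build_baseline(root))

        # Constructed unauthorized modification: appended page content, a dropped
        # script, and a deleted original.
        with open(os.path.join(root, "index.html"), "a") as fh:
            fh.write("<!-- unexpected addition -->\n")
        with open(os.path.join(root, "js", "extra.js"), "w") as fh:
            fh.write("// unexpected file\n")
        os.remove(os.path.join(root, "js", "app.js"))

        return compare_to_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing content rather than trusting modification times matters here, because an attacker with write access to the document root can reset timestamps but cannot produce a colliding SHA-256 for the original file.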

Page 25: Uygulama guvenligi gunu - malicious web sites


ISP/Network Level Defense

● Various proprietary vendors provide in-line scanning of network traffic and can block such attacks from triggering, or malware from being transferred to victim systems

● Secure Web Gateways often have various means of detecting malicious attacks, and can also keep the local network safe or raise alarms if an infection has gone unnoticed.

Page 26: Uygulama guvenligi gunu - malicious web sites


Client Side Defense

● Updates: Always having the latest patch level of client software avoids being exploited by non-zero-day exploits. Software management systems like NAC, or Secunia PSI[13] for personal use, help administer and guarantee this

● HIDS and Personal Firewalls can also use blacklists and sites like ET (Emerging Threats) to raise the security boundary

● Many AV engines in combination with so called “Internet Security Suites” provide a certain level of heuristics based exploit detection and can even avoid zero-day exploits from being triggered in certain scenarios

● AV engines can also stop the execution of malicious payload after the exploit has been triggered unnoticed and can then stop the malware before it can do any harm to the client system

Page 27: Uygulama guvenligi gunu - malicious web sites


References

[1] Kahu Security http://www.kahusecurity.com/

[2] Peter Van Eeckhoutte https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

[3] Wikipedia http://en.wikipedia.org/wiki/Heap_spraying

[4] Dancho Danchev http://www.zdnet.com/blog/security/report-3-million-malvertising-impressions-served-per-day/8319

[5] Wikipedia http://en.wikipedia.org/wiki/Shellcode

[6] Phrack Issue 49 by Aleph One http://www.phrack.org/issues.html?issue=49&id=14#article

[7] Steven Adair and Ned Moran http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/

[8] Nicolaz Bruez http://www.securelist.com/en/blog/208193477/New_Spam_campaign_on_Twitter_Leads_to_Rogue_AV

[9] The Monkey-Spider Project http://monkeyspider.sf.net

Page 28: Uygulama guvenligi gunu - malicious web sites


References

[10] Siber Güvenlik Derneği http://www.siberguvenlik.org.tr/

[11] Honeynet Project – Turkish Chapter http://www.honeynettr.org

[12] ContentKeeper Technologies http://www.contentkeeper.com

[13] Secunia Personal Software Inspector http://secunia.com/products/consumer/psi

Page 29: Uygulama guvenligi gunu - malicious web sites


Questions?

Thank you for your attention!

This talk was made possible with kind support from http://contentkeeper.com

Page 30: Uygulama guvenligi gunu - malicious web sites


Exploit Kits

● Ready-to-run, large-scale automated exploitation kits

● Sold in rogue underground forums

● One kit often has a bunch of exploits ready to execute on varying client machines

● Exploited machines are added to the kit's interface for ease of “management”

● A widespread approach to running Malicious Web Site infrastructure

Page 31: Uygulama guvenligi gunu - malicious web sites


Exploit Kits Most Wanted[1]