SLIDE 1

FIRESHARK A TOOL TO LINK THE MALICIOUS WEB

Stephan Chenette Principal Security Researcher Websense Labs

SLIDE 2

Agenda

  • Introduction
  • Fireshark Details
  • Web Communities
  • Malicious Web Communities
    - Mass Injection Analysis
    - Redirection Chaining
    - Deobfuscation Analysis
    - Content Profiling
  • Conclusion

SLIDE 3

Why you should care

URL Injection attacks are increasing

225% increase in the number of new compromised legitimate websites in the last 12 months (Source: Websense Security Labs, State of Internet Security, Q3-Q4 2009 Report)

SLIDE 4

Why you should care

  • The deobfuscation tools are NOT sufficient
  • Emulators are meant for products, not researchers
  • Mass Injection attacks are hard to correlate, e.g. nine-ball, beladen (~40k compromises)
  • A need exists for something that satisfies both the high-level view of an attack and low-level content profiling
  • Fireshark.

SLIDE 5

Connecting the dots

Mass Injection examples

  • Gumblar ~60,000 compromises
  • Beladen ~40,000 compromises
  • Nine-ball ~20,000 compromises

SLIDE 6

Public Tools Available today

Websites:

  • Wepawet
  • Anubis
  • ZeusTracker
  • BLADE (*new*)
  • Robtex
  • Unmask Parasites
  • Malwaredomainlist.com
  • Badwarebusters.org
  • VirusTotal.com

Tools:

  • Malzilla
  • Rhino Debugger
  • FF JavaScript Deobfuscator
  • DS’s SpiderMonkey
  • Jsunpack
  • Caffeine Monkey
  • NJS

SLIDE 7

Malzilla vs. the Phoenix Exploit Kit

SLIDE 8

Jsunpack vs. Phoenix

SLIDE 9

SpiderMonkey / CaffeineMonkey

  • Lacks DOM features; only a JavaScript engine

SLIDE 10

Obfuscated Content

  • Iframe/script injection (compromised pages)
  • Crimepack exploit kit
  • Eleonore exploit kit
  • Phoenix exploit kit
  • YES exploit kit
  • SEO sploit pack
  • Fragus exploit kit
  • Neosploit kit
  • More…

SLIDE 11

Crimepack 2.8 (released before Easter)

Exploits include:

  • Adobe Acrobat Reader exploits (including CVE-2010-0188) (ALL)
  • JRE (GSB & SERIALIZE) (ALL)
  • MDAC (IE)
  • MS09-032 (IE)
  • MS09-002 (IE)
  • CVE-2010-0806 (IE)

SLIDE 12

Crimepack 2.8 Anti-Analysis

Features include:

  1. Undetected by AV scanners (JavaScript & PDF/JAR/JPG files)
  2. Random PDF obfuscation (not using a static PDF file like other packs)
  3. Blacklist checker & AutoChecker
  4. Prevents Wepawet, Jsunpack and other JavaScript unpackers from decoding your page

SLIDE 13

Crimepack 2.8 Changes

  • Added CVE-2010-0806
  • Added CVE-2010-0188
  • Added more IPs to block
  • IFrame generator
  • Redirector for non-vulnerable traffic
  • New JS cryptor
  • Anti-Kaspersky emulation

SLIDE 14

Problems with emulation: DOM always behind

  • document.body is undefined
  • document.title is undefined
  • document.forms is undefined
  • document.documentElement is undefined
  • document.URL is undefined
  • document.getElementsByTagName is not a function

SLIDE 15

Problems with emulation: DOM always behind

  • window.location.search
  • window.addEvent is not a function
  • window.onDomReady is not a function
  • window.parent is undefined
  • window.screen is undefined
  • window.top is undefined
  • screen is not defined
  • top is not defined
  • parent is not defined
  • self is not defined
  • location.protocol

SLIDE 16

Problems with emulation: External scripts

  • jQuery is not defined
  • urchinTracker is not defined
  • SWFObject is not defined

SLIDE 17

What about crawlers??

  • Wget
  • Curl
  • Selenium
  • Use a web proxy like Fiddler
  • Redirection Chains? Sort of.
  • Content Profiling? Not really.

SLIDE 18

You dare doubt me?? Me!!!?? =]

SLIDE 19

FireShark Introduction

  • Firefox plugin
  • Accepts commands to crawl compromised websites
  • Stores events and data sets
  • Post-data analysis correlates data
  • End result = better understanding of URL injection attacks

SLIDE 20

Send URLs to FireShark

Malicious URL Feed

SLIDE 21

FireShark Architecture (Two Modes)

  • Network Mode
    - Used in an automated manner
    - Alert/Auto-Categorize
  • Single-user mode
    - Manual Inspection
    - Injection Research

SLIDE 22

Single-User Mode Demo

SLIDE 23

Local FireShark Demo

SLIDE 24

Now Parse the Log file

  • Fireshark Log
  • What comes next is up to you… A few scripts provided, e.g.:
    - Graphmaker.pl
    - InOut.pl

SLIDE 25

Post-Run Analysis

  • Log is analyzed manually or automatically via a post-analysis correlation process

SLIDE 26

Monitoring communities

SLIDE 27

Monitoring communities

SLIDE 28

Mass Injection Attack

  • Example of an Injection attack community

SLIDE 29

The Importance of Data correlation

SLIDE 30

The Importance of Data correlation

SLIDE 31

SLIDE 32

“Web Communities”

SLIDE 33

Top 25 Global Alexa List (mid-Feb 2010)

google.com, facebook.com, youtube.com, yahoo.com, live.com, wikipedia.org, blogger.com, baidu.com, msn.com, qq.com, yahoo.co.jp, twitter.com, google.co.in, google.cn, sina.com.cn, myspace.com, google.de, wordpress.com, microsoft.com, amazon.com, taobao.com, google.co.uk, bing.com, ebay.com, google.fr

SLIDE 34

Visiting youtube.com

  • This is all the content your browser is fed when visiting youtube.com

SLIDES 35-43 (no text content)

SLIDE 44

Major Ad Networks

  • Doubleclick (Google)
  • Yield Manager (Yahoo)
  • Fastclick (ValueClick)

SLIDE 45

Top 100 Global Alexa List (mid-Feb 2010)

SLIDE 46

Top 100 Global Alexa List (mid-Feb 2010)

SLIDE 47

Victims of “Malvertisements” (2009)

  • The Drudge Report
  • Horoscope.com
  • Lyrics.com
  • slacker.com
  • Eweek.com
  • The New York Times
  • Philadelphia Inquirer
  • Expedia, Rhapsody

SLIDE 48

Horoscope.com Economy

SLIDE 49

“Malicious Web Communities”

SLIDE 50

Down the Rabbit hole

  • Analysis of three exemplary injection campaigns
  • Injection campaigns occur daily
  • A breadth-view analysis helps us gain a better understanding of the malicious webscape

SLIDE 51

Down the Rabbit hole

Injection Example #1

SLIDE 52

Injection Example #1

  • (Nov/Dec 2009)
  • 13k matches/24hrs

SLIDE 53

Injection Example #1

  • (Nov/Dec 2009)
  • 13k matches/24hrs

SLIDE 54

Injection Example #1

  • Step 1) Analyze a subset (500/13k)
  • Breadth
    - Popular campaign will emerge
    - Injections into unique websites will lead to the same hosts
  • Depth
    - Details of the attack
    - Screen shots
    - Source code, deobfuscated DOM, network traffic

SLIDE 55

Bird’s Eye View of 500 Compromised Websites

SLIDE 56

Breadth – Popularity of Request connection

SLIDE 57

Breadth – Popularity of Request connection

SLIDE 58

Breadth – Popularity of Request connection

SLIDE 59

Down the Rabbit hole

Injection Campaign #1: 93.186.127.49

SLIDE 60

“W93.186” Injection Campaign

SLIDE 61

“W93.186” Injection Campaign

SLIDE 62

“W93.186” Injection Campaign Screen Shot

SLIDE 63

Observations from 93.186.127.49 attack

Operation b49

SLIDE 64

Rascop.com…a familiar foe?

SLIDE 65

SLIDE 66

Infamous Rascop.com

rascop.com = NXD (Feb '10), Waledac fast-flux domain

SLIDE 67

Rascop.com and friends say goodbye but landing pages here to stay

  • Waledac domains were NXD in the takedown
  • Landing pages were still online though

SLIDE 68

Injection Example #2

Attack #2: ru:8080

SLIDE 69

Breadth – Popularity of Request connection

SLIDE 70

Breadth – Popularity of Request connection

  • 250/5k URLs lead to homesalesplus.ru

SLIDE 71

Polymorphic Injected Code Variation #1

SLIDE 72

Polymorphic Injected Code Variation #2

SLIDE 73

Polymorphic Injected Code Variation #3

SLIDE 74

Depth – Diff DOM/SRC

SLIDE 75

Depth – Script link in DOM

SLIDE 76

Polymorphic Injected Code Variation #3

SLIDE 77

DOM View

  • DOM ==> Mutable memory representation (final view of the DOM after JS/events)
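The depth step on the preceding slides (Diff DOM/SRC, Script link in DOM) compares the raw page source with this final DOM. As an added example, which is not code from the talk or from the Fireshark project, the following Python script lists external resource references (script, iframe, object, embed) that appear only in the rendered DOM, i.e. were written into the page by script at run time. The two HTML samples, the hosts under the reserved .invalid TLD and the function names are all constructed for this example.

```python
from html.parser import HTMLParser

# Constructed samples (not captured from any real site). The static source
# carries an obfuscated inline script; the final DOM, captured after that
# script ran, also carries the elements the script wrote into the page.
SOURCE_HTML = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>
</body></html>"""

DOM_HTML = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>
<iframe src="hxxp://landing.example.invalid:8080/index.php" width="1" height="1"></iframe>
<script src="hxxp://redirector.example.invalid/st/go.php?sid=2"></script>
</body></html>"""


class RefCollector(HTMLParser):
    """Collect (tag, url) pairs for elements that pull in external content."""

    WATCHED = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag.lower())
        if wanted is None:
            return
        for name, value in attrs:
            if name.lower() == wanted and value:
                self.refs.append((tag.lower(), value.strip()))


def external_refs(html):
    """Return the external references of a page in document order."""
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def diff_dom_src(source_html, dom_html):
    """Depth step: references present only in the rendered DOM were created by
    script at run time (document.write, createElement, ...); references present
    only in the source were removed or rewritten by script."""
    src_refs = set(external_refs(source_html))
    dom_refs = set(external_refs(dom_html))
    return {"dom_only": sorted(dom_refs - src_refs),
            "src_only": sorted(src_refs - dom_refs)}


if __name__ == "__main__":
    result = diff_dom_src(SOURCE_HTML, DOM_HTML)
    for tag, url in result["dom_only"]:
        print(f"injected at run time: <{tag}> {url}")
    for tag, url in result["src_only"]:
        print(f"present in source only: <{tag}> {url}")
```

Running the script reports the hidden iframe and the remote script as DOM-only references; the inline obfuscated script itself has no src and so does not appear, which is exactly why the source view alone (Obfuscated Chunk in Source Code) is not enough and the rendered DOM has to be captured as well.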

SLIDE 78

Log Analysis

  • Further analysis showed variations:
    1. hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/
    2. hxxp://chip-de.ggpht.com.deezer-com.viewhomesale.ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/

SLIDE 79

ru:8080 URL Injection Campaign

Similarities between infected sites:

  • Port 8080
  • Various changing .ru domains
  • Legitimate content on port 80 served by Apache
  • Malicious domains are mapped to 5 different IPs
  • Malicious IP addresses are on hosting providers Leaseweb (Netherlands) and OVH.com (France)
  • Landing domains were NXD Dec '09/Jan '10
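The similarities listed above can be turned into a simple content-profiling check for log lines. As an added example, not code from the talk or from Fireshark, this Python function scores a URL against the traits of the ru:8080 campaign: port 8080, a .ru registered domain, a long stack of brand-like subdomain labels (such as clicksor-com or mobile-de) and a path built from bare domain names. The thresholds, the score cut-off and the function names are my own assumptions; the first two sample URLs are the variations quoted on the Log Analysis slide, the third is a constructed benign URL for contrast.

```python
import re
from urllib.parse import urlsplit

# Host labels such as "clicksor-com" or "mobile-de" mimic a brand plus a TLD.
BRANDLIKE_LABEL = re.compile(r"^[a-z0-9]+-(com|net|org|de|jp|cn|ru|uk)$")
# Path segments that look like bare domain names, e.g. "ocn.ne.jp".
DOMAIN_LIKE_SEGMENT = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def profile_url(url):
    """Score one URL against the ru:8080 traits and report which ones it hits.
    The thresholds and the cut-off are assumptions made for this example."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))  # undo defanging
    host = (parts.hostname or "").lower()
    labels = host.split(".") if host else []
    segments = [s.lower() for s in parts.path.split("/") if s]
    indicators = {
        "port_8080": parts.port == 8080,
        "ru_tld": bool(labels) and labels[-1] == "ru",
        "stacked_subdomains": len(labels) >= 5,
        # look at the labels in front of the registered domain only
        "brandlike_labels": sum(1 for l in labels[:-2] if BRANDLIKE_LABEL.match(l)) >= 2,
        "domain_like_path": sum(1 for s in segments if DOMAIN_LIKE_SEGMENT.match(s)) >= 2,
    }
    score = sum(indicators.values())
    return {"url": url, "host": host, "indicators": indicators,
            "score": score, "campaign_match": score >= 4}


# The first two are the variations quoted on the Log Analysis slide; the third
# is a constructed benign URL for contrast.
SAMPLE_URLS = [
    "hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/",
    "hxxp://chip-de.ggpht.com.deezer-com.viewhomesale.ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/",
    "http://www.example.com/products/index.html",
]


def flagged_hosts(urls):
    """Hosts whose profile matches the campaign, in input order."""
    return [p["host"] for p in map(profile_url, urls) if p["campaign_match"]]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        p = profile_url(url)
        hits = [name for name, hit in p["indicators"].items() if hit]
        verdict = "MATCH" if p["campaign_match"] else "no match"
        print(f"{p['score']}/5 {verdict} {p['host']} {hits}")
```

Each indicator on its own is weak (plenty of legitimate CDNs use deep subdomains, and port 8080 is common for development servers), which is why the function reports the whole indicator set and only flags on the combination; the registered domain and IP change daily in this campaign, so a profile like this outlives any single blacklist entry.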

SLIDE 80

The Never-ending story

  • Where one ends, another begins

SLIDE 81

Observations from ru:8080 Injection attack

  • Compromised websites can be, and are, updated automatically
  • Compromised websites are injected with multiple redirectors
  • Sharing of stolen FTP credentials, e.g. many infected sites also led to Gumblar-infected domains, indicating that attackers perhaps had shared stolen FTP credentials

SLIDE 82

Injection Example #3

  • Mass Injection #3
  • ~5700 infected pages
  • ~5300 unique hosts

SLIDE 83

Breadth – Popularity of Response connection

SLIDE 84

Breadth – Popularity of Response connection

  • sportgun.pl.ua sends a response back to 50+ hosts

SLIDE 85

SLIDE 86

Connection Request/No Response

Src: hxxp://sportgun.pl.ua/st/go.php?sid=2&
Dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php

SLIDE 87

Round #2 Connection Request/Response

  • Success!

SLIDE 88

Fetches Exploits

  • Fetches PDF and Java exploits
  • connection:
      type: response
      src: hxxp://uplevelgmno.vn.ua/111/sv777/pdf.php
      dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
      status: 200
  • connection:
      type: response
      src: hxxp://uplevelgmno.vn.ua/111/sv777/dev.s.AdgredY.class
      dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
      status: 200
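Records like the two above, together with the breadth counts on the "Popularity of Request connection" slides, are what the post-run scripts work from. As an added example, which is neither the talk's Perl scripts nor any Fireshark code, here is a Python sketch of that post-run correlation over a constructed log in the same record layout: it parses connection records, counts how many distinct compromised hosts request each destination host (breadth), walks every request path from one compromised page to the resources finally fetched (redirection chaining) and lists requested URLs that never got a response (the Connection Request/No Response case). Assumptions: a request record points src to dst, a response record carries the fetched resource in src and the page that requested it in dst, as on this slide; every host (all under the reserved .invalid TLD) and every function name is made up for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log in this slide's record layout (connection / type / src / dst / status).
SAMPLE_LOG = """\
connection:
  type: request
  src: hxxp://site-a.example.invalid/index.html
  dst: hxxp://redir.example.invalid/st/go.php?sid=2
connection:
  type: response
  src: hxxp://redir.example.invalid/st/go.php?sid=2
  dst: hxxp://site-a.example.invalid/index.html
  status: 200
connection:
  type: request
  src: hxxp://site-c.example.invalid/
  dst: hxxp://redir.example.invalid/st/go.php?sid=2
connection:
  type: request
  src: hxxp://site-c.example.invalid/
  dst: hxxp://old-redir.example.invalid/in.php
connection:
  type: request
  src: hxxp://redir.example.invalid/st/go.php?sid=2
  dst: hxxp://landing.example.invalid/111/index.php
connection:
  type: response
  src: hxxp://landing.example.invalid/111/index.php
  dst: hxxp://redir.example.invalid/st/go.php?sid=2
  status: 200
connection:
  type: response
  src: hxxp://landing.example.invalid/111/pdf.php
  dst: hxxp://landing.example.invalid/111/index.php
  status: 200
connection:
  type: response
  src: hxxp://landing.example.invalid/111/dev.class
  dst: hxxp://landing.example.invalid/111/index.php
  status: 200
"""


def parse_log(text):
    """One dict per 'connection:' record."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "connection:":
            cur = {}
            records.append(cur)
        elif cur is not None and ":" in line:
            key, value = line.split(":", 1)
            cur[key.strip()] = value.strip()
    return records


def host_of(url):
    return urlsplit(url.replace("hxxp://", "http://", 1)).hostname or ""


def edges(records):
    """(requester, requested) pairs. Assumption: request records point src -> dst,
    response records carry the fetched resource in src and the requesting page in dst."""
    for r in records:
        if r.get("type") == "request":
            yield r["src"], r["dst"]
        elif r.get("type") == "response":
            yield r["dst"], r["src"]


def request_popularity(records):
    """Breadth: distinct requester hosts per requested host; same-host fetches
    are resources rather than redirections and are skipped."""
    sources = defaultdict(set)
    for requester, requested in edges(records):
        if host_of(requester) != host_of(requested):
            sources[host_of(requested)].add(host_of(requester))
    return sorted(((h, len(s)) for h, s in sources.items()), key=lambda x: (-x[1], x[0]))


def redirection_chains(records, start_url):
    """Depth: every request path from one compromised page to its terminal fetches."""
    graph = defaultdict(set)
    for requester, requested in edges(records):
        graph[requester].add(requested)
    chains = []

    def walk(node, path):
        nxt = sorted(n for n in graph[node] if n not in path)  # no cycles
        if not nxt:
            chains.append(path)
        for n in nxt:
            walk(n, path + [n])

    walk(start_url, [start_url])
    return chains


def unanswered_requests(records):
    """Requested URLs that never show up as a response (the 'No Response' case)."""
    answered = {r["src"] for r in records if r.get("type") == "response"}
    return sorted({r["dst"] for r in records if r.get("type") == "request"} - answered)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("breadth:", request_popularity(recs))
    for chain in redirection_chains(recs, "hxxp://site-a.example.invalid/index.html"):
        print(" -> ".join(chain))
    print("never answered:", unanswered_requests(recs))
```

On the sample, the redirector host is the one reached from the most compromised sites, which is the "popular campaign will emerge" effect from the breadth step; the chains from site-a end at the PDF and the Java class fetched by the landing page, mirroring the two records above; and the dead redirector that never answered surfaces on its own, which is the kind of stale injection the "Never-ending story" slide describes.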

SLIDE 89

PDF VirusTotal Results

SLIDE 90

Eleonore Exploits Pack

hxxp://uplevelgmno.vn.ua/111/sv777/stat.php

SLIDE 91

Obfuscated Chunk in Source Code

  • howtofindmyip.com obfuscation

SLIDE 92

Deobfuscated DOM

  • howtofindmyip.com deobfuscated

SLIDE 93

Exploit Kit

  • uplevelgmno.vn.ua

SLIDE 94

Observations from Injection attack #3

  • The bad guys are tracking/hiding; redundant redirectors are common
  • Exploits that are being used are current, e.g. all platforms/browsers are targeted
  • Exploit kits are easily attainable, setup is quick
  • Many kits serve users polymorphic exploits/malware, thus traditional AV signatures are always behind

SLIDE 95

Fireshark vs Phoenix (works!)

SLIDE 96

Conclusion

SLIDE 97

Conclusions/Take-away

  • Compromised websites:
    - Increase of 225% over the last 12 months
    - Frequently updated to contain fresh links
    - iframe/script tags & direct malicious code injection
    - Exploits target various OS/applications
  • Use Fireshark for:
    - Mass Injection Analysis
    - Redirection Chaining
    - Content Profiling

SLIDE 98

Download Fireshark – fireshark.org

SLIDE 99

Questions?

Contact: Stephan Chenette, schenette@websense.com

Additional thanks to:

  • Websense Security Labs team
  • Wladimir Palant (AdBlockPlus FireFox Plugin)
