Introduction to Malicious Web Sites - Kötücül Web Sitelerine Bir İlk Bakış - PowerPoint PPT Presentation



SLIDE 1

OWASP Turkey - Uygulama Güvenliği Günü

Introduction to Malicious Web Sites

Kötücül Web Sitelerine Bir İlk Bakış

Ali Ikinci – Siber Güvenlik Derneği ali@ikinci.info 9 June 2012

Turkey

SLIDE 2

9 June 2012 Uygulama Güvenliği Günü Ali Ikinci 2

About Me

  • Working on Malicious Web Sites since 2006
  • Developed a Client Honeypot called Monkey-Spider in 2007 [9]
  • Member of the Siber Güvenlik Derneği [10]
  • Chapter Lead of the Turkish Chapter of the Honeynet Project [11]
  • Chief Security Analyst at ContentKeeper Technologies [12]

SLIDE 3

Agenda

  • Introduction
  • Attack Vectors
  • Code Obfuscation
  • Sample Attack
  • Payload
  • Detecting Malicious Web Sites
  • Mitigation Techniques

SLIDE 4

Malicious Web Sites ...

  • Are Web sites which could be a threat to the security of the client computers requesting them
  • Even a visit to such a site without any other interaction could be a threat (so-called drive-by downloads)
  • Such Web sites can ...
    – host all sorts of malware and malicious code
    – exploit browser vulnerabilities
    – exploit vulnerabilities of other client software
    – install backdoors, spyware or keyloggers
    – steal confidential information

SLIDE 5

Current Situation

  • Attacks on client systems have become very popular in recent years
  • Web Browsers are the most widespread use case of client software
  • Browsers and Browser plugins are the most wanted targets in vulnerability assessment
  • Firewalls and IDS systems are widely deployed, and the client has become the shortest path to hack into a network
  • Botnets are on the rise and a valuable tool of trade

SLIDE 6

Attack Vectors

  • Anything a client computer requests from a server and in one way or another executes or interprets on the client computer could become an attack vector
  • Web Browser
  • Web Browser Plugins
    – Flash, PDF, Media Plugins, ActiveX, JRE ...
  • Media Players/Viewers
  • PDF Readers
  • Java VMs ...

SLIDE 7

Attack Vectors: Code/Markup

  • JavaScript
  • Flash, embedded ActionScript
  • PDF, embedded JavaScript
  • HTML
  • ActiveX
  • Java
  • VBS ...

SLIDE 8

Attack Vectors: Example Programs/Libraries

  • (X)HTML parsers like libxml, libxslt
  • JavaScript Interpreters like V8, SpiderMonkey
  • PDF Reader Exploits like Acrobat Reader, Foxit Reader
  • Java Runtime Environment Exploits like Oracle JRE, IBM JRE ...

SLIDE 9

Starting Points for a Malicious Web Site Attack

  • Specifically set up “Trojan” Web Site looking benign but hosting Exploits, e.g. fake online AV sites
  • Compromised benign Web Sites/Servers
  • Malvertisements on benign Web Sites
  • Spam Emails pointing to/loading Malicious Web Sites
  • Malicious PDF Files sent via Email Spam
  • Spam in Social Networks/Forums etc.
  • Social Engineering on Social Networks, e.g. fake campaigns, fake news ...

SLIDE 10

Starting Point Example: Twitter Spam[8]

  • Compromised Twitter accounts abused for propagation of Malicious Web Sites (April 2012)

SLIDE 11

Starting Point Example: Malvertisments

  • Advertisements that conceal malicious content
  • Distributed through benign Ad Networks
  • Often utilized in situations where the attacker cannot obtain access to high value, highly trafficked web sites, relying on social engineering techniques to trick major ad networks into serving their malicious content [4]
  • More than 3 million malvertising impressions served per day [4]
  • After three months of web browsing, the probability that an average Internet user will hit an infected page is approximately 95% [4]

SLIDE 12

Attack Hiding Technique: Code Obfuscation

  • Code Obfuscation intends to keep the malware analyst from revealing the attack by making the code unreadable to the human eye
  • A simple JavaScript example [1] hiding code encoded as hexadecimal escape values:

var d=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');

Converted back into ASCII this reads:

var d=document['createElement']('input');
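The following decoder is an added example for the escape-based obfuscation shown above; it is not code from the slides or from Kahu Security. It reverses the \xNN and \uNNNN string escapes so the analyst can read the hidden identifiers, and it computes a simple static triage score: the share of characters hidden behind escapes, which is near zero for ordinary code. The sample input is the slide's own snippet, embedded as a constructed string.

```javascript
// Added example (not from the slides): decode JavaScript \xNN / \uNNNN
// string escapes used to hide identifiers such as 'createElement'.

// Constructed input: the slide's sample, with the escapes kept literal.
const OBFUSCATED_SAMPLE =
  "var d=document['\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74']('\\x69\\x6e\\x70\\x75\\x74');";

const ESCAPE_RE = /\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g;

// Replace every hex (\xNN) or unicode (\uNNNN) escape with the character it
// encodes, revealing the plain text to the analyst.
function decodeEscapes(src) {
  return src.replace(ESCAPE_RE, (match, hex2, hex4) =>
    String.fromCharCode(parseInt(hex2 || hex4, 16)));
}

// Some samples nest the trick (escapes that decode to further escapes);
// keep decoding until the text stops changing, bounded against bad input.
function decodeNested(src, maxRounds = 10) {
  let text = src;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEscapes(text);
    if (next === text) break;
    text = next;
  }
  return text;
}

// Fraction of the script's characters that are hidden behind escapes.
// Hand-written code scores near 0; the slide's sample scores above 0.4.
function escapeRatio(src) {
  const escapes = (src.match(ESCAPE_RE) || []).length;
  const visible = src.replace(ESCAPE_RE, "").length;
  const total = escapes + visible;
  return total === 0 ? 0 : escapes / total;
}

console.log(decodeNested(OBFUSCATED_SAMPLE));
// → var d=document['createElement']('input');
console.log("escape ratio:", escapeRatio(OBFUSCATED_SAMPLE).toFixed(2));
```

Run it with `node` on a saved copy of a suspicious script (read the file into `src` and call `decodeNested(src)`); the decoder only rewrites string escapes and never evaluates the script, so it is safe to apply to live samples.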

SLIDE 13

Code Obfuscation[1] - Starting Point Example: Spam

A markup-generating, obfuscated JavaScript sample from a real-world spam mail trying to lure the user onto a Malicious Web Site. It results in a redirect to the Malicious Web Site hosting the Exploit.

SLIDE 14

Browser Attack Example: Heap Spray Attack[3]

  • does not actually exploit any security issue but can be used to make a security issue easier to exploit
  • by itself cannot be used to break any security boundary: a separate exploit is needed
  • can be used to introduce a large amount of order to compensate for the difficulty of predicting memory layout and increase the chances of successful exploitation
  • takes advantage of the fact that often the start location of large heap allocations is predictable and consecutive allocations are roughly sequential

SLIDE 15

Example: Heap Spray Attack [2]

SLIDE 16

Example: Heap Spray Attack [2]

SLIDE 17

Example: Heap Spray Attack [2]

SLIDE 18

Example: Heap Spray Attack [2]

  • An attack can consist of multiple Exploits if one is not enough to gain the needed system properties before executing the final shellcode and continuing the malicious deed
  • After the predictable location has been reached, the exploit is triggered to set EIP (the Instruction Pointer) into the sprayed area, to hopefully trigger the shellcode or the next Exploit in the chain before the shellcode
  • The Shellcode is then used to continue the attack, often by downloading and installing backdoors and keyloggers, and often by adding the machine to the attacker's botnet as a bot/zombie

SLIDE 19

Shellcode

  • is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode [5] [6]

SLIDE 20

Sample Real World Attack

  • on cdi.org from May 2012 [7]

SLIDE 21

Tools Categories to Detect Malicious Web Sites

  • High-Interaction Honeyclients: Real Client Computers requesting Malicious Web Sites to learn the behavior/tools/techniques of the attacker
  • Low-Interaction Honeyclients: Emulated Web Browsers requesting and pseudo-executing sites to gain information about attacks
  • Deobfuscation Tools for static or dynamic analysis
  • GUI Tools to ease the work of Malware Analysts by supporting deobfuscation with various techniques in a safe execution environment

SLIDE 22

Online Tools and Reputation Services to detect Malicious Web Sites

  • Wepawet http://wepawet.iseclab.org/
  • Anubis http://anubis.iseclab.org/
  • Google Safe Browsing diagnostic Page http://www.google.com/safebrowsing/diagnostic?site=google.com
  • McAfee SiteAdvisor http://www.siteadvisor.com/
  • Norton Safe Web http://safeweb.norton.com/
  • Web of Trust http://www.mywot.com/

SLIDE 23

General Defense: Blacklists and IDS Signatures

  • Many free and commercial Services offer ready-to-use lists/signatures, either to avoid visiting malicious websites by blacklisting them or to avoid triggering exploits by detecting their signature or IP address in an IDS. Applying these in Firewalls and Gateways can add significant security measures to fight Malicious Web Sites.
  • Two important free examples are:
    – Blacklisting malicious websites: http://www.malwaredomains.com/
    – Providing various IDS Signatures: http://www.emergingthreats.com
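As an added example of how a gateway applies a domain blacklist of the kind described above (this is not code from the slides, from malwaredomains.com or from Emerging Threats, and the list entries are constructed `.invalid` names, not real indicators): the check must match subdomains of a listed domain, normalise case, trailing dots and ports, and must not be fooled by a lookalike host that merely starts with a listed name. A request whose URL does not even parse is blocked rather than passed through unchecked.

```javascript
// Added example (not from the slides): match a requested URL's host against
// a domain blacklist the way a web gateway or proxy filter would.
// Constructed sample list; the .invalid TLD is reserved and never resolves.
const BLACKLIST = new Set([
  "malicious-sample.invalid",    // constructed entry
  "exploit-kit-sample.invalid",  // constructed entry
]);

// Normalise a hostname: lower-case, strip a trailing dot, drop a port suffix.
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "").replace(/:\d+$/, "");
}

// Return the blacklisted domain that covers this host, or null.
// "cdn.malicious-sample.invalid" is covered by "malicious-sample.invalid";
// "malicious-sample.invalid.evil.example" is not (different registered domain).
function matchBlacklist(host, list = BLACKLIST) {
  const labels = normaliseHost(host).split(".");
  // Walk from the full host up to its parent domains, never testing a bare TLD.
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (list.has(candidate)) return candidate;
  }
  return null;
}

// Decide whether a request should be blocked. An unparseable URL is blocked
// too, so a malformed request cannot slip past the filter.
function shouldBlock(url, list = BLACKLIST) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (err) {
    return true;
  }
  return matchBlacklist(host, list) !== null;
}

// Apply the filter to a batch of requests and return one decision per URL.
function filterRequests(urls, list = BLACKLIST) {
  return urls.map((url) => ({ url, blocked: shouldBlock(url, list) }));
}

// Constructed sample traffic for a quick demonstration.
const SAMPLE_REQUESTS = [
  "https://www.example.org/",
  "http://CDN.Malicious-Sample.invalid./ad.js",
  "http://exploit-kit-sample.invalid:8080/landing?x=1",
  "http://malicious-sample.invalid.evil.example/",
];
for (const decision of filterRequests(SAMPLE_REQUESTS)) {
  console.log(decision.blocked ? "BLOCK" : "ALLOW", decision.url);
}
```

In production the `Set` would be rebuilt from the downloaded list on a schedule, and the lookalike case shows why the walk must compare whole parent domains rather than use a substring test.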

SLIDE 24

Server Side Defense

  • Updates: Immediate updates to server software are the base protection against any kind of exploitation attack
  • Remote Service Hardening: Any unnecessary remote service should be disabled, or its configuration hardened to be secure against exploits or brute force attacks
  • Application Level Firewalls
  • Secure Passwords
  • Web Site Admins should check their site regularly for any unauthorized modifications

SLIDE 25

ISP/Network Level Defense

  • Various proprietary vendors provide in-line scanning of network traffic and can block such attacks from triggering or malware from being transferred to victim systems
  • Secure Web Gateways often have various means of detecting malicious attacks and can also keep the local network safe or raise alarms if an infection might have gone unnoticed

SLIDE 26

Client Side Defense

  • Updates: Always having the latest patch level of client software avoids being exploited by non zero-day exploits. Software Management systems like NAC, or Secunia PSI [13] for personal use, help to administer and ensure this
  • HIDS and Personal Firewalls can also utilize Blacklists and sites like ET to raise the security boundary
  • Many AV engines in combination with so-called “Internet Security Suites” provide a certain level of heuristics-based exploit detection and can even keep zero-day exploits from being triggered in certain scenarios
  • AV engines can also stop the execution of a malicious payload after the exploit has been triggered unnoticed, and can then stop the malware before it can do any harm to the client system

SLIDE 27

References

[1] Kahu Security http://www.kahusecurity.com/
[2] Peter Van Eeckhoutte https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
[3] Wikipedia http://en.wikipedia.org/wiki/Heap_spraying
[4] Dancho Danchev http://www.zdnet.com/blog/security/report-3-million-malvertising-impressions-served-per-day/8319
[5] Wikipedia http://en.wikipedia.org/wiki/Shellcode
[6] Phrack Issue 49 by Aleph One http://www.phrack.org/issues.html?issue=49&id=14#article
[7] Steven Adair and Ned Moran http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/
[8] Nicolas Brulez http://www.securelist.com/en/blog/208193477/New_Spam_campaign_on_Twitter_Leads_to_Rogue_AV
[9] The Monkey-Spider Project http://monkeyspider.sf.net

SLIDE 28

References

[10] Siber Güvenlik Derneği http://www.siberguvenlik.org.tr/
[11] Honeynet Project – Turkish Chapter http://www.honeynettr.org
[12] ContentKeeper Technologies http://www.contentkeeper.com
[13] Secunia Personal Software Inspector http://secunia.com/products/consumer/psi

SLIDE 29

Questions?

Thank you for your attention! This talk was made possible with kind support from http://contentkeeper.com

SLIDE 30

Exploit Kits

  • Ready-to-run, large-scale automated Exploitation kits
  • Sold in rogue underground Forums
  • One kit often has a bunch of exploits ready to execute on varying client machines
  • Exploited machines are added to the interface for the ease of “management”
  • Widespread approach to running Malicious Web Site infrastructure

SLIDE 31

Exploit Kits Most Wanted [1]