introduction to malicious web sites
play

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak - PowerPoint PPT Presentation

Mar 17, 2023 •183 likes •505 views

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

  1. OWASP T urkey - Uygulama Güvenliği Günü Introduction to Malicious Web Sites Kötücül Web Sitelerine Bir İlk Bakış Ali Ikinci – Siber Güvenlik Derneği ali@ikinci.info 9 June 2012 Turkey

  2. About Me ● Working on Malicious Web Sites since 2006 ● Developed a Client Honeypot called Monkey-Spider in 2007 [9] ● Member of the Siber Güvenlik Derneği [10] ● Chapter Lead of the T urkish Chapter of the Honeynet Project [11] ● Chief Security Analyst at ContentKeeper T echnologies [12] 9 June 2012 Uygulama Güvenliği Günü 2 Ali Ikinci

  3. Agenda ● Introduction ● Attack Vectors ● Code Obfuscation ● Sample Attack ● Payload ● Detecting Malicious Web Sites ● Mitigation T echniques 9 June 2012 Uygulama Güvenliği Günü 3 Ali Ikinci

  4. Malicious Web Sites ... Are Web sites which could be a threat to the security of the ● client computers requesting them Even a visit without any other interaction of such could be a ● threat (so called drive-by downloads) Such Web sites can ... ● – host all sorts of malware and malicious code – exploit browser vulnerabilities – exploit vulnerabilities of other client software – install backdoors, spyware or keyloggers – steal confidential information 9 June 2012 Uygulama Güvenliği Günü 4 Ali Ikinci

  5. Current Situation ● Attacks on client systems have become very popular in recent years ● Web Browsers are the most wide spread use case of client software ● Browsers and Browser plugins are the most wanted targets in vulnerability assessment ● Firewalls and IDS systems are widely deployed and the client has become the shortest path to hack into a network ● Botnets are on the rise and a valuable tool of trade 9 June 2012 Uygulama Güvenliği Günü 5 Ali Ikinci

  6. Attack Vectors ● Anything a client computer requests from a server and in one way or another executes or interpreters on the client computer could become an attack vector ● Web Browser ● Web Browser Plugins – Flash, PDF, Media Plugins, ActiveX, JRE ... ● Media Players/Viewers ● PDF Readers ● Java VMs ... 9 June 2012 Uygulama Güvenliği Günü 6 Ali Ikinci

  7. Attack Vectors Code/Markup ● JavaScript ● Flash, embedded ActionScript ● PDF, embedded JavaScript ● HTML ● ActiveX ● Java ● VBS ... 9 June 2012 Uygulama Güvenliği Günü 7 Ali Ikinci

  8. Attack Vectors Example Programs/Libraries ● (X)HTML parsers like libxml, libxslt ● JavaScript Interpreters like V8, SpiderMonkey ● PDF Reader Exploits like Acrobat Reader, Foxit Reader ● Java Runtime Environment Exploits like Oracle JRE, IBM JRE ... 9 June 2012 Uygulama Güvenliği Günü 8 Ali Ikinci

  9. Starting Points for a Malicious Web Site Attack ● Specifically set up “Trojan” Web Site looking benign but hosting Exploits. F .e. fake online AV sites ● Compromised benign Web Sites/Servers ● Malvertisments on benign Web Sites ● Spam Emails pointing to/loading Malicious Web Sites ● Malicious PDF Files sent via Email Spam ● Spam in Social Networks/Forums etc. ● Social Engineering on Social Networks f.e. Fake campaings, Fake news ... 9 June 2012 Uygulama Güvenliği Günü 9 Ali Ikinci

  10. Starting Point Example: Twitter Spam [8] ● Compromised T witter accounts abused for propagation of Malicious Web Sites (April 2012) 9 June 2012 Uygulama Güvenliği Günü 10 Ali Ikinci

  11. Starting Point Example: Malvertisments Advertisement that conceal malicious content ● Distributed through benign Ad Networks ● Often utilized in situations where attacker cannot obtain ● access to high value, high trafficked web sites. Relying on social engineering techniques to trick major ad networks into serving their malicious content [4] More than 3 million malvertising impressions served per ● day [4] After three months of web browsing, the probability that an ● average Internet user will hit an infected page is approximately 95% [4] 9 June 2012 Uygulama Güvenliği Günü 11 Ali Ikinci

  12. Attack Hiding Technique: Code Obfuscation ● Code Obfuscation intends to fool the malware analyst in revealing the attack via making the code unreadable to the human eye ● A simple JavaScript example [1] to hide code encoded in Hexadecimal values: var d=document['\x63\x72\x65\x61\x74\x65\x45\x6c ′ \x65\x6d\x65\x6e\x74'](‘\x69\x6e\x70\x75\x74 ); Results converted into ASCII to: var d=document['createElement'](‘input’); 9 June 2012 Uygulama Güvenliği Günü 12 Ali Ikinci

  13. Code Obfuscation [1] - Starting Point Example: Spam A markup generating obfuscated JavaScript sample from a real world spam Mail trying to fool the user to a Malicious Web Site Results in a redirect to the Malicious Web Site with the Exploit: 9 June 2012 Uygulama Güvenliği Günü 13 Ali Ikinci

  14. Browser Attack Example: Heap Spray Attack [3] ● does not actually exploit any security issues but it can be used to make a security issue easier to exploit. ● by itself cannot be used to break any security boundaries: a separate exploit is needed ● can be used to introduce a large amount of order to compensate for the difficulty of prediction of memory space and increase the chances of successful exploitation. ● take advantage of the fact that often the start location of large heap allocations is predictable and consecutive allocations are roughly sequential. 9 June 2012 Uygulama Güvenliği Günü 14 Ali Ikinci

  15. Example: Heap Spray Attack [2] 9 June 2012 Uygulama Güvenliği Günü 15 Ali Ikinci

  16. Example: Heap Spray Attack [2] 9 June 2012 Uygulama Güvenliği Günü 16 Ali Ikinci

  17. Example: Heap Spray Attack [2] 9 June 2012 Uygulama Güvenliği Günü 17 Ali Ikinci

  18. Example: Heap Spray Attack [2] ● An attack can consist of multiple Exploits if one is not enough to gain the needed system properties before executing the final shellcode and continuing the malicious deed ● After predictable location has been reached the exploit is triggered to set the EIP (Instruction Pointer) in the sprayed area to hopefully trigger the shellcode or the next Exploit in the chain before the shellcode ● Shellcode than is used to continue the attack often through downloading and installing backdoors, keyloggers and often add it to the attackers botnet as a bot/zombie 9 June 2012 Uygulama Güvenliği Günü 18 Ali Ikinci

  19. Shellcode ● is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode [5] [6] 9 June 2012 Uygulama Güvenliği Günü 19 Ali Ikinci

  20. Sample Real World Attack on cdi.org from May 2012 [7] 9 June 2012 Uygulama Güvenliği Günü 20 Ali Ikinci

  21. Tools Categories to Detect Malicious Web Sites ● High-Interaction Honeyclients: Real Client Computers requesting Malicious Web Sites to learn the behavior/tools/techniques of the attacker ● Low-Interaction Honeyclients: Emulated Web Browsers requesting and sudo executing sites to gain information about attacks. ● Deobfuscation T ools for static or dynamic analysis GUI T ools to ease work of Malware Analysts in supporting deobfuscation with various techniques in a safe execution environment. 9 June 2012 Uygulama Güvenliği Günü 21 Ali Ikinci

  22. Online Tools and Reputation Services to detect Malicious Web Sites ● Wepawet http://wepawet.iseclab.org/ ● Anubis http://anubis.iseclab.org/ ● Google Safe Browsing diagnostic Page http://www.google.com/safebrowsing/diagnostic?site=google.com ● McAfee SiteAdvisor http://www.siteadvisor.com/ ● Norton Safe Web http://safeweb.norton.com/ ● Web of Trust http://www.mywot.com/ 9 June 2012 Uygulama Güvenliği Günü 22 Ali Ikinci

  23. General Defense: Blacklists and IDS Signatures ● Many free and commercial Services to offer ready to use lists/signatures to avoid visiting malicious websites by blacklisting them or avoid triggering exploits by detecting their signatures or ip address in IDS signature. Applying these in Firewalls and Gateways can add significant security measures to fight Malicious Web Sites. ● T wo import free examples are: – Blacklisting malicious websites http://www.malwaredomains.com/ – Providing various IDS Signature http://www.emergingthreats.com 9 June 2012 Uygulama Güvenliği Günü 23 Ali Ikinci

  24. Server Side Defense ● Updates: Immediate updates to server software is the base protection to any kind exploitation attack ● Remote Service Hardening: Any unnecessary remote service should be disabled or the configuration hardened to be secure against exploits or brute for attacks. ● Application Level Firewalls ● Secure Passwords ● Web Site Admins should check their site regular for any unauthorized modifications 9 June 2012 Uygulama Güvenliği Günü 24 Ali Ikinci

  25. ISP/Network Level Defense ● Various proprietary vendors provide in- line scanning of network traffic and can block such attacks from triggering or malware from being transfered to victim systems ● Secure Web Gateways often have various means of detecting malicious attacks and also can keep the local network safe or raise alarms if an infection might have gone unnoticed. 9 June 2012 Uygulama Güvenliği Günü 25 Ali Ikinci

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali Ikinci ali[at]ikinci.info 9. July 2007 Head of Department: Prof. Dr. Felix Freiling Supervisor: Dipl.-Inform. Thorsten Holz Laboratory for Dependable

665 views • 32 slides
Blacklisting Malicious Web Sites using a Secure Version of the DHT Protocol Kademlia Philipp C.

Blacklisting Malicious Web Sites using a Secure Version of the DHT Protocol Kademlia Philipp C.

Blacklisting Malicious Web Sites using a Secure Version of the DHT Protocol Kademlia Philipp C. Heckel, University of Mannheim, 5/26/09 1 Road Map 1. General Idea 2. Application Design 3. Implementation 4. Testing Philipp C. Heckel,

551 views • 29 slides
A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

Stephan Chenette Principal Security Researcher Websense Labs FIRESHARK A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web Communities Malicious Web Communities Mass Injection Analysis Redirection

1.49k views • 99 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas

Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas

Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas Chris>n Carnegie Mellon University Carnegie Mellon University ECE / Cylab ECE / Cylab

491 views • 28 slides
Herbicides (Atrazine and 2,4-D) 25 sites in May Pathogens 113 sites in mid-July 88 sites in

Herbicides (Atrazine and 2,4-D) 25 sites in May Pathogens 113 sites in mid-July 88 sites in

Herbicides (Atrazine and 2,4-D) 25 sites in May Pathogens 113 sites in mid-July 88 sites in mid-August Chemicals and Nutrients 53 sites in September Metals 15 sites in September Total # of KRWW Sites Sampled by Year 300 248 250 231 207

723 views • 44 slides
1 Virus Pseudocode Virus A Trojan Horse? Some say YES: Purpose of infected program is overt

1 Virus Pseudocode Virus A Trojan Horse? Some say YES: Purpose of infected program is overt

Introduction Malicious Logic: a set of instructions that cause violation of security policy Malicious Logic Idea taken from Troy: to breach an impenetrable perimeter, have someone from the inside unknowingly bring you inside Example:

481 views • 19 slides
Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke Chair for System Security 1 Introduction 2 Malicious Code in SDN 3 Access Control in SDN 4 Conclusions Software-Defined Networks|Horst Grtz

418 views • 19 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
Malicious Logic Trojan Horses Viruses Worms Fall 2010 CS 334: Computer Security Slide #1

Malicious Logic Trojan Horses Viruses Worms Fall 2010 CS 334: Computer Security Slide #1

Malicious Logic Trojan Horses Viruses Worms Fall 2010 CS 334: Computer Security Slide #1 Introduction Malicious Logic: a set of instructions that cause violation of security policy Idea taken from Troy: to breach an impenetrable

1.3k views • 109 slides
Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for

Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for

Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for Networks and Trap doors System Software Logic bombs May 12, 2002 Worms Examples Lecture 11 Lecture 11 Page 1 Page 2 CS 239,

234 views • 12 slides
Detecting Fileless Malicious Behaviour of .NET C2 Agents using ETW Supervisors: Course:

Detecting Fileless Malicious Behaviour of .NET C2 Agents using ETW Supervisors: Course:

Detecting Fileless Malicious Behaviour of .NET C2 Agents using ETW Supervisors: Course: Authors: Leandro Velasco Research Project 1 Alexander Bode Joao de Novais Marques Niels Warnars Introduction Event Tracing for Windows Enables

781 views • 40 slides
CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING Tuesday 9 th April, 2019 Stanislav paek Martin

CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING Tuesday 9 th April, 2019 Stanislav paek Martin

CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING Tuesday 9 th April, 2019 Stanislav paek Martin Latovika, Martin Hork and Tom Plesnk Introduction Malicious Domains Attackers may register their own domains May host phishing

427 views • 19 slides
Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

566 views • 27 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views • 62 slides
NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana

NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana

NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana Medkov Martin Husk, Martin Draar Introduction optimal strategy to defend network infrastructure no standard for benchmarking Network Defence

574 views • 18 slides
What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017 Management Summary Research Approach: Overview of the main research topics in the fields of cyber risk and

579 views • 12 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

PhishEye: Xiao Han Nizar Kheir Live Monitoring Davide Balzarotti of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results [APWG Phishing Activity Trends Report 2 nd Quarter 2016] All time high record

921 views • 59 slides
Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani Name Here About Serianu Limited Serianu is a Pan Africa based Cyber Security and business consulting firm. We are an award winning company in the

759 views • 46 slides
Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut The role of the honeypot The limitations Low-interaction honeypots: "Artificial" attack surface

846 views • 13 slides
Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik Kinkel Jon Osborne Korbin Stich http://may1601.sd.ece.iastate.edu Client : Alliant Energy Advisor : Dr. Doug Jacobson April 28, 2016 May1601 ICS

384 views • 15 slides
NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2. SBIR 3. Cuckoo Sandbox 4. Project 5. Architecture 6. Offline demo 7. Roadmap Introduction Pieter Jansen - CEO @ Cybersprint -

859 views • 42 slides

More recommend