SlideShare ist ein Scribd-Unternehmen logo

Toorcon Seattle 2011 - Browser Exploit Packs

Aditya K Sood
Aditya K Sood
Technologie
1 von 20
Browser Exploit Packs Exploitation Tactics ToorCon Security Conference SEATTLE , 2011 Aditya K Sood | Richard J Enbody SecNiche Security | Department of Computer Science and Engineering Michigan State University
About Us  Aditya K Sood ─ Founder , SecNiche Security ● Independent Security Consultant, Researcher and Practitioner ● Worked previously for Armorize, Coseinc and KPMG ● Active Speaker at Security conferences ● Written Content – ISSA/ISACA/CrossTalk/HITB/Hakin9/Elsevier NES|CFS ● LinkedIn : http://www.linkedin.com/in/adityaks ● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com ─ PhD Candidate at Michigan State University  Dr. Richard J Enbody ─ Associate Professor, CSE, Michigan State University ● Since 1987, teaching computer architecture/ computer security / mathematics ● Website: http://www.cse.msu.edu/~enbody ─ Co-Author CS1 Python book, The Practice of Computing using Python. ─ Patents Pending – Hardware Buffer Overflow Protection 2
Agenda  BEP Generic Framework ─ BEP Insidious Details  BEP Trades and Tactics ● Plugin Detection and Verification ● String Obfuscation, Replacement and Manipulation ● User Agent Based Fingerprinting ● IP Logging Detection Trick ● Drive By Downloads ● Drive By Cache ● BEP’s and Botnets Collaboration  Future Work and Discussion 3
BEP Generic Framework  BEP Framework ─ Detecting Patterns ● Fingerprinting the victim environment ● Applying inherent techniques supporting exploitation ● Robust approach to set the ground before serving exploits ─ Supporting Objects ● JavaScript event handlers ● Document Object Model (DOM) objects ● Dynamic content generation ● Requests across domains ─ Exploit Trigger ● Serving exploits efficiently ● Dropping malicious executable or bot in the victim machine 4
BEP Configuration Check  BEP Framework ─ Configuration (Admin Panel + Execution Environment) ● Payload determines the malicious executable to be dropped – BEP’s are a supporting agent for botnets. Ofcourse, bots are dropped. ● Apart from normal settings, exploit distribution environment is set. 5
PHP Ion Cube Encoder  PHP Ion Cube Encoder ─ Why ? ● Most of the BEPs are designed in PHP. ● Encodes all the exploits in a robust manner (efficient code protection) – All PHP files in BEP’s are encoded except configuration file – No restoration of compiled files back to source level. » Protection is applied at compilation time – Encoded files have digital signatures. – MAC protection enabled. Encoding Layer {n} ● Exploit detection becomes hard Encoding Layer { … } Encoding Layer {2} Encoding Layer {1} Optimized compiled Byte codes 6
Max Mind Geo Location Library  Tracking and Tracing ─ Open source library for statistical analysis ● Most of BEP’s and botnets explicit use this library ● However, it is not a hard restriction to use this library – Malware writers can also use custom designed tracking code – An inadvertent part of any BEP 7
Trade and Tactics 8
Plugin Detection and Verification  Plugin Verification and Version Detection ─ Plugin Detection ! Why? ● Enumerating the installed plugins in browsers. ● Serving exploits based on installed version of various plugins – Generic PluginDetect.js script is used to attain the information ─ Example: Phoenix Browser Exploit Pack ● GetJavaInfo.jar – Decompilation provides the generic code of detecting installed java version – Used to verify the appropriate exploit match 9
String Encoding and Replacement  Encoding Tactics ─ String manipulation ● Defining variables to obfuscate the reality » Declaring the strings in reverse order during execution » Passing the required string to definitive string replacement class » Randomizing the BEP file names 10
String Tampering - Example 11
User Agent Based Fingerprinting 12
IP Logging Detection Trick (IPLDT)  What it is all about? ─ Hampering the analysis process – Exploit is served only once a time to the required IP – BEP uses GeoLocation PHP library to keep a track of IP addresses – Appropriate check is performed before serving exploit » If IP is already served no more exploits are delivered » In other terms, no more infection to the specific IP address 13
Long Live – Drive By Downloads  Inside Drive By Downloads – Serving malware by forcing users to visit infected website – Iframe is injected into vulnerable websites – Exploit is served silently based on browser environment 14
Long Live – Drive By Downloads  Complete Process – Victim browser is forced to visit infected website – Iframe redirects browser to the EXPLOIT POINT (Exploit Hub) – Exploit is served by fingerprinting browser environment – Browser is exploited successfully – Exploit point silently asks for the malware from the malicious domain » It can be self driven – Malware is downloaded into system and automatically installed 15
Wait ! Drive By Cache. What?  What it is ? – Brother of Drive by Download Attacks. Is it ? – More efficient way to bypass anti virus protections .  Comparison – Drive By Download / Drive By Cache – Very less variations have been noticed ( Drive By Cache) – However, the infections are still in the wild and some of the traces have been noticed – Lot more to research over this attack but it has been initialized already – Reference: http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in- new.html 16
BEP’s & Botnets Collaboration  Is This True Artifact? ─ Yes it is. – BEP’s are used in conjunction with botnets – On successful exploitation, bot is dropped into victim machine – Harnessing the power of two different frameworks to deliver malware – Some traces have been seen of ZEUS (Botnet) + BlackHole (BEP) 17
Top 5 Java Exploits – BEP Choice  Finest and Fast Five Java Exploits ─ High exploitation and infection Rate – Sun Java Runtime Environment Trusted Methods Chaining Remote Code Execution Vulnerability (CVE-2010-0840) – Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability (CVE-2010-0842) | Java JMF MIDI – Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE (CVE-2010-0886) – Sun Java Runtime RMIConnectionImpl Privileged Context Remote Code Execution Vulnerability (CVE-2010-0094) | Java RMI – Java argument injection vulnerability in the URI handler in Java NPAPI plugin (CVE-2010-1423) 18
Future Work and Discussion  Hunting back the malware domains like a hacker  Continuous analysis to dig deeper into malware world  Designing solutions and protection mechanisms  Researching new and advanced hacking techniques  Becoming smarter with the passage of time 19
Questions / Thanks  Thanks to ToorCon (http://www.toorcon.org)  Thanks to SecNiche Security(http://www.secniche.org )  Malware at Stake ( http://secniche.blogspot.com ) 20

Empfohlen

Dalvik Vm & Jit
Dalvik Vm & JitDalvik Vm & Jit
Dalvik Vm & JitAnkit Somani
 
TOMOYO Linux on Android
TOMOYO Linux on AndroidTOMOYO Linux on Android
TOMOYO Linux on AndroidToshiharu Harada, Ph.D
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesNational Cheng Kung University
 
Understanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual MachineUnderstanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual MachineNational Cheng Kung University
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Vincenzo Iozzo
 

Empfohlen

Dalvik Vm & Jit
Dalvik Vm & JitDalvik Vm & Jit
Dalvik Vm & JitAnkit Somani
 
TOMOYO Linux on Android
TOMOYO Linux on AndroidTOMOYO Linux on Android
TOMOYO Linux on AndroidToshiharu Harada, Ph.D
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesNational Cheng Kung University
 
Understanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual MachineUnderstanding the Dalvik Virtual Machine
Understanding the Dalvik Virtual MachineNational Cheng Kung University
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Vincenzo Iozzo
 
Build Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVMBuild Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVMNational Cheng Kung University
 
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Tetsuyuki Kobayashi
 
Introduction to Android by Demian Neidetcher
Introduction to Android by Demian NeidetcherIntroduction to Android by Demian Neidetcher
Introduction to Android by Demian NeidetcherMatthew McCullough
 
Overview of Android binder IPC implementation
Overview of Android binder IPC implementationOverview of Android binder IPC implementation
Overview of Android binder IPC implementationChethan Pchethan
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Jnode
JnodeJnode
JnodeRaul Espinola
 
Accelerated Android Development with Linaro
Accelerated Android Development with LinaroAccelerated Android Development with Linaro
Accelerated Android Development with LinaroNational Cheng Kung University
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsNational Cheng Kung University
 
Guides To Analyzing WebKit Performance
Guides To Analyzing WebKit PerformanceGuides To Analyzing WebKit Performance
Guides To Analyzing WebKit PerformanceNational Cheng Kung University
 
Os Madsen Block
Os Madsen BlockOs Madsen Block
Os Madsen Blockoscon2007
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android InternalsNational Cheng Kung University
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Android Optimization: Myth and Reality
Android Optimization: Myth and RealityAndroid Optimization: Myth and Reality
Android Optimization: Myth and RealityNational Cheng Kung University
 
Android IPC Mechanism
Android IPC MechanismAndroid IPC Mechanism
Android IPC MechanismNational Cheng Kung University
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devicessrkedmi
 
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDBNational Cheng Kung University
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 

Weitere ähnliche Inhalte

Was ist angesagt?

Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Tetsuyuki Kobayashi
 
Introduction to Android by Demian Neidetcher
Introduction to Android by Demian NeidetcherIntroduction to Android by Demian Neidetcher
Introduction to Android by Demian NeidetcherMatthew McCullough
 
Overview of Android binder IPC implementation
Overview of Android binder IPC implementationOverview of Android binder IPC implementation
Overview of Android binder IPC implementationChethan Pchethan
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsNational Cheng Kung University
 
Os Madsen Block
Os Madsen BlockOs Madsen Block
Os Madsen Blockoscon2007
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devicessrkedmi
 
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 

Was ist angesagt? (20)

Build Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVMBuild Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVM
 
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'
 
Introduction to Android by Demian Neidetcher
Introduction to Android by Demian NeidetcherIntroduction to Android by Demian Neidetcher
Introduction to Android by Demian Neidetcher
 
Overview of Android binder IPC implementation
Overview of Android binder IPC implementationOverview of Android binder IPC implementation
Overview of Android binder IPC implementation
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Jnode
JnodeJnode
Jnode
 
Accelerated Android Development with Linaro
Accelerated Android Development with LinaroAccelerated Android Development with Linaro
Accelerated Android Development with Linaro
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
 
Guides To Analyzing WebKit Performance
Guides To Analyzing WebKit PerformanceGuides To Analyzing WebKit Performance
Guides To Analyzing WebKit Performance
 
Os Madsen Block
Os Madsen BlockOs Madsen Block
Os Madsen Block
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android Internals
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Android Optimization: Myth and Reality
Android Optimization: Myth and RealityAndroid Optimization: Myth and Reality
Android Optimization: Myth and Reality
 
Android IPC Mechanism
Android IPC MechanismAndroid IPC Mechanism
Android IPC Mechanism
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
 
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
 
Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDB
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 

Ähnlich wie Toorcon Seattle 2011 - Browser Exploit Packs

Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Aditya K Sood
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFFRI, Inc.
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...MindShare_kk
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosurech0psticks
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...Aditya K Sood
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwarePositive Hack Days
 
Malware analysis
Malware analysisMalware analysis
Malware analysisxabean
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockownerkhan
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...The Linux Foundation
 
Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Da-Chang Guan
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Stephan Chenette
 

Ähnlich wie Toorcon Seattle 2011 - Browser Exploit Packs (20)

Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware Alive
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
Deep Dive into WinRT
Deep Dive into WinRTDeep Dive into WinRT
Deep Dive into WinRT
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
 
Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
 

Mehr von Aditya K Sood

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodAditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis PaperAditya K Sood
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Aditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareAditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware TaxonomyAditya K Sood
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingAditya K Sood
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Aditya K Sood
 

Mehr von Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile Hacking
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011
 

Kürzlich hochgeladen

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 

Kürzlich hochgeladen (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 

Toorcon Seattle 2011 - Browser Exploit Packs

  • 1. Browser Exploit Packs Exploitation Tactics ToorCon Security Conference SEATTLE , 2011 Aditya K Sood | Richard J Enbody SecNiche Security | Department of Computer Science and Engineering Michigan State University
  • 2. About Us  Aditya K Sood ─ Founder , SecNiche Security ● Independent Security Consultant, Researcher and Practitioner ● Worked previously for Armorize, Coseinc and KPMG ● Active Speaker at Security conferences ● Written Content – ISSA/ISACA/CrossTalk/HITB/Hakin9/Elsevier NES|CFS ● LinkedIn : http://www.linkedin.com/in/adityaks ● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com ─ PhD Candidate at Michigan State University  Dr. Richard J Enbody ─ Associate Professor, CSE, Michigan State University ● Since 1987, teaching computer architecture/ computer security / mathematics ● Website: http://www.cse.msu.edu/~enbody ─ Co-Author CS1 Python book, The Practice of Computing using Python. ─ Patents Pending – Hardware Buffer Overflow Protection 2
  • 3. Agenda  BEP Generic Framework ─ BEP Insidious Details  BEP Trades and Tactics ● Plugin Detection and Verification ● String Obfuscation, Replacement and Manipulation ● User Agent Based Fingerprinting ● IP Logging Detection Trick ● Drive By Downloads ● Drive By Cache ● BEP’s and Botnets Collaboration  Future Work and Discussion 3
  • 4. BEP Generic Framework  BEP Framework ─ Detecting Patterns ● Fingerprinting the victim environment ● Applying inherent techniques supporting exploitation ● Robust approach to set the ground before serving exploits ─ Supporting Objects ● JavaScript event handlers ● Document Object Model (DOM) objects ● Dynamic content generation ● Requests across domains ─ Exploit Trigger ● Serving exploits efficiently ● Dropping malicious executable or bot in the victim machine 4
  • 5. BEP Configuration Check  BEP Framework ─ Configuration (Admin Panel + Execution Environment) ● Payload determines the malicious executable to be dropped – BEP’s are a supporting agent for botnets. Ofcourse, bots are dropped. ● Apart from normal settings, exploit distribution environment is set. 5
  • 6. PHP Ion Cube Encoder  PHP Ion Cube Encoder ─ Why ? ● Most of the BEPs are designed in PHP. ● Encodes all the exploits in a robust manner (efficient code protection) – All PHP files in BEP’s are encoded except configuration file – No restoration of compiled files back to source level. » Protection is applied at compilation time – Encoded files have digital signatures. – MAC protection enabled. Encoding Layer {n} ● Exploit detection becomes hard Encoding Layer { … } Encoding Layer {2} Encoding Layer {1} Optimized compiled Byte codes 6
  • 7. Max Mind Geo Location Library  Tracking and Tracing ─ Open source library for statistical analysis ● Most of BEP’s and botnets explicit use this library ● However, it is not a hard restriction to use this library – Malware writers can also use custom designed tracking code – An inadvertent part of any BEP 7
  • 9. Plugin Detection and Verification  Plugin Verification and Version Detection ─ Plugin Detection ! Why? ● Enumerating the installed plugins in browsers. ● Serving exploits based on installed version of various plugins – Generic PluginDetect.js script is used to attain the information ─ Example: Phoenix Browser Exploit Pack ● GetJavaInfo.jar – Decompilation provides the generic code of detecting installed java version – Used to verify the appropriate exploit match 9
  • 10. String Encoding and Replacement  Encoding Tactics ─ String manipulation ● Defining variables to obfuscate the reality » Declaring the strings in reverse order during execution » Passing the required string to definitive string replacement class » Randomizing the BEP file names 10
  • 11. String Tampering - Example 11
  • 12. User Agent Based Fingerprinting 12
  • 13. IP Logging Detection Trick (IPLDT)  What it is all about? ─ Hampering the analysis process – Exploit is served only once a time to the required IP – BEP uses GeoLocation PHP library to keep a track of IP addresses – Appropriate check is performed before serving exploit » If IP is already served no more exploits are delivered » In other terms, no more infection to the specific IP address 13
  • 14. Long Live – Drive By Downloads  Inside Drive By Downloads – Serving malware by forcing users to visit infected website – Iframe is injected into vulnerable websites – Exploit is served silently based on browser environment 14
  • 15. Long Live – Drive By Downloads  Complete Process – Victim browser is forced to visit infected website – Iframe redirects browser to the EXPLOIT POINT (Exploit Hub) – Exploit is served by fingerprinting browser environment – Browser is exploited successfully – Exploit point silently asks for the malware from the malicious domain » It can be self driven – Malware is downloaded into system and automatically installed 15
  • 16. Wait ! Drive By Cache. What?  What it is ? – Brother of Drive by Download Attacks. Is it ? – More efficient way to bypass anti virus protections .  Comparison – Drive By Download / Drive By Cache – Very less variations have been noticed ( Drive By Cache) – However, the infections are still in the wild and some of the traces have been noticed – Lot more to research over this attack but it has been initialized already – Reference: http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in- new.html 16
  • 17. BEP’s & Botnets Collaboration  Is This True Artifact? ─ Yes it is. – BEP’s are used in conjunction with botnets – On successful exploitation, bot is dropped into victim machine – Harnessing the power of two different frameworks to deliver malware – Some traces have been seen of ZEUS (Botnet) + BlackHole (BEP) 17
  • 18. Top 5 Java Exploits – BEP Choice  Finest and Fast Five Java Exploits ─ High exploitation and infection Rate – Sun Java Runtime Environment Trusted Methods Chaining Remote Code Execution Vulnerability (CVE-2010-0840) – Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability (CVE-2010-0842) | Java JMF MIDI – Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE (CVE-2010-0886) – Sun Java Runtime RMIConnectionImpl Privileged Context Remote Code Execution Vulnerability (CVE-2010-0094) | Java RMI – Java argument injection vulnerability in the URI handler in Java NPAPI plugin (CVE-2010-1423) 18
  • 19. Future Work and Discussion  Hunting back the malware domains like a hacker  Continuous analysis to dig deeper into malware world  Designing solutions and protection mechanisms  Researching new and advanced hacking techniques  Becoming smarter with the passage of time 19
  • 20. Questions / Thanks  Thanks to ToorCon (http://www.toorcon.org)  Thanks to SecNiche Security(http://www.secniche.org )  Malware at Stake ( http://secniche.blogspot.com ) 20