SlideShare ist ein Scribd-Unternehmen logo

Fireshark - Brucon 2010

Stephan Chenette
Stephan Chenette

Presentation on Fireshark - http://fireshark.org

1 von 104
Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette Principal Security Researcher, Websense Labs
Fireshark Agenda  Overview  Who Am I  What is Fireshark  The Malicious Webscape  Fireshark Introduction  Down the Rabbit hole (use cases) – Website Architecture / Redirection Chains – Mass Injection Points (dead or alive) – Content Profiling  Fireshark Releases  Download Location  Q&A 2
Let’s start at the beginning… WHAT IS FIRESHARK 3
The Fireshark Project Author: Stephan Chenette Contributions by: Wladimir Palant (AdBlockPlus FF Plugin) Organize and analyze malicious website data Correlate data  Similar mass injection attacks (C/R/E)  attacker patterns (providers/content/kits) 4
The Fireshark Project  Current Status – 1.0 Release - April 2010 (GPL v3 license) – 1.1 Release - due in November 2010 (selective beta) 5
Overview of Fireshark Architecture  Browser Plugin allows automated control of browser  Passively logs information to log file – Connections (contextual reference) – Source and DOM content – JavaScript function calls – Page Links – Screen Shot  Your Job: Use post-processing scripts/database to output organized results 6
Understanding the interweb… THE MALICIOUS WEBSCAPE 7
URL Injection attacks are increasing 225% increase in the number of new compromised legitimate websites in the last 12 months. Source: Websense Security Labs, State of Internet Security, Q3-Q4 2009 Report Translation: There is a large chance that a website you have visited In the recent past served malicious code. 8
Victims of “Malvertisements” (2009)  The Drudge Report  Horoscope.com  Lyrics.com  slacker.com  Eweek.com  The New York Times  Philadelphia Inquirer  Expedia, Rhapsody 9
Redirection chains/ Mass Compromises Nine-ball mass-injection 10
Redirection chains/ Mass Compromises Nine-ball mass-injection  There are a varied but unique set of hosts involved in the redirection chain  Any repeat visitor is diverted to ask.com instead of a malicious landing page  The structure of the injected deobfuscation algorithm is equivalent throughout all the infected sites 11
compromised website using an iframe 12
compromised website using a redirector 13
Exploit site goes through redirector 14
15
Exploit Site Serves Rogue Anti-Virus 16
Exploit Site Serves Rogue Anti-Virus  XP Security Tool 2010  XP Defender Pro  Vista Security Tool 2010  Vista Defender Pro 17
Malicious Site Serves – Exploit Kits 18
Malicious Site Serves – Exploit Kits  CRIMEPACK  PHOENIX  ELEONORE  FRAGUS  YES EXPLOIT  SEBERIA  EL FIESTA  ICEPACK  MPACK  WEB ATTACKER 19
Malicious Site Serves – Exploit Kits CVE-2003-0111 CVE-2006-5745 CVE-2007-0655 CVE-2009-0806 CVE-2006-5820 CVE-2007-5755 CVE-2009-0927 CVE-2004-1043 CVE-2006-6884 CVE-2007-6250 CVE-2009-1136 CVE-2005-2265 CVE-2009-1869 CVE-2007-0015 CVE-2008-0015 CVE-2009-2477 CVE-2006-0003 CVE-2007-0018 CVE-2008-1309 CVE-2009-3269 CVE-2006-0005 CVE-2007-0024 CVE-2008-2463 CVE-2009-3867 CVE-2006-1359 CVE-2007-0071 CVE-2008-2992 CVE-2009-4324 CVE-2006-3643 CVE-2007-3147 CVE-2008-4844 CVE-2006-3677 CVE-2007-3148 CVE-2008-5353 CVE-2010-0188 CVE-2006-3730 CVE-2007-4034 CVE-2010-0806 CVE-2006-4868 CVE-2007-4336 CVE-2009-0075 CVE-2006-4777 CVE-2007-5327 CVE-2009-0076 CVE-2006-5559 CVE-2007-5659 CVE-2009-0355 20
Malicious Site Serves – Exploit Kits  Firefox  Internet Explorer  Opera  Java/Reader/Flash 21
Obfuscated content (Phoenix pack) 22
Crimepack 2.8 released before March 10’ Exploits include: • Adobe Acrobat Reader Exploits (including CVE-2010-0188) • JRE (GSB & SERIALIZE) • MDAC (IE) • MS09-032 (IE) • MS09-002 (IE) • CVE-2010-0806 (IE) 23
Crimepack 2.8 Anti-Analysis Features include: 1. Undetected by AV Scanners (JavaScript & PDF/JAR/JPG files) 2. Random PDF Obfuscation (Not using static PDF file like other packs) 3. Blacklist checker & AutoChecker 4. Prevent Wepawet, JSunpack and other JavaScript unpackers to decode your page 24
Crimepack 2.8 Changes  Added CVE-2010-0806  Added CVE-2010-0188  Added more ip's to block  IFrame generator  Redirector for non-vulnerable traffic  New JS cryptor  Anti-Kaspersky emulation 25
RECAP OF NEEDS: Track and Organize Organize and analyze malicious website data Correlate data  Similar mass injection attacks (C/R/E)  attacker patterns (providers/content/kits) 26
Current Resources Websites: Tools:  Wepawet  Malzilla  Anubis  Rhino Debugger  ZeusTracker  FF JavaScript  BLADE (*new*) Deobfuscator  Robtex  DS’s SpiderMonkey  Unmask Parasites  Jsunpack  Malwaredomainlist.com  Caffeine Monkey  Badwarebusters.org  NJS  VirusTotal.com  Etc.  Etc. 27
Malzilla V.S. The Phoenix Exploit Kit 28
Malzilla V.S. The Phoenix Exploit Kit 29
JSUNPACK V.S. The Phoenix Exploit Kit 30
JSUNPACK V.S. The Phoenix Exploit Kit ERROR: CAN NOT FULLY DECODE 31
Spidermonkey/ CaffeineMonkey  JavaScript Engine + Limited browser features 32
Emulation -> Implementation is behind  document.body is undefined  document.title is undefined  document.forms is undefined  document.documentElement is undefined  document.URL is undefined  document.getElementsByTagName is not a function 33
Emulation -> Implementation is behind  window.location.search  window.addEvent is not a function  window.onDomReady is not a function  window.parent is undefined  window.screen is undefined  window.top is undefined  screen is not defined  top is not defined  parent is not defined  self is not defined  location.protocol 34
When an alternative just won’t do… FIRESHARK INTRODUCTION 35
Why do we need Fireshark?  Researcher  Network Administrator  Penetration Tester  We need tools to analyze mass injection attacks – Website Architecture/Redirection Chains – Source / Changes to DOM / JavaScript function calls – Content Profiling / Screen shot  Using an organized and ultimately VISUAL approach 36
List view V.S. Graph view 37
List view V.S. Graph view 38
Architecture of a youtube.com 39
horoscope.com (Content responsibility) 40
42
43
44
Original Source code (Phoenix pack) 45
DOM result (Phoenix pack) 46
How to use Fireshark 1.0  Install Fireshark Firefox plugin (.xpi file)  Create data.txt file, place in your home directory  Tools->Go! (then go and get a cup of coffee)  ** Reportlog.yml **  Use post-processing scripts – FiresharkInitInfo.pl (must be run first) – GraphViz.pl – IngressEgress.pl 47
48
Post-Run Analysis / data correlation  Log is analyzed manually or automatically via post- analysis correlation process
Local FireShark Demo
Use cases… DOWN THE RABBIT HOLE 51
Down the Rabbit hole  Analysis of Three exemplary Injection campaigns  Injection campaigns occur daily  A breadth view analysis  Gain a better understanding of the malicious webscape  Use Fireshark to do it.
Down the Rabbit hole •Injection Example #1
Injection Example #1  13k matches/24hrs
Injection Example #1  Step 1) Analyze a subset (500/13k)  Breadth – Popular campaign will emerge • Injections into unique websites will lead to same hosts  Depth – Details of the attack • Screen Shots • Source code, Deobfuscted DOM, Network traffic
Bird’s Eye View of 500/13k
Popularity of Requests
Popularity of Requests
Popularity of Requests
Down the Rabbit hole •Injection Campaign #1: 93.186.127.49
“W93.186” Injection Campaign
“W93.186” Injection Campaign
“W93.186” Injection Campaign SS
Observations from 93.186.127.49 attack •Operation b49
Rascop.com…a familiar foe?
Infamous Rascop.com •rascop.com = NXD (feb 10’) •Waledac •Fast-flux •domain
Rascop.com and friends gone but landing pages here to stay  Waladec domains were NXD in the takedown  Landing pages were still online though
Injection Example #2 •Attack #2: ru:8080
Popularity of Requests  250/5k URLs lead to homesalesplus.ru
Breadth – Popularity of Request connection  250/5k URLs lead to homesalesplus.ru
Injected Code Variation #1
Injected Code Variation #2
Injected Code Variation #3
Depth – Diff DOM/SRC
Depth – Script link in DOM
Injected Code Variation #3
DOM View  DOM ==> Mutable Memory representation (Final View of DOM after JS/events)
Log Analysis  Further Analysis showed variations: 1. hxxp://clicksor-com.eastmoney.com.mobile- de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmat es.com/linkhelper.cn/google.com/ 2. hxxp://chip-de.ggpht.com.deezer-com.viewhomesale .ru:8080/google.com/google.com/timeanddate.com/avg. com/zshare.net/
ru:8080 URL Injection Campaign Similarities between infected sites:  Port 8080  Various changing .ru domains  Legitimate content on port 80 served by Apache  Malicious domains are mapped to 5 different IPs  Malicious IP addresses are on hosting providers Leaseweb (Netherlands) and OVH.com (France)  Landing domains were NXD Dec 09’/Jan 10’
The Never-ending story  Fresh injections
Observations from ru:8080 attack  Compromised websites can and are updated automatically  Compromised websites are injected with multiple redirectors  Sharing of stolen FTP credentials e.g. Many infected sites also led to Gumblar infected domains, indicating that attackers perhaps had shared stolen FTP credentials
Injection Example #3  Mass Injection #3  ~5700 infected pages  ~5300 unique hosts…sent 1k for analysis
Breadth – Popularity of Responses
Breadth – Popularity of Responses  sportgun.pl.ua very common type of attack  sends a response back to 50+ hosts
Connection Request/No Response Src: hxxp://sportgun.pl.ua/st/go.php?sid=2& Dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
Round #2 Connection Request/Response  Success!
Fetches Exploits  Fetches PDF and Java Exploits - connection: type: response src: hxxp://uplevelgmno.vn.ua/111/sv777/pdf.php dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php status: 200 - connection: type: response src: hxxp://uplevelgmno.vn.ua/111/sv777/dev.s.AdgredY.class dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php status: 200
PDF VirusTotal Results
Eleonore Exploits Pack hxxp://uplevelgmno.vn.ua/111/sv777/stat.php
Obfuscated Chunk in Source Code  howtofindmyip.com obfuscation
Deobfuscated DOM  howtofindmyip.com deobfuscated
Exploit Kit  uplevelgmno.vn.ua
Observations from Injection attack #3  The bad guys are tracking/hiding, redundancy redirectors are common  Exploits that are being used are current e.g. all platforms/browsers are targeted  Exploit kits are easily attainable, setup is quick  Many kits serve user polymorphic exploits/malware, thus traditional AV signatures are always behind
From 1.0 to 1.1… FIRESHARK RELEASES 96
Fireshark 1.0  Released Blackhat Europe April 2010 – Firefox Browser-Plugin – PERL Post processing scripts – CYMRU ASN – GraphViz 97
Fireshark 1.0  YAML Log format  Scripts:  GraphViz.pl  IngressEgress.pl 98
Fireshark 1.1 (Release in November 10’)  XUL GUI Front-end – Shows network traffic – Redirection chains – DOM/SOURCE/DIFF – Top Destination and Source URLs – Suspected Redirectors/Exploit Sites  Configurable options  Output in JSON (1.0 was in YAML) 99
Get it!… FIRESHARK WHERE TO DOWNLOAD 100
Download Fireshark 1.0 http://fireshark.org/  Free (GPL v3)  Open Source  PERL/Python scripts included for post- processing 101
The end… CONCLUSION + Q&A 102
Conclusions/Take-away  Compromised websites: – Increase of 225% over the last 12 months – Frequently updated to contain fresh links – Current tools are insufficient if desire is to monitor and analyze mass URL injections  Use Fireshark for: – Mass Injection Analysis – Redirection Chaining – Content Profiling 103
Q&A Questions?  Contact: Stephan Chenette Twitter: StephanChenette Email: stephan@packetsector.net  Fireshark Feedback: Join the Fireshark mailing list!! or.. send an email to feedback@fireshark.org 104

Empfohlen

Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 

Empfohlen

Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid usCsaba Fitzl
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Hacking intranet websites
Hacking intranet websitesHacking intranet websites
Hacking intranet websitesshehab najjar
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortanaWill Schroeder
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Advanced Malware Analysis
Advanced Malware AnalysisAdvanced Malware Analysis
Advanced Malware AnalysisPrathan Phongthiproek
 

Weitere ähnliche Inhalte

Was ist angesagt?

Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Hacking intranet websites
Hacking intranet websitesHacking intranet websites
Hacking intranet websitesshehab najjar
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 

Was ist angesagt? (20)

Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Hacking intranet websites
Hacking intranet websitesHacking intranet websites
Hacking intranet websites
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 

Ähnlich wie Fireshark - Brucon 2010

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Aditya K Sood
 
Web application security
Web application securityWeb application security
Web application securityrandhawa121985
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecuritySplunk
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackersKirill Ermakov
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptxFunctional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptxtarkovtarkovski
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwarePositive Hack Days
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011WASecurity
 
2013 Security Threat Report Presentation
2013 Security Threat Report Presentation2013 Security Threat Report Presentation
2013 Security Threat Report PresentationSophos
 

Ähnlich wie Fireshark - Brucon 2010 (20)

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Advanced Malware Analysis
Advanced Malware AnalysisAdvanced Malware Analysis
Advanced Malware Analysis
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
 
Web application security
Web application securityWeb application security
Web application security
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackers
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptxFunctional and Behavioral Analysis of Different Type of Ransomware.pptx
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011
 
2013 Security Threat Report Presentation
2013 Security Threat Report Presentation2013 Security Threat Report Presentation
2013 Security Threat Report Presentation
 

Mehr von Stephan Chenette

2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Stephan Chenette
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Stephan Chenette
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 

Mehr von Stephan Chenette (9)

Landing on Jupyter
Landing on JupyterLanding on Jupyter
Landing on Jupyter
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 

Fireshark - Brucon 2010

  • 1. Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette Principal Security Researcher, Websense Labs
  • 2. Fireshark Agenda  Overview  Who Am I  What is Fireshark  The Malicious Webscape  Fireshark Introduction  Down the Rabbit hole (use cases) – Website Architecture / Redirection Chains – Mass Injection Points (dead or alive) – Content Profiling  Fireshark Releases  Download Location  Q&A 2
  • 3. Let’s start at the beginning… WHAT IS FIRESHARK 3
  • 4. The Fireshark Project Author: Stephan Chenette Contributions by: Wladimir Palant (AdBlockPlus FF Plugin) Organize and analyze malicious website data Correlate data  Similar mass injection attacks (C/R/E)  attacker patterns (providers/content/kits) 4
  • 5. The Fireshark Project  Current Status – 1.0 Release - April 2010 (GPL v3 license) – 1.1 Release - due in November 2010 (selective beta) 5
  • 6. Overview of Fireshark Architecture  Browser Plugin allows automated control of browser  Passively logs information to log file – Connections (contextual reference) – Source and DOM content – JavaScript function calls – Page Links – Screen Shot  Your Job: Use post-processing scripts/database to output organized results 6
  • 7. Understanding the interweb… THE MALICIOUS WEBSCAPE 7
  • 8. URL Injection attacks are increasing 225% increase in the number of new compromised legitimate websites in the last 12 months. Source: Websense Security Labs, State of Internet Security, Q3-Q4 2009 Report Translation: There is a large chance that a website you have visited In the recent past served malicious code. 8
  • 9. Victims of “Malvertisements” (2009)  The Drudge Report  Horoscope.com  Lyrics.com  slacker.com  Eweek.com  The New York Times  Philadelphia Inquirer  Expedia, Rhapsody 9
  • 10. Redirection chains/ Mass Compromises Nine-ball mass-injection 10
  • 11. Redirection chains/ Mass Compromises Nine-ball mass-injection  There are a varied but unique set of hosts involved in the redirection chain  Any repeat visitor is diverted to ask.com instead of a malicious landing page  The structure of the injected deobfuscation algorithm is equivalent throughout all the infected sites 11
  • 13. compromised website using a redirector 13
  • 14. Exploit site goes through redirector 14
  • 15. 15
  • 16. Exploit Site Serves Rogue Anti-Virus 16
  • 17. Exploit Site Serves Rogue Anti-Virus  XP Security Tool 2010  XP Defender Pro  Vista Security Tool 2010  Vista Defender Pro 17
  • 18. Malicious Site Serves – Exploit Kits 18
  • 19. Malicious Site Serves – Exploit Kits  CRIMEPACK  PHOENIX  ELEONORE  FRAGUS  YES EXPLOIT  SEBERIA  EL FIESTA  ICEPACK  MPACK  WEB ATTACKER 19
  • 20. Malicious Site Serves – Exploit Kits CVE-2003-0111 CVE-2006-5745 CVE-2007-0655 CVE-2009-0806 CVE-2006-5820 CVE-2007-5755 CVE-2009-0927 CVE-2004-1043 CVE-2006-6884 CVE-2007-6250 CVE-2009-1136 CVE-2005-2265 CVE-2009-1869 CVE-2007-0015 CVE-2008-0015 CVE-2009-2477 CVE-2006-0003 CVE-2007-0018 CVE-2008-1309 CVE-2009-3269 CVE-2006-0005 CVE-2007-0024 CVE-2008-2463 CVE-2009-3867 CVE-2006-1359 CVE-2007-0071 CVE-2008-2992 CVE-2009-4324 CVE-2006-3643 CVE-2007-3147 CVE-2008-4844 CVE-2006-3677 CVE-2007-3148 CVE-2008-5353 CVE-2010-0188 CVE-2006-3730 CVE-2007-4034 CVE-2010-0806 CVE-2006-4868 CVE-2007-4336 CVE-2009-0075 CVE-2006-4777 CVE-2007-5327 CVE-2009-0076 CVE-2006-5559 CVE-2007-5659 CVE-2009-0355 20
  • 21. Malicious Site Serves – Exploit Kits  Firefox  Internet Explorer  Opera  Java/Reader/Flash 21
  • 23. Crimepack 2.8 released before March 10’ Exploits include: • Adobe Acrobat Reader Exploits (including CVE-2010-0188) • JRE (GSB & SERIALIZE) • MDAC (IE) • MS09-032 (IE) • MS09-002 (IE) • CVE-2010-0806 (IE) 23
  • 24. Crimepack 2.8 Anti-Analysis Features include: 1. Undetected by AV Scanners (JavaScript & PDF/JAR/JPG files) 2. Random PDF Obfuscation (Not using static PDF file like other packs) 3. Blacklist checker & AutoChecker 4. Prevent Wepawet, JSunpack and other JavaScript unpackers to decode your page 24
  • 25. Crimepack 2.8 Changes  Added CVE-2010-0806  Added CVE-2010-0188  Added more ip's to block  IFrame generator  Redirector for non-vulnerable traffic  New JS cryptor  Anti-Kaspersky emulation 25
  • 26. RECAP OF NEEDS: Track and Organize Organize and analyze malicious website data Correlate data  Similar mass injection attacks (C/R/E)  attacker patterns (providers/content/kits) 26
  • 27. Current Resources Websites: Tools:  Wepawet  Malzilla  Anubis  Rhino Debugger  ZeusTracker  FF JavaScript  BLADE (*new*) Deobfuscator  Robtex  DS’s SpiderMonkey  Unmask Parasites  Jsunpack  Malwaredomainlist.com  Caffeine Monkey  Badwarebusters.org  NJS  VirusTotal.com  Etc.  Etc. 27
  • 28. Malzilla V.S. The Phoenix Exploit Kit 28
  • 29. Malzilla V.S. The Phoenix Exploit Kit 29
  • 30. JSUNPACK V.S. The Phoenix Exploit Kit 30
  • 31. JSUNPACK V.S. The Phoenix Exploit Kit ERROR: CAN NOT FULLY DECODE 31
  • 32. Spidermonkey/ CaffeineMonkey  JavaScript Engine + Limited browser features 32
  • 33. Emulation -> Implementation is behind  document.body is undefined  document.title is undefined  document.forms is undefined  document.documentElement is undefined  document.URL is undefined  document.getElementsByTagName is not a function 33
  • 34. Emulation -> Implementation is behind  window.location.search  window.addEvent is not a function  window.onDomReady is not a function  window.parent is undefined  window.screen is undefined  window.top is undefined  screen is not defined  top is not defined  parent is not defined  self is not defined  location.protocol 34
  • 35. When an alternative just won’t do… FIRESHARK INTRODUCTION 35
  • 36. Why do we need Fireshark?  Researcher  Network Administrator  Penetration Tester  We need tools to analyze mass injection attacks – Website Architecture/Redirection Chains – Source / Changes to DOM / JavaScript function calls – Content Profiling / Screen shot  Using an organized and ultimately VISUAL approach 36
  • 37. List view V.S. Graph view 37
  • 38. List view V.S. Graph view 38
  • 39. Architecture of a youtube.com 39
  • 41.
  • 42. 42
  • 43. 43
  • 44. 44
  • 45. Original Source code (Phoenix pack) 45
  • 47. How to use Fireshark 1.0  Install Fireshark Firefox plugin (.xpi file)  Create data.txt file, place in your home directory  Tools->Go! (then go and get a cup of coffee)  ** Reportlog.yml **  Use post-processing scripts – FiresharkInitInfo.pl (must be run first) – GraphViz.pl – IngressEgress.pl 47
  • 48. 48
  • 49. Post-Run Analysis / data correlation  Log is analyzed manually or automatically via post- analysis correlation process
  • 51. Use cases… DOWN THE RABBIT HOLE 51
  • 52. Down the Rabbit hole  Analysis of Three exemplary Injection campaigns  Injection campaigns occur daily  A breadth view analysis  Gain a better understanding of the malicious webscape  Use Fireshark to do it.
  • 53. Down the Rabbit hole •Injection Example #1
  • 54. Injection Example #1  13k matches/24hrs
  • 55. Injection Example #1  Step 1) Analyze a subset (500/13k)  Breadth – Popular campaign will emerge • Injections into unique websites will lead to same hosts  Depth – Details of the attack • Screen Shots • Source code, Deobfuscted DOM, Network traffic
  • 56. Bird’s Eye View of 500/13k
  • 60. Down the Rabbit hole •Injection Campaign #1: 93.186.127.49
  • 66.
  • 67. Infamous Rascop.com •rascop.com = NXD (feb 10’) •Waledac •Fast-flux •domain
  • 68. Rascop.com and friends gone but landing pages here to stay  Waladec domains were NXD in the takedown  Landing pages were still online though
  • 69. Injection Example #2 •Attack #2: ru:8080
  • 70. Popularity of Requests  250/5k URLs lead to homesalesplus.ru
  • 71. Breadth – Popularity of Request connection  250/5k URLs lead to homesalesplus.ru
  • 75. Depth – Diff DOM/SRC
  • 76. Depth – Script link in DOM
  • 78. DOM View  DOM ==> Mutable Memory representation (Final View of DOM after JS/events)
  • 79. Log Analysis  Further Analysis showed variations: 1. hxxp://clicksor-com.eastmoney.com.mobile- de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmat es.com/linkhelper.cn/google.com/ 2. hxxp://chip-de.ggpht.com.deezer-com.viewhomesale .ru:8080/google.com/google.com/timeanddate.com/avg. com/zshare.net/
  • 80. ru:8080 URL Injection Campaign Similarities between infected sites:  Port 8080  Various changing .ru domains  Legitimate content on port 80 served by Apache  Malicious domains are mapped to 5 different IPs  Malicious IP addresses are on hosting providers Leaseweb (Netherlands) and OVH.com (France)  Landing domains were NXD Dec 09’/Jan 10’
  • 81. The Never-ending story  Fresh injections
  • 82. Observations from ru:8080 attack  Compromised websites can and are updated automatically  Compromised websites are injected with multiple redirectors  Sharing of stolen FTP credentials e.g. Many infected sites also led to Gumblar infected domains, indicating that attackers perhaps had shared stolen FTP credentials
  • 83. Injection Example #3  Mass Injection #3  ~5700 infected pages  ~5300 unique hosts…sent 1k for analysis
  • 84. Breadth – Popularity of Responses
  • 85. Breadth – Popularity of Responses  sportgun.pl.ua very common type of attack  sends a response back to 50+ hosts
  • 86.
  • 87. Connection Request/No Response Src: hxxp://sportgun.pl.ua/st/go.php?sid=2& Dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
  • 88. Round #2 Connection Request/Response  Success!
  • 89. Fetches Exploits  Fetches PDF and Java Exploits - connection: type: response src: hxxp://uplevelgmno.vn.ua/111/sv777/pdf.php dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php status: 200 - connection: type: response src: hxxp://uplevelgmno.vn.ua/111/sv777/dev.s.AdgredY.class dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php status: 200
  • 92. Obfuscated Chunk in Source Code  howtofindmyip.com obfuscation
  • 95. Observations from Injection attack #3  The bad guys are tracking/hiding, redundancy redirectors are common  Exploits that are being used are current e.g. all platforms/browsers are targeted  Exploit kits are easily attainable, setup is quick  Many kits serve user polymorphic exploits/malware, thus traditional AV signatures are always behind
  • 96. From 1.0 to 1.1… FIRESHARK RELEASES 96
  • 97. Fireshark 1.0  Released Blackhat Europe April 2010 – Firefox Browser-Plugin – PERL Post processing scripts – CYMRU ASN – GraphViz 97
  • 98. Fireshark 1.0  YAML Log format  Scripts:  GraphViz.pl  IngressEgress.pl 98
  • 99. Fireshark 1.1 (Release in November 10’)  XUL GUI Front-end – Shows network traffic – Redirection chains – DOM/SOURCE/DIFF – Top Destination and Source URLs – Suspected Redirectors/Exploit Sites  Configurable options  Output in JSON (1.0 was in YAML) 99
  • 101. Download Fireshark 1.0 http://fireshark.org/  Free (GPL v3)  Open Source  PERL/Python scripts included for post- processing 101
  • 103. Conclusions/Take-away  Compromised websites: – Increase of 225% over the last 12 months – Frequently updated to contain fresh links – Current tools are insufficient if desire is to monitor and analyze mass URL injections  Use Fireshark for: – Mass Injection Analysis – Redirection Chaining – Content Profiling 103
  • 104. Q&A Questions?  Contact: Stephan Chenette Twitter: StephanChenette Email: stephan@packetsector.net  Fireshark Feedback: Join the Fireshark mailing list!! or.. send an email to feedback@fireshark.org 104