nullcon 2010 - Signature based Malware Detection PoC for Websites
•Als PPT, PDF herunterladen•
2 gefällt mir•539 views
nullcon 2010 - Signature based Malware Detection PoC by Anant Kochhar
![[object Object],[object Object],Back Door, Key Logger, Botnet Zombie](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Mehr von n|u - The Open Security Community
Mehr von n|u - The Open Security Community (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
nullcon 2010 - Signature based Malware Detection PoC for Websites
- 1. Proof-Of-Concept: Signature Based Malware Detection for Websites and Domain Administrators - Anant Kochhar
- 4. Know them, “Trust” them
- 5. Drive-By Downloads AKA IFRAME and Script Injections
- 11. Affected Page With Rubbish Data
- 12. Source: http://www.scmagazineus.com/mass-sql-injection-attack-compromises-70000-websites/article/100497/ Source: http://www.scmagazineus.com/sql-attack-hits-125000-sites/article/159445/
- 14. Movies College Fashion Sports .abc.xyz
- 17. Movies College Fashion Sports .abc.xyz
- 21. Indirect Risks: The Legitimate can also becomes Dangerous A Site B B Iframe Injection All internal and external users of the “clean” site A are also at risk now.
Hinweis der Redaktion
- This is a malware detection method for websites, not for end users/ victims.
- Malware, for this presentation, is a piece of code with intent to harm computer users. It maybe a back door, key logger, or a botnet client. End victims of malware are individuals and not websites.
- Attackers are always looking to deliver the malware to the victim. Maybe over WWW or may include techniques like infected USBs. The initial attacks were email based or through phishing sites. Now, they are using an alternative ‘trust’ based method- exploiting the trust that users have for ‘known’ websites. Malicious coders, working for RBN, create malware. These malware can be bought online. Example…- this is something I can work on.
- All are trusted names. There is implicit ‘trust’ when you visit their sites. Although not the end victim, these websites were victims of attacks. And they lost reputation.
- In the HTML source of the web pages, an ‘invisible’ redirection to a malicious site from where malware is downloaded. Note the obfuscation. The decoded URL: http: //chura.pl- one of the many malicious websites. This can also be a ‘script’ redirection- several variations of the same. How widespread is the problem?
- An attacked site.
- This is what the source looks like.
- With any of the above warning, a website loses reputation. Organizations lose reputations. Especially bad for ‘traffic-driven’ web based businesses. For banking websites, users will get keyloggers.
- Automated Tools discovered vulnerable pages and spray them with payloads which inserted scripts in databases. Scripts were inserted in all dynamic pages which picked up data from the corrupted database.
- The payload was encoded in hex to bypass IPS and IDS signatures.
- An infected page will look like the above, with lots of corrupted data as. With invisible redirections in the background.
- A medium sized domain with 4 sub domains. 4 sub domains= at least 4 separate web content administrators.
- The best Antivirus have less than 50% chance of catching the malware. Source: http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf
- 1 of 4 content admin infected with malware. Entire domain is at risk of losing reputation.
- With any of the above warning, a website loses reputation. Organizations lose reputations. Especially bad for ‘traffic-driven’ web based businesses.
- How prevalent?
- Since almost all malwares are designed to exploit windows vulnerabilities, it is safer to use linux based systems.
- Site A links to Site B- Basis of the internet. Site B gets infected with Iframe Injection. All internal and external users of the “clean” site A are also at risk.
- Containing the spread is important if you are an internet bank. Protecting reputation is important if you are a web portal with a traffic driven revenue model.
- Multiple sources of signatures. Instead of dynamically comparing every external site with the new signatures, compare the entire list of external sites from the previous scan with new signatures. This will ensure that nothing gets missed.