SlideShare ist ein Scribd-Unternehmen logo

Web Wreck-utation - CanSecWest 2008

Stephan Chenette
Stephan Chenette
1 von 91
Downloaden Sie, um offline zu lesen
Wreck-utation Dan Hubbard Stephan Chenette Websense Security Labs CanSec 2008
Reputation: is the opinion (more technically, a social evaluation) of the public toward a person, a group of people, or an organization. It is an important factor in many fields, such as business, online communities or social status.
Reputation: is the opinion (more technically, a social evaluation) of the public toward a person, a group of people, or an organization. It is an important factor in many fields, such as business, online communities or social status. Online Reputation is a factor in any online community where trust is important. Examples include eBay, an auction service which uses a system of customer feedback to publicly rate each member's reputation.
Best thing since sliced bread?
Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM”
Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM” “You are only as good as your reputation”
Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM” “You are only as good as your reputation” “Reputation is the next stage in the antivirus evolution”
Good *or* Bad
Good *or* Bad Mozilla.org
Good *or* Bad Mozilla.org Russian Business Network
Good *and* Bad
Good *and* Bad MSNBC Sports
Good *and* Bad MSNBC Sports MSNBC Sports Stats
Good *gone* Bad
Good *gone* Bad Super Bowl Site
Good *gone* Bad Super Bowl Site 0wned from China
Using Reputation for Security Decisions
Using Reputation for Security Decisions Web Reputation Email Reputation Domain Reputation Bonus: Binary Reputation
GEO AGE HISTORY LEXICAL REPUTATION NEIGHBORS COUSIN TYPOS TRAFFIC
Web Reputation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE
Web Reputation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE PHISH, FRAUD, SPAM
Web Wreck-utation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE PHISH, FRAUD, SPAM
Web Wreck-utation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE HOSTING + REGIONAL + PHISH, COLLATERAL FRAUD, DAMAGE SPAM
Web Wreck-utation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE BIG NAME HOSTING + COMPROMISES REGIONAL + PHISH, & SEO COLLATERAL FRAUD, DAMAGE SPAM
Web Wreck-utation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE BIG NAME HOSTING + EXPLOIT PHISH, COMPROMISES REGIONAL + 2.0 & SEO COLLATERAL FRAUD, DAMAGE SPAM
mysql>
mysql> SELECT COUNT  FROM vurldb WHERE hostname RLIKE '(.+.)?(googlepages|geocities|yahoo| facebook|myspace|google|live).com' AND category IN ('Malicious Web Sites', 'Spyware', 'Keylogger') AND add_date BETWEEN '2008-02-01' AND '2008-02-29'; mysql> 3032
The BLOG TAIL / WEB TWO DOT UH OH
The BLOG TAIL / WEB TWO DOT UH OH Blogger: Allows embedded URL’s to malicious code
The BLOG TAIL / WEB TWO DOT UH OH Blogger: Allows embedded URL’s to malicious code Calendar + DOCS: allow embedded malicious code
The BLOG TAIL / WEB TWO DOT UH OH Blogger: Allows embedded URL’s to malicious code Calendar + DOCS: allow embedded malicious code GooglePages: allows upload of malicious code
The BLOG TAIL / WEB TWO DOT UH OH Blogger: Allows embedded URL’s to malicious code Calendar + DOCS: allow embedded malicious code GooglePages: allows upload of malicious code Picasso Albums: allow embedded URL’s to malicious code
Using Reputation for Security Decisions
What’s the Problem ? The webs most visited sites are increasingly being used to host malicious code Spammers, and malcode groups have wised up to industry use of reputation and are exploiting it > 50% of malicious websites are compromised 70% of top 100 sites rely on user uploaded content Most top sites have poor, if any, input validation
eBay input validation eBay is unquestionably one of the most popular websites (high reputation) eBay does some input but not in real-time
Seller Reputation We blogged in the past of sellers making their reputation go from 0 to “Power Seller”
Seller Reputation We blogged in the past of sellers making their reputation go from 0 to “Power Seller”
“make me a power seller” • How did this user accomplish this?
Congrats, your have been 0wned
Adding malicious listings to eBay…
eBay Sploit
eBay Sploit
90 minutes later.....
Easy as Pie?
Easy as Pie?
Everything has a price! Buying good Reputation
Expired Domain dreamcast.com
IFRAME: Content Injection > 20,000 sites infected today (all had good reputation) ZDNet.com, news.com, history.com, usatoday.com, etc. The list goes on This attack used search engine optimization caching within high reputable sites to cache malicious content
IFRAME: Content Injection
IFRAME: Content Injection Attacks are using a bot to automatically search inside Blogdigger search engine. In turn Blogdigger is caching the results.
IFRAME: Content Injection IFRAME is able to escape the parent tag
IFRAME: Content Injection Unsuspecting user who trust the site is redirected automatically to this PUS site
Email Wreck-utation
Email Wreck-utation Has been around for a lot longer than Web Reputation Several sender technologies: (SPF, DKIM,SenderID) Reputation systems have helped move the problem
Email Wreck-utation
Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around
Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around Hijack a “good” open relay
Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around Hijack a “good” open relay Use a webmail provider like Yahoo!, Gmail, Microsoft
Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around Hijack a “good” open relay Use a webmail provider like Yahoo!, Gmail, Microsoft Spread wealth to BLOGS (Splogs)
Email Wreck-utation “Legit Sender”
Email: “Legit” SPF
Email: “Legit” SPF "Theres never been a better time to get a new car" mail.yakdrive.com [67.218.177.112] mail.jadeblond.com [67.218.177.54] mail.routevery.com [67.218.177.53] mail.filterwind.com [67.218.185.50] mail.routevery.com [67.218.177.53] mail.bendton.com [67.218.177.73] mail.wellcometo.com [67.218.185.76] mail.domesell.com [67.218.185.96] mail.smashoot.com [67.218.185.94] mail.arrivespark.com [67.218.185.117] mail.spearmine.com [67.218.185.74] mail.cleanfluff.com [67.218.171.33] mail.thirdground.com [67.218.171.20]
Email: “Legit” SPF
Email: “Legit” SPF
MS Live Sending SPAM
MS Live Captchas
Gmail Captchas
Cruel Irony: Google Redirects http://www.google.com/pagead/iclk?sa=3Dl&ai=3DoOfDzh&num= =3D07504&adurl=3Dhttp://visamedicalopinion.com/run.exe
Moving Targets
Moving Targets: SPLOG
Moving Targets: SPLOG
Moving Targets: SPLOG
Domain Reputation
Domain Reputation Mostly used for email Some people are re-factoring for Web Domain tasting best example (age) Cousin / Likeliness of other domains used We have something called LexiRep also
Domain Wreck-utation
Domain Wreck-utation Web 80 - 20 rule works against this Compromised sites are not accounted for Domain stealing, acquiring, breaks age and history algorithms DNS spoofing, hacks ,etc Do not account for URL’s, hostnames
Application reputation Packer heuristics are commonly used to categorize a malicious binary, because 90% of all malicious binaries are packed. Malicious authors have increasingly started to try to fool application detection engines into thinking the binary in question is not a packed binary.
Storm Ecard Application reputation Sections look normal
Storm Ecard Application reputation Entry point matches MinGW GCC
Storm Ecard Application reputation • Eventually a call to the packed code…
Storm Ecard Application reputation How did it do this? There are multiple programs to scramble the true identity…. i.e. DotFix Fake Signer, pseudo signer, etc
Conclusion
Conclusion Reputation systems for security are effective in long tail of Internet
Conclusion Reputation systems for security are effective in long tail of Internet Reputation can be used with other parts of the equation to make better decisions
Conclusion Reputation systems for security are effective in long tail of Internet Reputation can be used with other parts of the equation to make better decisions Web reputation is less affective than email reputation based on the new dynamics of the web, the large numbers of compromised web-sites, and web two dot uh-oh
Conclusion
Conclusion
Conclusion
THANKS ! dhubbard | schenette <at>websense.com

Empfohlen

The Triangle to Media Success: How to Leverage your Edit, Ads and Audience to...
The Triangle to Media Success: How to Leverage your Edit, Ads and Audience to...The Triangle to Media Success: How to Leverage your Edit, Ads and Audience to...
The Triangle to Media Success: How to Leverage your Edit, Ads and Audience to...ArabNet ME
 
Building links in a penguin ridden world - BizUp
Building links in a penguin ridden world - BizUpBuilding links in a penguin ridden world - BizUp
Building links in a penguin ridden world - BizUpBizup
 
5 effective seo tips
5 effective seo tips5 effective seo tips
5 effective seo tipsRUBEN LICERA
 
Pr 2 presentation
Pr 2 presentationPr 2 presentation
Pr 2 presentationJustin Davies
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Stephan Chenette
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Ten Characteristics Common To Highly Effective Entrepreneurs
Ten Characteristics Common To Highly Effective EntrepreneursTen Characteristics Common To Highly Effective Entrepreneurs
Ten Characteristics Common To Highly Effective EntrepreneursAbhishek Shah
 
WTF - Why the Future Is Up to Us - pptx version
WTF - Why the Future Is Up to Us - pptx versionWTF - Why the Future Is Up to Us - pptx version
WTF - Why the Future Is Up to Us - pptx versionTim O'Reilly
 

Empfohlen

The Triangle to Media Success: How to Leverage your Edit, Ads and Audience to...
The Triangle to Media Success: How to Leverage your Edit, Ads and Audience to...The Triangle to Media Success: How to Leverage your Edit, Ads and Audience to...
The Triangle to Media Success: How to Leverage your Edit, Ads and Audience to...ArabNet ME
 
Building links in a penguin ridden world - BizUp
Building links in a penguin ridden world - BizUpBuilding links in a penguin ridden world - BizUp
Building links in a penguin ridden world - BizUpBizup
 
5 effective seo tips
5 effective seo tips5 effective seo tips
5 effective seo tipsRUBEN LICERA
 
Pr 2 presentation
Pr 2 presentationPr 2 presentation
Pr 2 presentationJustin Davies
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Stephan Chenette
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Ten Characteristics Common To Highly Effective Entrepreneurs
Ten Characteristics Common To Highly Effective EntrepreneursTen Characteristics Common To Highly Effective Entrepreneurs
Ten Characteristics Common To Highly Effective EntrepreneursAbhishek Shah
 
WTF - Why the Future Is Up to Us - pptx version
WTF - Why the Future Is Up to Us - pptx versionWTF - Why the Future Is Up to Us - pptx version
WTF - Why the Future Is Up to Us - pptx versionTim O'Reilly
 
Building a web framework: Django's design decisions
Building a web framework: Django's design decisionsBuilding a web framework: Django's design decisions
Building a web framework: Django's design decisionsJacob Kaplan-Moss
 
The Phishing Ecosystem
The Phishing EcosystemThe Phishing Ecosystem
The Phishing Ecosystemamiable_indian
 
Why do THEY want your digital devices?
Why do THEY want your digital devices?Why do THEY want your digital devices?
Why do THEY want your digital devices?ESET
 
Online Reputation Management
Online Reputation ManagementOnline Reputation Management
Online Reputation ManagementBart De Waele
 
Keeping Your Affiliate Program Clean
Keeping Your Affiliate Program CleanKeeping Your Affiliate Program Clean
Keeping Your Affiliate Program CleanAffiliate Summit
 
Alan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketAlan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketYury Chemerkin
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser BotnetSource Conference
 
Online Security and Privacy Issues
Online Security and Privacy IssuesOnline Security and Privacy Issues
Online Security and Privacy Issuesebusinessmantra
 
Protecting Yourself Online
Protecting Yourself OnlineProtecting Yourself Online
Protecting Yourself OnlineGary Wagnon
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC IdentityMarc Littlemore
 
Innovation and Community
Innovation and CommunityInnovation and Community
Innovation and CommunityRobyn Tippins
 
B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2BCamp
 
Capstone It 101 Final
Capstone It 101 FinalCapstone It 101 Final
Capstone It 101 Finalguest745203
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 
018 CYBER SAFETY.pdf
018 CYBER SAFETY.pdf018 CYBER SAFETY.pdf
018 CYBER SAFETY.pdfYashikaTanwar2
 
2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?Saumil Shah
 
The Death of the Yellow Pages - ROI 2010
The Death of the Yellow Pages - ROI 2010The Death of the Yellow Pages - ROI 2010
The Death of the Yellow Pages - ROI 2010radiusofinfluence
 
Ims Gc 2007 V2
Ims Gc 2007 V2Ims Gc 2007 V2
Ims Gc 2007 V2Sean O'Sullivan
 
글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018
글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018
글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018Amazon Web Services Korea
 
Landing on Jupyter
Landing on JupyterLanding on Jupyter
Landing on JupyterStephan Chenette
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 

Weitere ähnliche Inhalte

Ähnlich wie Web Wreck-utation - CanSecWest 2008

Building a web framework: Django's design decisions
Building a web framework: Django's design decisionsBuilding a web framework: Django's design decisions
Building a web framework: Django's design decisionsJacob Kaplan-Moss
 
The Phishing Ecosystem
The Phishing EcosystemThe Phishing Ecosystem
The Phishing Ecosystemamiable_indian
 
Why do THEY want your digital devices?
Why do THEY want your digital devices?Why do THEY want your digital devices?
Why do THEY want your digital devices?ESET
 
Online Reputation Management
Online Reputation ManagementOnline Reputation Management
Online Reputation ManagementBart De Waele
 
Keeping Your Affiliate Program Clean
Keeping Your Affiliate Program CleanKeeping Your Affiliate Program Clean
Keeping Your Affiliate Program CleanAffiliate Summit
 
Alan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketAlan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketYury Chemerkin
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
Online Security and Privacy Issues
Online Security and Privacy IssuesOnline Security and Privacy Issues
Online Security and Privacy Issuesebusinessmantra
 
Protecting Yourself Online
Protecting Yourself OnlineProtecting Yourself Online
Protecting Yourself OnlineGary Wagnon
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC IdentityMarc Littlemore
 
Innovation and Community
Innovation and CommunityInnovation and Community
Innovation and CommunityRobyn Tippins
 
B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2BCamp
 
Capstone It 101 Final
Capstone It 101 FinalCapstone It 101 Final
Capstone It 101 Finalguest745203
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 
2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?Saumil Shah
 
The Death of the Yellow Pages - ROI 2010
The Death of the Yellow Pages - ROI 2010The Death of the Yellow Pages - ROI 2010
The Death of the Yellow Pages - ROI 2010radiusofinfluence
 
글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018
글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018
글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018Amazon Web Services Korea
 

Ähnlich wie Web Wreck-utation - CanSecWest 2008 (20)

Building a web framework: Django's design decisions
Building a web framework: Django's design decisionsBuilding a web framework: Django's design decisions
Building a web framework: Django's design decisions
 
The Phishing Ecosystem
The Phishing EcosystemThe Phishing Ecosystem
The Phishing Ecosystem
 
Why do THEY want your digital devices?
Why do THEY want your digital devices?Why do THEY want your digital devices?
Why do THEY want your digital devices?
 
Online Reputation Management
Online Reputation ManagementOnline Reputation Management
Online Reputation Management
 
Keeping Your Affiliate Program Clean
Keeping Your Affiliate Program CleanKeeping Your Affiliate Program Clean
Keeping Your Affiliate Program Clean
 
Alan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketAlan kakareka. insight into russian black market
Alan kakareka. insight into russian black market
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
Online Security and Privacy Issues
Online Security and Privacy IssuesOnline Security and Privacy Issues
Online Security and Privacy Issues
 
Protecting Yourself Online
Protecting Yourself OnlineProtecting Yourself Online
Protecting Yourself Online
 
Securing Your BBC Identity
Securing Your BBC IdentitySecuring Your BBC Identity
Securing Your BBC Identity
 
Innovation and Community
Innovation and CommunityInnovation and Community
Innovation and Community
 
B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the Inbox
 
Capstone It 101 Final
Capstone It 101 FinalCapstone It 101 Final
Capstone It 101 Final
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
 
018 CYBER SAFETY.pdf
018 CYBER SAFETY.pdf018 CYBER SAFETY.pdf
018 CYBER SAFETY.pdf
 
2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?
 
The Death of the Yellow Pages - ROI 2010
The Death of the Yellow Pages - ROI 2010The Death of the Yellow Pages - ROI 2010
The Death of the Yellow Pages - ROI 2010
 
Ims Gc 2007 V2
Ims Gc 2007 V2Ims Gc 2007 V2
Ims Gc 2007 V2
 
글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018
글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018
글로벌 미디어 고객사의 AWS 활용 사례-워싱턴 포스트 ::지정아::AWS Summit Seoul 2018
 

Mehr von Stephan Chenette

Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 

Mehr von Stephan Chenette (9)

Landing on Jupyter
Landing on JupyterLanding on Jupyter
Landing on Jupyter
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 

Web Wreck-utation - CanSecWest 2008

  • 1. Wreck-utation Dan Hubbard Stephan Chenette Websense Security Labs CanSec 2008
  • 2.
  • 3. Reputation: is the opinion (more technically, a social evaluation) of the public toward a person, a group of people, or an organization. It is an important factor in many fields, such as business, online communities or social status.
  • 4. Reputation: is the opinion (more technically, a social evaluation) of the public toward a person, a group of people, or an organization. It is an important factor in many fields, such as business, online communities or social status. Online Reputation is a factor in any online community where trust is important. Examples include eBay, an auction service which uses a system of customer feedback to publicly rate each member's reputation.
  • 5. Best thing since sliced bread?
  • 6. Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM”
  • 7. Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM” “You are only as good as your reputation”
  • 8. Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM” “You are only as good as your reputation” “Reputation is the next stage in the antivirus evolution”
  • 11. Good *or* Bad Mozilla.org Russian Business Network
  • 14. Good *and* Bad MSNBC Sports MSNBC Sports Stats
  • 17. Good *gone* Bad Super Bowl Site 0wned from China
  • 18. Using Reputation for Security Decisions
  • 19. Using Reputation for Security Decisions Web Reputation Email Reputation Domain Reputation Bonus: Binary Reputation
  • 20. GEO AGE HISTORY LEXICAL REPUTATION NEIGHBORS COUSIN TYPOS TRAFFIC
  • 21. Web Reputation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE
  • 22. Web Reputation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE PHISH, FRAUD, SPAM
  • 23. Web Wreck-utation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE PHISH, FRAUD, SPAM
  • 24. Web Wreck-utation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE HOSTING + REGIONAL + PHISH, COLLATERAL FRAUD, DAMAGE SPAM
  • 25. Web Wreck-utation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE BIG NAME HOSTING + COMPROMISES REGIONAL + PHISH, & SEO COLLATERAL FRAUD, DAMAGE SPAM
  • 26. Web Wreck-utation THE BLOG TAIL THE LONG TAIL TOP CURRENT REGIONAL PERSONAL 100 EVENTS & GENRE & GARBAGE BIG NAME HOSTING + EXPLOIT PHISH, COMPROMISES REGIONAL + 2.0 & SEO COLLATERAL FRAUD, DAMAGE SPAM
  • 28. mysql> SELECT COUNT  FROM vurldb WHERE hostname RLIKE '(.+.)?(googlepages|geocities|yahoo| facebook|myspace|google|live).com' AND category IN ('Malicious Web Sites', 'Spyware', 'Keylogger') AND add_date BETWEEN '2008-02-01' AND '2008-02-29'; mysql> 3032
  • 29. The BLOG TAIL / WEB TWO DOT UH OH
  • 30. The BLOG TAIL / WEB TWO DOT UH OH Blogger: Allows embedded URL’s to malicious code
  • 31. The BLOG TAIL / WEB TWO DOT UH OH Blogger: Allows embedded URL’s to malicious code Calendar + DOCS: allow embedded malicious code
  • 32. The BLOG TAIL / WEB TWO DOT UH OH Blogger: Allows embedded URL’s to malicious code Calendar + DOCS: allow embedded malicious code GooglePages: allows upload of malicious code
  • 33. The BLOG TAIL / WEB TWO DOT UH OH Blogger: Allows embedded URL’s to malicious code Calendar + DOCS: allow embedded malicious code GooglePages: allows upload of malicious code Picasso Albums: allow embedded URL’s to malicious code
  • 34. Using Reputation for Security Decisions
  • 35. What’s the Problem ? The webs most visited sites are increasingly being used to host malicious code Spammers, and malcode groups have wised up to industry use of reputation and are exploiting it > 50% of malicious websites are compromised 70% of top 100 sites rely on user uploaded content Most top sites have poor, if any, input validation
  • 36. eBay input validation eBay is unquestionably one of the most popular websites (high reputation) eBay does some input but not in real-time
  • 37. Seller Reputation We blogged in the past of sellers making their reputation go from 0 to “Power Seller”
  • 38. Seller Reputation We blogged in the past of sellers making their reputation go from 0 to “Power Seller”
  • 39. “make me a power seller” • How did this user accomplish this?
  • 40. Congrats, your have been 0wned
  • 44.
  • 48. Everything has a price! Buying good Reputation
  • 50. IFRAME: Content Injection > 20,000 sites infected today (all had good reputation) ZDNet.com, news.com, history.com, usatoday.com, etc. The list goes on This attack used search engine optimization caching within high reputable sites to cache malicious content
  • 52. IFRAME: Content Injection Attacks are using a bot to automatically search inside Blogdigger search engine. In turn Blogdigger is caching the results.
  • 53. IFRAME: Content Injection IFRAME is able to escape the parent tag
  • 54. IFRAME: Content Injection Unsuspecting user who trust the site is redirected automatically to this PUS site
  • 56. Email Wreck-utation Has been around for a lot longer than Web Reputation Several sender technologies: (SPF, DKIM,SenderID) Reputation systems have helped move the problem
  • 58. Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around
  • 59. Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around Hijack a “good” open relay
  • 60. Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around Hijack a “good” open relay Use a webmail provider like Yahoo!, Gmail, Microsoft
  • 61. Email Wreck-utation Start your own company and add SPF, SenderID, etc records, and move around Hijack a “good” open relay Use a webmail provider like Yahoo!, Gmail, Microsoft Spread wealth to BLOGS (Splogs)
  • 62. Email Wreck-utation “Legit Sender”
  • 64. Email: “Legit” SPF "Theres never been a better time to get a new car" mail.yakdrive.com [67.218.177.112] mail.jadeblond.com [67.218.177.54] mail.routevery.com [67.218.177.53] mail.filterwind.com [67.218.185.50] mail.routevery.com [67.218.177.53] mail.bendton.com [67.218.177.73] mail.wellcometo.com [67.218.185.76] mail.domesell.com [67.218.185.96] mail.smashoot.com [67.218.185.94] mail.arrivespark.com [67.218.185.117] mail.spearmine.com [67.218.185.74] mail.cleanfluff.com [67.218.171.33] mail.thirdground.com [67.218.171.20]
  • 70. Cruel Irony: Google Redirects http://www.google.com/pagead/iclk?sa=3Dl&ai=3DoOfDzh&num= =3D07504&adurl=3Dhttp://visamedicalopinion.com/run.exe
  • 76. Domain Reputation Mostly used for email Some people are re-factoring for Web Domain tasting best example (age) Cousin / Likeliness of other domains used We have something called LexiRep also
  • 78. Domain Wreck-utation Web 80 - 20 rule works against this Compromised sites are not accounted for Domain stealing, acquiring, breaks age and history algorithms DNS spoofing, hacks ,etc Do not account for URL’s, hostnames
  • 79. Application reputation Packer heuristics are commonly used to categorize a malicious binary, because 90% of all malicious binaries are packed. Malicious authors have increasingly started to try to fool application detection engines into thinking the binary in question is not a packed binary.
  • 80. Storm Ecard Application reputation Sections look normal
  • 81. Storm Ecard Application reputation Entry point matches MinGW GCC
  • 82. Storm Ecard Application reputation • Eventually a call to the packed code…
  • 83. Storm Ecard Application reputation How did it do this? There are multiple programs to scramble the true identity…. i.e. DotFix Fake Signer, pseudo signer, etc
  • 85. Conclusion Reputation systems for security are effective in long tail of Internet
  • 86. Conclusion Reputation systems for security are effective in long tail of Internet Reputation can be used with other parts of the equation to make better decisions
  • 87. Conclusion Reputation systems for security are effective in long tail of Internet Reputation can be used with other parts of the equation to make better decisions Web reputation is less affective than email reputation based on the new dynamics of the web, the large numbers of compromised web-sites, and web two dot uh-oh
  • 91. THANKS ! dhubbard | schenette <at>websense.com