Web Browser Attacks: Summer 2006 Threat Landscape
Lenny Zeltser
July 25, 2006
Copyright © 2006 Lenny Zeltser. All rights reserved.
The browser is becoming a universal platform for important transactions.
Protecting the web browser is critical to ensuring security of transactions.
Attackers use the web browser as a gateway for application-level attacks.
Understand browser threats to establish an effective defense strategy.
Let’s group browser-oriented attacks in three general categories.
#1: Website to personal computer
#2: Personal computer to website
#3: Website to website
#1: A malicious site compromising the PC via the browser
(Diagram: Website → Browser → Personal Computer)
An ad on MySpace installed adware on up to 1 million PCs.
According to Hitwise, MySpace is the Web’s most popular destination.
(Website market share chart by Hitwise: visits to Google.com vs. visits to MySpace.com)
The PopupSh ActiveX Control has operated for about one month.
Screenshot on right by Michael La Pilla via Security Fix: the adware control panel.
Total installations: 1076640
Installations per month: 1075346
Installations per day: 135
Installations per hour: 8
Installations: 474
The WMF exploit and the patch have been available for 7 months.
WebAttacker automates the creation of malicious websites.
A control panel lets the operator monitor campaign effectiveness.
The malicious site attack often includes three components.
Exploit
Payload
Dropper
#2: Malware on the PC compromising website interactions via the browser
(Diagram: Personal Computer → Browser → Website)
A spoofed E-Gold email encouraged the recipient to open the attachment.
The dropper downloaded a program that spied on E-Gold transactions.
URL details courtesy of Trend Micro:
https://www.e-gold.com/acct/
https://www.e-gold.com/acct/spend.asp
https://www.e-gold.com/acct/verify.asp
Another spyware spread via spoofed email targeted banking credentials.
From: "Spysoftcentral Team" <[email protected]>
Subject: Order Approval Notification
*******************************************************
SPY DOCTOR / Order : DD269901/
*******************************************************
This e-mail was generated by a mail handling system.
Please do not reply to the address listed in the "From"
field. Please read the CUSTOMER SERVICE section for
answers to your questions.
*******************************************************
Dear Madame/Sir,
Thank you for your order. Spysoftcentral processes
orders and collects payments on behalf of PC Tools.
...
The dropper tweaked Windows firewall settings before downloading the spyware.
A powerful Sdbot variant had worm, backdoor and spyware capabilities.
Text file “devenv.dll” contained a log of the day’s activity.
#3: A malicious site compromising website interactions via the browser
(Diagram: Website → Browser → Website)
A worm spread through MySpace via embedded Flash objects.
A Flash object in a person’s profile redirected to another MySpace page.
ActionScript in redirect.swf:
getURL("http://editprofile.myspace.com/index.cfm?fuseaction=blog.view&friendID=94634371&blogID=143876075", "_self");
ActionScript above from kinematictheory.phpnet.us
The malicious page embedded the worm in the victim’s profile.
MySpace has disabled network access from embedded Flash objects.
allowNetworking="internal"
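As an added example (not code from the slides or from MySpace), this is how a site could enforce that setting on user-supplied markup: every embedded Flash object is re-serialised with allowNetworking forced to "internal", so a profile's SWF cannot issue the getURL redirect shown earlier. The sample profile markup is constructed; handling of the equivalent object/param form is analogous and omitted.

```python
from html import escape
from html.parser import HTMLParser

FORCED_EMBED_ATTRS = {"allownetworking": "internal"}  # the setting MySpace applied

class EmbedRewriter(HTMLParser):
    """Re-serialise HTML, forcing allowNetworking="internal" on every <embed>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # re-serialised fragments
        self.rewritten = 0   # embeds whose networking setting had to change

    @staticmethod
    def _tag(name, attrs, self_closing=False):
        parts = [name] + [k if v is None else f'{k}="{escape(v, quote=True)}"'
                          for k, v in attrs]
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def _fix(self, tag, attrs):
        if tag != "embed":
            return attrs
        merged = dict(attrs)  # html.parser already lower-cases attribute names
        if merged.get("allownetworking") != "internal":
            self.rewritten += 1
        merged.update(FORCED_EMBED_ATTRS)
        return list(merged.items())

    # Both <embed ...> and <embed ... /> forms are rewritten.
    def handle_starttag(self, tag, attrs):
        self.out.append(self._tag(tag, self._fix(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._tag(tag, self._fix(tag, attrs), True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):  # parser already unescaped it; re-escape
        self.out.append(escape(data, quote=False))

def lock_down_embeds(fragment):
    """Return (rewritten_html, number_of_embeds_changed)."""
    parser = EmbedRewriter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.rewritten

SAMPLE = (  # constructed profile markup: one open embed, one already restricted
    '<p>My profile &amp; friends</p>'
    '<embed src="http://example.invalid/redirect.swf" allowNetworking="all" />'
    '<embed src="ok.swf" allowNetworking="internal"></embed>')
```

Calling lock_down_embeds(SAMPLE) returns the rewritten fragment and 1, the number of embeds whose setting had to be changed.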
An XSS flaw on the PayPal website fueled a powerful phishing campaign.
The spoofed page seemed to reside on www.paypal.com.
Screenshot by Netcraft
The exploit may have been active for two years before it got fixed.
If the email address of the account you are donating to has the following message on the donation page:
‘This recipient is currently unable to receive money.’
You can exploit this flaw by replacing the currency value in the donation form with a "> followed by any html you wish to execute.
Exploit by “e_D”
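An added illustration of the flaw class described above, not code from the slides or from PayPal: the form template, the currency allowlist and the probe value are all constructed. The vulnerable renderer reflects the submitted currency straight into an HTML attribute, so a value that opens with "> closes the attribute and the tag; the hardened renderer allowlists the value and escapes it for the attribute context. The injected_tags check shows how a reviewer can confirm which version lets new markup through.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}  # constructed allowlist

# Hypothetical donation form; the real PayPal markup is not on the slides.
TEMPLATE = ('<form action="/donate" method="post">'
            '<input type="hidden" name="currency" value="{currency}">'
            '<input type="submit" value="Donate"></form>')


def render_vulnerable(currency):
    """Reflects the value into the attribute unescaped: a value starting with
    "> terminates the attribute and the tag, so what follows becomes markup."""
    return TEMPLATE.format(currency=currency)


def render_hardened(currency):
    """Allowlist the value first, then escape for the attribute context anyway
    (defence in depth: the escaping alone would already neutralise ">)."""
    if currency not in ALLOWED_CURRENCIES:
        raise ValueError("unsupported currency")
    return TEMPLATE.format(currency=escape(currency, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag a browser would see in the rendered form."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered):
    """Start tags beyond the form and inputs the template legitimately emits;
    anything listed here means the reflected value broke out of its attribute."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return [t for t in collector.tags if t not in ("form", "input")]


# Constructed probe: harmless bold markup standing in for the "> trick.
PROBE = '"><b>injected</b>'
```

injected_tags(render_vulnerable(PROBE)) reports ['b'], while the escaped form of the same value yields no extra tags and render_hardened rejects it outright.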
Many other websites have similar XSS vulnerabilities.
An XSS hole was found on visa.com; it’s now fixed.
Screenshot by Lance James via Security Fix
An XSS hole was found on Microsoft; it’s now fixed.
Screenshot by Lance James via Security Fix
Consider the 3 categories when devising a browser defense strategy.
#1: Website to personal computer
#2: Personal computer to website
#3: Website to website
Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com