Proof-Of-Concept: Signature Based Malware

Detection for Websites and Domain Administrators

- Anant Kochhar

2

Malware /`mæl.weə(ɹ)/

Software developed for the purpose of causing harm to a computer system and its users.

Back Door, Key Logger, Botnet Zombie

3

4

Know them, “Trust” them

5

Drive-By Downloads AKAIFRAME and Script Injections

6

7

8

9

First Wave: Mass SQL Injection

First noticed in late 2007.

Tool based.

Identified vulnerable pages across the internet using search engines.

Sprayed them with SQL injection payloads-• Inserted script injections indiscriminately in all database columns

• Infected data was reflected in dynamic pages

10

Payload

Source: http://www.f-secure.com/weblog/archives/00001427.html

11

Affected Page With Rubbish Data

12

Source: http://www.scmagazineus.com/mass-sql-injection-attack-compromises-70000-websites/article/100497/

Source: http://www.scmagazineus.com/sql-attack-hits-125000-sites/article/159445/

13

Bulk of the spread: Self Propagation

Inserts IFrame/ Script injections in all web pages in the victim’s machine •If victim = website admin, all his websites will be updated with infected pages.

Or steals FTP passwords from victims’ computer and updates the pages directly on the web server.

14

Movies

College

Fashion

Sports

.abc.xyz

15

16

PC Based Security for Malwares

•Source: http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf

17

Movies

College

Fashion

Sports

.abc.xyz

18

19

20

Prevention…

“Process”.

Use linux-based dedicated machines for website administration.

But even the best process cannot be 100% effective because…

21

Indirect Risks:The Legitimate can also

becomes Dangerous

All internal and external users of the “clean” site A are also at risk now.

22

Accept the risk… the Alternative: Fast Detection and Quick Remedy

1. Contain the spread of infection.

2. Protect reputation of the website.

23

Detection Part 1:

Detect ALL External Sites Linking from your websites

24

2 Methods

Internal Scans- Scanners that reside in the web server and scan all web pages for external links.

External Scans- Crawlers, not residing in the web server, that will scan all pages from the internet.

25

Internal Scans

ProsWill be exhaustive and will scan pages behind authentication.

ConsWill affect web server performance and can even crash the server.

26

External Scans

ProsCan be run as often as possible.

Has virtually no affect on the web server.

ConsWill depend on network conditions.

Breadth and the Depth of the scan may not be exhaustive.

27

The Scanner Must:

Detect and list all external sites in a website.

Ideally NOT visit any external websites• Because it may put the system at risk.

28

Detection Part 2:

Detecting malware spreading sites in the list of external sites.

29

Behavior Analysis Detection ModelVisit the external site

Download suspected malware

Analyze it

And determine if it is malware or not.

30

fashion.abc.xyz

efg.xyz

•Iframe redirection•Malware

•Legitimate

•Dynamic Scan

31

Behavior Analysis

Expensive- requires a dedicated setup.

Slow- takes time to analyze all codes downloaded from external websites.

Newer malwares are designed to fool it- delayed activation etc.

Will not detect infected ‘site B’

32

Signature Based Detection Model

Downloads signatures of malware infected sites.

Compares the list of external sites to the signatures.

33

•Multi Sourced Signatures

•List of external sites.

•Positive Matches

34

Signature Based

Cheap- can be done on any machine.

Several “freely” available sources of signatures.

Fast- comparison takes a fraction of the time.

Safe- malware is not downloaded on the machine.

Will detect infected ‘site B’.

35

Final Model

External Scanner/ crawler that will continuously scan the entire domain for external sites.

At least 2 sources of signatures. Update as frequently as possible.

36

Ideally…

Crawl time > Signature update time.

On every signature update, the list of external site from (n-1)th crawl should be used for full comparison.

37

On A Positive Match

Immediately remove the malware site link from the infected page.

Run AV and malware detection scans on the affected server.

Or quarantine suspected computers…

Change FTP password.

38

•Multi Sourced Signatures

•List of external sites.

•Positive Matches

•Continuous Crawl

•Compare

39

Thank you

anant.kochhar@secureyes.net