1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically...
-
Upload
alfred-burke -
Category
Documents
-
view
217 -
download
2
Transcript of 1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically...
11
All Your iFRAMEs Point to Us
All Your iFRAMEs Point to Us
Mike BurryMike Burry
22
Drive-by downloadsDrive-by downloads
•Malicious code (typically Javascript)
•Downloaded without user interaction (automatic), just by visiting malicious URL.
•Executable(s) downloaded to client machine without visitors’ knowledge & installed
•Unpatched, vulnerable browsers or plugins
•Traditional defenses are powerless (firewalls, proxies, dynamic addressing) - pull-based
•Malicious code (typically Javascript)
•Downloaded without user interaction (automatic), just by visiting malicious URL.
•Executable(s) downloaded to client machine without visitors’ knowledge & installed
•Unpatched, vulnerable browsers or plugins
•Traditional defenses are powerless (firewalls, proxies, dynamic addressing) - pull-based
33
‘Malicious’ websites are typically victims too
‘Malicious’ websites are typically victims too
•Vulnerable scripting applications (phpBB2) allow direct access to O/S and its web server(s)
• Inject new content via invisible HTML components (0 pixel iFRAME)
•Visitor contributed content (forum, blog) - very dangerous - no web server compromise needed
• ALWAYS sanitize user input!
•Malicious content is typically hosted elsewhere (distribution site)
•Vulnerable scripting applications (phpBB2) allow direct access to O/S and its web server(s)
• Inject new content via invisible HTML components (0 pixel iFRAME)
•Visitor contributed content (forum, blog) - very dangerous - no web server compromise needed
• ALWAYS sanitize user input!
•Malicious content is typically hosted elsewhere (distribution site)
44
Infection ProcessInfection Process
•Visit malicious URL
•Initial exploit script (via iFRAME) downloaded
•Script targets browser or plugin vulnerability
•Exploit results in browser connecting to malware distribution site (typically on different host) to retrieve executable(s).
•Executable is installed on infected system
•Visit malicious URL
•Initial exploit script (via iFRAME) downloaded
•Script targets browser or plugin vulnerability
•Exploit results in browser connecting to malware distribution site (typically on different host) to retrieve executable(s).
•Executable is installed on infected system
55
Avoiding DetectionAvoiding Detection
•Hidden from view on website (iFRAME)
•Javascript obfuscation
•Multiple redirections before contacting malware distribution site
•Hidden from view on website (iFRAME)
•Javascript obfuscation
•Multiple redirections before contacting malware distribution site
66
Scanning/Verification Process
Scanning/Verification Process
•Large honeynet simultaneously runs many MS Windows VM’s
• Each running unpatched IE instances
•Combination of:• Execution based heuristics
• run for ~2 minutes - monitor: file system / processes / registry
• Anti-virus engines to check HTTP responses
• A score is assigned to all URLs & threshold set
•Large honeynet simultaneously runs many MS Windows VM’s
• Each running unpatched IE instances
•Combination of:• Execution based heuristics
• run for ~2 minutes - monitor: file system / processes / registry
• Anti-virus engines to check HTTP responses
• A score is assigned to all URLs & threshold set
77
How Common are D-BD’s?
How Common are D-BD’s?
Data collection period Jan - Oct 2007 (10 months)
Total URLs checked (in-depth)
66,534,330
Unique suspicious URLs 3,385,889
Unique malicious URLs 3,417,590
Unique malicious sites 181,699
Unique distribution sites 9,340
*Malicious: meets threshold AND one of the incoming HTTP responses is marked as malicious by at least one anti-virus scanner
*Suspicious: meets threshold BUT none of the incoming HTTP responses are marked as malicious by any anti-virus scanner
approx. 1 million URLs daily / 25k flagged as maliciousapprox. 1 million URLs daily / 25k flagged as malicious
88
Potential Impact on End-User
Potential Impact on End-User
•Nearly 1.3% of Google’s search queries return at least one malicious result
• About 0.6% of the top million URLs that appeared most frequently in Google's search results led to exposure of malicious activity at some point.
•“Gray content” (Adult) sites have a higher risk (0.6+% vs 0.2-0.35%) -- 2-3 times more common.
•Other functional categories on the Web have about equal distribution
• “Safe browsing” helps, but is not an effective safeguard
•Nearly 1.3% of Google’s search queries return at least one malicious result
• About 0.6% of the top million URLs that appeared most frequently in Google's search results led to exposure of malicious activity at some point.
•“Gray content” (Adult) sites have a higher risk (0.6+% vs 0.2-0.35%) -- 2-3 times more common.
•Other functional categories on the Web have about equal distribution
• “Safe browsing” helps, but is not an effective safeguard
99
Geography of Malicious Sites
Geography of Malicious Sites
•96% of landing sites in China point to malware distribution servers located in same country
•Remaining distribution/landing sites (~10%) spread out across globe
•96% of landing sites in China point to malware distribution servers located in same country
•Remaining distribution/landing sites (~10%) spread out across globe
Distribution. Sitehosting country
% of all distribution sites
Landing site hosting country
% of all landing sites
China 67% China 64.4%
US 15% US 15.6%
Russia 4% Russia 5.6%
Malaysia 2% Korea 2%
Korea 2% Germany 2%
1010
Web Server SoftwareWeb Server Software
•A significant # of landing sites are running outdated software with well known vulnerabilities.
• 38% of Apache servers had known vulnerabilities
• 40% of servers with PHP support had known vulnerabilities
•A significant # of landing sites are running outdated software with well known vulnerabilities.
• 38% of Apache servers had known vulnerabilities
• 40% of servers with PHP support had known vulnerabilities
1111
Ad SyndicationAd Syndication•Majority of Web advertisements are distributed
in the form of 3rd party content (Ad syndication)
•A web page is only as secure as its weakest component
• A “secure” site with insecure ads is insecure
•2% of landing pages delivered malware via ads
• 75% of these landing pages use multiple levels of syndication
•Ads appear on 1,000’s of websites instantaneously
• Very easy way to inject content to large visitor base without need to compromise any web server. Large impact, but short lived.
•Majority of Web advertisements are distributed in the form of 3rd party content (Ad syndication)
•A web page is only as secure as its weakest component
• A “secure” site with insecure ads is insecure
•2% of landing pages delivered malware via ads
• 75% of these landing pages use multiple levels of syndication
•Ads appear on 1,000’s of websites instantaneously
• Very easy way to inject content to large visitor base without need to compromise any web server. Large impact, but short lived.
1212
Distribution NetworksDistribution Networks
•Distribution Network = all the landing sites which point to a single distribution site
•Vast majority were subdomains on free hosting services or short-lived domains created in bulk
•Networks range from sizes of 1 to over 21,000
• 45% have only 1 landing site
• Is this to avoid detection?
•Distribution Network = all the landing sites which point to a single distribution site
•Vast majority were subdomains on free hosting services or short-lived domains created in bulk
•Networks range from sizes of 1 to over 21,000
• 45% have only 1 landing site
• Is this to avoid detection?
1313
Distribution Networks (cont.)
Distribution Networks (cont.)
•42% deliver only a single malware binary, while 3% had over 100.
•80% of networks share at least 1 landing page
• Several landing pages have multiple iFRAMES to different distribution sites
• Easy targets?
•42% deliver only a single malware binary, while 3% had over 100.
•80% of networks share at least 1 landing page
• Several landing pages have multiple iFRAMES to different distribution sites
• Easy targets?
1414
Post Infection ImpactPost Infection Impact
•On average, 8 downloads occur
• Up to 60 downloads has been observed
•Increase in # of running processes on VM
•58% of landing pages caused registry changes
•On average, 8 downloads occur
• Up to 60 downloads has been observed
•Increase in # of running processes on VM
•58% of landing pages caused registry changesCategory BHO Preferences Security Startup
URL % 7% 24% 36% 51%
*BHO: Browser Helper Object (privileged state)*BHO: Browser Helper Object (privileged state)*Preferences: Homepage / search engine / name server changes*Preferences: Homepage / search engine / name server changes*Security: Firewall settings / disable automatic updates*Security: Firewall settings / disable automatic updates*Startup: Persist across reboots*Startup: Persist across reboots
1515
Post Infection Impact (cont.)
Post Infection Impact (cont.)
•Network activity
• 87%: HTTP (ports 80 & 8080) due to binary downloads
• 8.3%: IRC (6660 - 7001) account for more than 50% of all non-HTTP traffic. Most likely adding to botnet.
• < 1 %: FTP (21), UPnP (1900), Mail (25)
• 2.25%: Other ports combined
•Network activity
• 87%: HTTP (ports 80 & 8080) due to binary downloads
• 8.3%: IRC (6660 - 7001) account for more than 50% of all non-HTTP traffic. Most likely adding to botnet.
• < 1 %: FTP (21), UPnP (1900), Mail (25)
• 2.25%: Other ports combined
1616
Anti-Virus Detection Rates
Anti-Virus Detection Rates
•The best AV engine tested (out of 3) successfully detected an average of 70% of malware.
•The worst AV engine detected approx. 25%.
•The best AV engine tested (out of 3) successfully detected an average of 70% of malware.
•The worst AV engine detected approx. 25%.