Introducing Malware Script Detector
Introducing The Malware Script Detector (MSD)
By d0ubl3_h3lix
http://yehg.net
Tue Feb 19 2008
Agenda
• Counter Strategy
• Overview
• XSS Coverage
• Versioning Info
• Standalone MSD
• Detection Screenshots
• Why MSD?
• Weaknesses
Counter Strategy
• Using the power of JavaScript, Malware Script Detector detects JavaScript malware that itself uses the power of JavaScript
Overview
• Runs on Gecko browsers (Firefox, Flock, Netscape, etc.)
• GreaseMonkey addon needed
• Acts as a browser IDS
• Intended for web client security
• Recommended for every web surfer
• Please don’t underestimate MSD because its source code looks so simple
Overview (Cont.)
• Coded mainly to detect today’s popular and powerful malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF
• Version 2 was enhanced to prevent most XSS threats and includes XSS attack blacklists based on the Firefox XSS-Warning addon
XSS Coverage
MSD was coded to detect the following XSS exploitation areas:
• data: protocol exploitation, such as:
- data:image/gif
- data:text/javascript
- data:text/html
• jar: protocol exploitation
• file: protocol exploitation by locally saved malicious web pages
XSS Coverage
• Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, telnet:, res:, x-gadget: (MS Vista), call: (VoIP), aim:, etc.
• Unicode injection
• UTF-7, null-byte (\00) and backslash injection (u\r\l), comment star-slash injection (/* */), escape injection like \u00, \x00, etc.
XSS Coverage
• MSD was thoroughly tested with:
- RSnake’s XSS CheatSheet
- XSS-ME addon attack list
- Dabbledb.com’s Xssdb list
- CAL9000 XSS list
Versioning Info
GreaseMonkey Version
• Main objective: alert users to XSS attacks
• Must be installed by users
• Requires Gecko browser + GreaseMonkey addon
• Version 1 – Detect malware scripts
• Version 2 – Detect malware scripts + prevailing XSS
Versioning Info
Standalone Version
• Main objective: alert users & webmasters to XSS attacks
• Must be deployed by web developers
• Browser-independent
• No need to check whether users have the GreaseMonkey version
• Version 1 – Detect malware scripts + prevailing XSS
Standalone MSD
• Standalone version was created as a single .js file for web developers
• To embed in their footer files
• To notify both visitors and webmasters of XSS injection attempts & attacks
• Browser-independent, unlike the GreaseMonkey script version
• Intended for web application security as a portable, lightweight solution
Detection Screenshots
Why MSD?
• XSS payloads like:
http://victim/?q="><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx… etc.
Why MSD? (Cont.)
• Are NEVER DETECTED by web server-level firewalls/IDS/IPS
• Because the code is executed entirely in the client’s browser: the part of the URL after # (the fragment) is never sent to the server, so the server never sees the real payload
Why MSD? (Cont.)
• Malicious sites intentionally embed malicious JavaScript attack frameworks
• Bad guys 0wn web server boxes and secretly install those attack frameworks as web backdoors or trojans to abuse users
Why MSD? (Cont.)
• There is no way to detect such malware scripts unless we inspect the HTML source code
• Disabling JavaScript, using NoScript/VMware, or always inspecting source code are not effective solutions in most cases
• Given the scenarios above, MSD becomes a useful solution for us
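As an added illustration (not MSD’s own code, which is not reproduced here), a small client-side URL checker in the spirit of the XSS coverage list and the fragment-carried payload above: it inspects the whole URL, including the part after #, which the browser never sends to the server, and reports which categories matched and where. The pattern set, the check names and the decoding step are assumptions of this example.

```javascript
// Added example, not MSD's own code: a client-side URL checker in the spirit
// of the GreaseMonkey version. It looks at the whole URL, including the part
// after '#', which the browser never sends to the server, so a server-side
// WAF/IDS cannot see a payload staged there. Pattern set is an assumption.
const XSS_CHECKS = [
  // protocol-handler abuse from the "XSS Coverage" list
  { name: "dangerous-protocol",
    re: /\b(?:data|jar|file|vbscript|livescript|mocha|res|javascript):/i },
  // inline script injection
  { name: "script-tag", re: /<\s*\/?\s*script\b/i },
  // event-handler injection; deliberately broad, so "?one=1" also fires
  // (the false-alert problem noted under "Weaknesses")
  { name: "event-handler", re: /\bon[a-z]+\s*=/i },
  // encoded or obfuscated injection: UTF-7, null bytes, \u00xx / \xNN escapes
  { name: "utf7", re: /\+ADw-|\+AD4-/i },
  { name: "null-byte", re: /%00|\\00|\\x00|\\u0000/i },
  { name: "escape-sequence", re: /\\u00[0-9a-f]{2}|\\x[0-9a-f]{2}/i },
  // comment-based filter evasion (/* */)
  { name: "comment-injection", re: /\/\*[\s\S]*?\*\// },
  // payload staged in the fragment, e.g. eval(location.hash.substr(1))
  { name: "hash-eval", re: /eval\s*\(\s*(?:window\.)?location\.hash/i },
];

// Percent-decode once; keep the raw string if the encoding is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Names of every check that matches the raw or the decoded URL.
function inspectUrl(url) {
  const decoded = safeDecode(url);
  const hits = new Set();
  for (const { name, re } of XSS_CHECKS) {
    if (re.test(url) || re.test(decoded)) hits.add(name);
  }
  return [...hits];
}

// Split the URL into what the server receives and the fragment it never sees,
// so an alert can say where the payload was hidden.
function locatePayload(url) {
  const i = url.indexOf("#");
  const serverSide = i === -1 ? url : url.slice(0, i);
  const fragment = i === -1 ? "" : url.slice(i + 1);
  return { serverSide: inspectUrl(serverSide), fragmentOnly: inspectUrl(fragment) };
}
```

In a userscript this would run as `locatePayload(location.href)` on page load; the "?one=1" hit shows why the blacklist needs regular tuning, as the Weaknesses slide warns.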
Oh, But …
Weaknesses
• Doesn’t check POST/cookie variables
• No guarantee of full protection against XSS
• Many ways to bypass MSD
• XSS filtering needs to be updated regularly, and extensive filtering may cause false alerts and much annoyance to users
Where Can I Get It?
Check under the Tools section:
http://yehg.net/lab/#tools.greasemonkey
If you wish to contribute, there is a smoketest page.
Insert your own XSS payload to defeat MSD.
Notify me whenever new attack frameworks are created
Special Thanks
Goes to
Mario, http://php-ids.org
Secgeek, http://www.secgeeks.com
Andres Riancho, http://w3af.sf.net
For encouragement and suggestions
Thank you!