SlideShare una empresa de Scribd logo

Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exploits

Aditya K Sood
Aditya K Sood
Tecnología
1 de 27
Browser Exploit Packs Exploitation Paradigm (Tactics) Death by Bundled Exploits Virus Bulletin 2011 - Conference 5-7th October, 2011 Barcelona, Spain Aditya K Sood | Richard J Enbody SecNiche Security | Department of Computer Science and Engineering Michigan State University
About Us  Aditya K Sood ─ Founder , SecNiche Security ● Independent Security Consultant, Researcher and Practitioner ● Worked previously for Armorize, Coseinc and KPMG ● Active Speaker at Security conferences ● Written Content – ISSA/ISACA/CrossTalk/HITB/Hakin9/Elsevier NES|CFS ● LinkedIn : http://www.linkedin.com/in/adityaks | @AdityaKSood ● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com ─ PhD Candidate at Michigan State University  Dr. Richard J Enbody ─ Associate Professor, CSE, Michigan State University ● Since 1987, teaching computer architecture/ computer security / mathematics ● Website: http://www.cse.msu.edu/~enbody ─ Co-Author CS1 Python book, The Practice of Computing using Python. ─ Patents Pending – Hardware Buffer Overflow Protection 2
Agenda  Underground Malware Economy  Browser Design Agility ─ Browser Malware Taxonomy  Experimental Design  Browser Framework Components  Exploitation Tactics ─ Inbuilt + Attacker Driven  Conclusion 3
Underground Malware Economy © GDATA 4
Browser Design Agility  Browsers Robust Design ─ Vulnerabilities ● Inherent component based design flaws ● Security issues present browser components – Exploitable to give complete access to system – Remember, JavaScript heap spraying ─ Three Layer Model ● Browser extensibility model – Add-ons (NoScript) ● Browser interoperability model – Plugins such as Adobe, Flash ● Browser as a Software – Browser executables (firefox.exe, iexplorer.exe) – Required dynamic link libraries Note: Malware can impact any of the three layers as presented 5
Browser Malware Anatomy Bundled Exploits Vulnerability Exploited Malware Hazard 6
Browser Malware Taxonomy Class B Class C Class A 7
Browser Exploit Packs – Viola ! 8
Experiments Conducted  Target – BlackHole BEP + Phoenix BEP ─ Targets were selected using public available database – Malware Domain List (MDM) and Clean MX – Apart from these, we choose targets from forums ─ Malware Hunting – Web application vulnerability analysis – Penetration testing of malware domains – Traffic analysis ─ Performed Tests and Extracted Results ● Tests conducted – Complete analysis of BlackHole BEP and inherent design – Reverse engineering, deobfuscation, decoding and penetration testing ● Extracted Results – Web environments that favor BlackHole – Techniques and tactics (Generalizing the Infection Strategies) Note: Research Paper – Concentrated more on BlackHole BEP. 9
BEP Framework and Components  BEP Framework ─ A complete set of bundled exploits and management interface ● Configuration files ● JavaScript files for fingerprinting the browser environment ● plugin.js , min.js , jquery.js ─ Sibling software in use ● MAX Mind Geo Location Library is used extensively ● Traffic stats with geographical locations ● Capturing data based on IP addresses ● A legitimate open source library for collecting traffic statistics ● PHP ION Cube Encoder ● Almost all the BEP frameworks utilize this PHP encoder ● Make the analysis real hard as it is damn hard to decode it 10
BEP’s & Botnets Collaboration  Is This True Artifact? ─ Yes it is. – BEP’s are used in conjunction with botnets – On successful exploitation, bot is dropped into victim machine – Harnessing the power of two different frameworks to deliver malware – Some traces have been seen of ZEUS (Botnet) + BlackHole (BEP) 11
BEP’s – Tactical Infections Techniques and Tactics (Inbuilt + Attacker Driven) 12
Dedicated Spidering  Dedicated Spidering ─ Target specific information gathering – Unavoidable part of Advanced Persistent Threats (APT) attacks – It can be transformed into a remote scanning engine » Detecting website insecurities and vulnerabilities – Spidering modules are collaboratively used with BEP’s » A custom code used by attacker for attacking specific websites to gather information » Example:- BEP implements blacklisting approach 13
Dynamic Iframe Generators  Dynamic Iframe Generators ─ Exploiting technique used to infect virtual hosts ● Typically used for injecting iframes in large number of websites ● Traffic infection – Iframes point to BEP’s are loaded – 1000 websites infection  1000 BEP’s serving exploit (Mass Exploitation) – BEP is hosted on the main server  infected hosts point to the source ● BEP’s are mostly loaded with obfuscated iframes Decoded Encoded 14
Exploit Obfuscation / Encoding  Exploit Obfuscation ● Exploits are obfuscated to bypass the detection mechanisms ● Reverse encoding, string concatenation and randomization ● Interpreted as an exact exploit when rendered in the browser 15
Exploit Obfuscation / Encoding  BEP Framework Encoding ─ All the exploit framework files are encoded ● Most of the BEPs are designed in PHP. ● Encodes all the exploits in a robust manner (efficient code protection) – All PHP files in BEP’s are encoded except configuration file – No restoration of compiled files back to source level. » Protection is applied at compilation time – Encoded files have digital signatures. – MAC protection enabled. Encoding Layer {n} ● Exploit detection becomes hard Encoding Layer { … } Encoding Layer {2} Encoding Layer {1} Optimized compiled Byte codes 16
BEP Encoding – Example  Java Skyline Exploit - Layout 17
User Agent Based Fingerprinting 18
IP Logging Detection Trick (IPLDT)  What it is all about? ─ Hampering the analysis process – Exploit is served only once a time to the required IP – BEP uses GeoLocation PHP library to keep a track of IP addresses – Dual infection process using Content Delivery Networks (CDN’s) – Appropriate check is performed before serving exploit » If IP is already served no more exploits are delivered » In other terms, no more infection to the specific IP address 19
Blacklisting – Anti Detection  Blacklisting ─ Technique to prevent tracing of malware domain by analysts – Non legitimate usage of blacklisting approach – It serves very well for BEP’s. – Explicit declaration of domain names in the panel (file listing also provided) » Anti detection and no exploit serving ( dual layer in addition to IPLDT) 20
Dynamic Storage and Mutex  Dynamic Storage and Mutex ─ Managing the incoming connects – Looks for the particular IP address to verify the number of requests – Tracking the incoming requests and cookie tracking (Mutex implementation) – Primarily, avoid serving the duplicate exploits to the same machine » Implements the concept of worker thread when exploit is served » Efficient way of serving exploits through HTTP » Filter the victim information so that appropriate content should be served ─ Wait, till the full exploit is sent to the victim browser – Drive by Downloads 21
Polymorphic Shellcodes  Polymorphic Shellcodes ─ Polymorphism provides multiple way to bypass detection mechanisms ● Self decrypting routines are available – On successful exploitation, encrypted malware decrypts itself in the system – Encryption provides random entry points that bypass the detection modules – Heavily used to bypass intrusion detection systems – Provides multiple code execution points ─ Exploit in BEP’s : shellcodes are polymorphic in nature 22
Generic - Shellcode Unwrapping 23
Conclusion ─ BEP - Efficient way of serving malware ─ Collaborates very well with third generation botnets ─ Hard to design a protection solution because ● It exploits the default design of browsers ─ Hyperlinks/ URL verification is the best solution at present. ─ Its good to hunt malware for educational purposes  24
References ─ HITB - Exploiting Web Virtual Hosting – Malware Infections ● http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf ─ Virus Bulletin – Browser Malware Taxonomy ● http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser- malware-taxonomy ─ BruCon Hacking Conference – Botnets and Browsers ● http://www.slideshare.net/adityaks/brucon-brussels-2011-hacking-conference- botnets-and-browsers-brothers-in-the-ghost-shell ─ Hack In The Box Conference – Spying on SpyEye ● http://www.slideshare.net/adityaks/spying-on-spyeye-what-lies-beneath ─ OWASP App Sec – Hunting Web Malware ● http://www.appsecusa.org/talks.html#goodhacker 25
Questions ? 26
Thanks  SecNiche Security Labs ─ http://www.secniche.org  Computer Science Department, Michigan State University ─ http://www.cse.msu.edu  Virus Bulletin 2011 ─ http://www.virustbn.com 27

Recomendados

Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
PRIMERAS JORNADAS TÉCNICAS DE CAPACITACIÓN EN TRAZABILIDAD PARA PRODUCTORES
PRIMERAS JORNADAS TÉCNICAS DE CAPACITACIÓN EN TRAZABILIDAD PARA PRODUCTORESPRIMERAS JORNADAS TÉCNICAS DE CAPACITACIÓN EN TRAZABILIDAD PARA PRODUCTORES
PRIMERAS JORNADAS TÉCNICAS DE CAPACITACIÓN EN TRAZABILIDAD PARA PRODUCTORES
Hugo Estavillo
 
Masters Thesis on Ethical Hacking Sagar - MISCU
Masters Thesis on Ethical Hacking Sagar - MISCUMasters Thesis on Ethical Hacking Sagar - MISCU
Masters Thesis on Ethical Hacking Sagar - MISCU
Sagar
 
Hacking With Sql Injection Exposed - A Research Thesis
Hacking With Sql Injection Exposed - A Research ThesisHacking With Sql Injection Exposed - A Research Thesis
Hacking With Sql Injection Exposed - A Research Thesis
corbanmiferreira
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Aditya K Sood
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
Aditya K Sood
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
Aditya K Sood
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 

Recomendados

Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
PRIMERAS JORNADAS TÉCNICAS DE CAPACITACIÓN EN TRAZABILIDAD PARA PRODUCTORES
PRIMERAS JORNADAS TÉCNICAS DE CAPACITACIÓN EN TRAZABILIDAD PARA PRODUCTORESPRIMERAS JORNADAS TÉCNICAS DE CAPACITACIÓN EN TRAZABILIDAD PARA PRODUCTORES
PRIMERAS JORNADAS TÉCNICAS DE CAPACITACIÓN EN TRAZABILIDAD PARA PRODUCTORES
Hugo Estavillo
 
Masters Thesis on Ethical Hacking Sagar - MISCU
Masters Thesis on Ethical Hacking Sagar - MISCUMasters Thesis on Ethical Hacking Sagar - MISCU
Masters Thesis on Ethical Hacking Sagar - MISCU
Sagar
 
Hacking With Sql Injection Exposed - A Research Thesis
Hacking With Sql Injection Exposed - A Research ThesisHacking With Sql Injection Exposed - A Research Thesis
Hacking With Sql Injection Exposed - A Research Thesis
corbanmiferreira
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Aditya K Sood
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
Aditya K Sood
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
Aditya K Sood
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
Aditya K Sood
 
Inspection of Windows Phone applications
Inspection of Windows Phone applicationsInspection of Windows Phone applications
Inspection of Windows Phone applications
Andrey Chasovskikh
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Aditya K Sood
 
Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007
ClubHack
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
guest66dc5f
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
Rahul Mohandas
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
ch0psticks
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
Anusha Chavan
 
MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008
Ali Ikinci
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
Sunghun Kim
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
Stephan Chenette
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Stephan Chenette
 
Dmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI IntroDmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI Intro
DefconRussia
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Maksim Shudrak
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Synopsys Software Integrity Group
 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware Alive
FFRI, Inc.
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
Stephan Chenette
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
hakersinfo
 
Deep Dive into WinRT
Deep Dive into WinRTDeep Dive into WinRT
Deep Dive into WinRT
Sasha Goldshtein
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
Aditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
Aditya K Sood
 

Más contenido relacionado

Similar a Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exploits

BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
Aditya K Sood
 
Inspection of Windows Phone applications
Inspection of Windows Phone applicationsInspection of Windows Phone applications
Inspection of Windows Phone applications
Andrey Chasovskikh
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Aditya K Sood
 
Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007
ClubHack
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
guest66dc5f
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
ch0psticks
 
MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008
Ali Ikinci
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
Sunghun Kim
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Stephan Chenette
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Maksim Shudrak
 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware Alive
FFRI, Inc.
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
Stephan Chenette
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
hakersinfo
 

Similar a Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exploits (20)

BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
 
Inspection of Windows Phone applications
Inspection of Windows Phone applicationsInspection of Windows Phone applications
Inspection of Windows Phone applications
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
 
MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
 
Dmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI IntroDmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI Intro
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware Alive
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
 
Deep Dive into WinRT
Deep Dive into WinRTDeep Dive into WinRT
Deep Dive into WinRT
 

Más de Aditya K Sood

BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
Aditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
Aditya K Sood
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
Aditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
Aditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
Aditya K Sood
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
Aditya K Sood
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
Aditya K Sood
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
Aditya K Sood
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011
Aditya K Sood
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
Aditya K Sood
 

Más de Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile Hacking
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
 

Último

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Último (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exploits

  • 1. Browser Exploit Packs Exploitation Paradigm (Tactics) Death by Bundled Exploits Virus Bulletin 2011 - Conference 5-7th October, 2011 Barcelona, Spain Aditya K Sood | Richard J Enbody SecNiche Security | Department of Computer Science and Engineering Michigan State University
  • 2. About Us  Aditya K Sood ─ Founder , SecNiche Security ● Independent Security Consultant, Researcher and Practitioner ● Worked previously for Armorize, Coseinc and KPMG ● Active Speaker at Security conferences ● Written Content – ISSA/ISACA/CrossTalk/HITB/Hakin9/Elsevier NES|CFS ● LinkedIn : http://www.linkedin.com/in/adityaks | @AdityaKSood ● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com ─ PhD Candidate at Michigan State University  Dr. Richard J Enbody ─ Associate Professor, CSE, Michigan State University ● Since 1987, teaching computer architecture/ computer security / mathematics ● Website: http://www.cse.msu.edu/~enbody ─ Co-Author CS1 Python book, The Practice of Computing using Python. ─ Patents Pending – Hardware Buffer Overflow Protection 2
  • 3. Agenda  Underground Malware Economy  Browser Design Agility ─ Browser Malware Taxonomy  Experimental Design  Browser Framework Components  Exploitation Tactics ─ Inbuilt + Attacker Driven  Conclusion 3
  • 5. Browser Design Agility  Browsers Robust Design ─ Vulnerabilities ● Inherent component based design flaws ● Security issues present browser components – Exploitable to give complete access to system – Remember, JavaScript heap spraying ─ Three Layer Model ● Browser extensibility model – Add-ons (NoScript) ● Browser interoperability model – Plugins such as Adobe, Flash ● Browser as a Software – Browser executables (firefox.exe, iexplorer.exe) – Required dynamic link libraries Note: Malware can impact any of the three layers as presented 5
  • 6. Browser Malware Anatomy Bundled Exploits Vulnerability Exploited Malware Hazard 6
  • 7. Browser Malware Taxonomy Class B Class C Class A 7
  • 8. Browser Exploit Packs – Viola ! 8
  • 9. Experiments Conducted  Target – BlackHole BEP + Phoenix BEP ─ Targets were selected using public available database – Malware Domain List (MDM) and Clean MX – Apart from these, we choose targets from forums ─ Malware Hunting – Web application vulnerability analysis – Penetration testing of malware domains – Traffic analysis ─ Performed Tests and Extracted Results ● Tests conducted – Complete analysis of BlackHole BEP and inherent design – Reverse engineering, deobfuscation, decoding and penetration testing ● Extracted Results – Web environments that favor BlackHole – Techniques and tactics (Generalizing the Infection Strategies) Note: Research Paper – Concentrated more on BlackHole BEP. 9
  • 10. BEP Framework and Components  BEP Framework ─ A complete set of bundled exploits and management interface ● Configuration files ● JavaScript files for fingerprinting the browser environment ● plugin.js , min.js , jquery.js ─ Sibling software in use ● MAX Mind Geo Location Library is used extensively ● Traffic stats with geographical locations ● Capturing data based on IP addresses ● A legitimate open source library for collecting traffic statistics ● PHP ION Cube Encoder ● Almost all the BEP frameworks utilize this PHP encoder ● Make the analysis real hard as it is damn hard to decode it 10
  • 11. BEP’s & Botnets Collaboration  Is This True Artifact? ─ Yes it is. – BEP’s are used in conjunction with botnets – On successful exploitation, bot is dropped into victim machine – Harnessing the power of two different frameworks to deliver malware – Some traces have been seen of ZEUS (Botnet) + BlackHole (BEP) 11
  • 12. BEP’s – Tactical Infections Techniques and Tactics (Inbuilt + Attacker Driven) 12
  • 13. Dedicated Spidering  Dedicated Spidering ─ Target specific information gathering – Unavoidable part of Advanced Persistent Threats (APT) attacks – It can be transformed into a remote scanning engine » Detecting website insecurities and vulnerabilities – Spidering modules are collaboratively used with BEP’s » A custom code used by attacker for attacking specific websites to gather information » Example:- BEP implements blacklisting approach 13
  • 14. Dynamic Iframe Generators  Dynamic Iframe Generators ─ Exploiting technique used to infect virtual hosts ● Typically used for injecting iframes in large number of websites ● Traffic infection – Iframes point to BEP’s are loaded – 1000 websites infection  1000 BEP’s serving exploit (Mass Exploitation) – BEP is hosted on the main server  infected hosts point to the source ● BEP’s are mostly loaded with obfuscated iframes Decoded Encoded 14
  • 15. Exploit Obfuscation / Encoding  Exploit Obfuscation ● Exploits are obfuscated to bypass the detection mechanisms ● Reverse encoding, string concatenation and randomization ● Interpreted as an exact exploit when rendered in the browser 15
  • 16. Exploit Obfuscation / Encoding  BEP Framework Encoding ─ All the exploit framework files are encoded ● Most of the BEPs are designed in PHP. ● Encodes all the exploits in a robust manner (efficient code protection) – All PHP files in BEP’s are encoded except configuration file – No restoration of compiled files back to source level. » Protection is applied at compilation time – Encoded files have digital signatures. – MAC protection enabled. Encoding Layer {n} ● Exploit detection becomes hard Encoding Layer { … } Encoding Layer {2} Encoding Layer {1} Optimized compiled Byte codes 16
  • 17. BEP Encoding – Example  Java Skyline Exploit - Layout 17
  • 18. User Agent Based Fingerprinting 18
  • 19. IP Logging Detection Trick (IPLDT)  What it is all about? ─ Hampering the analysis process – Exploit is served only once a time to the required IP – BEP uses GeoLocation PHP library to keep a track of IP addresses – Dual infection process using Content Delivery Networks (CDN’s) – Appropriate check is performed before serving exploit » If IP is already served no more exploits are delivered » In other terms, no more infection to the specific IP address 19
  • 20. Blacklisting – Anti Detection  Blacklisting ─ Technique to prevent tracing of malware domain by analysts – Non legitimate usage of blacklisting approach – It serves very well for BEP’s. – Explicit declaration of domain names in the panel (file listing also provided) » Anti detection and no exploit serving ( dual layer in addition to IPLDT) 20
  • 21. Dynamic Storage and Mutex  Dynamic Storage and Mutex ─ Managing the incoming connects – Looks for the particular IP address to verify the number of requests – Tracking the incoming requests and cookie tracking (Mutex implementation) – Primarily, avoid serving the duplicate exploits to the same machine » Implements the concept of worker thread when exploit is served » Efficient way of serving exploits through HTTP » Filter the victim information so that appropriate content should be served ─ Wait, till the full exploit is sent to the victim browser – Drive by Downloads 21
  • 22. Polymorphic Shellcodes  Polymorphic Shellcodes ─ Polymorphism provides multiple way to bypass detection mechanisms ● Self decrypting routines are available – On successful exploitation, encrypted malware decrypts itself in the system – Encryption provides random entry points that bypass the detection modules – Heavily used to bypass intrusion detection systems – Provides multiple code execution points ─ Exploit in BEP’s : shellcodes are polymorphic in nature 22
  • 23. Generic - Shellcode Unwrapping 23
  • 24. Conclusion ─ BEP - Efficient way of serving malware ─ Collaborates very well with third generation botnets ─ Hard to design a protection solution because ● It exploits the default design of browsers ─ Hyperlinks/ URL verification is the best solution at present. ─ Its good to hunt malware for educational purposes  24
  • 25. References ─ HITB - Exploiting Web Virtual Hosting – Malware Infections ● http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf ─ Virus Bulletin – Browser Malware Taxonomy ● http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser- malware-taxonomy ─ BruCon Hacking Conference – Botnets and Browsers ● http://www.slideshare.net/adityaks/brucon-brussels-2011-hacking-conference- botnets-and-browsers-brothers-in-the-ghost-shell ─ Hack In The Box Conference – Spying on SpyEye ● http://www.slideshare.net/adityaks/spying-on-spyeye-what-lies-beneath ─ OWASP App Sec – Hunting Web Malware ● http://www.appsecusa.org/talks.html#goodhacker 25
  • 27. Thanks  SecNiche Security Labs ─ http://www.secniche.org  Computer Science Department, Michigan State University ─ http://www.cse.msu.edu  Virus Bulletin 2011 ─ http://www.virustbn.com 27