Tweet #AskSucuri to @SucuriSecurity
The Anatomy of Website Malware
SUCURI WEBINAR
Peter Gramantik, Sr. Malware Researcher
Peter Gramantik
Sr. Malware Researcher
Find me on Twitter @petergramantik
WEBINAR SPEAKER
Peter Gramantik
• Sucuri 6 years
• Sr. Malware Researcher
• Happily Married
• Love wreck & cave diving, UW filming, riding my Harley Davidson Sportster, finding new detection techniques, …
WEBINAR SPEAKER
In this webinar you will learn:
• What web malware is and how it usually works
• Where and how it hides
• What obfuscation is and what its most common methods are
• What mass infections are
• Why you should never use pirated themes/plugins
What is malware?
“Malware (malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network.”
SHORT HISTORY OF MALWARE:
1970: “Let’s see if we can destroy this computer.”
1990: “Let’s destroy this computer (evil laugh).”
2000: “Let’s infect this computer secretly and profit from it.”
What is website malware?
“Malware (malicious software) is any software intentionally designed to cause damage to a computer, server, client, computer network or a website.”
• Websites are the “new” target
• The first vulnerable website was probably the first one created
• The unified environment of a CMS helps infections spread
• WordPress is the leader
How does it work:
Visible
• Defacements
• Redirects
• Unwanted popups / ads
Hidden
• Backdoors
• Credit card (CC) stealers
• Blackhat SEO
Malicious Code in Legitimate Magento File
Where and how does it hide:
Site Files
Where’s the malware?
Site Files
Here it is!
Site Files
Where and how does it hide:
Databases
Where and how does it hide:
Server-level Infection
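The Magento slide above is malware sitting inside a legitimate file, and the "Where's the malware? / Here it is!" slides show how hard that is to spot by reading. The Python script below is an added example, not code from the Sucuri deck or from any Sucuri product: it hashes a known-good copy of the site files into a manifest and diffs a later scan against it, reporting added, removed and modified files, with the volatile cache directory skipped. The Magento-like tree, the appended line and the dropped file are all constructed for the example.

```python
"""File-integrity baseline for site files (added example, not code from the
Sucuri deck). Malware buried in a legitimate CMS file need not look
obfuscated, so instead of pattern matching this compares every file against a
known-good manifest of SHA-256 hashes and reports added, removed and modified
files. The site tree below is constructed for the demo."""
import hashlib
import json
import os
import tempfile


def file_sha256(path: str) -> str:
    """Stream the file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, skip_dirs=("var", "media")) -> dict:
    """Map relative path -> sha256 for every file under root.
    Volatile directories (caches, uploads) are skipped; they need their own policy."""
    manifest = {}
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(path)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify changes; every entry here is a file to review by hand."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def write_tree(root: str, files: dict) -> None:
    """Materialise a {relative path: content} mapping on disk."""
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


# Constructed "known-good" tree; the names mimic a Magento layout, not real core code.
KNOWN_GOOD = {
    "index.php": "<?php require 'app/bootstrap.php';\n",
    "app/code/Checkout/Model/Session.php":
        "<?php\nclass Session {\n  public function save($data) { return true; }\n}\n",
    "var/cache/page.cache": "volatile\n",
}

# The same tree after a simulated compromise: a line appended to a legitimate
# file plus a dropped file in an unusual place. Both payloads are comments only.
COMPROMISED = dict(KNOWN_GOOD)
COMPROMISED["app/code/Checkout/Model/Session.php"] += "// constructed injected line\n"
COMPROMISED["app/code/.helper.php"] = "<?php // constructed dropped file\n"
COMPROMISED["var/cache/page.cache"] = "changed but volatile\n"   # skipped by policy


def demo() -> dict:
    """Baseline the clean tree, then diff the compromised one against it."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as hacked:
        write_tree(clean, KNOWN_GOOD)
        write_tree(hacked, COMPROMISED)
        # In practice the baseline is stored off-host (here: a JSON round trip)
        # so that whoever controls the site files cannot also edit the manifest.
        stored = json.loads(json.dumps(build_manifest(clean)))
        return diff_manifest(stored, build_manifest(hacked))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists one modified file (the legitimate `Session.php` with a line appended) and one added file (`app/code/.helper.php`); the cache change is ignored because that directory is excluded from the baseline. The point of keeping the manifest off the web host is that an attacker who can write to site files could otherwise rehash them after injecting.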
What is obfuscation:
Purpose
• Make the code unclear
• Hard to decode
• Hide
• Hard to spot
Types
• Packers
• Faking legitimate code
• Random names
• Undocumented functions
• Random placement, …
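The obfuscation types listed above are easier to reason about with a detector in hand. The Python script below is an added example, not code from the Sucuri deck or from Sucuri's own scanner: it scores PHP source for packer chains (base64/gzinflate feeding eval), generated-looking variable names, uncommon-radix (hex/octal escaped) strings and dynamic `$f($x)` calls, then walks a site tree so the check runs over site files. The three PHP samples, the indicator names, weights and thresholds are all constructed for the example; the "packed" sample wraps a harmless echo statement.

```python
"""Obfuscation-indicator scanner for PHP site files (added example, not code
from the Sucuri deck). Scores source text for the tricks named on the slide:
packers, random names, uncommon radixes, dynamic calls. Samples are constructed."""
import base64
import math
import os
import re
import tempfile
from collections import Counter

# Each indicator is (name, weight, regex). One hit is a lead, not a verdict.
INDICATORS = [
    ("eval_of_decoded", 3, re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("packer_chain", 2, re.compile(
        r"\b(?:gzinflate|gzuncompress|str_rot13|strrev)\s*\(\s*base64_decode\s*\(", re.I)),
    ("long_base64", 1, re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")),
    ("hex_octal_escapes", 1, re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\[0-7]{3}){6,}")),
    ("dynamic_call", 1, re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$")),      # $f($x)
    ("chr_concat", 1, re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}", re.I)),
]
# Heuristic for generated names: O/0/l/1 soup, or a name with three or more digits.
RANDOM_NAME = re.compile(r"\$(?:[O0lI1_]{5,}(?!\w)|(?:\w*?\d){3}\w*)")
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 payloads sit near 5.5-6, ordinary PHP near 4.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(src: str) -> dict:
    """Return the indicators hit, a weighted score and a triage verdict."""
    hits, score = [], 0
    for name, weight, rx in INDICATORS:
        if rx.search(src):
            hits.append(name)
            score += weight
    if len({m.group(0) for m in RANDOM_NAME.finditer(src)}) >= 3:
        hits.append("random_names")
        score += 1
    # Packed payloads usually live in one large, high-entropy string literal.
    longest = max((m.group(0)[1:-1] for m in STRING_LITERAL.finditer(src)),
                  key=len, default="")
    if len(longest) >= 40 and shannon_entropy(longest) > 5.2:
        hits.append("high_entropy_literal")
        score += 1
    verdict = ("likely obfuscated" if score >= 3 else
               "suspicious" if score >= 1 else "clean")
    return {"indicators": hits, "score": score, "verdict": verdict}


def scan_tree(root: str) -> dict:
    """Scan every .php file under root; map relative path -> scan result."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(".php"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    results[rel] = scan_source(fh.read())
    return results


# --- constructed samples (not real malware) ---------------------------------
CLEAN_PHP = r"""<?php
// Ordinary template code.
function render_title($post) {
    $title = esc_html($post->title);
    echo "<h1>{$title}</h1>";
}
"""
# Packer chain around a harmless, self-built base64 blob, with generated names.
PAYLOAD_B64 = base64.b64encode(b"echo 'constructed sample payload 0123456789';" * 4).decode()
PACKED_PHP = r"""<?php
$_0x4f3a = "__B64__";
$O0O0O_1 = "base64_decode";
$l1l1l_2 = "gzinflate";
eval(gzinflate(base64_decode($_0x4f3a)));
$_0x9b21($_0x4f3a);
""".replace("__B64__", PAYLOAD_B64)
# "Faking legitimate code": a WordPress-looking helper hiding a string in hex escapes.
DECOY_PHP = r"""<?php
/* wp-cache helper (only looks like core code) */
$wp_cache_data = "\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x65\x64";
$wp_cache_helper = "strtoupper";
$wp_cache_helper($wp_cache_data);
"""
SAMPLES = {"clean.php": CLEAN_PHP, "packed.php": PACKED_PHP, "inc/decoy.php": DECOY_PHP}


def demo() -> dict:
    """Write the samples into a temporary site tree, scan it, return path -> verdict."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {rel: res["verdict"] for rel, res in scan_tree(root).items()}


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{rel:16} {verdict}")
```

The three samples come back as clean, likely obfuscated and suspicious. The decoy is the instructive case: a file that fakes legitimate code trips only the weak indicators (hex escapes and a variable-function call), which is why the script is a triage aid rather than a verdict, and why a file-integrity baseline is the complementary check for code that does not look obfuscated at all.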
Obfuscation Blog Articles
• Obfuscation Through Legitimate Appearances
• Uncommon Radixes Used in Malware Obfuscation
• Decoding Complex Malware – Step-by-Step
Go to blog.sucuri.net to learn about website security, emerging vulnerabilities, and web malware infections from our team of website security researchers.
Mass Infections
• Infections spreading to thousands of websites
• Common entry point: a vulnerability in outdated software
• Could lead to secondary infections
• Problems in shared hosting environments: cross-site infections
BLOG POST: Massive Malware Infection Breaking WordPress Sites
Risk of 3rd Party Software:
• Updating the CMS alone may not be sufficient
• Abandoned / hijacked plugins and themes
• Pirated software
• Malvertising
• Backdoors
• Spam injections
• Business impact
Thank you for your attention :)
The Anatomy of Website Malware
https://blog.sucuri.net/2019/02/the-anatomy-of-website-malware-an-introduction.html
NEW BLOG SERIES
Peter Gramantik
You can reach me at @petergramantik
Submit your questions on Twitter at @SucuriSecurity using the hashtag #AskSucuri

Sucuri Webinar: The Anatomy of Website Malware


Editor's Notes

  1. “But before that” - switch to next slide.
  2. Hello everyone, welcome to this webinar. My name is – I’m Sr. Malware Researcher here at Sucuri, and let me tell you something more about me >
  3. I spent the last 15 years in the AV – antivirus – industry. Previously at the AVG antivirus company as a Malware Analysis Specialist; *now at Sucuri as Sr. Malware Researcher. But I started as a Support Analyst – I used to clean websites directly since I joined Sucuri – and in the last few years I’m working on signatures, making sure we detect and clear everything correctly. * And last time I asked my wife if I am, she told me: Yes! You are very happy. That’s awesome :) *My job is my hobby, but... you’ll probably be able to find some of my diving videos on YouTube. We are time-limited, and since the world of malware is really complex, I'll cover the following topics briefly >
  4. * Here, we’ll fix the common malware definition. * I’ll show you three common ways malware hides. * I’ll try to deobfuscate this magic word a little bit. And at the end of this webinar I’ll tell you something about… * * So what is malware? >
  5. *According to Wikipedia, malware is... Malware has been with us since the first computers. The short history of malware as I see it can be divided into these three phases: Academic times – Wild times – Business times. *In other words – 1970... Business times until now, only it got really massive. In the old times – single persons, academic attempts; nowadays – professional teams, which results in much more mature malware. But something else changed – the target. >
  6. We have the Internet, websites, stories we want to share. As an example, let’s say I have this awesome My Little Pony website where I sell T-shirts with quotations from my MLP stories, which are so great that everyone buys my T-shirts. And that’s the new malware target. I'd like to change the definition – add website*. *Our lives are moving to the virtual world, and so does malware. It’s following us. Websites are "programs" – coded in some language, providing some input and output. Murphy’s law says: Every non-trivial program has at least one bug. And websites are programs. *The first vulnerable website was probably the first one created. The more complex they are, the bigger is the need for various frameworks and content management systems, which leads to:* * Unified environment… when a vulnerability appears, the attackers know they can exploit it on a vast amount of victims. *Not everyone is a programmer – I go and download WordPress for my MLP blog. And it will be, sooner or later, vulnerable – in other words, infectable by malware. So how does malware work? >
  7. In fact, only two main categories. For example, when my site is infected with a redirect, you are – as a visitor – redirected to the website of my competitor, who does much worse MLP stories – but you end up on his site instead of mine, allowing the visitors to buy his terrible T-shirts. Give him money for them. Your money. That’s malicious behavior. However, you are able to spot it easily – you know something is happening. What's more interesting and dangerous from my point of view is this hidden malware... >
  8. Ouch, looks like we’ve been infected and the popup even covers part of my original content. This is how it might really look in real life. But as I said, you can spot it easily. Back to the hidden malware >
  9. This category of malware works secretly *** You won’t see anything suspicious on your site. But hackers have now full control of it. There are many more sub-categories like droppers, hacktools or injectors. I’m having a really interesting complete overview of malware on next slide! >
  10. Bam – here we go again. This happens every time you are searching for something interesting. We've been infected by defacement which was probably installed by using some backdoor. The attacker with backdoor has full access to your site and its content! And all the awesome MLP stories are GONE :( Fortunately, you are Sucuri client and we'll fix this for you! You're lucky :) [more about defacements]… just index.php Actually, when I’m looking at this defacement, instead of thinking more about these hackers, I’m thinking about having a pizza. Well, they sometimes use interesting color combinations. But seriously >
  11. I’ve been talking about hidden malware and I'd like to show you how a CC Stealer works And why it's so dangerous >
  12. This is example of malicious code in legitimate Magento file. [how it works] Your clients buy your MLP T-shirt, but it will later cost them much more. The attacker has their complete credit card information and will buy something with this credit card. Not now, maybe in few months, because they don’t want to point directly to your site – they want to keep it running as long as possible - but they’ll do that. They’ll abuse that stolen data. And since you have many fans, they’ll chat together and eventually find out that more of them had similar problems. This will be ultimately leading to destroyed reputation of your website and loss of fans / clients. In this case, the malware was “buried” deep in the Magento filesystem in one of its legitimate files. This brings the question - Where does malware hide? >
  13. 1st choice - Files - 9/10 malware creators recommend! The malware is hidden somewhere in your site files – for example clean Wordpress installation has 1713 files in 172 subfolders. While some are easy to spot...like this one [little about this malware] we can probably directly delete the file. But there are some others which are not so easy to spot >
  14. Where's the malware here? Obviously legit-looking code. But there's hidden malware malware somewhere >
  15. And this is just a small piece of the malware, randomly placed to legit looking file. Sometimes it's really not easy to find it, and sometimes it's not even in files… >
  16. Like the DB infections. Modern CMS use database – mostly they store the real content there and use the files just to keep the CMS running – whenever the files are updated, the content of your site won’t change – it’s still in the DB. And the attackers are aware of this fact. Simple reinstallation of the CMS won’t fix your malware problem. After the reinstall, malware is still there… [something about this malware] Removing could be tricky. Common users are less experienced with DB manipulation. They are probably able to remove a basic malware from a file, but modifying DB content is not “that” easy. In this case the malware is placed within serialized data and if it would be simply removed, it would break the site. Unless the serialization is handled correctly there. Be careful with your DB, it’s often much more important than files! There's also third possibility >
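The serialized-data problem from slide 16, as an added example that is not part of the webinar: a small Python parser for the PHP serialize() format that strips an injected tag from a WordPress option and re-serializes it with correct byte lengths, so the site keeps working. The injected tag, the option contents and the helper names are constructed for the example.

```python
# Added example, not from the webinar: repair a PHP-serialized WordPress option
# whose string value carries an injected script tag. Every s:<len> prefix must
# match the new byte length, or PHP's unserialize() fails and the site breaks.
INJECTED = '<script src="http://example.invalid/x.js"></script>'   # constructed tag

def parse(data, pos=0):
    """Parse one PHP-serialized value (types i, b, s, a) -> (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag in (b'i', b'b'):
        end = data.index(b';', pos)
        n = int(data[pos + 2:end])
        return (bool(n) if tag == b'b' else n), end + 1
    if tag == b's':
        colon = data.index(b':', pos + 2)
        length, start = int(data[pos + 2:colon]), colon + 2        # start skips ':"'
        return data[start:start + length].decode(), start + length + 2  # skip '";'
    if tag == b'a':
        colon = data.index(b':', pos + 2)
        count, pos, items = int(data[pos + 2:colon]), colon + 2, []  # pos skips ':{'
        for _ in range(count):
            key, pos = parse(data, pos)
            val, pos = parse(data, pos)
            items.append((key, val))
        return items, pos + 1                                        # skip '}'
    raise ValueError('unsupported or truncated data at offset %d' % pos)

def dump(value):
    """Serialize back, recomputing every string length in bytes (not chars)."""
    if isinstance(value, bool):
        return b'b:%d;' % value
    if isinstance(value, int):
        return b'i:%d;' % value
    if isinstance(value, str):
        raw = value.encode()
        return b's:%d:"%s";' % (len(raw), raw)
    return b'a:%d:{%s}' % (len(value), b''.join(dump(k) + dump(v) for k, v in value))

def clean(value):
    # strip the injected tag from every string, recursing into nested arrays
    if isinstance(value, str):
        return value.replace(INJECTED, '')
    return [(k, clean(v)) for k, v in value] if isinstance(value, list) else value

def is_well_formed(data):
    try:                      # True when the blob parses to its end (PHP could load it)
        return parse(data)[1] == len(data)
    except (ValueError, IndexError):
        return False

def repair_option(data):      # parse, clean and re-serialize with consistent lengths
    return dump(clean(parse(data)[0]))

TAINTED = dump([('title', 'My Little Pony shop' + INJECTED), ('active', True)])  # constructed
```

A plain search-and-replace on the same option leaves the old length in place, and is_well_formed() shows why that would break the site.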
  17. This is not a classic website infection and is slightly out of scope for this webinar. But I wanted to mention it, as it happens and we are seeing these infections every now and then. The malware is not part of the website files or DB; rather, the whole server is compromised and e.g. some server modules are infected. For example, such an infected web server module will simply attach the malware to the response to every request from a visitor, like a request to open the site via a browser. The visitor gets your site and a bonus in the form of additional malicious code. You won't be able to find it in your files or DB. Such an infection is the hardest to find, and usually the whole server needs to be reinstalled. But there are other techniques for hiding malware in your files or the DB: obfuscating them.
  18. So what is obfuscation? It's an action to make something unclear, obscure. Nothing less, nothing more. A lot of techniques are hiding behind this single word.
  19. These are just a few basic types of obfuscation. Packers can hide any suspicious code parts by using some shrinking algorithm which makes the code smaller, but much harder (and sometimes completely impossible) to read. Faking legit code: pretending to be a legitimate part of the site. Random names: variables, functions, other code objects. Undocumented functions: less-used functions, not straightforward to understand. Random places: we saw it earlier, malware placed in random places within legitimate code. Let's take a look at a few examples.
  20. This is a typical packer. It's impossible to tell whether it's malicious or not without deobfuscation. Legit on the left, malicious on the right. But without decoding, we're lost. That's why creating signatures is not a trivial task, and that's why every antivirus generates false positives; sometimes it's really hard to decide whether the code we are looking at is malicious or legitimate. And as you can see, even authors of legitimate software are using obfuscation. Possibly to protect their code against piracy, but I have my suspicion that their main goal is to make our work as difficult as possible. Why? It usually takes me a few seconds to minutes to get through such obfuscations. And if I can do it, anyone, and especially pirates, can. I'd especially like to greet Magento plugin developers. I really love identifying and removing false positive detections on your software. Brilliant! Another example of obfuscation could be faking legitimate code.
  21. Looks legit at first glance. When you try to understand how it works, you'll notice some suspicious functions. Why should a routine doing something with the MIME formatting standard e.g. prepare a directory? I had to study the file more and understand every aspect of the code, and in the end...
  22. After putting in some comments regarding the real functionality, it turned out it's just another backdoor, evaluating something stored in a "file which pretended to be an image". Sorry about the image quality; I took it from the blog post I wrote about it. If you are interested in more obfuscation techniques and some nice articles, I recommend checking the following links.
  23. The first link is mine, of course :) It's about the obfuscation I just demonstrated. But there are a lot of other very interesting articles, such as these two from my colleagues Denis Sinegubko and Rodrigo Escobar. You can find other articles in our blog, under the tag "obfuscation". I'd like to show you one more sample. This time, it's about how deobfuscated malware could look.
  24. This is classic obfuscation. It uses random variable names, random function names, everything put together piece by piece. And in the end we have another backdoor, getting its payload from some malicious site and evaluating it through the assert function. Which is a kind of obfuscation itself: the assert function is primarily used for debugging code, not actually evaluating it. But it could be abused in this way. And that's what obfuscation is about too. Our time is slightly running out, but as I promised, I'll also briefly cover mass infections and 3rd party software issues.
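The obfuscation traits from slides 19 and 24 (packed blobs, random names, evaluation through assert), as an added detection example that is not from the webinar: a Python scorer that flags those indicators in PHP source. The regexes, thresholds and both sample snippets are constructed assumptions, and like any signature they will produce some false positives.

```python
import math
import re

# Added example, not from the webinar: a small scorer for the obfuscation traits
# described above (packed or encoded blobs, random names, dynamic evaluation via
# assert or eval). The regexes, thresholds and sample snippets are constructed.
CHECKS = [
    (re.compile(r'\b(eval|assert|create_function)\s*\('), 'dynamic code evaluation'),
    (re.compile(r'\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\('), 'decoder call'),
    (re.compile(r'\$\w+\s*\('), 'call through a variable function name'),
    (re.compile(r'[\'"][A-Za-z0-9+/=]{60,}[\'"]'), 'long encoded string literal'),
]
IDENT = re.compile(r'\$([A-Za-z_]\w*)')

def entropy(s):
    """Shannon entropy in bits per character; random names score near log2(len)."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_random(name):
    """Heuristic: long, mixed-case, digit-laden and high-entropy, unlike snake_case."""
    return bool(len(name) >= 8 and entropy(name) >= 3.0
                and re.search(r'[A-Z]', name) and re.search(r'\d', name))

def obfuscation_findings(php_source):
    """Return the indicators present in the source; an empty list means nothing flagged."""
    findings = [label for rx, label in CHECKS if rx.search(php_source)]
    random_names = sorted(n for n in set(IDENT.findall(php_source)) if looks_random(n))
    if len(random_names) >= 2:                 # one odd name is normal, several are not
        findings.append('random-looking identifiers: ' + ', '.join(random_names))
    return findings

# Constructed samples: ordinary theme code vs. the decode-and-assert pattern. Note the
# decoder name sits in a string, so only the variable call and the blob give it away.
CLEAN = """<?php
function mlp_render_shirt($post_id) {
    $title = get_the_title($post_id);
    return '<h2>' . esc_html($title) . '</h2>';
}"""
SUSPICIOUS = """<?php
$xK9dqP2m = 'base64_decode';
$Qz7LwT4n = $xK9dqP2m('""" + 'QUFB' * 20 + """');
assert($Qz7LwT4n);"""
```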
  25. So what are mass infections? Out of nowhere, we start to see a lot of the same infections on our client sites; this is a mass infection indicator. They usually lead to secondary infections. The attackers are e.g. able to upload malicious code, like a backdoor, by exploiting some vulnerability, but this backdoor is later used for any evil action you can imagine: injection of spam, redirects, etc. The problem is usually on shared hosting environments, where one site infects another inside this shared space, leading to cross-site contamination. A really nice example of such a mass infection was this vulnerability in the MailPoet plugin for WordPress. This was a serious infection wave where thousands of websites were compromised. If I remember correctly, the infector was even broken and under some conditions it was breaking the infected websites. And as I said, the problem was in third-party vulnerable software. What does this mean?
  26. I mentioned it in the beginning of this webinar: every piece of code has at least one bug. In theory, if you use just a clean WordPress without any plugins, there will definitely be some bugs, but thanks to the extensive QA process, hopefully no easily exploitable holes are usually released. The situation is different with 3rd party software such as plugins. The more plugins you have, the bigger the risk of a serious exploitable vulnerability in your website, because you'll need to think about these plugins as well. And there are other risks... We've seen cases of abandoned or hijacked plugins in the past, when the developers simply quit and left the plugin to live its own life, but the black hats took this chance and added something malicious there. And with the next update of a plugin that you had used for several years, you were infected. Spam and backdoors intentionally hidden in pirated themes and plugins... And that's it. I hope I gave you some basic overview of malware and how it works. But this is such a complex topic that it could take several books, or at least one really thick one, to cover it completely. Also, I'm better at writing than speaking, so if you are interested in more about malware and various case studies, just search for some of my blog posts. SO
  27. Now it's time to have a beer! But before that, I'd like to point you to my new blog post series "The Anatomy of Website Malware", where I'll be covering this topic in much more detail, describing various forms of malware. Also, if you have any questions, I'll be happy to answer them.