RIA SECURITY TECHNOLOGY

Size: px

Start display at page:

Download "RIA SECURITY TECHNOLOGY"

Florence Griselda Ball
10 years ago
Views:

2 Agenda RIA Introduction Flash Security Attack Vectors Threats In the Wild Detection PDF Security Attack Vectors Threats In the Wild Detection Conclusion Q&A 2009 Websense, Inc. All rights reserved. 2

3 RIA Introduction 3

4 Rich Internet Application Key Characteristics Deliver rich user experience Based on Internet Highly interactive 4

5 RIA Plugins Adobe Flash, Java and Microsoft Silverlight 5

6 Adobe Vulnerability 6

7 Attack Vectors 7

8 Flash Exploit 25 Flash Player Related Vulnerability

9 Flash Exploit (cont.) 34 million swf application are vulnerable according to Websecurity Flash Exploit In the Wild CVE CVE CVE

vulnerable according to Websecurity 2009.

10 Flash XSS Renren.com flash XSS worm 10

11 Flash Malvertizement Yahoo,CNN,New York Times Ad bars for products Download Rogue AV 11

12 Threats In the Wild 12

13 CVE (version 1) CVE May

14 CVE (version 2) CVE Wrapped with Actionscript3 14

15 CVE (version 2) CVE Wrapped with Actionscript3 April

16 CVE (version 3) Wrapped with Actionscript3 and store the encrypted data in the Javascript code Phoenix exploit kit 16

17 CVE (version 3) Phoenix exploit kit payload page flash 1. Payload page call embedded flash file 2. Flash call payload page for encrypted data 3. Payload page detect version and return encrypted data 4. Flash decode data and run cve file 17

18 Future Trends Most dangerous is vulnerability to execute code More AS obfuscation like Javascript obfuscation Combined with Javascript more closely 18

19 Detection 19

20 Module Signature scanner Exploit scanner Actionscript scanner Scanner Honeyclient scanner 20

21 Signature Scanner Parse SWF format Signature base detection 21

22 Exploit Scanner Check DefineSceneAndFrameLabelData shellcode detection 22

23 Actionscript Scanner Detect suspicious Actionscript Loader.loadBytes parseint, charcodeat Too many push action Based on Websense URL database Suspicious Tag File size and Tag count 23

24 Honeyclient Scanner Honeyclient detection Log http traffic Monitor files, registry key values, and processes 24

25 PDF Security 25

26 PDF Security Trend PDF's CVE records

27 Why Malware Use PDF Portable Document Format = Easy + Quick Support all platform Can around Can work offline $ Support embedded RIA

28 PDF Frame %PDF obj <</Type /Pages /Kids [3 0 R ] /Count 1 /MediaBox [ ] >> endobj xref f n n n n trailer << /Size 10 /Root 9 0 R /Info 8 0 R >> startxref 8983 %%EOF File Header Objects Cross-Reference Table Trailer

29 Filters Used in Malicious PDF ASCIIHexDecode Filter Hex encode start with # Sample: /Filter /#46#6c#61#74#65#44#65#63#6f#64#65 (FlateDecode) FlateDecode Filters Compressed stream Use zlib Crypt Filter /Filter /Standard

30 Encrypted PDF 14 0 obj <</R 3 Indirect Objects /P /O (6E 訚 u;?\( 鎓 Zん5?? 婼 h 撱臂 \\W? /Filter /Standard /Length 128 Crypt Filter /V 2 /U (\r 覑 u 屴 p 袶 U 癨 r 渿 [????????????????) >> trailer <</Encrypt 14 0 R /Info 15 0 R Name Filter /Root 1 0 R /Size 16 /ID [<3249d6fe1386f4984c3df5d288c0bb49><3249d6fe1386f4984c3df5d288c0bb49>] >>

31 POC Demo Exploit User-Lure

32 How Malicious PDF Spread? SQL Injection SPAM Botnet Zbot etc. Exploit Kit

33 Attack Time Line Mass Injections Trigger Exploit Install Clients Spread to Others Spam s Src= Goto virus.pdf virus.swf Shellcode Infostealer.exe botclient.exe smtphost.dll other.dll Spam IMs Spams Inject Hosts Hxxp://ip/trojan.exe 2009 Websense, Inc. All rights reserved. 35

34 Weak of AV /Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >> Stream x 趠?n? 噍 ю\??y? N 缮茄 χhs 豛?? Embeded a bad pdf into a good pdf AV signatures Threat categories

36 How to Detect Rules Signatures Heuristics Application Behaviors JBIG2Decode FlateDecode ASCIIHEX ASCII85 Decode Input Decrypt Deobfuscate Scan Output Javascript RC4 MD5 Unescape Eval Regex

37 Malicious Content Stripping Web Security Gateway Active Security Module Content Gateway Module security Module Remove malicious Script, ActiveX etc. and display safe content

38 Other Solutions Server Side Display Virual client / Sandbox

39 Portable RIA

40 PDF Portfolio

41 PDF Portfolio Scan Embedded Files Stripping Pictures Portfolio Multimedia Documents

42 THANKS June 2010

Shane Hartman CISSP, GCIA, GREM Suncoast Security Society

Shane Hartman CISSP, GCIA, GREM Suncoast Security Society Analyzing Malware Why Flash Malware Structure of an SWF File History of Flash Scripting Exploit Example 1: Social Engineering Exploit Example 2: