Advancements in Botnet Attacks and Malware Distribution

Similar documents
Botnets Die Hard Owned and Operated

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

MALWARE ANALYSIS 1. STYX EXPLOIT PACK: INSIDIOUS DESIGN Aditya K. Sood & Richard J. Enbody Michigan State University, USA COMMUNICATION DESIGN

SOCIAL NETWORKS AND INFECTION MODEL

Factoring Malware and Organized Crime in to Web Application Security

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

Where every interaction matters.

Malicious Network Traffic Analysis

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

EyjafjallajöKull Framework (aka: Exploit Kits Krawler Framework)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

CS5008: Internet Computing

Check list for web developers


Operation Liberpy : Keyloggers and information theft in Latin America

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Penetration Testing with Kali Linux

Adobe Systems Incorporated

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web Application Worms & Browser Insecurity

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Protect Your Business and Customers from Online Fraud

Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs AN IN-DEPTH ANALYSIS

F5 (Security) Web Fraud Detection. Keiron Shepherd Security Systems Engineer

Innovations in Network Security

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Tespok Kenya icsirt: Enterprise Cyber Threat Attack Targets Report

Spyware. Summary. Overview of Spyware. Who Is Spying?

Exploring the Black Hole Exploit Kit

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Gateway Apps - Security Summary SECURITY SUMMARY

The Top Web Application Attacks: Are you vulnerable?

MITB Grabbing Login Credentials

Criteria for web application security check. Version

Web Application Security

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

(WAPT) Web Application Penetration Testing

April 11, (Revision 2)

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Networks and Security Lab. Network Forensics

Security Evaluation CLX.Sentinel

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

UNMASKCONTENT: THE CASE STUDY

Using a Malicious Proxy to Pilfer Data & Wreak Havoc. Edward J. Zaborowski ed@thezees.net

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Vulnerability Assessment and Penetration Testing

Targeted attacks: Tools and techniques

Course Content: Session 1. Ethics & Hacking

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Last update: February 23, 2004

Web Maniac Hacking Trust. Aditya K Sood [adi_ks [at] secniche.org] SecNiche Security

Introduction to Web Security

Intrusion detection for web applications

Protect your internal users on the Internet with Secure Web Gateway. Richard Bible EMEA Security Solution Architect

Web-Application Security

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

WEB ATTACKS AND COUNTERMEASURES


CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Executive Summary On IronWASP

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Web Application Security 101

IBM Advanced Threat Protection Solution

Basic & Advanced Administration for Citrix NetScaler 9.2

Pwning Intranets with HTML5

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

Common Security Vulnerabilities in Online Payment Systems

Cyber Attack Trend and Botnet

Lecture 15 - Web Security

What do a banking Trojan, Chrome and a government mail server have in common? Analysis of a piece of Brazilian malware

Web Application Penetration Testing

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

CS 558 Internet Systems and Technologies

Understanding Web Application Security Issues

Covert Operations: Kill Chain Actions using Security Analytics

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

OWASP Top Ten Tools and Tactics

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Analysis of the Australian Web Threat Landscape Christopher Ke, Jonathan Oliver and Yang Xiang

What is Web Security? Motivation

Introduction to Computer Security

Indian Computer Emergency Response Team (CERT-In) Annual Report (2010)

FSOEP Web Banking & Fraud: Corporate Treasury Attacks

Web application security

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Transcription:

Advancements in Botnet Attacks and Malware Distribution HOPE Conference, New York, July 2012 Aditya K Sood Rohit Bansal Richard J Enbody SecNiche Security Department of Computer Science and Engineering Michigan State University

Aditya K Sood About Us PhD Candidate at Michigan State University Rohit Bansal Working for isec Partners. Active Speaker at Security conferences LinkedIn - http ://www.linkedin.com/in/adityaks Website: http://www.secniche.org Blog: http://secniche.blogspot.com Twitter: @AdityaKSood Security Researcher, SecNiche Security Labs Twitter: @0xrb Dr. Richard J Enbody Associate Professor, CSE, Michigan State University Since 1987, teaching computer architecture/ computer security Co-Author CS1 Python book, The Practice of Computing using Python. Patents Pending Hardware Buffer Overflow Protection 2

Agenda Malware Paradigm Browser Malware Taxonomy Present-day Malware Propagation Tactics Information Stealing Tactics Conclusion 3

FUD (Fear, Uncertainty & Doubt) FUD FUD Three pillars of robust malware design 4

Malware Paradigm 5

The Reality of Internet! 6

Browser Malware Taxonomy Class A Browser Malware 7

Browser Malware Taxonomy Class B Browser Malware 8

Browser Malware Taxonomy Class C Browser Malware 9

Malware Lifecycle Java Exploit Malware making a place into your system Step 1: Vulnerability in high traffic website is exploited To serve malware at large scale Step 2: Detecting malicious iframe in the website Lets extract the iframe from the malicious website The iframe is pointing to some domain having applet.html. Avoid running it in the browser. Fetch it directly using wget/curl 10

Malware Lifecycle Java Exploit Malware making a place into your system Step 3 : Detecting the malicious code So, there is Java applet with param variable holding an executable Quick analysis of the executable can be seen here https://www.virustotal.com/file/5cb024356e6b391b367bc6a313da5b5f744d8a14ce c860502446aaa3e1b4566e/analysis/1330713741/ 11

Malware Lifecycle Java Exploit Dissecting Malicious Java Applet Let s see what we have VBScript embedded in Java applet code 12

Implanting Malware (Bots) Present-day Propagation Tactics 13

Exploiting Web Hosting Data Centers Web Hosting - Exploitation Several websites are hosted on a single server sharing IP address DNS names are mapped virtually to the same IP Vulnerability in one website can seriously compromise the server Insecure file uploading functionality» Uploading remote management shells such c99 etc» Automated iframe injector embeds malicious iframe on all webpages» Making configuration changes such as redirecting users to malicious domains Cookie replay attacks in hosting domain website» Authentication bypass : reading customer queries on the web based management panel» Extracting credentials directly by exploiting design flaws in hosting panels 14

Data Centers Exploitation Exploiting Web Hosting Automated Iframe injector cpanel Exploitation Automated iframer in action 15

Exploiting Web Hosting Remote shell in action 16

Infection through Glype Proxies Glype proxies Simple PHP scripts for anonymous surfing Hosted on legitimate domains and forcing users to surf through the proxy Logging is enabled to fetch the information about users» A tactical way of exploiting the integrity of anonymous surfing Exploiting misconfigured proxies to deliver malware Embedding Browser Exploit Packs (BEPs) with Glype proxies» Very effective and successful technique 17

Demonstration 18

Obfuscated Iframes 19

Browser Exploit Packs (BEPs) Browser Exploit Pack BlackHole is running on fire Techniques User-agent based fingerprinting Plugin detector capability for scrutinizing the plugins Serving exploit once per IP Address Java exploits are used heavily for spreading infections Support for other exploits such as PDF, Flash etc BlackHole configuration parameters Java version fingerprinting 20

Browser Exploit Packs (BEPs) Browser Exploit Pack Encoded exploit with PHP Ioncube 21

Browser Exploit Packs (BEPs) Browser Exploit Pack Interesting Tactics A brief walkthrough JAVA SMB One of the most effective exploit used in BH Exploit downloads new.avi file for triggering exploitation At present times, Java Array exploit is on fire. Interesting to see what this file does Running file in VLC player produces an error. Can we change new.avi to new.jar? YES! We can.» Result is here. 22

Drive-by Frameworks 23

Drive-by Frameworks 24

Demonstration 25

AWS Cloud Malware Malware on the Cloud Attackers are targeting AWS to host malware Unpacked 26

AWS Cloud Malware Malware on the Cloud On reversing, package downloads the malware into c:\winsys directory from another repository on the AWS Downloaded files are presented below Malicious files extracted from the package 27

AWS Cloud Malware Afterwards Malware on the Cloud Some of the files were again packed with UPX packer All the files were flagged as malicious Sent an alert in the form of tweet to Amazon. Malware was removed. Executables are f lagged as malicious 28

Malvertisement Malvertisements Online malicious advertisements Content Delivery Networks (CDNs) are infected to trigger malvertising Distributed attack Armorize s Blog - http://blog.armorize.com/2011/05/porn-sites-have-lots-of-trafficand.html Malvertisement Paper - http://www.slideshare.net/adityaks/malvertising-exploiting-web-advertising 29

Social Networks Exploiting Social Networks Attackers exploit the inherent design flaws in the social networks Use to spread malware at a large scale LikeJacking (=~ClickJacking) Use to add malicious links on user s profile in Facebook LikeJacking collaboratively used with ClickJacking Efficient in spreading malware 30

Demonstration 31

Present-day Botnets Information Stealing and Manipulation Tactics 32

Man-in-the-Browser (MitB) Subverting Browser Integrity Exploits the victim system and the browser environment SSL / PKI does not stop the infections by MitB Two Factor/ SSO authentication module does not stop it Concept of browser rootkits Implements Hooking Exploits online banking http://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf 33

Web Injects Infection on the Fly Web Injects Injecting incoming request with malicious content Primary aim is to inject credential stealing forms, JavaScripts and input tags Concept of Third Generation Botnets ( Give me your money ) 34

Web Injects Log Detection http://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html 35

Web Injects Action 36

Understanding Web Fakes How? Web Fakes Plugins used to spoof the content in browsers Supports both protocols HTTP/HTTPS Based on the concept of internal URL redirection All browsers are affected Plugins use the defined metrics in the configuration file URL_MASK URL_REDIRECT FLAGS POST_BLACK_MASK POST_WHITE_MASK BLOCK_URL WEBFAKE_NAME UNBLOCK_URL 37

Web Fakes Function Calls 38

Web Fakes Real Example 39

Why? Browsers - Form Grabbing Keylogging produces plethora of data Form grabbing extracting data from the GET/POST requests Based on the concept of hooking Virtual Keyboards Implements the form grabbing functionality to send POST requests No real protection against malware 40

Facts and Reality Browsers - Form Grabbing All the third generation botnets use this technique Very hard to overcome the consequences All browsers can be circumvented to execute non legitimate hooks 41

Demonstration 42

Other Information Stealing Tactics.. Bot Plugin Architecture Credit Card Grabber Certificates Grabber SOCKS 5 Backconnect FTP Backconnect RDP BackConnect DDoS Plugins Webcam Hijacker Infecting Messengers (Spreaders) And so on depending on the design! 43

Questions! 44

HOPE Conference Crew http://www.hope.net Thanks SecNiche Security Labs http://www.secniche.org http://secniche.blogspot.com Contact Me Email : adi_ks [at] secniche.org 45

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information