Interception and Analysis Framework for Win32 Scripts
(not for public release)
Tim Hollebeek, Ph.D.
www.cigital.com
tim@cigital.com


Overview

• Background
• Preliminary characterization of attacks/threats
• What we’ve built
• Coverage of threats
• Tech Transfer successes
• Integration


Background: ActiveScripting

• Microsoft architecture for integrating scripts with applications in a language-neutral way.
• Scripting is often used as “Turing glue” to connect and drive disparate software components.

Active Scripting Applications/Hosts
• Web browsers
• Mail readers
• Embedded HTML viewers
• MS Office 2000 applications
• Windows Scripting Host

Active Scripting Languages
• Perl
• JScript
• VBScript/VBA (macros)
• Rexx
• Python


Technical Objectives

• Address the threat of a significant class of mobile malicious code:
– ActiveScripting (JScript, VBScript)
• Provide an interception and logging framework that allows policies to be developed and enforced
• Constrain active scripting capability effectively to balance:
– legitimate uses vs. malicious uses


Scope

• Malicious scripts on Microsoft Windows based platforms
– Script-based viruses, trojans
– Malicious web pages
– Malicious HTML embedded in various files
– Especially: scripts that use one of about 30 vulnerabilities that allow compromise of the machine from scripts (most recent … 9 days ago)


Attacker Objectives

• Traditional “malware” activities
– Viruses, trojan horses
• Fully compromising host computers
• Accessing sensitive data / manipulating sensitive functionality
– Compromising script-aware applications
– Compromising script-dependent applications


Why is this easy?

• MS Windows contains lots of bad code and very few boundaries
• Microsoft architecture is script-friendly
• “big bag of components”
• Much of this infrastructure was built to support distributed applications


Defenses

• Must be at the correct level (or multi-level)
• Most existing defenses aren’t:
– Secure sessions
– Filtering
– Signature schemes
– Kernel/filesystem level defenses
• Commercial world focused on today’s attacks


Categories of Malicious Scripts

(difficulty scale shown on the slide: Easy, Hard, Very Hard!)

• Malicious scripts distributed as attachments
• Scripts that exploit the distributed nature of web applications
• Malicious scripts injected into dynamic web pages
• Malicious scripts that manipulate legitimate functionality
• Embedded scripts that exploit flaws in components or host applications


Malicious Script Capability Matrix

Columns (capabilities): Attach, Flaw, Legitimate, Inject, Web-based
Rows (threats): ILOVEYOU, Kak, Malicious web site, E*TRADE hack, E-bayla, Web bugs, E-mail wiretapping, Future threats
(the cell marks of the matrix are not recoverable from the slide text)


Intercepting ActiveScripting

• What works well:
– Blocking access to flawed components/methods
• Feasible:
– Correlating script activity with lower level information
– Reducing exposure of script-aware applications
– Restricting script actions to a safer subset
• Still difficult:
– Script-dependent and script-based applications


Tech Transfer

• Produced:
– Robust prototype
  • Capable of extensive logging of script behavior on a number of machines to a remote server
  • Ability to block malicious script actions
  • Stable, efficient
– Developing prototype into a tool to be used by the Air Force community
– Extensive logs (14,000 distinct scripts, gigabytes of information about their execution)
– JustBeFriends (~4000 downloads)


Integration

• We can provide:
• Information on all page views
• Script contents and URLs
• Information on script behavior
• During script execution:
– Accesses to all members and methods (with parameters) of Automation objects the scripting engine interacts with
– All actions of the scripting engine
– Other related COM methods
• (possibly) user level correlation information


Logs

• 3 Cigital Labs researchers
• 6-12 months of browsing
• Work-related and “other” sites
• Also some “random” browsing (uses Yahoo!)


Architecture

(architecture diagram; components labelled on the slide:)
• Scripting Engine
• Script Actions
• Browser Architecture
• Events
• Event Manager
• Policy
• XML
• Centralized Logging Server
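To make the event manager / policy layer of the slides concrete, here is an added example that is not the Cigital prototype's code. The real framework hooks the scripting engine and COM in-process on Windows; this model instead takes already-intercepted Automation accesses as plain records, applies a first-match policy (blocking a flawed component or method, allowing a safer subset, and a configurable default for everything else), and queues each access with its verdict as an XML event for a central logging server. The ProgIDs in the rule set, the "Example.*" placeholder ProgIDs, the field names of ScriptAction and the sample actions are all constructed for the demo.

```python
"""Model of the event manager / policy / XML logging path shown on the slides.

Added example, not the Cigital prototype's code. Intercepted Automation accesses
are fed in as ScriptAction records; the rule set and sample actions are constructed.
"""
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class ScriptAction:
    """One intercepted access to a member of an Automation object."""
    script_id: str       # assumed: identifies the script (URL, hash or attachment name)
    prog_id: str         # Automation object ProgID, e.g. "Scripting.FileSystemObject"
    member: str          # method or property name
    params: tuple = ()   # parameters as seen at the IDispatch boundary


@dataclass(frozen=True)
class PolicyRule:
    """prog_id and member are shell-style glob patterns; first matching rule wins."""
    prog_id: str
    member: str
    verdict: Verdict
    reason: str = ""


class EventManager:
    def __init__(self, rules, default=Verdict.ALLOW):
        self.rules = list(rules)
        self.default = default   # ALLOW: characterization/logging mode; BLOCK: safer-subset mode
        self.records = []        # <event> elements queued for the centralized logging server

    def evaluate(self, action):
        for rule in self.rules:
            if (fnmatch.fnmatchcase(action.prog_id, rule.prog_id)
                    and fnmatch.fnmatchcase(action.member, rule.member)):
                return rule.verdict, rule.reason
        return self.default, "no matching rule; default applied"

    def handle(self, action):
        """Decide on an access, log it together with the verdict, and return the verdict."""
        verdict, reason = self.evaluate(action)
        self.records.append(self._to_xml(action, verdict, reason))
        return verdict

    @staticmethod
    def _to_xml(action, verdict, reason):
        ev = ET.Element("event", script=action.script_id, verdict=verdict.value)
        ET.SubElement(ev, "object", progid=action.prog_id)
        ET.SubElement(ev, "member").text = action.member
        params = ET.SubElement(ev, "params")
        for i, p in enumerate(action.params):
            ET.SubElement(params, "param", index=str(i), type=type(p).__name__).text = str(p)
        ET.SubElement(ev, "reason").text = reason
        return ev

    def export(self):
        """Serialize queued events as one XML document for the logging server."""
        root = ET.Element("events")
        root.extend(self.records)
        return ET.tostring(root, encoding="unicode")

    def summarize(self):
        """Per-script counts of allowed and blocked accesses."""
        out = {}
        for rec in self.records:
            counts = out.setdefault(rec.get("script"), {"allow": 0, "block": 0})
            counts[rec.get("verdict")] += 1
        return out


# Constructed policy: block a file-system object and a process-launch method,
# block a placeholder ProgID standing in for a component with a known flaw,
# and explicitly allow a harmless in-memory collection (the "safer subset").
EXAMPLE_RULES = [
    PolicyRule("Scripting.FileSystemObject", "*", Verdict.BLOCK, "file system access from hosted scripts"),
    PolicyRule("WScript.Shell", "Run", Verdict.BLOCK, "process launch from hosted scripts"),
    PolicyRule("Example.FlawedControl", "*", Verdict.BLOCK, "placeholder: component with a known flaw"),
    PolicyRule("Scripting.Dictionary", "*", Verdict.ALLOW, "in-memory collection, safer subset"),
]

# Constructed sample of intercepted accesses from two scripts.
SAMPLE_ACTIONS = [
    ScriptAction("mail-attachment-1", "Scripting.FileSystemObject", "OpenTextFile", ("C:\\example.txt", 2)),
    ScriptAction("mail-attachment-1", "WScript.Shell", "Run", ("example.exe",)),
    ScriptAction("page-42", "Scripting.Dictionary", "Add", ("key", "value")),
    ScriptAction("page-42", "Example.FlawedControl", "Invoke", ()),
    ScriptAction("page-42", "Example.Unlisted", "Get", ()),
]


def run_demo(default=Verdict.ALLOW):
    """Run the sample actions through a manager and return it for inspection."""
    mgr = EventManager(EXAMPLE_RULES, default=default)
    for action in SAMPLE_ACTIONS:
        mgr.handle(action)
    return mgr


if __name__ == "__main__":
    demo = run_demo()
    print(demo.summarize())
    print(demo.export())
```

The default verdict is the knob between the two modes the slides describe: with `Verdict.ALLOW` the manager records everything and only blocks listed components or methods (the characterization phase that produced the large logs), while with `Verdict.BLOCK` any access outside the explicitly allowed subset is refused, which is the "restrict script actions to a safer subset" posture. Because every access is logged with its verdict and parameters, the same records support the per-script correlation mentioned on the Integration slide.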


Conclusions

• Architecture provides a very successful and flexible way to monitor and control scripts on Windows systems
• Can address commonly exploited risks from malicious scripts, which are unaddressed by the current generation of commercial tools
• Work still needed to get a handle on more complex attacks


The End