Introducing Malware Script Detector
Transcript of Introducing Malware Script Detector
Introducing The Malware Script Detector (MSD)
By d0ubl3_h3lix, http://yehg.net
Tue Feb 19 2008
Agenda
• Counter Strategy
• Overview
• XSS Coverage
• Versioning Info
• Standalone MSD
• Detection Screenshots
• Why MSD?
• Weaknesses
Counter Strategy
• Using the Power of JavaScript, Malware Script Detector detects JavaScript malware which itself uses the Power of JavaScript
Overview
• Runs on Gecko browsers (Firefox, Flock, Netscape, etc.)
• GreaseMonkey addon needed
• Acts as a browser IDS
• Intended for web client security
• Recommended for every web surfer
• Please don’t underestimate MSD by looking at its very simple source code
Overview (Cont.)
• Coded mainly to detect today’s popular and powerful malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF
• Version 2 was enhanced to prevent most XSS threats and includes XSS attack blacklists based on the Firefox XSS-Warning addon
XSS Coverage
MSD was coded to detect the following XSS exploitation areas:
• data: protocol exploitation, like:
  - data:image/gif
  - data:text/javascript
  - data:text/html
• jar: protocol exploitation
• file: protocol exploitation by locally saved malicious web pages
XSS Coverage
• Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, telnet:, res:, x-gadget (MS Vista), call (VoIP), aim:, etc.
• Unicode injection
• UTF-7, null-byte (\00), backslash injection (u\r\l), comment star-slash injection (/* */), injection like \u00, \x00, etc.
XSS Coverage
• MSD was thoroughly tested with:
  - RSnake’s XSS CheatSheet
  - XSS-ME Addon Attack List
  - Dabbledb.com’s Xssdb list
  - CAL9000 XSS List
Versioning Info
GreaseMonkey Version
• Main Objective: Alert XSS attacks to users
• Must be installed by users
• Requires Gecko browser + GreaseMonkey addon
• Version 1 – Detect malware scripts
• Version 2 – Detect malware scripts + prevailing XSS
Versioning Info
Standalone Version
• Main Objective: Alert XSS attacks to users & webmaster
• Must be deployed by web developers
• Browser-independent
• No checking whether users have the GreaseMonkey version
• Version 1 – Detect malware scripts + prevailing XSS
Standalone MSD
• Standalone version was created as a single .js file for web developers
• To embed in their footer files
• To notify both visitors and webmasters of XSS injection attempts & attacks
• Browser-independent, unlike the GreaseMonkey script version
• Intended for web application security as a portable lightweight solution
Detection Screenshots
Why MSD?
• XSS payloads like:
  http://victim/?q="><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…..etc
Why MSD? (Cont.)
• Never get DETECTED by web-server-level firewall/IDS/IPS
• Because the code is totally executed in the client’s browser
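The scanner below is an added example, not MSD's own code, covering both the XSS Coverage slides (the encodings MSD has to see through) and the point above (the part of the URL after "#" stays in the browser, so only a client-side check ever sees it). The rule names, the normalisation order, the use of Node's Buffer for UTF-7 and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not MSD's own code. Normalises the encodings the coverage
// slides list and then matches a short rule list; rule names, normalisation
// order and the sample URLs are assumptions made for illustration.
const RULES = [
  ["script-tag",       /<\s*script\b/i],
  ["event-handler",    /\bon[a-z]+\s*=/i],
  ["eval-of-fragment", /eval\s*\(\s*location\.hash/i],
  ["dangerous-scheme", /\b(javascript|vbscript|livescript|mocha|data|jar|res):/i],
];

// UTF-7 "+<base64>-" runs carry UTF-16BE code units (e.g. "+ADw-" is "<").
// Buffer assumes Node; in a browser user script use atob() instead.
function decodeUtf7(s) {
  return s.replace(/\+([A-Za-z0-9+/]{2,})-/g, (m, b64) => {
    const b = Buffer.from(b64, "base64");
    let out = "";
    for (let i = 0; i + 1 < b.length; i += 2) out += String.fromCharCode((b[i] << 8) | b[i + 1]);
    return out;
  });
}

// Undo the obfuscations the deck lists so the rules see the plain payload.
function normalise(url) {
  let s = url;
  try { s = decodeURIComponent(s); } catch (e) { /* malformed %-escape: scan it raw */ }
  s = s.replace(/\\u([0-9a-f]{4})/gi, (m, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/\\x([0-9a-f]{2})/gi, (m, h) => String.fromCharCode(parseInt(h, 16)));
  s = decodeUtf7(s);
  s = s.replace(/\x00/g, "");              // null-byte splitting: "<scr\0ipt"
  s = s.replace(/\/\*[\s\S]*?\*\//g, "");  // comment splitting: "<scr/**/ipt"
  return s;
}

// Returns the names of every rule that fires on the normalised URL.
// In a user script this would be called on location.href, which still
// contains the '#' fragment that never reaches the server.
function scanUrl(url) {
  const s = normalise(url);
  return RULES.filter(([, re]) => re.test(s)).map(([name]) => name);
}

// Constructed samples; alert(1) stands in for any payload.
const SAMPLES = {
  fragmentEval: 'http://victim/?q="><script>eval(location.hash.substr(1))</script>#payload',
  utf7:         "http://victim/?q=+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
  nullSplit:    "http://victim/?q=%3Cscr%00ipt%3Ealert(1)%3C/script%3E",
  commentSplit: "http://victim/?q=<scr/**/ipt>alert(1)</script>",
  scheme:       "http://victim/?next=jaVasCript:alert(1)",
  benign:       "http://victim/?q=hello+world#section-2",
};
```

Rule lists of this kind fire on decoded text, so each added decoding step widens coverage but also adds false alerts, which is exactly the trade-off the Weaknesses slide mentions.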
Why MSD? (Cont.)
• Malicious sites intentionally embed malicious JavaScript attack frameworks
• Bad guys 0wn web server boxes, and secretly install those attack frameworks as web backdoors or trojans to abuse users
Why MSD? (Cont.)
• No way to detect such malware scripts unless we check the HTML source code
• Disabling JavaScript, using NoScript/VMware, or always checking source code are not effective solutions for most cases
• Given the above scenarios, MSD becomes a nice solution for us
Oh, But …
Weaknesses
• Doesn’t check POST/COOKIE variables
• No guarantee of full protection against XSS
• Many ways to bypass MSD
• XSS filtering needs to be updated regularly, while extensive filtering may cause false alerts and much annoyance to users
Where Can I Get It?
Check under the Tools section: http://yehg.net/lab/#tools.greasemonkey
If you wish to contribute, there is a smoketest page.
Insert your own XSS payload to defeat MSD.
Notify me whenever new attack frameworks are created.
Special Thanks
Goes to
Mario, http://php-ids.org
Secgeek, http://www.secgeeks.com
Andres Riancho, http://w3af.sf.net
For encouragement and suggestions
Reference
• XSS Attacks & Defenses by PDP, RSnake, Jeremiah, Anton Rager, Seth Fogie. Syngress Publishing. ISBN-13: 978-1-59749-154-9
Thank you!