Malware Injection FAQ GS
7/31/2019 Malware Injection FAQ GS
2010 Armorize Technologies Inc. All Rights Reserved

Web Malware Injection FAQ
Version 1.0
February 12, 2010

Web Malware Injection
Frequently Asked Questions (FAQ)
1. What is a Web application?
2. How are Web applications created?
3. What are the threats to Web applications?
4. What is a hacker?
5. Why are Web applications vulnerable to hackers?
6. What is malware injection (Part I)?
7. What is malware?
8. What is malicious code?
9. In a Web application context, what is injection?
10. Where is the code injected to?
11. What is drive-by downloading?
12. Why was malware injection created?
13. Why does malware injection utilize legitimate websites?
14. Why should website owners care about malware injection?
15. Why is search engine blacklisting a concern?
16. If my website is flagged by Google as malicious, what is the next step?
17. Why does malware injection target Internet users?
18. Why should Internet users care about malware injection?
19. What is social engineering?
20. What is the role of social engineering in malware injection?
21. What is malware injection (Part II)?
22. What are the components of malware injection?
23. How is malicious code injected into a vulnerable web page?
24. What type of malicious code is injected into the vulnerable Web application?
25. What is an iframe?
26. What is JavaScript?
27. What is the relevance of iframes and JavaScript in malware injection?
28. What does injected code look like?
29. What happens when a user requests a web page with injected code?
30. What is meant by a browser exploit?
31. What happens once the browser has been exploited?
32. What is malware injection (Part III)?
33. How do I know my website is infecting my customers with malware?
34. When manually testing for malware injection, what precautions are necessary?
35. How do I know my website has been injected?
36. Is there a general format for injected code?
37. How can I tell if my website has injected iframes?
38. How can I tell if my website has injected JavaScript?
39. Are there other means of malware injection besides iframes?
40. How can I tell if my website has injected objects such as Flash or PDFs?
41. How do I know my database has been injected?
42. What other services might a hacker exploit for injection?
43. If my website is injected, is my web server or operating system also compromised?
44. If a web server hosts multiple websites, are they all affected by a single injection?
45. If my website is downloading malware to users, how do I mitigate?
46. If my website is downloading malware to users, how do I remediate?
1. What is a Web application?

A Web application [1] is a software application that is accessed via a web browser over a network such as the Internet.

Generally speaking, Web applications provide dynamic web pages that facilitate interaction between Internet users and more complex components that drive applications such as online payment systems, social networking sites or web-based email.

Web application technology has boosted online business capabilities and has entered the corporate workplace as a means of reducing the overhead associated with software installed on a per-computer basis.

2. How are Web applications created?

Basic Web applications are typically created using code which the browser renders into a web page. The most typical example of this is HTML (HyperText Markup Language), used in static websites.

HTML combined with multimedia plugins and scripting functionality presents more dynamic functionality to the browser, while Web application development platforms and databases provide business logic and data storage capabilities. This enables development of complex, feature-rich applications that can be delivered to end users via a web browser.

Figure 1: Basic Web Application Architecture

[1] A Web application can be considered a more complex and feature-rich form of the commonly used term "website". Both are accessed from a web browser by an address that takes the http://www.abc.com format. However, it is assumed that a website simply presents pages with static content to a browser, while a Web application has higher-level components for business logic processing and data storage.
No matter what technology is used to create the Web application, it is important to note that all of its features are nothing more than carefully coded statements that the browser processes and presents to the end user.

This can be demonstrated using a standard web browser such as Firefox or Internet Explorer. When viewing a web page, on the top menu, click View and Page Source (Firefox) or Source (IE) to view the actual source code from which the displayed page has been rendered. This is demonstrated in Figure 2.

Figure 2: Web Page with Source Code

3. What are the threats to Web applications?

Web applications present the corporate image to a global audience. The website is the first port of call for anyone looking to learn more about a given company. However, they are also exposed to malicious elements who seek to use this public presence as a means of damaging corporate reputation, stealing resources or as a point from which to launch Internet-wide information system attacks.

4. What is a hacker?

The term "hacker" has seen many definitions since it was coined over 40 years ago. However, the general consensus nowadays is that hackers are individuals or groups that seek to circumvent security controls in order to compromise the confidentiality, integrity and/or availability of electronic information systems.

While there are numerous hacker subclasses with varying technology focus and skill levels, the term "hacker" is used exclusively throughout this document. It is also assumed that the primary targets of hackers' attention are Web applications.
5. Why are Web applications vulnerable to hackers?

Traditionally, when software applications were deployed, they were protected not only by some form of user credentials but also through physical and network-level separation from the rest of the world. However, with the advent of online business, a more mobile workforce and increased availability requirements, these applications are now hosted on Web-facing servers which are reachable by anyone with a connection to the Internet.

The ubiquitous nature and constant exposure of Web applications, combined with the relative immaturity of the technology, makes them particularly vulnerable to repeated and ever-evolving attacks from hackers who comfortably enjoy the anonymity that the Internet provides.

6. What is malware injection (Part I)?

Malware injection is the act of inserting or injecting malicious code into a web page so that when Internet users browse the page their computer [2] is infected with malware.

It is important to note that the ultimate target of a malware injection attack is rarely the website itself. The hacker generally wants to quietly insert code into the Web application in order to compromise every computer that browses the website. The methods used to inject code, the types of code and the actual malware categories are discussed in more detail throughout this document.

7. What is malware?

Malware is the industry term used to generally describe malicious software, i.e., software that is designed to compromise the confidentiality, integrity or availability of computer systems.

The term "malware" is broader than the better-known expression "virus", as it also encompasses worms, Trojan horses, rootkits, spyware, adware, crimeware, robot (botnet) clients, etc. A detailed discussion of these specific terms is beyond the scope of this document. For more information refer to Wikipedia's malware page [3].

It is assumed that malware is unwanted software that installs without the computer user's knowledge or consent and results in activities such as:

[2] Note that the term "computer" is used here to refer to all platforms used by an average Internet user surfing the web. This could be a desktop computer, laptop, mobile device, smartphone etc. It is distinct from a server, which is the advanced computing platform used to host the Web application.
[3] http://en.wikipedia.org/wiki/Malware
- Degraded computer operations;
- Intrusive pop-up windows that may or may not solicit payment for goods and services;
- Spam email promoting unwanted products, services or activities deemed distasteful or even illegal;
- Theft of personal, financial or corporate information; or
- Installation of remote control software that allows hackers to control and monitor computer activities.

8. What is malicious code?

Web applications are built upon code that is presented to and rendered in the Web browser. What the Internet user sees when they access their favorite social networking site is simply code that has been processed by the browser to provide the text, graphics, forms, video, audio, etc. that the application developer wants presented.

However, it is possible that this code can be used to adversely affect the Web browser. If a hacker can insert his own code prior to the browser processing it, it is possible that he can control what the browser does.

Thus it can be said that malicious code, in this context, is Web application code that, when processed by the browser, somehow compromises or controls the browser's actions. It should be noted that this is a very general term and that the specifics of malicious code will be examined in more detail throughout this document.

9. In a Web application context, what is injection?

Many Web applications request user input through mechanisms such as online forms, checkboxes, etc. In an adequately secured Web application, there will be filters in place to ensure that data only enters through these interfaces in a format that actually matches what the application expects. For example, if the application requires numbers in the form of a birth date, it should not accept letters.

Injection is when data enters the application by bypassing these security controls and alters the application's behavior in an unexpected manner.

Injection is commonly used by hackers to insert malicious code into otherwise legitimate web pages. Common injection attacks include:

- Code injection, which is the general name given to attacks where additional code is inserted into the application;
- Command injection, where the hacker inserts system commands with the aim of having the web server accept and process those commands;
- Database injection (SQL injection), where the hacker inserts database commands or queries so that the database processes them and returns a response.
10. Where is the code injected to?

When discussing code injection, it is important to note that there are many possible scenarios and attack methods, as follows:

Figure 3: Malicious code injection paths

(a) In this scenario, the hacker utilizes application form fields to pass unfiltered database queries to the database. He either circumvents database access controls or gains access to the passwords stored in the account database. Once he has control of the database, he can write content that is echoed back when pages are requested.

(b) The hacker exploits additional vulnerable services such as FTP or SMTP. This may be through specific vulnerabilities, through passwords obtained from hacker forums or through social engineering. This gives the hacker access to the server and thus to the application files and code.

(c) The hacker gains direct access to the server operating system (OS) through either a vulnerable service or with stolen credentials. Once this access is gained, the hacker has direct access to the application files and code.

(d) In some cases, the hacker may be able to directly compromise the web application itself:
- If the application requires user input, the hacker may provide data that writes to a file on the local hard drive. In certain cases, it may be possible to include executable data in this input which in turn would either retrieve password data or circumvent access controls.
- Many web servers are vulnerable by default, either through vulnerabilities that require patching after installation or through default configuration and credentials. For example, many web servers come with a web-based administration console. If a hacker can exploit this web application, he can control the entire web server.
- Web application files are typically stored within the OS folder structure. In certain web servers, it may be possible to execute an attack such as Path Traversal [4] to browse through the folder structure and access files outside the web application.

11. What is drive-by downloading?

Malware can be downloaded to end-user computers from compromised websites through a number of methods. Traditionally, some user interaction was required, and people were often lured to a website and persuaded to click on a link which resulted in malware downloading and executing on their computers.

However, the term "drive-by downloading" specifically refers to the case where no end-user interaction is required. It is enough to simply visit the web page that has been injected. There is no requirement to click on any link.

The real severity of this particular type of attack is that it is entirely silent. It quietly downloads malware without the user's knowledge or consent. Generally, website owners have no idea that this attack has occurred and that their website is leading to serious compromise of their own customers' security.

For example, in 2009 a major US newspaper was compromised through an advertisement in its online edition. Internet users browsing the web page hosting the advertisement automatically and unknowingly downloaded malware without having to click on any links.

12. Why was malware injection created?

When malware first came to the fore, the impact was largely disruptive and/or embarrassing. Common impacts included automated mass emailing to all contacts in the infected computer's Outlook address book or insertion of offensive files into stored data. In extreme cases, files were deleted from infected computers, which impacted user productivity and damaged faith in information systems as a corporate tool.

[4] For more information on Path Traversal refer to the Open Web Application Security Project (OWASP): http://www.owasp.org/index.php/Testing_for_Path_Traversal
With the emergence of the Internet, hackers have focused more on Web applications, but even this has had distinct phases, as outlined in Figure 4.

Figure 4: Web Application Attack Complexity vs. Goals

Initial website attacks were directed at the corporation itself, with the primary goal being prominent website defacement and the bragging rights that came with it.

As the Internet became an accepted business tool, attackers changed their focus to eCommerce websites with the intention of stealing information such as credit card numbers from corporate databases.

However, with the advent of Web 2.0, improvements in credit card protection mechanisms and an increasingly wired general population, hackers have realized that end users' PCs represent far easier targets for profit-driven criminal enterprises.

Modern malware activities are typically designed to compromise information stored on Internet users' computers, such as web banking credentials or email, file sharing and social network site passwords.
Attackers are generally affiliated with organized crime and have established a business model based on buying and selling malicious code or active malware with guaranteed antivirus evasion capability. There are even defined price structures for information such as credit card numbers, social networking credentials, social security numbers, etc.

13. Why does malware injection utilize legitimate websites?

Malware developers target vulnerable websites as a route for malware injection for a number of reasons.

Improved perimeter security technologies have made traditional network- and system-level attacks more difficult to execute. But system and network security is not the same as application security. With the advent of Web 2.0, many businesses, in a rush to develop an online presence, have failed to secure their Web applications at the code level. This has provided a new attack avenue for hackers with SQL Injection and Cross-Site Scripting (XSS) capabilities.

As Web applications are accessible to both desirable (customers) and undesirable (hackers) Internet users by design, there is essentially an open channel between the untrusted Internet and corporate systems, as illustrated in Figure 5.

Figure 5: Hackers exploit vulnerable Web applications through open ports
By leveraging vulnerable websites, hackers can silently download and execute malware on the computer of every user who accesses the site. Vulnerable websites expose their entire user base, and hackers now have an avenue for distributing malware to thousands or even millions of users.

As the injected website merely serves as a conduit that redirects Internet user computers to malware sites (often via multiple hop points), it is harder for forensic analysis to identify the actual malware source.

14. Why should website owners care about malware injection?

When a vulnerable website is injected in this manner, it becomes a conduit for malware delivery to all computers browsing the site. This malware is typically designed to steal information from computers browsing the infected sites.

The corporate website represents a company's public face. If it is infecting the computers of the very people it is supposed to serve, it cannot be trusted. Without this trust, website traffic will decrease, which in turn will lead to a reduced marketing profile and lost sales opportunities.

If a website develops a reputation as a source of malware, business reputation will be severely impacted. In addition, malware injection will lead to non-compliance with standards such as PCI and may even bring legal consequences if customer confidentiality or privacy has been impacted.

In addition, if a website is downloading malware to computers browsing it, it will be flagged as malicious by search engines such as Google and may eventually be dropped from search query results.

15. Why is search engine blacklisting a concern?

With the advent of Google Safe Browsing and Google's ability to flag sites suspected of being malware sources, malware injection's impact is growing ever more immediate. If, during a Google index cycle, a website appears to be hosting malware, the site will be flagged. This means that users who access a flagged site via Google will be given an ominous warning similar to that shown in Figure 6.
Figure 6: Google Safe Browsing Flags Websites with Malware

If the website remains infected, it may eventually be dropped completely from Google's search results. Even if the malware is removed from the website immediately, the site will stay flagged for a significant time period, driving customers away. In order to remove this status, website owners must submit proof that their website is malware-free. Websites flagged by Google as malicious are documented at http://www.stopbadware.org.

Given the importance of Search Engine Optimization (SEO) as a marketing tool, there is no doubt that Google flagging a website as malicious or dropping it from search results is not good for business.

16. If my website is flagged by Google as malicious, what is the next step?

Once a website has been flagged as malicious by a search engine such as Google, it is critical to remove the injected code in order to stop the drive-by download. For details on identifying injected code refer to (28). For immediate mitigation steps as well as more thorough remediation refer to (45) and (46).

Once the injected code has been removed and it has been verified that malware is no longer being pushed to Internet user computers, it is possible to request a new website review.
Sites flagged by Google as malicious are listed at http://stopbadware.org and the instructions on requesting a review are listed at http://stopbadware.org/home/reviewinfo.

17. Why does malware injection target Internet users?

Increased publicity and awareness has made it difficult to compromise corporate resources from the Internet, but an increasingly wired general public is sharing more and more information via the Internet. These Internet users:

- Store personal, business and other sensitive data on computers connected to the Internet.
- Generally trust any website they choose to access, whether browsing directly, accessing via a search engine or clicking on a link sent from a friend.
- Rely on commercial antivirus solutions for security. These are often outdated due to failure to update signatures. In addition, advances in obfuscation and packing techniques have resulted in most malware being undetectable by commercial antivirus scanners.

The result is a massive number of computers with personal/financial information live on the Internet. They are largely protected by inadequate security mechanisms and are operated by users who implicitly trust websites that are vulnerable to malicious code injection. By leveraging vulnerable websites, hackers now have an avenue for distributing malware to thousands or even millions of users.

18. Why should Internet users care about malware injection?

When Internet users browse to a compromised website, the injected code causes hacker-created content to execute in their browser along with the legitimate website content.

The hacker's ultimate goal is to force the user's computer to silently download and install malware from a site that the hacker specifies. This malware typically grants the hacker full control over the PC, including access to stored, processed or transmitted data.

The impact of malware injection is stolen information such as online banking credentials and credit card details. Theft of personal information in this manner also leads to increased incidences of email hijacking, fraudulent access to social network sites and, in many cases, full-blown identity theft.

19. What is social engineering?
Social engineering revolves around persuading or manipulating people into revealing information or performing specific actions. In a computer security context, social engineering means exploiting people through deception rather than focusing on circumventing technological controls.

20. What is the role of social engineering in malware injection?

If Internet users can be attracted to websites containing hyped content such as celebrity sex tapes or advance movie copies, they become targets for malware injection.

In 2008, sexually explicit photos of Hong Kong movie star Edison Chen with numerous female celebrities were released on the Internet. Armorize Technologies, working with law enforcement and cyber-security agencies throughout the region, quickly uncovered numerous websites that enticed Internet users with promises of the photos in question but actually subjected them to malware injection. By taking advantage of the hype surrounding the photos, hackers found a massive target base for personal data theft.

In this example, there was no requirement for user interaction. The malware download happened invisibly as soon as the browser displayed the expected page.

21. What is malware injection (Part II)?

Having reviewed some concepts critical to an understanding of malware injection, it is time to look a little deeper at how malware injection works.

Malware injection, also known as drive-by downloading, is a hacker technique designed to steal information from Internet users by forcing them to automatically download malicious software without their knowledge or consent.

More specifically, the hacker exploits fundamental Web application vulnerabilities such as poor application input filtering in order to inject a malicious iframe or JavaScript into the Web application.

At a very high level, the concept can be illustrated as in Figure 7. However, it should be noted that the process is actually more complex, and this is presented from the perspective of an end user who has been compromised. While the injected Web application may also be on the server hosting the malware, it is more typical for it to act merely as a conduit for malware injection by ensuring the browser processes malicious code that compromises it.
Figure 7: Basic Drive-by Download Concept

22. What are the components of malware injection?

In a typical malware injection scenario, the hacker's end goal is to take control of the end-user computer. At a high level, and in the most typical example, malware injection requires three components, as follows:

Malicious code: If the website is vulnerable to injection attacks, the hacker will insert code that will be processed by any browser requesting the injected web page. This will cause the browser to request content from another website controlled by the hacker.

Exploit: The exploit is what actually takes advantage of security flaws in the end user's web browser. If the exploit is successful, the hacker will have full control of the web browser. The exploit is typically downloaded from the website that the injected code redirects the browser to.

Malware: Once the browser has been exploited, it can be instructed to carry out any action the hacker requests. Typically this includes accessing another hacker-controlled website or server to download active malware.

The overall process can be summarized as follows:

- Injecting a vulnerable website with malicious code that web browsers will process;
- Using this injected code to exploit web browsers and take control of them;
- Forcing the exploited web browser to download malware to Internet users' computers; and
- Silently executing and installing this malware on end-user computers.
The payload of this malware may vary, but it typically includes software that grants the hacker the ability to remotely control the computer, view video output, capture keystrokes and search through the hard disk for data such as credit card numbers and stored credentials for banking, social network and webmail sites.

Note that this list is far from exhaustive. New malware is released weekly with ever more complex behavioral characteristics and goals.

23. How is malicious code injected into a vulnerable web page?

Many Web applications request user input through form fields. That input is then processed, with the results relayed back to the end user.

Web application developers should ensure that data is processed in accordance with the application's business rules and that server, application or database commands are not supplied to the application through this avenue. This requires filtering application input to ensure that only data deemed valid in accordance with the application's expectations is accepted. For example, if the application expects numeric data from an input field, then any other type of data should either generate a request for properly formatted data, be replaced with default data or be ignored.

However, many Web applications are developed without these controls in place. It is common for poorly secured Web applications to accept commands through form fields which are then passed to the other back-end systems powering the application, such as the web server, server operating system or database, for processing.

With suitably crafted commands passing through the web form to the core application, server or database, a hacker can freely inject the content required for successful malware injection. Typical injection attacks include the following:

- Argument Injection or Modification
- Blind SQL Injection
- Blind XPath Injection
- Code Injection
- Command Injection
- Direct Static Code Injection
- Format String Attack
- Full Path Disclosure
- LDAP Injection
- Parameter Delimiter
- Server-Side Includes (SSI) Injection
- Special Element Injection
- Web Parameter Tampering
- XPath Injection

For more information on injection attacks refer to the Open Web Application Security Project (OWASP) at http://www.owasp.org/index.php/Category:Injection
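The input-to-page path that questions 9 and 23 describe, shown in working code. This is an added example written for this edition of the FAQ; it is not Armorize code and not taken from the original document. It assumes a guestbook-style page that stores visitor comments and echoes them back into its HTML. The comments, the page layout and the function names are all constructed for the example; the only thing borrowed from the FAQ is its 1x1 iframe pointing at http://www.example.com/page_with_malware.htm. The unfiltered renderer turns one poisoned comment into an iframe served to every later visitor; the hardened renderer output-encodes each comment so the same text is displayed rather than processed by the browser.

```javascript
// Added example, not code from the Armorize FAQ: the injection path the FAQ
// describes, as a guestbook page that echoes visitor comments into its HTML.
// The unfiltered version lets a comment containing an <iframe> become part of
// the page served to every later visitor; the hardened version output-encodes
// the five HTML-significant characters so the browser shows the text instead
// of processing it. All comments below are constructed sample data.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Output encoding for text placed inside an HTML element body.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the guestbook page; `encode` decides what happens to each comment.
function renderPage(comments, encode) {
  const items = comments.map((c) => "<li>" + encode(c) + "</li>").join("\n");
  return "<html><body><h1>Guestbook</h1><ul>\n" + items + "\n</ul></body></html>";
}

// Vulnerable: the stored comment is concatenated into the page verbatim.
function renderUnfiltered(comments) {
  return renderPage(comments, (c) => c);
}

// Hardened: every comment is encoded before it touches the markup.
function renderFiltered(comments) {
  return renderPage(comments, escapeHtml);
}

// How many iframe elements would a browser actually create from this page?
function countIframeTags(html) {
  return (html.match(/<iframe\b/gi) || []).length;
}

// Constructed sample: one ordinary comment and one carrying the FAQ's 1x1 iframe.
const sampleComments = [
  "Great site, thanks!",
  '<iframe src="http://www.example.com/page_with_malware.htm" width="1" height="1"></iframe>',
];

console.log("unfiltered page creates", countIframeTags(renderUnfiltered(sampleComments)), "iframe(s)");
console.log("filtered page creates", countIframeTags(renderFiltered(sampleComments)), "iframe(s)");
```

Run it with `node`. The escape table is only correct for text inside an element body; a value placed into an attribute, a URL or a script block needs the encoding for that context, and the input validation the FAQ recommends (reject what the field does not expect) is a separate, complementary control rather than a substitute for encoding on output.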
24.WhattypeofmaliciouscodeisinjectedintothevulnerableWebapplication?
In themost commonexample, thehacker injects code into theWeb application that is rendered in theweb
browser
Thehackersgoal is tohave thebrowserprocesshiscodewithouteither thewebapplicationadministratoror
endusersknowledgeorconsent. Thisiscommonlyachievedthroughinjectionofmaliciouscontentsuchas:
Iframes Javascript Objects Databasequeriesorcommands
25. What is an iframe?
An inline frame or iframe causes a second HTML document, which may come from an external domain, to render inside a requested web page.
Iframe syntax utilizes the HTML <iframe> tag and allows the specification of a number of attributes such as:
- The actual website from which the iframe content is retrieved (the src attribute)
- The position of the iframe within the overall web page
- Display dimensions (width and height), which can be set to zero
- Display status, which can be set to none (for example with the CSS rule display:none)
Therefore it is possible to use an iframe to embed content from a third-party website and have it render invisibly in the web browser when an otherwise legitimate web page is requested. A typical iframe is shown below. If this was inserted into a corporate home page, content from page.html would render when the home page was opened in the browser.
26. What is javascript?
JavaScript is a scripting language that is interpreted by Web browsers. It allows Web application developers to control and augment browser functionality and to add dynamic features that cannot easily be achieved through HTML alone.
Typical javascript functionality includes visual effects, form field validation and the dynamic creation of event dialogs and new windows. It is also possible to use javascript to dynamically create iframes, for example by calling document.write() with the iframe markup or by inserting an iframe element into the document when the page loads. This makes the iframe more difficult to find through rudimentary visual inspection, because the <iframe> tag never appears in the page source as served.
27. What is the relevance of iframes and javascript in malware injection?
In malware injection scenarios, hackers take advantage of vulnerable Web applications to inject malicious iframes into otherwise legitimate and typically popular web pages. The injected iframe will either use standard HTML syntax or can be in the form of javascript which will dynamically create the iframe when the page is displayed in the browser.
Whatever the injection method, the goal is the same. The iframe causes a third-party web page to render inside the requested web page. This is used to call up an external exploit designed to compromise the web browser that requests that page.
28. What does injected code look like?
The most basic form of injected code is a malicious iframe. If such an iframe, pointing at http://www.example.com/page_with_malware.htm with a width and height of 1 pixel, is present in the HTML of a requested web page, it would cause content from that address to render in an invisible 1 pixel x 1 pixel window.
However, typically when hackers inject an iframe into a website they may disguise the code by making it look like something else. For example, the injected iframe code can be scrambled or encoded so that visually it looks nothing like the original syntax but acts as normal when executed as a web page.
Note that this does not protect or encrypt the HTML code but simply serves to hide it from someone looking for an iframe. For example, the iframe referenced earlier can be converted to a JavaScript Unicode string using a freely available encoding tool5. The process of disguising code through scrambling or encoding is generically referred to as obfuscation.
5 http://www.auditmypc.com/html-encoder.asp
29. What happens when a user requests a web page with injected code?
In the above example, when an Internet user browses to the injected web page, the javascript dynamically generates an iframe. This causes malicious content from a website controlled by the hacker to execute inside the requested (and presumed legitimate) web page.
This hacker-controlled website is often referred to as the Hop Point and contains the actual attack directed at the Web browser. The malware injection process is described in more detail in Figure 8.
In the case of an exploit that is loaded from the Hop Point through the iframe, the target is typically the web browser itself. In one common example, the exploit uses a technique called Heap Spraying6: it fills the browser's heap with many copies of a small set of machine instructions (shellcode) so that, when a memory corruption flaw in the browser is triggered, execution lands in those instructions and the browser carries them out.
6 A discussion of Heap Spray attacks is beyond the scope of this document. Refer to http://en.wikipedia.org/wiki/Heap_spraying for more information.
30. What is meant by a browser exploit?
The initial goal of the injected iframe is to render content from a website controlled by the hacker inside the requested web page.
The iframe content typically contains a web browser exploit, i.e., code that exploits software flaws in a web browser in order to force it to do something unexpected such as crashing or reading/writing data on the local hard drive.
Appropriately crafted exploit code will cause the browser to fall under the control of the hacker. It will then accept commands embedded in the exploit and will carry out the tasks assigned to it by those commands.
Alternatively, the exploit may be specific to any number of browser extensions such as those that support PDF, Flash, etc. In either case, the goal is to take control of the browser, forcing it to perform tasks specified by the hacker.
31. What happens once the browser has been exploited?
The primary goal of the exploit is to force the web browser to connect to a malicious site in order to download malware such as remote control utilities and backdoors, as well as programs that automatically crawl the hard disk in search of information such as credit card details or bank accounts.
32. What is malware injection (Part III)?
Now that we have reviewed basic and intermediate concepts, we can look in more detail at the malware injection process. A typical malware injection scenario is illustrated in Figure 8.
Figure 8: Malware Injection Process Flow
Step 1: Malicious iframe injection
The hacker takes advantage of Web application vulnerabilities to inject a malicious iframe into one or more web pages. The injection is typically either in HTML code or in javascript that dynamically generates the iframe when the browser requests the web page. In addition, the injected code is usually scrambled or encoded to make it more difficult to discover by both automated and manual inspection.
Step 2: Browser exploit placed on Hop Point
In parallel to step 1, the hacker places the exploit code that will attack the browser on the Hop Point website. The injected code in step 1 causes this web page to render in the requested web page.
Step 3: Malware placement
In parallel to steps 1 and 2, the hacker places malware on a server under his control. This malware contains the utilities that will be silently downloaded to the computer of every user that browses the website injected in step 1.
Step 4: Legitimate Web application access
Internet users browse the injected website and request the page that has been injected with a malicious iframe.
Step 5: Malicious iframe execution
When Internet users request the compromised web page, the iframe renders content from the Hop Point. This page contains the exploit code that directly targets the browser or takes advantage of vulnerable browser extensions such as a PDF reader.
Step 6: Exploit
The exploit code from the Hop Point web page is executed in the Web browser via the injected iframe. In one example, the exploit code utilizes the Heap Spray7 attack to take control of the browser. Once the exploit has taken control of the browser, it provides a set of instructions for the browser to execute.
Step 7: Malware request
The exploited browser executes the commands issued to it in the exploit code. This includes requesting the malware from a server specified by the hacker.
Step 8: Malware download
The browser silently downloads the malware, which is written to disk and executed.
33. How do I know my website is infecting my customers with malware?
Antivirus is not adequate
7 A discussion of Heap Spray attacks is beyond the scope of this document. Refer to http://en.wikipedia.org/wiki/Heap_spraying for more information.
Poorly written malware will set off antivirus alarms on end-user PCs accessing the injected website. While this is embarrassing and damages the corporate reputation, ultimately it will not compromise those clients who have enabled and properly configured their basic desktop security mechanisms.
However, the vast majority of malware is crafted using obfuscation, encoding and packing techniques that let it evade even fully up-to-date antivirus products. When dealing with this type of malware, signature-based detection is largely ineffective.
Google Safe Browsing API is not adequate
Malware injection causes Internet users to download and execute malware without their knowledge or consent. Without active malware injection monitoring, business owners will only become aware that their website is initiating drive-by downloads when it is flagged by search engines (such as Google) as a source of malware. Once this happens, business reputation will be severely damaged and website traffic will decrease, driving down business rev
enue and marketing profile.
There are technologies that consolidate malware threat feeds and signatures from Google's malware samples. However, as they are largely reliant on Google's Safe Browsing index, they will rarely alert businesses in time to prevent Google flagging.
Behavioral analysis detects malware injection immediately
The ideal solution is an active malware injection monitoring service such as HackAlert. This behavioral analysis solution scans the website continuously, generating HTTP requests and analyzing the HTTP responses for content that exhibits potentially malicious behavior, such as obfuscated redirection to third-party websites or active malware downloads. For more information on HackAlert refer to the HackAlert FAQ.
34. When manually testing for malware injection what precautions are necessary?
It is important to remember that simply browsing an infected site is enough to compromise a PC. If manual verification is required, a number of safeguards are recommended.
Log on as a non-privileged user
Much of the malware circulating on the Internet requires local administrator rights to install itself fully. Simply browsing the Internet while logged on with a non-privileged regular user account can limit the impact of malware. For example, malware running in the context of an administrator can do the following:
- Install kernel-mode rootkits and/or keyloggers (very difficult or impossible to detect)
- Install and start services
- Install ActiveX controls, IE and shell add-ins (common with spyware and adware)
- Access data belonging to other users
- Cause code to run whenever anybody else logs on
- Capture passwords entered into the Ctrl-Alt-Del logon dialog
- Replace OS and other program files with trojan horses
- Access sensitive account information, including account info for domain accounts
- Disable/uninstall antivirus
- Cover its tracks in the event log
- Render the machine unbootable
Use virtual machines
Instead of browsing the website from the host OS, install software such as VMware to create a hardened OS image accessed with non-privileged account credentials. As an added security measure, configure this VM to automatically reset to a clean snapshot after each use.
Third-party tools
Instead of browsing directly to a website, use third-party tools such as:
- cURL: command-line tool, writes the page source to the screen or to a file
- WGET: command-line website crawler, writes to file (http://daniel.haxx.se/docs/curlvswget.html)
These tools retrieve the raw page without executing any script or plugin content, which is what makes them safer than a browser. Bear in mind, however, that a Hop Point may serve different content depending on the User-Agent and Referer headers of the request, so a fetch with default headers may not return what a real visitor's browser receives.
Secure the browser
Set browser security to high to prevent unwanted javascript from running. Note that this is not going to prevent exploits in downloaded PDFs from running though.
Use Firefox with NoScript (https://addons.mozilla.org/en-US/firefox/addon/722) to only run scripts from sites that have been manually added to a whitelist.
35. How do I know my website has been injected?
In a typical malware injection scenario, a hacker will take advantage of a vulnerable website to inject some form of malicious content that will exploit the web browser when the page is displayed. If a web page is suspected to have been injected it will be necessary to examine the application code and web server for evidence of:
- Injected iframes
- Injected javascript
- Injected objects such as Flash, PDF
- Database injection
- Compromise of other services such as FTP
36. Is there a general format for injected code?
In general, injected Web application code (iframes or javascript) will take a format similar to:
[obfuscated javascript that contains eval(xyz);]
37. How can I tell if my website has injected iframes?
There may be a legitimate need for iframes in the application, so in a manual inspection it is up to the application owner to distinguish the legitimate code from the injected code. Automated tools such as Armorize HackAlert enable this, but even with manual inspection there are some tell-tale signs to look for. Refer to the previously discussed iframe, which is shown again below.
In particular, a reference to a third-party website and obvious efforts to hide the frame (dimensions set to zero, visibility set to hidden) would indicate injection. This iframe would typically be disguised (or obfuscated) using one of a number of freely available encoding tools8 to yield the following:
8 http://www.auditmypc.com/html-encoder.asp
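As an added example (not code from the original FAQ), the following Python script applies the tell-tale signs listed above to a page: it parses every <iframe> tag and reports those whose src points at another host, whose width and height are 0 or 1 pixel, or whose style hides the frame. The sample page, the site host name www.corporate-site.example and the 1-pixel threshold are assumptions made for illustration; the www.example.com address is the FAQ's own placeholder.

```python
"""Flag iframes showing the tell-tale signs of injection: a third-party src,
0 or 1 pixel dimensions, or CSS that hides the frame. Added example built on
the Python standard library; the sample page and the site host name are
constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.corporate-site.example"   # assumed host of the page being checked

# Constructed sample page: one legitimate same-site iframe, the 1x1 iframe
# from question 28, and one hidden the way injected frames usually are.
SAMPLE_HTML = """
<html><body>
<h1>Corporate home page</h1>
<iframe src="/help/contact.html" width="400" height="300"></iframe>
<iframe src="http://www.example.com/page_with_malware.htm" width="1" height="1"></iframe>
<iframe src="http://www.example.com/page2.htm" width="0" height="0"
        style="visibility:hidden; display:none" frameborder="0"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def is_tiny(value):
    """True for a width/height of 0 or 1 pixel ('0', '1', '1px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value)
    return m is not None and int(m.group(1)) <= 1


def score_iframe(attrs, site_host):
    """Return the reasons an iframe looks injected; an empty list means benign."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host.lower() != site_host.lower():
        reasons.append("third-party src: " + host)
    width, height = attrs.get("width", ""), attrs.get("height", "")
    if is_tiny(width) and is_tiny(height):
        reasons.append("dimensions %sx%s" % (width, height))
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden via CSS")
    return reasons


def find_suspicious_iframes(page, site_host=SITE_HOST):
    """Return (src, reasons) for each iframe with at least one warning sign."""
    collector = IframeCollector()
    collector.feed(page)
    hits = []
    for attrs in collector.iframes:
        reasons = score_iframe(attrs, site_host)
        if reasons:
            hits.append((attrs.get("src", ""), reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML):
        print("SUSPICIOUS", src, "->", "; ".join(reasons))
```

Run against the page source fetched with cURL or WGET as described in question 34, not against what a browser shows: an iframe created by obfuscated javascript will not be in the static source, which is why the script check in question 38 is needed alongside this one.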
38. How can I tell if my website has injected javascript?
In its simplest form, injected javascript will show up in clear text between <script> tags.
However, it is far more likely that the javascript will be encoded or somehow obfuscated to make it less noticeable to either human or automated detection:
[obfuscated javascript that contains eval(xyz);]
For example, the following code snippet is a piece of drive-by download code that exploits MS06-067, a known Microsoft Internet Explorer vulnerability:
This appears as malicious to automated mechanisms as well as to humans. However, if we run this code through an encoding utility such as Dean Edwards' javascript packer9 we get the results below.
9 http://dean.edwards.name/packer/
The eval() is what carries the malicious code, and the payload is what is contained inside the eval() call. The eval() is suspicious, as are the variable names that have been renamed and the inclusion of the string "shellcode".
In reality, the hacker would run his code through a number of similar utilities to ensure that it was undetectable by both human inspection and signature-based malware detection tools.
As a rule, when it comes to assessing malicious javascript injection it is necessary to:
- Ensure all cleartext javascript is legitimate and is there by design
- Question and examine ALL scrambled, encoded or obfuscated code to determine why it is there and why it has been obfuscated.
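The second rule is easier to apply once the encoding layers are peeled off. As an added example (not the FAQ's own code), the Python script below builds an obfuscated block itself, using the backslash-u and percent escaping that the encoder tools mentioned above produce, around the 1x1 iframe of question 28; it then decodes the block layer by layer and lists the indicators that remain: eval(), unescape(), document.write(), the iframe tag and any third-party URL. It also recognises the fixed prefix that Dean Edwards' packer emits, but it does not execute packed code; seeing inside a packed block requires running it in a sandboxed interpreter, which is out of scope here. The www.example.com address is the FAQ's own placeholder and the indicator list is an assumption.

```python
"""Peel the common escaping layers off a suspicious <script> block and list
the indicators that remain once it is readable. Added example, not code from
the FAQ; it encodes a hidden iframe itself so that it runs offline."""
import re

# The cleartext iframe from question 28 (a 1x1 frame to a third-party page).
CLEARTEXT_IFRAME = ('<iframe src="http://www.example.com/page_with_malware.htm" '
                    'width="1" height="1"></iframe>')


def js_unicode_escape(text):
    """Encode text as a JavaScript \\uXXXX string, the way the free HTML
    encoder tools mentioned in this FAQ hide a tag from a grep for '<iframe'."""
    return "".join("\\u%04x" % ord(c) for c in text)


def percent_escape(text):
    """Encode text as %XX so that it can be wrapped in unescape()."""
    return "".join("%%%02X" % ord(c) for c in text)


def build_obfuscated_sample():
    """Constructed sample: document.write() of the escaped iframe, wrapped in
    a second layer of eval(unescape(...)), as an injected block often is."""
    inner = 'document.write("%s");' % js_unicode_escape(CLEARTEXT_IFRAME)
    return 'eval(unescape("%s"));' % percent_escape(inner)


# \uXXXX, \xXX, %uXXXX and %XX escapes, plus String.fromCharCode(n, n, ...)
_HEX_ESC = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})"
                      r"|%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def _decode_once(text):
    """Remove one layer of escaping."""
    def esc(m):
        hexval = next(g for g in m.groups() if g is not None)
        return chr(int(hexval, 16))

    def char_codes(m):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'

    return _FROM_CHAR_CODE.sub(char_codes, _HEX_ESC.sub(esc, text))


def decode_layers(text, max_depth=5):
    """Strip escaping layers until the text stops changing (bounded, since a
    decoded payload can legitimately contain % or backslash characters)."""
    for _ in range(max_depth):
        decoded = _decode_once(text)
        if decoded == text:
            break
        text = decoded
    return text


# Substrings that, in decoded form, warrant a closer look (assumed list).
# The last one is the fixed prefix Dean Edwards' packer emits; unpacking it
# requires running the function, which this example deliberately does not do.
INDICATORS = ("eval(", "unescape(", "document.write(", "fromCharCode",
              "shellcode", "<iframe", "<script", "eval(function(p,a,c,k,e")


def extract_urls(text):
    """Addresses the decoded script points the browser at."""
    return re.findall(r"https?://[^\s\"'<>]+", text)


def analyse_script(script):
    """Return (decoded text, indicators present in the decoded text)."""
    decoded = decode_layers(script)
    lowered = decoded.lower()
    return decoded, [ind for ind in INDICATORS if ind.lower() in lowered]


if __name__ == "__main__":
    sample = build_obfuscated_sample()
    decoded, found = analyse_script(sample)
    print("raw:     ", sample[:60], "...")
    print("decoded: ", decoded)
    print("flags:   ", found)
    print("urls:    ", extract_urls(decoded))
```

The raw sample contains neither "<iframe" nor "example.com", which is exactly why a grep for the tag or the host name misses injected blocks of this kind; after decoding, both the tag and the third-party URL are visible and can be matched against the list of iframes the application is expected to contain.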
39. Are there other means of malware injection besides iframes?
Malware is an ever-evolving technology. Changes in attack goals and technology improvements have resulted in many iterations and variations from typical attack methods. In some cases the malware injection may not rely on iframes at all:
Malware placed directly on the compromised web server
Earlier examples discussed the situation where a web server is compromised with the intent of forcing the browser to download malware from a website other than the one hosting the compromised application. In this case, some form of redirection is required.
However, if the server hosting the compromised Web application also hosts the browser exploit and the actual malware download, then there will be no need for the hacker to redirect the browser and therefore there is no need for an iframe.
Malicious code inside an embedded object
Recent trends10 indicate that instead of injecting malicious code into the HTML itself, hackers are injecting objects such as PDF documents or Flash animations with the malicious code inside them. The objects are embedded using the <object> or <embed> tags and thus require no iframe. When the browser requests the web page with the malicious object, the browser extension for that object (PDF reader, Flash player, media player) processes the malicious code and is exploited.
Malicious code injected into the database
It is possible to inject malicious code right into the database by inserting commands or queries in user input form fields. Where application input filtering is poor, the attacker can interact directly with the database. Once this is achieved, database credentials can be retrieved, or the stored data that the application later renders into its pages can be modified (for example by appending an iframe or script tag to every text column) so that all browsers viewing pages built from that data are redirected to a website of the hacker's choosing. Again, if the redirection is dynamically specified in database output, there may not be any evidence in the web page code itself.
10 Adobe Reader Zero-Day Exploit, Dec 2009, http://www.pcworld.com/businesscenter/article/184704/adobe_reader_zeroday_exploit_protecting_your_pc.html
40. How can I tell if my website has injected objects such as Flash or PDFs?
Objects such as PDFs, images, iframes, etc. can be embedded in the HTML code using the appropriate embedding tag. In addition, Flash animations will also rely on the <object> or <embed> tags.
Hackers can embed code in these components to compromise the browser extensions that handle them. If the objects themselves are malicious, examination of the HTML code will not reveal anything other than the presence of the object. Without attack signatures from the plugin vendors, it may be difficult to identify these components as malicious. In this case it is recommended to question all tags related to object embedding to ensure that they are legitimate. A practical check when no signature exists is to compare each embedded file against the copy in version control or the last known-good deployment: a PDF or SWF whose size, hash or modification time differs from the release is a candidate for closer analysis.
41. How do I know my database has been injected?
Web applications rely heavily on databases. They are often referred to as being dynamic due to the fact that much of what is displayed in the browser is not a result of the web code itself but is instead dynamically generated from the database in response to user input.
If a hacker has managed to successfully inject commands directly into the database, they may be able to control it and thus govern what is returned to web browsers. This may include iframes or other malicious content that seeks to exploit the browser.
In some cases, there may be little evidence in the source code. A more effective strategy at this stage is to analyze the HTTP logs with a specific focus on the application form fields. In this way it may be possible to isolate SQL query syntax that passed through the form fields. Note that a standard web server access log records only the request URL, so parameters sent in GET query strings are visible but POST form bodies are not unless the application or a web application firewall logs them.
Queries with parameters that will always be true are general indicators of SQL injection attempts, as in the example shown below, where the value 1' OR '1'='1 supplied in the Username and Password fields turns the WHERE clause into a condition that matches every row:
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
For more information on general SQL injection testing steps refer to OWASP's SQL Injection testing guide11.
11 Testing for SQL Injection (OWASP-DV-005)
http://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OWASP-DV-005%29
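As an added example (not from the FAQ), the Python script below runs the log analysis described above over a few constructed Apache combined-format lines: it parses each request, URL-decodes the query string parameters and flags the values that carry SQL syntax, including the always-true condition from the query above, UNION SELECT, comment sequences, stacked statements and HTML tags such as <iframe> being written into the database. The log lines, client addresses, parameter names and rule list are invented for illustration.

```python
"""Scan web server access log lines for SQL syntax arriving in form fields.
Added example using only the Python standard library; the log lines, client
addresses and parameter names are constructed for illustration."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" format lines: two ordinary requests followed
# by three from one client that carry SQL in the query string. Only GET
# parameters appear in a standard access log; POST bodies have to be logged
# by the application or a WAF before this kind of analysis can see them.
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Feb/2010:10:01:02 +0000] "GET /login.php?user=alice&pass=Secret1 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Feb/2010:10:01:09 +0000] "GET /news.php?id=42 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2010:10:02:31 +0000] "GET /login.php?user=1%27+OR+%271%27%3D%271&pass=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2010:10:02:40 +0000] "GET /news.php?id=42+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 500 211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2010:10:03:15 +0000] "GET /news.php?id=42%3B+UPDATE+news+SET+body%3Dbody%7C%7C%27%3Ciframe+src%3Dhttp%3A%2F%2Fwww.example.com%2Fpage_with_malware.htm%3E%27 HTTP/1.1" 500 211 "-" "Mozilla/5.0"
'''

# ip, ident, user, [timestamp], "METHOD target protocol", status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Each rule names one kind of SQL syntax that has no business in a form field.
# The tautology rule matches the always-true condition from the query above
# (OR '1'='1', OR 1=1, ...) without firing on a plain apostrophe in a name.
RULES = [
    ("tautology", re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2(?!\w)", re.I)),
    ("union_select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)),
    ("sql_comment", re.compile(r"--|/\*")),
    ("stacked_query", re.compile(r";\s*(UPDATE|INSERT|DELETE|DROP|EXEC)\b", re.I)),
    ("html_tag", re.compile(r"<\s*(iframe|script|object|embed)\b", re.I)),
]


def classify_value(value):
    """Names of the rules a decoded parameter value triggers (empty = clean)."""
    return [name for name, pattern in RULES if pattern.search(value)]


def scan_log(text):
    """Return one finding per request whose parameters trigger any rule."""
    findings = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        hits = []
        # parse_qsl splits first and URL-decodes afterwards, so an encoded
        # ';' or '&' inside a value cannot split one parameter into two.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            rules = classify_value(value)
            if rules:
                hits.append((name, rules))
        if hits:
            findings.append({"ip": match.group("ip"), "time": match.group("ts"),
                             "path": url.path, "status": match.group("status"),
                             "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(path)s status=%(status)s" % finding)
        for name, rules in finding["hits"]:
            print("    parameter %r: %s" % (name, ", ".join(rules)))
```

The status code in each finding is worth keeping: a 500 after a UNION or stacked statement usually means the database raised an error, while a 200 after a tautology in a login form is the more worrying case, since it suggests the condition was accepted.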
42. What other services might a hacker exploit for injection?
There are numerous injection paths into the server besides the Web application and the database.
Web server
If the Web server itself is vulnerable the hacker may be able to gain access to it in order to control it. For example, if the server configuration has not been changed from the defaults, the hacker may be able to access the administration website via known default passwords. Alternatively, if the web server has not been patched against attacks such as path traversal, the hacker may be able to navigate from the website to the server file system.
Other services
If other services such as FTP, SMTP, etc. are running on the server, it may be possible to gain elevated privilege through an associated vulnerability or a commonly known password. For example, it is very common for hackers to share FTP passwords for hosting servers. These passwords are typically supplied to website owners to facilitate content uploads, but they are rarely changed and eventually leak out.
Operating system
If the operating system itself is vulnerable, a hacker may be able to inject OS-level commands via the website or another running service. There are also many Trojan applications that are specifically designed to trawl infected computer hard drives looking for passwords that can be used to exploit servers in the same domain. For example, if a Trojan is placed on a workstation in the company.com domain, it will report back all passwords stored on that computer. Once the writer of the Trojan gets these, he will attempt to use them to break into public-facing servers. If the infected computer belonged to an administrator, it is highly likely that there will be some valuable passwords stored.
43. If my website is injected, is my web server or operating system also compromised?
Malware injection takes advantage of vulnerable web applications to inject code that exploits and controls web browsers accessing the application. In a typical scenario both the browser exploit and the malware itself reside on servers other than the one hosting the website. This is illustrated in Figure 8.
Therefore, malicious code injected into a single website does not necessarily indicate a compromise of the web server itself. It is important to note, however, that if the website is vulnerable to injection it may be possible for a hacker to leverage this to inject database or operating system commands, which may result in total server compromise.
This leads to the other malware injection scenario, where the browser exploit and malware reside on the server hosting the website. In this case, the hacker does not use any iframes or javascript but instead ensures that browsers accessing the website are compromised directly.
This is a less common scenario, as websites hosting and serving up actual live malware are much easier to find than simple iframes.
44. If a web server hosts multiple websites, are they all affected by a single injection?
Malware injection takes advantage of vulnerable web applications to inject code that exploits and controls web browsers accessing the application. In a typical scenario, both the browser exploit and the malware itself reside on servers other than the one hosting the website. This is illustrated in Figure 8.
Therefore, malicious code injected into a single website does not necessarily indicate a compromise of all the websites hosted on the server. It is important to note, however, that if the website is vulnerable to injection and the attacker gained entry via the OS or other vulnerable services, it is highly likely that they can compromise the other websites on the server as well.
45. If my website is downloading malware to users how do I mitigate?
It is critical to stop the drive-by download as soon as possible in order to protect clients and to ensure that the website is not flagged as malicious by search engines such as Google12. However, mitigation only addresses the immediate problem. It does not deal with the root cause.
Code identification
In order to remove the injected code, it will be necessary to examine the web page for syntax such as:
[obfuscated javascript that contains eval(xyz);]
It is also necessary to review all javascript statements to determine:
- Whether they are legitimate or have been injected by a hacker
12 Note that immediate mitigation steps may have the effect of destroying evidence which could be of use in subsequent investigation. Take a copy of the affected files and logs before changing anything.
- Why they are scrambled, encoded or obfuscated
- What the syntax is once they are decoded
- Whether the actual decoded javascript calls up an iframe or redirects to a third-party website
If the javascript code is not a legitimate part of the application then it must be removed.
It is also necessary to examine embedded objects (using the <object> and <embed> tags) such as Flash, PDF and images. It is possible for hackers to embed code in these components to compromise the browser extension that handles them. In general, it is recommended to review all objects to be sure they serve a legitimate function.
Remove injected code
Removing injected code from the compromised web page will provide instant mitigation but will not resolve the underlying issue. This is because the vulnerability that allowed injection in the first place (most likely resulting from a failure to filter application input or output) will continue to exist. This means that the hacker is free to come back and carry out the injection again. For more information on root cause remediation see question 46.
Restore from backup
If the injected code cannot be identified and there is a known good backup of the web application source code, then the application can be reinstalled from it. However, if the restored application has the same vulnerabilities, it is only a matter of time before the injection happens again.
Removal through egress filtering
It is also possible to enable automated removal of malicious elements from outbound HTTP responses. This will require integration between the malware detection process and perimeter egress controls working at the application layer.
If the actual exploit code being downloaded to web browsers can be identified, it may be possible to utilize the outbound HTTP (response) analysis capabilities of the web server or the Web Application Firewall (WAF) to filter out traffic with those patterns. For example, Armorize HackAlert supports a web server plugin that receives HackAlert notifications and automatically filters malicious elements out of HTTP responses in real time.
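As an added example (not the HackAlert plugin described above, and not code from the FAQ), here is a minimal WSGI middleware in Python that performs the same kind of egress filtering: once an analyst has confirmed what the injected elements look like, it removes them from every outbound HTML response, corrects Content-Length and marks the response with a header so the event can be alerted on. The pattern list, the sample application and the www.example.com address are assumptions made for illustration.

```python
"""Egress filter: remove confirmed injected elements from outbound HTML.
Added example of a WSGI middleware (it is not the HackAlert plugin described
in this FAQ); the pattern list and the sample application are constructed."""
import re
from wsgiref.util import setup_testing_defaults

# Patterns an analyst has confirmed as injected on this site (assumed): any
# iframe pulling from www.example.com, and any script that evals unescape().
INJECTED_PATTERNS = [
    re.compile(rb'<iframe\b[^>]*\bsrc=["\']?https?://www\.example\.com[^>]*>\s*</iframe>', re.I),
    re.compile(rb'<script\b[^>]*>\s*eval\(unescape\([^<]*</script>', re.I),
]


def strip_injected(body):
    """Return (cleaned body, number of elements removed)."""
    removed = 0
    for pattern in INJECTED_PATTERNS:
        body, count = pattern.subn(b"", body)
        removed += count
    return body, removed


class EgressFilter:
    """WSGI middleware that buffers HTML responses, strips injected elements,
    recomputes Content-Length and marks filtered responses with a header so
    that the event can be logged and alerted on."""

    def __init__(self, app, log=print):
        self.app = app
        self.log = log

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)

        result = self.app(environ, capture)
        try:
            body = b"".join(result)          # buffer the whole response
        finally:
            if hasattr(result, "close"):
                result.close()

        headers = captured["headers"]
        content_type = next((v for k, v in headers if k.lower() == "content-type"), "")
        if content_type.lower().startswith("text/html"):
            body, removed = strip_injected(body)
            if removed:
                self.log("egress filter: removed %d injected element(s) from %s"
                         % (removed, environ.get("PATH_INFO", "/")))
                headers.append(("X-Egress-Filtered", str(removed)))
        headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
        headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers)
        return [body]


# Constructed sample application whose home page carries the 1x1 iframe
# from question 28.
INJECTED_PAGE = (b"<html><body><h1>Corporate home page</h1>\n"
                 b'<iframe src="http://www.example.com/page_with_malware.htm"'
                 b' width="1" height="1"></iframe>\n'
                 b"<p>Welcome.</p></body></html>")


def sample_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(INJECTED_PAGE)))])
    return [INJECTED_PAGE]


def run_once(app, path="/"):
    """Drive a WSGI app with one synthetic request; return (status, headers, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return out["status"], out["headers"], body


if __name__ == "__main__":
    status, headers, body = run_once(EgressFilter(sample_app))
    print(status, headers)
    print(body.decode())
```

Because the filter has to see the complete body before it can rewrite Content-Length, it buffers every HTML response, which is acceptable for pages but not for large streamed downloads; in production the same logic belongs in the web server's output filter or the WAF, as the FAQ suggests, and every filtered response should be treated as an incident rather than as a fix.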
46. If my website is downloading malware to users how do I remediate?
Shifting security focus to Web applications does not mean that tried and trusted security mechanisms should be cast aside. Practices such as OS and Web server patching as well as network access controls and firewalls continue to be critical security steps.
However, with the fundamental open channel (reference Figure 5) that exists between the public-facing website and the Internet, additional protection higher in the protocol stack is required. In order to secure the website it is necessary to:
Secure the Web application itself
Secure coding and development practices will ensure that Web application security is implemented from the outset. Typically a great deal can be achieved by ensuring appropriate input and output filtering: validating what the application accepts, passing user-supplied values to the database as bound parameters rather than as part of the query text, and encoding data for the context (HTML, attribute, javascript) in which it is written back to the page. This will ensure that no unexpected or malicious parameters are passed to the Web application or back to the users. However, while fairly simple to implement during development, in a large code base the location of all potential entry points requiring such filtering is best achieved by an automated source code analysis or software verification tool such as Armorize CodeSecure.
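As an added example (not from the FAQ), the Python code below shows what appropriate input and output filtering means in code, using a minimal comment feature backed by an in-memory SQLite database: a lookup built by string concatenation, which the always-true condition from question 41 turns into "return every row", beside the parameterised version; and a renderer that writes stored comments into the page verbatim, so that a stored 1x1 iframe is served to every visitor, beside one that encodes them for the HTML context. The table, the comment text and the validation policy are constructed for illustration.

```python
"""Input and output filtering, injection-prone form beside the hardened form.
Added example, not code from the FAQ; the comments table, the sample comment
and the length limit are constructed for illustration."""
import html
import sqlite3

# Constructed stored comment carrying the hidden iframe from question 28.
INJECTED_COMMENT = ('Nice site! <iframe src="http://www.example.com/page_with_malware.htm" '
                    'width="1" height="1"></iframe>')

# The always-true condition from question 41, as it arrives in a form field.
TAUTOLOGY = "' OR '1'='1"

COMMENT_HTML = "<div class=comment><b>%s</b>: %s</div>\n"


def make_db():
    """In-memory SQLite database with a single comments table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return db


# ---- injection-prone versions ------------------------------------------------

def find_comments_unsafe(db, author):
    """Query built by string formatting: the form field becomes SQL syntax."""
    sql = "SELECT author, body FROM comments WHERE author = '%s'" % author
    return db.execute(sql).fetchall()


def render_comments_unsafe(db):
    """Database output written into the page verbatim: whatever was stored,
    iframe included, is served to every visitor."""
    rows = db.execute("SELECT author, body FROM comments").fetchall()
    return "".join(COMMENT_HTML % (author, body) for author, body in rows)


# ---- hardened versions -------------------------------------------------------

def save_comment(db, author, body):
    """Input filtering: validate what is accepted (assumed policy), then bind
    the values as parameters so the database never parses them as SQL."""
    if not author.isalnum() or not 0 < len(body) <= 2000:
        raise ValueError("rejected comment")
    db.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))


def find_comments(db, author):
    """Parameterised lookup: the tautology is just a name nobody has."""
    return db.execute("SELECT author, body FROM comments WHERE author = ?",
                      (author,)).fetchall()


def render_comments(db):
    """Output filtering: encode stored text for the HTML context it lands in,
    so an injected <iframe> is displayed as text rather than rendered."""
    rows = db.execute("SELECT author, body FROM comments").fetchall()
    return "".join(COMMENT_HTML % (html.escape(author), html.escape(body))
                   for author, body in rows)


if __name__ == "__main__":
    db = make_db()
    save_comment(db, "alice", "Hello")
    save_comment(db, "bob", INJECTED_COMMENT)
    print("unsafe lookup rows:", len(find_comments_unsafe(db, TAUTOLOGY)))
    print("safe lookup rows:  ", len(find_comments(db, TAUTOLOGY)))
    print("unsafe page contains <iframe>:", "<iframe" in render_comments_unsafe(db))
    print("safe page contains <iframe>:  ", "<iframe" in render_comments(db))
```

Note that the hardened save still stores the iframe text unchanged: input validation decides what is acceptable content, parameter binding keeps it out of the SQL, and output encoding keeps it out of the HTML. Each step closes a different path, which is why the FAQ's advice covers both input and output.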
Black-box testing
Also known as penetration testing or vulnerability assessment, this testing technique is used to emulate hacker activity on the running application. Implemented through specialized scanning software or as manual testing, the goal is to locate application entry points vulnerable to the sort of attacks that would allow injection.
Block attacks in inbound HTTP requests
Web Application Firewalls (WAF) such as Armorize SmartWAF inspect inbound HTTP traffic to ensure that there are no attacks embedded in HTTP requests. Note that with the dynamic and evolving nature of attacks, simply blacklisting potential attack patterns may not be very effective.
Monitor and filter outbound HTTP responses
If a website is injected, the most obvious indicator is malware drive-by downloads present in the HTTP response traffic. Armorize HackAlert monitors outbound HTTP traffic to ensure that there are no malicious elements that would signify drive-by downloading. Additionally, HackAlert will work with its web server module to ensure that malicious elements are automatically removed from HTTP responses in real time.