The Rise of X-Morphic Exploitation

Gunter Ollmann, Director of Security Strategy, IBM Internet Security Systems. 11:00am, 27th April 2008

description

Imagine different exploit code for every user's browser. Subscription-based exploit services. Exploits that are invulnerable to signature-based anti-virus software. X-morphic exploitation may create such a hacker's paradise. Learn about this rising threat and how to combine signature- and behavior-based techniques to fight it.

Transcript of The Rise of X-Morphic Exploitation

Page 1: The Rise of X-Morphic Exploitation

The Rise of X-Morphic Exploitation

Gunter Ollmann
Director of Security Strategy, IBM Internet Security Systems

11:00am, 27th April 2008

Page 2: The Rise of X-Morphic Exploitation

Abstract

• Imagine it: different exploit code for every user’s browser. Subscription-based managed exploit services. Exploits that are invulnerable to signature-based anti-virus software. X-morphic exploitation may create such a hacker’s paradise. Learn about this rising threat and how to combine signature- and behavior-based techniques to fight it.


Page 3: The Rise of X-Morphic Exploitation

The Plan

• Understanding X-Morphic
  – Drive-by downloads, whatchamacallit-morphic
• Attack Components
  – Delivery tactics and obfuscation
• Bringing the parts together
  – Platforms for attack delivery
• What are we observing today?
  – Malware and attack trends, and 1H observations
• Commercial exploitation services
  – Managed Exploit Providers and revenue models


Page 4: The Rise of X-Morphic Exploitation

Understanding X-Morphic

“A great many people enjoy a war provided it’s not in their neighborhood and not too bad”

BERTRAND RUSSELL (1872-1970)


Page 5: The Rise of X-Morphic Exploitation

Drive-by-downloads

• Threat category first appeared in early 2002 (e.g. Spyware popups)
• From 2004, encompasses any download that occurs without the knowledge of the user
• Exploits vulnerabilities within the Web browser or components accessible through it (e.g. ActiveX plugins)
• Objective of attacker is to install malware
• Commercial “drive-by-download” attacks from late 2005.


Page 6: The Rise of X-Morphic Exploitation

The Drive-by-download Process

Follow link to malicious site → Page includes exploit material → Shellcode designed to download package → Package silently downloaded → Malware package silently installed → Host infected

Page 7: The Rise of X-Morphic Exploitation

Serving the Malicious Content

• Started with copy-paste sections of code dropped into a Web page
• Developed into a dedicated bundle of attack scripts
  – Accessed through JavaScript modules
  – Embedded iFrame
• Shared attack modules updated and sold by third-parties
  – Inclusion of exploit obfuscation
• Development of dedicated attack engines
  – Subscription services
  – IP protected by encryption and other safeguards


Page 8: The Rise of X-Morphic Exploitation

Whatchamacallit-morphic?

• Oligomorphic
  – In its simplest form, the malware author ships multiple decrypt engines (or decryptor patterns) instead of just one.
• Polymorphic
  – An evolutionary step from oligomorphic techniques, polymorphic malware can mutate its decryptor through a dynamic build process that may incorporate ‘noise’ instructions along with randomly generated or variable keys. This results in millions of possible permutations of the decryptor.
• Metamorphic
  – Moving beyond polymorphic techniques, metamorphic malware mutates the appearance of the malcode body. This may be effected by carrying a copy of the malware source code and, whenever it finds a compiler, recompiling itself after adding or removing junk code to its source.


Page 9: The Rise of X-Morphic Exploitation

X-Morphic Attack Principles

• Application of oligomorphic, polymorphic and metamorphic principles
• Attack morphing at many different levels:
  – The network layer (e.g. fragmentation)
  – The content delivery layer (e.g. base 64 encoding)
  – The application content layer (e.g. JavaScript)
• Purpose of x-morphic engine:
  – Evade signature protection systems
  – Evade network protection systems
  – Protect exploit code and delivery engine from being uncovered too quickly
• Payload morphing too…
  – Apply principles to the malware too.


Page 10: The Rise of X-Morphic Exploitation

Web Browser Exploitation


Page 11: The Rise of X-Morphic Exploitation

X-Morphic Attack Components

“The Machine, the genie that man has thoughtlessly let out of its bottle cannot put back again”

GEORGE ORWELL (1903-1950)


Page 12: The Rise of X-Morphic Exploitation

The X-Morphic Engine


Page 13: The Rise of X-Morphic Exploitation

The X-Morphic Engine

Exploit → Exploit Morpher → Obfuscator

Exploit
• Stock exploits
• Subscription exploits

Exploit Morpher
• Custom shellcode
• Whitespace & chaffing

Obfuscator
• Application content
• Content Delivery
• Network Layer


Page 14: The Rise of X-Morphic Exploitation

Types of Exploit being Observed

• Originally simple bypasses of trust zones
  – Exploitation of ActiveX URL/file-load commands
  – JavaScript overflow vectors more important with “heap-spraying” from 2004
• Ripped from projects such as Metasploit (from 2005)
• Custom and 0-day exploits


Page 15: The Rise of X-Morphic Exploitation

Types of Exploit being Observed

http://www.iss.net/documents/whitepapers/x-force_threat_exec_brief.pdf


Page 16: The Rise of X-Morphic Exploitation

Exploit Morphing Techniques

• Dynamic
  – substitution ciphers
  – decompression engines
  – string concatenation from out-of-order elements (perhaps from an array)
  – alternating uses of upper and lowercase letters in a string
  – alternating escaped character encodings (e.g. %u -> #u -> \\hex)
• Static
  – client-side evaluation of browser and browser plugins for redirection
  – server-side evaluation of browser id for content selection
  – limiting content retrieval per IP address
  – client-side setting of cookies for later validation


Page 17: The Rise of X-Morphic Exploitation

Exploit Morphing Techniques

• Blob of encoded data
• Small decoding stub in JavaScript

  var encodedText = "dW5lc2NhcGUoIiV1OTA5MCV1OTA5MCIp…";   // encoded blob (truncated on the slide)
  var decodedText = decode(encodedText);                  // stub turns the blob back into script
  document.write(decodedText);                            // and injects it into the page

  function decode(input) { ... }                          // decoder body omitted on the slide


Page 18: The Rise of X-Morphic Exploitation

Exploit Morphing Techniques

• Unwrapped content reveals malicious heap-spraying JavaScript
• Often blobs are encoded multiple times

  var shellcode = unescape("%uyadd%uayad%udaya%uddaa");   // placeholder shellcode
  var nop_sled = unescape("%u9090%u9090");                // NOP sled seed
  while (nop_sled.length <= 40000)
      nop_sled += nop_sled;                               // grow the sled by doubling
  var myArray = new Array();
  for (var i = 0; i < 300; i++)
      myArray[i] = nop_sled + shellcode;                  // fill the heap with sled + shellcode
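As an added defensive example (not code from the slides), here is a small Python scanner that unwraps the base64 "encodedText" layer of page 17 and then looks for the three heap-spray tell-tales of page 18. The sample page, the regexes and the scoring are my own constructions, built to mirror the two slides.

```python
import base64
import re

# Constructed sample page (not from the slides): a base64 blob wrapping the
# heap-spray script of page 18, in the encodedText/decode layout of page 17.
INNER_JS = (
    'var shellcode = unescape("%uyadd%uayad%udaya%uddaa");\n'
    'var nop_sled = unescape("%u9090%u9090");\n'
    'while(nop_sled.length <= 40000)\nnop_sled += nop_sled;\n'
    'var myArray = new Array();\n'
    'for(var i=0; i<300; i++)\nmyArray[i] = nop_sled+shellcode;\n'
)
SAMPLE_PAGE = (
    'var encodedText = "' + base64.b64encode(INNER_JS.encode()).decode() + '";\n'
    'var decodedText = decode(encodedText);\ndocument.write(decodedText);\n'
)

B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
U_ESCAPE = re.compile(r'%u([0-9a-fA-F]{4})')
SLED_SEED = re.compile(r'unescape\s*\(\s*"((?:%u[0-9a-fA-F]{4}){2,})"\s*\)')
GROW_LOOP = re.compile(r'while\s*\(\s*(\w+)\.length\s*<=?\s*(\d+)\s*\)\s*\1\s*\+=\s*\1')
SPRAY_LOOP = re.compile(r'for\s*\([^)]*\)\s*(\w+)\[\w+\]\s*=\s*\w+\s*\+\s*\w+')

def decode_b64_literals(text):
    """Decode every quoted string that parses as base64; skip anything that doesn't."""
    out = []
    for m in B64_LITERAL.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("latin-1"))
        except ValueError:            # binascii.Error is a ValueError subclass
            pass
    return out

def peel_layers(text, max_depth=5):
    """Unwrap base64 layers repeatedly; returns [original, layer1, layer2, ...]."""
    layers, frontier = [text], [text]
    for _ in range(max_depth):
        frontier = [inner for t in frontier for inner in decode_b64_literals(t)]
        if not frontier:
            break
        layers.extend(frontier)
    return layers

def heap_spray_indicators(js):
    """Score the three tell-tales of the page-18 pattern in one script layer."""
    seeds = SLED_SEED.findall(js)
    grow = GROW_LOOP.search(js)
    ind = {
        # unescape("%u9090%u9090"): one %u word repeated is a NOP-sled seed
        "nop_sled_seed": any(len(set(U_ESCAPE.findall(s))) == 1 for s in seeds),
        # while(x.length <= N) x += x: a string doubled until it is tens of KB
        "self_doubling_string": bool(grow and int(grow.group(2)) >= 10000),
        # for(...) arr[i] = sled + shellcode: the spray itself
        "array_spray_loop": SPRAY_LOOP.search(js) is not None,
    }
    ind["score"] = sum(ind.values())
    return ind

def scan(page):
    """Report the strongest evidence found across all unwrapped layers."""
    results = [heap_spray_indicators(layer) for layer in peel_layers(page)]
    best = dict(max(results, key=lambda r: r["score"]))
    best["layers_unwrapped"] = len(results) - 1
    return best

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```

Nothing matches on the outer page; all three indicators only appear once the blob has been unwrapped, which is the point of the encoding layer.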


Page 19: The Rise of X-Morphic Exploitation

Exploit Obfuscators

Application Content Layer
• JavaScript
• File Inclusions

Content Delivery Layer
• HTTP Compression
• Chunked Encoding
• Chaffing

Network Layer
• Packet Fragmentation
• Chaffing


Page 20: The Rise of X-Morphic Exploitation

Obfuscation: Application Layer (1)

• Multiple application-level obfuscation techniques available:
  – Splitting up of the source files and dynamically rebuilding the exploit page. For instance, the use of multiple file inclusions (e.g. .css files, .js files).
  – Execution of embedded scripts to “unpack” and subsequently execute the exploit (often inside a new Web browser window or frame).
  – Utilizing supported file formats (such as Flash and Adobe Acrobat files) which have their own scripting languages and can be rendered inside the Web browser.
• Number of techniques growing monthly…


Page 21: The Rise of X-Morphic Exploitation

Obfuscation: Application Layer (2)

Page 22: The Rise of X-Morphic Exploitation

Obfuscation: Application Layer (3)

Page 23: The Rise of X-Morphic Exploitation

Obfuscation: Application Layer (4)

Page 24: The Rise of X-Morphic Exploitation

Obfuscation: Content Delivery Layer (1)

• Lots of options available:
  – Encryption over SSL and TLS
  – HTTP supported compression such as ‘gzip’ (an encoding format produced by GNU zip), ‘compress’ (an encoding format produced by the UNIX compress program) and ‘deflate’ (the zlib encoding format).
  – Multiple character set encodings such as ASCII, UTF-8, UTF-7, UTF-16LE, UTF-16BE, UTF-32LE, UTF-32BE, etc.
  – Transfer encodings such as ‘chunked’ and ‘token-extension’
  – Chaffing content with characters that will not be rendered by the web browser when encoded to a particular character set.


Page 25: The Rise of X-Morphic Exploitation

Obfuscation: Content Delivery Layer (2)

• Let’s examine a simple exploit (MS04-009)
  – It allowed an attacker to construct an HTML page that would cause Microsoft Outlook to remotely start and execute code of the attacker’s choice

  <img src="mailto:aa&quot; /select javascript:alert('vulnerable')">

• The important part of this exploit example is the:

  <img src="mailto:aa&quot; /select javascript


Page 26: The Rise of X-Morphic Exploitation

Obfuscation: Content Delivery Layer (3)

• Implement Chunked Encoding

  Transfer-Encoding: chunked
  Content-Type: text/html

  5   <html
  9   > <body> 
  5   <img 
  4   src=
  4   "mai
  4   lto:
  5   aa&qu
  3   ot;
  9    /select 
  5   javas
  5   cript
  6   :alert
  9   ('vulnera
  8   ble')"><
  8   /body> <
  6   /html>
  0

  (each hex chunk-size line is followed by that many bytes of data; the exploit markup only reappears once the chunks are reassembled)

Page 27: The Rise of X-Morphic Exploitation

Obfuscation: Content Delivery Layer (4)

• 7-bit Unicode encoding system (UTF-7)

  +ADw-html+AD4 +ADw-body+AD4+ADw-img src+AD0AIg-mailto:aa+ACY-quot; /select javascript:alert('vulnerable')+ACIAPg+ADw-/body+AD4 +ADw-/html+AD4

• Base64 encoding with chaff

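Added example, not part of the slides: a Python normalizer that undoes the content-delivery transforms of page 24 (chunked transfer encoding, gzip, a declared UTF-7 charset) before matching the MS04-009 markup from page 25, to show why a signature fails on the raw bytes of pages 26 and 27 but matches after normalization. The chunk boundaries follow page 26; utf7_shift is a helper I wrote to produce a page-27-style body, since Python's own UTF-7 encoder leaves characters such as '<' and '>' unencoded.

```python
import base64
import codecs
import gzip
import re

# Constructed sample: the MS04-009 trigger markup from page 25, wrapped in a page.
PAGE = ('<html> <body> <img src="mailto:aa&quot; /select javascript:'
        "alert('vulnerable')\"></body> </html>")
# Chunk boundaries as laid out on page 26; the chunk-size lines are their lengths.
CHUNKS = ["<html", "> <body> ", "<img ", "src=", '"mai', "lto:", "aa&qu", "ot;",
          " /select ", "javas", "cript", ":alert", "('vulnera", "ble')\"><",
          "/body> <", "/html>"]
# What a content inspector would look for in the exploit markup.
SIGNATURE = re.compile(r'<img\s+src="mailto:[^"]*/select\s+javascript', re.I)

def chunk_encode(pieces):
    """Emit an HTTP/1.1 chunked body: hex size, CRLF, data, CRLF ... then a 0 chunk."""
    body = b"".join(b"%x\r\n%s\r\n" % (len(p), p.encode()) for p in pieces)
    return body + b"0\r\n\r\n"

def dechunk(body):
    """Reassemble a chunked body; chunk extensions after ';' are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            break
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2                      # step over the chunk's trailing CRLF
    return bytes(out)

def utf7_shift(text, chars=r'[<>"&;=]+'):
    """Put the listed characters into UTF-7 shift sequences, as on page 27
    (hand-rolled because Python's utf-7 encoder would leave them as plain ASCII)."""
    def enc(m):
        b64 = base64.b64encode(m.group().encode("utf-16-be")).decode()
        return "+" + b64.rstrip("=") + "-"
    return re.sub(chars, enc, text)

def normalize(headers, body):
    """Undo the delivery-layer transforms of page 24 in protocol order:
    transfer encoding first, then content encoding, then the declared charset."""
    h = {k.lower(): v for k, v in headers.items()}
    if "chunked" in h.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if h.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    m = re.search(r"charset=([\w-]+)", h.get("content-type", ""), re.I)
    return codecs.decode(body, m.group(1) if m else "utf-8")

def inspect_response(headers, body):
    """Match the signature on the raw bytes and again after normalization."""
    return {"raw": SIGNATURE.search(body.decode("latin-1")) is not None,
            "normalized": SIGNATURE.search(normalize(headers, body)) is not None}

if __name__ == "__main__":
    print(inspect_response({"Transfer-Encoding": "chunked"}, chunk_encode(CHUNKS)))
    print(inspect_response({"Content-Type": "text/html; charset=utf-7"},
                           utf7_shift(PAGE).encode("ascii")))
```

The same check passes for a gzip body once Content-Encoding is honoured; an inspector that pattern-matches before applying these transforms sees none of the three.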

Page 28: The Rise of X-Morphic Exploitation

Obfuscation: Network Layer

• Simple Fragmentation
  AT | TAC | K  →  ATTACK
• Out of Sequence Fragmentation
  AT | TAC | K (fragments arrive out of order)  →  ATTACK
• Overlapping Packet Fragmentation
  AT | TAC | ACK | K  →  ATTACK
• Overwriting Redundant Packets
  AT | QWE | ACK | K | TAC | RTY  →  ATTACK
• Packet Timeouts
  ATT | (long pause) | ACK  →  ATTACK
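Added example (not from the slides): a Python model of TCP stream reassembly showing how the fragmentation cases above look to an inline sensor, and why a sensor whose overlap policy or reassembly timeout differs from the target host's can rebuild something other than ATTACK. The segment lists are constructed for illustration.

```python
# Constructed segment lists (offset, data) mirroring the slide's ATTACK diagrams.
# A sensor sees the same segments the host does and must rebuild the stream the
# way the host will, or its signature match is meaningless.
SIMPLE       = [(0, "AT"), (2, "TAC"), (5, "K")]
OUT_OF_ORDER = [(5, "K"), (0, "AT"), (2, "TAC")]
OVERLAPPING  = [(0, "AT"), (2, "TAC"), (3, "ACK"), (5, "K")]    # overlaps agree
REDUNDANT    = [(0, "AT"), (2, "QWE"), (2, "TAC"), (5, "K")]    # overlaps conflict
TIMED        = [(0.0, 0, "ATT"), (90.0, 3, "ACK")]              # (seconds, offset, data)

def reassemble(segments, policy="last"):
    """Rebuild the stream from (offset, data) segments in any arrival order.
    policy="first": the first bytes seen at an offset win;
    policy="last":  later segments overwrite earlier ones.
    Both behaviours exist in real TCP stacks. Gaps are rendered as '?' so a
    missing prefix stays visible."""
    stream = {}
    for offset, data in segments:
        for i, ch in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in stream:
                stream[pos] = ch
    if not stream:
        return ""
    return "".join(stream.get(i, "?") for i in range(max(stream) + 1))

def reassemble_timed(timed_segments, idle_timeout, policy="last"):
    """Like reassemble(), but forget buffered segments once the stream has been
    idle longer than idle_timeout: a sensor with a short reassembly window gives
    up while the end host keeps waiting for the rest of the data."""
    kept, last_seen = [], None
    for t, offset, data in timed_segments:
        if last_seen is not None and t - last_seen > idle_timeout:
            kept = []
        kept.append((offset, data))
        last_seen = t
    return reassemble(kept, policy)

def sensor_vs_host(segments, sensor_policy, host_policy, pattern="ATTACK"):
    """Return (host_hit, sensor_hit); True/False means the host got the payload
    but the sensor, using a different policy, never saw the pattern."""
    return (pattern in reassemble(segments, host_policy),
            pattern in reassemble(segments, sensor_policy))

if __name__ == "__main__":
    for name, segs in [("simple", SIMPLE), ("out-of-order", OUT_OF_ORDER),
                       ("overlapping", OVERLAPPING), ("redundant", REDUNDANT)]:
        print(name, reassemble(segs, "first"), reassemble(segs, "last"))
    print("timeout 60s:", reassemble_timed(TIMED, 60), " 120s:", reassemble_timed(TIMED, 120))
```

The conflicting-overlap case is the instructive one: the same packets yield ATTACK under one policy and ATQWEK under the other, so the sensor's policy has to be chosen per target host, not globally.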

Page 29: The Rise of X-Morphic Exploitation

Making it all work together

“An army of deer led by a lion is more to be feared than an army of lions led by a deer.”

CHABRIAS (410?-357? BC)


Page 30: The Rise of X-Morphic Exploitation

Malicious Content Delivery

• The attacker must cause their potential victim to request a page from the malicious Web server
  – Spam – Email, instant messenger and any other messaging platform that can deliver a message directing their potential victims to the location of their malicious Web server.
  – Phishing – using the same messaging systems as Spam, however the message contains a strong social engineering aspect to it (typically a personal and compelling event).
  – Hacking – exploiting flaws in pre-existing popular Web sites or Web pages that have high traffic flow, and embedding links to their x-morphic content.
  – Banner Advertising – utilizing banner rings or commercial advertising channels, the attacker can create an advertisement (typically seen on most commercial Web sites) directing potential victims to their Web server.
  – Forum Posting – the attacker visits popular online forums and message boards and leaves their own messages containing URLs to their malicious Web server.


Page 31: The Rise of X-Morphic Exploitation

Malicious Content Delivery

• And more ways…
  – Search Page-rank – with a little planning, the attacker can manipulate popular page ranking systems utilized by popular search engines to ensure that their Web server appears high up in the list of URLs returned by a search engine when their potential victim searches for certain words and phrases.
  – Expired Domains – many popular and well visited sites fail to renew their domain registrations on time. By failing to renew, the attacker can purchase them for themselves and associate that entire domain (and all associated host names) to the IP address of their malicious Web server.
  – DNS Hijacking – similar to expired domains, the attacker can often manipulate DNS entries on poorly secured DNS servers and get them to direct potential victims to the malicious Web server.


Page 32: The Rise of X-Morphic Exploitation

Using Exploited Systems

• Tickers and Counters
  – In the past, attackers have compromised Web servers that provide this shared content and appended their malicious exploit material to the served content, allowing them to massively increase their potential victim audience.
• 404 Page Errors
  – In previous attacks, the attackers have used spam email to draw potential victims to non-existent URIs on a previously compromised (but legitimate) Web server, which resulted in a maliciously encoded error page being returned from the server and, after successful exploitation, redirected them to the legitimate page.
• Server-side User-Agent Checks
  – Attackers are already leveraging this information to ensure that exploit code is only served to pages most likely to be vulnerable to it and utilizing referrer information to decide whether their potential victim arrived from a linking site they set up.


Page 33: The Rise of X-Morphic Exploitation

Attack Personalization

• Strategies that the x-morphic engine developers have adopted as part of their personalized attack delivery platform include:
  – Using the source IP address information of the request, the attacker can ensure that only one exploit is ever served to that address.
  – The attacker may choose to implement a time-based approach to protect their engine from discovery.
  – By observing the specific browser-type information, the attacker would ensure that only exploits relevant to that particular browser are ever served.
  – Leveraging the IP address information, the attacker can of course prevent certain IP addresses or ranges from ever being served malicious content.
  – One-time URLs have been popular within Spam messages as a way of validating the existence of a specific email address.


Page 34: The Rise of X-Morphic Exploitation

2007 Browser Exploits & Payloads

“I’d rather be a poor winner than any kind of loser”

GEORGE S. KAUFMAN (1889-1961)


Page 35: The Rise of X-Morphic Exploitation

Browser Exploits in the Wild

• Most popular browser exploits:
  – MS06-073, Visual Studio WMI Object Broker ActiveX [Bug: Functionality]
  – MS07-017, Animated Cursor [Bug: Overflow]
  – MS06-057, WebView ActiveX [Bug: Overflow]
• Increased obfuscation use
  – Statistically insignificant in 2006
  – In 2007 nearly 80% are obfuscated
• Encrypted exploits sky rocketing
  – Driven by prevalence of exploit toolkits such as mPack
  – Exceeding 70%


Page 36: The Rise of X-Morphic Exploitation

IE Critical Vulnerabilities


Page 37: The Rise of X-Morphic Exploitation

Firefox Critical Vulnerabilities


Page 38: The Rise of X-Morphic Exploitation

Malware Evolution

• Malware classes used to be clearly defined
• Malware 2.0 is a mashup technology
  – Take the best features of each malware group and combine them
• Unique one-of-a-kind Malware
  – Serial variants
  – Polymorphic
  – X-morphic engines


Page 39: The Rise of X-Morphic Exploitation

The Changing Face of Malware


Page 40: The Rise of X-Morphic Exploitation

The Changing Face of Malware


Page 41: The Rise of X-Morphic Exploitation

Commercial Exploit Services

“We should expect the best and worst from mankind, as from the weather”

VAUVENARGUES (1715-1747)


Page 42: The Rise of X-Morphic Exploitation

Managed Exploit Providers

• Managed Exploit Providers (MEP) is the new business
• Selling or leasing exploit code and attack delivery platforms
  – Outright purchase of the attack engine, with subscription updates
  – Weekly-rental schemes of attack platforms
  – Pay-per-visit or pay-per-infection schemes as simple as Google advertising
• Increased effort in maintaining their intellectual property
  – A lot of competition for new exploits
  – 0-day exploits carefully controlled
• Cottage industry of suppliers to MEPs
  – Reverse engineering latest Microsoft patches and developing exploits
  – Buy/Sell/Auction of new vulnerabilities


Page 43: The Rise of X-Morphic Exploitation

INET-LUX

Multi-Exploiter

Downloader

Installation Cost $15

Page 44: The Rise of X-Morphic Exploitation

iFrame Biz

Minimum Weekly Payment of €50

Page 45: The Rise of X-Morphic Exploitation

iFrame911.com

Page 46: The Rise of X-Morphic Exploitation

Iframebiz.com

Look QUICK and EASY way to earn on the internet? Start earning with us now! ! ! Just two minutes of your time and you Turn your traffic in real money! Why spend endless force to affiliate programs? Join us, and you will have a steady income every day without losing while visitors! We will not promise mountains of gold. Our job is to help you use your best way traffic. Even more money in the same volume of traffic is real. Try, and you stay with us!

We start earning serious money together!

Anyone can join us! You can do this by:

* have at its disposal at least one site;

* REGISTER on the website http://iframebiz.com

* accommodate short (in a row) of Pages iframe code on your site;

* be able to obtain the money through at least one of the monetary systems: Fethard, Webmoney, Wire, E-gold, Western Union (WU), and MoneyGram Epassporte

The system operates on reliable high-speed servers, which ensures stability. The system works without Active-X and pop-up! ! ! This means that you will not lose visitors to their sites by placing our iframe code! ! ! Anyone who comes to us, remains happy! A HIGHER rate is the level of the company IFRAMEBIZ.COM! Sign up today and you will no doubt stay with us!

Page 47: The Rise of X-Morphic Exploitation

Example: MPack

• MPack exploit toolkit is a server application

• Uses IFrames

• MPack toolkit available for $700

• Updates cost $50 - $150 per new exploit depending on exploitability

• AV evasion costs $20 - $30 more

• DreamDownloader bundled for $300 extra

• Comes complete with management console for displaying infection statistics

Page 48: The Rise of X-Morphic Exploitation

XSOX – Botnet Anonymizer

Page 49: The Rise of X-Morphic Exploitation

XSOX – Botnet Anonymizer

The monthly subscription price (without limitation): $ 50.00

Weekly subscription price (without limitation): $ 15.00

Special offer:

• Allocation port on the server for access to protocols SOCKS4 / 5 with veb-panelyu Management.
• VIP treatment with full control of its own shell-bots, Screen, Run, the team.
• Actual server with full control.
• SOCKS4 / 5 with multiple random IP addresses on the outlet.

Page 50: The Rise of X-Morphic Exploitation

The Future for Attack Engines

Page 51: The Rise of X-Morphic Exploitation

What’s the Protection?

• Signature AV = EOL
• Host-level protection is the best place (at the moment)
  – Behavioral detection engines (stop the malware component)
  – Script interpreters/interceptors (stop the obfuscated exploit component)
• Network-level protection is possible
  – Content blocking (high false-positive rates)
  – URL classification and blocking (pretty efficient)
• More work needs to be done
  – IBM ISS’ WHIRO 0-day discovery
  – Global MSS alert correlation


Page 52: The Rise of X-Morphic Exploitation

Conclusions

• X-Morphic engines are an evolving threat
• The complex browser environment ensures “drive-by downloads” will remain popular
• Lots of innovation going on in bypassing traditional security systems
• Commercial incentive to improve X-Morphic attack engines


Page 53: The Rise of X-Morphic Exploitation

Thank You

Questions before the great escape?

Günter Ollmann
Director of Security Strategy
[email protected]
