An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis Bo Sun, Dawei Su {sun,



1. Introduction and Background
2. Problem Description
3. What We Did
4. Damage Analysis
5. Solution

I. Introduction and Background
– Windows is popular on personal laptops and desktops.
– Antivirus and firewall software is implemented above Windows.
– Flaws and vulnerabilities in Windows itself depend on Microsoft to eradicate.

II. Problem Description
Internet Explorer “404 Not Found” Page

II. Problem Description (cont'd)
The analysis of the 404 Not Found page
– The file is located in a DLL file called ieframe.dll, under the name navcancl.htm.
– In IE6, the DLL file is called shdoclc.dll, and one of the HTML names is dnserror.htm.
– navcancl.htm can be extracted from the DLL file using software such as Resource Hacker®.
– Any code can be inserted.

III. What we did
Hacking Internet Explorer 6
– The HTML part can be easily found in the shdoclc.dll file.
– We can add a customized function after onload=, or simply add something like the line below.

    alert("Hello World!");

III. What we did (cont'd)
Hacking Internet Explorer 6 (cont'd)

III. What we did (cont'd)
Hacking Internet Explorer 7
In IE7, there is nearly no such DLL file containing these HTML parts: Microsoft created another file, ieframe.dll.mui, to store the HTML, and uses ieframe.dll to store the JavaScript file that dynamically generates the error messages.

III. What we did (cont'd)
Simple Attack – Resource Consumption
The code is inserted directly below the tag.

    while (1) {
        window.open("");  /* we can also use 'alert()' here */
    }

III. What we did (cont'd)
Simple Attack – CPU and Stack Attack
An example showing a CPU and stack attack by calculating the Fibonacci numbers:

    // Naive doubly recursive Fibonacci: the number of calls grows exponentially with n
    function fibonacci(n) {
        if (n > 1) return fibonacci(n - 1) + fibonacci(n - 2);
        if (n <= 0) return 0;
        return 1;
    }
    for (i = 0; i < 100000; i++)
        document.write("Fibonacci number " + i + " is " + fibonacci(i) + " ");

III. What we did (cont'd)
Simple Attack – Social Engineering Attack
Modify the HTML code in ieframe.dll.mui.
We can add:
– some if-goto statements;
– or ask the DLL file to modify the hosts file. Once the user types suntrust.com, the browser searches for the spoofed file, which is then displayed on the screen.
We can also add:
– some hidden code and wait. When the user encounters an error, e.g. he/she enters a URL like sutrust.com, the script captures it and displays the fake page.

III. What we did (cont'd)
Simple Attack – Social Engineering Attack (cont'd)

III. What we did (cont'd)
Simple Attack – Social Engineering Attack (cont'd)
On the attacker’s server:
– Write code on server to receive bank account information

IV. Damage Analysis
Serious Damage Examples
– Some attackers can gain control of the user account remotely by altering certain HTML parts of the DLL file.
– The hacked computer can then be used as a node to start a DDoS attack.

IV. Damage Analysis (cont'd)
Antivirus and Firewall Software
– We tested the infected DLL file using Symantec Antivirus / Firewall and Kaspersky Internet Security. The security levels in both products were set to Highest.
– Even though the software can give the user a report when the DLL file tries to access the Internet, most users will let it pass, since users, like the software, tend to trust the operating system.

IV. Damage Analysis (cont'd)
Antivirus and Firewall Software (cont'd)

V. Solution
Windows File Protection (WFP)
– Applied in Windows XP to prevent programs from replacing critical Windows system files, which include ieframe.dll*
– WFP uses file signatures and catalog files that are generated by code signing to verify protected system files.
– Windows XP checks the signatures about every 6 to 7 seconds.

V. Solution (cont'd)
Windows File Protection (WFP) (cont'd)
Replacement of protected system files is supported only through the following mechanisms:
– Windows Service Pack installation using Update.exe
– Hotfixes installed using Hotfix.exe or Update.exe
– Operating system upgrades using Winnt32.exe
– Windows Update
Otherwise the system will prompt the user to use the installation disk to recover the damaged files.

V. Solution (cont'd)
Windows File Protection (WFP) (cont'd)
Two major defects:
– The prompt can be overridden by users.
– There are now tools that can completely disable the prompt dialogue and therefore disable the whole protection system.
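
Added example (not from the presentation or from Microsoft): a simplified Python model of the catalog check described for WFP, meant to run from outside the protected system so it does not rely on the prompt that can be overridden or disabled. The HMAC-tagged JSON catalog, the key, and the stand-in files are assumptions made for illustration; real WFP relies on signed catalog files.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_catalog(root: Path, names: list[str], key: bytes) -> dict:
    """Record known-good hashes and authenticate the catalog with an HMAC tag."""
    hashes = {n: file_digest(root / n) for n in names}
    body = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "tag": hmac.new(key, body, "sha256").hexdigest()}

def verify(root: Path, catalog: dict, key: bytes) -> dict:
    """Return {name: status}; raises ValueError if the catalog itself was altered."""
    body = json.dumps(catalog["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, catalog["tag"]):
        raise ValueError("catalog authentication failed")
    report = {}
    for name, good in catalog["hashes"].items():
        path = root / name
        if not path.is_file():
            report[name] = "missing"
        else:
            report[name] = "ok" if file_digest(path) == good else "modified"
    return report

def demo() -> dict:
    """Constructed stand-ins for the files named on the slides, not real DLLs."""
    key = b"constructed-demo-key"  # assumption: a key kept off the monitored host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ieframe.dll").write_bytes(b"MZ constructed script resources")
        mui = root / "ieframe.dll.mui"
        mui.write_bytes(b"MZ constructed <html>navcancl.htm</html>")
        catalog = build_catalog(root, ["ieframe.dll", "ieframe.dll.mui"], key)
        # Simulate the resource edit described in the slides.
        mui.write_bytes(mui.read_bytes() + b"<script>/* inserted */</script>")
        return verify(root, catalog, key)

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the catalog and key, so both belong on read-only media or a separate host.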

V. Solution (cont'd)
Write access protection
One better way to prevent this malicious modification is to implement a file system like UNIX.
– Users, including root, do not have write access to some system files.


Thank you! Any questions?