Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.


1 Interception and Analysis Framework for Win32 Scripts
www.cigital.com
(not for public release)
Tim Hollebeek, Ph.D.
tim@cigital.com

2 Overview
Background
Preliminary characterization of attacks/threats
What we’ve built
Coverage of threats
Tech Transfer successes
Integration

3 Background: ActiveScripting
Microsoft architecture for integrating scripts with applications in a language-neutral way.
Scripting is often used as “Turing glue” to connect and drive disparate software components.
Active Scripting Applications/Hosts
– Web browsers
– Mail readers
– Embedded HTML viewers
– MS Office 2000 applications
– Windows Scripting Host
Active Scripting Languages
– Perl
– JScript
– VBScript/VBA (macros)
– Rexx
– Python

4 Technical Objectives
Address the threat of a significant class of mobile malicious code:
– ActiveScripting (JScript, VBScript)
Provide an interception and logging framework that allows policies to be developed and enforced
Constrain active scripting capability effectively to balance:
– legitimate uses vs. malicious uses

5 Scope
Malicious Scripts on Microsoft Windows based platforms
– Script-based viruses, trojans
– malicious web pages
– malicious HTML embedded in various files
– Especially: scripts that use one of about 30 vulnerabilities that allow compromise of the machine from scripts (most recent … 9 days ago)

6 Attacker Objectives
Traditional “malware” activities
– Viruses, trojan horses
Fully compromising host computers
Accessing sensitive data/manipulating sensitive functionality
– Compromising script-aware applications
– Compromising script-dependent applications

7 Why is this easy?
MS Windows contains lots of bad code and very few boundaries
Microsoft architecture is script-friendly: a “big bag of components”
Much of this infrastructure was built to support distributed applications

8 Defenses
Must be at the correct level (or multi-level)
Most existing defenses aren’t:
– Secure sessions
– Filtering
– Signature schemes
– Kernel/filesystem level defenses
Commercial world focused on today’s attacks

9 Categories of Malicious Scripts
Difficulty scale on the slide: Easy / Hard / Very Hard!
Malicious scripts distributed as attachments
Scripts that exploit the distributed nature of web applications
Malicious scripts injected into dynamic web pages
Malicious scripts that manipulate legitimate functionality
Embedded scripts that exploit flaws in components or host applications

10 Malicious Script Capability Matrix
Columns: Attach, Flaw, Legitimate, Inject
Matrix entries: Web based, ILOVEYOU, Kak, Malicious web site, E*TRADE hack, E-bayla, Web bugs, E-mail wiretapping, Future threats

11 Intercepting ActiveScripting
What works well:
– Blocking access to flawed components/methods
Feasible:
– Correlating script activity with lower level information
– Reducing exposure of script-aware applications
– Restricting script actions to a safer subset
Still difficult:
– Script-dependent and script-based applications

12 Tech Transfer
Produced:
– Robust prototype
  Capable of extensive logging of script behavior on a number of machines to a remote server
  Ability to block malicious script actions
  Stable, efficient
– Developing prototype into a tool to be used by the Air Force community
– Extensive logs (14,000 distinct scripts, gigabytes of information about their execution)
– JustBeFriends (~4000 downloads)

13 Integration
We can provide:
Information on all page views
Script contents and URLs
Information on script behavior
During script execution:
– Accesses to all members and methods (with parameters) of Automation objects the scripting engine interacts with
– All actions of the scripting engine
– Other related COM methods
(possibly) user level correlation information

14 Logs
3 Cigital Labs researchers
6-12 months of browsing
Work-related and “other” sites
Also some “random” browsing (uses Yahoo!)

15 Architecture
Diagram labels, in the order shown on the slide: Scripting Engine, Script Actions, Browser Architecture, Events, Event Manager, Policy XML, Centralized Logging Server
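The pipeline that slides 11, 13 and 15 sketch (intercepted Automation-object accesses flow into an event manager, which consults an XML policy and forwards records to a central log) can be illustrated in a few dozen lines. The block below is an added example and is not Cigital's code; the policy schema, the fields of a script event, the "allow/log/block" verdicts and all sample events and URLs are assumptions constructed for this illustration. Object names such as Scripting.FileSystemObject and WScript.Shell are ordinary Windows Scripting Host ProgIDs used here only as things a policy might choose to deny to scripts.

```python
# Added example (not Cigital's code): a policy-driven event manager for
# intercepted script actions. Policy schema, event shape and samples are
# assumptions made for this illustration.
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field, asdict
from fnmatch import fnmatchcase

# Constructed policy. Rules are checked top to bottom; the first match wins and
# an event matching no rule gets the document's default action.
POLICY_XML = """\
<policy default="allow">
  <!-- Deny script access to components the host application never needs. -->
  <rule object="Scripting.FileSystemObject" member="*" action="block"/>
  <rule object="WScript.Shell" member="*" action="block"/>
  <!-- Let a page read its own DOM, but record every write to it. -->
  <rule object="document" member="*" kind="set" action="log"/>
  <!-- Record anything that reaches for the network. -->
  <rule object="Microsoft.XMLHTTP" member="*" action="log"/>
</policy>
"""

VALID_ACTIONS = ("allow", "log", "block")


@dataclass
class ScriptEvent:
    """One intercepted access to an Automation object member."""
    host: str        # script host, e.g. a browser or mail reader
    script_url: str  # where the script came from
    obj: str         # ProgID or DOM object the script touched
    member: str      # member or method name
    kind: str        # "call", "get" or "set"
    args: list = field(default_factory=list)


@dataclass
class Rule:
    obj: str
    member: str
    kind: str
    action: str

    def matches(self, ev: ScriptEvent) -> bool:
        # Glob matching so a single rule can cover a whole component.
        return (fnmatchcase(ev.obj, self.obj)
                and fnmatchcase(ev.member, self.member)
                and fnmatchcase(ev.kind, self.kind))


def load_policy(xml_text: str):
    """Parse the policy into (default_action, [Rule, ...]); rejects unknown actions."""
    root = ET.fromstring(xml_text)
    default = root.get("default", "allow")
    if default not in VALID_ACTIONS:
        raise ValueError(f"bad default action {default!r}")
    rules = []
    for el in root.findall("rule"):
        action = el.get("action", "")
        if action not in VALID_ACTIONS:
            raise ValueError(f"bad action {action!r} in policy")
        rules.append(Rule(el.get("object", "*"), el.get("member", "*"),
                          el.get("kind", "*"), action))
    return default, rules


class EventManager:
    """Applies the policy to each event and ships a JSON line to `sink`,
    which stands in for the centralized logging server."""

    def __init__(self, policy_xml: str, sink):
        self.default, self.rules = load_policy(policy_xml)
        self.sink = sink

    def handle(self, ev: ScriptEvent) -> str:
        action = self.default
        for rule in self.rules:
            if rule.matches(ev):
                action = rule.action
                break
        # "allow" stays silent; "log" and "block" both produce a record, so the
        # server sees every denied action as well as every watched one.
        if action != "allow":
            record = asdict(ev)
            record["verdict"] = action
            self.sink(json.dumps(record, sort_keys=True))
        return action


def run_sample():
    """Feed constructed events through the manager; returns (verdicts, log lines)."""
    log_lines = []
    mgr = EventManager(POLICY_XML, log_lines.append)
    page = "http://example.invalid/page.html"  # constructed URL
    events = [
        ScriptEvent("browser", page, "document", "title", "get"),
        ScriptEvent("browser", page, "document", "cookie", "set", ["x=1"]),
        ScriptEvent("browser", page, "Scripting.FileSystemObject",
                    "CreateTextFile", "call", ["C:\\t.txt"]),
        ScriptEvent("mailreader", page, "WScript.Shell", "Run", "call", ["notepad.exe"]),
        ScriptEvent("browser", page, "Microsoft.XMLHTTP", "open", "call", ["GET", page]),
    ]
    verdicts = [mgr.handle(ev) for ev in events]
    return verdicts, log_lines


if __name__ == "__main__":
    verdicts, lines = run_sample()
    print(verdicts)  # ['allow', 'log', 'block', 'block', 'log']
    for line in lines:
        print(line)
```

Running the block prints one verdict per sample event and the four JSON records that a central server would receive; a real interceptor would call `EventManager.handle` from inside the scripting engine's dispatch path and refuse the call when it returns "block".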

16 Conclusions
Architecture provides a very successful and flexible way to monitor and control scripts on Windows systems
Can address commonly exploited risks from malicious scripts, which are unaddressed by the current generation of commercial tools
Work still needed to get a handle on more complex attacks

17 The End
