© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public
Hacked While Browsing — Using the Web to Spread Malware
Kah-Kin Ho
Cisco
Agenda
Botnet Business Models
Making Bots: Five Infection Vectors
Hacked While Browsing
Solutions
Conclusion
Botnet Business
The Professional
Smartbot.Net Malware
Opened CD-ROM tray
“If your cd-rom drive’s open . . .you desperately need to rid your system of spyware pop-ups immediately! Download Spy Wiper now!”
Spy Wiper sold for $30
$4M FTC judgment
Sanford Wallace
“Installs” for Sale — Monetizing Botnets
Botnet Monetized Four Ways
Rogue AV
Social Engineering Scareware Spyware
If Infected, Fake Scan Recommends “Removal”
“Antivirus XP has found 2794 threats. It is recommended to proceed with removal”
After Scan, Takes Me to Website: Identifies Geo-IP, Hides the Close Button Off the Screen
Change the Desktop
Removes Desktop and Screen Saver Tabs from Control Panel
More Scareware Spyware Trickery
Bakasoftware Is Master Criminal
Bakasoftware “scareware spyware” affiliate business
Affiliates load “scareware” onto their bots.
Affiliates are paid a commission when consumers purchase
This #2 affiliate earned $147k in 10 days ($5M/year)
154,825 installations and 2,772 purchases
Source: http://www.secureworks.com/research/threats/rogue-antivirus-part-2/?threat=rogue-antivirus-part-2
Bakasoftware Dashboard Showing 10 Days Revenue for #2 Affiliate
Making a Bot: Infection Vectors
Social Engineering enables the first four methods
1. Search Engine Optimization
2. Spam with URL or active payload
3. Instant Messaging
4. Social Network Attacks
5. Network-based worm: Conficker
Social Engineering
Hacked While Browsing
Surprise Valley, Idaho
4 Bedrooms, 2.5 Baths, $379,000
Search Result
Browsing to Brooke’s site
Understanding the Problem in Four Parts
1. URL: Recipe for Disaster
2. Web Browser Ecosystem Vulnerable
3. Malware Defeats Anti-Virus Signatures
4. Web Servers Vulnerable
The Web Page: A Security Primer
How does a Web Page Work?
1. HTML: the web site's “recipe.” The initial HTML retrieval provides the “recipe”; the browser then fetches every object listed in it.
2. Web Resources: the actual ingredients. Retrieved, per the HTML, from any specified location. Includes:
Images
Scripts
Executable objects (“plug-ins”)
Other web pages
BoingBoing.net: A Popular Blog
URLs in browser: 1
HTTP Gets: 162
Images: 66 from 18 domains, including 5 separate 1x1 pixel invisible tracking images
Scripts: 87 from 7 domains
Cookies: 118 from 15 domains
Flash objects: 8 from 4 domains
Web Browser Ecosystem Vulnerable
IE and Firefox vulnerable
“…hundreds of vulnerabilities in ActiveX controls installed by software vendors have been discovered.”
Media Players & Browser Helper Objects (BHO)
RealPlayer, iTunes, Flash, Quicktime, Windows Media
Explosion of BHOs and third-party plug-ins
Plug-ins are installed (semi) transparently by website. Users unaware an at-risk helper object or plug-in is installed … introducing more avenues for hackers to exploit users visiting malicious web sites.
SANS Top 20 2007 Security Risks
http://www.sans.org/top20/#c1
Mpack: 13.32% Infection Rate in US
Malware Defeats Anti-Virus Signatures
Criminals have developed tools to mutate malware to defeat signature-based detection
At DefCon teams of researchers proved their success yet again
Seven viruses and two exploits, all well-known, were mutated to defeat anti-virus engines
Winning time: 2 hours, 25 minutes
Online Norwegian Tax Form
Translated to English
Results of Form Entry
Hacked While Browsing – What Really Happened
What’s Happening on BrookeSeidl.com
brookeseidl.com registered at eNom 2002
63.249.17.64 hosted at Seattle’s ZipCon with 52 other domains
Script injected onto web page – one extra ingredient!
What Does Tejary.net/h.js Do?
Browser fetches the h.js JavaScript from tejary.net
Tejary.net registered 2003 at GoDaddy and hosted on 68.178.160.68 in Arizona
Registered by Aljuraid, Mr Nassir A in Saudi Arabia
Tejary.net/h.js calls two remote iframe objects
V3i9.cn Domain Information
V3i9.cn registered at 北京新网互联科技有限公司 by 贾雨荷 on 3/25/09. DNS by mysuperdns.com
Hosted on 216.245.201.208 at Limestone Networks in Dallas, TX
Fetched objects include
ipp.htm, real.html, real.js
14.htm, 14.Js
flash.htm, igg.htm
Exploit Resources Fetched from v3i9.cn
It all starts with /c.htm loaded from tejary.net, said7.com
Real Player Exploit
/ipp.htm – Real Player exploit CVE-2008-1309. 2/40 anti-virus vendors detect. Calls real.html. Includes the string “f#!kyoukaspersky”
/real.htm, /real.js – Real Player exploit CVE-2007-5601
MDAC (Microsoft Data Access Component) Exploit
/14.htm, /14.js – exploits the Exploit-MS06-014 vulnerability in the MDAC functions
Flash Exploit
/swfobject.js – detects the Flash version and selects content accordingly
/flash.htm – Flash exploit. 2/40 anti-virus vendors detect
/igg.htm – ??? Called from /flash.htm for exploit?
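The “recipe” model of a web page and the injected “one extra ingredient” on brookeseidl.com suggest a simple defensive check: inventory everything a page's HTML makes the browser fetch and flag what does not belong to the site. The following is an added example, not code from the Cisco deck; the page URL, hosts and HTML are constructed, and the three heuristics (third-party script, hidden iframe, 1x1 tracking pixel) are the author's own choice.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (fictitious .test hosts): a first-party blog page that also
# pulls one injected third-party script, a tracking pixel and a hidden iframe.
PAGE_URL = "http://realty-blog.test/listing/42"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://static.tracking-cdn.test/h.js"></script>
</head><body>
<img src="http://img.realty-blog.test/house.jpg">
<img src="http://stats.tracking-cdn.test/pixel.gif" width="1" height="1">
<iframe src="http://ad-network.test/frame.htm" width="300" height="250"></iframe>
<iframe src="http://redirector.test/ipp.htm" width="0" height="0" style="display:none"></iframe>
</body></html>"""

SRC_ATTR = {"script": "src", "img": "src", "iframe": "src", "object": "data", "embed": "src"}

class ResourceInventory(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.resources = page_url, []  # resources: (tag, url, host, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = SRC_ATTR.get(tag)  # attribute naming the resource the browser will fetch
        if attr and a.get(attr):
            url = urljoin(self.page_url, a[attr])  # resolve relative "ingredients"
            self.resources.append((tag, url, urlsplit(url).hostname or "", a))

def _is_hidden(a):
    style = (a.get("style") or "").replace(" ", "").lower()
    zero_size = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
    return zero_size or "display:none" in style or "visibility:hidden" in style

def analyse(html, page_url):
    page_host = urlsplit(page_url).hostname
    parser = ResourceInventory(page_url)
    parser.feed(html)
    flags = []
    for tag, url, host, a in parser.resources:
        first_party = host == page_host or host.endswith("." + page_host)
        if tag == "script" and not first_party:  # the "one extra ingredient"
            flags.append(("third-party script", url))
        if tag == "iframe" and _is_hidden(a):  # invisible iframe to a remote exploit page
            flags.append(("hidden iframe", url))
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            flags.append(("1x1 tracking pixel", url))
    return {"fetches": len(parser.resources), "hosts": dict(Counter(r[2] for r in parser.resources)), "flags": flags}
```

The hosts tally reproduces the kind of per-domain count shown for BoingBoing.net, while the flags list is what a gateway or site owner would review for an unexpected script host.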
What Is Our Malware?
Dalai Lama reported office computers hacked
University of Toronto Munk Center found “GhostNet” surveillance malware
Keylogging, webcam monitoring, document retrieval
Exploit downloads ce.exe
Anti-Virus Won’t Protect Us
Ce.exe analyzed on Virus Total
31% detection on days 1, 2
48% detection on day 3
21% detection for SMS.exe
Some Websites Injected with tejary.net
Solutions
Has anyone seen my silver bullet?
Security needs to move at the speed of crime
Solutions
1. Web application security
2. End-user security (social engineering)
3. Client Security
4. Perimeter Web Gateway
5. Monitoring and Botnet Detection
Conclusion
The web vector has become the #1 weakness targeted by criminals for profit
The web browser ecosystem is vulnerable
Web 2.0 exacerbates these problems
More active content from disparate, uncontrolled sources
Anti-virus is not an adequate solution
Web servers are attacked and used to spread malware via legitimate sites
A different approach is required
Recommended