1 / 56

Hacked While Browsing — Using the Web to Spread Malware

Hacked While Browsing — Using the Web to Spread Malware. Kah-Kin Ho Cisco. Agenda. Botnet Business Models Making Bots: Five Infection Vectors Hacked While Browsing Solutions Conclusion. Botnet Business. The Professional. Smartbot.Net Malware Opened CD-ROM tray

konala
Télécharger la présentation

Hacked While Browsing — Using the Web to Spread Malware

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hacked While Browsing —Using the Web to Spread Malware Kah-Kin Ho Cisco

  2. Agenda • Botnet Business Models • Making Bots: Five Infection Vectors • Hacked While Browsing • Solutions • Conclusion

  3. Botnet Business

  4. The Professional Smartbot.Net Malware Opened CD-ROM tray “If your cd-rom drive’s open . . .you desperately need to rid your system of spyware pop-ups immediately! Download Spy Wiper now!” Spy Wiper sold for $30 $4M FTC judgment Sanford Wallace

  5. “Installs” for Sale — Monetizing Botnets

  6. Botnet Monetized Four Ways Rogue AV

  7. Social Engineering Scareware Spyware

  8. If Infected, Fake Scan Recommends “Removal” “Antivirus XP has found 2794 threats. It is recommended to proceed with removal”

  9. After Scan, Takes Me to Website Identifiesgeo-IP, Hides the Close Button Off the Screen

  10. Change the Desktop

  11. Removes Desktop and Screen Saver Tabs from Control Panel

  12. More Scareware Spyware Trickery

  13. Day 1 Day 2 Day 3 Day 4 Day 5 Day 6 Day 7 Day 8 Day 9 Day 10 Total Bakasoftware Dashboard Showing 10 Days Revenue for #2 Affiliate Bakasoftware Is Master Criminal • Bakasoftware “scareware spyware” affiliate business • Affiliates load “scareware” onto their bots. • Affiliates paid commission when consumers purchase • This #2 Affiliate earned $147k in 10 days - $5M/year • 154,825 installations and 2,772 purchases Source: http://www.secureworks.com/research/threats/rogue-antivirus-part-2/?threat=rogue-antivirus-part-2

  14. Making a Bot: Infection Vectors

  15. Making a Bot: Infection Vectors Social Engineering enables the first four methods • Search Engine Optimization • Spam with URL or active payload • Instant Messaging • Social Network Attacks • Network-based worm: Conficker

  16. Social Engineering

  17. Hacked While Browsing

  18. Surprise Valley, Idaho

  19. 4 Bedrooms, 2.5 Baths, $379,000

  20. Search Result

  21. Browsing to Brooke’s site

  22. URL: Recipe for Disaster Web Browser Ecosystem Vulnerable Malware Defeats Anti-Virus Signatures Web Servers Vulnerable Understanding the Problem in Four Parts

  23. The Web Page: A Security Primer • How does a Web Page Work? • HTML: Web site “recipe.” Initial HTML retrieval provides “recipe". Browser then fetches all objects listed in initial HTML “recipe”. • Web Resources: The actual ingredients.Retrieved, per the HTML, from any specified location. Includes • Images • Scripts • Executable objects (“plug-ins”) • Other web pages

  24. BoingBoing.net: A Popular Blog URLs in browser: 1 HTTP Gets: 162 Images: 66from 18 domains including 5 separate 1x1 pixel invisibletracking images Scripts: 87 from 7 domains Cookies: 118 from 15 domains 8 Flash objects from 4 domains

  25. URL: Recipe for Disaster Web Browser Ecosystem Vulnerable Malware Defeats Anti-Virus Signatures Web Servers Vulnerable Understanding the Problem in Four Parts

  26. Web Browser Ecosystem Vulnerable SANS Top 20 2007 Security Risks http://www.sans.org/top20/#c1 • IE and Firefox vulnerable • “…hundreds of vulnerabilities in ActiveX controls installed by software vendors have been discovered.” • Media Players & Browser Helper Objects (BHO) • RealPlayer, iTunes, Flash, Quicktime, Windows Media • Explosion of BHOs and third-party plug-ins • Plug-ins are installed (semi) transparently by website. Users unaware an at-risk helper object or plug-in is installed … introducing more avenues for hackers to exploit users visiting malicious web sites.

  27. Mpack: 13.32% Infection Rate in US

  28. URL: Recipe for Disaster Web Browser Ecosystem Vulnerable Malware Defeats Anti-Virus Signatures Web Servers Vulnerable Understanding the Problem in Four Parts

  29. Malware Defeats Anti-Virus Signatures • Criminals have developed tools to mutate malware to defect signature-based detection • At DefCon teams of researchers proved their success yet again • Seven viruses and two exploits, all well-known, were mutated to defeat anti-virus engines • Winning time: 2 hours, 25 minutes

  30. URL: Recipe for Disaster Web Browser Ecosystem Vulnerable Malware Defeats Anti-Virus Signatures Web Servers Vulnerable Understanding the Problem in Four Parts

  31. Online Norwegian Tax Form

  32. Translated to English

  33. Results of Form Entry

  34. Hacked While Browsing – What Really Happened

  35. What’s Happening on BrookeSeidl.com • brookeseidl.com registered at eNom 2002 • 63.249.17.64 hosted at Seattle’s ZipCon with 52 other domains • Script injected onto web page – one extra ingredient!

  36. What Does Tejary.net/h.js Do? • Browser fetches h.js javascript from tejary.net • Tejary.net registered 2003 at GoDaddy and hosted on 68.178.160.68 in Arizona • Registered by Aljuraid, Mr Nassir A in Saudi Arabia • Tejary.net/h.js calls two remote iframe objects

  37. V3i9.cn Domain Information • V3i9.cn registered at 北京新网互联科技有限公司 by 贾雨荷 On 3/25/09. DNS by mysuperdns.com • Hosted on 216.245.201.208 at Limestone Networks inDallas, TX • Fetched objects include • ipp.htm, real.html, real.js • 14.htm, 14.Js • flash.htm, igg.htm

  38. It all starts with /c.htm loaded from tejary.net, said7.com Real Player Exploit /ipp.htm – Real Player exploit CVE-2008-1309 2/40 AV anti-virus vendors detect, calls real.html. Includes f#!kyoukaspersky /real.htm, /real.js – Real Player exploit CVE-2007-5601 MDAC (Microsoft Data Access Component) Exploit /14.htm, /14.js – exploits Exploit-MS06-014 vulnerability in the MDAC functions Flash Exploit /swfobject.js – detects flash version and selects according content /flash.htm – Flash exploit. 2/40 anti-virus vendors detect /igg.htm - ??? Called from /flash.htm for exploit? Exploit Resources Fetched from v3i9.cn

  39. What Is Our Malware? • Dalai Lama reported office computers hacked • University of Toronto Munk Center found “GhostNet” surveillance malware • Keylogging, webcam monitoring, document retrieval • Exploit downloads ce.exe

  40. Anti-Virus Won’t Protect Us Ce.exe analyzed on Virus Total 31% detection on days 1, 2 48% detection on day 3 21% detection for SMS.exe

  41. Some Websites Injected with tejary.net

  42. Solutions

More Related