Presentation is loading. Please wait.

Presentation is loading. Please wait.

Proof-Of-Concept: Signature Based Malware Detection for Websites and Domain Administrators - Anant Kochhar.

Published byRonald Lawrence Modified over 8 years ago

Similar presentations

Presentation on theme: "Proof-Of-Concept: Signature Based Malware Detection for Websites and Domain Administrators - Anant Kochhar."— Presentation transcript:

1 Proof-Of-Concept: Signature Based Malware Detection for Websites and Domain Administrators - Anant Kochhar

2 2 Malware /`mæl.weə( ɹ )/ SoftwareSoftware developed for the purpose of causing harm to a computer system and its users. Back Door, Key Logger, Botnet Zombie

3 3

4 4 Know them, “Trust” them

5 5 Drive-By Downloads AKA IFRAME and Script Injections

6 6

7 7

8 8

9 9 First Wave: Mass SQL Injection First noticed in late 2007. Tool based. Identified vulnerable pages across the internet using search engines. Sprayed them with SQL injection payloads- Inserted script injections indiscriminately in all database columns Infected data was reflected in dynamic pages

10 10 Payload Source: http://www.f-secure.com/weblog/archives/00001427.html

11 11 Affected Page With Rubbish Data

12 12 Source: http://www.scmagazineus.com/mass-sql-injection-attack- compromises-70000-websites/article/100497/ Source: http://www.scmagazineus.com/sql-attack-hits-125000- sites/article/159445/

13 13 Bulk of the spread: Self Propagation Inserts IFrame/ Script injections in all web pages in the victim’s machine If victim = website admin, all his websites will be updated with infected pages. Or steals FTP passwords from victims’ computer and updates the pages directly on the web server.

14 14.abc.xyz SportsFashionCollegeMovies

15 15

16 16 PC Based Security for Malwares Source: http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf

17 17.abc.xyz SportsFashionCollegeMovies

18 18

19 19

20 20 Prevention… “Process”. Use linux-based dedicated machines for website administration. But even the best process cannot be 100% effective because…

21 21 Indirect Risks: The Legitimate can also becomes Dangerous All internal and external users of the “clean” site A are also at risk now.

22 22 Accept the risk… the Alternative: Fast Detection and Quick Remedy 1.Contain the spread of infection. 2.Protect reputation of the website.

23 23 Detection Part 1: Detect ALL External Sites Linking from your websites

24 24 2 Methods Internal Scans- Scanners that reside in the web server and scan all web pages for external links. External Scans- Crawlers, not residing in the web server, that will scan all pages from the internet.

25 25 Internal Scans Pros Will be exhaustive and will scan pages behind authentication. Cons Will affect web server performance and can even crash the server.

26 26 External Scans Pros Can be run as often as possible. Has virtually no affect on the web server. Cons Will depend on network conditions. Breadth and the Depth of the scan may not be exhaustive.

27 27 The Scanner Must: Detect and list all external sites in a website. Ideally NOT visit any external websites Because it may put the system at risk.

28 28 Detection Part 2: Detecting malware spreading sites in the list of external sites.

29 29 Behavior Analysis Detection Model Visit the external site Download suspected malware Analyze it And determine if it is malware or not.

30 30 fashion. abc.xyz efg.xyz Iframe redirection Malware Legitimate Dynamic Scan

31 31 Behavior Analysis Expensive- requires a dedicated setup. Slow- takes time to analyze all codes downloaded from external websites. Newer malwares are designed to fool it- delayed activation etc. Will not detect infected ‘site B’

32 32 Signature Based Detection Model Downloads signatures of malware infected sites. Compares the list of external sites to the signatures.

33 33 Multi Sourced Signatures List of external sites. Positive Matches

34 34 Signature Based Cheap- can be done on any machine. Several “freely” available sources of signatures. Fast- comparison takes a fraction of the time. Safe- malware is not downloaded on the machine. Will detect infected ‘site B’.

35 35 Final Model External Scanner/ crawler that will continuously scan the entire domain for external sites. At least 2 sources of signatures. Update as frequently as possible.

36 36 Ideally… Crawl time > Signature update time. On every signature update, the list of external site from (n- 1)th crawl should be used for full comparison.

37 37 On A Positive Match Immediately remove the malware site link from the infected page. Run AV and malware detection scans on the affected server. Or quarantine suspected computers… Change FTP password.

38 38 Multi Sourced Signatures List of external sites. Positive Matches Continuous Crawl Compare

39 39 Thank you anant.kochhar@secureyes.net

Download ppt "Proof-Of-Concept: Signature Based Malware Detection for Websites and Domain Administrators - Anant Kochhar."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
The Threat Landscape Jan 2013. 2013 Threat Report 2.

The Threat Landscape Jan Threat Report 2.
Internet Safety Topic 2 Malware This presentation by Tim Fraser Malware is short for malicious software VirusesViruses SpywareSpyware AdwareAdware other.

Internet Safety Topic 2 Malware This presentation by Tim Fraser Malware is short for malicious software VirusesViruses SpywareSpyware AdwareAdware other.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
1 Anti Virus System i-Specific Anti-Virus Product.

1 Anti Virus System i-Specific Anti-Virus Product.
1 Panda GateDefender Performa Your First Line of Defense Product Presentation Name 2008.

1 Panda GateDefender Performa Your First Line of Defense Product Presentation Name 2008.
Cyber X-Force-SMS alert system for E-mail threats.

Cyber X-Force-SMS alert system for threats.
By Joshua T. I. Towers. 13.3 $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.

By Joshua T. I. Towers $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.
Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.

Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.

Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
Static VS Dynamic websites. 1-What are the advantages and disadvantages? 2- Which one should you choose and why?

Static VS Dynamic websites. 1-What are the advantages and disadvantages? 2- Which one should you choose and why?
Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.

Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.

Similar presentations

Ads by Google