Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

Published byAlfred Burke Modified over 8 years ago

Similar presentations

Presentation on theme: "1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),"— Presentation transcript:

1 1 All Your iFRAMEs Point to Us Mike Burry

2 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic), just by visiting malicious URL. Executable(s) downloaded to client machine without visitors’ knowledge & installed Unpatched, vulnerable browsers or plugins Traditional defenses are powerless (firewalls, proxies, dynamic addressing) - pull-based Malicious code (typically Javascript) Downloaded without user interaction (automatic), just by visiting malicious URL. Executable(s) downloaded to client machine without visitors’ knowledge & installed Unpatched, vulnerable browsers or plugins Traditional defenses are powerless (firewalls, proxies, dynamic addressing) - pull-based

3 3 ‘Malicious’ websites are typically victims too Vulnerable scripting applications (phpBB2) allow direct access to O/S and its web server(s) Inject new content via invisible HTML components (0 pixel iFRAME) Visitor contributed content (forum, blog) - very dangerous - no web server compromise needed ALWAYS sanitize user input! Malicious content is typically hosted elsewhere (distribution site) Vulnerable scripting applications (phpBB2) allow direct access to O/S and its web server(s) Inject new content via invisible HTML components (0 pixel iFRAME) Visitor contributed content (forum, blog) - very dangerous - no web server compromise needed ALWAYS sanitize user input! Malicious content is typically hosted elsewhere (distribution site)

4 4 Infection Process Visit malicious URL Initial exploit script (via iFRAME) downloaded Script targets browser or plugin vulnerability Exploit results in browser connecting to malware distribution site (typically on different host) to retrieve executable(s). Executable is installed on infected system Visit malicious URL Initial exploit script (via iFRAME) downloaded Script targets browser or plugin vulnerability Exploit results in browser connecting to malware distribution site (typically on different host) to retrieve executable(s). Executable is installed on infected system

5 5 Avoiding Detection Hidden from view on website (iFRAME) Javascript obfuscation Multiple redirections before contacting malware distribution site Hidden from view on website (iFRAME) Javascript obfuscation Multiple redirections before contacting malware distribution site

6 6 Scanning/Verification Process Large honeynet simultaneously runs many MS Windows VM’s Each running unpatched IE instances Combination of: Execution based heuristics run for ~2 minutes - monitor: file system / processes / registry Anti-virus engines to check HTTP responses A score is assigned to all URLs & threshold set Large honeynet simultaneously runs many MS Windows VM’s Each running unpatched IE instances Combination of: Execution based heuristics run for ~2 minutes - monitor: file system / processes / registry Anti-virus engines to check HTTP responses A score is assigned to all URLs & threshold set

7 7 How Common are D-BD’s? Data collection periodJan - Oct 2007 (10 months) Total URLs checked (in-depth)66,534,330 Unique suspicious URLs3,385,889 Unique malicious URLs3,417,590 Unique malicious sites181,699 Unique distribution sites9,340 *Malicious: meets threshold AND one of the incoming HTTP responses is marked as malicious by at least one anti-virus scanner *Suspicious: meets threshold BUT none of the incoming HTTP responses are marked as malicious by any anti-virus scanner approx. 1 million URLs daily / 25k flagged as malicious

8 8 Potential Impact on End- User Nearly 1.3% of Google’s search queries return at least one malicious result About 0.6% of the top million URLs that appeared most frequently in Google's search results led to exposure of malicious activity at some point. “Gray content” (Adult) sites have a higher risk (0.6+% vs 0.2-0.35%) -- 2-3 times more common. Other functional categories on the Web have about equal distribution “Safe browsing” helps, but is not an effective safeguard Nearly 1.3% of Google’s search queries return at least one malicious result About 0.6% of the top million URLs that appeared most frequently in Google's search results led to exposure of malicious activity at some point. “Gray content” (Adult) sites have a higher risk (0.6+% vs 0.2-0.35%) -- 2-3 times more common. Other functional categories on the Web have about equal distribution “Safe browsing” helps, but is not an effective safeguard

9 9 Geography of Malicious Sites 96% of landing sites in China point to malware distribution servers located in same country Remaining distribution/landing sites (~10%) spread out across globe 96% of landing sites in China point to malware distribution servers located in same country Remaining distribution/landing sites (~10%) spread out across globe Distribution. Site hosting country % of all distribution sites Landing site hosting country % of all landing sites China67%China64.4% US15%US15.6% Russia4%Russia5.6% Malaysia2%Korea2% Korea2%Germany2%

10 10 Web Server Software A significant # of landing sites are running outdated software with well known vulnerabilities. 38% of Apache servers had known vulnerabilities 40% of servers with PHP support had known vulnerabilities A significant # of landing sites are running outdated software with well known vulnerabilities. 38% of Apache servers had known vulnerabilities 40% of servers with PHP support had known vulnerabilities

11 11 Ad Syndication Majority of Web advertisements are distributed in the form of 3rd party content (Ad syndication) A web page is only as secure as its weakest component A “secure” site with insecure ads is insecure 2% of landing pages delivered malware via ads 75% of these landing pages use multiple levels of syndication Ads appear on 1,000’s of websites instantaneously Very easy way to inject content to large visitor base without need to compromise any web server. Large impact, but short lived. Majority of Web advertisements are distributed in the form of 3rd party content (Ad syndication) A web page is only as secure as its weakest component A “secure” site with insecure ads is insecure 2% of landing pages delivered malware via ads 75% of these landing pages use multiple levels of syndication Ads appear on 1,000’s of websites instantaneously Very easy way to inject content to large visitor base without need to compromise any web server. Large impact, but short lived.

12 12 Distribution Networks Distribution Network = all the landing sites which point to a single distribution site Vast majority were subdomains on free hosting services or short-lived domains created in bulk Networks range from sizes of 1 to over 21,000 45% have only 1 landing site Is this to avoid detection? Distribution Network = all the landing sites which point to a single distribution site Vast majority were subdomains on free hosting services or short-lived domains created in bulk Networks range from sizes of 1 to over 21,000 45% have only 1 landing site Is this to avoid detection?

13 13 Distribution Networks (cont.) 42% deliver only a single malware binary, while 3% had over 100. 80% of networks share at least 1 landing page Several landing pages have multiple iFRAMES to different distribution sites Easy targets? 42% deliver only a single malware binary, while 3% had over 100. 80% of networks share at least 1 landing page Several landing pages have multiple iFRAMES to different distribution sites Easy targets?

14 14 Post Infection Impact On average, 8 downloads occur Up to 60 downloads has been observed Increase in # of running processes on VM 58% of landing pages caused registry changes On average, 8 downloads occur Up to 60 downloads has been observed Increase in # of running processes on VM 58% of landing pages caused registry changes CategoryBHOPreferencesSecurityStartup URL %7%24%36%51% *BHO: Browser Helper Object (privileged state) *Preferences: Homepage / search engine / name server changes *Security: Firewall settings / disable automatic updates *Startup: Persist across reboots

15 15 Post Infection Impact (cont.) Network activity 87%: HTTP (ports 80 & 8080) due to binary downloads 8.3%: IRC (6660 - 7001) account for more than 50% of all non- HTTP traffic. Most likely adding to botnet. < 1 %: FTP (21), UPnP (1900), Mail (25) 2.25%: Other ports combined Network activity 87%: HTTP (ports 80 & 8080) due to binary downloads 8.3%: IRC (6660 - 7001) account for more than 50% of all non- HTTP traffic. Most likely adding to botnet. < 1 %: FTP (21), UPnP (1900), Mail (25) 2.25%: Other ports combined

16 16 Anti-Virus Detection Rates The best AV engine tested (out of 3) successfully detected an average of 70% of malware. The worst AV engine detected approx. 25%. The best AV engine tested (out of 3) successfully detected an average of 70% of malware. The worst AV engine detected approx. 25%.

Download ppt "1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),"

Similar presentations

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.

Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.
CHAPTER 15 WEBPAGE OPTIMIZATION. LEARNING OBJECTIVES How to test your web-page performance How browser and server interactions impact performance What.

CHAPTER 15 WEBPAGE OPTIMIZATION. LEARNING OBJECTIVES How to test your web-page performance How browser and server interactions impact performance What.
PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.

PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
Mitigating Malware Collin Jackson CS142 – Winter 2009.

Mitigating Malware Collin Jackson CS142 – Winter 2009.
The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405. QQ is one of the.

The development of Internet A cow was lost in Jan 14th If you know where it is, please contact with me. My QQ number is QQ is one of the.
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.

AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.
A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.

A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.
Threat Overview: The Italian Job / HTML_IFRAME.CU June 18, 2007.

Threat Overview: The Italian Job / HTML_IFRAME.CU June 18, 2007.
Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
1 CS 502: Computing Methods for Digital Libraries Lecture 22 Web browsers.

1 CS 502: Computing Methods for Digital Libraries Lecture 22 Web browsers.
Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.

Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.
Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.

Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.
Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology.

Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology.

Similar presentations

Ads by Google