560 likes | 702 Views
Hacked While Browsing — Using the Web to Spread Malware. Kah-Kin Ho Cisco. Agenda. Botnet Business Models Making Bots: Five Infection Vectors Hacked While Browsing Solutions Conclusion. Botnet Business. The Professional. Smartbot.Net Malware Opened CD-ROM tray
E N D
Hacked While Browsing —Using the Web to Spread Malware Kah-Kin Ho Cisco
Agenda • Botnet Business Models • Making Bots: Five Infection Vectors • Hacked While Browsing • Solutions • Conclusion
The Professional Smartbot.Net Malware Opened CD-ROM tray “If your cd-rom drive’s open . . .you desperately need to rid your system of spyware pop-ups immediately! Download Spy Wiper now!” Spy Wiper sold for $30 $4M FTC judgment Sanford Wallace
Botnet Monetized Four Ways Rogue AV
If Infected, Fake Scan Recommends “Removal” “Antivirus XP has found 2794 threats. It is recommended to proceed with removal”
After Scan, Takes Me to Website Identifiesgeo-IP, Hides the Close Button Off the Screen
Day 1 Day 2 Day 3 Day 4 Day 5 Day 6 Day 7 Day 8 Day 9 Day 10 Total Bakasoftware Dashboard Showing 10 Days Revenue for #2 Affiliate Bakasoftware Is Master Criminal • Bakasoftware “scareware spyware” affiliate business • Affiliates load “scareware” onto their bots. • Affiliates paid commission when consumers purchase • This #2 Affiliate earned $147k in 10 days - $5M/year • 154,825 installations and 2,772 purchases Source: http://www.secureworks.com/research/threats/rogue-antivirus-part-2/?threat=rogue-antivirus-part-2
Making a Bot: Infection Vectors Social Engineering enables the first four methods • Search Engine Optimization • Spam with URL or active payload • Instant Messaging • Social Network Attacks • Network-based worm: Conficker
URL: Recipe for Disaster Web Browser Ecosystem Vulnerable Malware Defeats Anti-Virus Signatures Web Servers Vulnerable Understanding the Problem in Four Parts
The Web Page: A Security Primer • How does a Web Page Work? • HTML: Web site “recipe.” Initial HTML retrieval provides “recipe". Browser then fetches all objects listed in initial HTML “recipe”. • Web Resources: The actual ingredients.Retrieved, per the HTML, from any specified location. Includes • Images • Scripts • Executable objects (“plug-ins”) • Other web pages
BoingBoing.net: A Popular Blog URLs in browser: 1 HTTP Gets: 162 Images: 66from 18 domains including 5 separate 1x1 pixel invisibletracking images Scripts: 87 from 7 domains Cookies: 118 from 15 domains 8 Flash objects from 4 domains
URL: Recipe for Disaster Web Browser Ecosystem Vulnerable Malware Defeats Anti-Virus Signatures Web Servers Vulnerable Understanding the Problem in Four Parts
Web Browser Ecosystem Vulnerable SANS Top 20 2007 Security Risks http://www.sans.org/top20/#c1 • IE and Firefox vulnerable • “…hundreds of vulnerabilities in ActiveX controls installed by software vendors have been discovered.” • Media Players & Browser Helper Objects (BHO) • RealPlayer, iTunes, Flash, Quicktime, Windows Media • Explosion of BHOs and third-party plug-ins • Plug-ins are installed (semi) transparently by website. Users unaware an at-risk helper object or plug-in is installed … introducing more avenues for hackers to exploit users visiting malicious web sites.
URL: Recipe for Disaster Web Browser Ecosystem Vulnerable Malware Defeats Anti-Virus Signatures Web Servers Vulnerable Understanding the Problem in Four Parts
Malware Defeats Anti-Virus Signatures • Criminals have developed tools to mutate malware to defect signature-based detection • At DefCon teams of researchers proved their success yet again • Seven viruses and two exploits, all well-known, were mutated to defeat anti-virus engines • Winning time: 2 hours, 25 minutes
URL: Recipe for Disaster Web Browser Ecosystem Vulnerable Malware Defeats Anti-Virus Signatures Web Servers Vulnerable Understanding the Problem in Four Parts
What’s Happening on BrookeSeidl.com • brookeseidl.com registered at eNom 2002 • 63.249.17.64 hosted at Seattle’s ZipCon with 52 other domains • Script injected onto web page – one extra ingredient!
What Does Tejary.net/h.js Do? • Browser fetches h.js javascript from tejary.net • Tejary.net registered 2003 at GoDaddy and hosted on 68.178.160.68 in Arizona • Registered by Aljuraid, Mr Nassir A in Saudi Arabia • Tejary.net/h.js calls two remote iframe objects
V3i9.cn Domain Information • V3i9.cn registered at 北京新网互联科技有限公司 by 贾雨荷 On 3/25/09. DNS by mysuperdns.com • Hosted on 216.245.201.208 at Limestone Networks inDallas, TX • Fetched objects include • ipp.htm, real.html, real.js • 14.htm, 14.Js • flash.htm, igg.htm
It all starts with /c.htm loaded from tejary.net, said7.com Real Player Exploit /ipp.htm – Real Player exploit CVE-2008-1309 2/40 AV anti-virus vendors detect, calls real.html. Includes f#!kyoukaspersky /real.htm, /real.js – Real Player exploit CVE-2007-5601 MDAC (Microsoft Data Access Component) Exploit /14.htm, /14.js – exploits Exploit-MS06-014 vulnerability in the MDAC functions Flash Exploit /swfobject.js – detects flash version and selects according content /flash.htm – Flash exploit. 2/40 anti-virus vendors detect /igg.htm - ??? Called from /flash.htm for exploit? Exploit Resources Fetched from v3i9.cn
What Is Our Malware? • Dalai Lama reported office computers hacked • University of Toronto Munk Center found “GhostNet” surveillance malware • Keylogging, webcam monitoring, document retrieval • Exploit downloads ce.exe
Anti-Virus Won’t Protect Us Ce.exe analyzed on Virus Total 31% detection on days 1, 2 48% detection on day 3 21% detection for SMS.exe