Proof-Of-Concept: Signature Based Malware Detection for Websites and Domain Administrators - Anant Kochhar
Malware /`mæl.weə(ɹ)/ Software developed for the purpose of causing harm to a computer system and its users. Back Door, Key Logger, Botnet Zombie. Know them, “Trust” them.
First Wave: Mass SQL Injection
• First noticed in late 2007.
• Tool based.
• Identified vulnerable pages across the internet using search engines.
• Sprayed them with SQL injection payloads, which inserted script injections indiscriminately in all database columns; the infected data was then reflected in dynamic pages.
Payload Source: http://www.f-secure.com/weblog/archives/00001427.html
Source: http://www.scmagazineus.com/mass-sql-injection-attack-compromises-70000-websites/article/100497/
Source: http://www.scmagazineus.com/sql-attack-hits-125000-sites/article/159445/
Bulk of the spread: Self Propagation
• Inserts IFrame/script injections in all web pages on the victim’s machine.
• If the victim is a website admin, all his websites will be updated with infected pages.
• Or steals FTP passwords from the victim’s computer and updates the pages directly on the web server.
PC Based Security for Malware
Source: http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf
Prevention…
• “Process”.
• Use Linux-based dedicated machines for website administration.
But even the best process cannot be 100% effective because…
Indirect Risks: The Legitimate Can Also Become Dangerous
[Diagram: site A links to site B, which carries an iframe injection.]
All internal and external users of the “clean” site A are also at risk now.
Accept the risk… the Alternative: Fast Detection and Quick Remedy
• Contain the spread of infection.
• Protect the reputation of the website.
Detection Part 1: Detect ALL External Sites Linking from your websites
2 Methods
• Internal Scans: scanners that reside on the web server and scan all web pages for external links.
• External Scans: crawlers, not residing on the web server, that scan all pages from the internet.
Internal Scans
• Pros: will be exhaustive and will scan pages behind authentication.
• Cons: will affect web server performance and can even crash the server.
External Scans
• Pros: can be run as often as possible; has virtually no effect on the web server.
• Cons: will depend on network conditions; the breadth and depth of the scan may not be exhaustive.
The Scanner Must:
• Detect and list all external sites in a website.
• Ideally NOT visit any external websites, because it may put the system at risk.
Detection Part 2: Detecting malware spreading sites in the list of external sites.
Behavior Analysis Detection Model
• Visit the external site.
• Download suspected malware.
• Analyze it.
• And determine if it is malware or not.
[Diagram: a dynamic scan visits abc.xyz (legitimate) and efg.xyz (iframe redirection to malware).]
Behavior Analysis
• Expensive: requires a dedicated setup.
• Slow: takes time to analyze all code downloaded from external websites.
• Newer malware is designed to fool it (delayed activation etc.).
• Will not detect infected ‘site B’.
Signature Based Detection Model
• Downloads signatures of malware infected sites.
• Compares the list of external sites to the signatures.
[Diagram: multi-sourced signatures are compared against the list of external sites, yielding positive matches.]
Signature Based
• Cheap: can be done on any machine.
• Several “freely” available sources of signatures.
• Fast: comparison takes a fraction of the time.
• Safe: malware is not downloaded on the machine.
• Will detect infected ‘site B’.
Final Model
• External scanner/crawler that will continuously scan the entire domain for external sites.
• At least 2 sources of signatures. Update as frequently as possible.
Ideally…
• Crawl time > Signature update time.
• On every signature update, the list of external sites from the (n-1)th crawl should be used for full comparison.
On A Positive Match
• Immediately remove the malware site link from the infected page.
• Run AV and malware detection scans on the affected server.
• Or quarantine suspected computers…
• Change the FTP password.
[Diagram: a continuous crawl produces the list of external sites, which is compared against multi-sourced signatures to yield positive matches.]
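Both detection parts of the final model (part 1: listing external hosts from crawled pages without visiting them; part 2: comparing that list against at least two signature sources) as an added Python example, not code from the slides; the site name, page HTML and signature lists are constructed, and the two-label rule for "internal" hosts is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed crawl of "www.example-site.test"; the second page carries a hidden iframe.
SITE_HOST = "www.example-site.test"
PAGES = {
    "http://www.example-site.test/": '<a href="/about.html">About</a>'
        '<script src="http://cdn.example-site.test/app.js"></script>',
    "http://www.example-site.test/about.html":
        '<iframe src="http://bad.example-malware.test/x.htm" width=0 height=0></iframe>'
        '<a href="https://partner.example-clean.test/">Partner</a>',
}
# Two constructed signature sources standing in for downloaded blacklists.
SOURCES = {
    "source_a": {"example-malware.test"},
    "source_b": {"bad.example-malware.test", "other.test"},
}
class RefCollector(HTMLParser):
    """Collect the host of every href/src (links, iframes, scripts, images)."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlsplit(urljoin(self.base_url, value)).hostname
                if host:
                    self.hosts.add(host)
def is_internal(host, site_host):
    # Assumption: the registrable domain is the last two labels, so cdn.* is internal.
    root = ".".join(site_host.split(".")[-2:])
    return host == root or host.endswith("." + root)
def external_hosts(pages, site_host):
    """Part 1: list external hosts from crawled HTML alone, never fetching them."""
    found = set()
    for url, html in pages.items():
        collector = RefCollector(url)
        collector.feed(html)
        found |= {h for h in collector.hosts if not is_internal(h, site_host)}
    return found
def match_signatures(hosts, sources):
    """Part 2: {host: [source names]} for hosts equal to, or under, a blacklisted domain."""
    hits = {}
    for host in sorted(hosts):
        for name, bad in sources.items():
            if any(host == d or host.endswith("." + d) for d in bad):
                hits.setdefault(host, []).append(name)
    return hits
```

Running `match_signatures(external_hosts(PAGES, SITE_HOST), SOURCES)` flags only the iframe host, reported by both sources, while the partner link and the site's own CDN are left alone.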
Thank you anant.kochhar@secureyes.net