All Your iFRAMEs Point to Us • Mike Burry
Drive-by downloads
• Malicious code (typically JavaScript)
• Downloaded without user interaction (automatically), just by visiting a malicious URL
• Executable(s) are downloaded to the client machine and installed without the visitor's knowledge
• Targets unpatched, vulnerable browsers or plugins
• Traditional defenses are powerless (firewalls, proxies, dynamic addressing): the attack is pull-based, the victim's browser initiates the connection
'Malicious' websites are typically victims too
• Vulnerable scripting applications (e.g. phpBB2) allow direct access to the O/S and its web server(s)
• New content is injected via invisible HTML components (0-pixel iFRAME)
• Visitor-contributed content (forum, blog) is very dangerous: no web server compromise is needed
• ALWAYS sanitize user input!
• Malicious content is typically hosted elsewhere (the distribution site)
Infection Process
• Visit a malicious URL
• Initial exploit script (via iFRAME) is downloaded
• Script targets a browser or plugin vulnerability
• Exploit results in the browser connecting to a malware distribution site (typically on a different host) to retrieve executable(s)
• Executable is installed on the infected system
Avoiding Detection
• Hidden from view on the website (iFRAME)
• JavaScript obfuscation
• Multiple redirections before contacting the malware distribution site
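The two defender-side points in the previous slides, sanitizing visitor-contributed content so an injected iFRAME is rendered as text, and scanning served pages for iFRAMEs hidden from view, as an added example. This is illustrative code written for these notes, not code from the talk or from the paper; the sample forum post and the hostname distribution-site.invalid are constructed, and the hidden-iFRAME heuristics (zero width/height, display:none, visibility:hidden) are an assumption about what "hidden from view" looks like in markup.

```python
import html
import re

# Constructed sample: a forum post as a visitor submitted it, carrying an injected
# zero-pixel iframe of the kind the slides describe (placeholder hostname).
USER_POST = (
    "Great article!"
    '<iframe src="http://distribution-site.invalid/x.html" width="0" height="0" '
    'style="visibility:hidden"></iframe>'
)

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')


def iframe_attributes(tag_body: str) -> dict:
    """Parse the attribute list of one <iframe ...> tag into a dict (lower-cased keys)."""
    return {k.lower(): v for k, v in ATTR_RE.findall(tag_body)}


def is_hidden_iframe(attrs: dict) -> bool:
    """Heuristic: an iframe the visitor cannot see is a strong indicator of injection."""
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    if width in ("0", "0px") or height in ("0", "0px"):
        return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(width|height):0(px)?(;|$)", style):
        return True
    return False


def find_hidden_iframes(page_html: str) -> list:
    """Return the src of every iframe in the page that is hidden from view."""
    hits = []
    for m in IFRAME_RE.finditer(page_html):
        attrs = iframe_attributes(m.group(1))
        if is_hidden_iframe(attrs):
            hits.append(attrs.get("src", ""))
    return hits


def render_user_content(text: str) -> str:
    """Escape visitor-contributed text before embedding it in a page, so any
    <iframe> the visitor typed is shown as literal text rather than parsed as markup."""
    return html.escape(text, quote=True)


def page_with(content: str) -> str:
    """Wrap post content in a minimal page, the way a forum template would."""
    return f"<html><body><div class='post'>{content}</div></body></html>"


if __name__ == "__main__":
    unsafe = page_with(USER_POST)                      # content embedded raw
    safe = page_with(render_user_content(USER_POST))   # content escaped first
    print("hidden iframes in raw page:    ", find_hidden_iframes(unsafe))
    print("hidden iframes in escaped page:", find_hidden_iframes(safe))
```

The scanner is a cheap first pass for a site operator checking their own pages; it catches the "0 pixel iFRAME" case directly, while JavaScript-obfuscated injection (the next bullet on the slide) would need the page rendered in a browser or sandbox before the same check applies.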
Scanning/Verification Process
• A large honeynet simultaneously runs many MS Windows VMs, each running unpatched IE instances
• Combination of:
  • Execution-based heuristics: run each URL for ~2 minutes and monitor file system / processes / registry
  • Anti-virus engines check the HTTP responses
• A score is assigned to every URL and a threshold is set
How Common are Drive-by Downloads?
• Approx. 1 million URLs daily / 25k flagged as malicious
• *Malicious: meets the threshold AND at least one of the incoming HTTP responses is marked as malicious by at least one anti-virus scanner
• *Suspicious: meets the threshold BUT none of the incoming HTTP responses is marked as malicious by any anti-virus scanner
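The scoring and labelling logic from the last two slides (execution-based heuristics producing a score, a threshold, and the AV verdict deciding between malicious and suspicious), as an added example for these notes rather than the paper's own scoring code. The per-indicator weights, the threshold value of 3 and the sample visit results are all constructed assumptions; the slides only say that a score is assigned and a threshold set.

```python
from dataclasses import dataclass

# Assumed threshold: the slides state that a threshold is used but not its value.
THRESHOLD = 3


@dataclass
class VisitResult:
    """What the honeynet VM observed while rendering one URL for ~2 minutes."""
    url: str
    new_processes: int         # processes started during the run
    new_files: int             # files created outside the browser cache
    registry_changes: int      # registry keys/values modified
    av_flagged_responses: int  # HTTP responses flagged by at least one AV engine


def heuristic_score(r: VisitResult) -> int:
    """Execution-based score; weights are illustrative assumptions."""
    score = 0
    if r.new_processes > 0:
        score += 2   # a spawned process is the strongest single signal
    if r.new_files > 0:
        score += 1
    if r.registry_changes > 0:
        score += 1
    return score


def classify(r: VisitResult, threshold: int = THRESHOLD) -> str:
    """Apply the slide's definitions: below threshold is not flagged at all;
    at/above threshold the AV verdict splits malicious from suspicious."""
    if heuristic_score(r) < threshold:
        return "clean"
    return "malicious" if r.av_flagged_responses > 0 else "suspicious"


def summarize(results) -> dict:
    """Count URLs per label, the kind of daily tally the slide reports."""
    tally = {"clean": 0, "suspicious": 0, "malicious": 0}
    for r in results:
        tally[classify(r)] += 1
    return tally


# Constructed sample of one scan batch (placeholder URLs).
SAMPLE_RESULTS = [
    VisitResult("http://landing-a.invalid/", 3, 5, 2, 1),   # behaviour + AV hit
    VisitResult("http://landing-b.invalid/", 1, 2, 0, 0),   # behaviour, no AV hit
    VisitResult("http://benign.invalid/", 0, 0, 0, 0),      # nothing observed
    VisitResult("http://landing-c.invalid/", 0, 1, 1, 1),   # AV hit but weak behaviour
]

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        print(f"{r.url:32} score={heuristic_score(r)} -> {classify(r)}")
    print(summarize(SAMPLE_RESULTS))
```

The fourth sample URL is the edge case worth noticing: an AV hit on its own does not make a URL "malicious" under the slide's definition, because the behavioural threshold must be met first; a deployment that wanted AV-only hits surfaced would need a separate label for them.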
Potential Impact on End-User
• Nearly 1.3% of Google's search queries return at least one malicious result
• About 0.6% of the top million URLs that appeared most frequently in Google's search results led to exposure of malicious activity at some point
• "Gray content" (adult) sites have a higher risk (0.6+% vs 0.2-0.35%): 2-3 times more common
• Other functional categories on the Web have about equal distribution
• "Safe browsing" helps, but is not an effective safeguard
Geography of Malicious Sites
• 96% of landing sites in China point to malware distribution servers located in the same country
• Remaining distribution/landing sites (~10%) are spread out across the globe
Web Server Software
• A significant number of landing sites are running outdated software with well-known vulnerabilities
• 38% of Apache servers had known vulnerabilities
• 40% of servers with PHP support had known vulnerabilities
Ad Syndication
• The majority of Web advertisements are distributed in the form of 3rd-party content (ad syndication)
• A web page is only as secure as its weakest component
• A "secure" site with insecure ads is insecure
• 2% of landing pages delivered malware via ads
• 75% of these landing pages use multiple levels of syndication
• Ads appear on thousands of websites instantaneously
• Very easy way to inject content to a large visitor base without the need to compromise any web server: large impact, but short-lived
Distribution Networks
• Distribution network = all the landing sites which point to a single distribution site
• The vast majority were subdomains on free hosting services or short-lived domains created in bulk
• Networks range in size from 1 to over 21,000
• 45% have only 1 landing site
• Is this to avoid detection?
Distribution Networks (cont.)
• 42% deliver only a single malware binary, while 3% had over 100
• 80% of networks share at least 1 landing page
• Several landing pages have multiple iFRAMEs to different distribution sites
• Easy targets?
Post Infection Impact
• On average, 8 downloads occur; up to 60 downloads have been observed
• Increase in the number of running processes on the VM
• 58% of landing pages caused registry changes:
  • BHO: Browser Helper Object (privileged state)
  • Preferences: homepage / search engine / name server changes
  • Security: firewall settings / disabling automatic updates
  • Startup: persist across reboots
Post Infection Impact (cont.)
• Network activity:
  • 87%: HTTP (ports 80 & 8080), due to binary downloads
  • 8.3%: IRC (ports 6660 - 7001), accounting for more than 50% of all non-HTTP traffic; most likely joining a botnet
  • < 1%: FTP (21), UPnP (1900), Mail (25)
  • 2.25%: all other ports combined
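The port-based breakdown on this slide, turned into the kind of check an analyst would run over a sandbox's outbound connection log to reproduce those percentages and pull out the IRC peers worth reviewing. This is an added example for these notes, not code from the paper; the connection records are constructed, and the addresses come from documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), so they are placeholders and not indicators of compromise.

```python
from collections import Counter

# Constructed sample of outbound TCP connections recorded from the VM during the
# post-infection monitoring window: (destination IP, destination port).
SAMPLE_CONNECTIONS = [
    ("203.0.113.10", 80), ("203.0.113.10", 80), ("203.0.113.11", 8080),
    ("203.0.113.12", 80), ("203.0.113.12", 80), ("203.0.113.13", 80),
    ("203.0.113.14", 80), ("203.0.113.15", 80),
    ("198.51.100.5", 6667), ("198.51.100.5", 6660), ("198.51.100.6", 7000),
    ("198.51.100.5", 6697),
    ("192.0.2.20", 21), ("192.0.2.21", 1900), ("192.0.2.22", 25),
]


def classify_port(port: int) -> str:
    """Map a destination port onto the categories used on the slide."""
    if port in (80, 8080):
        return "HTTP"
    if 6660 <= port <= 7001:
        return "IRC"
    if port == 21:
        return "FTP"
    if port == 1900:
        return "UPnP"
    if port == 25:
        return "Mail"
    return "Other"


def traffic_breakdown(connections) -> dict:
    """Percentage of connections per category, rounded to one decimal."""
    counts = Counter(classify_port(port) for _, port in connections)
    total = len(connections)
    return {cat: round(100.0 * n / total, 1) for cat, n in counts.items()}


def non_http_share(connections, category: str) -> float:
    """Share of the non-HTTP connections that fall in `category` (the slide's
    'more than 50% of all non-HTTP traffic' figure for IRC)."""
    non_http = [c for c in connections if classify_port(c[1]) != "HTTP"]
    if not non_http:
        return 0.0
    hits = sum(1 for c in non_http if classify_port(c[1]) == category)
    return round(100.0 * hits / len(non_http), 1)


def irc_peers(connections) -> list:
    """Distinct hosts contacted on IRC ports: candidate botnet C&C for review."""
    return sorted({ip for ip, port in connections if classify_port(port) == "IRC"})


if __name__ == "__main__":
    for cat, pct in sorted(traffic_breakdown(SAMPLE_CONNECTIONS).items()):
        print(f"{cat:5} {pct:5.1f}%")
    print("IRC share of non-HTTP:", non_http_share(SAMPLE_CONNECTIONS, "IRC"), "%")
    print("IRC peers to review:", irc_peers(SAMPLE_CONNECTIONS))
```

On a real sandbox trace the same grouping works over the connection log of whatever monitor the VM exposes; the point is that IRC on 6660-7001 from a freshly infected desktop is rarely legitimate, so the `irc_peers` list is the natural hand-off to whoever handles the botnet side.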
Anti-Virus Detection Rates
• The best AV engine tested (out of 3) successfully detected an average of 70% of the malware
• The worst AV engine detected approx. 25%