Advancements in Botnet Attacks and Malware Distribution

HOPE Conference, New York, July 2012
Aditya K Sood | Rohit Bansal | Richard J Enbody
SecNiche Security | Department of Computer Science and Engineering, Michigan State University

About Us
■ Aditya K Sood
      ● PhD Candidate at Michigan State University
          – Working for iSEC Partners
          – Active speaker at security conferences
          – LinkedIn: http://www.linkedin.com/in/adityaks
          – Website: http://www.secniche.org | Blog: http://secniche.blogspot.com
          – Twitter: @AdityaKSood

■ Rohit Bansal
          – Security Researcher, SecNiche Security Labs
          – Twitter: @0xrb

■ Dr. Richard J Enbody
      ● Associate Professor, CSE, Michigan State University
          – Teaching computer architecture / computer security since 1987
          – Co-author of the CS1 Python book, The Practice of Computing using Python
          – Patents pending: Hardware Buffer Overflow Protection

Agenda
■ Malware Paradigm
■ Browser Malware Taxonomy
■ Present-day Malware Propagation Tactics
■ Information Stealing Tactics
■ Conclusion

FUD (Fear, Uncertainty & Doubt)
■ FUD – FUD ||
   ─ Three pillars of robust malware design

Malware Paradigm

The Reality of the Internet!

Browser Malware Taxonomy
■ Class A – Browser Malware

Browser Malware Taxonomy
■ Class B – Browser Malware

Browser Malware Taxonomy
■ Class C – Browser Malware

Malware Lifecycle – Java Exploit
■ How malware makes its way into your system
   ─ Step 1: A vulnerability in a high-traffic website is exploited
            – To serve malware at large scale
   ─ Step 2: Detecting the malicious iframe in the website
       ● Let's extract the iframe from the malicious website
       ● The iframe points to a domain hosting applet.html
            – Avoid running it in the browser. Fetch it directly using wget/curl

Malware Lifecycle – Java Exploit
■ How malware makes its way into your system
   ─ Step 3: Detecting the malicious code
       ● So there is a Java applet with a "param" variable holding an executable
           – A quick analysis of the executable can be seen here:
             https://www.virustotal.com/file/5cb024356e6b391b367bc6a313da5b5f744d8a14cec860502446aaa3e1b4566e/analysis/1330713741/

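Steps 2 and 3 above are a triage pass that can be automated. The following is an added example, not code from the talk: it scans a fetched page for iframes that are hidden from the user and for applet params that point at an executable. The sample page and its .test domains are constructed placeholders, not indicators from the talk.

```python
"""Triage a fetched HTML page for hidden iframes and Java applets whose
<param> values point at an executable (steps 2 and 3 of the lifecycle).

Added example, not from the slides. The sample page below is constructed;
the domains and file names in it are placeholders, not real indicators.
"""
from html.parser import HTMLParser
import re

# Constructed sample resembling an injected iframe plus a loader applet.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://example-compromised.test/applet.html" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="http://partner.example/widget" width="300" height="250"></iframe>
<applet code="Loader.class" archive="http://example-compromised.test/l.jar" width="1" height="1">
  <param name="param" value="http://example-compromised.test/payload.exe">
  <param name="prime" value="4">
</applet>
</body></html>
"""


def _hidden(attrs):
    """True when an iframe is sized or styled so the user cannot see it."""
    w = attrs.get("width", "")
    h = attrs.get("height", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(v.strip().rstrip("px") in ("0", "1") for v in (w, h))
    return tiny or "display:none" in style or "visibility:hidden" in style


class DropperScanner(HTMLParser):
    """Collects hidden iframe targets and applet/param pairs from a page."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.applets = []
        self._applet = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and _hidden(attrs):
            self.hidden_iframes.append(attrs.get("src", ""))
        elif tag == "applet":
            self._applet = {"code": attrs.get("code", ""),
                            "archive": attrs.get("archive", ""), "params": {}}
        elif tag == "param" and self._applet is not None:
            self._applet["params"][attrs.get("name", "")] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet" and self._applet is not None:
            self.applets.append(self._applet)
            self._applet = None


# Param values that look like a download of native or Java code.
_EXE_RE = re.compile(r"https?://\S+\.(exe|dll|scr|jar)$", re.I)


def scan(html):
    """Return hidden iframe targets and (applet, param, value) triples that look like payloads."""
    s = DropperScanner()
    s.feed(html)
    s.close()
    payloads = [(a["code"], n, v) for a in s.applets
                for n, v in a["params"].items() if _EXE_RE.match(v)]
    return {"hidden_iframes": s.hidden_iframes, "applet_payloads": payloads}


if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML).items():
        print(key, value)
```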
Malware Lifecycle – Java Exploit
■ Dissecting the Malicious Java Applet
          – Let's see what we have

VBScript embedded in Java applet code

Implanting Malware (Bots)
Present-day Propagation Tactics

Exploiting Web Hosting
■ Data Centers | Web Hosting – Exploitation
   ─ Several websites are hosted on a single server sharing one IP address
           – DNS names are mapped virtually to the same IP
       ● A vulnerability in one website can seriously compromise the whole server
           – Insecure file upload functionality
                » Uploading remote management shells such as c99
                » An automated iframe injector embeds a malicious iframe on all web pages
                » Making configuration changes such as redirecting users to malicious domains
           – Cookie replay attacks against the hosting provider's website
                » Authentication bypass: reading customer queries on the web-based management panel
                » Extracting credentials directly by exploiting design flaws in hosting panels

Exploiting Web Hosting
■ Data Centers Exploitation
   ─ Automated iframe injector – cPanel exploitation

Automated iframer in action

Exploiting Web Hosting

Remote shell in action

Infection through Glype Proxies
■ Glype proxies
      ● Simple PHP scripts for anonymous surfing
      ● Hosted on legitimate domains, forcing users to surf through the proxy
          – Logging is enabled to collect information about users
               » A tactical way of exploiting the integrity of anonymous surfing
      ● Exploiting misconfigured proxies to deliver malware
          – Embedding Browser Exploit Packs (BEPs) with Glype proxies
               » A very effective and successful technique

Demonstration

Obfuscated Iframes

Browser Exploit Packs (BEPs)
■ Browser Exploit Pack
   ─ BlackHole is on fire
       ● Techniques
           – User-agent based fingerprinting
           – Plugin detector capability for scrutinizing the plugins
           – Serving the exploit once per IP address
           – Java exploits are used heavily for spreading infections
           – Support for other exploits such as PDF, Flash etc.

BlackHole configuration parameters | Java version fingerprinting

Browser Exploit Packs (BEPs)
■ Browser Exploit Pack
   ─ Exploit encoded with PHP ionCube

Browser Exploit Packs (BEPs)
■ Browser Exploit Pack
   ─ Interesting Tactics – A brief walkthrough
       ● JAVA SMB – one of the most effective exploits used in BlackHole
            – The exploit downloads a "new.avi" file to trigger exploitation
            – At present, the Java Array exploit is on fire
       ● Interesting to see what this file does
            – Running the file in VLC player produces an error
            – Can we rename "new.avi" to "new.jar"? Yes, we can.
                 » The result is here.

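The rename trick above is really a reminder to type downloaded files by content, not by extension. The following is an added example, not code from the talk: it sniffs magic bytes and ZIP members to tell a JAR served as ".avi" from a real AVI, and flags the mismatch. Both sample files are constructed in memory.

```python
"""Identify a downloaded file by its contents rather than its extension: the
"new.avi" served by the exploit kit above was really a JAR.

Added example, not from the slides; the sample files are constructed in memory.
"""
import io
import zipfile


def sniff(data: bytes) -> str:
    """Return 'jar', 'zip', 'avi', 'class', 'pe' or 'unknown' from magic bytes and content."""
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:4] == b"\xca\xfe\xba\xbe":          # Java class file magic
        return "class"
    if data[:2] == b"MZ":                         # Windows PE header
        return "pe"
    if data[:4] == b"PK\x03\x04":                 # ZIP local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # A JAR is a ZIP whose members include a manifest and/or class files.
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar"
        return "zip"
    return "unknown"


def mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a media file but the content is executable code."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = sniff(data)
    return ext in ("avi", "mp4", "gif", "jpg", "png") and kind in ("jar", "class", "pe")


def build_fake_jar() -> bytes:
    """Constructed sample: a minimal JAR with a manifest and a stub class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def build_fake_avi() -> bytes:
    """Constructed sample: a RIFF/AVI header with no real frames."""
    body = b"AVI LIST" + b"\x00" * 16
    return b"RIFF" + len(body).to_bytes(4, "little") + body


if __name__ == "__main__":
    for name, blob in (("new.avi", build_fake_jar()), ("clip.avi", build_fake_avi())):
        print(name, sniff(blob), "MISMATCH" if mismatch(name, blob) else "ok")
```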
Drive-by Frameworks

Drive-by Frameworks

Demonstration

Malware on the Cloud
■ AWS Cloud Malware
   ─ Attackers are targeting AWS to host malware

Unpacked

Malware on the Cloud
■ AWS Cloud Malware
  ─ On reversing, the package downloads the malware into the "c:winsys" directory from another repository on AWS
      ● The downloaded files are presented below

Malicious files extracted from the package

Malware on the Cloud
■ AWS Cloud Malware
  ─ Afterwards
            – Some of the files were again packed with the UPX packer
            – All the files were flagged as malicious

Sent an alert in the form of a tweet to Amazon. The malware was removed.
Executables are flagged as malicious

Malvertisements
■ Malvertisement
        ● Online malicious advertisements
        ● Content Delivery Networks (CDNs) are infected to trigger malvertising
              – Distributed attack

Armorize's Blog - http://blog.armorize.com/2011/05/porn-sites-have-lots-of-trafficand.html
Malvertisement Paper - http://www.slideshare.net/adityaks/malvertising-exploiting-web-advertising

Exploiting Social Networks
■ Social Networks
      ● Attackers exploit the inherent design flaws in social networks
      ● Used to spread malware at large scale
   ─ LikeJacking (=~ ClickJacking)
      ● Used to add malicious links to the user's Facebook profile
      ● LikeJacking is used in combination with ClickJacking
      ● Efficient in spreading malware

Demonstration

Present-day Botnets
Information Stealing and Manipulation Tactics

Man-in-the-Browser (MitB)
■ Subverting Browser Integrity
   ─ Exploits the victim system and the browser environment
        ● SSL / PKI does not stop infections by MitB
        ● Two-factor / SSO authentication modules do not stop it
        ● Concept of browser rootkits
        ● Implements hooking
        ● Exploits online banking

http://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf

Web Injects – Infection on the Fly
■ Web Injects
   ─ Injecting the incoming request with malicious content
   ─ The primary aim is to inject credential-stealing forms, JavaScript and input tags
   ─ Concept of Third Generation Botnets (give me your money)

Web Injects – Log Detection

http://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html

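Both the infection-on-the-fly slide and the log-detection slide above revolve around the webinjects configuration a bot carries. The following is an added example, not code from the talk or from the referenced blog post: it parses that configuration in the Zeus/SpyEye text layout, lists which entries target a given URL, and reproduces from a captured page what the victim's browser rendered, which is what an incident report needs. The config, the page and the examplebank.test host are constructed; the set_url / data_before / data_inject / data_after / data_end layout and the "*" wildcard semantics are assumed from public write-ups of the format.

```python
"""Parse a Zeus/SpyEye-style webinjects configuration and reproduce, for
incident analysis, what an inject does to a captured page.

Added example, not from the slides. The config and page are constructed; the
bank host is a placeholder. Assumed format: "set_url <mask> <flags>" followed
by data_before / data_inject / data_after blocks, each closed by data_end.
"""
import re
from fnmatch import fnmatchcase

SAMPLE_CONFIG = """
set_url https://online.examplebank.test/login* GP
data_before
<input type="password" name="pwd"*/>
data_end
data_inject
<div><label>ATM PIN</label><input type="text" name="atmpin"></div>
data_end
data_after
data_end
"""

SAMPLE_PAGE = """<form action="/login" method="post">
<input type="text" name="user"/>
<input type="password" name="pwd" maxlength="20"/>
<input type="submit" value="Sign in"/>
</form>"""


def parse_webinjects(text):
    """Return a list of {'mask','flags','before','inject','after'} entries."""
    entries, cur, block, buf = [], None, None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("set_url"):
            parts = s.split()
            cur = {"mask": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                   "before": "", "inject": "", "after": ""}
            entries.append(cur)
        elif s in ("data_before", "data_inject", "data_after"):
            block, buf = s[5:], []          # "data_before" -> "before", etc.
        elif s == "data_end" and cur is not None and block:
            cur[block] = "\n".join(buf)
            block = None
        elif block is not None:
            buf.append(line)
    return entries


def url_targeted(url, entries):
    """Masks use '*' as a wildcard (assumed); return the entries whose mask matches url."""
    return [e for e in entries if fnmatchcase(url, e["mask"])]


def _anchor_regex(anchor):
    # '*' inside an anchor is a wildcard; everything else is matched literally.
    return re.compile(".*?".join(re.escape(p) for p in anchor.split("*")), re.S)


def apply_inject(page, entry):
    """Insert entry['inject'] right after the data_before anchor, if both anchors are found."""
    m = _anchor_regex(entry["before"]).search(page) if entry["before"] else None
    if entry["before"] and not m:
        return page                         # anchor absent: page left untouched
    pos = m.end() if m else 0
    if entry["after"] and not _anchor_regex(entry["after"]).search(page, pos):
        return page
    return page[:pos] + "\n" + entry["inject"] + page[pos:]


def analyse(config, url, page):
    """Which entries target url, and what the victim's browser would have rendered."""
    hits = url_targeted(url, parse_webinjects(config))
    rendered = page
    for e in hits:
        rendered = apply_inject(rendered, e)
    return hits, rendered


if __name__ == "__main__":
    hits, rendered = analyse(SAMPLE_CONFIG,
                             "https://online.examplebank.test/login?lang=en", SAMPLE_PAGE)
    print(len(hits), "matching inject(s)")
    print(rendered)
```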
Web Injects – Action

Web Fakes
■ Understanding Web Fakes
        ● Plugins used to spoof the content in browsers
        ● Supports both protocols, HTTP and HTTPS
        ● Based on the concept of internal URL redirection
        ● All browsers are affected
■ How?
   ─ Plugins use the metrics defined in the configuration file
        ● URL_MASK
        ● URL_REDIRECT
        ● FLAGS
        ● POST_BLACK_MASK
        ● POST_WHITE_MASK
        ● BLOCK_URL
        ● WEBFAKE_NAME
        ● UNBLOCK_URL

Web Fakes – Function Calls

Web Fakes – Real Example

Browsers – Form Grabbing
■ Why?
  ─ Keylogging produces a plethora of data
  ─ Form grabbing – extracting data from the GET/POST requests
  ─ Based on the concept of hooking
  ─ Virtual keyboards
       ● Form grabbing still captures the POST requests they send
       ● No real protection against malware

Browsers – Form Grabbing
■ Facts and Reality
   ─ All the third generation botnets use this technique
   ─ Very hard to overcome the consequences
   ─ All browsers can be circumvented to execute non-legitimate hooks

Demonstration

Other Information Stealing Tactics
■ Bot Plugin Architecture
   ─ Credit Card Grabber
   ─ Certificates Grabber
   ─ SOCKS 5 Backconnect
   ─ FTP Backconnect
   ─ RDP Backconnect
   ─ DDoS Plugins
   ─ Webcam Hijacker
   ─ Infecting Messengers (Spreaders)
   ─ And so on, depending on the design!

Questions!

Thanks
■ HOPE Conference Crew
        ● http://www.hope.net

■ SecNiche Security Labs
        ● http://www.secniche.org
        ● http://secniche.blogspot.com

■ Contact Me
   ─ Email: adi_ks [at] secniche.org

The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks

  • 10. Malware Lifecycle – Java Exploit
      Malware making a place into your system
        ─ Step 1: A vulnerability in a high-traffic website is exploited
           – To serve malware at large scale
        ─ Step 2: Detecting the malicious iframe in the website
           ● Let's extract the iframe from the malicious website
           ● The iframe points to some domain hosting applet.html
              – Avoid running it in the browser. Fetch it directly using wget/curl
  • 11. Malware Lifecycle – Java Exploit
      Malware making a place into your system
        ─ Step 3: Detecting the malicious code
           ● So, there is a Java applet with a "param" variable holding an executable
              – A quick analysis of the executable can be seen here:
                https://www.virustotal.com/file/5cb024356e6b391b367bc6a313da5b5f744d8a14cec860502446aaa3e1b4566e/analysis/1330713741/
  • 12. Malware Lifecycle – Java Exploit
      Dissecting the Malicious Java Applet
        – Let's see what we have: VBScript embedded in the Java applet code
  • 13. Implanting Malware (Bots)
      Present-day Propagation Tactics
  • 14. Exploiting Web Hosting
      Data Centers | Web Hosting - Exploitation
        ─ Several websites are hosted on a single server sharing one IP address
           – DNS names are mapped virtually to the same IP
           ● A vulnerability in one website can seriously compromise the server
              – Insecure file uploading functionality
                 » Uploading remote management shells such as c99 etc.
                 » An automated iframe injector embeds a malicious iframe on all webpages
                 » Making configuration changes such as redirecting users to malicious domains
              – Cookie replay attacks in the hosting domain website
                 » Authentication bypass: reading customer queries on the web-based management panel
                 » Extracting credentials directly by exploiting design flaws in hosting panels
  • 15. Exploiting Web Hosting
      Data Centers Exploitation
        ─ Automated iframe injector – cPanel Exploitation
      Automated iframer in action
  • 16. Exploiting Web Hosting
      Remote shell in action
  • 17. Infection through Glype Proxies
      Glype proxies
        ● Simple PHP scripts for anonymous surfing
        ● Hosted on legitimate domains, forcing users to surf through the proxy
           – Logging is enabled to fetch information about users
              » A tactical way of exploiting the integrity of anonymous surfing
        ● Exploiting misconfigured proxies to deliver malware
           – Embedding Browser Exploit Packs (BEPs) with Glype proxies
              » A very effective and successful technique
  • 20. Browser Exploit Packs (BEPs)
      Browser Exploit Pack
        ─ BlackHole is on fire
        ● Techniques
           – User-agent based fingerprinting
           – Plugin detector capability for scrutinizing the plugins
           – Serving the exploit once per IP address
           – Java exploits are used heavily for spreading infections
           – Support for other exploits such as PDF, Flash etc.
           – BlackHole configuration: Java version fingerprinting parameters
  • 21. Browser Exploit Packs (BEPs)
      Browser Exploit Pack
        ─ Exploit encoded with PHP ionCube
  • 22. Browser Exploit Packs (BEPs)
      Browser Exploit Pack
        ─ Interesting Tactics – A brief walkthrough
        ● JAVA SMB – One of the most effective exploits used in BH
           – The exploit downloads a "new.avi" file to trigger exploitation
           – At present, the Java Array exploit is on fire.
        ● Interesting to see what this file does
           – Running the file in VLC player produces an error.
           – Can we change "new.avi" to "new.jar"? YES! We can.
              » Result is here.
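The BlackHole traits listed on slides 20–22 (a fingerprinting landing page, Java as the main vector, a payload fetched once the exploit fires) translate into a request sequence that is visible on a web proxy: a landing page, then a Java archive from the same host, then an executable, all from one client within seconds. The detection sketch below is an added example, not part of the slides; the four-column log format and the log lines are constructed for this demo, and `landing.invalid` is a placeholder host.

```python
# Added example (not from the slides): flag the landing -> Java archive ->
# executable request chain that a browser exploit pack produces, per client.
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client IP, URL, response Content-Type.
# landing.invalid is a placeholder host; the lines are made up for this demo.
SAMPLE_LOG = """\
2012-07-13T10:00:01 10.0.0.5 http://news.example.com/index.html text/html
2012-07-13T10:00:02 10.0.0.5 http://landing.invalid/applet.html text/html
2012-07-13T10:00:03 10.0.0.5 http://landing.invalid/new.jar application/java-archive
2012-07-13T10:00:05 10.0.0.5 http://landing.invalid/w.php?f=1 application/x-msdownload
2012-07-13T10:00:07 10.0.0.9 http://landing.invalid/applet.html text/html
2012-07-13T10:20:00 10.0.0.9 http://landing.invalid/new.jar application/java-archive
2012-07-13T10:01:00 10.0.0.7 http://cdn.example.com/lib.jar application/java-archive
"""

JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=60)  # the whole chain normally completes in seconds


def parse_log(text):
    """Return (time, client_ip, host, url, content_type) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, url, ctype = line.split()
        events.append((datetime.fromisoformat(ts), ip, urlparse(url).hostname, url, ctype))
    return sorted(events)


def detect_drive_by_chains(text, window=WINDOW):
    """Return (client_ip, host, [landing, jar, exe]) for each chain found."""
    per_client = defaultdict(list)
    for ev in parse_log(text):
        per_client[ev[1]].append(ev)
    chains = []
    for ip, evs in per_client.items():
        for i, (t0, _, host, url0, ctype0) in enumerate(evs):
            if ctype0 != "text/html":
                continue  # only an HTML page can be the landing page
            # same-host follow-up requests inside the time window
            later = [e for e in evs[i + 1:] if e[2] == host and e[0] - t0 <= window]
            jar = next((e for e in later if e[4] in JAR_TYPES), None)
            if jar is None:
                continue
            exe = next((e for e in later if e[4] in EXE_TYPES and e[0] >= jar[0]), None)
            if exe is not None:
                chains.append((ip, host, [url0, jar[3], exe[3]]))
    return chains


if __name__ == "__main__":
    for ip, host, urls in detect_drive_by_chains(SAMPLE_LOG):
        print(f"{ip} hit {host}: " + " -> ".join(urls))
```

One caveat follows directly from the "once per IP address" technique on slide 20: re-requesting the landing URL from the same egress address to confirm a hit usually returns a benign page, so confirm from the logged first visit (or from a different vantage point) rather than by replaying it.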
  • 26. Malware on the Cloud
      AWS Cloud Malware
        ─ Attackers are targeting AWS to host malware
      Unpacked
  • 27. Malware on the Cloud
      AWS Cloud Malware
        ─ On reversing, the package downloads the malware into the "c:\winsys" directory from another repository on AWS
           ● The downloaded files are presented below
      Malicious files extracted from the package
  • 28. Malware on the Cloud
      AWS Cloud Malware
        Sent an alert in the form of a tweet to Amazon.
        ─ Afterwards the malware was removed.
           – Some of the files were again packed with the UPX packer
           – All the files were flagged as malicious
      Executables are flagged as malicious
  • 29. Malvertisements
      Malvertisement
        ● Online malicious advertisements
        ● Content Delivery Networks (CDNs) are infected to trigger malvertising
           – Distributed attack
      Armorize's Blog - http://blog.armorize.com/2011/05/porn-sites-have-lots-of-trafficand.html
      Malvertisement Paper - http://www.slideshare.net/adityaks/malvertising-exploiting-web-advertising
  • 30. Exploiting Social Networks
      Social Networks
        ● Attackers exploit the inherent design flaws in social networks
        ● Used to spread malware at a large scale
        ─ LikeJacking (=~ ClickJacking)
           ● Used to add malicious links on a user's Facebook profile
           ● LikeJacking is used in combination with ClickJacking
           ● Efficient in spreading malware
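LikeJacking and ClickJacking both depend on loading the target page inside an attacker-controlled frame, so the server-side mitigation is to forbid third-party framing. The check below is an added example, not from the slides: given a response's headers (the header sets are constructed samples), it reports whether framing is effectively blocked, evaluating a CSP `frame-ancestors` directive before the older `X-Frame-Options` header because browsers that support the directive ignore the header when both are present.

```python
# Added example (not from the slides): decide whether a response's headers
# forbid third-party framing, the server-side defence against ClickJacking
# and LikeJacking.  The header sets below are constructed samples.
SAMPLE_RESPONSES = {
    "protected": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example.com",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "legacy_only": {"X-Frame-Options": "DENY"},
    "open": {"Content-Type": "text/html"},
    "weak_csp": {"Content-Security-Policy": "frame-ancestors *"},
}

# source expressions that let any site (or any site on a scheme) frame the page
BROAD_SOURCES = {"*", "http:", "https:"}


def parse_csp(value):
    """Split a CSP header value into {directive_name: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_protection(headers):
    """Return "csp", "xfo" or None: which mechanism effectively blocks framing.

    Browsers that understand frame-ancestors ignore X-Frame-Options when the
    directive is present, so it is evaluated first and a broad allow-list
    leaves the page frameable even if X-Frame-Options says DENY.  'none',
    'self' or a list of specific origins counts as protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    policy = parse_csp(h.get("content-security-policy", ""))
    ancestors = policy.get("frame-ancestors")
    if ancestors is not None:
        if not any(src.lower() in BROAD_SOURCES for src in ancestors):
            return "csp"
        return None  # frame-ancestors * (or a bare scheme) wins over X-Frame-Options
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return None


def audit(responses=SAMPLE_RESPONSES):
    """Map each sample name to the protection found (None means frameable)."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result or 'FRAMEABLE'}")
```

In an audit of your own properties, a result of `None` on any page that carries a "Like" button or a state-changing form is the finding to fix; serving both headers, as the `protected` sample does, covers old browsers without weakening the CSP rule.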
  • 32. Present-day Botnets
      Information Stealing and Manipulation Tactics
  • 33. Man-in-the-Browser (MitB)
      Subverting Browser Integrity
        ─ Exploits the victim system and the browser environment
           ● SSL / PKI does not stop infections by MitB
           ● Two-factor / SSO authentication modules do not stop it
           ● Concept of browser rootkits
           ● Implements hooking
           ● Exploits online banking
      http://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf
  • 34. Web Injects – Infection on the Fly
      Web Injects
        ─ Injecting malicious content into incoming requests
        ─ The primary aim is to inject credential-stealing forms, JavaScript and input tags
        ─ Concept of Third Generation Botnets (Give me your money)
  • 35. Web Injects – Log Detection
      http://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html
  • 36. Web Injects – Action
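Web injects are driven by a configuration the bot carries, and recovering that configuration from an infected host tells a defender which sites and pages are targeted and what markup gets inserted. The parser below is an added example rather than the slides' own tooling; it follows the public Zeus/SpyEye layout (`set_url` with G/P/L flags, then `data_before` / `data_inject` / `data_after` blocks each closed by `data_end`), and the sample configuration is constructed with placeholder `.invalid` domains and a harmless inject snippet.

```python
# Added example (not from the slides): parse a recovered Zeus/SpyEye-style
# webinjects configuration and list which URLs it targets.  The layout
# (set_url / data_before / data_inject / data_after / data_end) is the public
# format; the sample below is constructed with placeholder .invalid domains.
import re

SAMPLE_CONFIG = """\
set_url https://online.bank-one.invalid/login* GP
data_before
<input type="password"*>
data_end
data_inject
<input type="text" name="extra_field" />
data_end
data_after
</form>
data_end

set_url http*://*.bank-two.invalid/* L
data_before
data_end
data_inject
data_end
data_after
data_end
"""

FLAG_NAMES = {"G": "GET", "P": "POST", "L": "log only"}
SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text):
    """Return one dict per set_url block: mask, flags and the three data sections."""
    entries, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split()
            current = {"mask": parts[1], "flags": parts[2] if len(parts) > 2 else ""}
            current.update({s: "" for s in SECTIONS})
            entries.append(current)
        elif line in SECTIONS:
            section, buf = line, []
        elif line == "data_end" and current is not None and section is not None:
            current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(raw)  # keep the original text inside a section verbatim
    return entries


def mask_to_regex(mask):
    """Turn a set_url mask into a regex: only * is a wildcard, all else literal."""
    return re.compile("^" + re.escape(mask).replace(r"\*", ".*") + "$")


def targeted_entries(entries, url):
    """Entries whose mask matches the URL, i.e. pages the bot would tamper with."""
    return [e for e in entries if mask_to_regex(e["mask"]).match(url)]


def describe_flags(flags):
    """Expand the one-letter flags into readable names."""
    return [FLAG_NAMES.get(c, f"unknown({c})") for c in flags]


if __name__ == "__main__":
    for entry in parse_webinjects(SAMPLE_CONFIG):
        print(entry["mask"], describe_flags(entry["flags"]),
              "injects" if entry["data_inject"].strip() else "logs only")
```

The list of masks is what you pass to the affected site owners, and the `data_inject` markup is what a response-integrity check on the client or a proxy can look for, since it never appears in the server's own page.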
  • 37. Web Fakes
      Understanding Web Fakes
        ● Plugins used to spoof the content in browsers
        ● Supports both protocols, HTTP and HTTPS
        ● Based on the concept of internal URL redirection
        ● All browsers are affected
      How?
        ─ Plugins use the metrics defined in the configuration file
           ● URL_MASK
           ● URL_REDIRECT
           ● FLAGS
           ● POST_BLACK_MASK
           ● POST_WHITE_MASK
           ● BLOCK_URL
           ● WEBFAKE_NAME
           ● UNBLOCK_URL
  • 38. Web Fakes – Function Calls
  • 39. Web Fakes – Real Example
  • 40. Browsers - Form Grabbing
      Why?
        ─ Keylogging produces a plethora of data
        ─ Form grabbing – extracting data from the GET/POST requests
        ─ Based on the concept of hooking
        ─ Virtual Keyboards
           ● Still submit the typed data in POST requests, which form grabbing captures
           ● No real protection against malware
  • 41. Browsers - Form Grabbing
      Facts and Reality
        ─ All the third generation botnets use this technique
        ─ Very hard to overcome the consequences
        ─ All browsers can be circumvented to execute non-legitimate hooks
  • 43. Other Information Stealing Tactics
      Bot Plugin Architecture
        ─ Credit Card Grabber
        ─ Certificates Grabber
        ─ SOCKS5 Backconnect
        ─ FTP Backconnect
        ─ RDP Backconnect
        ─ DDoS Plugins
        ─ Webcam Hijacker
        ─ Infecting Messengers (Spreaders)
        ─ And so on... depending on the design!
  • 45. Thanks
      HOPE Conference Crew
        ● http://www.hope.net
      SecNiche Security Labs
        ● http://www.secniche.org
        ● http://secniche.blogspot.com
      Contact Me
        ─ Email: adi_ks [at] secniche.org