SlideShare a Scribd company logo

Fireshark - Brucon 2010

Stephan Chenette, profile picture
Stephan Chenette

This document summarizes a presentation on the web forensics and analysis tool Fireshark. It discusses how Fireshark allows automated browsing and passive logging of connection data, source content, JavaScript calls and page links to help analyze malicious websites and mass injection attacks. Specific use cases covered include analyzing website architectures, redirection chains, and profiling compromised content. The document also provides examples of analyzing real injection campaigns using Fireshark to gain insights into exploitation techniques and patterns used by attackers on the web.

1 of 104
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette Principal Security Researcher, Websense Labs
Fireshark Agenda  Overview  Who Am I  What is Fireshark  The Malicious Webscape  Fireshark Introduction  Down the Rabbit hole (use cases) – Website Architecture / Redirection Chains – Mass Injection Points (dead or alive) – Content Profiling  Fireshark Releases  Download Location  Q&A 2
Let’s start at the beginning… WHAT IS FIRESHARK 3
The Fireshark Project Author: Stephan Chenette Contributions by: Wladimir Palant (AdBlockPlus FF Plugin) Organize and analyze malicious website data Correlate data  Similar mass injection attacks (C/R/E)  attacker patterns (providers/content/kits) 4
The Fireshark Project  Current Status – 1.0 Release - April 2010 (GPL v3 license) – 1.1 Release - due in November 2010 (selective beta) 5
Overview of Fireshark Architecture  Browser Plugin allows automated control of browser  Passively logs information to log file – Connections (contextual reference) – Source and DOM content – JavaScript function calls – Page Links – Screen Shot  Your Job: Use post-processing scripts/database to output organized results 6
Understanding the interweb… THE MALICIOUS WEBSCAPE 7
URL Injection attacks are increasing 225% increase in the number of new compromised legitimate websites in the last 12 months. Source: Websense Security Labs, State of Internet Security, Q3-Q4 2009 Report Translation: There is a large chance that a website you have visited In the recent past served malicious code. 8
Victims of “Malvertisements” (2009)  The Drudge Report  Horoscope.com  Lyrics.com  slacker.com  Eweek.com  The New York Times  Philadelphia Inquirer  Expedia, Rhapsody 9
Redirection chains/ Mass Compromises Nine-ball mass-injection 10
Redirection chains/ Mass Compromises Nine-ball mass-injection  There are a varied but unique set of hosts involved in the redirection chain  Any repeat visitor is diverted to ask.com instead of a malicious landing page  The structure of the injected deobfuscation algorithm is equivalent throughout all the infected sites 11
compromised website using an iframe 12
compromised website using a redirector 13
Exploit site goes through redirector 14
15
Exploit Site Serves Rogue Anti-Virus 16
Exploit Site Serves Rogue Anti-Virus  XP Security Tool 2010  XP Defender Pro  Vista Security Tool 2010  Vista Defender Pro 17
Malicious Site Serves – Exploit Kits 18
Malicious Site Serves – Exploit Kits  CRIMEPACK  PHOENIX  ELEONORE  FRAGUS  YES EXPLOIT  SEBERIA  EL FIESTA  ICEPACK  MPACK  WEB ATTACKER 19
Malicious Site Serves – Exploit Kits CVE-2003-0111 CVE-2006-5745 CVE-2007-0655 CVE-2009-0806 CVE-2006-5820 CVE-2007-5755 CVE-2009-0927 CVE-2004-1043 CVE-2006-6884 CVE-2007-6250 CVE-2009-1136 CVE-2005-2265 CVE-2009-1869 CVE-2007-0015 CVE-2008-0015 CVE-2009-2477 CVE-2006-0003 CVE-2007-0018 CVE-2008-1309 CVE-2009-3269 CVE-2006-0005 CVE-2007-0024 CVE-2008-2463 CVE-2009-3867 CVE-2006-1359 CVE-2007-0071 CVE-2008-2992 CVE-2009-4324 CVE-2006-3643 CVE-2007-3147 CVE-2008-4844 CVE-2006-3677 CVE-2007-3148 CVE-2008-5353 CVE-2010-0188 CVE-2006-3730 CVE-2007-4034 CVE-2010-0806 CVE-2006-4868 CVE-2007-4336 CVE-2009-0075 CVE-2006-4777 CVE-2007-5327 CVE-2009-0076 CVE-2006-5559 CVE-2007-5659 CVE-2009-0355 20
Malicious Site Serves – Exploit Kits  Firefox  Internet Explorer  Opera  Java/Reader/Flash 21
Obfuscated content (Phoenix pack) 22
Crimepack 2.8 released before March 10’ Exploits include: • Adobe Acrobat Reader Exploits (including CVE-2010-0188) • JRE (GSB & SERIALIZE) • MDAC (IE) • MS09-032 (IE) • MS09-002 (IE) • CVE-2010-0806 (IE) 23
Crimepack 2.8 Anti-Analysis Features include: 1. Undetected by AV Scanners (JavaScript & PDF/JAR/JPG files) 2. Random PDF Obfuscation (Not using static PDF file like other packs) 3. Blacklist checker & AutoChecker 4. Prevent Wepawet, JSunpack and other JavaScript unpackers to decode your page 24
Crimepack 2.8 Changes  Added CVE-2010-0806  Added CVE-2010-0188  Added more ip's to block  IFrame generator  Redirector for non-vulnerable traffic  New JS cryptor  Anti-Kaspersky emulation 25
RECAP OF NEEDS: Track and Organize Organize and analyze malicious website data Correlate data  Similar mass injection attacks (C/R/E)  attacker patterns (providers/content/kits) 26
Current Resources Websites: Tools:  Wepawet  Malzilla  Anubis  Rhino Debugger  ZeusTracker  FF JavaScript  BLADE (*new*) Deobfuscator  Robtex  DS’s SpiderMonkey  Unmask Parasites  Jsunpack  Malwaredomainlist.com  Caffeine Monkey  Badwarebusters.org  NJS  VirusTotal.com  Etc.  Etc. 27
Malzilla V.S. The Phoenix Exploit Kit 28
Malzilla V.S. The Phoenix Exploit Kit 29
JSUNPACK V.S. The Phoenix Exploit Kit 30
JSUNPACK V.S. The Phoenix Exploit Kit ERROR: CAN NOT FULLY DECODE 31
Spidermonkey/ CaffeineMonkey  JavaScript Engine + Limited browser features 32
Emulation -> Implementation is behind  document.body is undefined  document.title is undefined  document.forms is undefined  document.documentElement is undefined  document.URL is undefined  document.getElementsByTagName is not a function 33
Emulation -> Implementation is behind  window.location.search  window.addEvent is not a function  window.onDomReady is not a function  window.parent is undefined  window.screen is undefined  window.top is undefined  screen is not defined  top is not defined  parent is not defined  self is not defined  location.protocol 34
When an alternative just won’t do… FIRESHARK INTRODUCTION 35
Why do we need Fireshark?  Researcher  Network Administrator  Penetration Tester  We need tools to analyze mass injection attacks – Website Architecture/Redirection Chains – Source / Changes to DOM / JavaScript function calls – Content Profiling / Screen shot  Using an organized and ultimately VISUAL approach 36
List view V.S. Graph view 37
List view V.S. Graph view 38
Architecture of a youtube.com 39
horoscope.com (Content responsibility) 40
Fireshark - Brucon 2010
42
43
44
Original Source code (Phoenix pack) 45
DOM result (Phoenix pack) 46
How to use Fireshark 1.0  Install Fireshark Firefox plugin (.xpi file)  Create data.txt file, place in your home directory  Tools->Go! (then go and get a cup of coffee)  ** Reportlog.yml **  Use post-processing scripts – FiresharkInitInfo.pl (must be run first) – GraphViz.pl – IngressEgress.pl 47
48
Post-Run Analysis / data correlation  Log is analyzed manually or automatically via post- analysis correlation process
Local FireShark Demo
Use cases… DOWN THE RABBIT HOLE 51
Down the Rabbit hole  Analysis of Three exemplary Injection campaigns  Injection campaigns occur daily  A breadth view analysis  Gain a better understanding of the malicious webscape  Use Fireshark to do it.
Down the Rabbit hole •Injection Example #1
Injection Example #1  13k matches/24hrs
Injection Example #1  Step 1) Analyze a subset (500/13k)  Breadth – Popular campaign will emerge • Injections into unique websites will lead to same hosts  Depth – Details of the attack • Screen Shots • Source code, Deobfuscted DOM, Network traffic
Bird’s Eye View of 500/13k
Popularity of Requests
Popularity of Requests
Popularity of Requests
Down the Rabbit hole •Injection Campaign #1: 93.186.127.49
“W93.186” Injection Campaign
“W93.186” Injection Campaign
“W93.186” Injection Campaign SS
Observations from 93.186.127.49 attack •Operation b49
Rascop.com…a familiar foe?
Fireshark - Brucon 2010
Infamous Rascop.com •rascop.com = NXD (feb 10’) •Waledac •Fast-flux •domain
Rascop.com and friends gone but landing pages here to stay  Waladec domains were NXD in the takedown  Landing pages were still online though
Injection Example #2 •Attack #2: ru:8080
Popularity of Requests  250/5k URLs lead to homesalesplus.ru
Breadth – Popularity of Request connection  250/5k URLs lead to homesalesplus.ru
Injected Code Variation #1
Injected Code Variation #2
Injected Code Variation #3
Depth – Diff DOM/SRC
Depth – Script link in DOM
Injected Code Variation #3
DOM View  DOM ==> Mutable Memory representation (Final View of DOM after JS/events)
Log Analysis  Further Analysis showed variations: 1. hxxp://clicksor-com.eastmoney.com.mobile- de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmat es.com/linkhelper.cn/google.com/ 2. hxxp://chip-de.ggpht.com.deezer-com.viewhomesale .ru:8080/google.com/google.com/timeanddate.com/avg. com/zshare.net/
ru:8080 URL Injection Campaign Similarities between infected sites:  Port 8080  Various changing .ru domains  Legitimate content on port 80 served by Apache  Malicious domains are mapped to 5 different IPs  Malicious IP addresses are on hosting providers Leaseweb (Netherlands) and OVH.com (France)  Landing domains were NXD Dec 09’/Jan 10’
The Never-ending story  Fresh injections
Observations from ru:8080 attack  Compromised websites can and are updated automatically  Compromised websites are injected with multiple redirectors  Sharing of stolen FTP credentials e.g. Many infected sites also led to Gumblar infected domains, indicating that attackers perhaps had shared stolen FTP credentials
Injection Example #3  Mass Injection #3  ~5700 infected pages  ~5300 unique hosts…sent 1k for analysis
Breadth – Popularity of Responses
Breadth – Popularity of Responses  sportgun.pl.ua very common type of attack  sends a response back to 50+ hosts
Fireshark - Brucon 2010
Connection Request/No Response Src: hxxp://sportgun.pl.ua/st/go.php?sid=2& Dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
Round #2 Connection Request/Response  Success!
Fetches Exploits  Fetches PDF and Java Exploits - connection: type: response src: hxxp://uplevelgmno.vn.ua/111/sv777/pdf.php dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php status: 200 - connection: type: response src: hxxp://uplevelgmno.vn.ua/111/sv777/dev.s.AdgredY.class dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php status: 200
PDF VirusTotal Results
Eleonore Exploits Pack hxxp://uplevelgmno.vn.ua/111/sv777/stat.php
Obfuscated Chunk in Source Code  howtofindmyip.com obfuscation
Deobfuscated DOM  howtofindmyip.com deobfuscated
Exploit Kit  uplevelgmno.vn.ua
Observations from Injection attack #3  The bad guys are tracking/hiding, redundancy redirectors are common  Exploits that are being used are current e.g. all platforms/browsers are targeted  Exploit kits are easily attainable, setup is quick  Many kits serve user polymorphic exploits/malware, thus traditional AV signatures are always behind
From 1.0 to 1.1… FIRESHARK RELEASES 96
Fireshark 1.0  Released Blackhat Europe April 2010 – Firefox Browser-Plugin – PERL Post processing scripts – CYMRU ASN – GraphViz 97
Fireshark 1.0  YAML Log format  Scripts:  GraphViz.pl  IngressEgress.pl 98
Fireshark 1.1 (Release in November 10’)  XUL GUI Front-end – Shows network traffic – Redirection chains – DOM/SOURCE/DIFF – Top Destination and Source URLs – Suspected Redirectors/Exploit Sites  Configurable options  Output in JSON (1.0 was in YAML) 99
Get it!… FIRESHARK WHERE TO DOWNLOAD 100
Download Fireshark 1.0 http://fireshark.org/  Free (GPL v3)  Open Source  PERL/Python scripts included for post- processing 101
The end… CONCLUSION + Q&A 102
Conclusions/Take-away  Compromised websites: – Increase of 225% over the last 12 months – Frequently updated to contain fresh links – Current tools are insufficient if desire is to monitor and analyze mass URL injections  Use Fireshark for: – Mass Injection Analysis – Redirection Chaining – Content Profiling 103
Q&A Questions?  Contact: Stephan Chenette Twitter: StephanChenette Email: stephan@packetsector.net  Fireshark Feedback: Join the Fireshark mailing list!! or.. send an email to feedback@fireshark.org 104

More Related Content

PPT
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Stephan Chenette
 
PPTX
The Ultimate Deobfuscator - ToorCON San Diego 2008
Stephan Chenette
 
PDF
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
Felipe Prado
 
PDF
How to convince a malware to avoid us
Csaba Fitzl
 
PDF
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
PPTX
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 
PDF
Windows attacks - AT is the new black
Chris Gates
 
PDF
(130119) #fitalk apt, cyber espionage threat
INSIGHT FORENSIC
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
Stephan Chenette
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
Felipe Prado
 
How to convince a malware to avoid us
Csaba Fitzl
 
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 
Windows attacks - AT is the new black
Chris Gates
 
(130119) #fitalk apt, cyber espionage threat
INSIGHT FORENSIC
 

What's hot (20)

PDF
Windows Attacks AT is the new black
Rob Fuller
 
PDF
"A rootkits writer’s guide to defense" - Michal Purzynski
PROIDEA
 
PDF
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
PDF
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
RootedCON
 
PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
PDF
Hacking intranet websites
shehab najjar
 
PDF
Appsec DC - wXf -2010
Chris Gates
 
PDF
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
PPTX
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
PDF
Attacking Oracle with the Metasploit Framework
Chris Gates
 
PDF
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Rob Fuller
 
PDF
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
PDF
"Powershell kung-fu" - Paweł Maziarz
PROIDEA
 
PPTX
Flash it baby!
Soroush Dalili
 
PDF
Exploiting XPC in AntiVirus
Csaba Fitzl
 
PDF
Jwt == insecurity?
snyff
 
PDF
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
 
PDF
The day I ruled the world (RootedCON 2020)
Javier Junquera
 
PPTX
Wielding a cortana
Will Schroeder
 
PDF
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
Windows Attacks AT is the new black
Rob Fuller
 
"A rootkits writer’s guide to defense" - Michal Purzynski
PROIDEA
 
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
RootedCON
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
Hacking intranet websites
shehab najjar
 
Appsec DC - wXf -2010
Chris Gates
 
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
Attacking Oracle with the Metasploit Framework
Chris Gates
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Rob Fuller
 
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
"Powershell kung-fu" - Paweł Maziarz
PROIDEA
 
Flash it baby!
Soroush Dalili
 
Exploiting XPC in AntiVirus
Csaba Fitzl
 
Jwt == insecurity?
snyff
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
 
The day I ruled the world (RootedCON 2020)
Javier Junquera
 
Wielding a cortana
Will Schroeder
 
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
Ad

Similar to Fireshark - Brucon 2010 (20)

PDF
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Wayne Huang
 
PDF
Advanced Malware Analysis
Prathan Phongthiproek
 
PDF
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Aditya K Sood
 
PPT
Web application security
randhawa121985
 
PDF
OWASP AppSec USA 2011 - Dismantling Web Malware
Aditya K Sood
 
PPTX
Using Splunk for Information Security
Splunk
 
PPTX
Using Splunk for Information Security
Shannon Cuthbertson
 
PDF
Vulners: Google for hackers
Kirill Ermakov
 
PDF
Dan Guido SOURCE Boston 2011
Source Conference
 
PDF
DEF CON 20 - Botnets Die Hard - Owned and Operated
Aditya K Sood
 
PPTX
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
PPTX
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 
PPTX
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
tarkovtarkovski
 
PPTX
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Positive Hack Days
 
PDF
Rahul-Analysis_of_Adversarial_Code
guest66dc5f
 
PPT
Analysis Of Adverarial Code - The Role of Malware Kits
Rahul Mohandas
 
PDF
TRISC 2010 - Grapevine , Texas
Aditya K Sood
 
PDF
Scaling Web 2.0 Malware Infection
Wayne Huang
 
PDF
IT Vulnerability & Tools Watch 2011
WASecurity
 
PPTX
2013 Security Threat Report Presentation
Sophos
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Wayne Huang
 
Advanced Malware Analysis
Prathan Phongthiproek
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Aditya K Sood
 
Web application security
randhawa121985
 
OWASP AppSec USA 2011 - Dismantling Web Malware
Aditya K Sood
 
Using Splunk for Information Security
Splunk
 
Using Splunk for Information Security
Shannon Cuthbertson
 
Vulners: Google for hackers
Kirill Ermakov
 
Dan Guido SOURCE Boston 2011
Source Conference
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
Aditya K Sood
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 
Functional and Behavioral Analysis of Different Type of Ransomware.pptx
tarkovtarkovski
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Positive Hack Days
 
Rahul-Analysis_of_Adversarial_Code
guest66dc5f
 
Analysis Of Adverarial Code - The Role of Malware Kits
Rahul Mohandas
 
TRISC 2010 - Grapevine , Texas
Aditya K Sood
 
Scaling Web 2.0 Malware Infection
Wayne Huang
 
IT Vulnerability & Tools Watch 2011
WASecurity
 
2013 Security Threat Report Presentation
Sophos
 
Ad

More from Stephan Chenette (9)

PDF
Landing on Jupyter
Stephan Chenette
 
PDF
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
PDF
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
PPT
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
PPT
The Future of Automated Malware Generation
Stephan Chenette
 
PDF
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Stephan Chenette
 
PDF
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 
PDF
Web Wreck-utation - CanSecWest 2008
Stephan Chenette
 
PDF
Watchtowers of the Internet - Source Boston 2012
Stephan Chenette
 
Landing on Jupyter
Stephan Chenette
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
The Future of Automated Malware Generation
Stephan Chenette
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Stephan Chenette
 
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 
Web Wreck-utation - CanSecWest 2008
Stephan Chenette
 
Watchtowers of the Internet - Source Boston 2012
Stephan Chenette
 

Fireshark - Brucon 2010

  • 1. Fireshark [ BruCON 2010 ] Web Forensics and Analysis Tool Stephan Chenette Principal Security Researcher, Websense Labs
  • 2. Fireshark Agenda  Overview  Who Am I  What is Fireshark  The Malicious Webscape  Fireshark Introduction  Down the Rabbit hole (use cases) – Website Architecture / Redirection Chains – Mass Injection Points (dead or alive) – Content Profiling  Fireshark Releases  Download Location  Q&A 2
  • 3. Let’s start at the beginning… WHAT IS FIRESHARK 3
  • 4. The Fireshark Project Author: Stephan Chenette Contributions by: Wladimir Palant (AdBlockPlus FF Plugin) Organize and analyze malicious website data Correlate data  Similar mass injection attacks (C/R/E)  attacker patterns (providers/content/kits) 4
  • 5. The Fireshark Project  Current Status – 1.0 Release - April 2010 (GPL v3 license) – 1.1 Release - due in November 2010 (selective beta) 5
  • 6. Overview of Fireshark Architecture  Browser Plugin allows automated control of browser  Passively logs information to log file – Connections (contextual reference) – Source and DOM content – JavaScript function calls – Page Links – Screen Shot  Your Job: Use post-processing scripts/database to output organized results 6
  • 7. Understanding the interweb… THE MALICIOUS WEBSCAPE 7
  • 8. URL Injection attacks are increasing 225% increase in the number of new compromised legitimate websites in the last 12 months. Source: Websense Security Labs, State of Internet Security, Q3-Q4 2009 Report Translation: There is a large chance that a website you have visited In the recent past served malicious code. 8
  • 9. Victims of “Malvertisements” (2009)  The Drudge Report  Horoscope.com  Lyrics.com  slacker.com  Eweek.com  The New York Times  Philadelphia Inquirer  Expedia, Rhapsody 9
  • 10. Redirection chains/ Mass Compromises Nine-ball mass-injection 10
  • 11. Redirection chains/ Mass Compromises Nine-ball mass-injection  There are a varied but unique set of hosts involved in the redirection chain  Any repeat visitor is diverted to ask.com instead of a malicious landing page  The structure of the injected deobfuscation algorithm is equivalent throughout all the infected sites 11
  • 13. compromised website using a redirector 13
  • 14. Exploit site goes through redirector 14
  • 15. 15
  • 16. Exploit Site Serves Rogue Anti-Virus 16
  • 17. Exploit Site Serves Rogue Anti-Virus  XP Security Tool 2010  XP Defender Pro  Vista Security Tool 2010  Vista Defender Pro 17
  • 18. Malicious Site Serves – Exploit Kits 18
  • 19. Malicious Site Serves – Exploit Kits  CRIMEPACK  PHOENIX  ELEONORE  FRAGUS  YES EXPLOIT  SEBERIA  EL FIESTA  ICEPACK  MPACK  WEB ATTACKER 19
  • 20. Malicious Site Serves – Exploit Kits CVE-2003-0111 CVE-2006-5745 CVE-2007-0655 CVE-2009-0806 CVE-2006-5820 CVE-2007-5755 CVE-2009-0927 CVE-2004-1043 CVE-2006-6884 CVE-2007-6250 CVE-2009-1136 CVE-2005-2265 CVE-2009-1869 CVE-2007-0015 CVE-2008-0015 CVE-2009-2477 CVE-2006-0003 CVE-2007-0018 CVE-2008-1309 CVE-2009-3269 CVE-2006-0005 CVE-2007-0024 CVE-2008-2463 CVE-2009-3867 CVE-2006-1359 CVE-2007-0071 CVE-2008-2992 CVE-2009-4324 CVE-2006-3643 CVE-2007-3147 CVE-2008-4844 CVE-2006-3677 CVE-2007-3148 CVE-2008-5353 CVE-2010-0188 CVE-2006-3730 CVE-2007-4034 CVE-2010-0806 CVE-2006-4868 CVE-2007-4336 CVE-2009-0075 CVE-2006-4777 CVE-2007-5327 CVE-2009-0076 CVE-2006-5559 CVE-2007-5659 CVE-2009-0355 20
  • 21. Malicious Site Serves – Exploit Kits  Firefox  Internet Explorer  Opera  Java/Reader/Flash 21
  • 23. Crimepack 2.8 released before March 10’ Exploits include: • Adobe Acrobat Reader Exploits (including CVE-2010-0188) • JRE (GSB & SERIALIZE) • MDAC (IE) • MS09-032 (IE) • MS09-002 (IE) • CVE-2010-0806 (IE) 23
  • 24. Crimepack 2.8 Anti-Analysis Features include: 1. Undetected by AV Scanners (JavaScript & PDF/JAR/JPG files) 2. Random PDF Obfuscation (Not using static PDF file like other packs) 3. Blacklist checker & AutoChecker 4. Prevent Wepawet, JSunpack and other JavaScript unpackers to decode your page 24
  • 25. Crimepack 2.8 Changes  Added CVE-2010-0806  Added CVE-2010-0188  Added more ip's to block  IFrame generator  Redirector for non-vulnerable traffic  New JS cryptor  Anti-Kaspersky emulation 25
  • 26. RECAP OF NEEDS: Track and Organize Organize and analyze malicious website data Correlate data  Similar mass injection attacks (C/R/E)  attacker patterns (providers/content/kits) 26
  • 27. Current Resources Websites: Tools:  Wepawet  Malzilla  Anubis  Rhino Debugger  ZeusTracker  FF JavaScript  BLADE (*new*) Deobfuscator  Robtex  DS’s SpiderMonkey  Unmask Parasites  Jsunpack  Malwaredomainlist.com  Caffeine Monkey  Badwarebusters.org  NJS  VirusTotal.com  Etc.  Etc. 27
  • 28. Malzilla V.S. The Phoenix Exploit Kit 28
  • 29. Malzilla V.S. The Phoenix Exploit Kit 29
  • 30. JSUNPACK V.S. The Phoenix Exploit Kit 30
  • 31. JSUNPACK V.S. The Phoenix Exploit Kit ERROR: CAN NOT FULLY DECODE 31
  • 32. Spidermonkey/ CaffeineMonkey  JavaScript Engine + Limited browser features 32
  • 33. Emulation -> Implementation is behind  document.body is undefined  document.title is undefined  document.forms is undefined  document.documentElement is undefined  document.URL is undefined  document.getElementsByTagName is not a function 33
  • 34. Emulation -> Implementation is behind  window.location.search  window.addEvent is not a function  window.onDomReady is not a function  window.parent is undefined  window.screen is undefined  window.top is undefined  screen is not defined  top is not defined  parent is not defined  self is not defined  location.protocol 34
  • 35. When an alternative just won’t do… FIRESHARK INTRODUCTION 35
  • 36. Why do we need Fireshark?  Researcher  Network Administrator  Penetration Tester  We need tools to analyze mass injection attacks – Website Architecture/Redirection Chains – Source / Changes to DOM / JavaScript function calls – Content Profiling / Screen shot  Using an organized and ultimately VISUAL approach 36
  • 37. List view V.S. Graph view 37
  • 38. List view V.S. Graph view 38
  • 39. Architecture of a youtube.com 39
  • 42. 42
  • 43. 43
  • 44. 44
  • 45. Original Source code (Phoenix pack) 45
  • 47. How to use Fireshark 1.0  Install Fireshark Firefox plugin (.xpi file)  Create data.txt file, place in your home directory  Tools->Go! (then go and get a cup of coffee)  ** Reportlog.yml **  Use post-processing scripts – FiresharkInitInfo.pl (must be run first) – GraphViz.pl – IngressEgress.pl 47
  • 48. 48
  • 49. Post-Run Analysis / data correlation  Log is analyzed manually or automatically via post- analysis correlation process
  • 51. Use cases… DOWN THE RABBIT HOLE 51
  • 52. Down the Rabbit hole  Analysis of Three exemplary Injection campaigns  Injection campaigns occur daily  A breadth view analysis  Gain a better understanding of the malicious webscape  Use Fireshark to do it.
  • 53. Down the Rabbit hole •Injection Example #1
  • 54. Injection Example #1  13k matches/24hrs
  • 55. Injection Example #1  Step 1) Analyze a subset (500/13k)  Breadth – Popular campaign will emerge • Injections into unique websites will lead to same hosts  Depth – Details of the attack • Screen Shots • Source code, Deobfuscted DOM, Network traffic
  • 56. Bird’s Eye View of 500/13k
  • 60. Down the Rabbit hole •Injection Campaign #1: 93.186.127.49
  • 67. Infamous Rascop.com •rascop.com = NXD (feb 10’) •Waledac •Fast-flux •domain
  • 68. Rascop.com and friends gone but landing pages here to stay  Waladec domains were NXD in the takedown  Landing pages were still online though
  • 69. Injection Example #2 •Attack #2: ru:8080
  • 70. Popularity of Requests  250/5k URLs lead to homesalesplus.ru
  • 71. Breadth – Popularity of Request connection  250/5k URLs lead to homesalesplus.ru
  • 75. Depth – Diff DOM/SRC
  • 76. Depth – Script link in DOM
  • 78. DOM View  DOM ==> Mutable Memory representation (Final View of DOM after JS/events)
  • 79. Log Analysis  Further Analysis showed variations: 1. hxxp://clicksor-com.eastmoney.com.mobile- de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmat es.com/linkhelper.cn/google.com/ 2. hxxp://chip-de.ggpht.com.deezer-com.viewhomesale .ru:8080/google.com/google.com/timeanddate.com/avg. com/zshare.net/
  • 80. ru:8080 URL Injection Campaign Similarities between infected sites:  Port 8080  Various changing .ru domains  Legitimate content on port 80 served by Apache  Malicious domains are mapped to 5 different IPs  Malicious IP addresses are on hosting providers Leaseweb (Netherlands) and OVH.com (France)  Landing domains were NXD Dec 09’/Jan 10’
  • 81. The Never-ending story  Fresh injections
  • 82. Observations from ru:8080 attack  Compromised websites can and are updated automatically  Compromised websites are injected with multiple redirectors  Sharing of stolen FTP credentials e.g. Many infected sites also led to Gumblar infected domains, indicating that attackers perhaps had shared stolen FTP credentials
  • 83. Injection Example #3  Mass Injection #3  ~5700 infected pages  ~5300 unique hosts…sent 1k for analysis
  • 84. Breadth – Popularity of Responses
  • 85. Breadth – Popularity of Responses  sportgun.pl.ua very common type of attack  sends a response back to 50+ hosts
  • 87. Connection Request/No Response Src: hxxp://sportgun.pl.ua/st/go.php?sid=2& Dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php
  • 88. Round #2 Connection Request/Response  Success!
  • 89. Fetches Exploits  Fetches PDF and Java Exploits - connection: type: response src: hxxp://uplevelgmno.vn.ua/111/sv777/pdf.php dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php status: 200 - connection: type: response src: hxxp://uplevelgmno.vn.ua/111/sv777/dev.s.AdgredY.class dst: hxxp://uplevelgmno.vn.ua/111/sv777/index.php status: 200
  • 92. Obfuscated Chunk in Source Code  howtofindmyip.com obfuscation
  • 95. Observations from Injection attack #3  The bad guys are tracking/hiding, redundancy redirectors are common  Exploits that are being used are current e.g. all platforms/browsers are targeted  Exploit kits are easily attainable, setup is quick  Many kits serve user polymorphic exploits/malware, thus traditional AV signatures are always behind
  • 96. From 1.0 to 1.1… FIRESHARK RELEASES 96
  • 97. Fireshark 1.0  Released Blackhat Europe April 2010 – Firefox Browser-Plugin – PERL Post processing scripts – CYMRU ASN – GraphViz 97
  • 98. Fireshark 1.0  YAML Log format  Scripts:  GraphViz.pl  IngressEgress.pl 98
  • 99. Fireshark 1.1 (Release in November 10’)  XUL GUI Front-end – Shows network traffic – Redirection chains – DOM/SOURCE/DIFF – Top Destination and Source URLs – Suspected Redirectors/Exploit Sites  Configurable options  Output in JSON (1.0 was in YAML) 99
  • 101. Download Fireshark 1.0 http://fireshark.org/  Free (GPL v3)  Open Source  PERL/Python scripts included for post- processing 101
  • 103. Conclusions/Take-away  Compromised websites: – Increase of 225% over the last 12 months – Frequently updated to contain fresh links – Current tools are insufficient if desire is to monitor and analyze mass URL injections  Use Fireshark for: – Mass Injection Analysis – Redirection Chaining – Content Profiling 103
  • 104. Q&A Questions?  Contact: Stephan Chenette Twitter: StephanChenette Email: [email protected]  Fireshark Feedback: Join the Fireshark mailing list!! or.. send an email to [email protected] 104