Chasing web-based malware

Marco Cova
marco@lastline.com
Who am I?

•  Lecturer in Computer Security at the University of Birmingham, UK
•  Member of the founding team of Lastline, Inc.
•  Research interests:
   –  Malware analysis
   –  Vulnerability analysis
WEB MALWARE

Web-based malware

[Diagram: the victim's browser sends GET / to a compromised site; the page it gets back carries an injected <iframe> that pulls in evil.js, and that malicious code either launches an exploit against the browser or falls back on social engineering]

Not really LinkedIn
[Screenshot slide: a page impersonating LinkedIn, used as a social-engineering lure]

Social Malware
[Screenshot slide]

Blackhat SEO
[Screenshot slide]
Watering Hole Attacks

•  Sometimes it is difficult to exploit the target of an attack directly
   –  Instead, compromise a site that is likely to be visited by the target
•  Council on Foreign Relations → governmental officials
•  Unaligned Chinese news site → Chinese dissidents
•  iPhone dev web site → developers at Apple, Facebook, Twitter, etc.
•  National Journal web site → political insiders in Washington
  
CHASING WEB MALWARE

Oracles, Filters, Seeders, Anti-Evasions
Oracle

•  Essentially, a classification algorithm for web content
   –  Input: web page
   –  Output: classification (malicious or benign)
•  In practice, it is useful to extract and provide users with evidence to support the classification
   –  Exploit detection
   –  Deobfuscation results
   –  Anything that helps forensics, really
Oracle approaches

•  Nowadays, most oracles are dynamic analysis systems
   –  We care about the behavior of a sample/web page/document
•  Run the sample, or visit the web page, inside an instrumented environment and monitor its behavior
•  Sidesteps the obfuscation and feasibility problems of static analysis: the code unpacks and runs itself
•  Opens up a lot of interesting challenges related to transparency and evasion
Wepawet

•  Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code, Marco Cova, Christopher Kruegel, Giovanni Vigna, in Proceedings of the World Wide Web Conference (WWW), Raleigh, NC, April 2010
•  http://wepawet.cs.ucsb.edu
•  By the numbers:
   –  Number of unique IPs that submitted to Wepawet: 141,463
   –  Number of pages visited and analyzed by Wepawet: 67,424,459
   –  Number of pages identified as malicious: 2,239,335
Wepawet Features

•  Exploit preparation
   –  Number of bytes allocated (heap spraying)
   –  Number of likely shellcode strings
•  Exploit attempt
   –  Number of instantiated plugins and ActiveX controls
   –  Values of attributes and parameters in method calls
   –  Sequences of method calls
•  Redirections and cloaking
   –  Number and target of redirections
   –  Browser personality- and history-based differences
•  Obfuscation
   –  String definitions/uses
   –  Number of dynamic code executions
   –  Length of dynamically-executed code
  
Filter

•  If everything goes well, after a while we will have more samples/pages than we can analyze in depth with our oracle
•  Analysis time ranges from a few seconds to a couple of minutes
   –  The oracle actually runs the sample
   –  Sometimes multiple times (anti-evasion techniques)
•  Challenge: how do we scale?
Static filtering

•  Quick identification of drive-by-download web pages
   –  Each web page is deemed likely benign or likely malicious
•  Basis for the classification is a set of static features
•  Necessarily less precise than the oracle
   –  We only worry about not having false negatives
   –  Very tolerant of false positives (consequence: more work for our oracle)
Prophiler

•  Filter for malicious web pages
•  Prophiler: a Fast Filter for the Large-Scale Detection of Malicious Web Pages, Davide Canali, Marco Cova, Christopher Kruegel, Giovanni Vigna, in Proceedings of the International World Wide Web Conference (WWW), 2011
Static features

•  We define three classes of features (77 in total)
   –  HTML (19)
      •  source: web page content
   –  JavaScript (25)
      •  source: web page content
   –  URL and host-based (33)
      •  source: page URL and URLs included in the content
•  One machine learning model for each feature class
Example features

HTML features

•  iframe tags, hidden elements, elements with a small area, script elements, embed and object tags, scripts with a wrong filename extension, out-of-place elements, included URLs, scripting content percentage, whitespace percentage, meta refresh tags, double HTML documents, …
Matches

Hidden iframe (hits the iframe, hidden-element and included-URL features):

   <div style="display:none">
   <iframe src="http://biozavr.ru:8080/index.php" width=104 height=251 >
   </iframe></div>

Scripts with a wrong filename extension (JavaScript served as .jpg files):

   <body><div id="DivID">
       <script src='a2.jpg'></script>
       <script src='b.jpg'></script>
       <script src='url.jpg'></script>
       <script src='c.jpg'></script>
       <script src='d.jpg'></script>
       <script src='e.jpg'></script>
       <script src='f.jpg'></script>
   </body>
  
Evaluation

•  Large-scale evaluation of Prophiler
•  60 days of crawling + analysis
•  18,939,908 unlabeled pages
•  14.3% of pages flagged as suspicious and submitted to Wepawet (13.7% FP)
•  85.7% load reduction on Wepawet = saving more than 400 days of analysis!
Smart crawler

•  How do we seed our oracle + filter?
•  Obvious idea: crawling
   –  Problem: toxicity of regular crawling is pretty low
   –  Observation: crawling is only as good as the initial seeds
•  Challenge: can we find better seeds?
EvilSeed

•  Guided search approach to increase the toxicity of pages that are crawled
•  Inputs: malicious web pages found in the past
•  Output: set of (more likely malicious) web pages
•  EVILSEED: A Guided Approach to Finding Malicious Web Pages, Luca Invernizzi, Stefano Benvenuti, Paolo Milani, Marco Cova, Christopher Kruegel, Giovanni Vigna, in Proceedings of the IEEE Symposium on Security and Privacy, 2012
Gadgets

•  Links gadget (malware hub)
•  Content dorks gadget
•  SEO gadget
•  Domain registration gadget
•  DNS queries gadget
  
Anti evasion

•  At this point of the story, the bad guys will actively try to evade your system
•  Lots of effort in designing evasion techniques
   –  Analysis environment detection
   –  User detection
   –  Stalling
•  Challenge: how do we detect if we are being evaded?
Revolver

•  Assumption: attackers are likely to take existing malicious samples/web pages and enhance them to add evasive code
•  Idea: detect similar samples that are classified differently by the oracle
•  Revolver: An Automated Approach to the Detection of Evasive Web-based Malware, A. Kapravelos, Y. Shoshitaishvili, M. Cova, C. Kruegel, G. Vigna, in Proceedings of the USENIX Security Symposium, Washington, D.C., August 2013
Revolver

[Architecture diagram: pages from the Web are classified by the oracle and parsed into ASTs with identifiers and constants abstracted away (e.g. IF VAR <= NUM …); ASTs that are similar but carry different labels form candidate pairs {b_i, m_j} of a benign-classified and a malicious-classified page; the similarity computation then sorts each pair into one of four categories: malicious evolution, data-dependency, JavaScript infection, or evasion]
  
[Architecture diagram of the whole pipeline: candidate URLs come from a Public Portal (user submissions), a Crawler, and EvilSeed, whose Terms Extractor and Feature Extractor mine known Malicious Pages to generate new seeds (examples shown: http://www.easymoney.com, http://cheapfarma.ru, http://rateyourcar.com, http://nudecelebrities.it). Prophiler splits the candidates into Benign Pages and Possibly Malicious Pages; the latter go to the Wepawet Cloud, a pool of Honeyclients that visit the pages and follow them to the Exploit Site and C&C Site, with Anubis (the dynamic analysis sandbox for Windows executables) alongside. The verdicts separate Malicious Pages from Benign Pages, Revolver compares the two sets to catch evasions, and confirmed malicious pages feed Threat Intel and Block lists]
Challenges

•  Evasions
   –  Detection
   –  Bypass (when possible)
•  Targeted attacks
•  Defense/offense imbalance

2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptx
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 

Chasing web-based malware

  • 1. Chasing web-based malware
  Marco Cova, marco@lastline.com
  • 2. Who am I?
  •  Lecturer in Computer Security at the University of Birmingham, UK
  •  Member of the founding team of Lastline, Inc.
  •  Research interests:
     –  Malware analysis
     –  Vulnerability analysis
  • 4. Web-based malware (diagram: a GET / to a compromised page returns an injected <iframe>, which loads evil.js)
  • 8. Not really LinkedIn (social malware; screenshot)
  • 10. Watering hole attacks
  •  Sometimes it is difficult to exploit the target of an attack directly
     –  Instead, compromise a site that the target is likely to visit
  •  Council on Foreign Relations → government officials
  •  Unaligned Chinese news site → Chinese dissidents
  •  iPhone dev web site → developers at Apple, Facebook, Twitter, etc.
  •  National Journal web site → political insiders in Washington
  • 11. CHASING WEB MALWARE: Oracles, Filters, Seeders, Anti-Evasions
  • 12. Oracle
  •  Essentially, a classification algorithm for web content
     –  Input: web page
     –  Output: classification (malicious or benign)
  •  In practice, it is useful to extract and provide users with evidence that supports the classification
     –  Exploit detection
     –  Deobfuscation results
     –  Anything that helps forensics, really
  • 13. Oracle approaches
  •  Nowadays, most oracles are dynamic analysis systems
     –  We care about the behavior of a sample/web page/document
  •  Run the sample (or visit the web page) inside an instrumented environment and monitor its behavior
  •  Sidesteps the obfuscation and feasibility problems of static analysis
  •  Opens up a lot of interesting challenges related to transparency and evasion
  • 14. Wepawet
  •  Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. Marco Cova, Christopher Kruegel, Giovanni Vigna. Proceedings of the World Wide Web Conference (WWW), Raleigh, NC, April 2010
  •  http://wepawet.cs.ucsb.edu
  •  By the numbers:
     –  Number of unique IPs that submitted to Wepawet: 141,463
     –  Number of pages visited and analyzed by Wepawet: 67,424,459
     –  Number of pages identified as malicious: 2,239,335
  • 15. Wepawet features
  •  Exploit preparation
     –  Number of bytes allocated (heap spraying)
     –  Number of likely shellcode strings
  •  Exploit attempt
     –  Number of instantiated plugins and ActiveX controls
     –  Values of attributes and parameters in method calls
     –  Sequences of method calls
  •  Redirections and cloaking
     –  Number and target of redirections
     –  Browser personality- and history-based differences
  •  Obfuscation
     –  String definitions/uses
     –  Number of dynamic code executions
     –  Length of dynamically-executed code
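The "exploit preparation" feature group on slide 15 is computed over what the instrumented engine observes at run time, not over the page source. The following added example (not Wepawet's code, and not from the talk) shows that post-processing step: it takes a trace of string values, decodes unescape()-style literals into the bytes they would occupy in memory, and counts likely shellcode strings and the bytes consumed by heap-spray blocks. The trace format, the heuristics and every threshold are assumptions made for illustration; the trace itself is constructed.

```python
import re

# Assumption: the instrumented engine logs every string value the script creates;
# the trace here is simply a list of those strings (constructed below).

UNESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Thresholds are assumptions for illustration, not Wepawet's values.
MIN_SHELLCODE_BYTES = 32      # decoded payloads shorter than this are ignored
MIN_NOP_SLED = 16             # run of 0x90 bytes that counts as a NOP sled
MIN_SPRAY_BLOCK = 64 * 1024   # strings at least this long count as spray blocks
SPRAY_BYTES_ALERT = 1 << 20   # one MiB of large strings is suspicious


def decode_unescape(s: str) -> bytes:
    """Decode a JavaScript unescape()-style literal into the bytes it occupies in
    memory: %uXXXX becomes a little-endian UTF-16 code unit, %XX a single byte."""
    out = bytearray()
    pos = 0
    for m in UNESCAPE_RE.finditer(s):
        out.extend(s[pos:m.start()].encode("latin-1", "replace"))
        if m.group(1) is not None:
            out.extend(int(m.group(1), 16).to_bytes(2, "little"))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out.extend(s[pos:].encode("latin-1", "replace"))
    return bytes(out)


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of a given byte value."""
    best = run = 0
    for b in data:
        run = run + 1 if b == value else 0
        best = max(best, run)
    return best


def looks_like_shellcode(s: str) -> bool:
    """Heuristic: enough escaped bytes, and either a NOP sled or mostly non-printable bytes."""
    if "%" not in s:
        return False
    data = decode_unescape(s)
    if len(data) < MIN_SHELLCODE_BYTES:
        return False
    nonprint = sum(1 for b in data if b < 0x20 or b > 0x7E)
    return longest_run(data, 0x90) >= MIN_NOP_SLED or nonprint / len(data) > 0.5


def exploit_preparation_features(trace) -> dict:
    """The two 'exploit preparation' features, computed from observed string values."""
    spray_blocks = [s for s in trace if len(s) >= MIN_SPRAY_BLOCK]
    return {
        "shellcode_strings": sum(1 for s in trace if looks_like_shellcode(s)),
        "spray_blocks": len(spray_blocks),
        "spray_bytes": sum(2 * len(s) for s in spray_blocks),  # UTF-16 code units
    }


def exploit_preparation_seen(features: dict) -> bool:
    return (features["shellcode_strings"] >= 1
            and features["spray_bytes"] >= SPRAY_BYTES_ALERT)


# Constructed trace: a NOP sled followed by a few opaque bytes, two harmless strings,
# and fifty 128 KiB blocks of the kind a heap spray loop produces.
SHELLCODE = "%u9090" * 16 + "%uE8FC%u0000%u8B00%uF0E5"
CONSTRUCTED_TRACE = [SHELLCODE, "%20hello%20world", "Loading..."] \
    + ["\u0c0c" * (128 * 1024)] * 50

if __name__ == "__main__":
    feats = exploit_preparation_features(CONSTRUCTED_TRACE)
    print(feats, "-> exploit preparation" if exploit_preparation_seen(feats) else "-> nothing")
```

The decoder matters more than the thresholds: `%u4142` must become the bytes `42 41`, because that is how the code unit sits in memory and how a disassembler or emulator downstream will see it.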
  • 16. Filter
  •  If everything goes well, after a while we will have more samples/pages than we can analyze in depth with the oracle
  •  Analysis time ranges from a few seconds to a couple of minutes
     –  The oracle actually runs the sample
     –  Sometimes multiple times (anti-evasion techniques)
  •  Challenge: how do we scale?
  • 17. Static filtering
  •  Quick identification of drive-by-download web pages
     –  Each web page is deemed likely benign or likely malicious
  •  The basis for the classification is a set of static features
  •  Necessarily less precise than the oracle
     –  We only worry about not having false negatives
     –  Very tolerant of false positives (consequence: more work for the oracle)
  • 18. Prophiler
  •  Filter for malicious web pages
  •  Prophiler: a Fast Filter for the Large-Scale Detection of Malicious Web Pages. Davide Canali, Marco Cova, Christopher Kruegel, Giovanni Vigna. Proceedings of the International World Wide Web Conference (WWW), 2011
  • 19. Static features
  •  We define three classes of features (77 in total)
     –  HTML (19); source: web page content
     –  JavaScript (25); source: web page content
     –  URL and host-based (33); source: page URL and URLs included in the content
  •  One machine learning model for each feature class
  • 20. Example features
  •  HTML features: iframe tags, hidden elements, elements with a small area, script elements, embed and object tags, scripts with a wrong filename extension, out-of-place elements, included URLs, scripting content percentage, whitespace percentage, meta refresh tags, double HTML documents, …
  • 21. Matches
  •  Hidden element containing an iframe:
     <div style="display:none"> <iframe src="http://biozavr.ru:8080/index.php" width=104 height=251 > </iframe></div>
  •  Scripts with a wrong filename extension:
     <body><div id="DivID"> <script src='a2.jpg'></script> <script src='b.jpg'></script> <script src='url.jpg'></script> <script src='c.jpg'></script> <script src='d.jpg'></script> <script src='e.jpg'></script> <script src='f.jpg'></script>" </body>
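To make slides 19 to 21 concrete, here is an added example (written for this page, not Prophiler's code) that extracts a handful of the HTML features named on slide 20 with Python's standard html.parser and runs the two "Matches" fragments from slide 21 through it. Prophiler feeds such features to a trained model; the weighted rule at the end is a stand-in for that model, deliberately biased towards false positives as slide 17 describes. The small-area threshold, the rule weights and the benign page are assumptions.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

SMALL_AREA = 30            # assumption: width*height below this is a "small area" element
SCRIPT_EXTS = {".js", ""}  # a script src with any other extension is "wrong"


class FeatureExtractor(HTMLParser):
    """Counts a subset of Prophiler's HTML features while parsing."""

    def __init__(self):
        super().__init__()
        self.f = {k: 0 for k in ("iframe", "script", "script_bad_ext", "hidden",
                                 "small_area", "embed_object", "meta_refresh",
                                 "html_docs", "urls")}

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        f = self.f
        if tag == "iframe":
            f["iframe"] += 1
        elif tag == "script":
            f["script"] += 1
            if "src" in a:
                ext = os.path.splitext(urlparse(a["src"]).path)[1].lower()
                if ext not in SCRIPT_EXTS:
                    f["script_bad_ext"] += 1
        elif tag in ("embed", "object"):
            f["embed_object"] += 1
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            f["meta_refresh"] += 1
        elif tag == "html":
            f["html_docs"] += 1          # more than one means "double HTML document"
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style or "hidden" in a:
            f["hidden"] += 1
        try:                             # int("") raises, so elements without both attributes are skipped
            if int(a.get("width", "")) * int(a.get("height", "")) < SMALL_AREA:
                f["small_area"] += 1
        except ValueError:
            pass
        for key in ("src", "href", "data"):
            if a.get(key, "").startswith(("http://", "https://")):
                f["urls"] += 1


def extract_features(html: str) -> dict:
    p = FeatureExtractor()
    p.feed(html)
    p.close()
    return p.f


def likely_malicious(f: dict) -> bool:
    """Stand-in for the trained HTML model: a crude weighted vote (weights are assumptions).
    Hidden elements only count when an iframe is present too."""
    score = (2 * min(f["script_bad_ext"], 3)
             + 2 * f["hidden"] * min(f["iframe"], 1)
             + f["small_area"] + f["meta_refresh"]
             + 2 * max(f["html_docs"] - 1, 0))
    return score >= 2


# The two fragments are the "Matches" from slide 21; the benign page is constructed.
INJECTED_IFRAME = ('<div style="display:none"> <iframe src="http://biozavr.ru:8080/index.php" '
                   'width=104 height=251 > </iframe></div>')
INJECTED_SCRIPTS = ("<body><div id=\"DivID\"> <script src='a2.jpg'></script> <script src='b.jpg'></script> "
                    "<script src='url.jpg'></script> <script src='c.jpg'></script> <script src='d.jpg'></script> "
                    "<script src='e.jpg'></script> <script src='f.jpg'></script> </body>")
BENIGN_PAGE = ('<html><head><script src="/static/app.js"></script></head>'
               '<body><p>Hello</p></body></html>')

if __name__ == "__main__":
    for name, page in [("iframe", INJECTED_IFRAME), ("scripts", INJECTED_SCRIPTS), ("benign", BENIGN_PAGE)]:
        f = extract_features(page)
        print(name, f, "-> likely malicious" if likely_malicious(f) else "-> likely benign")
```

Note what the filter does not do: it never fetches a2.jpg or biozavr.ru, so it costs microseconds per page; whether those scripts actually exploit anything is the oracle's job.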
  • 22. Evaluation
  •  Large-scale evaluation of Prophiler
  •  60 days of crawling + analysis
  •  18,939,908 unlabeled pages
  •  14.3% of pages flagged as suspicious and submitted to Wepawet (13.7% FP, i.e. pages the oracle later deemed benign; tolerated by design)
  •  85.7% load reduction on Wepawet = saving more than 400 days of analysis!
  • 23. Smart crawler
  •  How do we seed our oracle + filter?
  •  Obvious idea: crawling
     –  Problem: the toxicity (fraction of malicious pages) of regular crawling is pretty low
     –  Observation: crawling is only as good as the initial seeds
  •  Challenge: can we find better seeds?
  • 24. EvilSeed
  •  Guided search approach to increase the toxicity of the pages that are crawled
  •  Input: malicious web pages found in the past
  •  Output: set of (more likely malicious) web pages
  •  EVILSEED: A Guided Approach to Finding Malicious Web Pages. Luca Invernizzi, Stefano Benvenuti, Paolo Milani, Marco Cova, Christopher Kruegel, Giovanni Vigna. Proceedings of the IEEE Symposium on Security and Privacy, 2012
  • 26. Gadgets
  •  Links gadget (malware hub)
  •  Content dorks gadget
  •  SEO gadget
  •  Domain registration gadget
  •  DNS queries gadget
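Of the gadgets on slide 26, the content dorks gadget is the easiest to show in a few lines. The added example below (not EvilSeed's code) takes the text of pages the oracle already flagged, finds word bigrams that are common across those pages but rare in benign ones, and turns the top ones into a quoted search query, the "dork" that a search engine would then expand into new, more toxic seeds. The two small corpora, the scoring formula and the cut-offs are constructed for illustration; the pharma-spam wording only echoes the cheapfarma.ru seed on slide 31.

```python
import re
from collections import Counter
from itertools import chain

WORD_RE = re.compile(r"[a-z][a-z0-9]{2,}")
STOPWORDS = {"the", "and", "for", "with", "this", "that", "from", "your", "www", "com", "http"}


def ngrams(text: str, n: int = 2) -> set:
    """Word n-grams of a page as a set, so each page counts once (document frequency)."""
    words = [w for w in WORD_RE.findall(text.lower()) if w not in STOPWORDS]
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def content_dorks(malicious, benign, n: int = 2, top: int = 3, min_mal_df: int = 2) -> list:
    """Rank n-grams by how much more often they occur in malicious pages than in benign ones.
    The score is a smoothed ratio of document frequencies (an assumption, not EvilSeed's formula)."""
    mal_df = Counter(chain.from_iterable(ngrams(p, n) for p in malicious))
    ben_df = Counter(chain.from_iterable(ngrams(p, n) for p in benign))
    scored = []
    for gram, dm in mal_df.items():
        if dm < min_mal_df:          # a phrase seen on one page only is noise, not a campaign signature
            continue
        score = (dm / len(malicious)) / ((ben_df[gram] + 1) / (len(benign) + 1))
        scored.append((score, gram))
    scored.sort(reverse=True)
    return [gram for _, gram in scored[:top]]


def dork_query(grams) -> str:
    """Quote each phrase so the search engine matches it exactly."""
    return " ".join(f'"{g}"' for g in grams)


# Constructed corpora: three pages from one injected-template campaign, three benign pages.
MALICIOUS_PAGES = [
    "Welcome to our blog. Buy cheap viagra online pharmacy, no prescription needed. Powered by WordPress.",
    "Photo gallery. Cheap viagra online pharmacy, fast delivery. Powered by WordPress.",
    "Local news: viagra online pharmacy at discount prices. Contact us.",
]
BENIGN_PAGES = [
    "Powered by WordPress. Welcome to my cooking blog, new recipes every week.",
    "Photo gallery of our trip to the coast. Contact us for prints.",
    "Local news and weather for the county, updated hourly.",
]

if __name__ == "__main__":
    print(dork_query(content_dorks(MALICIOUS_PAGES, BENIGN_PAGES)))
```

"powered wordpress" is exactly the kind of phrase the benign corpus is there to suppress: it is on every compromised page, but it is on most legitimate ones too and would send the crawler everywhere.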
  • 27. Anti-evasion
  •  At this point of the story, the bad guys will actively try to evade your system
  •  Lots of effort goes into designing evasion techniques
     –  Analysis environment detection
     –  User detection
     –  Stalling
  •  Challenge: how do we detect that we are being evaded?
  • 28. Revolver
  •  Assumption: attackers are likely to take existing malicious samples/web pages and enhance them with evasive code
  •  Idea: detect similar samples that are classified differently by the oracle
  •  Revolver: An Automated Approach to the Detection of Evasive Web-based Malware. A. Kapravelos, Y. Shoshitaishvili, M. Cova, C. Kruegel, G. Vigna. Proceedings of the USENIX Security Symposium, Washington, D.C., August 2013
  • 29. Revolver (architecture diagram): web pages → oracle → ASTs, abstracted to node-type sequences (IF VAR <= NUM …) → similarity computation → candidate pairs {bi, mj} of a benign-labeled and a malicious-labeled page → classified as malicious evolution, data-dependency, JavaScript infections, or evasions
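The idea on slides 28 and 29 is mechanical enough to show end to end. The added example below (written for this page; Revolver's own implementation works on real ASTs and is not reproduced here) abstracts each script into a sequence of node types such as IF VAR <= NUM, then compares every malicious-labeled script against every benign-labeled one and reports pairs that are nearly identical but received different verdicts, together with the tokens that only the benign-labeled copy contains. The regex tokenizer, the 0.7 similarity threshold, the "evasion-like" heuristic and the three sample scripts with their oracle labels are all constructed.

```python
import difflib
import re

# Regex tokenizer standing in for a JavaScript parser (an assumption; Revolver uses ASTs).
TOKEN_RE = re.compile(r"""
    (?P<skip>\s+|//[^\n]*|/\*.*?\*/)
  | (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<num>0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?)
  | (?P<id>[A-Za-z_$][\w$]*)
  | (?P<op>===|!==|==|!=|<=|>=|&&|\|\||\+\+|--|\+=|-=|\*=|/=|<<|>>|[-+*/%=<>!&|^~?:;,.(){}\[\]])
""", re.S | re.X)

KEYWORDS = {"var", "let", "const", "if", "else", "while", "for", "function", "return", "new",
            "typeof", "try", "catch", "this", "true", "false", "null", "in", "instanceof"}

SIMILARITY_THRESHOLD = 0.7                              # assumption
CONTROL_FLOW = {"if", "typeof", "try", "instanceof"}    # inserted checks that smell like evasion


def normalize(js: str) -> list:
    """Abstract a script into a node-type sequence: identifiers become VAR, literals NUM/STR,
    keywords and operators are kept. Renaming variables or changing constants no longer matters."""
    seq = []
    for m in TOKEN_RE.finditer(js):
        kind = m.lastgroup
        if kind == "skip":
            continue
        if kind == "id":
            seq.append(m.group() if m.group() in KEYWORDS else "VAR")
        elif kind == "op":
            seq.append(m.group())
        else:
            seq.append(kind.upper())
    return seq


def find_evasion_candidates(labeled) -> list:
    """labeled: list of (name, oracle_verdict, source). Returns near-identical pairs with
    different verdicts and the tokens present only in the benign-labeled member."""
    seqs = {name: normalize(src) for name, _, src in labeled}
    malicious = [n for n, v, _ in labeled if v == "malicious"]
    benign = [n for n, v, _ in labeled if v == "benign"]
    out = []
    for m in malicious:
        for b in benign:
            sm = difflib.SequenceMatcher(None, seqs[m], seqs[b], autojunk=False)
            ratio = sm.ratio()
            if ratio < SIMILARITY_THRESHOLD:
                continue
            added = []
            for tag, i1, i2, j1, j2 in sm.get_opcodes():
                if tag in ("insert", "replace"):
                    added.extend(seqs[b][j1:j2])
            out.append({"malicious": m, "benign": b, "similarity": round(ratio, 3),
                        "added_tokens": added,
                        "evasion_like": bool(CONTROL_FLOW & set(added))})
    return out


# Constructed samples: the same spray-and-exploit payload, once bare and once wrapped in an
# environment check that a headless analysis browser fails, so the oracle saw no exploit.
ORIGINAL = """
var sc = unescape("%u9090%u9090%uE8FC");
var spray = "";
while (spray.length < 0x100000) { spray += sc; }
var pdf = new ActiveXObject("AcroPDF.PDF");
pdf.src = spray;
"""
EVOLVED = """
var sc = unescape("%u9090%u9090%uE8FC");
var spray = "";
if (typeof window.callPhantom === "undefined" && navigator.plugins.length > 0) {
  while (spray.length < 0x100000) { spray += sc; }
  var pdf = new ActiveXObject("AcroPDF.PDF");
  pdf.src = spray;
}
"""
UNRELATED = "function add(a, b) { return a + b; } add(1, 2);"

LABELED = [("original.js", "malicious", ORIGINAL),
           ("evolved.js", "benign", EVOLVED),        # the oracle was evaded
           ("unrelated.js", "benign", UNRELATED)]

if __name__ == "__main__":
    for c in find_evasion_candidates(LABELED):
        print(c)
```

The output for the constructed pair is the evasion check itself (if, typeof, the plugin-count comparison), which is precisely the evidence an analyst needs to add the missing property to the honeyclient and re-run the sample.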
  • 31. (System diagram) Seeds come from the public portal, a crawler, and EvilSeed, whose terms extractor works from known malicious pages (example seed URLs on the slide: http://www.easymoney.com, http://cheapfarma.ru, http://rateyourcar.com, http://nudecelebrities.it). Prophiler's feature extractor splits them into benign pages and possibly malicious pages; the latter go to the Wepawet cloud (honeyclients), with Anubis alongside. Pages confirmed malicious (exploit site, C&C site) feed threat intel and blocking.
  • 32. Challenges
  •  Evasions
     –  Detection
     –  Bypass (when possible)
  •  Targeted attacks
  •  Defense/offense imbalance