Web Security Attack Trends & Case Sharing
HKCERT
Source: index-of.co.uk/Various/20100720_01.pdf · 2019. 3. 7.


Page 1

Web Security Attack Trends & Case Sharing

HKCERT


Page 2

Agenda

Information Security Landscape
Botnet and Malware
Unnoticeable Hack???
Case Sharing
How to mitigate risks


Information Security Landscape

HKCERT


Page 4

Attacks targeting our vulnerabilities

Systems and Applications
Insecure configurations
– Default passwords or settings
– e.g. some plug-ins require particular folders to be made writeable
All software has security holes
– Window of opportunity between discovery of a security hole and availability of a patch

Human
People can be cheated
– "Social Engineering" techniques
– The way you gain trust from others == the way a hacker gains trust from you


Page 5

Vulnerabilities: Social Engineering

In the May 2010 seminar, we were talking about…


Page 6

And now…

Vulnerabilities: Client-side attack via Social Network Sites

A social engineering trick allowed a clickjacking worm to spread quickly over Facebook
– Curiosity about what your online friend "likes"
– Facebook users' profiles have been updated by the clickjacking attack
– What if it is a malicious Facebook game?

http://www.sophos.com/blogs/gc/g/2010/06/14/facebook-users-clickjacked-101-hottest-women-world/

http://www.sophos.com/blogs/gc/g/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/


Page 7

Major Threats

Phishing / Defacement

Malware

Malicious Code Injection / SQL Injection

Distributed Denial of Service (DDoS)

Botnet
– Sending phishing & spam mail
– Launching Denial-of-Service attacks

etc…


Page 8

Botnet is one of the major threats


Botnet and Malware

HKCERT


Page 10

Botnet & Malware

Infection through
– Web browsing

– Email

– Drive-by Download

– Social Engineering Technique

Malware Propagation and Distribution
– Executables

– Document Malware

– Website

– Social Network

– SEO (Search Engine Optimization)


Page 11

Malware 2.0

[Diagram labels]
Propagation
Forming a Botnet
Manage
Update
Command & Control
Survive the adverse
Evade Detection
Encryption or Obfuscation
Morphing
Uses Search Engine to evade detection
Others

Malware today turns the victim PC into part of a botnet

http://www.usenix.org/event/leet10/tech/full_papers/Rajab.pdf

http://googleonlinesecurity.blogspot.com/2010/04/rise-of-fake-anti-virus.html


Page 12

Malware Propagation Channels

Channels: Executables | Document Malware | Website

Executables
– Fake security software
– Fake video player codec


Page 13

Malware Propagation Channels

Channels: Executables | Document Malware | Website

Document Malware
– Embedded malware in PDF or Office files
– Zeus botnet served PDF malware (Apr 2010)


Page 14

Malware Propagation Channels

Channels: Executables | Document Malware | Website

Website
– Legitimate and trusted websites compromised
– Used to redirect users to malicious websites (via injected invisible iframes)
– Web admins may be unable to detect and mitigate the risks

http://tech.fortune.cnn.com/2010/07/04/googles-youtube-temporarily-hacked/


Page 15

Malware Propagation via websites

Mass infection of WordPress blogs hosted by Network Solutions (Apr 2010)
– Insecure web application configurations
– Outdated versions with known vulnerabilities
– Vulnerable plug-ins
Mass infection of WordPress blogs hosted by GoDaddy (May 2010)
– Outdated WordPress version with known PHP vulnerabilities
SQL-injected iframes pointing to a malware site in the Wall Street Journal website (June 2010)

http://www.computerworld.com/s/article/9175783/Network_Solutions_sites_hacked_again
http://community.godaddy.com/godaddy/the-latest-information-on-compromised-sites/
http://www.scmagazineus.com/wall-street-journal-others-hit-in-mass-sql-attack/article/172153/
http://blog.scansafe.com/journal/2010/6/9/wsj-a-victim-not-the-source-of-sql-injection.html


Page 16

Malware Propagation Channels

Channels: Executables | Document Malware | Website | Social Engineering & Black Hat SEO

Social Engineering & Black Hat SEO
– Hackers exploit Social Network Services to convince victims
– Hackers use Search Engine Optimization techniques to escalate malicious website ranking in search results


Unnoticeable Hack???

HKCERT


Page 18

h4ck3d? d3f4c3d?


Page 19

Defacement

Keyword Search: "hacked by" site:.hk
– Number of results (15 July 2010): 6,590 (Google) / 6,310 (Yahoo)


Page 20

HK Forum Websites

295 million records (Google Search results)


Page 21

Targeted Attack

“Hacked by ring04h, just for fun” (Jan 2009)

DNS Hack (Domain: customer.discuz.net)
– Used for delivering updates and security patches
– Hacked and pointed to a malicious DNS server


Page 22

Domain Tasting

Domain tasting is the practice of a domain name registrant using the five-day "grace period" (the Add Grace Period or AGP) at the beginning of the registration of an ICANN-regulated second-level domain to test the marketability of the domain.

During this period, when a registration must be fully refunded by the domain name registry, a cost-benefit analysis is conducted by the registrant on the viability of deriving income from advertisements being placed on the domain's website.


Page 23

Domain Tasting Phishing


Page 24

Domain Tasting Phishing


Page 25

Fast Flux Domains

Fast flux is a DNS technique often used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

Multiple individual nodes within the network register and de-register their addresses as part of the DNS A (address) record list for a single DNS name. This combines round-robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name.

Mobile IP addresses are involved (e.g. 3G network)
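The two properties the slide names, very short TTLs and a constantly changing A-record list, can be turned into a simple detector. The following is an added example, not HKCERT's code; the DNS observations are constructed sample data and the thresholds (300-second TTL, three /16 networks) are assumptions a defender would tune against their own resolver logs.

```python
"""Heuristic fast-flux detector over repeated A-record lookups of one name.
Added illustration (not from the HKCERT deck); sample data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Observation:
    """One resolution of a name: the TTL and the A records returned."""
    name: str
    ttl: int
    addresses: tuple

def distinct_prefixes(addresses, prefix_bits=16):
    """Count distinct /16 networks; proxies on home or mobile lines (the
    slide's '3G network' case) rarely share one network block."""
    return len({int(ip_address(a)) >> (32 - prefix_bits) for a in addresses})

def flux_score(observations, ttl_threshold=300):
    """Return (score, indicators). Indicators, each worth one point:
    short_ttl (all TTLs <= threshold), rotating_answers (the A-record set
    changes in at least half of consecutive lookups), large_pool (more than
    twice as many addresses seen as one answer carries), spread (>= 3 /16s)."""
    all_addrs, changes, prev = set(), 0, None
    for o in observations:
        cur = frozenset(o.addresses)
        all_addrs |= cur
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    per_answer = max(len(o.addresses) for o in observations)
    indicators = {
        "short_ttl": max(o.ttl for o in observations) <= ttl_threshold,
        "rotating_answers": changes >= len(observations) // 2,
        "large_pool": len(all_addrs) > 2 * per_answer,
        "spread": distinct_prefixes(all_addrs) >= 3,
    }
    return sum(indicators.values()), indicators

def is_fast_flux(observations, min_indicators=3):
    """Flag a name when at least min_indicators of the four heuristics fire."""
    return flux_score(observations)[0] >= min_indicators

# Constructed sample: a fluxing name (documentation ranges) and a normal
# round-robin name whose two addresses never change.
FLUX = [
    Observation("bad.example", 120, ("198.51.100.7", "203.0.113.9", "192.0.2.44")),
    Observation("bad.example", 120, ("198.51.100.7", "192.0.2.12", "203.0.113.80")),
    Observation("bad.example", 90, ("192.0.2.12", "198.51.100.200", "203.0.113.81")),
    Observation("bad.example", 120, ("192.0.2.99", "198.51.100.201", "203.0.113.82")),
]
NORMAL = [
    Observation("www.example", 3600, ("192.0.2.10", "192.0.2.11")),
    Observation("www.example", 3600, ("192.0.2.11", "192.0.2.10")),
]
```

A legitimate CDN can also score on short_ttl and large_pool, which is why the spread and rotation indicators are required before a name is flagged.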


Page 26

Hacked?


Case Sharing: Blackhat SEO

HKCERT


Page 28

SEO

Search Engine Optimization (SEO)
– A collection of techniques used to achieve a higher ranking of a particular URL in search results
– Optimize a website to increase its relevance to specific keyword searches

Black Hat SEO / SEO poisoning
– Hackers use unethical SEO techniques and add numerous fake web pages to compromised websites to manipulate the relevance of resources indexed by search engines.


Page 29

Blackhat SEO???

Google Search for Vatican directed to ‘paedophile site’ (19 July 2010)

http://hk.apple.nextmedia.com/template/apple/art_main.php?iss_id=20100719&sec_id=15335&subsec_id=15339&art_id=14254412

http://www.tallerseo.com/en/2010/07/para-google-el-vaticano-es-pedofilo-com.html


Page 30

Pharma Hack

Malicious files in the WordPress plugins folder coupled with encrypted code in the WordPress database.

http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php


Page 31

SEO Poisoning

“keygen” available in “.edu.hk”???


Page 32

SEO Poisoning – Redirection (.htaccess)

[Flow diagram] REQUEST → REFERER? → RESPONSE
– Via Search Engine: redirect to Fake AV scanning site
– Direct Access: 404
Other diagram labels: JAVASCRIPT, BROWSER? (Internet Explorer / MS Office / Web), EXPLOIT?, DOWNLOADER, PDF / CWS / EXE


Page 33

SEO Poisoning – Redirection

Sample content of ".htaccess" files under a hacker's control
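The pattern behind these slides, a rewrite rule that fires only when the Referer names a search engine and sends the visitor off-site, can be checked for mechanically. The following is an added example, not the sample from the deck: an auditor for .htaccess files that groups each RewriteRule with its RewriteCond lines and flags referer-conditioned external redirects. The .htaccess text is constructed and the host name is a placeholder.

```python
"""Flag referer-conditioned redirects in an Apache .htaccess file, the SEO
poisoning cloaking pattern (search-engine visitors redirected, direct
visitors served a 404). Added illustration; sample file is constructed."""
import re

SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "ask", "aol")

def parse_rewrite_rules(text):
    """Group each RewriteRule with the RewriteCond lines preceding it.
    Returns a list of (conditions, rule) tuples of raw argument strings."""
    groups, conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, rest = parts[0].lower(), parts[1]
        if directive == "rewritecond":
            conds.append(rest)
        elif directive == "rewriterule":
            groups.append((conds, rest))
            conds = []  # conditions apply only to the next rule
    return groups

def find_referer_cloaking(text):
    """Return rules whose conditions test HTTP_REFERER for a search engine
    and whose target is an absolute URL (an off-site redirect)."""
    findings = []
    for conds, rule in parse_rewrite_rules(text):
        referer_conds = [c for c in conds if "%{HTTP_REFERER}" in c.upper()]
        if not referer_conds:
            continue
        hits_engine = any(
            any(e in c.lower() for e in SEARCH_ENGINES) for c in referer_conds)
        external = re.search(r"\s(https?://\S+)", rule) is not None
        if hits_engine and external:
            findings.append({"rule": rule, "conditions": referer_conds})
    return findings

# Constructed sample resembling the slide's description: search-engine
# visitors are bounced to an external site, direct access gets a 404.
SAMPLE_HTACCESS = """
RewriteEngine On
# benign rule: pretty URLs
RewriteRule ^blog/([0-9]+)$ index.php?p=$1 [L]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule .* http://attacker-placeholder.invalid/scan.php [R,L]
RewriteRule ^promo/.* - [R=404,L]
"""
```

Because the redirect never fires for a direct request, fetching the page in a browser shows nothing wrong; reading the .htaccess (or requesting with a search-engine Referer) is what exposes it.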


Page 34

Redirection of attacks to central exploit server

Malicious servers redirect victims to the Exploit Server which serves as a central delivery

http://www.honeynet.org/papers/mws


Automatic Botnet System – Gumblar

HKCERT


Page 36

Gumblar

First appeared in spring 2009

Stealing FTP credentials

Injecting malicious links in legitimate content (HTML/PHP/JavaScript files, etc.)

Uploading backdoors on compromised servers


Page 37

Gumblar

[Diagram: Gumblar infection cycle]
– infectors → html-redirectors / php-redirectors
– Internet users: Page Download → Download → Exploit
– Attacked Users: Got Infected
– FTP Accounts
– Inject Code (into further sites)


Page 38

Gumblar (Automatic botnet system)

Stealing FTP credentials

Injecting malicious links in legitimate content

Uploading backdoors on compromised servers

Attacking visitors of a website
– Visitors have been infected with the Windows executables
– Grabs FTP credentials from the victim machines
– The FTP accounts are then used to infect every webpage on new webservers

http://www.securelist.com/en/blog/208187897/The_Gumblar_system

http://www.securelist.com/en/blog?cat=7&page=2

http://www.digitalthreat.net/2009/06/deobfuscating-gumblar/
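Both the compromised-site slide (invisible iframes injected into trusted sites) and the Gumblar slides (links and script injected into HTML/PHP/JavaScript files via stolen FTP accounts) come down to the same defender task: finding injected fragments in content you publish. The following scanner is an added example, not HKCERT's or any vendor's tool; it uses only the standard library, the sample page is constructed, and the host names are placeholders.

```python
"""Scan web content for injected fragments: invisible iframes, script or
iframe sources on foreign hosts, and eval/unescape obfuscation.
Added illustration; the sample page is constructed."""
import re
from urllib.parse import urlparse

TAG_RE = re.compile(r"<(iframe|script)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:unescape|String\.fromCharCode)", re.IGNORECASE)

def parse_attrs(attr_text):
    """Lower-cased attribute name -> value for one tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(attr_text)}

def is_hidden(attrs):
    """Zero/one-pixel or display:none frames: the redirect trick on slide 14."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    def tiny(v):
        digits = re.sub(r"[^0-9]", "", v)
        return digits != "" and int(digits) <= 1
    return tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))

def is_external(src, site_host):
    """True when src is absolute and points at a host other than our own."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()

def scan_html(html, site_host):
    """Return findings as (kind, detail) tuples in document order."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), parse_attrs(m.group(2))
        src = attrs.get("src", "")
        if tag == "iframe" and is_hidden(attrs):
            findings.append(("hidden_iframe", src))
        if src and is_external(src, site_host):
            findings.append(("external_" + tag, src))
    for m in OBFUSCATION_RE.finditer(html):
        findings.append(("obfuscated_script", m.group(0)))
    return findings

# Constructed sample: a legitimate page with two injected fragments appended.
SAMPLE_HOST = "www.example-site.invalid"
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script src="/js/menu.js"></script>
<iframe src="http://www.example-site.invalid/ad.html" width="300" height="250"></iframe>
<iframe src="http://injected-host.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<script>eval(unescape('%65%76%69%6c'))</script>
</body></html>"""
```

Run over a webroot after an incident, the same checks also catch the Gumblar-style injection in .php and .js files, since the regexes do not depend on the file being well-formed HTML.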


Consequence of Security Attacks

HKCERT


Page 40

Consequences of Security Exposure

Machines fall under the control of hackers
Theft of credentials
Financial loss
Hackers launch local attacks against the whole network
Bandwidth and performance degradation
Legal liability: liable for hacking activity within your premises


Mitigation Strategies

HKCERT


Page 42

What do we do?

Finding compromised web sites and malware hosting

International Collaboration

Cyber Drill Exercise

Proactive Discovery of Incidents

Intelligence and Research

Collecting information on hacker behaviour
– Good example: Conficker Working Group


Page 43


Cyber Security Incident Response Drill (coming October 2010)


Page 44

What can you do?

Company / Service Provider

Additional measures
– At the firewall, block all unnecessary traffic to servers except known services

Set up a security policy
Install anti-virus software and keep it updated
Fix all security holes
– Patch software and applications
– Change insecure default settings
Set strong passwords
Scan your systems periodically


Page 45

Awareness Education and Training

Awareness
– Understand emerging attacks

– Beware of Social Engineering

Follow Guidelines

Train your staff

Set up Incident Response Procedure


www.hkcert.org
Hotline: 81056060

Q&A