The Rise of X-Morphic Exploitation
Gunter Ollmann
Director of Security Strategy, IBM Internet Security Systems
11:00am, 27th April 2008
Abstract
• Imagine it: different exploit code for every user's browser. Subscription-based managed exploit services. Exploits that are invulnerable to signature-based anti-virus software. X-morphic exploitation may create such a hacker's paradise. Learn about this rising threat and how to combine signature- and behavior-based techniques to fight it.
The Plan
• Understanding X-Morphic
– Drive-by downloads, whatchamacallit-morphic
• Attack Components
– Delivery tactics and obfuscation
• Bringing the parts together
– Platforms for attack delivery
• What are we observing today?
– Malware and attack trends, and 1H observations
• Commercial exploitation services
– Managed Exploit Providers and revenue models
Understanding X-Morphic
"A great many people enjoy a war provided it's not in their neighborhood and not too bad"
BERTRAND RUSSELL (1872-1970)
Drive-by-downloads
• Threat category first appeared in early 2002 (e.g. spyware pop-ups)
• From 2004, encompasses any download that occurs without the knowledge of the user
• Exploits vulnerabilities within the Web browser or components accessible through it (e.g. ActiveX plugins)
• Objective of attacker is to install malware
• Commercial "drive-by-download" attacks from late 2005
The Drive-by-download Process
• Victim follows a link to the malicious site
• Page includes exploit material
• Shellcode designed to download a package
• Package silently downloaded
• Malware package silently installed
• Host infected
Serving the Malicious Content
• Started with copy-paste sections of code dropped in to a Web page
• Developed in to a dedicated bundle of attack scripts
– Accessed through JavaScript modules
– Embedded iFrame
• Shared attack modules updated and sold by third-parties
• Inclusion of exploit obfuscation
• Development of dedicated attack engines
– Subscription services
– IP protected by encryption and other safeguards
Whatchamacallit-morphic?
• Oligomorphic
– In its simplest form, the malware author ships multiple decrypt engines (or decryptor patterns) instead of just one.
• Polymorphic
– An evolutionary step from oligomorphic techniques: polymorphic malware can mutate its decryptors through a dynamic build process that may incorporate 'noise' instructions along with randomly generated or variable keys. This results in millions of possible permutations of the decryptor.
• Metamorphic
– Moving beyond polymorphic techniques, metamorphic malware mutates the appearance of the malcode body. This may be effected by carrying a copy of the malware source code and, whenever it finds a compiler, recompiling itself after adding or removing junk code to its source.
X-Morphic Attack Principles
• Application of oligomorphic, polymorphic and metamorphic principles
• Attack morphing at many different levels:
– The network layer (e.g. fragmentation)
– The content delivery layer (e.g. base64 encoding)
– The application content layer (e.g. JavaScript)
• Purpose of the x-morphic engine:
– Evade signature protection systems
– Evade network protection systems
– Protect exploit code and delivery engine from being uncovered too quickly
• Payload morphing too…
– Apply the same principles to the malware.
Web Browser Exploitation
X-Morphic Attack Components
"The Machine, the genie that man has thoughtlessly let out of its bottle cannot put back again"
GEORGE ORWELL (1903-1950)
The X-Morphic Engine
• Exploit
– Stock exploits
– Subscription exploits
– Custom shellcode
• Exploit Morpher
– Whitespace & chaffing
• Obfuscator
– Application content
– Content delivery
– Network layer
Types of Exploit being Observed
• Originally simple bypasses of trust zones
– Exploitation of ActiveX URL/file-load commands
– JavaScript overflow vectors more important with "heap-spraying" from 2004
• Ripped from projects such as Metasploit (from 2005)
• Custom and 0-day exploits
Types of Exploit being Observed
http://www.iss.net/documents/whitepapers/x-force_threat_exec_brief.pdf
Exploit Morphing Techniques
• Dynamic
– substitution ciphers
– decompression engines
– string concatenation from out-of-order elements (perhaps from an array)
– alternating uses of upper and lowercase letters in a string
– alternating escaped character encodings (e.g. %u -> #u -> \\hex)
• Static
– client-side evaluation of browser and browser plugins for redirection
– server-side evaluation of browser id for content selection
– limiting content retrieval per IP address
– client-side setting of cookies for later validation
Exploit Morphing Techniques
• Blob of encoded data
• Small decoding stub in JavaScript

var encodedText = "dW5lc2NhcGUoIiV1OTA5MCV1OTA5MCIp…"; // base64 of: unescape("%u9090%u9090")
var decodedText = decode(encodedText);
document.write(decodedText);
function decode(input) { . . . }  // decoder body elided on the slide
Exploit Morphing Techniques
• Unwrapped content reveals malicious heap-spraying JavaScript
• Often blobs are encoded multiple times

var shellcode = unescape("%uyadd%uayad%udaya%uddaa"); // placeholder for the real shellcode
var nop_sled = unescape("%u9090%u9090");
while (nop_sled.length <= 40000)
    nop_sled += nop_sled;
var myArray = new Array();
for (var i = 0; i < 300; i++)
    myArray[i] = nop_sled + shellcode;
Exploit Obfuscators
• Application Content Layer
– JavaScript
– File inclusions
• Content Delivery Layer
– HTTP compression
– Chunked encoding
– Chaffing
• Network Layer
– Packet fragmentation
– Chaffing
Obfuscation: Application Layer (1)
• Multiple application-level obfuscation techniques available:
– Splitting up the source files and dynamically rebuilding the exploit page, for instance through multiple file inclusions (e.g. .css files, .js files).
– Execution of embedded scripts to "unpack" and subsequently execute the exploit (often inside a new Web browser window or frame).
– Utilizing supported file formats (such as Flash and Adobe Acrobat files) which have their own scripting languages and can be rendered inside the Web browser.
• Number of techniques growing monthly…
Obfuscation: Application Layer (2)
Obfuscation: Application Layer (3)
Obfuscation: Application Layer (4)
Obfuscation: Content Delivery Layer (1)
• Lots of options available:
– Encryption over SSL and TLS
– HTTP-supported compression such as ‘gzip’ (an encoding format produced by GNU zip), ‘compress’ (an encoding format produced by the UNIX compress program) and ‘deflate’ (the zlib encoding format).
– Multiple character-set encodings such as ASCII, UTF-8, UTF-7, UTF-16LE, UTF-16BE, UTF-32LE, UTF-32BE, etc.
– Transfer encodings such as ‘chunked’ and ‘token-extension’
– Chaffing content with characters that will not be rendered by the web browser when encoded to a particular character set.
Obfuscation: Content Delivery Layer (2)
• Let's examine a simple exploit (MS04-009)
– It allowed an attacker to construct an HTML page that would cause Microsoft Outlook to remotely start and execute code of the attacker's choice

<img src="mailto:aa" /select javascript:alert('vulnerable')">

• The important part of this exploit example is:
<img src="mailto:aa" /select javascript
Obfuscation: Content Delivery Layer (3)
• Implement chunked encoding: the same page split so that no single chunk contains the trigger string (chunk sizes reconstructed from the slide)

Transfer-Encoding: chunked
Content-Type: text/html

5
<html
9
> <body> 
5
<img 
4
src=
4
"mai
4
lto:
5
aa&qu
3
ot;
9
 /select 
5
javas
5
cript
6
:alert
9
('vulnera
6
ble')"
8
></body>
3
 </
5
html>
0
Obfuscation: Content Delivery Layer (4)
• UTF-7 (7-bit Unicode encoding)
+ADw-html+AD4 +ADw-body+AD4+ADw-img src+AD0AIg-mailto:aa+ACY-quot; /select javascript:alert('vulnerable')+ACIAPg+ADw-/body+AD4 +ADw-/html+AD4
• Base64 encoding with chaff (characters outside the base64 alphabet inserted as noise)
P[G;.?h0bW⌂{#w_+%_~&%]I<Dxib!&2$R'5|Pg,^o8(;aW1nI:$H );_N'->yYz$0i\(*~?bWF>p^b.&HRv}OmF#.hJn%#:F1b3Q`7_IC{9(#@z#.Z⌂W}xl⌂Y&3Qg[amF*2YX#N^}|^?^`j()cm$]>⌂l%w dD"$p](hb ⌂\^#GVy'>d@!!⌂~Cgnd`n[ Vsb](m'VyYW⌂JsZS#c` !)#"p'I@%j4KP'C9i`~b.:2]R5'{P?$i';A_8L *,2)h}0)@bWw⌂+Cgo=
Obfuscation: Network Layer
• Simple fragmentation: AT | TAC | K → ATTACK
• Out-of-sequence fragmentation: the same fragments delivered out of order → ATTACK after reassembly
• Overlapping packet fragmentation: AT | TAC | ACK | K → ATTACK
• Overwriting redundant packets: AT | QWE | ACK | K | TAC | RTY → ATTACK (later fragments overwrite the decoy data)
• Packet timeouts: ATT | long pause | ACK → ATTACK
Making it all work together
“An army of deer led by a lion is more to be feared than an army of lions led by a deer.”
CHABRIAS (410?-357? BC)
Malicious Content Delivery
• The attacker must cause their potential victim to request a page from the malicious Web server
– Spam – Email, instant messenger and any other messaging platform that can deliver a message directing potential victims to the location of the malicious Web server.
– Phishing – using the same messaging systems as Spam, however the message contains a strong social engineering aspect (typically a personal and compelling event).
– Hacking – exploiting flaws in pre-existing popular Web sites or Web pages that have high traffic flow, and embedding links to the x-morphic content.
– Banner Advertising – utilizing banner rings or commercial advertising channels, the attacker can create an advertisement (typically seen on most commercial Web sites) directing potential victims to their Web server.
– Forum Posting – the attacker visits popular online forums and message boards and leaves messages containing URLs to their malicious Web server.
Malicious Content Delivery
• And more ways…
– Search Page-rank – with a little planning, the attacker can manipulate the page-ranking systems of popular search engines so that their Web server appears high in the list of URLs returned when a potential victim searches for certain words and phrases.
– Expired Domains – many popular and well-visited sites fail to renew their domain registrations on time. When a registration lapses, the attacker can purchase the domain and point it (and all associated host names) at the IP address of their malicious Web server.
– DNS Hijacking – similar to expired domains, the attacker can often manipulate DNS entries on poorly secured DNS servers and get them to direct potential victims to the malicious Web server.
Using Exploited Systems
• Tickers and Counters
– In the past, attackers have compromised Web servers that provide this shared content and appended their malicious exploit material to the served content, allowing them to massively increase their potential victim audience.
• 404 Page Errors
– In previous attacks, the attackers have used spam email to draw potential victims to non-existent URIs on a previously compromised (but legitimate) Web server, which resulted in a maliciously encoded error page being returned from the server and, after successful exploitation, redirected them to the legitimate page.
• Server-side User-Agent Checks
– Attackers are already leveraging this information to ensure that exploit code is only served to browsers most likely to be vulnerable to it, and utilizing referrer information to decide whether their potential victim arrived from a linking site they set up.
Attack Personalization
• Strategies that the x-morphic engine developers have adopted as part of their personalized attack delivery platform include:
– Using the source IP address of the request, the attacker can ensure that only one exploit is ever served to that address.
– The attacker may choose to implement a time-based approach to protect their engine from discovery.
– By observing the specific browser-type information, the attacker can ensure that only exploits relevant to that particular browser are ever served.
– Leveraging the IP address information, the attacker can of course prevent certain IP addresses or ranges from ever being served malicious content.
– One-time URLs have been popular within Spam messages as a way of validating the existence of a specific email address.
2007 Browser Exploits & Payloads
"I'd rather be a poor winner than any kind of loser"
GEORGE S. KAUFMAN (1889-1961)
Browser Exploits in the Wild
• Most popular browser exploits:
– MS06-073, Visual Studio WMI Object Broker ActiveX [Bug: Functionality]
– MS07-017, Animated Cursor [Bug: Overflow]
– MS06-057, WebView ActiveX [Bug: Overflow]
• Increased obfuscation use
– Statistically insignificant in 2006
– In 2007 nearly 80% are obfuscated
• Encrypted exploits sky-rocketing
– Driven by prevalence of exploit toolkits such as MPack
– Exceeding 70%
IE Critical Vulnerabilities
Firefox Critical Vulnerabilities
Malware Evolution
• Malware classes used to be clearly defined
• Malware 2.0 is a mashup technology
– Take the best features of each malware group and combine them
• Unique one-of-a-kind malware
– Serial variants
– Polymorphic
– X-morphic engines
The Changing Face of Malware
Commercial Exploit Services
"We should expect the best and worst from mankind, as from the weather"
VAUVENARGUES (1715-1747)
Managed Exploit Providers
• Managed Exploit Providers (MEP) is the new business
• Selling or leasing exploit code and attack delivery platforms
– Outright purchase of the attack engine, with subscription updates
– Weekly-rental schemes of attack platforms
– Pay-per-visit or pay-per-infection schemes as simple as Google advertising
• Increased effort in maintaining their intellectual property
– A lot of competition for new exploits
– 0-day exploits carefully controlled
• Cottage industry of suppliers to MEPs
– Reverse engineering latest Microsoft patches and developing exploits
– Buy/Sell/Auction of new vulnerabilities
INET-LUX Multi-Exploiter Downloader: installation cost $15
iFrame Biz: minimum weekly payment of €50
iFrame911.com
Iframebiz.com: "Looking for a QUICK and EASY way to earn on the internet? Start earning with us now!!! Just two minutes of your time and you turn your traffic into real money! Why spend endless effort on affiliate programs? Join us, and you will have a steady income every day without losing visitors! We will not promise mountains of gold. Our job is to help you use your traffic in the best way. Even more money from the same volume of traffic is real. Try it, and you will stay with us!
We start earning serious money together!
Anyone can join us! You can do this by:
* having at your disposal at least one site;
* REGISTERING on the website http://iframebiz.com;
* placing our short iframe code in the pages of your site;
* being able to receive money through at least one of the payment systems: Fethard, Webmoney, Wire, E-gold, Western Union (WU), MoneyGram, Epassporte.
The system operates on reliable high-speed servers, which ensures stability. The system works without ActiveX and pop-ups!!! This means that you will not lose visitors to your sites by placing our iframe code!!! Anyone who comes to us remains happy! A HIGHER rate is the level of the company IFRAMEBIZ.COM! Sign up today and you will no doubt stay with us!"
Example: MPack
• MPack exploit toolkit is a server application
• Uses IFrames
• MPack toolkit available for $700
• Updates cost $50 - $150 per new exploit depending on exploitability
• AV evasion costs $20 - $30 more
• DreamDownloader bundled for $300 extra
• Comes complete with management console for displaying infection statistics
XSOX – Botnet Anonymizer
Monthly subscription price (without limitation): $50.00
Weekly subscription price (without limitation): $15.00
Special offer:
• Allocation of a port on the server for access to the SOCKS4/5 protocols, with a web management panel.
• VIP treatment with full control of your own shell-bots: screen, run, command.
• Actual server with full control.
• SOCKS4/5 with multiple random IP addresses on the outlet.
The Future for Attack Engines
What's the Protection?
• Signature AV = EOL
• Host-level protection is the best place (at the moment)
– Behavioral detection engines (stop the malware component)
– Script interpreters/interceptors (stop the obfuscated exploit component)
• Network-level protection is possible
– Content blocking (high false-positive rates)
– URL classification and blocking (pretty efficient)
• More work needs to be done
– IBM ISS' WHIRO 0-day discovery
– Global MSS alert correlation
Conclusions
• X-Morphic engines are an evolving threat
• The complex browser environment ensures "drive-by downloads" will remain popular
• Lots of innovation going on in bypassing traditional security systems
• Commercial incentive to improve X-Morphic attack engines
Thank You
Questions before the great escape?
Günter Ollmann, Director of Security Strategy