Week 7 - Web Security
95% of all malware (both enterprise and consumer) is delivered via the Internet.
The timeline of web-based malware delivery has changed rapidly in a short period. Originally, phishing attacks worked mainly through redirection to fake websites. As time went on, phishing became more sophisticated and browser-specific attacks became more common. Currently, many attacks stay within the browser and never write to disk, because a file written to disk is where anti-virus software would detect it. The image below shows a basic timeline of web-based malware.
source: lecture slides, Oregon State University CS373 Defense Against the Dark Arts
In terms of web attacks on Windows, there are several possible malware injection points. From the top layer down: de-obfuscated content (the final rendered content), at the browser and its extensions; JavaScript, at the script engine; HTML as a DOM tree, also at the browser and extensions; raw HTML, at WinInet and via ETW/ETL tracing; and HTTP, at an HTTP proxy and the network layer.
source: lecture slides, Oregon State University CS373 Defense Against the Dark Arts
User-level attacks are mostly based on social engineering. Users are considered the weak link, and an up-to-date browser or operating system will not help in this case. Common traits of these users include being lazy, impatient, click-happy ("clickaholic"), and convinced of their own omniscience. Attacks capitalize on these traits to direct users to malicious content such as executables, browser exploits, and malicious forms. Different types of user attacks include:
Phishing - a faux site that mimics a real site and tricks the user into believing it is real, so that they enter their credentials for the legitimate site, or that redirects them to a malicious site.
SEO (search engine optimization) poisoning - this involves identifying trending Internet search results and manipulating a malicious site's relevance to those trending searches so that the malicious site is among the top results when a user enters that search term. From there the malicious site can redirect to malicious content.
Fake anti-virus and fake updates - these target people trying to install legitimate AV software and updates; the attacks can mimic operating-system-level UI components and well-known security brands. Some deliver malware and some do nothing at all, but the user has already paid money believing it was a valid service.
WYSIWYG (what you see is what you get) - URL obfuscation can make an illegitimate URL look like the real one. This can be done with URL shortening services as well as homographic attacks (e.g. www.arnazon.com, note the aRNazon rather than aMazon).
Social media attacks - catfishing is one example, where a fake profile is created to befriend a person in order to gain information.
Malvertising - a malicious actor uses advertising networks as a delivery mechanism for malware.
Waterhole (watering hole) attacks - identify a forum or site that the target demographic frequents and try to poison that site. One example would be targeting StackOverflow, because many developers go there.
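The homographic trick in the WYSIWYG item above (arnazon vs amazon) can be caught mechanically by folding visually similar characters together before comparing a host name against a list of brands. The following is an added example written for these notes, not code from the lecture; the CONFUSABLES table and LEGIT_DOMAINS set are constructed for the illustration, and a production check would use the Unicode TR39 confusables data and the organisation's own brand list.

```python
# Added example (not from the lecture notes): flag host names that imitate a
# brand domain once look-alike characters are folded to a common "skeleton".
# CONFUSABLES and LEGIT_DOMAINS are constructed for this illustration.
import unicodedata

# Substitutions are applied longest-first, so "rn" is rewritten before a lone
# "r" or "n" would be considered. Cyrillic letters are written as escapes.
CONFUSABLES = {
    "rn": "m",        # arnazon -> amazon
    "vv": "w",        # vvikipedia -> wikipedia
    "cl": "d",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
    "8": "b",
    "\u0430": "a",    # Cyrillic small a
    "\u0435": "e",    # Cyrillic small ie
    "\u043e": "o",    # Cyrillic small o
    "\u0440": "p",    # Cyrillic small er
    "\u0441": "c",    # Cyrillic small es
}
_KEYS = sorted(CONFUSABLES, key=len, reverse=True)

LEGIT_DOMAINS = {"amazon.com", "paypal.com", "google.com"}  # constructed list


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so IDN homographs are compared by glyph."""
    host = host.lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass  # malformed punycode: fall back to comparing the raw label
    return host


def skeleton(host: str) -> str:
    """Fold a host name so that visually similar names collide."""
    s = unicodedata.normalize("NFKC", to_unicode_host(host))  # folds e.g. full-width
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents/marks
    out, i = [], 0
    while i < len(s):
        for k in _KEYS:
            if s.startswith(k, i):
                out.append(CONFUSABLES[k])
                i += len(k)
                break
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def is_lookalike(host: str):
    """Return the brand domain that `host` imitates, or None when `host` is the
    genuine domain or does not resemble any entry in LEGIT_DOMAINS."""
    h = to_unicode_host(host)
    if h.startswith("www."):
        h = h[4:]
    if h in LEGIT_DOMAINS:
        return None
    sk = skeleton(h)
    for legit in LEGIT_DOMAINS:
        if sk == skeleton(legit):
            return legit
    return None


if __name__ == "__main__":
    for h in ("www.arnazon.com", "paypa1.com", "g00gle.com", "amazon.com", "example.com"):
        print(f"{h:20} -> {is_lookalike(h)}")
```

The skeleton is applied to both sides of the comparison, so the table only has to be consistent, not complete; the genuine domain never flags itself because it is checked against the brand list before any folding. The same function can sit in a mail gateway or proxy as a cheap first-pass filter ahead of the reputation lookups mentioned below.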
How can all of these user attacks be defended against? URL and domain reputation systems can block illegitimate sites; site certification and signing of websites can help (although these can be faked fairly easily); and both content providers and end users can be educated.
Browser attacks are, understandably, based around the browser. Browsers have many built-in defenses, including security policy enforcement through a Same Origin Policy (covering the DOM, HTML, cookies, Flash, Java, etc.), URL scheme access rules, restrictions on redirection, and operating-system isolation/sandboxing.
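The Same Origin Policy named above is a comparison rule rather than a single feature, and cookies are the best-known place where that rule is not followed. The following is an added example written for these notes, not code from the lecture or from any browser: it models the (scheme, host, port) comparison a browser makes and, beside it, the domain-suffix rule cookies actually use. All URLs are constructed.

```python
# Added example (not from the lecture notes): the origin comparison behind the
# Same Origin Policy, beside the looser domain rule that governs cookies.
# The URLs and cookie domains used here are constructed for illustration.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url: str):
    """Return the (scheme, host, port) tuple the SOP compares. The default port
    is filled in so 'http://a.test' and 'http://a.test:80' are one origin;
    path, query and fragment play no part."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """True when a script loaded from `a` may read a document loaded from `b`."""
    return origin(a) == origin(b)


def cookie_visible(cookie_domain: str, url: str) -> bool:
    """Cookies do NOT follow the SOP: a cookie scoped to 'example.test' is sent
    to every host under that domain regardless of scheme or port. Only the
    domain-suffix rule is modelled; attributes such as Secure or Path are not."""
    host = origin(url)[1]
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)


if __name__ == "__main__":
    base = "http://shop.example.test/cart"
    for other in ("http://shop.example.test:80/checkout?x=1",
                  "https://shop.example.test/cart",
                  "http://shop.example.test:8080/",
                  "http://api.example.test/"):
        print(f"{other:42} same origin as {base}: {same_origin(base, other)}")
    print("cookie for example.test sent to https://api.example.test:8443/ :",
          cookie_visible("example.test", "https://api.example.test:8443/"))
```

The contrast is the point: a page on shop.example.test cannot read api.example.test's DOM, yet a cookie set for example.test reaches both hosts and every port on them. That gap between DOM isolation and shared state is the kind of "gray area" these notes return to under same-origin-policy attacks.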
How does a browser exploit happen? The browser downloads, renders, and executes malicious web content that targets vulnerabilities in the browser. This is usually a multi-step process: the user visits a malicious site, the browser is exploited, and then the actual payload is downloaded and executed.
Content/script obfuscation is one technique used in browser exploits: the content may be encrypted or delivered in a different encoding so that it is not recognised before the browser decodes and runs it.
Man-in-the-middle attack - intercepts and modifies traffic, inserting manipulated traffic during the transfer.
Man-in-the-browser attack - the same idea as a man-in-the-middle attack, except that the interception happens within the browser.
DNS spoofing/DNS cache poisoning - the ISP's DNS cache is poisoned so that when the browser requests a legitimate domain, the ISP's resolver returns a malicious IP address. This is used for phishing and for exploit delivery.
Clickjacking/UI redressing - tricks the user into clicking a pre-determined link in a rendered HTML page. HTML frames and layers are used to confuse the user, and the malicious content is hidden behind legitimate content.
SQL injection - can be used to circumvent the normal operation of the database in order to get around authentication or authorization and reveal private data. There are many different types of SQL injection, including error-driven SQL injection, user-defined function injection, and blind injection.
Same origin policy attacks - browsers must keep unrelated resources isolated, but they must also allow for the modern web, where resources and APIs are commonly shared. These are competing goals, and attacks exploit the gray area between them.
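The SQL injection item above describes getting around authentication and mentions error-driven injection; both come down to user input being spliced into the text of a query. The following is an added example written for these notes, not code from the lecture: a login check built by string concatenation beside the parameterised form, run against an in-memory SQLite table constructed for the illustration. Passwords are stored in clear text only to keep the example short; a real system stores a salted hash.

```python
# Added example (not from the lecture notes): a login query vulnerable to SQL
# injection beside its parameterised form, plus a helper showing the error
# behaviour that error-driven injection relies on. The users table, the
# account and the crafted input are all constructed for this illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")  # constructed
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """User input is pasted into the SQL text, so a quote or comment marker in
    the input becomes part of the statement's grammar."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameter binding: the statement's structure is fixed before the values
    are supplied, so the input can only ever be compared as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def leaks_error(login, conn, username: str) -> bool:
    """True if a stray quote in the input makes `login` raise a database error.
    Error-driven injection depends on exactly this, and a burst of SQL syntax
    errors on a login endpoint is a cheap signal to alert on in logs."""
    try:
        login(conn, username, "x")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    crafted = "alice' --"   # constructed input: closes the quote, comments out the rest
    print("vulnerable accepts crafted name:", login_vulnerable(db, crafted, "wrong"))
    print("parameterised accepts it:       ", login_safe(db, crafted, "wrong"))
    print("vulnerable errors on O'Brien:   ", leaks_error(login_vulnerable, db, "o'brien"))
    print("parameterised errors on O'Brien:", leaks_error(login_safe, db, "o'brien"))
```

Note that the parameterised version handles the legitimate apostrophe in a name such as O'Brien correctly as well; the fix is not input filtering but keeping data and query structure on separate channels, which is why it also closes off the blind variant the notes mention.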
There are various tools that can help determine whether a website is malicious. They include:
Alexa - a tool used to determine a site's general popularity and prevalence; it is domain based, not URL based
archive.org - useful for determining how a site has changed over time
IPVoid - used to check an IP address against a large collection of IP blacklists
Site Dossier - provides general information about the site, such as its IP, its DNS servers, the inbound line, and the parent
Webutation - a URL reputation clearinghouse
Web Inspector - input a URL and this tool will scan it and provide a list of recent malicious sites
Virus Total - an aggregate search service for scanning files for malware