G Data Presentation 2011 Redesign SK2
Transcription

On detecting fakeAV online scanners
Sascha Schimmler, Ruhr-Universität Bochum / G Data

A typical fakeAV webpage
• Different styles
• Custom designs

Daily attempted infections 2011
(chart: http://www.securelist.com/en/images/pictures/klblog/591.png)

FakeAV incidents 2011/2012
(chart: percentage of fakeAV incidents among potentially unwanted programs)

A typical fakeAV webpage
(series of screenshots of fakeAV scanner pages; no transcribed text)

Scoring generation

General analysis approach
(diagram built up over several slides; no transcribed text)

Obfuscation
(slide built up in three steps: a plain fake "scanner" script, then a base64-encoded payload handed to a decoder, then URL-escaped fragments joined with unescape())

    var files = new Array("boot.ini", "ntldr", "autoexec.bat", "config.sys", "atv01nt5.dll",
        "siint5.dll", "vchnt5.dll", "cdfs.sys", "sysaudio.sys", "usb8023.sys", "nmnt.sys",
        "bthmodem.sys", "usbport.sys", "dmio.sys", "dmboot.sys", "cxthsfs2.cty", "gm.dls",
        "parvdm.sys", "wmilib.sys", "icardie.dll", "inetmib1.dll", "ipxwan.dll", "dhcpmon.dll",
        "dmloader.dll", "dsound3d.dll");
    var file_scanner = 'Now scanning: ' + files[ rand(0, files.length-1) ];
    if(percent==100) file_scanner = 'Scan complete. 97 threats was found!';

    var x1be = mqe8e51d.fq216c11(BASE64.decode('...SNIP...'), 60040549, 78751381);
    z08992.write(x1be);

    var_9030454=%2f%61%64%69%6e%67%28%29%3b%4%28;
    var_1433455=%2e%77%6e%64%2c%20%2e2e%61%6c%72';
    var_9918456=%74%27%29%3b%69%66%2%62%65%66%6';
    document.write(unescape( _000 + _5454 + _88421 + _98352 + _56963 + _63794 + _17075 + _86696467 + _1358468 ));

isObfuscated
• Entropy
• Longest word (>= X)
• Ngram
=> Only search within JavaScript
=> Not all kinds of obfuscation can be detected

Dynamic analysis
• Thug, low-interaction honeyclient from the Honeynet Project
• DOM (almost) compliant with W3C DOM Core and HTML specifications (Level 1, 2 and partially 3) and partially compliant with W3C DOM Events and Style specifications
• Google V8 JavaScript engine wrapped through PyV8
• Vulnerability modules (ActiveX controls, core browser functionalities, browser plugins)
• Currently 6 IE personalities supported
• (still) some problems with jQuery

Static analysis
• Phrase and CSS search is trivial
• Aggregation and evaluation of information is not
• BeautifulSoup
• Additional regex for non-standard methods
• Compare pictures against a fakeAV picture set
• Calculate final scoring value

String search
• Search for phrases instead of single "meaningful" strings!
(image: http://www.spiele-offensive.de/gfx/anti_virus_logik.jpg)

Preliminary summary
• FakeAV webpages do have characteristic features:
  • Phrases
  • Images
  • CSS elements
• The combination of these properties is meaningful for deciding whether a page is fakeAV or not
• Fewer than 8 different types of webpages were found

Feature      Page set        Unique URLs   URLs above threshold
Images       all webpages    3924          1445 with > 30 images
Images       fakeAV          100           0 with > 30 images
Keywords     all webpages    3752          0 with > 3
Keywords     fakeAV          100           0 with > 30

Problems
• Sprite images are not detected
• Thug is not able to handle some websites (e.g. jQuery)
• Obfuscation detection is limited
• Some fakeAV websites are only triggered with the correct referrer
• Image comparison is the bottleneck

Future work
• Improved image comparison algorithm
• More robust honeyclient
• Develop methods to detect fakeAV campaigns without external information support

Questions?
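The isObfuscated heuristics from the Obfuscation slide (entropy, longest word, n-gram), as an added Python example that is not part of the deck or of Thug. The n-gram test is replaced here by an escape-sequence density check, the thresholds are assumed values, and the three scripts are constructed samples modelled on the slide snippets.

```python
import base64
import math
import re
from collections import Counter

# Constructed samples modelled on the slide snippets, not copied from the deck:
# a plain fake "scanner" script, a %xx-escaped one and a base64-wrapped one.
PLAIN_JS = (
    'var files = new Array("boot.ini", "ntldr", "autoexec.bat", "config.sys");\n'
    "var file_scanner = 'Now scanning: ' + files[rand(0, files.length - 1)];\n"
    "if (percent == 100) file_scanner = 'Scan complete. 97 threats was found!';\n"
)
ESCAPED_JS = (  # the two literals decode to "Scan complete. 97 threats was found"
    "var _9030454 = '%53%63%61%6e%20%63%6f%6d%70%6c%65%74%65%2e%20';\n"
    "var _1433455 = '%39%37%20%74%68%72%65%61%74%73%20%77%61%73%20%66%6f%75%6e%64';\n"
    "document.write(unescape(_9030454 + _1433455));\n"
)
# Synthetic high-entropy payload standing in for the base64 blob snipped on the slide.
BASE64_JS = "var x1be = decode('%s');\ndocument.write(x1be);\n" % (
    base64.b64encode(bytes(range(256))).decode())

# Thresholds are assumptions; the slide only says "longest word (>= X)".
ENTROPY_MIN = 5.4       # bits per char over the whole script; base64 text sits near 6
LONGEST_WORD_MIN = 40   # hand-written JS rarely runs 40+ chars without whitespace
ESCAPE_RATIO_MIN = 0.2  # share of characters inside %xx, \xNN or \uNNNN escapes
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")

def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def longest_word(text):
    return max((len(tok) for tok in text.split()), default=0)

def escape_ratio(text):
    return sum(len(m) for m in ESCAPE_RE.findall(text)) / len(text) if text else 0.0

def is_obfuscated(js):
    """Feature values plus verdict: any one heuristic over its threshold flags the script.
    Minified libraries (jQuery) trip the longest-word test too, so apply it to inline
    scripts only and treat the verdict as one input to the page score, not a final answer."""
    f = {"entropy": shannon_entropy(js), "longest_word": longest_word(js),
         "escape_ratio": escape_ratio(js)}
    f["obfuscated"] = (f["entropy"] >= ENTROPY_MIN or f["longest_word"] >= LONGEST_WORD_MIN
                       or f["escape_ratio"] >= ESCAPE_RATIO_MIN)
    return f

if __name__ == "__main__":
    for name, js in ("plain", PLAIN_JS), ("escaped", ESCAPED_JS), ("base64", BASE64_JS):
        print(name, is_obfuscated(js))
```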