G Data Presentation 2011 Redesign SK2

On detecting fakeAV online scanners
Sascha Schimmler
Ruhr-Universität Bochum
G Data
A typical fakeAV webpage
Different styles
Custom Designs
Daily attempted infections 2011
http://www.securelist.com/en/images/pictures/klblog/591.png
FakeAV incidents 2011/2012
Percentage of fakeAV incidents among potentially unwanted programs
A typical fakeAV webpage
Scoring generation
General analysis approach
Obfuscation

// Excerpt 1: the unobfuscated "scanner" routine of a fakeAV page. It only picks
// random file names from a fixed list; rand() and percent are not shown in the excerpt.
var files = new Array("boot.ini", "ntldr", "autoexec.bat",
    "config.sys", "atv01nt5.dll", "siint5.dll", "vchnt5.dll",
    "cdfs.sys", "sysaudio.sys", "usb8023.sys", "nmnt.sys",
    "bthmodem.sys", "usbport.sys", "dmio.sys",
    "dmboot.sys", "cxthsfs2.cty", "gm.dls", "parvdm.sys",
    "wmilib.sys", "icardie.dll", "inetmib1.dll", "ipxwan.dll",
    "dhcpmon.dll", "dmloader.dll", "dsound3d.dll");

var file_scanner = 'Now scanning: ' + files[rand(0, files.length-1)];
if(percent==100) file_scanner = 'Scan complete. 97 threats was found!';
Obfuscation

// Excerpt 2: a second layer on the same page. The real content is a base64 blob
// that is decoded, transformed with two numeric keys and written into the document.
var x1be = mqe8e51d.fq216c11(BASE64.decode('MDhhNTU1MjJjZmFkNG
MzNWQwYmM3MmY5YzliMDQyNTQ2MDE0YWNmMWZkNDQ
wZTAyMzJmMTRhNTgwYjA0YTkwMDBhODBlMDI4NzJkNDcxN
TYyMjMyMDhkYzYzYjM2YjQ4ZDQxYzRlZTQyMzlhYjE3YTNjZjA
wMjAxYzk5ZjQzMDE3NjI2ODI1YzI1MDU0MGZjY2RjMjczYzdjM
zI2YmQ1NzAzZTQxY2JhMWIyYmI3.......SNIP..........
FkMjJlMjI1ZTgzMGMwN2IwZGQ4MGZiMWUxZDNmNDg1ZGIx
Yjk3MWU0'), 60040549, 78751381);
z08992.write(x1be);
Obfuscation

// Excerpt 3: percent-encoded fragments stored in throw-away variables, concatenated
// and passed through unescape() before document.write(). The fragments are
// truncated on the slide.
var _9030454='%2f%61%64%69%6e%67%28%29%3b%4%28';
var _1433455='%2e%77%6e%64%2c%20%2e2e%61%6c%72';
var _9918456='%74%27%29%3b%69%66%2%62%65%66%6';
document.write(unescape( _000 + _5454 + _88421 + _98352 +
    _56963 + _63794 + _17075 + _86696467 + _1358468 ));
isObfuscated
• Entropy
• Longest word (>= X)
• N-gram
=> Only search within JavaScript
=> Not all kinds of obfuscation can be detected
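As an added illustration of the three isObfuscated features (entropy, longest word, n-grams) applied to JavaScript only, the Python below is example code written for this page, not the speaker's implementation. It adds a fourth feature, the share of the script made of %xx escapes, to catch the unescape() layer from the Obfuscation slides. The three samples, the small clean reference corpus for the n-gram feature and all thresholds are constructed assumptions. As the slide warns, a cheap encoder that keeps entropy low and words short still slips through these checks.

```python
import base64
import math
import re
from collections import Counter

# Constructed samples imitating the snippet types shown on the slides; none of
# them is copied from a real fakeAV page.
PLAIN_JS = """
var files = new Array("boot.ini", "ntldr", "autoexec.bat", "config.sys");
var file_scanner = 'Now scanning: ' + files[rand(0, files.length - 1)];
if (percent == 100) file_scanner = 'Scan complete. 97 threats was found!';
"""

# A deterministic blob (base64 of the bytes 0..255) standing in for an encoded payload.
BASE64_JS = (
    "var x1be = decoder.run(BASE64.decode('"
    + base64.b64encode(bytes(range(256))).decode()
    + "'), 60040549, 78751381);\nz08992.write(x1be);\n"
)

ESCAPED_JS = """
var _000 = '%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27';
var _5454 = '%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%27%29';
document.write(unescape(_000 + _5454));
"""

# Tiny reference corpus of unobfuscated JavaScript for the n-gram feature
# (constructed; a real deployment trains this on a large clean corpus).
REFERENCE_JS = """
var files = new Array("a.txt", "b.txt");
function show(msg) { document.getElementById("status").innerHTML = msg; }
for (var i = 0; i < files.length; i++) { show('Now scanning: ' + files[i]); }
if (percent == 100) { show('Scan complete.'); }
"""

# Thresholds are assumptions chosen for this example, not values from the talk.
THRESHOLDS = {
    "entropy": 5.5,          # bits per character; plain JS sits around 4.5-5.0
    "longest_word": 60,      # identifiers are short, encoded payloads are not
    "escape_density": 0.3,   # share of the script consisting of %xx escapes
    "ngram_novelty": 0.8,    # share of character trigrams never seen in clean JS
}


def extract_scripts(html):
    """Return the bodies of inline <script> tags; the heuristics run on JavaScript only."""
    return re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S)


def shannon_entropy(text):
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_word(text):
    """Length of the longest run of identifier/base64 characters."""
    return max((len(w) for w in re.findall(r"[A-Za-z0-9+/=_]+", text)), default=0)


def escape_density(text):
    """Fraction of the text made up of %xx escape sequences (unescape() payloads)."""
    if not text:
        return 0.0
    return 3 * len(re.findall(r"%[0-9a-fA-F]{2}", text)) / len(text)


def _trigrams(text):
    return [text[i:i + 3] for i in range(len(text) - 2)]


REFERENCE_TRIGRAMS = set(_trigrams(REFERENCE_JS))


def ngram_novelty(text):
    """Fraction of character trigrams that do not occur in the clean reference corpus."""
    grams = _trigrams(text)
    if not grams:
        return 0.0
    return sum(g not in REFERENCE_TRIGRAMS for g in grams) / len(grams)


def js_features(js):
    return {
        "entropy": shannon_entropy(js),
        "longest_word": longest_word(js),
        "escape_density": escape_density(js),
        "ngram_novelty": ngram_novelty(js),
    }


def is_obfuscated(js):
    """Return (verdict, features, names of the features that crossed their threshold)."""
    feats = js_features(js)
    flags = [name for name, limit in THRESHOLDS.items() if feats[name] >= limit]
    return bool(flags), feats, flags


def scan_page(html):
    """Flag a page if any of its inline scripts looks obfuscated."""
    results = [is_obfuscated(js) for js in extract_scripts(html)]
    return any(r[0] for r in results), results


if __name__ == "__main__":
    for name, js in (("plain", PLAIN_JS), ("base64", BASE64_JS), ("escaped", ESCAPED_JS)):
        verdict, feats, flags = is_obfuscated(js)
        print(f"{name:8s} obfuscated={verdict} flags={flags}")
```

The plain scanner routine trips none of the four features, the base64 blob trips the longest-word and n-gram features, and the percent-encoded fragments trip escape density even though their entropy is low; the features therefore complement each other rather than duplicating one signal.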
Dynamic analysis
• Thug, low-interaction honeyclient from the Honeynet Project
• DOM (almost) compliant with the W3C DOM Core and HTML specifications (Level 1, 2 and partially 3) and partially compliant with the W3C DOM Events and Style specifications
• Google V8 JavaScript engine wrapped through PyV8
• Vulnerability modules (ActiveX controls, core browser functionalities, browser plugins)
• Currently 6 IE personalities supported
• (still) some problems with jQuery
Static analysis
• Phrase and CSS search is trivial
• Aggregation and evaluation of the information is not

• BeautifulSoup
• Additional regex for non-standard methods
• Compare pictures against a fakeAV picture set
• Calculate final scoring value
String search
• Search for phrases instead of single "meaningful" strings!
http://www.spiele-offensive.de/gfx/anti_virus_logik.jpg
Preliminary summary
• FakeAV webpages do have characteristic features
  • Phrases
  • Images
  • CSS elements
• The combination of these properties is meaningful for deciding whether a page is fakeAV or not
• Fewer than 8 different types of webpages were found
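An added, self-contained sketch of the static-analysis scoring described on the preceding slides (phrase search over the parsed page, CSS element markers, image count, combined score). It is example code for this page, not the presenter's tool. It uses Python's standard-library html.parser where the talk used BeautifulSoup, and the "additional regex for non-standard methods" is reduced to searching phrases inside script string literals that only reach the page through document.write(). The image comparison against a fakeAV picture set is left out because it needs an image library. The phrase list, CSS markers, weights, cut-off and both sample pages are constructed assumptions; only the 30-image cut reflects the image counts reported in this talk.

```python
import re
from html.parser import HTMLParser

# Multi-word phrases typical of fakeAV "online scanner" pages. Constructed list
# for this example; the slides say such phrases exist but do not list them.
FAKEAV_PHRASES = [
    "your computer is infected",
    "threats were found",
    "scan complete",
    "remove all threats",
    "windows security alert",
]

# id/class values and CSS selectors that mimic a desktop scanner window
# (constructed markers, not the presentation's own list).
CSS_MARKER = re.compile(r"progress|scan|infect|threat", re.I)

# Scoring weights and cut-off are assumptions for this example.
PHRASE_WEIGHT = 2.0
CSS_WEIGHT = 1.0
CSS_CAP = 3
MANY_IMAGES = 30          # the talk found no fakeAV page with more than 30 images
MANY_IMAGES_PENALTY = 2.0
THRESHOLD = 4.0


class PageFeatures(HTMLParser):
    """Collect visible text, script bodies, image count and CSS marker hits from a page."""

    def __init__(self):
        super().__init__()
        self.text, self.scripts = [], []
        self.images = 0
        self.css_hits = 0
        self._mode = None  # "script", "style" or None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "img":
            self.images += 1
        if tag in ("script", "style"):
            self._mode = tag
        for key in ("id", "class"):
            if CSS_MARKER.search(attrs.get(key, "")):
                self.css_hits += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._mode = None

    def handle_data(self, data):
        if self._mode == "script":
            self.scripts.append(data)
        elif self._mode == "style":
            self.css_hits += len(CSS_MARKER.findall(data))
        else:
            self.text.append(data)


def _normalise(chunks):
    return re.sub(r"\s+", " ", " ".join(chunks)).lower()


def score_page(html):
    """Return the feature counts and a fakeAV verdict for one HTML document."""
    p = PageFeatures()
    p.feed(html)
    p.close()
    visible = _normalise(p.text)
    # Non-standard rendering: phrases hidden in string literals that only reach
    # the DOM through document.write() are searched in the raw script text.
    scripted = _normalise(p.scripts)
    phrases = [ph for ph in FAKEAV_PHRASES if ph in visible or ph in scripted]
    score = (PHRASE_WEIGHT * len(phrases)
             + CSS_WEIGHT * min(p.css_hits, CSS_CAP)
             - (MANY_IMAGES_PENALTY if p.images > MANY_IMAGES else 0.0))
    return {"phrases": phrases, "css_hits": p.css_hits, "images": p.images,
            "score": score, "is_fakeav": score >= THRESHOLD}


# Constructed sample pages (not real fakeAV content).
FAKEAV_HTML = """<html><head><title>Online Antivirus Scanner</title>
<style>#progress { width: 0%; background: #0a0; } .threat-row { color: red; }</style>
</head><body class="scan-window">
<h1>Windows Security Alert</h1>
<p>Your computer is infected! Scanning system files...</p>
<div id="progress"></div>
<img src="shield.png"><img src="hdd.png">
<script>document.write('Scan complete. 97 threats were found!');</script>
<button class="remove-btn">Remove all threats</button>
</body></html>"""

BENIGN_HTML = ("<html><head><title>Lab report: antivirus round-up</title></head>"
               "<body><div class=\"article-scan\"><p>We tested twelve antivirus products; "
               "no test machine was infected.</p>"
               + "".join(f'<img src="p{i}.jpg">' for i in range(35))
               + "</div></body></html>")

if __name__ == "__main__":
    for name, page in (("fakeav", FAKEAV_HTML), ("benign", BENIGN_HTML)):
        print(name, score_page(page))
```

The benign page mentions "antivirus" and "infected" as single words and carries one CSS marker, yet scores below the cut-off: phrase search, not keyword search, is what separates it from the fake scanner, and the image count pulls in the opposite direction for the two pages.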
Number of images per webpage
  All webpages:  3924 unique URLs, 1445 URLs with > 30 images
  FakeAV:         100 unique URLs,    0 URLs with > 30 images
Keywords per webpage
  All webpages:  3752 unique URLs,    0 URLs with > 3 keywords
  FakeAV:         100 unique URLs,    0 URLs with > 30
Problems
• Sprite images are not detected
• Thug is not able to handle some websites (e.g. those using jQuery)
• Obfuscation detection is limited
• Some fakeAV websites are only triggered with the correct referrer
• Image comparison is the bottleneck
Future work
• Improved image comparison algorithm
• More robust honeyclient
• Develop methods to detect fakeAV campaigns without external information support
Questions?