Introducing The Malware Script Detector MSD - PowerPoint PPT Presentation

1 / 23
About This Presentation
Title:

Introducing The Malware Script Detector MSD

Description:

Please don't underestimate MSD by looking its simplest source code. Overview (Cont. ... file: protocol exploitation by locally saved malicious web pages. XSS Coverage ... – PowerPoint PPT presentation

Number of Views:43
Avg rating:3.0/5.0
Slides: 24
Provided by: abc762
Category:

less

Transcript and Presenter's Notes

Title: Introducing The Malware Script Detector MSD


1
Introducing The Malware Script Detector(MSD)
  • By
  • d0ubl3_h3lix
  • http//yehg.netTue Feb 19 2008

2
Agenda
  • Counter Strategy
  • Overview
  • XSS Coverage
  • Versioning Info
  • Standalone MSD
  • Detection Screenshots
  • Why MSD?
  • Weaknesses

3
Counter Strategy
  • Using the Power of JavaScript,Malware Script
    Detector detects JavaScript Malwares which use
    the Power of JavaScript

4
Overview
  • Run on Gecko browsers (Firefox, Flock, Netscape,
    etc)
  • GreaseMonkey addon needed
  • Acted as Browser IDS
  • Intended for Web Client Security
  • Recommended for every web surfer
  • Please dont underestimate MSD by looking its
    simplest source code

5
Overview (Cont.)
  • Coded mainly to detect todays popular powerfully
    malicious JavaScript attack frameworks
    XSS-Proxy, XSS-Shell, AttackAPI, BeEF
  • Version 2 was enhanced to prevent most XSS
    threats and includes XSS Attack Blacklists based
    on Firefox XSS-Warning addon

6
XSS Coverage
  • MSD was coded to detect the following XSS
    exploitation areas
  • data protocol exploitation like -
    dataimage/gif - datatext/javascript -
    datatext/html
  • jar protocol exploitation
  • file protocol exploitation by locally saved
    malicious web pages

7
XSS Coverage
  • Other protocol exploitation such as vbscript,
    livescript, mocha, ftp, mocha, telnet, ftp,
    res, x-gadget(MS-Vista), call (VOIP), aim etc
  • unicode injection
  • utf-7,null-byte (\00), black slash injection
    (u\r\l), comments star slash injection (/
    /),injection like \u00, \x00....etc

8
XSS Coverage
  • MSD was thoroughly tested with
  • - RSnakes XSS CheatSheet - XSS-ME Addon
    Attack List
  • - Dabbledb.coms Xssdb list - CAL9000 XSS
    List

9
Versioning Info
  • GreaseMonkey Version
  • Main Objective Alert XSS Attacks to users
  • Must be Installed by users
  • Requires Gecko Browser GreaseMonkey Addon
  • Version 1 Detect Malware Scripts
  • Version 2 Detect Malware Scripts
  • Prevailing XSS

10
Versioning Info
  • Standalone Version
  • Main Objective Alert XSS Attacks to users
    webmaster
  • Must be Deployed by web developers
  • Browser-Independent
  • No Checking if users have GreaseMonkey version
  • Version 1 Detect Malware Scripts Prevailing
    XSS

11
Standalone MSD
  • Standalone version was created as single .js file
    for web developers
  • To embed in their footer files
  • To notify both visitors and webmasters of XSS
    injection attempts attacks
  • Browser-independent unlike GreaseMonkey Script
    version
  • Intended for web application security as a
    portable lightweight solution

12
(No Transcript)
13
Detection Screenshots
14
Why MSD?
  • XSS Payloads like
  • http//victim/?qgtltscriptgteval(location.hash.subs
    tr(1))lt/scriptgtxxxxxxxxxxxxxxxxxxxxxxMaliciousxxx
    xxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloa
    dsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxx..etc

15
Why MSD? (Cont.)
  • Never get DETECTED by Web Server-level
    Firewall/IDS/IPS
  • Because the code is Totally Executed at Clients
    Browser

16
Why MSD? (Cont.)
  • Malicious sites intentionally embed malicious
    JavaScript attack frameworks
  • Bad guys 0wn web server boxes, and secretly
    install those attack frameworks as web backdoors
    or trojans to abuse users

17
Why MSD? (Cont.)
  • No ways to detect such Malware scripts unless we
    check HTML source codes
  • Disabling JavaScript, Using NoScript/VMware,
    Always Checking source codes are not effective
    solutions for most cases
  • According to above scenarios,MSD becomes a nice
    solution for us

18
  • Oh, But

19
Weaknesses
  • Doesnt check POSTS/COOKIES variables
  • No guarantee for full protection of XSS
  • Many ways to bypass MSD
  • XSS Filtering needs to be updated regularly where
    extensive filtering may cause false alerts and
    much annoyance to users

20
Where Can I get it ?
  • Check Under Tools Sectionhttp//yehg.net/lab/
    tools.greasemonkey
  • If you wish to contribute, there is a
    smoketest
  • page.
  • Insert your own XSS payload to defeat MSD.
  • Notify me of whenever new Attack frameworks
    are created

21
Special Thanks
  • Goes to
  • Mario, http//php-ids.org
  • Secgeek, http//www.secgeeks.com
  • Andres Riancho, http//w3af.sf.net
  • For encouragements and suggestions

22
Reference
  • XSS Attacks Defenses by PDP, RSnake, Jeremiah,
    Aton Rager, Seth FogieSyngress
    PublishingISBN-13987-1-59749-154-9

23
  • Thank you!
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Introducing The Malware Script Detector MSD" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!