Introducing The Malware Script Detector (MSD) By d0ubl3_h3lix http ://yehg.net Tue Feb 19 2008
Transcript
Page 1: Introducing Msd

Introducing The Malware Script Detector (MSD)

By d0ubl3_h3lix, http://yehg.net

Tue Feb 19 2008

Page 2: Introducing Msd

Agenda

• Counter Strategy
• Overview
• XSS Coverage
• Versioning Info
• Standalone MSD
• Detection Screenshots
• Why MSD?
• Weaknesses

Page 3: Introducing Msd

Counter Strategy

• Using the power of JavaScript, the Malware Script Detector detects JavaScript malware that itself relies on the power of JavaScript: the detector runs in the same browser, with the same view of the page and URL, as the attack script it is looking for.

Page 4: Introducing Msd

Overview

• Runs on Gecko browsers (Firefox, Flock, Netscape, etc.)
• Requires the GreaseMonkey add-on
• Acts as a browser-side IDS
• Intended for web client security
• Recommended for every web surfer
• Don't underestimate MSD because of its very simple source code

Page 5: Introducing Msd

Overview (Cont.)

• Coded mainly to detect today's popular and powerful malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF
• Version 2 was enhanced to prevent most XSS threats and includes XSS attack blacklists based on the Firefox XSS-Warning add-on

Page 6: Introducing Msd

XSS Coverage

MSD was coded to detect the following XSS exploitation areas:

• data: protocol exploitation, e.g. data:image/gif, data:text/javascript, data:text/html
• jar: protocol exploitation
• file: protocol exploitation by locally saved malicious web pages

Page 7: Introducing Msd

XSS Coverage

• Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, telnet:, res:, x-gadget: (MS Vista), call (VoIP), aim:, etc.
• Unicode injection
• UTF-7, null-byte (\00) and backslash injection (u\r\l), comment injection with star slash (/* */), escape-sequence injection such as \u00.. and \x00.., etc.

Page 8: Introducing Msd

XSS Coverage

• MSD was thoroughly tested with:
  - RSnake's XSS Cheat Sheet
  - XSS-ME add-on attack list
  - Dabbledb.com's Xssdb list
  - CAL9000 XSS list

Page 9: Introducing Msd

Versioning Info

GreaseMonkey Version

• Main objective: alert users to XSS attacks
• Must be installed by users
• Requires a Gecko browser + the GreaseMonkey add-on
• Version 1: detects malware scripts
• Version 2: detects malware scripts + prevailing XSS

Page 10: Introducing Msd

Versioning Info

Standalone Version

• Main objective: alert both users and the webmaster to XSS attacks
• Must be deployed by web developers
• Browser-independent
• Does not depend on users having the GreaseMonkey version installed
• Version 1: detects malware scripts + prevailing XSS

Page 11: Introducing Msd

Standalone MSD

• The standalone version was created as a single .js file for web developers
• To embed in their footer files
• To notify both visitors and webmasters of XSS injection attempts and attacks
• Browser-independent, unlike the GreaseMonkey script version
• Intended for web application security as a portable, lightweight solution
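The block below is an added example, written for this page and not MSD's own code nor anything published at yehg.net. It covers two slides at once: the XSS Coverage list (dangerous protocol handlers, percent and entity decoding, null-byte, backslash, comment and \u00/\x00 escape splitting, the UTF-7 encoding of "<") and the Standalone MSD design (a footer script that alerts the visitor and beacons a report to the webmaster). The indicator list, the normalisation steps, the /msd-report endpoint and the names scanUrl, scanDocument, buildReport and runStandalone are my assumptions, not taken from MSD.

```javascript
// Added example (not MSD's own code): an MSD-style client-side XSS detector with a
// standalone-version reporting hook. Indicator list, normalisation steps and the
// /msd-report endpoint are illustrative assumptions, not taken from the slides.

// Protocol handlers the XSS Coverage slides name as exploitation vectors. A real
// deployment would trim this list (ftp: in particular) to keep false alerts down.
const DANGEROUS_SCHEMES = [
  'javascript', 'data', 'jar', 'file', 'vbscript', 'livescript', 'mocha',
  'ftp', 'telnet', 'res', 'x-gadget', 'call', 'aim',
];

// Safe code-point conversion: out-of-range values from a crafted &#...; are dropped.
const cp = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');

// Canonicalise a suspicious string so the indicator regexes see roughly what the
// browser would execute, undoing the evasions listed on the slides.
function normalize(input) {
  let s = String(input);
  // Percent-decoding, repeated to defeat double encoding (%253C -> %3C -> <).
  for (let i = 0; i < 3; i++) {
    let decoded;
    try { decoded = decodeURIComponent(s); } catch (e) { break; }
    if (decoded === s) break;
    s = decoded;
  }
  // Numeric HTML entities used inside injected attributes (&#60; and &#x3c; are '<').
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)));
  s = s.replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)));
  // JavaScript escapes (the \u00.. and \x00.. injection on the slides).
  s = s.replace(/\\u([0-9a-f]{4})/gi, (_, h) => cp(parseInt(h, 16)));
  s = s.replace(/\\x([0-9a-f]{2})/gi, (_, h) => cp(parseInt(h, 16)));
  // Null bytes and other control characters (%00 / \00) that parsers silently skip.
  s = s.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, '');
  // Comment splitting (java/**/script) and backslash splitting (u\r\l).
  s = s.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\\/g, '');
  // Whitespace splitting of keywords (jav\tascript:) and case folding.
  return s.replace(/\s+/g, '').toLowerCase();
}

// Indicators checked against the normalised text. Each yields at most one finding.
const INDICATORS = [
  { name: 'script-tag', re: /<\/?script/ },
  { name: 'event-handler', re: /on(?:error|load|click|mouseover|focus|blur|submit|keydown)=/ },
  { name: 'hash-loader', re: /eval\(|location\.hash|settimeout\(/ },
  { name: 'dangerous-scheme', re: new RegExp('(?:^|[^a-z])(?:' + DANGEROUS_SCHEMES.join('|') + '):') },
  { name: 'utf7-lt', re: /\+adw-/ }, // "+ADw-" is '<' in UTF-7
];

function scanString(text, location) {
  const norm = normalize(text);
  const findings = [];
  for (const ind of INDICATORS) {
    const m = ind.re.exec(norm);
    if (m) findings.push({ location, indicator: ind.name, evidence: norm.slice(m.index, m.index + 60) });
  }
  return findings;
}

// Scan the page URL: the query string and, crucially, the fragment, which is where
// the "Why MSD?" payload lives and which never reaches the server.
function scanUrl(href) {
  const s = String(href);
  const hashAt = s.indexOf('#');
  const fragment = hashAt >= 0 ? s.slice(hashAt + 1) : '';
  const base = hashAt >= 0 ? s.slice(0, hashAt) : s;
  const qAt = base.indexOf('?');
  const query = qAt >= 0 ? base.slice(qAt + 1) : '';
  return scanString(query, 'query').concat(scanString(fragment, 'fragment'));
}

// Scan URL-bearing attributes already in the DOM (data:, jar:, javascript: sources
// planted by an injected or backdoored page). `doc` is anything with querySelectorAll.
function scanDocument(doc) {
  const findings = [];
  for (const el of doc.querySelectorAll('[href],[src],[action],[formaction]')) {
    for (const attr of ['href', 'src', 'action', 'formaction']) {
      const value = el.getAttribute(attr);
      if (value) findings.push(...scanString(value, '<' + el.tagName.toLowerCase() + ' ' + attr + '>'));
    }
  }
  return findings;
}

// Build the webmaster notification. Everything attacker-controlled is length-capped
// and percent-encoded; the receiving endpoint must still treat it as untrusted
// input (it is, after all, an XSS payload) and never echo it unescaped.
function buildReport(findings, pageUrl, endpoint) {
  const hits = findings.slice(0, 5).map((f) => f.location + ':' + f.indicator).join(',');
  const evidence = findings.length ? findings[0].evidence.slice(0, 120) : '';
  return (endpoint || '/msd-report')
    + '?page=' + encodeURIComponent(String(pageUrl).slice(0, 512))
    + '&hits=' + encodeURIComponent(hits)
    + '&evidence=' + encodeURIComponent(evidence);
}

// Standalone-version entry point: alert the visitor and beacon the webmaster.
// `win` is passed in so the logic can be exercised outside a browser.
function runStandalone(win) {
  const findings = scanUrl(win.location.href).concat(scanDocument(win.document));
  if (findings.length > 0) {
    win.alert('MSD: possible XSS attempt detected (' + findings.length + ' indicator(s))');
    // An image request needs no XHR/CORS setup and works in every browser.
    const beacon = new win.Image();
    beacon.src = buildReport(findings, win.location.href);
  }
  return findings;
}

// When embedded in a page footer, run once the DOM is complete.
if (typeof window !== 'undefined' && window.document) {
  window.addEventListener('DOMContentLoaded', () => runStandalone(window));
}
```

In a browser the footer hook fires on DOMContentLoaded; outside one, the functions can be driven with a fake window object carrying location, document, alert and Image. Like MSD this is a blacklist: the Weaknesses slide (no POST or cookie inspection, bypasses, false alerts from aggressive filtering) applies to it exactly as to the original.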

Page 12: Introducing Msd
Page 13: Introducing Msd

Detection Screenshots

Page 14: Introducing Msd

Why MSD?

• XSS payloads like:

  http://victim/?q="><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…..etc

  The reflected part in the query string is only a small loader; the real payload is carried after the # in the URL fragment, which the loader reads back through location.hash and evaluates.

Page 15: Introducing Msd

Why MSD? (Cont.)

• Are not detected by a web server-level firewall/IDS/IPS

• Because the code is executed entirely in the client's browser: the fragment after # is never sent to the server, so server-side inspection sees at most the loader and never the payload itself
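The following added example (mine, not from the slides or from MSD) makes the point concrete for the URL shape on the previous slide: what a server-side firewall, IDS or access log receives versus what the browser, and therefore an MSD-style check running in it, can see. The two URLs, the signature regexes and the helper names requestTarget, fragment, accessLogLine, serverSideMatch and clientSideMatch are constructed for illustration; no request is actually sent.

```javascript
// Added example (not MSD's own code): server-side visibility of an XSS URL whose
// payload rides in the fragment. The URLs below are constructed for illustration.

// The "Why MSD?" shape: a reflected loader in the query, the real payload after '#'.
const ATTACK_URL = 'http://victim/?q=%22%3E%3Cscript%3Eeval(location.hash.substr(1))%3C/script%3E'
  + '#alert(document.cookie)';
// DOM-based variant: the page already evaluates location.hash itself, so the query is clean.
const DOM_ATTACK_URL = 'http://victim/page#alert(document.cookie)';

// RFC 3986: the fragment is never part of the request-target. This is all the
// server, its access log and a server-side WAF/IDS/IPS get to see of the URL.
function requestTarget(href) {
  const withoutFragment = String(href).split('#')[0];
  const m = /^[a-z][a-z0-9+.-]*:\/\/[^/?]*(.*)$/i.exec(withoutFragment);
  return m ? (m[1] || '/') : withoutFragment;
}

// The fragment, which only the browser holds (location.hash) and which the injected
// loader eval()s.
function fragment(href) {
  const s = String(href);
  const i = s.indexOf('#');
  return i < 0 ? '' : s.slice(i + 1);
}

// Request line as it would appear in an Apache-style access log (constructed).
function accessLogLine(href) {
  return 'GET ' + requestTarget(href) + ' HTTP/1.1';
}

// Percent-decode without throwing on malformed input.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// A signature check of the kind a WAF rule performs, over the request-target only.
function serverSideMatch(href, signature) {
  return signature.test(safeDecode(requestTarget(href)));
}

// The same signature applied in the browser, where the whole URL including the
// fragment is visible. This is the vantage point MSD has.
function clientSideMatch(href, signature) {
  return signature.test(safeDecode(String(href)));
}
```

For the slide's URL the loader (the <script> tag in the query) is still visible server-side, so a signature on it can fire there; the payload is not. For the DOM-based variant nothing at all reaches the server beyond "/page", which is the case the slides' client-side argument rests on.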

Page 16: Introducing Msd

Why MSD? (Cont.)

• Malicious sites intentionally embed malicious JavaScript attack frameworks

• Bad guys 0wn web server boxes and secretly install those attack frameworks as web backdoors or trojans to abuse users

Page 17: Introducing Msd

Why MSD? (Cont.)

• There is no way to detect such malware scripts unless we inspect the HTML source

• Disabling JavaScript, using NoScript or a VMware sandbox, or always checking the source are not practical solutions in most cases

• Given the above scenarios, MSD is a good solution for us

Page 18: Introducing Msd

Oh, But …

Page 19: Introducing Msd

Weaknesses

• Doesn't check POST or cookie variables

• No guarantee of full protection against XSS
• Many ways to bypass MSD
• XSS filtering needs to be updated regularly, and extensive filtering may cause false alerts and considerable annoyance to users

Page 20: Introducing Msd

Where can I get it? Check under the Tools section: http://yehg.net/lab/#tools.greasemonkey

If you wish to contribute, there is a smoketest page.

Insert your own XSS payload to defeat MSD.

Notify me whenever new attack frameworks are created.

Page 21: Introducing Msd

Special Thanks

Goes to

Mario, http://php-ids.org
Secgeek, http://www.secgeeks.com
Andres Riancho, http://w3af.sf.net

For encouragements and suggestions

Page 22: Introducing Msd

Reference

• XSS Attacks & Defenses by PDP, RSnake, Jeremiah, Anton Rager, Seth Fogie; Syngress Publishing; ISBN-13: 978-1-59749-154-9

Page 23: Introducing Msd

Thank you!
