ISSA Journal Paper - JavaScript Infection Model
2 likes•1,937 views
This document discusses how advancements in Web 2.0 technologies have created security threats to the World Wide Web. It focuses on the negative exploitation of JavaScript, which is heavily used by malware writers to spread infections online. The document describes the JavaScript Infection Model (JIM), which outlines the typical methods used by attackers to inject malware onto websites. These include using an attacker-controlled domain to host malware, exploiting vulnerabilities to inject malicious JavaScript onto legitimate sites, and using JavaScript's abilities to conduct stealth attacks and spread the infection across multiple domains.
ISSA Journal Paper - JavaScript Infection Model
- 1. PreemInent truSted GlobAl ISSA ISSA Journal | November 2010 InformAtIon SecurIty communIty JavaScript Infection model By Aditya K Sood and Richard J. Enbody Advancements in Web 2.0 technologies have enhanced Internet functionality but at the same time have created numerous threats to the World Wide Web. this paper talks about the negative nature of JavaScript, which is exploited heavily by malware writers to spread infections throughout the online world. Abstract creasing4 in spite of versatile functions. These new technolo- gies have made the Web flexible and robust by allowing the Advancements in Web 2.0 technologies have enhanced In- inclusion of content from third-party sites and sending con- ternet functionality but at the same time have created nu- tent to other domains. In reality, data from the third parties merous threats to the World Wide Web. The biggest issue the cannot be verified against presence of potential malware. As online world is grappling with is web malware, which is an a result malware can accompany the data back into the parent outcome of intensive exploitation of web vulnerabilities. This website without restriction and continue spreading across the paper talks about the negative nature of JavaScript, which Web. Security considerations have to be undertaken in the is exploited heavily by malware writers to spread infections best possible manner to combat web exploitation. throughout the online world. new technologies exploitation Shift With the advent of new technologies, the sphere of attack sur- T here is always an element of discrepancy present be- face vulnerability has widened. The Web is getting exposed tween current and upcoming technologies. With the to identity theft, exploitation, scams, phishing, redirection advent of powerful operating system protection mech- vulnerabilities, cross site scripting (XSS), and cross site re- anisms, the attack surface has shifted to web exploitation vec- quest forgery (CSRF).5 CSRF, for example, is a type of attack tors because memory exploitation is becoming tougher for in which HTTP requests are sent in a stealth manner with- the attackers. Technologies such as Microsoft Data Execution out the knowledge of user. This type of attack allows the at- Protection (DEP),1 Address Space Layout Randomization tacker to execute commands and requests on user’s behalf. (ASLR),2 and GS cookies3 have circumvented the attack and The inherent vulnerabilities in web applications are exploited exploitation of system-level vulnerabilities. The use of string by various application injections such as PHP, ASP, LDAP, functions is completely isolated from systems as they are con- SQL, and DOM (Document Object Model).6 The injections sidered as a base for buffer overflow attacks. Exploitation has are widely used to manipulate the content, steal informa- shifted from system vulnerabilities to web vulnerabilities. tion, and spread malware. One step ahead is HTTP Protocol The attack landscape of the Web has a panorama of exploita- manipulation comprising of attack type Response Splitting,7 tions that are proliferating day by day. With the rise of blogs, which bypasses browser protection mechanisms by split- wikis, atom feeds, RSS, and others, the insecurity level is in- ting the HTTP response from the server thereby fooling the browser to interpret two responses instead of one. 4 RSS Attacks, http://www.techspot.com/news/20098-increased-rss-malware-attacks- 1 Data Execution Prevention, http://support.microsoft.com/kb/875352. predicted.html. 2 Address Space Layout Randomization, http://blogs.technet.com/b/security/ 5 Cross Site Request Forgery, https://www.isecpartners.com/files/CSRF_Paper.pdf. archive/2006/05/26/430538.aspx. 6 DOM XSS, http://www.webappsec.org/projects/articles/071105.shtml. 3 GS, http://blogs.technet.com/b/srd/archive/2009/03/20/enhanced-gs-in-visual- 7 HTTP Response Splitting, http://www.securiteam.com/ studio-2010.aspx. securityreviews/5WP0E2KFGK.html. ©2010 Information Systems Security Association • www.issa.org • [email protected] • Permission for author use only. 31
- 2. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 The cropping up of Web 2.0 and AJAX with JSON (JavaS- cript Object Notation) has transformed the structure of Web. Primarily, AJAX is used to interact with a spe- cific set of events in a webpage through asynchronous JavaScript calls, which are usually scattered through- out the webpage. AJAX allows a number of events to be executed in a single page from different domains. Content validation is a big problem because content is fetched from various sources. Further, AJAX serializes all types of data elements into strings, which are used by programming interfaces such as ASP, ASP.NET, etc. Basically, serialization converts data into a stream. It also helps build dynamic scripts in a backend channel, passing information from third-party servers to the browser DOM for execution. These factors can be uti- lized collectively to misuse the AJAX technology8 and the techniques are proliferating in the wild. Numer- ous attacks can be initiated with new parameters and web technologies. The educational community, finan- cial institutions, banks, companies, etc., are all struc- tured over the Web. Browsers are interdependent on a number of components and sometimes it is hard to determine the impact of a vulnerability. Are we ready to handle such attacks? Are our defense mechanisms in- figure 1 – JavaScript Infection model genious enough to thwart Web 2.0 attacks through AJAX and applied policies? namic operations, which can be performed on the vulnerable websites and applications. Every browser uses JavaScript as a Web malware – real world scenario default scripting language and content is rendered without Web malware is infecting websites at a rapid pace. The rea- any notification because this scripting language is a working sons can be security negligence, unpatched vulnerabilities, standard in Web 2.0. That’s the main reason malware writers administration problems, etc., but the impact is growing use JavaScript to conduct stealth attacks by exploiting the in- exponentially. In the last few years, the security community built functionality of browsers. has detected an overwhelming increase in malware using Ja- It is always advisable to understand the benchmark of infec- vaScript.9 10 The malware problem, however, is not restricted tion strategies used by the attackers to launch extensive at- to one business entity but has encompassed all the spheres, tacks on the public websites or social networking environ- thereby resulting in loss of business and compromising the ments. The JavaScript Infection Model (JIM) reflects the stability and robustness of organizations. Dasient11 has pub- generic methods opted by the attackers to launch malware. lished stats which present the sphere of infection by web mal- The model itself clarifies the structure and basic thinking ware. Business is the most exploited entity because of the in- of the attacker to inject malware in the Web, thereby result- herent money element involved in it – there is money to steal. ing in large-scale infection. The overall model is presented in Figure 1. The following steps describe the model in detail. understanding the JavaScript Infection 1. Attacker controlled domain model The base is the attacker’s controlled domain, which hosts a JavaScript is one of the most susceptible scripting language number of malware/programs that are used for malicious used for malware infection by most of the attackers,12 espe- purposes. This step is undertaken to ensure that there is a cially since JavaScript is used extensively in websites and ap- centralized repository of JavaScript malware. The infection plications for accessing various HTML elements and objects vector can be a single website or a number of websites in the dynamically. JavaScript provides more robust control and dy- domain. The attacker’s controlled domain also has custom designed web spiders for collecting information from the 8 Malware using AJAX, http://blogs.securiteam.com/index.php/archives/734. Web. Attackers always look for vulnerabilities in websites to 9 Growth in Web Malware, http://blog.dasient.com/2010/09/continued-growth-in- web-based-malware_9357.html. conduct injections so that malicious content can be included 10 Malware Stats, http://wam.dasient.com/wam/infection_library_index. into the victimized websites. 11 Dasient, http://blog.dasient.com/2010/09/continued-growth-in-web-based- malware_9357.html. 2. Detecting blacklisted and vulnerable websites 12 JavaScript opens doors to browser-based attacks, http://news.cnet.com/JavaScript- The second step is to scrutinize vulnerable websites and do- opens-doors-to-browser-based-attacks/2100-7349_3-6099891.html. mains which possess inherent application vulnerabilities that ©2010 Information Systems Security Association • www.issa.org • [email protected] • Permission for author use only. 32
- 3. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 can be exploited to spread malware. As most malware spread- ing attacks are automated, an attacker should have the infor- Spreading malware: JavaScript functionality mation of blacklisted websites in order to make the malware JavaScript is used extensively in spreading malware13 due to attacks more successful. Automated spiders accumulate in- its inherent nature to provide direct access to browser com- formation about a domain. This is a very important step from ponents. A JavaScript infection pattern is followed by most malware writer’s perspective because if the website is black- malware whether system-resident or web-based to hide the listed, it gives an indication of the fact that most browsers objects used for infection. The concept of hidden infection is will not visit that website. As a result, it hampers the malware not new but is used in a randomized manner. This is a very infections through JavaScript. This information required by effective technique to launch malware attacks in a stealthy the attacker depends on the capability of that spider. As one manner to exploit the user parlance to understand what is knows the Web is an open forest: there is no stringency in happening at the backend. There are definitive methods that accessing the front end of websites directly because it is the are used incessantly by web malware to infect victim ma- Web’s default nature until and unless custom security con- chines. Let’s have a look at the hidden structure which is used trols are implemented. intensively. 3. Designing attack vector remote scripting with hidden iframes After detecting the blacklisted domains, the crawlers push The HTTP specification allows the effective use of <iframe> the information back to the attacker’s controlled domain in a substantial manner to embed one webpage into another for scrutinizing the contents. During this process malicious webpage, irrespective of the domain to which a page belongs, scripts are not injected into blacklisted domains; rather new and can be used in cross-domain context. This functionality sets of websites having vulnerabilities are used as an attack of iFrames is exploited by malware writers in order to infect point. The crawling process is repeated to find new domains systems. Since these are interactive in nature, it is possible having security vulnerabilities. The information can be to bypass Same Origin Policy (SOP) easily to launch cross- scanned in an automated manner or manually; it depends domain attacks if a certain set of vulnerabilities exist in the on the attacker’s strategy how the process will be carried out. base software or in web applications. SOP defines a control For example, user agent strings provide information about policy on scripts that are originating in a same domain to the type of browsers used and other custom software that access properties and objects on various webpages in that do- are used in line with the browsers. This indirectly helps the main. SOP applies restrictions on scripts in order to prevent attackers a lot in crafting an attack by exploiting web vul- access to HTML objects and properties of webpages on differ- nerabilities in the new domains. If we talk about the manual ent domains and websites. SOP is completely browser-based, ways, then the attacker himself can look into the vulnerable and due to inherent vulnerabilities14 in browsers it can be by- websites for latent vulnerabilities. Again, it depends upon the passed easily. This factor relates not only to the HTTP speci- attack vector, which requires a specific set of vulnerabilities fication but also to the browsers as to how effectively SOP is to be exploited for spreading malware. implemented. It also depends on the rendering engine when 4. Exploiting targets the objects are rendered and access is required by them to perform various functions. The information is further looked upon by matching the in- dexed vulnerabilities on the attacker’s domain to explore di- <iframe src=”http://www.malicious.com” width=”1” rect vulnerabilities that can be exploited. If not, the attacker height=”1” style=”visibility:hidden;position:absol tries to inject malicious iFrames in the context of the domain ute”></iframe> with the source pointing to malicious JavaScript hosted on <iframe src=” http://www.malicious.com” width=”0” the attacker’s domain or third-party infected domain. Once height=”0”></iframe> the JavaScript is injected, the code is changed as per require- The above presented iFrame code is used heavily in spreading ments to infect the systems in a versatile manner. Lastly, the malware. The beauty of this code is the fact that the iFrame attacker controls the vulnerable websites hosted on a domain becomes hidden and cannot be displayed on the infected and changes them into a malware spreading entities. The at- website. The hidden iFrame sends a request to malicious.com tacker’s surface becomes diversified when more victims fall for downloading malware or executing rogue JavaScript. into the trap. Malware writers exploit this functionality to a greater extent Many of the online tools used by malware writers primar- to serve malware by infecting websites with iFrames which ily test the weaknesses and entry points through which Ja- can be used to serve hidden malware through infected web- vaScript can be injected. Because JavaScript is dynamic and sites. It is also possible to update databases with malicious robust in its working on the Web, it is the preferential choice iFrames as stored elements to make iFrames persistent in na- of malware writers to conduct attacks and spread malware. 13 JavaScript Malware, http://www.darkreading.com/security/app-security/showArticle. jhtml?articleID=208803932. 14 Mozilla SOP bypass Vulnerability, http://securitytracker.com/alerts/2010/ Jul/1024228.html. ©2010 Information Systems Security Association • www.issa.org • [email protected] • Permission for author use only. 33
- 4. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 ture. This type of attack depends on the XSS vulnerability ity. Image objects a have “src” parameter and are pointed being present in the website, depending on the design of the to URLs that exploit the vulnerability in Firefox. JavaScript application and website which makes the XSS persistent or heap blocks constitute the shellcode with call and jmp in- reflective in nature. Nowadays, SQL-injection attacks have structions. The shellcode may result in downloading of mal- been used in conjunction with XSS to upload malicious iF- ware.18 rames into a database through a vulnerable website. The iFrames are passed as payloads in the form of hexadecimal obfuscation and hybrid codes strings,15 which get stored in the web database. It remains Code obfuscation is used at a very large scale for spreading persistent in the database and is retrieved when a website is- malware. The preferable scripting language is, of course, Ja- sues some database query. This tactic is used heavily in mass vaScript. But obfuscation is not restricted to only JavaScript SQL-injection attacks that spread malware through drive-by- and using only escape functionality and generic encoders. download attacks. Obfuscation is used extensively to make code hybrids now- adays. There can be a scenario in which two scripting lan- JavaScript heap spraying guages are used together. The malware spreading can be done The inherent software vulnerabilities that can be exploited very easily through hybrid codes because it becomes hard to through JavaScript heap spraying16 are also a major source of analyze the code which is encoded with custom encoder and malware infection. The browser-based exploits are used ex- using JavaScript functions to get downloaded into the sys- tensively to trigger malware infection on the client side. If a tem. For example, custom JavaScript decoders can be used to vulnerable version of the browser is running or there is pres- decode the JavaScript-related functions, but in order to deci- ence of vulnerable software, the malware writers try to ex- pher the payloads other extensive tools are required. PERL is ploit the vulnerability in order to execute custom shellcode. a good tool that is used in a wide manner to decode hybrid Heap spraying is a type of attack which exploits memory cor- codes to understand the actual payload which is exploiting ruption vulnerabilities through browsers without any has- the system. sles. The target is unsafe applications. The functional part is to create and allocate arbitrary objects in the heap by using Widgets a type-safe language. The objects used to fill heaps contain The Web 2.0 working model uses widgets at a very large scale. dangerous exploit codes to be run against the target system. Generally, these small chunks of code are used for enhanced Specific notions used for these types of exploits are men- functionality, primarily for advertisement purposes, includ- tioned below: ing content from third parties, notification alerts, etc. They are based on the concept of code reuse. Widgets are provided • Design a string which grows exponentially by concat- by the advertisement agencies, news portals, companies, etc., enating with itself to include content for the user website experience. The vendor • Keep string format as Unicode to avoid any type of offers widgets that can be added manually or automatically stringency in the code in the user websites or blogs, depending on the feasibility of • Exhaust the maximum length that is allowed by the environment. In order to accept data from third parties, the scripting engine widget provides a communication and content transfer inter- face between the parties. Once installed in the user website, it • Shellcode is placed at the end of the string opens the communication channel between the parent node • The set of code is copied over a large sum of arrays and the child node. JavaScript widgets are used heavily for which can control the execution infecting websites because the chunked code sits as HTML in • The attack surface is potentially created so that it can the parent page and follows the same hierarchy functions as have enough memory for exploitation the parent node.19 It means the code becomes in line with the main module and is executed as the webpage is loaded into • Heap blocks are considered to be on the same loca- the browser. Widgets may contain malware which redirects tions every time the website to a malware domain or starts downloading the The above mentioned steps are used to exploit the target malware executables into the system. So JavaScript code in through the browser. The security community has witnessed the form of widgets is used to spread malware through the exorbitant growth of these browser-based exploits in the re- Web thereby impacting the large sets of users who are using cent years.17 These attacks exploit the vulnerability in brows- that specific widget. The widgets can be uploaded to malware ers by manipulating the default heap using JavaScript, used domains or content delivery networks to follow the chain to create heap blocks within a particular memory range and process of infecting large number of websites. dynamic image objects generated to trigger the vulnerabil- 15 SQLXSSI Attacks, http://www.slideshare.net/adityaks/owasp-app-sec-us-2010. 18 Mozilla “Host: Heap Buffer Overflow Exploit,” http://www.exploit-db.com/ 16 Heap Spraying, http://www.blackhat.com/presentations/bh-europe-07/Sotirov/ exploits/1224. Presentation/bh-eu-07-sotirov-apr19.pdf. 19 Web Widget Infection, http://blog.dasient.com/2010/06/third-party-javascript- 17 IE Object Memory Corruption, http://www.exploit-db.com/exploits/930. widget.html. ©2010 Information Systems Security Association • www.issa.org • [email protected] • Permission for author use only. 34
- 5. JavaScript Infection model | Aditya K Sood and Richard J. Enbody ISSA Journal | November 2010 drive-by downloads designed search engine. If a victim uses that search portal to run a query, the resultant links are the most Drive-by Download20 is one of the most long-lived techniques vulnerable links and directed towards malicious web of spreading malware through JavaScript by forcing victims servers. This happens quite often. to download malware without their consent and knowledge. The malicious website usually hosts a number of hidden • Generation of advertisement pop ups in the system iFrames that point to the malicious program or malicious continuously. This can be a time-based logic to gen- Active X control. Essentially, the website forces the user’s erate a pop up after a requisite interval and running browser to install the plug-in directly on the system. How with the same behavior for a longer duration. does the drive-by download work? Let’s consider as generic The infection does not stop here as such. If a victim tries to case. The website offers a browser plug-in to install directly remove the required set of files, a cleanup link is also pro- into the context of system. There is a lot of functional dif- vided which further downloads another plug-in having well- ference between a normal plug-in and Program Loader Stub defined EULA and privacy restrictions. The attackers follow (PLS) which is installed as result of the plug-in. Program the same technique but the overall functional perspective is loader stub defines the nature of execution of plug-in. The different. It is kind of dual entrapment and the directed web- main function of program loader stub is to call functions in site looks like a cleaning solution vendor website, but typi- a hierarchical manner and synchronously. In general terms, cally it is fake. As a result, the victim is trapped again and the the PLS is responsible for calling API’s appropriately that are system gets infected with a different layout. used by plug-ins to download malware. The PLS loads each DLL that is required by the plug-in into the memory space. It conclusion fills in the structures in the import directory of the execut- Malware running rampant in the wild is an outcome of flaws able in the memory. If the DLL is not loaded in the memory, and vulnerabilities that exist in web applications and web- the PLS fails to load the malicious executable. The stub ac- sites that make up the Web. The same language tools are used tually downloads a lot of malicious content into the user’s for development AND exploitation. This paper has presented system by remaining silent and infecting the system at large JavaScript from the malicious infection point of view. In or- in a stealth manner. The plug-in offers fake information to der to defend against these web malware we have to design convince the user it is valid: a number of defenses and protections in the same pattern. 1. Fake certification and end user license agreements Since JavaScript is the major scripting language to add dy- (EULA) links aiming to exploit the user’s ability to namic functionality to webpages, the same is used for dy- make a decision about the software. namic generation of malware. So understanding the diverse nature of JavaScript, we can design protection mechanisms to 2. Incessant and rogue security warnings to exploit the combat its misuse and exploitation by malware writers. user’s inability to decide the working of software plug-in. About the Authors If the required plug-in is allowed to install in the system, a Aditya K Sood is a security researcher, con- stub is installed simultaneously, which further downloads a sultant, and Ph.D. candidate at Michigan number of programs without user consent. The installed pro- State University. He has worked in the se- grams infect the system as mentioned below: curity domain for Armorize, COSEINC, and KPMG and founded SecNiche Secu- • Infection at the folder level by placing malicious files. rity. He has been an active speaker at con- The malware programs follow the concept of cross ferences like RSA, TRISC, Hacker Halted, linking in which one malicious binary is interfaced ExCaliburCon, EuSecwest, XCON, OWASP AppSec, Security- with another malicious binary with randomized Byte, CERT-IN and has written content for HITB Ezine, Ha- names. This becomes hard for a normal user to detect kin9, Usenix Login.He may be reached at [email protected]. the real working of the binary present in the requisite program files folder. Dr. Richard Enbody is an Associate Profes- sor in the Department of Computer Science • Inserting malicious, e.g.,. porn website, links in the and Engineering, Michigan State Universi- browser bookmarks and shortcuts to be placed in the ty. He joined the faculty in 1987 after earn- program bars on the desktop that further links ma- ing his Ph.D. in Computer Science from licious website and malware programs respectively. the University of Minnesota. Richard’s The main criterion of this type of functionality is to research interests are in computer security, infect the generic places in the systems which are used computer architecture, web-based distance by the victims easily. education, and parallel processing. He has • It primarily hijacks the default browser links and web- two patents pending on hardware buffer-overflow protection, pages and points to a malicious website or custom- which will prevent most computer worms and viruses. He re- cently co-authored a CS1 Python book, The Practice of Comput- 20 Drive by Downloads, http://www.spywarewarrior.com/uiuc/dbd-anatomy.htm. ing using Python. He may be reached at [email protected]. ©2010 Information Systems Security Association • www.issa.org • [email protected] • Permission for author use only. 35