Attribution (CC BY)

Ryansecurity

Life is fun security story

The OWASP Top 10 2017 Release Candidate has been published. It is not final yet, but large changes before the final version look unlikely.
Compared with the 2013 version there are no major changes: two items were merged into one and two new items were added.

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Broken Access Control (As it was in 2004)
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Insufficient Attack Protection (NEW)
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Underprotected APIs (NEW)

Compared with the OWASP Top 10 2013 version, the changes are as follows.

1. Merged items
Insecure Direct Object References (2013 A4) and Missing Function Level Access Control (2013 A7) have been merged into 'Broken Access Control' (A4).
Broken Access Control already appeared as an item in the OWASP Top 10 2003/2004 editions.

2. Added items
Insufficient Attack Protection (A7)
Underprotected APIs (A10)
Two items were added.
1) Insufficient Attack Protection: the application lacks the ability to detect, respond to, and patch against both automated and manual attacks in a timely manner.
2) Underprotected APIs: the application's APIs (REST/JSON, SOAP/XML, public/open APIs consumed by browsers, mobile apps and third parties) are exposed with weak or missing authentication and access control.

3. Removed items
Unvalidated Redirects and Forwards (2013 A10) was dropped.
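As an added editor's example (not from the original post or from OWASP's material), here are the two failures merged into A4, Insecure Direct Object References and missing function-level access control, in a tiny in-memory request dispatcher, beside a hardened version that also rejects the unauthenticated API calls A10 is about. The users, roles, invoices and routes are made up for illustration.

```javascript
// Editor's example: object-level (IDOR) and function-level access control,
// vulnerable and hardened, plus the unauthenticated-API case (A10).
// All data, users, roles and routes below are constructed for illustration.

const invoices = new Map([
  [101, { id: 101, owner: 'alice', total: 120.0 }],
  [102, { id: 102, owner: 'bob', total: 75.5 }],
]);

const users = {
  alice: { name: 'alice', role: 'user' },
  bob: { name: 'bob', role: 'user' },
  carol: { name: 'carol', role: 'admin' },
};

const INVOICE_ROUTE = /^\/invoices\/(\d+)$/;
const USER_ROUTE = /^\/users\/(\w+)$/;

// Vulnerable: the caller may be identified, but is never authorized.
//  - GET /invoices/<id>   returns any invoice to anyone (IDOR)
//  - DELETE /users/<name> runs for any caller (missing function-level check)
function vulnerableHandle(req, user) {
  let m;
  if (req.method === 'GET' && (m = INVOICE_ROUTE.exec(req.path))) {
    const doc = invoices.get(Number(m[1]));
    return doc ? { status: 200, body: doc } : { status: 404 };
  }
  if (req.method === 'DELETE' && (m = USER_ROUTE.exec(req.path))) {
    return { status: 200, body: `deleted ${m[1]}` }; // `user` is never consulted
  }
  return { status: 404 };
}

// Hardened: authenticate every request, check ownership on every object,
// and gate privileged functions on role rather than on knowing the URL.
function hardenedHandle(req, user) {
  if (!user) return { status: 401 }; // A10: API call without credentials
  let m;
  if (req.method === 'GET' && (m = INVOICE_ROUTE.exec(req.path))) {
    const doc = invoices.get(Number(m[1]));
    // Answer 404 for "exists but not yours" as well, so a caller probing
    // ids cannot learn which ones exist.
    if (!doc || (doc.owner !== user.name && user.role !== 'admin')) {
      return { status: 404 };
    }
    return { status: 200, body: doc };
  }
  if (req.method === 'DELETE' && (m = USER_ROUTE.exec(req.path))) {
    if (user.role !== 'admin') return { status: 403 };
    return { status: 200, body: `deleted ${m[1]}` }; // simulated; nothing is mutated
  }
  return { status: 404 };
}

// Bob's invoice requested by Alice: served by the vulnerable handler,
// hidden by the hardened one.
const probe = { method: 'GET', path: '/invoices/102' };
console.log(vulnerableHandle(probe, users.alice).status, hardenedHandle(probe, users.alice).status);
```

The hardened handler deliberately returns 404 rather than 403 for an object the caller does not own; a 403 would confirm that the id exists and turn the endpoint into an enumeration oracle.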

The final version will tell, but the current RC does not look likely to change much.
The original text is available at the following link:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2017_Release_Candidate



Code Comparison: JavaScript vs. VBScript

Comments

JavaScript:
// This is a comment.
/* Multi-line
   comment. */

VBScript:
' This is a comment.
Rem So is this.  No multi-line comments.
Variables, Constants, and Arrays

JavaScript:
var x, y
var z = 10

// No way to force variables to be declared

// No constants (in classic JScript; ES2015 later added const)

var Vector = new Array(10)
var Names = new Array()

var Matrix = new Array(4)
for (var r = 0; r < 4; r++)
  Matrix[r] = new Array(5)   // each row must be allocated separately

Vector[9] = 1.5
Matrix[1][4] = 2

VBScript:
Dim x, y
Dim z           ' Can't assign on the same line
z = 10

' Force all vars to be declared before being used
' (must be the first statement in the script).
Option Explicit

Const PI = 3.14

Dim Vector(9)   ' 9 is the last index: 10 elements, 0..9
Dim Names()     ' dynamic array; size it with ReDim Names(n) before use

Dim Matrix(3, 4)   ' 4 rows x 5 columns, indices 0..3 and 0..4

Vector(9) = 1.5
Matrix(1, 4) = 2

Output

JavaScript:
str = " there!"
document.write("hello" + str)
document.writeln("good\nbye")

Response.Write(str)  // Server-side (ASP)
<%= str %>           // Another way

alert("message")     // Client-side

VBScript:
str = " there!"
document.write "hello" & str
document.writeln "good" & vbLf & "bye"   ' vbLf is "\n"; vbCrLf is "\r\n"

Response.Write str     ' Server-side (ASP)
<%= str %>             ' Another way

MsgBox "message"       ' Client-side
Functions

JavaScript:
function Add(a, b)
{
  return a + b
}

// Arguments are always passed by value. An object argument is a
// reference value, so a callee can modify the object's properties
// but cannot rebind the caller's variable.

sum = Add(1, 2)

VBScript:
Function Add(ByVal x, ByVal y)
  Add = x + y
End Function

Sub Add2(ByVal x, ByVal y, ByRef ans)
  ans = x + y
End Sub

sum = Add(1, 2)
Add2 1, 2, sum          ' No () for Sub params
Call Add2(1, 2, sum)    ' Alternate call
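To make the parameter-passing note above concrete, here is an added editor's example (not part of the handout) showing the three cases a JavaScript caller observes, and the out-object idiom that stands in for VBScript's ByRef parameter in Add2. Function and variable names are illustrative.

```javascript
// Editor's example: JavaScript passes every argument by value. For an
// object the value is a reference, so the callee can change the object's
// contents but not which object the caller's variable points to.

function incrementNumber(n) {
  n = n + 1;             // rebinds the local parameter only
  return n;
}

function rebindObject(o) {
  o = { value: 99 };     // rebinds the local parameter only; caller unaffected
  return o;
}

function mutateObject(o) {
  o.value = o.value + 1; // changes the shared object; the caller sees it
  return o;
}

// VBScript's "Sub Add2(ByVal x, ByVal y, ByRef ans)" has no direct
// equivalent; the usual JavaScript idiom is an out-object the callee fills in.
function add2(x, y, out) {
  out.value = x + y;
}

// Returns what the caller observes after each call.
function demo() {
  let n = 1;
  incrementNumber(n);      // n is still 1

  let a = { value: 1 };
  rebindObject(a);         // a.value is still 1

  let b = { value: 1 };
  mutateObject(b);         // b.value is now 2

  const sum = { value: 0 };
  add2(1, 2, sum);         // sum.value is 3, the analogue of: Add2 1, 2, sum

  return { n, aValue: a.value, bValue: b.value, sum: sum.value };
}

console.log(demo());
```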

Decisions

JavaScript:
if (score == 100)
  alert("Great!")

if (a == 1 || a == 5)
{
  vector[a] = b
  c = 1
}
else if (a == 2)
  b--
else
  b *= 2

switch(x)
{
  case 1: str = str + "end"
    break
  case 2:
  case 3: y = y * y * y
    break
  default: z = z / 2
}

VBScript:
If score = 100 Then _
  MsgBox "Great!"

If a = 1 Or a = 5 Then
  vector(a) = b
  c = 1
ElseIf a = 2 Then
  b = b - 1
Else
  b = b * 2
End If

Select Case x
  Case 1
    str = str & "end"
  Case 2, 3
    y = y ^ 3
  Case 4 To 10
    ' 4 <= x <= 10
  Case Is >= 25
    ' x >= 25
  Case Else   ' Default
    z = z \ 2   ' integer division; the JavaScript z / 2 keeps the fraction
End Select

Loops

JavaScript:
for (i = 1; i <= 5; i++)
  document.writeln(i)

for (c = 2; c <= 10; c += 2)
  a += c

for (var index in myArray)     // iterates property names (string keys), not values
  document.write(myArray[index])

while (a < 10)
  a++

do
  a++
while (a < 10)

VBScript:
For i = 1 To 5
  document.writeln i
Next

For c = 2 To 10 Step 2
  a = a + c
Next

Dim element
For Each element in myArray
  document.write element
Next

Do While a < 10
  a = a + 1
Loop

Do Until a = 10
  a = a + 1
Loop

Do
  a = a + 1
Loop While a < 10

Do
  a = a + 1
Loop Until a = 10


Arithmetic Operators

JavaScript:  + - * /   % (mod)
VBScript:    + - * /   \ (integer division)   Mod   ^ (raising to a power)

Relational Operators

JavaScript:  <  <=  >  >=  ==  !=   (also === and !== for strict comparison without type coercion)
VBScript:    <  <=  >  >=  =  <>

Logic Operators

JavaScript:  &&  ||  !
VBScript:    And  Not  Or  Xor   Eqv (equivalence)   Imp (implication)

Bitwise Operators

JavaScript:  &  ~  |  ^  <<  >>   (also >>> for an unsigned right shift)
VBScript:    And  Not  Or  Xor   (the same keywords applied to numbers; no shift left/right)
Strings

JavaScript:
var x
x = "HU"
x = x + " is great!"

VBScript:
Dim x
x = "HU"
x = x & " is great!"
VBScript String Functions

UCase, LCase
  Returns the string converted to uppercase/lowercase.
  x = UCase("Test") --> "TEST"

Len
  Returns the length of the string.
  length = Len("a") + Len(x) --> 1 + 4

Left, Right
  Returns the specified number of characters from the left-hand or right-hand end of the string.
  x = Left("Harding", 4) --> "Hard"

Mid
  Returns a substring starting at a 1-based position, optionally limited to a length.
  x = Mid("I love you.", 3, 4) --> "love"

LTrim, RTrim, Trim
  Returns a copy of the string with leading, trailing, or both leading and trailing spaces removed.
  x = LTrim("  <-trim->  ") --> "<-trim->  "
  x = Trim("  <-trim->  ") --> "<-trim->"

StrComp
  Compares two strings. Returns -1 if str1 < str2, 1 if str1 > str2, 0 if they are equal. The comparison is binary (case-sensitive) unless vbTextCompare is passed as the third argument.
  r = StrComp("HU", "ACU") --> 1

InStr
  Searches a string for a substring and returns its 1-based position if found, 0 if not found.
  r = InStr(1, "To be or not to be", "be") --> 4

Asc, AscW
  Asc returns the ANSI character code of the first character; AscW returns the Unicode code point.
  n = Asc("A") --> 65
  n = AscW("A") --> 65

Chr
  Returns the character for the given ANSI character code.
  c = Chr(65) --> "A"

Split
  Returns an array of substrings produced by splitting a string on a delimiter.
  myArray = Split("IxLovexVBScript!", "x")
  ' myArray(0) --> "I"
  ' myArray(1) --> "Love"
  ' myArray(2) --> "VBScript!"

StrReverse
  Returns the string reversed.
  x = StrReverse("VBScript") --> "tpircSBV"

The handout also lists three functions that exist in VBA but are not available in VBScript:

StrConv  (VBA only; in VBScript use UCase/LCase)
  Used primarily to change the case of letters in a string; can also do Unicode and other format conversions.
  x = StrConv("Test", vbUpperCase) --> "TEST"

LSet, RSet  (VBA only; in VBScript pad with Space() or String() instead)
  Left- or right-justifies characters within a fixed-length string.
  RSet y = "right" --> "     right"  (y being a fixed-length string wider than the value)

Str  (VBA only; in VBScript use CStr)
  Converts a number to a string, reserving a leading space for the sign of a positive number.
  x = Str(459) --> " 459"



Earlier today, a reader reported a big spike in inbound tcp/6789 to their honeypots. DShield data shows the same rise starting on December 17. It was a subject of discussion this weekend, and data published by Qihoo's Network Security Research Lab attributes the increase to Mirai, the malware that compromises Internet-connected IoT devices through default passwords. It is hard to see in the overall graph, because 6789 is still not a huge (though significant) share of Mirai scanning traffic; Qihoo's port-specific graph shows when the spike started. The command it tries to execute once logged in is:

busybox telnetd -p 19058 -l /bin/sh

Current intelligence suggests this is an attempt to compromise Dahua devices. If the login succeeds, the command starts a telnet daemon on tcp/19058 that hands out /bin/sh without authentication: a listening (bind) shell on the device that the operator connects to afterwards, not a connection back out. The usual defenses apply (keep this stuff off the public Internet; manufacturers, please stop shipping devices with telnet enabled and default passwords), but the amount of bandwidth Mirai operators have under their control could swamp even the most robust DDoS defenses.
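An added example (editor's code, not from the diary) of the triage a honeypot operator could run over this traffic: it parses key=value honeypot log lines, counts tcp/6789 connections per day, flags a day whose count jumps against the others, and pulls out any session that ran the telnetd command, recording the port it was told to listen on. The log format and every log line are constructed for the example; the only detail taken from the diary is the command itself.

```javascript
// Editor's example: triage of constructed honeypot logs for the tcp/6789
// Mirai scanning described above. The log format (ISO timestamp, then
// key=value pairs) and all lines below are made up for illustration.

const SAMPLE_LOG = [
  '2016-12-16T11:02:41Z src=203.0.113.9 dport=6789 event=connect',
  '2016-12-17T00:10:03Z src=198.51.100.23 dport=6789 event=connect',
  '2016-12-17T00:10:04Z src=198.51.100.23 dport=6789 event=login user=admin pass=admin',
  '2016-12-17T00:10:05Z src=198.51.100.23 dport=6789 event=cmd cmd="busybox telnetd -p 19058 -l /bin/sh"',
  '2016-12-17T00:12:30Z src=198.51.100.40 dport=6789 event=connect',
  '2016-12-17T00:13:11Z src=198.51.100.41 dport=6789 event=connect',
  '2016-12-17T00:14:52Z src=198.51.100.42 dport=6789 event=connect',
  '2016-12-17T00:15:20Z src=192.0.2.77 dport=22 event=connect',
  '2016-12-17T00:16:00Z src=198.51.100.43 dport=6789 event=connect',
  '2016-12-17T00:16:10Z src=198.51.100.43 dport=6789 event=cmd cmd="cat /proc/mounts"',
];

// telnetd started with -p <port>: a listening (bind) shell, not a reverse shell.
const TELNETD_BIND = /\btelnetd\b.*?-p\s*(\d+)/;

// Parse 'ts key=value key="quoted value" ...' into an object.
function parseLine(line) {
  const rec = { ts: line.slice(0, line.indexOf(' ')) };
  const kv = /(\w+)=(?:"([^"]*)"|(\S+))/g;
  let m;
  while ((m = kv.exec(line)) !== null) rec[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return rec;
}

function analyze(lines) {
  const out = { connectsTo6789: 0, sources6789: new Set(), perDay: {}, bindShells: [] };
  for (const line of lines) {
    const r = parseLine(line);
    if (r.dport === '6789' && r.event === 'connect') {
      out.connectsTo6789 += 1;
      out.sources6789.add(r.src);
      const day = r.ts.slice(0, 10);
      out.perDay[day] = (out.perDay[day] || 0) + 1;
    }
    if (r.event === 'cmd' && r.cmd) {
      const m = TELNETD_BIND.exec(r.cmd);
      if (m) out.bindShells.push({ ts: r.ts, src: r.src, listenPort: Number(m[1]), cmd: r.cmd });
    }
  }
  return out;
}

// Flag days whose count is at least `factor` times the median of the other
// days (floored at 1 so a silent baseline cannot flag every day).
function spikeDays(perDay, factor = 3) {
  const days = Object.keys(perDay).sort();
  return days.filter(day => {
    const others = days.filter(d => d !== day).map(d => perDay[d]).sort((a, b) => a - b);
    if (others.length === 0) return false;
    const mid = Math.floor(others.length / 2);
    const median = others.length % 2 ? others[mid] : (others[mid - 1] + others[mid]) / 2;
    return perDay[day] >= factor * Math.max(median, 1);
  });
}

const report = analyze(SAMPLE_LOG);
console.log(`tcp/6789 connects: ${report.connectsTo6789} from ${report.sources6789.size} sources`);
console.log('spike days:', spikeDays(report.perDay));
for (const s of report.bindShells) {
  console.log(`${s.ts} ${s.src} bind shell on tcp/${s.listenPort}: ${s.cmd}`);
}
```

The listening port is taken from the command rather than hard-coded, so a variant that changes the `-p` value is still caught, and a firewall rule or egress alert for the extracted port can be generated from the same record.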


Adobe Flash vulnerabilities and exploit kit tools: a summary

Key Takeaways

  • Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Since our 2015 ranking, Flash Player has remained popular with cyber criminals despite Adobe's increased mitigation efforts.
  • Vulnerabilities in Microsoft’s Internet Explorer, Windows, and Silverlight rounded out the top 10 vulnerabilities used by exploit kits. None of the vulnerabilities identified in last year’s report carried over to this year’s top 10.
  • A 2016 Internet Explorer vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, notably Sundown EK which quickly adopted an exploit in July 2016.
  • Sundown, RIG, and Neutrino exploit kits filled the void created by Angler Exploit Kit’s June 2016 demise. This crimeware can be used for anywhere from $200 a week (RIG) to $1,500 a week (Neutrino).
  • Adobe Flash Player's CVE-2015-7645 has been incorporated into seven exploit kits, the highest penetration of any vulnerability we analyzed, likely because it was the first zero-day discovered after Adobe's significant security changes.
  • Identifying frequently exploited vulnerabilities can drive action by vulnerability assessment teams.

According to updated Recorded Future analysis, Adobe (Flash Player) and Microsoft products (Internet Explorer, Silverlight, Windows) continue to provide the primary avenue of access for criminal exploit kits. While nation-state targeting of political efforts has dominated information security headlines in 2016, criminals continue to deliver ransomware and banking trojans using new exploit kits targeting new vulnerabilities.

As a follow-up to last year's ranking of vulnerabilities targeted by exploit kits, Recorded Future conducted updated analysis of 141 exploit kits (EKs) and known vulnerabilities.

Covering the period of November 16, 2015 to November 15, 2016, Adobe Flash Player comprised six of the top 10 vulnerabilities leveraged by exploit kits.

Vulnerabilities in Microsoft’s Internet Explorer (IE), Silverlight, and Windows rounded out the top 10. Notably, a 2016 IE vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, including Sundown EK which quickly adopted an exploit for it in July 2016.

None of the vulnerabilities identified in last year’s report remained in this year’s top 10.

(Chart: Reference vs. Cyber Vulnerability)

Background

Exploit kits offer an expedited crimeware-as-a-service (CaaS) channel where users pay per install of their malware. Since the emergence of modern exploit kits in 2006, criminals need less and less programming experience, as they only need to provide the payload (such as CrypMIC ransomware or TrickBot banking trojan). The payload is then spread via the exploit kit through compromised sites or malicious third-party advertising (malvertising). The teams behind these exploit kits continue to add fresh exploits for software as increased effectiveness in delivering the “customer’s” payload will generate more revenue.

Exploit kit victims load the compromised web page, malvertisement, or unwittingly follow a malicious link to the exploit kit’s landing page. Per Sophos, “the landing page is the starting point for the exploit kit code.” Using a mix of HTML and JavaScript, the EK identifies the visitor’s browser and plugins, providing the kit the information necessary to deploy the exploit most likely to result in a drive-by download.
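As an added editor's example (not from the Recorded Future report), here is the defensive counterpart of the landing-page behaviour just described: a small static scorer that looks for the browser- and plugin-fingerprinting patterns a landing page needs before it can choose an exploit. The indicator list, weights and threshold are the editor's own heuristics, and the three page snippets are constructed; they contain probing and decoding patterns only, no exploit code.

```javascript
// Editor's example: heuristic scoring of page source for exploit-kit style
// plugin fingerprinting. Indicators, weights, threshold and the sample
// pages below are all constructed for illustration.

const INDICATORS = [
  { name: 'plugin-enumeration',        weight: 2, re: /navigator\.plugins\b/ },
  { name: 'flash-activex-probe',       weight: 3, re: /ActiveXObject\s*\(\s*["']ShockwaveFlash\.ShockwaveFlash/ },
  { name: 'flash-version-query',       weight: 3, re: /GetVariable\s*\(\s*["']\$version["']\s*\)/ },
  { name: 'silverlight-activex-probe', weight: 3, re: /ActiveXObject\s*\(\s*["']AgControl\.AgControl/ },
  { name: 'flash-object-or-embed',     weight: 2, re: /<(?:object|embed)[^>]*(?:application\/x-shockwave-flash|\.swf)/i },
  { name: 'user-agent-parsing',        weight: 1, re: /navigator\.userAgent\b/ },
  { name: 'charcode-decoding',         weight: 2, re: /String\.fromCharCode\s*\(/ },
  { name: 'dynamic-eval',              weight: 2, re: /\b(?:eval|unescape)\s*\(/ },
];

const SUSPICIOUS_THRESHOLD = 6;

// Returns the total weight of matched indicators, which ones matched,
// and whether the page crosses the threshold.
function scoreLandingPage(html) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.re.test(html)) {
      hits.push(ind.name);
      score += ind.weight;
    }
  }
  return { score, hits, suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Constructed: probes Flash through ActiveX and the plugin list, reads the
// version, then decodes and evals a later stage (the data `d` is absent).
const LANDING_PAGE = `
<script>
var f = null;
try { f = new ActiveXObject("ShockwaveFlash.ShockwaveFlash"); } catch (e) {}
var v = f ? f.GetVariable("$version")
          : (navigator.plugins["Shockwave Flash"] || {}).description;
var ua = navigator.userAgent;
var s = ""; for (var i = 0; i < d.length; i++) s += String.fromCharCode(d[i] ^ 7);
eval(s);
</script>`;

// Constructed: an ordinary page with a Flash video player, and one with no Flash at all.
const VIDEO_PAGE = `<object type="application/x-shockwave-flash" data="/player.swf" width="640" height="360"></object>`;
const PLAIN_PAGE = `<script src="/js/jquery.min.js"></script>
<script>$(function () { $('#menu a').on('click', function () { $(this).toggleClass('open'); }); });</script>`;

for (const [label, page] of [['landing', LANDING_PAGE], ['video', VIDEO_PAGE], ['plain', PLAIN_PAGE]]) {
  const r = scoreLandingPage(page);
  console.log(label, r.score, r.suspicious, r.hits.join(','));
}
```

A plain Flash embed on its own scores low, which is the point of weighting: a page that merely hosts a .swf is not a landing page; one that enumerates plugins, queries the exact Flash version and then decodes and evaluates a string is. Real kits obfuscate these calls, so a scorer like this belongs after a JavaScript deobfuscation step, not in front of it.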

In some cases, exploit kits can be rented on a weekly or monthly basis. For example, Nucleus was available at $800 a week or $2,000 a month. The lower-quality RIG exploit kit costs significantly less: $50 a day, $200 a week, or $700 a month. While still available, Neutrino was the most expensive: $1,500 a week or $4,000 a month.

Understanding what vulnerabilities are targeted by exploit kits can better inform vulnerability risk assessment functions within organizations.

Methodology

Recorded Future analyzed thousands of sources including information security blogs, deep web forum postings, and dark web onion sites. Analysis focused on exploit kit and vulnerability discussion from November 16, 2015 to November 15, 2016, roughly one year since our 2015 report.

As part of this research, Recorded Future utilized a list of 141 exploit kits, an increase over the 108 analyzed last year. Top EK exploited vulnerabilities were ranked by the number of web references linking them to an exploit kit.

Recorded Future did not reverse engineer any malware mentioned in this analysis and instead performed a meta-analysis of available information from the web. Exploits for dozens of other vulnerabilities are currently employed by EKs and this report’s intent is to highlight top targets of popular exploit kits.

Vulnerability Adoption by Exploit Kits

Based on feedback from our 2015 vulnerability ranking, Recorded Future further evaluated individual vulnerability adoption by exploit kits.

(Chart: Vulnerability Adoption by Exploit Kit)

Adobe Flash Player's CVE-2015-7645, number 10 in terms of references to exploit kits, stands out as the vulnerability adopted by the most exploit kits. Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter.

CVE-2015-7645 impacts Windows, Mac, and Linux operating systems, which makes it extremely versatile. Per Adobe, it can be used to take control of the affected system. Additionally, it was the first zero-day exploit discovered after Adobe introduced new security mitigations, and as such, it was quickly adopted as many other older exploits ceased working on machines with newer Flash versions. The vulnerability was also noted as being used by Pawn Storm (APT28, Fancy Bear), a Russian government-backed espionage group.

(Figure: Vulnerability Intel Card for CVE-2015-7645)

While Adobe patched the vulnerability fairly quickly, its ease of exploitation and the breadth of operating systems affected have kept it active.

Unfortunately, slow enterprise patching and lack of knowledge by home users mean the vulnerability still manages to help kits infect machines.

Sundown Exploit Kit in Focus

The Sundown exploit kit is a rising star in the crimeware world. With the demise of several of last year’s leaders, the Sundown EK has seen significant adoption among criminal elements. Sundown maintainers have been very quick to add new exploits to the kit to differentiate it from other choices, such as the RIG exploit kit.

Last year, Recorded Future wrote on the Angler exploit kit. Usage of that kit virtually died after several arrests in Russia earlier in the year.

Researchers exposed much of the infrastructure behind Nuclear, and Neutrino operators pulled their kit off the public market, leaving a void for the RIG and Sundown exploit kits to fill. Although RIG is still the market leader, Sundown is rising in popularity.

According to our analysis, Sundown was first noticed in April 2015, and was primarily noted for copying other kits and absorbing their vulnerabilities and methods. The developers made a mark with the kit in 2015 by being one of the first to integrate an Internet Explorer bug (CVE-2015-2444), which was used to target Japanese banking customers. Another differentiator for the kit is its focus on dropping banking trojans, unlike some of the other kits we have seen, which drop everything from ransomware to remote access tools. Sundown also leveraged domain shadowing on a significantly wider scale than its competitors.

(Chart: Most referenced exploit kits over the past year)

Impact

Last year, the primary risk of contracting a nasty exploit kit was through Adobe product bugs, and Flash in particular. Unfortunately, the situation has not significantly improved.

The recommendation was to update Adobe Flash, and this year that recommendation still stands. For those who want to know exactly how this can be done, or who want to uninstall Flash completely, Graham Cluley has written an excellent walkthrough on doing just that.

For other users who simply want things to work, it should also be noted the Google Chrome team bundles the most recent Flash version with the browser, which should keep them a little more secure. Even better, Chrome now defaults to HTML5 for content that supports it instead of loading the content with Flash.

For additional peace of mind, users of most modern browsers can turn on “Click to Load” features which automatically block Flash elements unless the user specifically clicks on them.

Conclusion

  • Patch all vulnerabilities identified in this post.
  • Remove the affected software if it doesn’t impact key business processes.
  • Enable “click to play” for Adobe Flash Player.
  • Consider Chrome due to Google Project Zero’s attention to Flash Player vulnerabilities.
  • Utilize browser ad-blockers to prevent exploitation via malvertising.
  • Frequently backup systems, particularly of shared files which are regular ransomware targets.
