NEPTUNE: Dissecting Web-based Malware via Browser and OS Instrumentation

Presented at Black Hat USA 2010, July 29, 2010, 3:15 p.m. (75 minutes).

Increased built-in security and robust standard configurations have made the classical operating system vulnerabilities a rare occurrence. Malware authors have been forced to switch to alternative channels to get their malicious software installed. One of the main delivery mechanisms is the "drive-by-download": malware is placed on websites and visiting users get infected through their browser, either by attacking a vulnerability in the browser itself; or in one of the common extension or plug-ins.

NEPTUNE is the code name for a project sponsored by Qualys to build an automatic malware analysis engine and deliver it as a free tool for the industry. NEPTUNE intercepts key method invocations within Internet Explorer's TRIDENT rendering engine and reverse engineers its internal data structures in order to trace JavaScript execution. We further hook all relevant operating system entry points in order to monitor browser process activity and network traffic. This allows us to detect any malicious behavior of the browser during the rendering of the page and de-obfuscates layer by layer all JavaScript. We rely heavily on the DETOURS package, which is a Microsoft library for intercepting arbitrary Win32 binary functions on x86 machines.

We will step through two real world examples of web based attacks, one using a JavaScript vector, the other exploiting a weakness in Adobe's Acrobat Reader. We enumerate the APIs necessary to detect and de-obfuscate the attack. We also will discuss in detail the DETOURS library in comparison with traditional API hooking, and points out its strengths and its shortcomings and what was required to overcome them.

We will then investigate and compare NEPTUNE's main strategies for the detection of malware: static analysis that applies heuristics vs. a purely behavioral model. Both methods have pros and cons and we will demonstrate advantages and disadvantages of both approaches discussing accuracy, complexity and performance.

In conjunction with the presentation we will release a free web based tool that can be used by anyone to determine the malware status of single web page. Reports will contain a full breakdown of the page in question, including de-obfuscated JavaScript, Reputation scores by host and results of the behavior analysis. An API will also be released in conjunction for larger scanning needs.


Presenters:

Links:

Similar Presentations: