Interception and Analysis Framework for Win32 Scripts by trf16073


									    Tim Hollebeek, Ph.D.

Interception and Analysis
Framework for Win32 Scripts

           (not for public release)

•   Background
•   Preliminary characterization of attacks/threats
•   What we’ve built
•   Coverage of threats
•   Tech Transfer successes
•   Integration
Background: ActiveScripting

  • Microsoft architecture for integrating scripts with
    applications in a language-neutral way.
  • Scripting is often used as “Turing glue” to
    connect and drive disparate software

Active Scripting Applications/Hosts       Active Scripting Languages
• Web browsers                        •   Perl
• Mail readers                        •   Jscript
• Embedded HTML viewers               •   VBscript/VBA (macros)
• MS Office 2000 applications         •   Rexx
• Windows Scripting Host              •   Python
Technical Objectives

 • Address the threat of a significant class of
   mobile malicious code:
    – ActiveScripting (JScript, VBscript)
 • Provide interception and logging
   framework that allows policies to be
   developed and enforced
 • Constrain active scripting capability
   effectively to balance:
    – legitimate uses vs. malicious uses

• Malicious Scripts on Microsoft Windows based

  – Script-based viruses, trojans
  – malicious web pages
  – malicious HTML embedded in various files

  – Especially: scripts that use one of about 30
    vulnerabilities that allow compromise of the machine
    from scripts
            (most recent … 9 days ago)
Attacker Objectives

• Traditional “malware” activities
  – Viruses, trojan horses
• Fully compromising host computers
• Accessing sensitive data/manipulating sensitive
  – Compromising script-aware applications
  – Compromising script-dependent applications
Why is this easy?

• MS Windows contains lots of bad code and very
  few boundaries
• Microsoft architecture is script-friendly

• “big bag of components”
• Much of this infrastructure built to support
  distributed applications

• Must be at the correct level (or multi-level)

• Most existing defenses aren’t:
   –   Secure sessions
   –   Filtering
   –   Signature schemes
   –   Kernel/filesystem level defenses

• Commercial world focused on today’s attacks
Categories of Malicious Scripts

  • Malicious scripts distributed as attachments

  • Embedded scripts that exploit flaws in
  components or host applications

  • Malicious scripts that manipulate legitimate     Hard
  • Malicious scripts injected into dynamic web

  • Scripts that exploit the distributed nature of   Very
  web applications                                   Hard!
Malicious Script Capability Matrix

                     Attach   Flaw Legitimate Inject Web


Malicious web site

E*TRADE hack


Web bugs

E-mail wiretapping

Future threats
Intercepting ActiveScripting

• What works well:
   – Blocking access to flawed components/methods

• Feasible:
   – Correlating script activity with lower level
   – Reducing exposure of script-aware applications
   – Restricting script actions to safer subset

• Still difficult:
   – Script-dependent and script-based applications
Tech Transfer

• Produced:
  – Robust prototype
     • Capable of extensive logging of script behavior on a
       number of machines to a remote server
     • Ability to block malicious script actions
     • Stable, efficient
  – Developing prototype into a tool to be used by Air
    Force community
  – Extensive logs (14,000 distinct scripts, gigabytes of
    information about their execution)
  – JustBeFriends (~4000 downloads)

• We can provide:

•   Information on all page views
•   Script contents and URLs
•   Information on script behavior
•   During script execution:
    – Accesses to all members and methods (with parameters) of
      Automation objects the scripting engine interacts with
    – All actions of the scripting engine
    – Other related COM methods

    (possibly) user level correlation information

• 3 Cigital Labs researchers
• 6-12 months of browsing
• Work-related and “other” sites

• Also some “random” browsing (uses Yahoo!)

                      Logging Server


Policy                            Script Actions

          Event                  Scripting Engine
                              Browser Architecture

• Architecture provides a very successful and
  flexible way to monitor and control scripts on
  Windows systems
• Can address commonly exploited risks from
  malicious scripts, which are unaddressed by
  current generation of commercial tools
• Work still needed to get a handle on more
  complex attacks

• The End

To top