Monday, September 10, 2007

Popular Web Malware Exploitation Techniques

Who needs zero day vulnerabilities to achieve a widescale malware infection these days? Obviously the lack of this popular in the past prerequisite for a successful client side vulnerability exploitation, is no longer needed, but how come? Rather simple and that's the disturbing part - malicious parties stopped falling victims into the common perception that the end user is so fully patched, that zero day vulnerabilities are needed to break thought his thought to be complex use of security measures, instead, whether an event-study or plain simple common sense on their part, they've realized that an unpatched and obfuscated vulnerability is just as dangerous as a zero day, and the results have been evident ever since.

Going through the screenshots of the infected population of a certain malware kit, you can clearly see the diversity of the outdated vulnerabilities used. Multi-browser vulnerabilities IFRAME-ed all-in-one to achive the highest possible efficiency rate as there's a slight chance a visitor will return to a site they've managed to embedd the malware at, twice. The success of the these kits therefore has nothing to do with malicious innovations, but rather a successful tactical warfare against reactive security response. If perimeter defense cannot be breached, it will get either ignored or bypassed, precisely why client side vulnerabilities are back in the game with full speed.

Evidence showcasing this KISS (Keep it Simple Stupid) principle :

- IcePack, MPack, WebAttacker, the Nuclear Malware Kit, and pretty much every popular malware kit is taking advantage of outdated vulnerabilities, whether obfuscated or not depends on the pack's version and the malicious party's understanding of the concept

- The Massive Embedded Web Attack in Italy was using MPack's outdated arsenal of obfuscated vulnerabilities and despite that it achieved its objectives and infected thousands of hosts

- The recent Bank of India breach was using a modified version of the popular malware kits mentioned above, in between syndicating the hack with another campaign using a multi-IFRAME-ing techniques, again taking advantage of outdated vulnerabilities

- Storm Worm's success is mostly due to the fact that the end user is still living in the "malicious attachment" world, and so outdated vulnerabilities are again successfully used again her

Exploit Prevention Labs's recent stats on common vulnerabilities used as an infection vector can come very handy in terms of demonstrating the mass use of these malware kits. The bottom line is that their modularity combined with features and add-ons for them available either though a purchase or on demand, is an emerging trend by itself, one whether you cannot tell is it a script kiddie or sophisticated malicious party you're dealing with. And even if it's the second, the KISS principle has its own ugly applicability in the malware world.

No comments:

Post a Comment