Thursday, July 10, 2008

The Template-ization of Malware Serving Sites

Just like web malware exploitation kits and phishing pages turned into a commodity underground good, allowing easy localization to different languages, and of course, the natural lowering of entry barriers into web malware and phishing in general, the very same thing is happening with fake ActiveX templates like the ones used on the majority of fake porn and celebrity sites I've been assessing recently.

The increase of these bogus ActiveX templates is due to the fact that despite they are currently available for sale, buyers appear to be leaking them for everyone to use so that they can continue maintaining their current business models, namely, the services they offer with the ActiveX templates. Unethical competitive practices among cybercriminals and scammers are only to starting to take place with one another trying to ruin or extend the lifecycle of their services.

Talking about prevalence, the TonsOfPorn ActiveX remains the most widely used rogue ActiveX in the majority of fake codec campaigns for the last couple of months. The ActiveX is largely abused by using another fake porn site template for PornTube, which in combination result in nothing more than huge domain portfolios with no content at all if we exclude the Zlob variants.

And while template-tization means more efficient malware campaigns, it also results in a common pattern for generic detection of such sites. For instance, the folks at Finjan did an experiment by verifying the signature based detection of the common javascript file that was used in the ongoing waves of SQL injection attacks. Their conclusion :

"Can it be that Anti-virus products are now holding more signatures for domains and URLs rather than trying to identify a malicious code they never inspected before? As my research found, just by changing the domain names, some AVs did not find this code as malicious...... surprisingly enough."

When assessing malware campaigns in general, I usually do the same for the record. Storm Worm's use of ind.php for executing its set of exploits has the same detection rate - scanners result: 10/33 (30.30%) and is detected as JS.Zhelatin.zb.

Getting back to the TonsOfPorn ActiveX, it's structure is more static than a Red Army statue in Estonia, making it easy to proactively protect against, no matter the domain, no matter the exploits served. It's detection rate is close to the javascript from the SQL injection attacks - Scanners Result: 9/33 (27.28%) and is detected as Trojan.HTML.Zlob.L.

From my personal experience, blocking an IP address where a couple of hundred malicious domains remain parked, is just as useful as blocking a single domain acting as the main redirector behind a huge domains portfolio of malicious domains. However, the most beneficial approach on a large scale remains the practice of taking care of the most obvious patterns that still remain faily easy to detect, at least for the time being, due to the efficiency the people behind them aim to achieve, making them easily susceptible to generic detection approaches.