Browsing Known Sites is Safe – True or False: Ill-family malware

Avast Software officials Lukas Hasik and Jiri Sejtko present their observations and insights into the prevalent web infections in the wild during their talk at RSA Conference. The key points in this part of the discussion are the ‘trust phenomenon’ explanation and the analysis of ‘Ill-family’ malware propagating in the ‘grey’ zone of the Internet.

Lukas Hasik: Hi, I am Lukas Hasik and I work as Quality Assurance Director at Avast Software. Next to me is my colleague Jiri Sejtko, who works as a Senior Virus Analyst and Researcher at Avast Software. Avast Software is the provider of Avast Antivirus – the antivirus with over 130 million users.

Today we will talk about web infections. So, on our agenda we have a short introduction, and then Jiri will talk about the three most widespread web infections of the last year. And at the end we will get to some conclusions.

So, our presentation’s name is “Browsing Known Websites is Safe – True or False?” Most people think that they are safe when they don’t go to the ‘grey’ part of the Internet. This is the part where you can usually download illegal software like some keygens [1], or you can browse some porn websites, or some warez [2] sites.

So, most of the users think that when they don’t go to this ‘grey’ part of the Internet, when they stay in the ‘safe zone’, as we call it, they cannot get infected. However, it is not completely true. These people trust their websites more than the alerts from the antivirus that they are using or other security software. That is something that we call the ‘trust phenomenon’.

Also, the website owners complain first to the antivirus companies that their site has been blocked before checking their HTML code for the infection.

'Trust phenomenon' - explanation

Let me show you a short example of how it works (see image). So, we have a trusted website owned or provided to users by some trustworthy company, and we have a common user, we call him George – ‘George’ is ‘Jiri’ in Czech. This user trusts the website, he visits it regularly, and there is no reason why he shouldn’t trust it.

But there is a bunch of bad guys sitting in the ‘grey’ zone of the Internet, who recently infected the website, and user George will not notice it because the website still looks the same. Visually, it is the same website, only the bad guys injected some iframe [3] tags or scripts into the web page.

And when user George visits this infected website, the infection gets to his computer through exploits and from his browser. When an antivirus alert appears, he thinks: “Oh my God, what is it? This must be some false positive, I used to go to this website regularly, I’ve been there a hundred times.”

So, we expect that user George turns off the antivirus protection, and this opens a hole to his system for the exploits, and he gets infected. This is the main principle of the web infections, and now we will talk about the most widespread infections in detail.

JS:Ill-family description

Jiri Sejtko: Let’s start with ‘Ill-family’ malware. ‘Ill-family’ has been one of the most widespread infections over the last year. It used simple iframe tags at the beginning of the attack, and during the attack the bad guys added something new into each new generation, so the injected scripts became really anonymous. The web is not the only spreading channel for ‘Ill-family’ malware, but today we will talk only about web infections.

‘Ill-family’ is commonly known as ‘Port 8080’ [4] infections, because the injections target malicious servers on Port 8080.

‘Ill-family’ uses the normal infection flow. So, our user George has his own website which he uses for sharing his life ideas, life stories with the rest of the world. He often uses similar web pages, he often searches the Internet, he often reads newspapers. He never goes into the ‘grey’ zone, so he thinks he is safe without any antivirus protection.

'Ill-family' web malware infection flow

One day, just after he came back from the office, he started to do some usual business, checking his friend’s website. But recently, his friend’s website was infected with the ‘Ill-family’ malware, and when user George connected to this website he was immediately redirected to a malware distribution domain, from where exploits and malware were sent to his computer. And because he doesn’t use any antivirus protection, malware is installed on his computer (see image).

One of the basic functions of this malware is to steal credentials. So, credentials for his website are sent to the command & control server. This command & control server is used by bad guys to create new malware distribution domains and of course to infect new innocent websites with new stolen credentials.

Evolution of the 'Ill-family' malware

At the end of this approach, user George is infected, his website is infected as well and used to spread infections to its visitors. This approach repeats again and again, and the network, the botnet, is growing.

‘Ill-family’ is very well known for its evolution because the bad guys started using simple HTML tags, simple iframe tags to redirect victims to malware distribution domains. And then, in each new generation they added something new. They added some simple obfuscation, and at the end their scripts, their injections were about 4 kB long (see image).

Lukas Hasik: 4 kB of text? I would definitely notice such long text in my HTML.

'Ill-family' web malware: re-infection rate

Jiri Sejtko: Yes, that is right, it is much more noticeable that there is something wrong with your website. But anyway, the bad guys are still using this approach today because it allows them to keep the scripts and the injections undetected by simply changing the rules of obfuscation.

On this graph, you see the infection rate showing how active the bad guys are (see image). It actually shows the number of domains: how many times and how many domains were infected with how many variants of ‘Ill-family’ malware. The remarkable point here is 5, so more than 3000 domains have been infected with 5 or more variants of ‘Ill-family’ malware.

Lukas Hasik: So, 3,000 domains were infected 5 or more times? It looks like the bad guys really have their favorite domains.

Jiri Sejtko: Yes, that’s right. It’s more likely domain owners or administrators really don’t know their websites are misused by the bad guys to spread malware, so they don’t care or they don’t know. But this is the point you should care about because many of these websites remain infected forever.

Read next: Browsing Known Sites is Safe – True or False 2: malware distribution

[1] Keygen (key generator) is either a computer program that generates a product licensing key, serial number, or some other registration information necessary to activate a software application, or a program that generates public-key data for cryptographic applications.

[2] Warez is a term referring primarily to copyrighted works distributed without fees or royalties, and may be traded, in general violation of copyright law.

[3] iframe (inline frame) is an HTML document embedded inside another HTML document on a website. The iframe HTML element is often used to insert content from another source, such as an advertisement, into a web page.

[4] Port 8080 is a popular alternative to port 80 for offering web services. Its use in a URL requires an explicit “default port override” to request a web browser to connect to port 8080 rather than the HTTP default of port 80.
