As Neil Daswani and Lars Ewe continue their discussion, they outline the five main steps cyber criminals take to conduct drive-by downloads. They also offer recommendations on the preventive measures that keep third-party web applications from being exploited by fraudsters.
In fact, there have been specific names that have been attributed to such kinds of cases. For instance, in the case that you have a website and you have an ad widget on your website, which, you know, you may be relying on for revenue and monetizing your website; in the case that your website gets infected via malicious advertisements that come through that ad network, that’s often referred to as malvertising, and malvertising is also being increasingly used to spread malware on websites.
So in any case, attackers can use these techniques to infect a site, or two sites, or three sites, or thousands of sites because of the fact that a particular web application vulnerability might exist, say, in some third party package that is used by lots of websites. Similarly, a particular widget or an ad network might be used by many, many websites, and so when an attacker exploits any of these types of issues it typically allows them to distribute their malware through a network of websites that take advantage of this functionality.
In any case, that’s a little bit about the different vectors. So we will go through the anatomy of the steps that attackers conduct and the steps that take place when a drive-by download occurs.
So, step one in using websites to distribute malware is you have to infect a website. In the demo that we showed earlier, it was a stored cross-site scripting vulnerability that was used to plant some drive-by download code onto a site and infect users. But there are many other ways to do it as well, as I just reviewed with regards to taking advantage of different widgets and whatnot.
And depending upon that, the attackers have an online exploit database which gets consulted. And what happens is that the client-side vulnerability that is most likely to result in a successful infection is chosen, and the corresponding shellcode[2] to, say, take advantage of a buffer overflow or other type of vulnerability on the client is selected and the shellcode is delivered.
Once the shellcode is delivered, the attacker basically has control of the stack on the user’s machine and they take advantage of that capability to download a downloader – a piece of malware whose sole purpose in life is to download more malware. It basically also provides a level of interaction, so that once the attackers compromise a machine they can then decide to download different malware every single day if they like. They could one day download something that conducts fraud; another thing that it can do – and that’s the way it usually happens – is add that machine to a botnet of some sort so that they have further control over it.
1 – Infecting a site
2 – Invoking a client-side vulnerability
3 – Delivering a shellcode
4 – Sending a downloader
5 – Taking advantage of the infected PC
So there is a whole bunch of different mechanisms but these five steps: infecting the site, invoking the client-side vulnerability, sending the shellcode, sending the downloader and then doing whatever they would like with the machine – are typically the five steps that cyber criminals execute when they want to effectively conduct drive-by downloads.
So that’s a little bit about that process. What I’ll do is I’ll turn it back over to Lars to just start talking about what are some of the things that organizations can do to help protect themselves using a defense-in-depth[3] approach.
Lars Ewe: Now that we have talked about what can happen and hopefully convincingly enough proven the point that bad things can happen, very bad things indeed can happen, you wanna ask yourself – what do you do, how do you defend yourself? You know, it’s no fun just to learn how bad the state of defense is, it’s important to learn what your options are.
So the first thing is that you wanna assess your sites. You need to understand that if you are running a website, not only are you responsible for the data within your site – let’s say, you store credit card information or personal information, anything like that, obviously you carry responsibility, and many different complaints and issues will occur if you do not make sure you secure that data correctly, depending on the vector or vertical that you are in. But just as important as that is the fact that you have responsibility to your user base. You do not want to actually be the one who distributes malware to all your users, and yet no data might get compromised potentially on your site but data on the clients’, on the users’ machines might still be wiped out or it might join the botnet or something like that.
All that being said, that responsibility is yours as the website owner, so do assessments regularly. You have options there as to whose services you want to use, I will encourage you to do some regular antimalware, antivirus scanning – we refer to that often as persistent security.
Every time you do a patch to your site, you might potentially recreate a new security hole. Often the smallest little change in code can result in such a thing. New attack vectors come out all the time. Companies like Cenzic update their attack libraries on a very regular basis, in our case on a weekly basis.
So scanning very regularly is one thing. Then, try to prevent once you have findings. Once you know that there are vulnerabilities, try to address them – ideally in code, you have various means there, once the vulnerability is found you then know what specifically you have to do. Either way, at the code level you can also do code reviews, there are best practices you can follow at the code level. You will find that in many cases fixing the code is not an immediate option. If you want to take (and you ought to take) quick preventive steps, then web application firewalls or any other containment technologies are the next step to look at.
As a matter of fact, you usually wanna do a two-phase approach. First, you immediately wanna put in place a firewall, you wanna filter the content, and then you wanna also in parallel start looking at the root cause at the code level and fix at the code level, roll out a fix at the code level as well.
So there are many means at that level. After that I’ll hand it over to Neil to talk more about the malware aspect of it once you’ve taken care of the web application vulnerability aspect upfront.
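The infection vector in the demo Neil refers to (step one, a stored cross-site scripting hole used to plant drive-by code) and Lars's two-phase response (filter at the edge now, fix at the code level, keep scanning) can be shown side by side in a small Python script. This is an added example written for this page, not code from the speakers or from Cenzic; the comment strings, the template and the scan pattern are constructed for illustration, and the URLs are placeholders.

```python
import html
import re

# Constructed sample records, the kind a comment form that stores user text
# verbatim would persist. Record 0 is benign; records 1 and 2 carry the
# markup a drive-by infection plants (placeholder URLs, not real sites).
STORED_COMMENTS = [
    "Great article, thanks!",
    'Nice post <script src="http://ads.example.invalid/w.js"></script>',
    'see this <iframe src="http://example.invalid/p" width="0" height="0"></iframe>',
]

# Hypothetical page template: the comment body is the only untrusted part.
TEMPLATE = '<div class="comment">{body}</div>'


def render_unsafe(comment: str) -> str:
    """Vulnerable sink (step one of the anatomy): stored text is concatenated
    straight into the page, so any tag an attacker stored runs in every
    visitor's browser."""
    return TEMPLATE.format(body=comment)


def render_safe(comment: str) -> str:
    """Code-level fix: HTML-escape untrusted text at output time. The stored
    record is unchanged, but '<' becomes '&lt;' so the browser renders it as
    text instead of executing it."""
    return TEMPLATE.format(body=html.escape(comment, quote=True))


# Tokens that should never appear in a field meant to hold plain text.
# Used both for the edge filter and for the periodic content scan.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed)\b|javascript\s*:|\bon\w+\s*=",
    re.IGNORECASE,
)


def reject_at_edge(value: str) -> bool:
    """Phase one of the two-phase approach: a WAF-style request filter that
    blocks a submission carrying active markup. A pattern filter is a
    stopgap, not a fix: encoded or obfuscated variants can slip past it,
    which is why the escaping in render_safe() is still required."""
    return ACTIVE_MARKUP.search(value) is not None


def scan_stored_content(comments):
    """Persistent-security check: walk the site's own stored data and report
    (index, matched token) for each record that already carries active
    markup, i.e. evidence that the site was infected before the filter."""
    findings = []
    for i, comment in enumerate(comments):
        match = ACTIVE_MARKUP.search(comment)
        if match:
            findings.append((i, match.group(0)))
    return findings


def page_has_active_markup(rendered_html: str) -> bool:
    """Check a rendered fragment the way an external site scan would: does
    the HTML served to visitors still contain an executable tag?"""
    return re.search(r"<\s*(script|iframe|object|embed)\b", rendered_html, re.I) is not None


if __name__ == "__main__":
    for idx, token in scan_stored_content(STORED_COMMENTS):
        print(f"stored record {idx} contains {token!r}")
    for comment in STORED_COMMENTS:
        print("edge filter blocks:", reject_at_edge(comment))
        print("unsafe render executable:", page_has_active_markup(render_unsafe(comment)))
        print("safe render executable:  ", page_has_active_markup(render_safe(comment)))
```

Running the script shows the same stored record rendering as live script through `render_unsafe()` and as inert text through `render_safe()`; the edge filter stops new submissions of that shape, and the stored-content scan finds records that were planted before the filter existed. The three layers correspond to the defense-in-depth sequence Lars describes: containment first, a code fix in parallel, and regular scanning so a later code change that reopens the hole is caught.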
1 – Web 2.0 is a loosely defined intersection of web application features that facilitate participatory information sharing, interoperability, user-centered design and collaboration on the World Wide Web.
2 – Shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called ‘shellcode’ because it typically starts a command shell from which the attacker can control the compromised machine.
3 – Defense-in-depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in case a security control fails or a vulnerability is exploited.