During the course of the last 10 years or so, security has gone from being of little to no importance in most enterprises to its current status as one of the top priorities in virtually every IT department. As threats have moved from macro viruses and simple DoS attacks to network-aware worms and Trojans to virtualized rootkits and peer-to-peer malware, the protection technologies have changed with the times. Firewalls, IDS appliances, intrusion prevention systems, content filtering and myriad other innovations have done a fine job of securing our corporate perimeters.
But all of that is about to change. The best and smartest attackers have all but abandoned their old bag of tricks and have taken their game to the Web. And the existing product set that's humming along in your server room and your data center is of little use in defending against these attacks. IDS, endpoint security, antivirus and the rest of it are all well and good, but they stand no chance of preventing users from falling prey to the current and future crop of Web-based attacks.
Google, which has recently built up an anti-malware team that is doing a lot of research on Web-based exploits, has a new paper in the works that sheds quite a bit of light on the extent of the problem. The Google researchers spent more than 10 months looking at 60 million Web pages and analyzing how many of them are serving up malware and what techniques they're using to do so. The simplest way to serve malware is to get a user to visit a malicious Web server you control. But that's also the least successful, as the sites on those servers tend to be amateurish and easily identified as malicious. For that reason, most attackers instead choose to park their malware on servers that host popular legitimate sites.
Attackers frequently use iFrames to hide their malicious content and redirect users to a separate URL that they control, where a piece of malware is silently installed. This is simple enough to accomplish with just a small script and a handful of compromised machines serving as malware depots. Google's research found that more than three million individual URLs are serving malware using this method. That's a scary number, even taking into account the unknowably huge number of URLs on the Web. Three million means there's a pretty good chance that your users are running into these sites on a regular basis.
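The iFrame technique described above leaves a recognizable footprint in the page source: a frame that is sized or styled so the user never sees it, pointing at a host other than the one serving the page. The following is an added example of a defender-side check over fetched HTML, not code from Google's study or from the paper it describes. The sample page, the host names in it, and the thresholds (a frame with a width or height of at most 1 pixel, or a style that hides it) are constructed assumptions for illustration; a real deployment would feed it pages from a proxy log or a crawl and tune the thresholds.

```python
"""Hidden-iframe detector (added example, not Google's code).

Flags <iframe> elements that are invisible to the user (tiny dimensions or a
hiding style) and reports whether each one points off-site. Uses only the
Python standard library so it runs offline over locally stored HTML.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one visible same-host frame (legitimate), one 0x0
# frame pointing off-site, one display:none frame off-site, one 1x1 local frame.
# All host names are placeholders, not real infrastructure.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<iframe src="http://cdn.example.net/x.php" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://bad.example.org/load.htm" style="display:none"></iframe></div>
<iframe src="/local/frame.html" width="1" height="1"></iframe>
</body></html>
"""

# Inline styles commonly used to keep a frame out of view (assumed heuristic list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _dimension(value):
    """Parse a width/height attribute such as '0', '1px' or '640' into an int."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collects the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":          # HTMLParser already lowercases tag names
            self.frames.append(dict(attrs))


def suspicious_iframes(html, page_url):
    """Return [(src, [reasons])] for every iframe that is tiny or style-hidden.

    'off-site' is appended as context when the frame's host differs from the
    page's host; on its own it does not make a frame suspicious.
    """
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        reasons = []
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if width is not None and height is not None and (width <= 1 or height <= 1):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-style")
        if reasons:
            frame_host = urlparse(src).hostname
            if frame_host and frame_host != page_host:
                reasons.append("off-site")
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "https://www.example.com/index.html"):
        print(f"{src}: {', '.join(reasons)}")
```

Running the script on the constructed sample reports the three hidden frames and leaves the visible player frame alone. A hidden same-host frame is still reported, since an attacker who has compromised the legitimate server may host the loader there; the "off-site" tag is what tells an analyst the redirect chain leaves the site, which is the pattern the Google researchers describe.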
It's also becoming increasingly difficult to identify Web-based exploits, thanks to the ubiquity of exploit obfuscation and encryption. IBM Internet Security Systems' annual year-end report found that by the end of 2007 virtually every browser exploit was either obfuscated or encrypted.
Google's researchers offer a compelling explanation for the huge volume of malware floating around on supposedly legitimate sites. "In particular, our results reveal that ad serving networks are increasingly being used as hops in the malware serving chain. We attribute this increase to syndication, a common practice which allows advertisers to rent out part of their advertising space to other parties," the researchers write. "These findings are problematic as they show that even protected web-servers can be used as vehicles for transferring malware. Additionally, we also show that contrary to common wisdom, the practice of following 'safe browsing' habits (i.e., avoiding gray content) by itself is not an effective safeguard against exploitation."
In other words, the attackers are way out in front on this one. They've figured out the logistics, they've set up the distribution networks and they've got a lot of help. There's a second part of this equation that's just as problematic, and that's the rapidly growing number of malicious search results. Google's anti-malware team found that the percentage of Google search queries that returned at least one malicious link in the results has more than quadrupled since early 2007, to about 1.3% in January of this year. While that's still a small fraction of the search results, the rate of increase is alarming, and the Google team took the analysis one step further to see how many of the malicious sites show up in its one million most popular URLs.
"From the top one million URLs appearing in the search engine results, about 6,000 belong to sites that have been verified as malicious at some point during our data collection. Upon closer inspection, we found that these sites appear at uniformly distributed ranks within the top million web sites—with the most popular landing page having a rank of 1,588," the team writes. "These results further highlight the significance of the web malware threat as they show the extent of the malware problem; in essence, about 0.6% of the top million URLs that appeared most frequently in Google's search results led to exposure to malicious activity at some point."
What all of this shows is that the Web-based malware problem is not just some new phenomenon that's popped up and will be replaced by another new technique in a few months. This is a systematic movement by the criminals from network-based attacks to host- and Web-based attacks. Things have been moving in that direction for a couple of years now, but the increase in popularity of Web-based applications and the continued stream of vulnerabilities discovered in both Internet Explorer and Firefox, as well as in the various Web server platforms, makes this trend especially worrisome. Both Microsoft and Mozilla have worked hard on the security of their browsers, but they can't force users to patch, no matter how much they'd like to, and they can't stop them from visiting suspect sites. In short, the software makers can't protect users from themselves.
Nor can the security vendors help, at least not yet. Web application security has been a hot market for a couple of years, but simply scanning applications for vulnerabilities only addresses part of the problem. The breadth and depth of this problem requires more than that. It needs a considered, holistic strategy, much like the famous defense-in-depth idea that is the blueprint for most enterprise security plans. How and when that happens is to be determined, but the clock is ticking.