Short-lived Web malware: Fading fad or future trend?

Short-lived Web malware: Fading fad or future trend?

Marcos Christodonte II, Contributor

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Today's threats don't require the execution of files. Modern-day malware can infect through "drive-by downloads," installing and stealing data without a click or action from a user.
,
Recently, security software vendor AVG Technologies asserted that Web-based malware attacks are now so prevalent that attackers craft them to be "secretive, short-lived and fast-moving. It's an acceptable premise, but why the sudden shift? Is it because more active and open attacks aren't as successful or noteworthy? Well, not quite. Let's explore why attackers do this, how they do it, and how enterprises can defend against short-lived Web malware.

Transience is key
Malware delivery has mutated since the arrival of traditional delivery methods like floppy disks, email attachments and word-processor documents. In the past, such methods took time, patience and had a much lower success rate. In those days, malware would lay dormant for days or weeks, waiting on a particular action or trigger, such as a system reboot or specific file execution. While many of the same types of malware are being used today (i.e. worms, Trojans, rootkits, etc.), more sophisticated Web delivery minimizes the likelihood of attackers getting caught by antivirus signatures or heuristic checks.

Listen to this tip
Download Marcos' short-lived malware tip to your PC or favorite MP3 player.
Today's threats don't require the execution of files. Modern-day malware can infect through "drive-by downloads," installing and stealing data without a click or action from a user. This transience is different than previous malware, which required some form of user action, as mentioned above. Stealthy behavior allows attackers to go unnoticed, infect quickly, and move on to other targets. Why they take this approach is fairly clear, nonetheless, security professionals must know how they do it to properly defend against them.

Speed, secrecy and recency

The number of websites blocked around the world for hosting malicious content rose by 197.2% in March, the highest level since October 2008.
MessageLabs
MessageLabs March 2009 Intelligence Report (pdf)
Using crafty and fast-moving operations, attackers take multiple approaches to compromise systems. According to AVG, an attacker "simply sets up hundreds of seemingly legitimate websites with embedded infections, promotes them for a day or two, and then shuts them down, never to be seen again." These actions allow attackers to evade blacklists and Web software designed to track illegitimate sites. AVG further reports that they've seen an upwards of 300,000 uniquely infective sites in a single day.

Another transient approach AVG observed is the use of malicious advertising, or malvertising. Legitimate websites are top targets for Web advertising exploits, as their high traffic levels increase an attacker's potential success rate; the more times an ad appears, the greater the likelihood it will affect an unsuspecting visitor. In my previous tip about Web advertising exploits, I outlined how attackers use malvertising to compromise systems and how enterprises can protect against them. These attacks become much more effective seeing that attackers like appealing to users by focusing on recent events.

Any topic of wide interest, from news headlines to political happenings to holiday gift ideas, can assist an attacker in their malicious efforts. Since such events appeal to hearts and minds of everyday people, attackers can increase their effectiveness two-fold. For example, many of the latest attacks have focused on the sour economy, seeking to exploit those looking to receive stimulus money from the government. An attacker could use a compromised advertisement network to place malware-laden banners on thousands of legitimate sites. To produce better results, they may also create thousands of sites that focuses on their message (economy, news headlines or otherwise), and attempt to achieve a high ranking in Google search queries by maximizing specific key words. That way, when a user searches for ways to obtain stimulus money or headlines on specific events, they may incidentally click on search results that lead to a malicious site. Attackers can continue this approach of creating sites and compromising ad networks using different "news headlines" and new search engine queries.

For more information
Don't let Flash-based malware into your network. Find out how to stop it.

Check out this screencast and learn how to use Wikto for Web server assessment.
Countering evolving Web threats
One of the best ways to counter newly created sites containing malware is to use some sort of proxy or Web filter that denies new sites not yet scanned and classified under a certain category (i.e. business, investing, news, social networking, etc.). While this strategy will help prevent new websites from compromising systems, it doesn't do anything for compromised legitimate sites allowed by default. For those sites, the best option is to ensure the enterprise security products in place are configured to combat the entire Web threat landscape, namely via real-time analysis of sites prior to serving them to users.

Since no Web filtering product offers the silver bullet solution, it's imperative to implement additional proactive countermeasures. I mentioned several in my tip on security beyond compliance, such as log analysis, egress traffic monitoring and whitelisting. To add to these, create a honeytoken (a cleverly titled file that shouldn't be accessed, but sets off an alarm when it is) or an IDS signature that alerts administrators when non-Internet-accessible servers are attempting to access the Web. In most cases, malware will attempt to "phone home" to download additional files, likely for more sinister acts.

Don't miss need-to-know info!

Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!
It's also wise to regularly re-evaluate the websites that users are able to access. I'm a firm believer in making only the required resources available to accomplish the job. Providing full Web access to all users is a privilege; therefore it should be controlled and limited. Perhaps the most highly targeted and exploited kinds of sites today are social networks. If they are absolutely required for internal collaboration, create an intranet platform, accessible only to employees and partners. Doing so will not only decrease risks, but also prevent the "accidental" release of proprietary or official information to everyone on the Web.

Malware authors are constantly seeking creative new ways to reach unsuspecting victims, and these short-lived, fast-moving, malware-laden websites seem to be an increasingly popular exploit technique. These attacks will be much more prominent in the foreseeable future. However, by blocking sites not scanned by a Web filter or proxy coupled with real-time analysis of legitimate sites, enterprises can successfully mitigate these evolving Web threats.

Marcos Christodonte II, MBA, CISSP, is an information security professional working for a consulting firm. He maintains an information security blog at www.christodonte.com.


This was first published in April 2009

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top