Web advertising exploits: Protecting Web browsers and servers

Web browser exploits are nothing new, but few security managers are consciously aware of the threat that Web advertisement exploits represent.

Web browsers became integrated into many daily job functions years ago. We use them to help streamline business processes, access organizational intranets, and reach across the world within seconds for information.

Browsers are responsible for displaying tons of website data, everything from application data, to links and images, to creative advertisements that rely on Java and Asynchronous JavaScript and XML (Ajax). Attackers realize that enterprises rely heavily on browsers, which is why they seek to compromise legitimate websites to silently install malicious code into enterprises via the Web browser.

Web advertisements (Web adverts)
Online advertising has become a huge profit center for website owners. Web adverts fuel many free websites, particularly social networks, blogs, forums and news sites.

Since Web adverts have a virtually unlimited capacity to reach millions of users, attackers look to them as a doorway to install malicious code. Advertising space on a website works through scripts that display images and media to lure a user into clicking on them. After taking over the server hosting these advertisements, attackers use URL redirection to send users to a website hosting their malware.

How attackers exploit websites and Web Servers
After clicking on a website advertisement, users are typically redirected to another website; if that site is compromised, the attacker has full control of the resulting page displayed by the advertisement.

Attackers look to exploit Web advertising in various ways. One tactic is to find unknown software vulnerabilities and use them to simultaneously exploit multiple legitimate sites. To do this, an attacker needs to find a flaw in commercial software, such as Web server software, before the software vendor. Then he or she must create a script that automatically compiles a database of websites using the vulnerable software.

Many websites use forums provided by popular vendors such as phpBB Group, vBulletin from Jelsoft Enterprises Ltd., or the open source group Phorum. Such software normally comes with a preconfigured string, such as viewtopic.php or showthread.php, which is added to URLs.

Attackers download tons of these and other types of popular software looking for holes and vulnerabilities to enable massive exploits. If an attacker finds a flaw in the software's source code, he or she can easily use a script that searches the Internet for all website URLs containing that unique string. This way an attacker can quickly assemble a database of vulnerable but legitimate sites, ready for exploit.

For an example of this type of query, Google the following: inurl:showthread.php or inurl:viewtopic.php and notice the millions of websites using the same forum software.

Exploiting flaws in popular software can give an attacker access to the website with the flaw and the entire Web server. Many websites use shared hosting, which means multiple unrelated websites are hosted on one server to save owners server fees. Therefore, a flaw in website software, a Web server's operating system or installed Web applications can grant an attacker access to every website hosted on that server.

There are also times when attackers redirect URLs to a site that appears genuine but is actually a typo of the legitimate site's domain name. I analyzed Web traffic patterns where a user's visit to one site showed traffic from five different sites within the same time stamp. Although the user thought he had visited one site, he actually established communications with at least five other sites, some for advertising and applications, but two from foreign ".ru" domains later found to host spyware.

Once malicious code is placed on a website, it can be silently installed through a user's browser, especially if that browser is outdated. When attackers host or control Web servers containing malware, they can change URLs daily and IP addresses as fast as every 120 seconds. This "fast flux" change of IP addresses is similar to what phishing attackers do to keep fraudulent sites online longer. It makes blocking known malicious sites and IP addresses nearly impossible. The task is not easy, but mitigation is possible.
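Because the addresses behind a fast-flux domain change too quickly to blocklist, the useful signal is the rotation itself, which shows up in resolver logs. The following is an added example, not code from the article: it profiles constructed DNS answers and flags domains whose addresses expire quickly and rotate across unrelated networks, the property that separates flux from an ordinary CDN. The log format, domain names, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed resolver log (not from the article): "seconds domain ip ttl", one observed answer per line.
# lure-example.net moves to a new address every 120 s across unrelated networks; cdn-example.com
# also rotates quickly but stays inside one range; static-example.org never moves.
SAMPLE_DNS = """\
0   lure-example.net 203.0.113.10 120
120 lure-example.net 198.51.100.77 120
240 lure-example.net 192.0.2.200 120
360 lure-example.net 203.0.113.99 120
480 lure-example.net 198.51.100.8 120
600 lure-example.net 192.0.2.45 120
0   cdn-example.com 198.51.100.20 60
60  cdn-example.com 198.51.100.21 60
120 cdn-example.com 198.51.100.22 60
180 cdn-example.com 198.51.100.23 60
240 cdn-example.com 198.51.100.24 60
0   static-example.org 192.0.2.1 86400
"""

def profile(dns_text):
    """Per domain: distinct addresses seen, distinct /16 networks those addresses fall
    in (a coarse stand-in for 'different hosting networks'), and the lowest TTL."""
    prof = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for line in dns_text.splitlines():
        _, domain, ip, ttl = line.split()
        p = prof[domain]
        p["ips"].add(ip)
        p["nets"].add(ip_address(ip).packed[:2])  # first two octets = /16
        p["min_ttl"] = int(ttl) if p["min_ttl"] is None else min(p["min_ttl"], int(ttl))
    return prof

def flux_candidates(prof, max_ttl=300, min_ips=5, min_nets=3):
    """A domain is a fast-flux candidate when its answers expire quickly, many distinct
    addresses were seen, and those addresses are scattered across several networks.
    The network test keeps a CDN (short TTL, many addresses, but one or two ranges)
    off the list; tune all three thresholds against your own resolver data."""
    return sorted(d for d, p in prof.items()
                  if p["min_ttl"] <= max_ttl
                  and len(p["ips"]) >= min_ips
                  and len(p["nets"]) >= min_nets)
```

Dropping the network test (`min_nets=1`) puts the CDN on the list as well, which is the false positive a naive "many IPs, short TTL" rule produces.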

To thwart exploits involving Web advertising, Web-based software and other related attack vectors, organizations must be persistent and adopt a defense-in-depth approach that blankets the infrastructure with security. The following are a few countermeasures that mitigate these threats:

  • Install a proxy appliance, such as those from Blue Coat Systems Inc., Secure Computing Corp.'s Secure Web (Web Washer), or SafeSquid from Office Efficiencies of India. These appliances provide Web content filtering and can be used to view and analyze Web traffic patterns. Proxies work in conjunction with a firewall, and all traffic can be forced through them using group policy. In addition, a proxy appliance can specifically block Web adverts, known malicious sites and various other categories (e.g., gambling, pornography, social networking) as defined by company policy.
  • Install behavior-based malware detection software. One of the latest offerings is through NovaShield Inc. They boast a modern product capable of taking on botnets, Trojans, rootkits, worms, and keyloggers. Other vendors include ScanSafe Inc.'s Security-as-a-Service (SaaS) and Sophos plc's Web security appliance.
  • Maintain constant contact with your antivirus vendor. When suspicious traffic or malware is found, immediately send links or samples to your provider. Doing so will enable the vendor to quickly analyze it and provide a signature file for updates across the enterprise, not to mention protect other enterprises.
  • Install browser and operating system security updates as soon as possible. These updates are released for a reason; if they are put off, the holes can quickly be exploited without notice.
  • Don't forget education! Users must be made aware of the dangers lurking on the Web. Attackers will use any platform available to circumvent your infrastructure. Social engineering is becoming a greater threat in social networking platforms. Train your employees to use caution when meeting new people online and to never discuss their positions, the organization, or sensitive information.
  • Immerse your employees in security. If no champion of security has been appointed, one should be. The organizational security champion must keep users thinking about security constantly. All too often, organizations fail to deliver updated security training after the initial new-hire orientation.

Web browsing has become risky business for enterprises, and online adverts are just one of the many methods malicious hackers use to exploit enterprises. Organizations must strive to find a balance between security and convenience. As the amount of organized crime online increases, enterprises must remain committed to preventing attacks and staying a few steps ahead of attackers.

About the author:
Marcos Christodonte II, CISSP, CCNA, MCP, Security+, is an information security officer working for the U.S. government.

This was last published in August 2008
