Monday, September 28, 2009

Dasient details new attack @ Cyber Security East

Late last week I gave a talk at the Cyber Security East Conference in Washington, DC. Some of the other speakers included Robert Lentz (Deputy Assistant Secretary of Defense), Dr. Eric Cole (Chief Scientist of Lockheed Martin), and Robert Carey (Chief Information Officer, Department of the Navy). There was a lot of interesting and useful discussion, and I was glad to be able to contribute to the event.

In my talk, I reviewed the fundamental shift we've seen in the way malware is spreading, focusing on the 600% increase in web-based malware in the last two years. These attacks -- in which legitimate sites are compromised and turned into delivery vehicles for malware -- are impacting more than a million webpages per month, and in turn more and more legitimate sites are being blacklisted by major search engines, browsers, and AV companies.

I also shared a few examples of how web-based malware attacks are growing more sophisticated, based on data we've gathered in the last year using our proprietary malware analysis platform. As you may know, some web-based malware attacks can be attributed to a single injection of an iFrame or JavaScript code snippet, with a relatively obvious malicious domain in the SRC of the iFrame. Others employ heavily obfuscated JavaScript that can often be hundreds of characters long, and as such can be more difficult to spot or remove from an infected site -- but they still use a single injection point.

We are now starting to see attackers insert code via multiple injection points, to further obfuscate the bad code and make it more difficult for webmasters and traditional scans to detect. The screen below shows an example of this kind of attack that I presented last week:

Note that the attacker has injected JavaScript here, but it is not obfuscated, and it doesn't appear to point to a malicious domain. Hence, anyone who does a simple check for malicious domains may be easily fooled into thinking that the JavaScript is innocuous. The reality is quite different: the call to "getElementById" in the JavaScript reaches into another part of the document (where the first injection took place) to retrieve and decode the malicious domain. Once the domain is decoded (in the second injection), the attacker's domain is revealed to be the source of a malicious iFrame.
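To show why a literal domain check misses this pattern and what a scan can correlate instead, here is an added example (not Dasient's code and not the code from the presentation). It runs a blocklist string match and a cross-reference heuristic over a constructed page; the element ids, the placeholder text, the `decode()` call and the function names are all hypothetical.

```javascript
// Constructed sample page: ids, placeholder text and decode() are hypothetical.
const SAMPLE_PAGE = `
<html><body>
<div id="ftr9" style="display:none">ENCODED-PLACEHOLDER-NOT-A-REAL-VALUE</div>
<p>Welcome to our store.</p>
<script>
  var raw = document.getElementById("ftr9").innerHTML;
  var f = document.createElement("iframe");
  f.src = decode(raw); // decoding routine elided in this constructed sample
  document.body.appendChild(f);
</script>
<script>var el = document.getElementById("menu"); el.className = "open";</script>
<ul id="menu"><li>Home</li></ul>
</body></html>`;

// Signature-style check: which blocklisted domains appear literally in the page?
function naiveDomainCheck(html, blocklist) {
  return blocklist.filter((d) => html.toLowerCase().includes(d.toLowerCase()));
}

// Sinks through which a script can pull remote content into the page.
const SINKS = [/createElement\(\s*["']iframe["']\s*\)/i, /document\.write(ln)?\s*\(/i, /\.src\s*=/i];

// Text of the element carrying the given id, or null when no such element exists.
function elementTextById(html, id) {
  const esc = id.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const m = new RegExp(`<(\\w+)[^>]*\\bid=["']${esc}["'][^>]*>([\\s\\S]*?)</\\1>`, "i").exec(html);
  return m ? m[2].trim() : null;
}

// Pair every inline script that both reads another element and has a loading sink
// with the content of the element it reads, so the two fragments are reviewed together.
function findCrossReferencedInjections(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  for (let index = 0; (m = scriptRe.exec(html)) !== null; index++) {
    const body = m[1];
    const sinkCount = SINKS.filter((re) => re.test(body)).length;
    if (sinkCount === 0) continue;
    for (const ref of body.matchAll(/getElementById\(\s*["']([^"']+)["']\s*\)/g)) {
      findings.push({ script: index, elementId: ref[1], elementText: elementTextById(html, ref[1]), sinkCount });
    }
  }
  return findings;
}

console.log(naiveDomainCheck(SAMPLE_PAGE, ["malicious.example"]));
console.log(findCrossReferencedInjections(SAMPLE_PAGE));
```

The blocklist match returns nothing because the domain never appears in clear text, while the heuristic flags the first script together with the hidden element it reads and leaves the benign menu script alone. It is a static triage aid only; it does not execute the page.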

This new attack makes it clear that the purveyors of web-based malware are actively looking for ways around malware scans, and it underlines the importance of going above and beyond signature-based analysis in the battle against this threat. For example, the Dasient WAM malware-analysis platform was able to proactively capture this new multiple-injection attack in no small part because of its strengths in behavioral analysis. We believe that as the web becomes more sophisticated and as attackers continue to embrace new, increasingly automated attack vectors, businesses on the web will need to deploy protections that work at web speed and web scale to keep themselves safe.

To learn more about how Dasient WAM can help you protect your site, check out our product overview.


  1. Very interesting topic. My online project gambling seo was injected recently; I could hardly reveal it. I'll check out your Dasient WAM product, maybe it will be useful for me. Thanks for announcing.
