The Web becomes an attack vector
by Computer security
As the majority of computer users are now reasonably well protected against email threats, malware authors have turned their attention to the Web — and found it to be the ideal attack vector. The vulnerabilities discovered in Web browsers leave computers wide open to exploitation. Additionally, vulnerabilities in browser plug-ins such as Adobe Flash Player and Apple QuickTime open more doors through which private and confidential information can be compromised. Such is the extent of the problem that the SANS Technology Institute listed malicious websites that seek to exploit vulnerabilities at number one on its “Top Ten Cyber Security Menaces for 2008” list [12].

The emergence of Web 2.0 — the name given to the collection of technologies that enables people to interact with the information held on the Web — has also resulted in new opportunities for exploitation; opportunities that the creators of worms such as Yamanner [13] and Samy [14] have already seized. Similarly, technologies such as RSS and ATOM present yet another channel that could potentially be exploited [15].

“Parts of the UK’s Critical National Infrastructure (CNI) [1] are being targeted by an ongoing series of email-borne electronic attacks. While the majority of the observed attacks have been against central Government, other UK organisations, companies and individuals are also at risk. The emails use social engineering to appear credible, with subject lines often referring to news articles that would be of interest to the recipient. In fact they are ‘spoofed’, making them appear to originate from trusted contacts, news agencies or Government departments.”
National Infrastructure Security Co-ordination Centre

“Web site attacks on browsers are increasingly targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. At the same time, web site attacks have migrated from simple ones based on one or two exploits posted on a web site to more sophisticated attacks based on scripts that cycle through multiple exploits to even more sophisticated attacks that increasingly utilise packaged modules that can effectively disguise their payloads.”
SANS Technology Institute [7]

To get malware onto users’ computers, a wide range of techniques may be deployed. Emails or links on websites are used to lure people to sites which have been configured to exploit a vulnerability to silently download and install malware (“drive-by downloads” [16]). Web search results can be poisoned to lead users to booby-trapped websites [17]. Vulnerable web servers can be compromised using tools such as MPack [18] enabling the legitimate websites that they host to be hijacked and used as delivery agents for malware [19]. Malware can also be served via banner ads on legitimate websites.

In 2006, up to one million MySpace users were infected by banner ads which silently installed malware by exploiting a vulnerability in the Windows Graphics Rendering Engine [20]. The malware was relatively harmless and simply caused the computers to display pop-up ads, but it could just as easily have been a password-stealing Trojan that fed bank account information back to those responsible for the hack.

Compounding the problems, Web attacks have also become increasingly sophisticated and attempt to exploit multiple vulnerabilities simultaneously while using complex obfuscation techniques to conceal the payload from anti-virus and anti-spyware scanners.

People who visit a hacked or malicious website may find that their computer is co-opted into a botnet and used like a drug-smuggling “mule” to traffic spam, that their bank account details and other personal information have been stolen by a keystroke logger [21] or that their computer is suddenly displaying unwanted popup advertisements.