Short-lived Web malware: Fading fad or future trend?


Marcos Christodonte II, Contributor
04.01.2009


Recently, security software vendor AVG Technologies asserted that Web-based malware attacks are now so prevalent that attackers craft them to be "secretive, short-lived and fast-moving." It's an acceptable premise, but why the sudden shift? Is it because more active and open attacks aren't as successful or noteworthy? Well, not quite. Let's explore why attackers do this, how they do it, and how enterprises can defend against short-lived Web malware.

Transience is key
Malware delivery has mutated since the days of traditional delivery methods like floppy disks, email attachments and word-processor documents. Such methods took time and patience and had a much lower success rate. Malware would lie dormant for days or weeks, waiting for a particular action or trigger, such as a system reboot or the execution of a specific file. While many of the same types of malware are used today (worms, Trojans, rootkits and so on), more sophisticated Web delivery minimizes the likelihood that attackers are caught by antivirus signatures or heuristic checks.

Today's threats don't require the user to execute a file. Modern malware can infect through "drive-by downloads," installing itself and stealing data without a click or any other action from the user. This is where the transience differs from earlier malware, which, as noted above, required some form of user action. Stealthy behavior lets attackers go unnoticed, infect quickly and move on to other targets. Why they take this approach is fairly clear; nonetheless, security professionals must understand how they do it in order to defend against it properly.

Speed, secrecy and recency
Using crafty and fast-moving operations, attackers take multiple approaches to compromise systems. According to AVG, an attacker "simply sets up hundreds of seemingly legitimate websites with embedded infections, promotes them for a day or two, and then shuts them down, never to be seen again." These actions allow attackers to evade blacklists and Web software designed to track illegitimate sites. AVG further reports having seen upwards of 300,000 uniquely infective sites in a single day.

Another transient approach AVG observed is the use of malicious advertising, or malvertising. Legitimate websites are top targets for Web advertising exploits, as their high traffic levels increase an attacker's potential success rate; the more times an ad appears, the greater the likelihood it will affect an unsuspecting visitor. In my previous tip about Web advertising exploits, I outlined how attackers use malvertising to compromise systems and how enterprises can protect against them. These attacks become much more effective because attackers appeal to users by focusing on recent events.

Any topic of wide interest, from news headlines to political happenings to holiday gift ideas, can assist an attacker in their malicious efforts. Since such events appeal to the hearts and minds of everyday people, attackers can increase their effectiveness two-fold. For example, many of the latest attacks have focused on the sour economy, seeking to exploit those looking to receive stimulus money from the government. An attacker could use a compromised advertisement network to place malware-laden banners on thousands of legitimate sites. To produce better results, they may also create thousands of sites that focus on their message (economy, news headlines or otherwise) and attempt to achieve a high ranking in Google search queries by maximizing specific keywords. That way, when a user searches for ways to obtain stimulus money or for headlines on specific events, they may incidentally click on search results that lead to a malicious site. Attackers can repeat this approach of creating sites and compromising ad networks with different "news headlines" and new search engine queries.

Countering evolving Web threats
One of the best ways to counter newly created sites containing malware is to use a proxy or Web filter that denies new sites not yet scanned and classified under a certain category (e.g. business, investing, news, social networking). While this strategy will help prevent new websites from compromising systems, it does nothing for compromised legitimate sites that are allowed by default. For those sites, the best option is to ensure the enterprise security products in place are configured to combat the entire Web threat landscape, namely via real-time analysis of sites prior to serving them to users.

Since no Web filtering product offers the silver bullet solution, it's imperative to implement additional proactive countermeasures. I mentioned several in my tip on security beyond compliance, such as log analysis, egress traffic monitoring and whitelisting. To add to these, create a honeytoken (a cleverly titled file that shouldn't be accessed, but sets off an alarm when it is) or an IDS signature that alerts administrators when non-Internet-accessible servers are attempting to access the Web. In most cases, malware will attempt to "phone home" to download additional files, likely for more sinister acts.
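As an added example (not from the article or any vendor product), the following Python checker applies the two controls described above to constructed proxy log lines: it flags requests to domains the filter has not yet classified (deny-by-default), and it alerts when a host in a server range with no business need for Web access attempts an outbound request, the "phone home" pattern. The category database, the no-egress network range and the log format are all assumptions.

```python
import ipaddress
from typing import List, Tuple

# Hypothetical URL-category database (assumption): domains the Web filter has
# already scanned and classified. Anything absent is "not yet classified".
CATEGORY_DB = {
    "news.example.com": "news",
    "bank.example.org": "investing",
    "ads.example.net": "advertising",
}

# Internal ranges with no business need to reach the Web (assumption): a
# back-end server tier that should never be seen making outbound Web requests.
NO_EGRESS_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed proxy log lines: "<timestamp> <client_ip> <domain> <method>".
SAMPLE_LOG = """\
2009-04-01T09:12:03 10.0.1.15 news.example.com GET
2009-04-01T09:12:10 10.0.1.22 stimulus-money-now.example GET
2009-04-01T09:13:41 10.0.5.7 updates.example-cdn.net POST
2009-04-01T09:14:02 10.0.1.15 bank.example.org GET
"""

def check_request(client_ip: str, domain: str) -> List[str]:
    """Return the policy findings for one request (empty list = allowed)."""
    findings = []
    src = ipaddress.ip_address(client_ip)
    if any(src in net for net in NO_EGRESS_NETS):
        # A server that should never talk to the Web is trying to: treat it as
        # a likely "phone home" and alert, whatever the destination.
        findings.append("server-egress")
    if domain not in CATEGORY_DB:
        # Deny-by-default for sites the filter has not yet scanned and classified.
        findings.append("uncategorized-site")
    return findings

def scan_log(lines: List[str]) -> List[Tuple[int, str, str, List[str]]]:
    """Evaluate every log line; return (line_no, client_ip, domain, findings) for hits."""
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the checker
        _timestamp, client_ip, domain = parts[:3]
        findings = check_request(client_ip, domain)
        if findings:
            alerts.append((line_no, client_ip, domain, findings))
    return alerts

if __name__ == "__main__":
    for line_no, client_ip, domain, findings in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {client_ip} -> {domain}: {', '.join(findings)}")
```

In the sample log, only the workstation's requests to classified sites pass; the stimulus-themed domain is held until classified, and the back-end server's outbound POST is raised as an egress alert regardless of destination.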

It's also wise to regularly re-evaluate the websites that users are able to access. I'm a firm believer in making only the required resources available to accomplish the job. Providing full Web access to all users is a privilege; therefore it should be controlled and limited. Perhaps the most highly targeted and exploited kinds of sites today are social networks. If they are absolutely required for internal collaboration, create an intranet platform, accessible only to employees and partners. Doing so will not only decrease risks, but also prevent the "accidental" release of proprietary or official information to everyone on the Web.

Malware authors are constantly seeking creative new ways to reach unsuspecting victims, and these short-lived, fast-moving, malware-laden websites seem to be an increasingly popular exploit technique. These attacks will be much more prominent in the foreseeable future. However, by blocking sites not scanned by a Web filter or proxy coupled with real-time analysis of legitimate sites, enterprises can successfully mitigate these evolving Web threats.

Marcos Christodonte II, MBA, CISSP, is an information security professional working for a consulting firm. He maintains an information security blog at www.christodonte.com.

