The web is a key means of attack for organised crime. Recent figures indicate around 1 in every 150 websites is compromised (i.e. has been subverted in some fashion) and acts maliciously to attack the systems that browse to them.
Web-based exploits are currently the fastest growing attack on the internet with around 0.24 per cent of websites advertising at least one compromised webpage based on a Microsoft study published in December 2009.
Other sources show higher infection rates, for example Kaspersky Labs identified almost 120 million servers in the first quarter of 2010 of which 0.64 per cent were malicious. These web servers typically deliver what is called a ‘drive by download’ which is an exploit that occurs, for example, when your web browser or other web application visits a web page or artefact such as a QuickTime video clip.
Your browser can receive malicious content, which is usually obfuscated to avoid detection and attempts to compromise the users system. For example, a key-logger program could be installed without the user's permission in order to gather sensitive user name and password data.
Web servers can be compromised by a variety of means and can continue to be malicious for some time, even though the exploit itself may have completed its life cycle. A recent study from AVG indicates that these compromised sites can be active for as little as 24 hours, although the server itself may not be cleaned up by system administrators for some time.
The attackers deploy exploit kits such as the well-known MPack server-side PHP-based malware kit that can be purchased over the internet. It is sold commercially, with support and regular updates and can be offered with professional services for bespoke attack or obfuscation features.
The hosting web server is often just one part of an attack that can be made up of several exploit servers working together using redirection. Furthermore the exploit servers used can be changed to avoid detection and countermeasures.
Once servers are compromised the attacking organisation can develop campaigns to target certain exploits and groups of victims. The compromised web server is set to craft exploit code targeted to the client system based on the browser and operating system data passed as part of the HTTP exchange.
The attack tests various vulnerabilities looking for a means to intrude and deliver malware. Once delivered the user’s system is exploited for the organisation’s goals to be fulfilled.
Other attack vectors are well developed such as the use of social networking to spread links to compromised web artefacts. For example malicious spam can advise us of the death of some celebrity and recently web surveys have been used to entice victims with the promise of winning a gadget.
Web content is also being specifically developed to target users of search engines, for example content is crafted based on the top search data from Google. The crafted content is created and put up on the web and its ranking manipulated so that victims searching for topical content are able to easily find the attackers content.
As hinted at above there are many cycles involved in this web malware jungle. The attack itself can be very short lived; it can be targeted specifically, using social networking, spam and highly topical content.
These are often quite short life cycles requiring a large-scale rapid detection mechanism to discover, study and counter threats. The after effects can be long lived, with the compromised user systems forming part of a botnet that can live and grow for months.
Anti-virus vendors such as AVG and Kaspersky, provide solutions for end users to protect against drive-by-downloads. For example, the linkscanner from AVG currently has 110 million deployments acting as a large internet sensor, which identifies online threats.
Search-Shield scans search results from Google, Yahoo, MSN, etc. to provide a safety ranking for websites. Search engines such as Google and Bing provide a ranking system for websites and Google provides an API through which third parties can ask whether a particular website is malicious or not.
The web servers and artefacts can be specifically developed and deployed for an attack or can compromise existing servers and content. Behind these are a shifting set of exploit servers that can change rapidly. Various projects or services, such as HoneySpider run by the Dutch, Polish and Norwegian CERTs routinely survey their clients to detect for signs of malicious activity so that system administrators can clean up their systems.
The malicious nature of the content can be detected in various ways and used to create blacklists, provide feedback in web search results or website rankings to web users.
However, some exploited web pages remain compromised for long periods and are simply inactive because the exploit servers have been redeployed, rather than the attackers cleaning up after their attack.
The user and their computer system is also a moving target. The attacks are based on exploiting some vulnerability in applications and operating system and often the attack is done through a web browser and its helper or plug-in applications. These components have their own development, patch and upgrade cycles that counter various attack vectors, whilst the attackers seek new means to exploit their prey.
In recent years there has been an explosion in the number of browsers in widespread use causing more work for the attackers. For example in June 2010 Firefox was the most popular browser, with 46.6 per cent of the market but the browser space includes significant deployment of IE 6, 7 and 8, and Chrome. New browsers have developments to provide greater security whist browsing, such as sandboxing and cross-site scripting mitigation techniques.
Likewise the number of host operating systems deployed by users has changed over time, however, Microsoft Windows XP still makes up 56.4 per cent of the measured systems in June 2010. The attack space has widened further with the availability of smart phones with capable browsers and rich featured operating systems.
The drive-by-download continues to be an expanding threat making the web a dangerous place but countermeasures from anti-virus systems to search engines and application development cycles are playing their part in fighting the problem.