Browse archive

Latest news

(IN)SECURE Magazine issue 38 released

Collected data helped foil 50 terrorist plots, says NSA chief

65+ websites compromised to deliver malvertising

Customized spam uses cell phone users’ data against them

Facebook once again accessible via Tor

Oracle releases critical security updates for Java

Employees biggest IT threat to businesses

Google asks secret court permission to publish FISA numbers

Failed backups endanger revenue and productivity

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

Hacking charge stations for electric cars

Know Your Enemy: Behind the Scenes of Malicious Web Servers

by The Honeynet Project - Wednesday, 7 November 2007.

In our recent KYE paper on malicious web servers, we identified several hundred malicious web servers. These servers launched, so-called drive by downloads, that allowed them to gain complete control of the client machine without the consent or notice of the user, who merely visited the malicious web server with his (vulnerable) web browser. In our study, we analyzed a large number of web servers with our client honeypot Capture-HPC, which allowed us to assess whether a server was malicious, then inspect the exploit code that was sent to the client and the potential malware downloaded. However, many questions remained unanswered:

1. We observed that malicious servers were not consistent in their behavior. When interacting with a malicious server, it might initially demonstrate malicious behavior, but cease to do so on subsequent attempts. We were unable to discover with certainty the reason or technique for this non-deterministic behavior.

2. We observed that only the Internet Explorer browser was targeted. Was this because attackers were choosing not to attack the other browsers in our study, or because of the specific set of browsers/versions we chose to include?

3. We observed that malicious web pages accessed centralized exploit servers. However, we were unable to determine whether this was common practice or a one-time incident.

4. We consistently observed obfuscation to be deployed on the malicious pages, but could determine neither how the obfuscated code was generated nor whether there are elements of the obfuscation engine that are consistent and detectable with static code analysis.

Web exploitation kits, which increasingly appeared in 2006/7, will provide us with a behind-the-scenes look at how these malicious web servers operate. In this paper we will give a brief functional overview of several web exploitation kits, then dwells into answering the questions above through analysis of these kits and malicious web servers that use it. The web exploitation kits that we will examine are Webattacker, MPack and Icepack. We conclude with implications of our discoveries on client honeypot technology and future studies on malicious web servers.

Download the paper in PDF format here.