Latest Web security trends report reveals new genre of evasive attacks

Finjan today released its Web Security Trends Report (Q2 2007) which focuses on a new genre of highly sophisticated and evasive attacks designed to potentially bypass signature-based and database-reliant security technology. The report also describes the proliferation of affiliation networks based on a “hosted model” for malicious code, which utilize off-the-shelf malicious code packages to compromise highly popular websites and even government domains. Also following on from the trend revealed in Finjan’s Q1 report, new examples show the growing presence of malicious code in online advertising on legitimate websites.

Evasive Attacks Cover Their Tracks to Avoid Detection

Recent findings by Finjan reveal that hackers have created a new class of highly evasive attacks. These attacks represent a quantum leap in terms of their technological sophistication, going far beyond drive-by downloads and code obfuscation. In order to minimize the malicious code’s window of exposure, evasive attacks keep track of the actual IP addresses of visitors to a particular website or web page. Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address. This means that the second time a given IP address tries to access the malicious page, a benign page will be automatically displayed in its place. All traces of the initial malicious page completely disappear. The report provides examples of evasive attacks, along with the actual code used by the hacker to run them.

Hacking for Dollar$ – The Financial Affiliations Behind Modern Website Attacks

Driven by strong financial incentives and using widely available malicious code software packages, “affiliations” are being created that promote infections using a “hosted” model for the malicious code. In this scheme, the malicious code is usually located on a dedicated malicious code server (or a site that has been hacked to host the malicious code), while the participants in the affiliation insert a reference to the malicious code in various websites. The website owners are paid according to the number of infected visitors to the site. Finjan’s findings attest to the growing magnitude of these affiliation networks, which have been used to compromise highly popular websites and even government domains. Trojan keylogger log files show that the malicious code is being used to steal sensitive financial and personal information, such as bank account details, credit card numbers and social security IDs, for which e-criminals are willing to pay top dollar. The report includes statistics and maps showing how a single malicious code server operated by just one hacker has infected thousands of legitimate websites worldwide. As hundreds of hackers are already using this technique, this implies that the magnitude of this problem is already having a global impact.

Malicious Code in Online Advertising

A follow-up study conducted by Finjan’s MCRC has shed additional light on the growing presence of malicious code in online advertising. As websites depend more on advertising revenues, they often display ads from third party advertising networks, over which they may have little or no control. While legitimate website owners trust advertisers to display non-malicious content, advertisers sometimes “sublet” their space to others. This hierarchy can often comprise several layers, seriously compromising the level of control the website owner has over advertising content. The report includes a detailed analysis of an innocent blog site that deploys keyword-based advertisements that are placed automatically from an ad server. However, Finjan found that the ad content also included obfuscated references to malicious code on a third site that uses multiple infection techniques to download a Trojan keylogger to the user’s machine. Another recent example of this trend was a banner ad hiding code with the ANI exploit that was unknowingly being hosted on one of the most popular techie websites.

Parting Advice

Finjan’s research confirms that attempts to pattern malicious code and create signatures, or to categorize known malicious sites, are clearly “too little, too late” when it comes to providing adequate protection to today’s dynamic and evasive web threats.