With Web-borne threats and drive-by downloads becoming the most troublesome form of malware today, enterprise IT administrators and users alike need to reconsider the tools and practices they prescribe and employ to protect computers and data-particularly as otherwise legitimate Web sites become the primary vector for malware transmission.
We’ve seen a two-fold approach to malware as evil doers attempt to monetize their evil doings.
The first form stems from the phishing business, where malware authors create new domains and Web sites so fast that URL filtering and signature databases cannot keep up. The goal here is to score a few victims before the security companies can generate new signatures.
The second form consists of hijacked Web sites-sites that are otherwise legitimate but have been corrupted in a way that leads its visitors to malicious content.
An example of the interplay between these two types of Web threats is the Asprox botnet. The botnet originally derived from phishing attempts to draw unwitting users to malware via short-lived Web sites, but, in the last few months, Asprox has morphed into SQL injection attacks against legitimate sites. In automated fashion, the botnet leverages Google to find and exploit Web sites with vulnerable Active Server Pages injecting an IFrame into the assailable site that redirects site visitors to exploit code elsewhere on the Web.
According to some sources, legitimate Web sites now comprise the majority of pages currently hosting malware. In its July 2008 Security Threat Report Update, Sophos Labs declared that 90 percent of the infected Web pages it detected in the first half of 2008 originated from legitimate Web sites that were hacked in some form. The report also stated that Sophos Labs found, on average, more than 16,000 new infected pages each day during that time.
The changes in the way malware is propagated necessitate changes in the way IT managers secure corporate assets and give advice to users on keeping safe.
If the legitimate Web sites a user visits regularly, such as banks, merchants or social networks, can no longer be trusted to be clean, the old “spam-oriented” rule-not clicking on links in e-mail-becomes less relevant.
Indeed, when legitimate Web sites are the major source of malware, and users cannot readily tell whether a site is trustworthy by looking at it, there needs to be a technological solution to fill the breach and provide some assurance to users that the sites they visit are safe at this very moment-not five months ago, not an hour ago, but now.
Security providers have been trying out many new technologies to combat the problem of Web threats, as older, signature-based detections of the file system performed by anti-virus platforms have proven ineffective against new types of threats. (I’ve been trying out some of these systems; see how they’ve fared here.)
Newer technologies layer on Web reputation validation, in-line Web traffic scanning and script-blocking technologies to a browser’s extended capability set, while anti-virus vendors augment their own platforms with more heuristic and behavioral analysis features.
Most of these browser add-on technologies have been targeted squarely on the Wild West that is the consumer’s Microsoft Windows-based PC. Corporate customers, to date, have not suffered as much from Web threats, as enterprise administrators have deployed a tiered phalanx of both network- and host-based security solutions to combat all types of threats.
For example, intrusion prevention appliances or an in-line Web gateway appliance can detect and block both outbound traffic that looks like botnet activity, and inbound, malware-laden Web traffic. However, network-based solutions will not protect users as they go mobile, outside the corporate network perimeter.
Makers of security solutions geared toward enterprise customers have made strides to improve their built-in detection and analysis of Web network traffic-blocking code from touching a protected system by examining the way it behaves or identifying its similarities to known threats before it touches the file system.
There are different approaches that administrators will need to evaluate before making any kind of deployment decision. Some products plug into the browser to specifically examine how things such as ActiveX or JavaScript behave, while others perform a more holistic HTTP scan that determines whether a Web request was made from a browser, e-mail application or other source. Other solutions, meanwhile, are baked into enterprise security platforms.
Some security companies are also changing the model by which malware is identified. Trend Micro, for example, is moving from a signature push model-where signatures need to be updated frequently all over the network-to a request-time pull for threat information from the cloud.
With the latter method, when a Web request is made, Trend Micro’s detection software (be it in a network appliance or an OfficeScan endpoint) polls a real-time database in the company’s threat assessment network to compare the request and detected traffic to an up-to-date database of threats. With this approach, Trend Micro claims a 15-minute response time to new threats in its service-level agreement.
Rethinking Web Browser Security
=Basic advice }
Enterprise IT may be tempted to delve into consumer-oriented tools to augment the security of their most exposed, remote workers. However, such experiments will be fraught with complications. With most of these products, there is no central management component, so each instance is managed and updated on a one-off basis. Also, the products vary in their support for different browsers, which could interfere with the operation of outdated but mission-critical Web applications.
The best practical, vendor-neutral advice I can offer to avoid Web threats is to keep your systems patched-and by this I mean the operating system, the browser and its add-ons, as well as applications.
That said browser updates can sometimes cause incompatibilities with legacy Web applications.
Security software itself can even punish companies that don’t keep fully up-to-date. For example, one of my favorite Web site validation and scanning tools-the stand-alone version of AVG’s LinkScanner Pro-does not yet support Firefox 3.0, more than a month after the release of Mozilla’s latest browser. AVG claims to support Firefox 3.0 with the LinkScanner functionality baked into the company’s full Internet security suite, but support has not yet been extended to the stand-alone version of LinkScanner Pro.
In cases like these, administrators must weigh the use of a security program versus the productivity gained by using the application itself (and productivity usually wins). But if a security company has been known to be slow to adapt to browser improvements, the security solution will likely be a bad fit for corporate use on an ongoing basis.
Rethinking Web Browser Security
=DNS Dilemma}
Interestingly, much of the work being done on Web reputation systems-such as those offered by Trend Micro, McAfee and AVG-could quickly fall apart if DNS (Domain Name System) poisoning attacks gain traction in the wild, leveraging vulnerabilities such as the one recently found by security researcher Dan Kaminsky that prompted most DNS server providers to quickly issue a critical fix.
Trend Micro Director of Web Security Business Ken Beer called DNS poisoning and infected host files “the Armageddon” because validation services base much of a Web site’s reputation score on the actual domain by evaluating the name against details provided by the domain registrars.
“We are starting to ramp up to do some degree of association [between IP address range and a domain name for a given amount of time],” Beer said. “But trying to direct map from this IP address to this domain for a period of time is really like chasing your tail.”
To keep DNS lookups accurate, administrators should make sure to patch their own DNS servers immediately and pressure ISPs to update their DNS servers as soon as possible. Administrators should also turn on features in their endpoint security solution or anti-virus platform that lock down the local hosts file, if that capability is an option.
Senior Analyst Andrew Garcia can be reached at agarcia@eweek.com.