Saturday, 7 November 2009

Increase in Web Malware Activity

There have been many discussions in various Forums, Blogs and Message Boards that the Web has now become the primary vehicle for the Malwares to enter our networks. For more details about such a presentation, please refer to the WebCast “Web Attacks: How Hackers Create and Spread Malware”, presented by Chris McCormack (Web Security Expert - Sophos) and Fraser Howard (Principal Researcher - Sophos). It is very scary, as pointed out in this WebCast, that there is no such thing as a trusted website. Even the most legal site can become the epicenter of spreading out Malware infections. From the popular social networking sites to private/public discussion boards, web sites and blogs, anything can become the harboring ground of these Web Malwares. The table below, taken from Kaspersky Security Bulletin (Statistics 2008), shows the number of Web Malwares detected in some of the popular social networking site. This statistics is compiled by comparing the number of malicious programs that attacked users of different social networking sites.

Social Networking Site

Malwares Detected (2008)

Registered Users (2008)

Odnoklassniki (www.odnoklassniki.ru)

3302 Malwares

22000000 Users

Orkut (www.orkut.com)

5984 Malwares

67000000 Users

Bebo (www.bebo.com)

2375 Malwares

40000000 Users

Livejournal (www.livejournal.com)

846 Malwares

18000000 Users

Friendster (www.friendster.com)

2835 Malwares

90000000 Users

Myspace (www.myspace.com)

7487 Malwares

253000000 Users

Facebook (www.facebook.com)

3620 Malwares

140000000 Users

Cyworld (us.cyworld.com)

301 Malwares

20000000 Users

Skyblog (www.skyblog.com)

28 Malwares

2200000 Users

Source: Kaspersky Security Bulletin (Statistics 2008)

Similarly, the below graph shows the sudden increase of Web Malwares activity related with some of the popular social networking sites.

clip_image002

Source: Kaspersky Security Bulletin (Statistics 2008)

Recently it was discovered that social networking sites were getting used as botnet command control. Arbor Network Security reported that, they have identified a Twitter account that was being used as part of an update server for infected systems that were part of a botnet. This account was issuing base 64 encoded tweets that pointed to links where the infected computers could receive malware updates from. Almost similar kinds of botnet command control mechanism were also detected in Tumblr & Jaiku as well. These bots were using RSS feed to get the status updates.

It was pointed out by Google that ‘1% of all search results contained at least one result that point to malicious content and the trend seems to be increasing’. Of the billions of web pages that they have investigated, more than 3 million unique URLs on over 180,000 web sites automatically install Malwares by drive-by download. Shown below are some of the interesting statistics of Malware activity identified in the Web. These interesting trends were observed by the Google Security Team.

clip_image004

Source: Google Online Security Blog

The above graph shows the percentage of daily queries that contain at least one search result identified as Malicious.

clip_image006

Source: Google Online Security Blog

The above graph shows the number of entries in the Google Safe Browsing Malware List. It becomes obvious from these graphs that in the last few years there has been a constant increase of Web related Malwares. The Google research paper on this increasing trend of Web Malware activity, as observed by the Google Security Team, can be referred to from the URL mentioned below in the reference section of this article (Google Research).

Taken from Kaspersky Monthly Malware Statistics, the below table shows the top twenty Web Malwares with new infections detected (highlighted in yellow) and the number of infected web pages.

Position

Malware Name

Infected Web Pages

Trojan-Downloader.JS.Gumblar.a 

8538 

Trojan-Clicker.HTML.IFrame.kr 

7805 

Trojan-Downloader.HTML.IFrame.sz 

5213 

Trojan-Downloader.JS.LuckySploit.q 

4719 

Trojan-Downloader.HTML.FraudLoad.a

4626 

Trojan-Downloader.JS.Major.c 

3778 

Trojan-GameThief.Win32.Magania.biht 

2911 

Trojan-Downloader.JS.ShellCode.i 

2652 

Trojan-Clicker.HTML.IFrame.mq 

2576 

10 

Exploit.JS.DirektShow.o 

2476 

11 

Trojan.JS.Agent.aat 

2402 

12 

Exploit.JS.DirektShow.j 

2367 

13 

Exploit.HTML.CodeBaseExec 

2266 

14 

Exploit.JS.Pdfka.gu 

2194 

15 

Trojan-Downloader.VBS.Psyme.ga 

2007 

16 

Exploit.JS.DirektShow.a 

1988 

17 

Trojan-Downloader.Win32.Agent.cdam 

1947 

18 

Trojan-Downloader.JS.Agent.czm 

1815 

19 

Trojan-Downloader.JS.Iframe.ayt 

1810 

20 

Trojan-Downloader.JS.Iframe.bew 

1766 

Source: Kaspersky Monthly Malware Statistics

Web Malwares have become a major contributor to this growing Malware menace. According to ScanSafe's Annual Threat Report, on an analysis of 200 billion web requests they came to a conclussion that web malware infection surged 582 percent last year, with a significant increase visible toward the last quater of 2008. Security researchers at AVG Technologies have observed that the number of new infected Web sites has grow by 66 percent, from 100,000 to 200,000 per day to 200,000 to 300,000 per day it is expected that this trend would continue in days to come.

Since 2006, the number of Malware signatures of most of the Antivirus vendors has doubled. But with new variants getting created, newer methods of infection and increase in the numbers of distribution points, which are mainly compromised websites, this has resulted in a situation where the Antivirus vendors are now finding it difficult to block these threats, hence, resulting in misses in Malware detection. Earlier Antivirus companies were blocking a major portion of these Malwares with dedicated and generic signatures. However today, it has become literally impossible to block these Malwares with older methodologies. The below statistics (Jan-Jun 2009) shows the misses by some of the major Antivirus engines to detect Malwares and this trend has increased off late.

clip_image008

Source: CommTouch Labs

After calculating an average daily detection rate of some of the major Antivirus vendors, it was revealed by Cyveillance, a cyber-intelligence gathering company, that none of these Antiviruses were going over the 50% mark as far as successful detection is concerned. The top five scores came from McAfee (44 percent), Sophos (38 percent), Dr. Web (36 percent), Symantec (35 percent) and Trend Micro (34 percent). The list also had details of AVG (31 percent), F-Secure (28 percent), ESET (27 percent), Sunbelt (26 percent), F-Prot (23 percent), Norman (23 percent), Kaspersky (18 percent) and VirusBuster (16 percent). Similarly, Panda Security Research also reported that, out of 1.5 million home computers they looked into, only 37.45 percent were correctly protected with an active anti-malware solution with the latest signature database and out of these protected computers, 22.97 percent had active malware infections which were undetected by the anti-malware solution. This is because, more than 52 percent of the Malwares will get reconfigured within 24 hours of its first release so that they can evade signature-based scanners. They also audited a total of 1,206 companies' network. These networks were protected by a variety of different security vendors and in 69.34 percent of the cases they were correctly protected. However they still found thay 71.79 percent systems of these networks were actively infected with Malware.

Heap Spraying

Heap spraying is a technique which is implemented using Javascript and the sole purpose is arbitrary code execution. Although heap spray exploits has been in use since 2001 but since 2005 a more widespread use of this technique is seen in exploits targeted for web malwares. Let us now see what actually heap spraying is and how it is done.

A vulnerable application (in this case, browsers like IE or Firefox), because of certain illegal operation due to badly coded error handling modules, can jump into invalid memory addresses. Once it jumps to those memory addresses it is unable to read data from that invalid memory address resulting in an application crash. When the application crashes it throws a popup as shown below:

clip_image001

Now, depending on the nature of the vulnerablity in the application, we can inject the heap with "nop + shellcode", as much as possible, untill the invalid memory address gets overwritten with "nop + shellcode" and becomes a valid memory. By this we can create a scenario where we can ensure that our custom "shellcode" gets executed the next time a similar illegal operation happens and the application tries to reference that invalid address again. Once we control this behavior with a properly written exploit code, we can successfully use the vulnerability to our advantage to achieve arbitrary code execution. Please refer to the below image for a better understanding of the concepts mentioned above.

clip_image003

However, to successfully achieve arbitrary code exection using heap spray, there is one important things that we need to keep in mind. That is, as per the Windows Memory Layout, address higher than 0x7FFFFFFF falls in the KERNEL ADDRESS SPACE and address lower than 0x7FFFFFFF falls in the USER ADDRESS SPACE. The address of a program heap falls within this USER ADDRESS SPACE i.e the address is less than 0x7FFFFFFF. So during the overwriting of the heap and the invalid memory address, we must keep in mind that we are overwriting memory addresses that fall within the USER ADDRESS SPACE, not the KERNEL ADDRESS SPACE. If we write in memory locations that belong to the KERNEL ADDRESS SPACE, there will be a system crash.