ISTR XIII: Malicious Code—Who Do You Trust?
In late May 2007, the MPack attack kit was first observed in the wild. This kit relied on compromised Web pages to redirect users to an MPack server that attempted to exploit Web browser and plug-in vulnerabilities in order to install malicious code on computers. MPack experienced great success because it took advantage of the trust many users place in certain Web sites. Since the Web browser is the primary gateway to the Internet for most users, Web pages that they visit frequently—such as online forums and other Internet communities—are a useful means of compromising computers for attackers.
Because of the success of kits like MPack and Ice-Pack, it seems that malicious code authors have begun to incorporate similar features in the threats they create. In the current period, seven percent of the volume of the top 50 malicious code samples observed by Symantec modified Web pages. While this may not seem like much, it’s part of an upward trend. In the first half of 2007, only five percent of the top 50 samples of malicious code modified Web pages, and none did in the last half of 2006. Also in this period, two of the top ten new malicious code families modified Web pages.
There are two ways in which these samples modify Web pages. The first is that the malicious code adds its own code to a Web page so that other people who view the page may become infected. The second way is that an iframe tag is added to the Web page that redirects users to another Web site. Usually this Web site tries to exploit Web browser and plug-in vulnerabilities in a shotgun-style attack*. This type of attack is similar to the one employed by MPack.
While the Web pages that are modified by these threats don’t necessarily reside on a Web server, if the compromised user maintains their own site, the malicious pages can be uploaded to a Web host the next time the user updates their site. From there, any visitors to the site could potentially become infected. This could include the user’s friends and family; if the user maintains a software application, the implications could be even greater.
As more threats use the Web—in particular, browsers and their plug-ins—to install themselves on computers, users need to be careful even when visiting sites they know and trust. Make sure your Web browser is kept up to date with the latest security patches. Just as important is to make sure that any browser plug-ins you have installed are also fully patched. And, as always, make sure you have antivirus software running with the most recent definitions, as well as a good intrusion prevention system.
*A shotgun attack is one where a malicious Web page attempts to exploit multiple vulnerabilities at once in order to increase the chances of a user being compromised.