Symantec Intelligence

Use of legitimate sites in malicious web attacks

Created: 17 Jun 2010

Posted on behalf of Dan Bleaken, Senior Malware Data Analyst, Symantec Hosted Services

The MessageLabs Hosted Web Security Service (WSS) blocks millions of web requests every day to protect users from content that is either malicious or has been determined to be off limits based on company policy.  In a typical week in 2010 Symantec Hosted Services performs about 107 million blocks (up from 90 million per week in 2009), on 5-10 million distinct URLs, for several thousand clients.  That’s tens of thousands of blocks per client per week on average.   

Of these blocked URLs, 99.96% are policy-based blocks, the biggest proportion of which is for advertising, mostly pop-up ads or auto-forwarding to ads.  Symantec Hosted Services also blocks web sites related to Adult/Sexually Explicit material, Violence, Tasteless & Offensive material, Weapons, Criminal Activity, Gambling and Illegal Drugs, to name a few.  Clients have full control over which sites are off limits based on company policy. For example, a company whose business is betting/gambling would allow staff to view gambling sites as part of their job.

The remaining 0.04% of blocks are malicious. While this number may seem small, it realistically translates to many tens of thousands of blocks in a week.  The malicious blocks are tiny in proportion to all blocks but very important, as they pose a great risk to the client.  Malicious web sites are not a matter of policy and they do not fall under any particular category.  In theory almost any web site is capable of hosting malware or forwarding to a site that does.  Sites can be set up and hosted by criminals, or legitimate websites can be compromised.  One malicious website, visited by one unsuspecting user, may be all that is required to breach the defences of a business and cause disruption, loss or damage to reputation.  For example, sensitive systems could be accessed, malware could spread within the company networks, or valuable information could be stolen.

Malicious blocks can be classified as spyware or virus. Of all malicious blocks the split is 4% spyware, 96% virus.  URLs that are blocked as spyware could be pop-up ads, attempts to track browsing behaviour or attempts to change the way a browser operates.  URLs can be blocked as a virus for many different reasons.  The ultimate danger is always the same, either to get some malware onto the target computer or to obtain personal details.

There used to be a time when one had to actually do something slightly silly to become infected whilst browsing the internet.  And computer users were much more likely to be infected browsing sites in the ‘shadier’ corners of the internet, for example sites containing adult/sexual content.  The well behaved and educated surfer was pretty safe.  Today, this is no longer the case.

Internet users are in more danger than ever.  Being careful or aware no longer guarantees your safety.  One of the biggest dangers is the drive-by download – no action required!  

Drive-by downloads stealthily look for vulnerabilities in the browser, browser plug-ins or other software on a machine.  They then use these weaknesses to download malware onto your PC.  Often the user will be completely unaware that this has happened.  Keeping your browser, plug-ins, and other software up to date greatly reduces the chances of a drive-by attack.

In the last two to three years, worryingly, attackers have increasingly shifted from creating new malicious websites and serving malware on them, to compromising legitimate sites.  In 2009, MessageLabs Intelligence estimated that 80% of malicious web attacks take place via legitimate, compromised sites -- sites the average user visits all the time.  This is a survival tactic: we later demonstrated that the threat is more prolonged on legitimate sites, and the attackers are very likely to be aware of this fact (http://www.messagelabs.co.uk/mlireport/MLI_2009.09_Sept_SHSFINAL_EN.pdf, and http://www.messagelabs.co.uk/mlireport/2009MLIAnnualReport_Final_PrintResolution.pdf).  In 2010 so far, using the same approach, the proportion of malicious domains that are legitimate has increased dramatically compared to last year – it’s now about 90%.

Here is a typical example of how legitimate sites can be used in a malicious web attack.

Imagine a user searches for a topic of interest, e.g. "oil spill".

The user is taken to an apparent YouTube webpage.  Actually, it’s a fake YouTube page, located on a legitimate compromised website (a business that sells paper shredders).  The user clicks to play the video.

No video plays.  Instead, a window pops up asking the user to ‘install media codec’. 

If the user clicks ‘OK’, an executable file is downloaded from yet another legitimate, compromised website (a company selling eco-friendly money saving products).  The file downloaded is called setup_2033.exe.  So far two different compromised legitimate websites have been used in this single attack.

Once setup_2033.exe is downloaded, a window pops up prompting the user to run the executable.  Still believing that setup_2033.exe is an updated media codec, the user clicks ‘Run’.

The executable runs and connects to a botnet, from which it takes instructions on what to do next.  Another window pops up: ‘Attention!  21 infected file detected!’.  This is a rogue AV attack (often also referred to as ‘Fake AV’ or ‘Scareware’).  These attacks are normally designed simply to generate money for the attackers, although sometimes they lock the victim’s PC and hold them to ransom, or infect the user in some other way as well.

It informs the recipient that their PC is infected (it’s a completely made-up message and bears no relation to the state of the victim’s PC).  Upon clicking on this window, e.g. the ‘Remove All’ button, the user is taken to a payment page.  The victim believes they are paying to have their PC protected; in actual fact they are paying for absolutely nothing.  The rogue AV alerts may go away once the victim pays, but some remnant may remain on the PC, meaning that pop-ups return at a later date, or the PC is later used for some other nefarious activity.

This is a classic example of multiple legitimate sites being unwitting parts of a malicious attack.  In this case attackers used these sites to store executable files under various directories, either created when they compromised the site or already used by the site for some other purpose.
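The chain above (video-looking page on one legitimate host, then an executable "codec" fetched from a different legitimate host within seconds, with the page as referer) is something a web proxy log can surface. The following is an added example, not Symantec's code; the log format, hostnames and log lines are constructed for illustration.

```python
"""Flag the fake-codec lure chain in constructed proxy log lines.

Constructed sample format (not a real product format):
    timestamp client_ip method url referer status content_type
An alert fires when a client loads a video-looking HTML page on one host and,
within WINDOW, downloads an executable from a different host with that page
as referer. Hostnames are placeholders, not real compromised sites.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

SAMPLE_LOG = """\
2010-06-17T10:00:01 10.1.2.3 GET http://shredders.example/videos/play.html?v=oil-spill http://search.example/?q=oil+spill 200 text/html
2010-06-17T10:00:09 10.1.2.3 GET http://ecoproducts.example/images/setup_2033.exe http://shredders.example/videos/play.html?v=oil-spill 200 application/x-msdownload
2010-06-17T10:05:00 10.1.2.4 GET http://vendor.example/downloads/setup_2033.exe http://vendor.example/downloads/ 200 application/x-msdownload
"""

VIDEO_HINTS = ("video", "watch", "play", "codec")     # path fragments typical of a video lure
EXE_TYPES = ("application/x-msdownload", "application/octet-stream")
WINDOW = timedelta(minutes=2)                          # page load -> download gap to correlate

def parse_line(line):
    ts, ip, _method, url, referer, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "url": url,
            "referer": referer, "status": int(status), "ctype": ctype}

def looks_like_video_page(url):
    path = urlparse(url).path.lower()
    return any(hint in path for hint in VIDEO_HINTS)

def is_exe_download(rec):
    return rec["ctype"] in EXE_TYPES or urlparse(rec["url"]).path.lower().endswith(".exe")

def find_codec_lures(log_text):
    """Return (client_ip, lure_page, exe_url) for each cross-host lure chain."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    recent_pages = {}   # (ip, page_url) -> time the video-looking page was loaded
    alerts = []
    for r in recs:
        if looks_like_video_page(r["url"]) and r["ctype"].startswith("text/html"):
            recent_pages[(r["ip"], r["url"])] = r["ts"]
        elif is_exe_download(r):
            page_ts = recent_pages.get((r["ip"], r["referer"]))
            if page_ts is None or r["ts"] - page_ts > WINDOW:
                continue  # no recent lure page from this client, or too long ago
            # Same-host download (e.g. a vendor's own installer) is not the pattern.
            if urlparse(r["referer"]).netloc != urlparse(r["url"]).netloc:
                alerts.append((r["ip"], r["referer"], r["url"]))
    return alerts

if __name__ == "__main__":
    for ip, page, exe in find_codec_lures(SAMPLE_LOG):
        print(f"ALERT {ip}: {page} -> {exe}")
```

The third constructed line is an installer fetched from the same host as its referer with no preceding lure page, and is deliberately not flagged.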

Legitimate sites affected in this way may be blissfully unaware for days, even weeks, that harmful malware is being downloaded from their site.  The attackers could place files on these sites by obtaining the login details of the administrator, either because the password is weak or by some other method, e.g. a phishing attack.