Security Response

Web Protection 2.0

Created: 17 Dec 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:43:44 GMT
Nishant Doshi

In a recent blog I discussed the ill effects of Web 2.0, and the main theme revolved around security for users of social networking sites. Well, what if you don’t use social networking sites? What if you only visit known and legitimate "good" sites? For example, you read an online newspaper, view your government's national defense Web site, or look up words on a popular online Web dictionary. Do these actions sound more like you? Are you protected in that case?

What most average users don’t know is that legitimate sites can be infected as well. Symantec has seen a sharp increase in legitimate Web sites becoming infected and serving browser-based exploits. For the most part, these sites are innocent victims themselves and in most cases are unaware of the exploits hosted on their Web sites.

Symantec has recently discovered that the main page of a certain Asian country's heavily visited department of national defense Web site had been infected and was serving up browser exploits. Upon visiting this site, the code on the page attempted to exploit a popular browser vulnerability, resulting in the silent download and execution of a malicious binary from a site hosted in another Asian country onto the visitor's machine. The vulnerability being exploited is MS06-014 (MDAC create object), and its use is really popular among hackers. Here is a screenshot of the exploit:

[Screenshot of the exploit code]

Symantec has also discovered another exploit hosted on the main page of a very popular online dictionary Web site. Independent sources estimate around 1.8 million unique visitors to this site. The exploit is cleverly masqueraded behind layers of obfuscated code - one of the scripts on the main page has the following attributes:

[Screenshot of the script tag's attributes]

Does anyone see the problem here? A script tag asking for an image file looks suspicious. In fact, what’s returned here is malicious JavaScript code and not an image, which when executed results in a call to a second malicious JavaScript file, serving the exploit. The vulnerability being exploited is again MS06-014 (MDAC create object). Below is a screenshot of that part of the exploit code after de-obfuscation:

[Screenshot of the de-obfuscated exploit code]
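To make the "script tag asking for an image file" check concrete, here is an added example (not code from this post or from Symantec's products) that scans a page for script tags whose src names an image file and then verifies whether the body actually returned for such a URL carries an image signature. The sample page, the response bodies and the host name example.invalid are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# A <script src> should never point at a file with an image extension.
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")
# Leading bytes of common image formats; a body served for an image URL that
# starts with none of these is not an image, whatever the URL claims.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"BM")


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs += [v for k, v in attrs if k.lower() == "src" and v]


def find_image_script_srcs(html):
    """Return every script src whose URL path ends in an image extension."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.srcs if urlparse(s).path.lower().endswith(IMAGE_EXTS)]


def looks_like_image(body):
    """True if the fetched body begins with a known image signature."""
    return body.startswith(IMAGE_MAGIC)


def is_masquerading_script(src, body):
    """An image-named script src whose body is not image data is suspicious."""
    return urlparse(src).path.lower().endswith(IMAGE_EXTS) and not looks_like_image(body)


# Constructed sample page (not the dictionary site's real markup): one normal
# script include and one that, like the case above, asks for a .jpg.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/js/menu.js"></script>
<script src="http://cdn.example.invalid/img/banner.jpg"></script>
<img src="/img/logo.gif"></head><body></body></html>"""
# Constructed bodies: a genuine GIF header, and JavaScript served for the .jpg URL.
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
FAKE_IMAGE = b"var s=document.createElement('script');s.src='/x/second.js';"
```

The same two checks can run in a proxy or crawler: the first needs only the page markup, the second needs the response body for each flagged URL.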

The exploitation of the MS06-014 (MDAC create object) vulnerability is really popular and has been in use for quite some time now. There are several likely reasons. It is easy to exploit, and some of the vulnerable ActiveX controls used in the exploit are present in a standard XP SP2 image. Also, unlike most of the other browser vulnerabilities, this is not a buffer overflow vulnerability. In the case of many buffer overflow vulnerabilities, exploits rely on a technique known as “heap spraying.” A side effect of using this technique is that a lot of times the browser slows down and almost becomes non-functional and unusable. This could alert the victim of an intrusion. However, using the MDAC create object vulnerability the hacker could easily download and execute the malicious file without alerting the victim. Also, protection solutions relying only on buffer overflow protection are not effective in this case.

Symantec has built a number of excellent Web-browsing protections into our 2008 products. The Web protection is immune to script obfuscation and masquerading and identifies the signatures of known Internet Explorer browser vulnerabilities. It also blocks exploits using these vulnerability signatures as soon as they get released. Both of these exploits were detected by Symantec’s browser protection solution.

So, the moral of this blog is that you are at risk even if you just surf to some known, good, and/or legitimate sites. Keep your Symantec protections up-to-date, patch your systems, and I wish you happy surfing.