Danger Zone: Web Use and the Risk to Business >A MessageLabs White Paper by Dan Bleaken, Data Analyst
Now part of Symantec
Introduction: The Rise & Rise of Web Threats >2 Anatomy of an Attack
No Safe Haven
Defending Your Business
>Executive Summary The World Wide Web offers an incredible array of benefits. However, it also presents a wealth of opportunities for abuse. The number of malwareinfected sites polluting the web has grown rapidly – and each has the potential to undermine and damage any business falling victim to them. As well as malicious websites specifically set up to download malware to the computers of unwary visitors, cyber-criminals are increasingly infecting legitimate sites with malware – completely without the knowledge of the sites’ owners. In some cases, the victim has to be enticed into taking a particular action for malware to be downloaded on their machine – for instance, clicking on a button or link. But increasingly no user action is required for the malware to install itself. Techniques that make this possible include driveby downloads, exploitation of vulnerabilities in out-of-date software, and use of web attack toolkits. Regardless of how they become installed, web-borne trojans, spyware and other malware can do enormous harm. They may steal confidential data; they may track browsing behaviour or keystrokes; they may recruit infected machines into ‘botnets’ – the possibilities are almost endless. MessageLabs hosted services equip businesses to protect themselves effectively from these ever more virulent web threats. They provide three key industry-leading capabilities: the capacity to detect suspicious characteristics in malicious websites and compromised legitimate sites; the ability to detect the malware itself, whatever its route to the victim; and proven expertise in stopping converging threats operating across web, email and instant messaging protocols.
>Introduction: The Rise and Rise of Web Threats Data leakage, fraud, identity theft, compromised confidentiality, impaired computing capabilities, financial loss, legal action, damaged reputation. All have the potential to seriously undermine a business. And all can result directly from an inadvertent visit to a malware-infected website.
The number of infected websites has grown at a startling pace.
Like any epoch-making invention, the World Wide Web offers a breathtaking range of benefits. Unfortunately, it also offers a wealth of opportunities for abuse – and the professional gangs now responsible for most online crime are increasingly harnessing it as a prime and potent weapon in their armoury. Long gone are the days when these ‘bad guys’ relied primarily on email to pursue their nefarious objectives. The number of malware-infected sites polluting the web has grown at a startling pace. MessageLabs estimates that internet users around the world now make over 100 million visits to malicious URLs every single month. It’s a genuine web security pandemic. But it’s not just the sheer volume of web threats that poses a danger. So does the ever-growing guile with which they’re devised and delivered. Protecting your business is no longer simply a question of avoiding ‘dodgy’ or unknown websites. Many mainstream sites are also being deliberately infected by cyber-criminals – with spyware, Trojans and other businesscompromising malware just waiting for the chance to download itself on visitors’ machines. This White Paper focuses on the ingenious and expanding array of web threats facing businesses today. It assesses their nature, what they aim to achieve and how computer users fall victim to them. But as well as raising awareness of the dangers, it outlines key steps that businesses can take to defend themselves – and so exploit the web’s potential with complete peace of mind. The information presented here is based on MessageLabs hosted services’ experience of providing messaging and web security management services for over 23,000 clients and 8 million end-users worldwide, with approximately 3 billion attempted SMTP email connections and 1 billion web requests processed each day on their behalf.
>Anatomy of an Attack The bad guys’ underlying aim in concealing malware within a website is, quite simply, to take control of visitors’ computers. Once this has been successfully achieved, the scope to exploit both the infected computer and its hapless owner is almost limitless.
The malware is downloaded without any action by the user.
Fundamentally, any web-based attack comprises three key components: the set-up, the hit and the aftermath. 1. Set-Up: First, the attacker decides exactly why they want to gain access to someone’s computer. For example, they may want to steal sensitive data. They may want to track browsing habits or keystrokes, which could provide access to vital bank account passwords. Or they may want to recruit the machine to a botnet – a ‘robot network’ of computers which, unknown to their owners, can be used by remote controllers to fire out spam or malware-propagating emails. The relevant malware is then obtained and placed on the web – often on a newly registered domain which will at first be regarded with minimal suspicion. Drive-by download attack
Hacker inserts malicious URL
User is re-directed to Bad Web site
Malware sends private data to Hacker
Web user visits Good Web site
Bad Web site sends obfuscated exploit for vulnerability on end user’s system
5 Malware installed without User noticing
2. Hit: Next, the attacker entices or compels potential victims to download the malware. For this to happen, of course, the victim first needs to visit the infected website. They might arrive at the site in the course of their normal browsing behaviour. Alternatively, they might be led there by adverts, links in spam emails, instant messages, social networking sites or blogs, ‘sponsored links’ on internet search engines (e.g. ‘search for Flash player’) or malicious links designed to appear high up on search engine results. If a machine is already infected, a further possibility is that results generated by major search engines will lead not to the website indicated but to a malwareinfected site instead.
In some cases, the victim then has to be lured into taking a particular action in order for the malware to be downloaded. Social engineering, scaremongering, empty promises and outright deception – these are some of the techniques employed to achieve the attacker’s desired result. Examples include:
The malware may collect data, edit and move files, or modify software settings
-- a ‘click here to install’ button which purports to enable the victim to download important software updates etc -- a ‘you’re infected – click here to remove the virus’ pop-up alert -- malicious files placed in areas where the victim expects to download music, software, movies etc. In other cases, however, no action on the part of the victim is required for the malware to download itself. Again, there are a wide variety of ways this can be achieved, such as: -- ‘drive-by downloads’, where a concealed malware program automatically installs itself on a computer simply as a result of the computer’s user visiting the infected website -- exploitation of vulnerabilities in out-of-date software or plugins: malicious content on a website could take advantage of vulnerabilities in the operating system, web browser, multimedia players etc to download files to the victim’s computer -- use of a ‘web attack toolkit’: housed on a malicious server linked to the visited webpage, these toolkits can assess the set-up and physical location of the victim’s computer and then target it with the type of attack most likely to succeed in that particular case. Obviously, techniques like these, which require no action from the user and which cyber-criminals are deploying with increasing frequency, present a particularly acute danger to anyone using the web. 3. Aftermath: Once the malware has installed itself on the victim’s machine, it proceeds to perform the tasks it was specifically designed to undertake. This may happen straightaway. Alternatively, the malware may lay dormant, ready to be activated at a later date in response to commands sent by the attacker or a third party the attacker has sold control of the computer on to. As a result the victim may not experience any problems with their computer immediately. Whatever the timescales involved, the downloaded program may collect personal data, open ports to allow the attacker further access to the infected computer, change registry values, start or stop services/ processes, edit and move files, or modify email, web browser and other software settings.
Such actions will, in turn, open up a range of options for the attacker. They could, for instance: -- hold the victim to ransom by locking them out from their computer and demanding cash in return for a password to unlock it
Attackers can place malicious files on legitimate websites.
-- recruit the computer to a botnet and use it to send spam, steal credit card data, perform distributed denial-of-service (DDoS) attacks etc -- tell the victim their computer is infected (via ‘scareware’) and then charge for downloading useless remedial software, or download more malware to the victim’s machine -- steal personal information, monitor activity and collect data (passwords, email addresses, bank details etc) for use in future social engineering operations -- edit files so that visiting frequently browsed webpages results in the victim being redirected to malicious websites -- hijack the clipboard and alter material which, when pasted later (e.g. onto a site with user-generated content), contains different information such as a malicious weblink. Whatever the exact outcome, one thing is absolutely certain. The attacker wins; the victim (and the organisation they belong to) loses. >No Safe Haven When web threats first started to appear, there were some simple actions that web users could take to substantially reduce the likelihood of malware infection. For example, it paid to be aware that sites incorporating user-generated content were easier for users to seed with malware, ‘bad’ redirect links etc. Web users could also avoid the more dubious corners of the internet, such as pornography sites, sites offering illicit software, music and movie downloads, and other sites functioning on the fringes of legality. Similarly, users tending to browse far and wide across the web, exploring a wide spectrum of sites including personal homepages and blogs, have traditionally put themselves at greater risk of falling foul of malware. Although it wasn’t a complete guarantee of immunity, users could minimise their potential vulnerability by maintaining careful, disciplined browsing habits. Today, there are still a lot of websites that have been set up purely with malicious intent. These are commonly advertised to potential victims in spam, spIM (spam over Instant Messanger), blogs and social networking pages. But now cyber-criminals have become much more systematic and organised in the way they compromise legitimate websites as well, using increasingly sophisticated techniques to do so – and stoking up the danger level for anyone visiting the web.
For instance, attackers can place malicious files on perfectly legitimate sites. Visitors to a legitimate site can also be redirected (in some cases, via one or more stepping-stone sites) to another site where malware is embedded. Another option is for the attacker to add scripts to a legitimate site; these then automatically download malicious files from elsewhere. An even bolder technique is known as ‘clickjacking’. Here, the attacker actually alters what happens when a button or link is clicked on, with malicious code being executed instead of the proper function. So why is it now comparatively easy for the bad guys to subvert reputable websites in this way? Today, many websites harness multiple media types, pulling – or being fed –information from many sources. Scripts, plugins, databases, other sites/ servers and so on may all contribute to a website’s overall content and hence to the visitor’s experience. Not all of them may necessarily be under the control of the site’s owners. In fact, a website can consist of around 100-200 components. And it may only take one of these to be compromised for a visitor to end up downloading malware onto their machine. Moreover, such a component could go unnoticed for quite some time. It’s usually the internet security community that spots them first and alerts legitimate websites that they’re serving up malware to unsuspecting visitors. There are many ways in which a cyber-criminal can compromise a legitimate website. The main ones include: -- structured query language (SQL) injection: attackers probe databases behind websites to determine their structure or obtain login credentials, the database is then updated or new records inserted, and webpage content is changed -- using stolen file transfer protocol (FTP) credentials to access and change files on a webserver: this approach is less likely to be noticed by website administrators as files can be spread subtly across a site -- malicious adverts: adverts are often pulled up randomly on websites, with website owners unable to control exactly what appears; if malicious, an advert will lead the victim to malware -- attacks on backend website-hosting companies, using SQL injection or stolen FTP credentials -- exploitation of vulnerabilities on webservers or in website-hosting software -- cross-site scripting (XSS) attacks, where web browser vulnerabilities allow script code from a remote website to be executed.
Sometimes, legitimate websites are compromised on a one-off basis, with the attacker carefully probing several sites until they find one with potential to be compromised. But sometimes legitimate sites are compromised using large-scale, highly automated campaigns where thousands of sites are trawled.
Attackers also prey on the all-too-widespread – and, as we’ve seen, alltoo-mistaken – belief that legitimate sites are definitely ‘safe to surf’. They do this, for instance, by registering domains that look very similar but are not identical to legitimate sites – a technique known as ‘typo-squatting’. In doing so, they hope users won’t notice that the URL they’re following is not quite what it seems and in fact leads straight to an infected website. >Dangerous Domains Examining the web domains hosting, or redirecting visitors to, malicious content can provide an excellent insight into how the bad guys operate. For example, an analysis of the age of malicious domains (i.e. the amount of time between the date when a domain was registered and the date when it was first detected as having malicious content) reinforces many of the key points noted above. The following graph shows the age distribution of domains blocked by MessageLabs hosted services between February and June 2009: 600
number of domains blocked
Attackers prey on the belief that legitimate sites are safe to surf.
The bad guys also often go to considerable lengths to present a constantly shifting target. They know that compromises, stepping-stone redirect domains and endpoint malicious domains will be discovered quickly once users begin to get infected. So they move on to compromise more sites and set up new domains – rapidly and continuously.
500 1-3 months
101 111 121 131 141 151 161 171
age of domain when first blocked (months)
Around 16% of blocked domains were registered less than three months before being blocked for the first time. These domains can be divided into two categories. The majority were set up expressly to serve malware to visitors. The rest were new, legitimate domains equipped with inadequate security and so very quickly compromised.
The bad guys’ mantra is ‘present a moving target’.
But what about the other 84%? These domains had registration dates more than a few months, and perhaps even many years, old. They’re highly likely to be legitimate websites whose owners were unaware – for days, weeks or months – that their site contained, or redirected to, malicious content. Even the websites of large, well-known businesses and organisations can become infected. So even the most sensible surfer is now in danger – and careless surfers are in more danger than ever before. Each day, MessageLabs makes around 2000 blocks of sites that host or redirect to malicious content, across around 240 domains. Almost half of the domains blocked are being blocked for the first time. This indicates that more and more legitimate sites are being compromised and new malicious sites are continually being established – compensating for the fact that, every day, legitimate sites discover they’re infected and take remedial action, while malicious sites are shut down by Internet Service Providers or other enforcing powers. Clearly, the bad guys’ mantra is ‘present a moving target’. The table below shows the most-used top-level domains (TLDs) identified by MessageLabs as hosting or redirecting to malicious content between February and June 2009: Rank
Domains registered <=3 months before first block* TLD % of domains 1 .com 59.1% 2 .info 10.6% 3 .net 5.7% 4 .cn 5.2% 5 .us 5.1% 6 .ru 3.1% 7 .in 2.8% 8 .com.au 2.7% 9 .org 2.1% 10 .biz 1.1% TOTAL 97.5%
Domains registered >3 months before first block** TLD % of domains .com 55.4% .co.uk 9.2% .net 6.3% .org 4.8% .ru 2.5% .pl 2.1% .com.au 2.0% .cn 1.6% .cz 1.5% .info 1.1% 86.4%
* Mostly websites set up with malicious intent ** Mostly legitimate websites that have been compromised
The bad guys’ predilection for .com is encouraged, no doubt, by its air of legitimacy – making it less likely to provoke suspicions. An additional point is that June 2009 saw a rapid increase in blocks made on newly registered .cn domains, although these domains are not always hosted in China.
country hosting domain with malicious content (age of domain >3 months when first blocked) 70%
% of domains
% of blocks
50% 40% 30% 20%
country hosting domain with malicious content (age of domain <= 3 months when first blocked) 70% % of domains
% of blocks
50% 40% 30% 20%
For any business the web presents a potential minefield.
The following two graphs take up the issue of domain location, again for the period February to June 2009. The first focuses on websites over three months old (i.e. likely to be compromised legitimate sites); the second focuses on sites three months old or less (i.e. likely to be sites set up with malicious intent):
The US, then, hosts over 50% of the legitimate domains that have been compromised – domains which are attracting an awful lot of victims. By contrast, the younger domains are much more widely scattered, with some noteworthy concentrations in Eastern Europe, Canada and the Far East. Most interesting is China, hosting 10% of these younger domains and responsible for a massive 44% of blocks. Just two Internet Protocol (IP) addresses under one registrar account for most of the blocks, with the main threat in the last few months being a Trojan hidden in a dummy ‘help’ page. It should be remembered, though, that the location of cybercriminals setting up a malicious website doesn’t necessarily have to match the country where the domain is hosted.
>Defending Your Business
MessageLabs hosted services offer benchmark protection from web threats.
For any business, the World Wide Web represents a potential minefield. Nothing can be assumed to be ‘safe’. Without effective protection in place, any organisation could find its operations fundamentally – and perhaps even critically – compromised. Indeed, it could unknowingly find its machines not just becoming infected but also playing a role in espionage, extortion and other serious criminal activities. So what can be done to negate the very real and ever-rising risk posed by web-borne threats? Basic good housekeeping is a start. That means keeping software, operating systems, plugins, web browsers and so on up to date. It also means using strong, hard-to-crack passwords and changing them regularly. But today, particularly in the face of drive-by downloads and the explosion in the number of legitimate, ‘normal’ websites being compromised, this just isn’t enough. MessageLabs hosted services offer cost-effective, benchmark protection from malicious web content. And because those services operate across all protocols – web, email and instant messaging – users are secure in the knowledge that, even where cyber-criminals mix and match their angles of attack (e.g. by including links to malicious websites in spam and spIM), all threats are identified and blocked instantly and effectively. Key to this capability is the unrivalled capacity to thwart brand new threats at zero-hour, as well as threats from sources that are already known. A fundamental role here is played by Skeptic™, MessageLabs proprietary predictive technology. Skeptic™ constantly learns, evolves, grows in strength and stays a step ahead of the bad guys as they go on developing, enhancing and transforming the extraordinary arsenal of webbased (and other) weapons at their disposal. Above all, MessageLabs hosted services achieve industry-leading levels of web threat protection because the technologies they use don’t just unmask suspicious characteristics in malicious websites and in compromised legitimate sites. They also detect the malware itself, whatever its route to the victim and regardless of the sites the victim has visited or has been redirected through. The World Wide Web may be a danger zone. But opting for MessageLabs means that making the most of the web won’t bust your business. Find out more about MessageLabs fully managed web protection and other services –visit www.messagelabs.co.uk/products or request a free trial at www.messagelabs.co.uk/trials/free
>WWW.MESSAGELABS.CO.UK >INFO@MESSAGELABS.COM >FREEPHONE UK 0800 917 7733
>EUROPE >HEADQUARTERS 1270 Lansdowne Court Gloucester Business Park Gloucester, GL3 4AB United Kingdom Tel +44 (0) 1452 627 627 Fax +44 (0) 1452 627 628 Freephone 0800 917 7733 Support: +44 (0) 1452 627 766
>AMERICAS >HEADQUARTERS 512 Seventh Avenue 6th Floor New York, NY 10018 USA Tel +1 646 519 8100 Fax +1 646 452 6570 Toll-free +1 866 460 0000 Support +1 866 807 6047
>LONDON 3rd Floor 40 Whitfield Street London, W1T 2RH United Kingdom Tel +44 (0) 20 7291 1960 Fax +44 (0) 20 7291 1937 Support +44 (0) 1452 627 766
>CENTRAL REGION 7760 France Avenue South Suite 1100 Bloomington, MN 55435 USA Tel +1 952 886 7541 Fax +1 952 886 7498 Toll-free +1 877 324 4913 Support +1 866 807 6047
>NETHERLANDS WTC Amsterdam Zuidplein 36/H-Tower NL-1077 XV Amsterdam Netherlands Tel +31 (0) 20 799 7929 Fax +31 (0) 20 799 7801 Support +44 (0) 1452 627 766 >BELGIUM/LUXEMBOURG Cullinganlaan 1B B-1831 Diegem Belgium Tel +32 (0) 2 403 12 61 Fax +32 (0) 2 403 12 12 Support +44 (0) 1452 627 766
>Canada First Canadian Place 100 Kings Street West, 37th floor Toronto, ON M5X 1C9 Tel+1 646 519 8100 Fax +1 646 452 6570 Toll-free +1 866 460 0000 Support +1 866 807 6047
>ASIA PACIFIC >HONG KONG Room 3006, Central Plaza 18 Harbour Road Wanchai Hong Kong Tel +852 2528 6206 Fax +852 2111 9061 >AUSTRALIA Level 14 207 Kent Street, Sydney NSW 2000 Australia Main: +61 2 8220 7000 Fax: +61 2 8220 7075 Support: +1 800 088 099 >SINGAPORE Level 14 Prudential Tower 30 Cecil Street Singapore 049712 Tel +65 6232 2855 Fax +65 6232 2300 Support +852 2111 3658 >Japan Bureau Toranomon 3rd Floor 2-7-16 Toranomon Minato-ku Tokyo 105-0001 Japan Tel +81 3 3539 1681 Fax +81 3 3539 1682 Support +852 2111 3658
>DACH Feringastraße 9a 85774 Unterföhring Munich Germany Tel +49 (0) 89 203 010 300 Support +44 (0) 1452 627 766
© MessageLabs 2009 All rights reserved
Now part of Symantec