Web exploits – from problem to solution
Discuss the article at Agnitum blog
This article discusses the problem of web exploits and the dangers associated with them. Additionally, it details the necessary steps users should take to minimize their exposure to the risks posed by exploits.
The spread of malicious software is one of the most significant problems affecting the use of the Internet today. Unlike the old “in-your-face” viruses, today’s malicious software is silent and stealthy. The following is an all-too-familiar experience for many computer users:
After surfing the web for a couple of months on a new laptop or desktop – or an old computer with a new Windows installation, you notice that it starts behaving weirdly – displaying pop ups, reporting Windows and program errors, having problems starting up, and a host of other strange activities not experienced before. Unfortunately, you didn’t equip yourself with any security software before you went surfing, but you try to make up for lost time and security by installing an anti-virus. Not surprisingly, the first scan reveals active threats in memory and multiple instances of malware on your hard drive. You try to figure out what you did or where you went to get all this stuff – did you (or another member of your family or a coworker) download executables from suspicious sites, participate in peer to peer exchange, respond to spam or phishing messages? It could have been anything, anywhere, any individual authorized to use your computer. The real issue is how to prevent this hidden infection from ever happening again.
An introduction to web exploits
While there is no universal definition of an exploit, essentially an exploit is any piece of software that is designed to expose or exploit vulnerabilities in other software. Web exploits act by taking advantage of the flaws in a browser, browser plug-ins, and other web-enabled applications, including Word, Acrobat, and other ‘standard’ programs.
Web exploits may be named any number of different things - drive-by downloads, behind-the-scenes malware installation, silent or unassisted infections – but they all mean the same thing. Your computer gets infected simply by you surfing the web, without you actually doing anything like downloading a file. Web exploits make it possible for malware to silently install itself on your computer without your knowledge and can cause data theft, botnet recruitment, computer malfunction, and other serious problems.
The diagram below illustrates the lifecycle of a software vulnerability and that of an exploit that is dependent on it1.
- The application is released to the public.
- An unethical researcher or a malicious hacker discovers a vulnerability in the application but doesn’t notify the vendor. Instead, he/she provides this information to malware writers for money or other reward. The malware writers create malicious code to exploit the vulnerability. These threats are not known to the anti-malware companies, so no detection exists; this is what is commonly referred to as zero-day malware.
- The vendor of the vulnerable application learns of the flaw though public channels. This can happen in a variety of ways, usually as a result of the hacker’s findings being leaked on underground forums, through user or partner communications, or through parallel investigative work being conducted by ethical researchers.
- Proof-of-concept code doesn’t carry a malicious payload but simply serves to prove the viability of the findings and that, without a patch, the vulnerability could be exploited by real malware. A POC is mainly used to convince the vendor that the vulnerability is exploitable.
- After the vendor assesses the vulnerability report and concludes that a patch is required, it starts developing a security fix.
- The vendor creates a patch that mitigates the vulnerability. A security update is distributed using the standard update procedure for that application.
- The user installs the vendor’s patch to protect the application against vulnerability exploitation.
Somewhere between stages two and seven, the exploit emerges and starts to infect vulnerable users. This period is called the window of opportunity, when a hacker can “own” users’ systems without their knowledge by taking advantage of the found and unpatched vulnerabilities.
1When a security researcher reports a vulnerability to a software vendor without making that information available to anyone else, the likelihood of the vulnerability being exploited is greatly reduced. After the vendor has mitigated the vulnerability with a patch, details of the past flaw can be publicly disclosed without putting users at risk, provided that users have updated their system with the patch. Research shows that users who don’t patch their machines promptly are at far greater risk of becoming infected by web-based exploits.
How exploits work
As soon as hackers learn of the existence of a vulnerability, they start writing malware to exploit it. This may involve a collective effort by multiple hacker groups or an individual, highly skilled hacker; this latter individual may also be the original discoverer of the vulnerability.
After attackers get their hands on an exploit, they need to plant it so that users deliberately or accidentally visiting a certain site will be automatically infected without their knowledge. Examples of site compromises are numerous, but typically hackers use one or more of the following approaches:
- Use spam to attract users to a site maintained by the hacker. Getting users to visit the infective website also involves sophisticated DNS spoofing, social engineering attacks and other predatory tactics.
- Create a series of infective sites whose names resemble legitimate entities, such as registering a web address with a minor spelling discrepancy (eg. microsooft.com, dowload.com)
- Compromise websites belonging to legitimate entities and plant malicious code before the operator of the site can block the intrusion. This recently happened to the Bank of India’s site.
- Plant links to media elements on social networking sites like FaceBook or MySpace that point to external boobytrapped code exploiting vulnerabilities in third party plugins that are needed to run this code.
Making money from exploits - the business model
Exploits can generate significant income for their creators. Some sources estimate that cybercrime has passed the illegal drug trade in terms of profits, and a large chunk of this money comes from selling exploits. Exploits can benefit their creators in several ways:
- Infect users’ computers with all sorts of malware that can be used to generate income through blackmail, sale of fake anti-spyware, or the sale of personal information acquired through keyloggers, etc.
- The sale of exploits to other criminals.
- As a means of extortion to blackmail a software vendor.
Combating exploit threats
There are a number of simple steps you can take to keep your system protected against exploits:
- Keep your system patched and always use the latest browser versions.
- Disable unnecessary programming functionality like ActiveX, or allow it only for pre-screened and trusted sites.
- Do not visit unknown or potentially untrustworthy sites.
- Use programs that inspect a website’s content in real-time before allowing a user to proceed to them. Programs like Link Scanner Pro check the target site’s HTML code to ensure the hidden threats are not embedded. Finjan SecureBrowsing extension implements code evaluation, alongside site reputation evaluation, to access the potential threat.
- Use a firewall that protects against 0-day malware by blocking inappropriate network and local program activity. Outpost Firewall Pro 2008 will include the ability to build and customize a database of blacklisted sites that will be blocked from access.
Exploits pose a real and quantifiable risk to your computer, but as long as you’re equipped with knowledge, common sense, and the right kind of software, you can rest assured that exploits will not interfere with your digital life.