A big part of what we do here in the research group at Exploit Prevention Labs involves studying the behavior and distribution of malicious websites, and it's really interesting, as we poke around the web, to see different patterns come to light.
Malicious websites can be broken down into two broad categories - social engineer-ers and exploiters.
Social engineer-ers, as the name suggests, are sites that try to trick the visitor into installing some malicious code. A well-known example would be the warez sites, where you might try to find a cracked version of some popular piece of software that for whatever reason you don't want to purchase through legitimate channels. Trust me… it's much better just to go and buy a legitimate copy in the first place. Almost all the warez sites want you to install "an ActiveX control that you need to download the software", or something along those lines. There's simply no telling what you're really getting, but you certainly don't need to install any extra software in order to download something from the internet.
Another example would be the "fake codec" sites. What happens with these is that you're surfing the web, minding your own business, looking at pictures of one kind or another, and you come across a video that you'd like to watch, but… whoops… it tells you that you have to install a codec (compressor/decompressor) in order to watch it. In every example I've looked at recently, the required codec turned out to be a rootkit.
A third, and really rather clever, example is the one where you're presented with a dialog box containing a lot of text and a prominent "Close" button. Most people will assume it's just another unwanted pop-up ad that snuck by their anti-spyware, so they just hit the "Close" button and continue surfing. Unfortunately, what's actually happened is that 30 megabytes of adware and spyware have just been downloaded onto your machine. If you'd taken the time to read the text in the dialog, you would have seen the following:
"If you want to continue the installation of this software, simply click the close button. If you don't want to continue, please check the little checkbox at the side of the dialog."
Which only goes to show just how predictable user behavior on the web has become, making life exceptionally easy for an average-to-smart social engineer-er.
The second broad category is the exploiters. These are websites that don't bother with the social engineering step; they just go right ahead and use an exploit to force an install of whatever malware they want to dump onto you, without any interaction from you, witting or unwitting. Usually the malware is a keylogger and rootkit, or a huge package of adware and spyware plus a fake anti-spyware program that offers to clean up the mess they just installed for $49.95… Oh, and a rootkit.
There are five general sub-categories of exploiters, based on (1) the exploit pattern that they use, (2) the way they attract victims, and (3) the payload. (Yes, I know there are more, but we don't have the space for a full breakdown, and these are close enough to get the idea.)
The five categories that I use are:
What this all means is that the web can be transformed into a dark and untrustworthy place in an instant. As researcher Ben Edelman recently reported, the TRUSTe logos don't mean a thing when it comes to poisoned pages. Everything is now much too fluid and dynamic for a static approval process, or even for most database-driven efforts. What was safe yesterday might not be safe today.
- Roger Thompson is CTO and chief researcher at Exploit Prevention Labs.