A big part of what we do here in the research group at Exploit Prevention Labs involves studying the behavior and distribution of malicious websites, and it’s really interesting, as we poke around the web, to see different patterns come to light.
Malicious websites can be broken down into two broad categories – social engineer-ers and exploiters.
Social engineer-ers, as the name suggests, are sites that try to trick the visitor into installing some malicious code. A well-known example would be the warez sites, where you might try to find a cracked version of some popular piece of software that for whatever reason you don't want to purchase through legitimate channels. Trust me…. It's much better just to go and buy a legitimate copy in the first place. Almost all the warez sites want you to install "an ActiveX control that you need to download the software", or something along those lines. There's simply no telling what you're really getting, but you certainly don't need to install any extra software in order to download something from the internet.
Another example would be the "fake codec" sites. What happens with these is that you're surfing the web, minding your own business, looking at pictures of one kind or another, and you come across a video that you'd like watch, but … whoops… It tells you that you have to install a codec (compressor/decompressor) in order to watch it. In every example I've looked at recently, the required codec turned out to be a rootkit.
A third, and really rather clever, example is the one where you're presented with a dialog box containing a lot of text and a prominent "Close" button. Most people will assume it's just another unwanted pop-up ad that snuck by their anti-spyware, so they just hit the "Close" button and continue surfing. Unfortunately, what's actually happened is that 30 megabytes of adware and spyware have just been downloaded onto your machine. If you'd taken the time to read the text in the dialog, you would have seen the following:
"If you want to continue the installation of this software, simply click the close button. If you don't want to continue, please check the little checkbox at the side of the dialog."
Which only goes to show just how predictable user behavior on the web has become, making life exceptionally easy for an average-to-smart social engineer-er.
The second broad category is the exploiters. These are websites that don't bother with the social engineering step, they just go right ahead and use an exploit to force an install of whatever malware they want to dump onto you without any interaction from you, witting or unwitting. Usually the malware is a keylogger and rootkit or a huge package of adware and spyware, a fake anti-spyware program that offers to clean up the mess they just installed for $49.95…Oh, and a rootkit.
There are five general sub-categories of exploiters, based on (1) the exploit pattern that they use, (2) the way they attract victims, and (3) the payload. (Yes, I know there are more, but we don't have the space for a full breakdown and these are close enough to get the idea.).
The five categories that I use are:
- The St. Petersburg iframers usually throw five or six older exploits, such as the Windows metafile (WMF) exploit from last December, at you in anticipation of something ticking. They often advertise for webmaster partners who are willing to deliberately include their software in their webpages. The content tends to be rotated frequently, so what they deliver tends to depend on the day of the month; recently the focus has been on a direct pitch for a bogus anti-spyware product. "Windows has detected spyware activity on your computer. Click here to clean it up."
- The trimoders, so-called because they throw a three-exploit package at you, again hoping that something sticks, are quite similar to the iframers, and may be a breakaway group. Rather than advertise for partners, they appear to prefer targeting bulletin board systems that are open enough to allow them to post exploitive html along with innocent-seeming messages.
- The bogus search engines use a WMF exploit to try to install a traffic generator, which actually consists of two files – the traffic generator itself and a list of URLs in a text file. What happens is that the traffic generator visits each of the URLs, very quickly and frequently, but in the background, so you're not aware that your PC is being used as a pawn to generate traffic. The headers are forged to make it look like your PC was actually using a genuine web browser, and to pretend that you were actually referred by the bogus search engine. This approach is ideal for spam-based distribution. Naïve website operators see a pitch along the lines of "For just $100 per month, we'll generate 80 million visitors to your website each month!" and believe it. And they do get a big spike in traffic numbers, but that traffic is all machine-generated – no humans involved. Interestingly, these guys typically hang perhaps as many as 100 virtual domains off each of their IPs, and then create as many as 100 hyperlinks in to each of these domains, resulting in a huge web that draws victims in through search engines.
- WebAttackers seem to put all of their effort into hacking into other people's computers in order to use them as either an exploit server for the WebAttacker script or as lures to attract unsuspecting victims to a poisoned site. Not surprisingly, the hacked exploit servers tend not to be around for long – as soon as the webmasters find out that their servers have been hacked, they clean it up. Interestingly, the hacked sites that are acting as lures are rarely cleaned up, giving rise to an unknown number of what we call Orphaned Lures – which are of course primed and ready for the next exploit distribution network to move in.
- And then there is everyone else. This group could be subdivided to the nth degree. They typically use just one of about ten commonly adopted exploits, but have no set behavior pattern and are clearly not one of the above four groups.
What this all means is that the web can be transformed into a dark and untrustworthy place in an instant. As researcher Ben Edelman recently reported, the Truste logos don't mean a thing when it comes to poisoned pages. Everything is now much too fluid and dynamic for a static approval process or even most database-driven efforts. What was safe yesterday might not be safe today.
– Roger Thompson is CTO and chief researcher at Exploit Prevention Labs.