Web Exploits: a bright future ahead

Web Exploits: a bright future ahead

The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever. Vulnerabilities are flaws that exist in various programs and that allow someone to make that piece of software do something it’s not supposed to do such as downloading and running malware. Vulnerabilities exist because software is written by humans who make mistakes or simply are too lazy to put safeguards in their code.

Fortunately software gets patched from time to time as flaws are getting discovered. While one might think this should solve all our problems there are two things that make this patching process an issue:

  1. not all software updates itself automatically (for various reasons) and people certainly “forget” (let’s give them the benefit of the doubt) to update their PC.
  2. the bad guys use those newly discovered flaws in exploit kits (leveraging the hard work of others by simply copying and pasting what others wrote or adapting proof of concepts).

To add to this crippled patching process, there are also vulnerabilities that are discovered before any patch is available and that can be used for days before software/security companies discover them. These are called 0-day threats and although difficult to find, there are enough bright minds out there to make this a reality.

Today’s most common exploits involve:

  • the browser(s) (Internet Explorer, Firefox, Chrome, etc…)
  • third party browser plugins (Flash player, Adobe Reader, Java, QuickTime, VLC player, etc..)
  • the Operating System (Windows, Mac OS)

If we get back to our concept of vulnerabilities, it comes down to exploiting a flaw in a program by forcing specially crafted content in the form of malicious PDF, Flash, Java, font, etc.. file. That file is the intermediary between the web exploit and your computer – it sort of has a foot in and out of the door – and if successful in exploiting the software installed on your PC, it will create and run a malicious file – the final payload – which could be a banking Trojan that captures your usernames and passwords or a spam bot , a piece of malware that will send thousands of emails from your computer .

Here’s how a drive-by download attack happens:

Infected Web site. It all starts here… a legitimate site running WordPress, Joomla! or some other Content Management System. Site was set up by someone with very little knowledge about web security, paying only a few bucks a month for hosting. What could go wrong? Lots, it turns out. Websites are easy to build but yet very difficult to secure and contrary to popular belief, your web hosting company is not going to do all the work or even monitor your site for a handful of dollars per month. The bad guys love easy prey and in a few minutes they will have found insecure file permissions or a vulnerability in WordPress that should have been patched… two years ago! Among the many things one can do once a website is hacked, the bad guys love to insert malicious code in existing web pages. The goal is simple: use all the website’s traffic (people browsing that site) and try to infect their PC by sending them to an exploit kit site.

Exploit kit. The exploit kit is the bad guy’s Swiss Army knife to exploit someone’s computer. Its goals are to assess a potential victim and then deliver a payload. The assessment part is sort of a “let’s get to know who you are” type of introduction. What is your browser, are you running out of date software, etc… This only takes a couple of seconds – if that  -and then the relationship goes sour.

Exploit files. The exploit kit loads files like PDF documents, Java applets, Flash media and any others that are accepted by the victim’s machine. What happens then is the actual exploitation of software vulnerabilities. Adobe Reader will open the PDF just as if it were any other PDF you can find, except it doesn’t know that this one has been crafted carefully to bypass the regular road and go awry. For example, a malicious PDF may download a remote executable and then run it with full admin privileges on the system.

Malware payload. All of the above happened for a reason, and this is it. It took a bit of work to get there (had to travel half way around the world from an infected site hosted in North America to an exploit kit in St Petersburg, Russia).  But if we got here in one piece it means one thing: ‘operation exploitation’ was successful and the computer has been infected with a new piece of malware. Until that machine gets cleaned, it is in the hands of the bad guys who may now do as they wish with it.

This process has been the same for some time and works quite well. But of course, as security vendors learn how to detect these exploits, the bad guys have to work a little bit harder and use countermeasures.

Let’s take a look at what makes drive-by download attacks so successful and persistant:

  • Legitimate websites will continue to get infected as long as people can set up a website in 5 minutes for only $5/month. This equation is just a call for disaster.
  • Exploit kits keep receiving updates thanks to the endless number of vulnerabilities (CVE) and leverage third party scripts to do all the hard work.
  • Encryption is starting to become the de facto standard to hide exploit kit code, malicious files and malware payload.
  • Finally, this business is highly profitable with minimal risks of prosecution.

As an end-user, here are some tips to protect yourself:

Think first, click after. You most likely already come across infected sites or malicious ad banners through your regular browsing but it’s not a reason to click on any links you receive in emails, Facebook or Twitter.

Use your browser wisely:  Regular web surfing should have the Java plugin disabled to minimize the infection risk. If for some reason you must use it for a particular site or application, re-enable it as needed or simply use a different browser with Java enabled. There is a tutorial here. Also, if you are logged into your banking website, refrain from opening a dozen other websites in tabs at the same time. Certain sites can load Cross Site Scripting attacks (XSS) and hijack your banking session.

Install the latest version of every software and set settings to automatic update. For Adobe Reader, open a PDF and go to Edit->Preferences->Updater. For Flash go to Control Panel->Advanced. For Java, use this guide.

Use a combination of antivirus / antimalware software. It’s always better to be proactive rather than reactive. In other words, prevent malware from infecting your system in the first place.

The full version of Malwarebytes Anti-Malware offers multiple layers of protection:

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Backup your data. At the end of the day, you may love your computer but if you really think about it, the stuff that’s on it is actually more valuable. You can always buy a new PC, but you can’t say the same about pictures, work documents, etc…

Hopefully these tips will help to make your computing experience safer because the bad guys are not going to rest any time soon.


Jérôme Segura

Principal Threat Researcher