Drive By Downloads: How To Avoid Getting A Cap Popped In Your App presented at OWASP Appsec 2010

by Neil Daswani (Dasient, Inc),

Tags: Web Application Security Statistics Intrusion Prevention


Summary : Which browser do you claim? What color is your screen-saver? It is a world wide hood out there, don’t let yourself become the next victim of a drive by… a drive by download.

Email attachments have become synonymous with computer viruses and consumers have become accustom to questioning the legitimacy of email touting male enhancement drugs and lottery winnings. This means hackers are having to come up with new ways to distribute malware. Today, just by loading an infected webpage of from a legitimate website, a virus can be downloaded without any other interaction and will often go undetected. Once the virus is on a PC, hackers can access the computer remotely and steal sensitive information like banking passwords, send out spam or install more malicious executables.

According to recent research….

* Every 1.3 seconds a new web page is getting infected
* As of Q3 2009, every month almost 2,000,000 web pages across more than 210,000 websites are infected with Malware. This is almost double the number of web pages reported for Q4 2008

• 77% of Web sites with malicious code are legitimate sites that have been compromised

* The number of malicious sites has grown 671% from 2008-2009
* 57% of data-stealing attacks are conducted over the Web

Examples of major breaches include the Gumblar attack (Apr '09) with infected over 80,000 web servers in just a few weeks, and the Network Solutions attack (Apr '10) in which thousands of WordPress blogs were infected on a single hosting provider.

In this talk, we describe in technical detail the "anatomy of a modern web-based malware attack." Web-based malware attacks have evolved significantly over the past 4 years. We present the state-of-the-art in web-based malware attacks and describe how the techniques used have evolved over time.

Back in 2007, for instance, a typical drive-by attack would be characterized by single injections of malicious JavaScript or IFRAMES into a legitimate site, and dozens of processes would be dropped/started on infected clients. Such injections would be delivered mainly through web application layer attacks such as SQL injections and stored XSS attacks.

Today, attackers use many additional mechanisms to inject malicious code, and will conduct multiple injections into a single web page (each of which are innocuous), such that when combined and run together, only then will a drive-by-download occur. Such new, multi-DOM node injections foil first generation web-based malware scanners. In addition, attackers now only start an average of 2 to 3 processes instead of dozens, and have started increasing reliance on social engineering (such as fake anti-virus windows) to attempt to foil automated detection technologies.

Finally, there has been an uptick in malvertising and spear-phishing as methods of propagating drive-by-downloads, as was used in China-based attacks against Google and other Fortune 500 companies earlier this year. We provide concrete examples of each of these novel attacks and provide example mal-code from the wild illustrating the anatomy of modern web-based malware attacks.