Drive-by downloads or, more accurately, drive-by installations are some of the scariest threats on the Internet. Exploit kits provide the underlying mechanisms for this behavior. They work by examining your browser’s environment – browser type, browser version, installed plugins, and plugin versions, looking for a vulnerable piece of software.
If the exploit kit finds any vulnerabilities, it exploits them all in an attempt to run code directly on your system. In most cases this leads to malware being installed and run on your machine without any user interaction. Worst case scenario, a few minutes later you’ll be staring at instructions on how to pay to restore your newly encrypted files to their original state.
Exploit kits can lurk in a number of places on the Internet. Here are a few examples.
There are plenty of untrustworthy sites out there that you might stumble upon while browsing. Off-the-grid file sharing sites, torrent sites, and porn sites are examples. Some of these sites directly host exploit kits.
You can also end up on intentionally malicious sites by following links from posts or comments on forums, blogs, and social networking sites, or from following links in email you’ve received. However you end up on one of these sites, you’re at risk of being owned.
Most webpages show ads. In many cases, they get them from ad serving agencies. Malvertising happens when an attacker submits an ad containing malicious code to one or more of these agencies. In order to run an effective campaign, malvertisers target the more popular ad serving agencies, which happen to push ads out to the more popular sites. This cheap and effective method provides attackers with a widely used platform from which to distribute malicious content. We see this happen fairly regularly.
Malvertising is a particularly cunning infection vector. Attackers don’t have to persuade victims to deviate from normal browsing habits in order to infect their systems. Once a malicious ad has been planted on an ad serving platform, it is automatically distributed to a wide variety of popular sites. So, the next time a user visits their favorite news site, they could potentially end up with malware on their system, even if the site itself is generally deemed safe. And they don’t even need to click on the malicious ad to get infected.
By the way, malvertising doesn’t just happen on websites. Not too long ago, we documented a case where Skype ads were delivering malicious payloads using exactly the same mechanism.
Legitimate websites get hacked. A lot. In fact, a majority of exploits in the wild are hosted on compromised servers that are simply not being cleaned up.
Legitimate websites get hacked when new vulnerabilities in underlying web services (e.g., Apache or WordPress) surface. As soon as a new vulnerability is revealed, there’s often a gold rush to exploit all available targets on the Internet. And it’s all heavily automated. WordPress servers are also brute-forced regularly, given how easy it is to get author names.
Naturally, once these services have been hacked, exploit kits are injected into the exploited sites, and from there, well, you know the story.
As you’ve probably already realized, hygienic browsing practices won’t prevent you from being owned by a drive-by download. This is why all modern endpoint protection solutions tend to include URL-blocking and network scanning components. If you can prevent a page, or a component of a page, from loading in the browser, you can prevent the exploit kit from running. Of course, I don’t need to remind you that keeping software up-to-date on your own system helps a ton against these attacks.
The malicious URL landscape changes incredibly quickly, and thus cloud lookups are a great way to keep up with those changes. By simply performing a cloud query on a normalized version of the requested URL, just prior to visiting it, you’ll get a verdict that determines whether the site is safe. That verdict can contain other information as well; in addition to telling the product if a site is malicious, it can contain information about the sort of content the site is serving. This information can be useful for content filtering applications such as parental control.
Here in Labs, we have multiple feeds populating and refreshing our URL repositories. Over 70 of them, at last count. We get over 500,000 new URLs per day. Some come from honeypots and spam traps. Others come from static or dynamic analysis of malware. By feeding potentially malicious URLs into our automated sandbox environments, we can record and examine what happens to the virtual machine, and classify the site accordingly. We also have expert systems that automate the classification of content.
Our systems would probably explode with billions of entries if we were to store a classification of every single URL path possible. To prevent this, complex logic in our automation makes the call between rating a whole domain versus rating individual directories. We also use whois information to rate whole domains.
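To make the two ideas above concrete (querying a verdict on a normalized URL, and rating whole domains versus individual directories), here is an added example that is not F-Secure's code and does not reflect how Labs' repository or cloud service actually works. It uses a constructed in-memory rating table in place of the cloud lookup, and the normalization rules, key format and category names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit
import posixpath

# Constructed sample repository (not real data). Keys are either a bare domain,
# which rates the domain and all of its subdomains, or "domain/dir/" which rates
# one directory subtree on a site that is otherwise fine. Every entry carries a
# verdict plus a content category that a parental-control filter could act on.
REPOSITORY = {
    "exploit-kit.example": {"verdict": "malicious", "category": "exploit-kit"},
    "news.example": {"verdict": "clean", "category": "news"},
    # a legitimate blog with one hacked upload directory serving an exploit kit
    "blog.example": {"verdict": "clean", "category": "blog"},
    "blog.example/wp-content/uploads/ek/": {"verdict": "malicious", "category": "exploit-kit"},
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url):
    """Canonicalize a URL so that equivalent spellings produce the same lookup key."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower() or "http"
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        port = parts.port
    except ValueError:  # non-numeric port: treat as if none was given
        port = None
    netloc = host if port is None or DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    # collapse "." and ".." segments; keep the trailing slash that marks a directory
    path = posixpath.normpath(parts.path or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"
    # the fragment never reaches the server, so it never affects the verdict
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def lookup(url):
    """Return the most specific rating: longest directory prefix first, then the
    host and its parent domains. Unknown URLs get a neutral 'unknown' verdict."""
    norm = normalize_url(url)
    parts = urlsplit(norm)
    host = parts.hostname or ""
    path = parts.path
    directory = path if path.endswith("/") else posixpath.dirname(path).rstrip("/") + "/"
    segments = [] if directory == "/" else directory.strip("/").split("/")
    # 1. directory ratings, most specific subtree wins
    for depth in range(len(segments), 0, -1):
        key = host + "/" + "/".join(segments[:depth]) + "/"
        if key in REPOSITORY:
            return {"url": norm, "matched": key, **REPOSITORY[key]}
    # 2. whole-domain ratings; walk up so "www.evil.example" inherits "evil.example"
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never rate a bare top-level domain
        key = ".".join(labels[i:])
        if key in REPOSITORY:
            return {"url": norm, "matched": key, **REPOSITORY[key]}
    return {"url": norm, "matched": None, "verdict": "unknown", "category": None}


def should_block(url, blocked_categories=()):
    """Block decision: malicious verdicts always block; categories are policy."""
    rating = lookup(url)
    return rating["verdict"] == "malicious" or rating["category"] in blocked_categories


if __name__ == "__main__":
    for u in ("HTTP://NEWS.Example:80/../a/./b/#frag",
              "http://blog.example/wp-content/uploads/ek/landing.php",
              "https://blog.example/2024/post.html",
              "https://www.exploit-kit.example/gate.php"):
        print(u, "->", lookup(u))
```

The point of the two-level key scheme is the one the post makes: storing a verdict for every path would be unbounded, so a clean domain needs only one entry, and only the specific directory that was compromised gets its own rating, which still wins over the domain-wide "clean" entry because prefix matches are checked first.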
In addition to the simple tactic of querying URLs from the cloud, we use a few other tricks to make sure our customers are shielded against malicious sites. By performing a heuristic analysis of the URL traffic itself, we are able to spot certain types of malicious behavior. Our protection components also look at the URL’s content, headers, and metadata, and can make decisions based on that.
Blocking access to URLs also prevents malware from talking to C&C servers.
As I mentioned in the first post of this series, preventing a user from coming into contact with a malicious site is the first line of defense against real-world threats. And with the possibility of being owned via a drive-by download, it’s a pretty important first step. So, the next time you see that pop-up in the corner of your screen just after clicking a link, you’ll be happy you didn’t just get hit with some nasty trojan downloader that leads to a case of crypto-ransomware.