No Longer for Fun: Exploiting the Internet for Profit
Vinoo Thomas
Wednesday, April 2, 2008
Many people believe that most Internet users get infected with malware while browsing questionable sites that offer adult dating, porn, pirated software, and the like. Contrary to popular belief, however, thousands of legitimate Web pages are compromised every day to serve malware to unsuspecting users. This method is called a drive-by download: a user visits a site and malware is silently downloaded and installed onto the PC without any user intervention. The malware typically exploits a bug in the Web browser, a browser plug-in, or the operating system to gain access.

At McAfee Avert Labs in Bangalore we have worked on several recent incidents in which high-profile Indian Web sites have been compromised to serve malware. Pretty much every type of site has become a victim: banks, security vendors, portals, and businesses, as well as educational and government sites.

In the early days of the Web, the driving factor for hackers in compromising Web sites was fame, but today’s generation of malware authors operate as organized crime groups lured by quick money.

Internet users tend to blindly trust sites that are well known and widely popular, and they do not expect malicious behavior from sites they visit regularly. For this reason, legitimate Web sites are increasingly being hacked, typically through exploitable vulnerabilities in Web server software, through ARP spoofing on the hosting network, or through SQL injection. Once they have access, attackers booby-trap the sites to serve malware.

In a typical attack scenario, the hacked Web pages are appended with a hidden iframe that points to the attacker's site. Users enter the address of a legitimate Web site (one they have visited for years) into their browser. Unknown to them, the iframe in the page they are viewing silently loads the attacker's page, which hosts a cocktail of browser and application exploits that infects their computers.
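The injection described above is easy to spot once you know the pattern: a frame that the user cannot see (zero size or hidden by CSS) whose source lies on a different host from the page that carries it. The following is an added example, not code from the original article or from McAfee; it scans a page for such frames. The page content, the bank site name and the attacker host are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a legitimate page with a hidden iframe appended after
# the closing </html>, the pattern the article describes. "attacker.invalid"
# is a placeholder host, not a real indicator.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to our bank</h1>
<iframe src="/widgets/rates.html" width="400" height="300"></iframe>
</body></html>
<iframe src="http://attacker.invalid/index.php" width="0" height="0" style="visibility:hidden"></iframe>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(attr_text):
    """Turn the raw attribute text of one tag into a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = (m.group(2) or m.group(3) or m.group(4) or "").strip()
    return attrs


def is_hidden(attrs):
    """Zero- or one-pixel frames and CSS-hidden frames are the common drive-by pattern."""
    style = attrs.get("style", "").replace(" ", "").lower()

    def tiny(value):
        return value.strip().rstrip("px") in ("0", "1")

    return (tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))) \
        or "display:none" in style or "visibility:hidden" in style


def is_external(src, site_host):
    """True when src points to an absolute URL on a host other than the site itself."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def find_suspicious_iframes(html, site_host):
    """Return one record per iframe that is hidden, off-site, or both."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        hidden = is_hidden(attrs)
        external = is_external(src, site_host)
        if hidden or external:
            findings.append({"src": src, "hidden": hidden, "external": external})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "www.example-bank.invalid"):
        print(f)
```

The visible rates widget is neither hidden nor off-site and is not reported; the appended frame is both. Checking the two properties separately keeps the detector useful for variants in which only one holds, such as a visible frame to an attacker host or a hidden frame whose source is a relative path to a file the attacker uploaded.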

The rise of malicious Web-attack toolkits
Web-attack toolkits are a collection of malicious scripts that simplify the task of infecting remote computers by using a combination of exploits. These are usually programmed in PHP and store information gathered from infected users in a MySQL database.

Professionally written attack kits, such as MPack, IcePack, NeoSploit, and WebAttacker, are openly available on Russian forums and IRC channels. These kits are sold much like commercial software (they cost $500 to $1,000) and include regular updates and technical support from their developers. Localized versions of the kits can be configured to target only visitors from specific countries, selected by the IP address ranges they arrive from.

Another widely used method is to spam a large number of e-mail addresses, or to send instant messages, inviting recipients to visit a Web site hosting the toolkit. The spammed messages are socially engineered to use sensational or mischievous subjects that entice victims into clicking the link.

When a user visits the rigged page, the toolkit determines whether the visiting computer has any exploitable vulnerabilities in its browser or installed applications. If it finds one, it sends the corresponding exploit and infects the computer; a visitor who matches nothing in its tables receives no exploit at all.
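The two selection steps just described (the country filter from the localized kits above, and the per-visitor fingerprint that picks an exploit) are worth modelling, because they explain why a fetch of a suspected kit page from an analyst's workstation often returns a clean page: the kit only serves an exploit to a client that matches its ranges and its fingerprint tables. The block below is an added example, not code from the article or from any real kit; the IP range, the browser version predicates and the module names are constructed placeholders, and no exploit content is involved.

```python
import ipaddress
import re

# Constructed kit configuration, illustrative only. TEST-NET-3 stands in for a
# country's address allocation; the module names are placeholders, not real
# exploits.
TARGET_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# (browser family, predicate on the major version, placeholder module name)
EXPLOIT_TABLE = [
    ("MSIE", lambda major: major < 7, "module_ie6"),
    ("Firefox", lambda major: major < 2, "module_ff1"),
]

# Opera is checked first because older Opera builds could identify as MSIE.
UA_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
]


def fingerprint(user_agent):
    """Return (browser family, major version) from a User-Agent, or (None, None)."""
    for family, rx in UA_PATTERNS:
        m = rx.search(user_agent)
        if m:
            return family, int(m.group(1))
    return None, None


def in_target_ranges(ip):
    """Country filter: the kit only engages visitors from the configured ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TARGET_RANGES)


def select_module(ip, user_agent):
    """Return the placeholder module this configuration would serve, or None
    when the visitor would get the benign page (wrong country or no matching
    vulnerable version)."""
    if not in_target_ranges(ip):
        return None
    family, major = fingerprint(user_agent)
    for name, vulnerable, module in EXPLOIT_TABLE:
        if family == name and vulnerable(major):
            return module
    return None


if __name__ == "__main__":
    ie6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    print(select_module("203.0.113.10", ie6))   # targeted country, old IE
    print(select_module("198.51.100.7", ie6))   # same browser, untargeted country
```

The practical consequence for an analyst is that a suspected page must be fetched with the User-Agent strings the kit targets and, where country filtering is suspected, from an address inside the targeted range; otherwise the sample looks harmless and the infection chain is never observed.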

The infecting payload can be anything from key-logger software, password stealers, or Trojan horse programs to a backdoor into the infected system that uses the compromised machine as a launch pad for further Internet attacks.

In addition to taking advantage of bugs in Microsoft Windows, the attack toolkit can be customized to exploit vulnerable versions of Web browsers such as Microsoft Internet Explorer, Mozilla Firefox, and Opera, as well as popular applications such as Adobe Reader, Apple QuickTime, RealPlayer, and WinZip.

Whenever a new exploit for a popular application appears in the wild, the kit's developers release an updated module with support for it. Each new version also contains fresh obfuscation techniques, aimed at making the kit's scripts and executables undetectable by the latest antivirus signatures.

These toolkits include a handy administrative console page that gives the owner of the attack server useful metrics and geographical statistics to monitor the success and state of their exploits.

The MPack statistics page (shown as a screenshot in the original article) displays real-time details of how many visiting computers were attacked, how successful each attack was, the types of exploits used, and the application or operating system that was targeted.

A second screenshot in the original article shows that owners can also view the number of visitors to the attack server organized by country of origin.

With the easy public availability of these toolkits on the Internet, script kiddies can install and deploy these attack toolkits with little technical know-how. In a recent crackdown of those involved in distributing virus code in China, none of the arrested resellers were found to be computer experts; one of them worked as a chef in a restaurant.

The road ahead
So how does one know where the next attacks will come from? What can be done to track down the bad guys and combat them?

One of the many ways to fight back is to scan the Internet for weak systems, monitor the sites that are vulnerable, and wait for them to be hacked. Once a site is compromised, don't attempt to shut down the compromised server, as that would only make the bad guys move elsewhere. Rather, keep an eye on the server and monitor it for any malicious uploads and downloads.
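Monitoring a watched site comes down to keeping a baseline copy of each page and diffing later fetches against it, with attention to the one thing an injected drive-by needs: a new reference to a resource on a host that is not the site's own. The following is an added example, not code from the article or from McAfee; the two page snapshots, the site name and the hosts are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed snapshots of one page. The baseline already loads a script from a
# third-party CDN, so "external" alone is not a signal; what matters is what is
# new relative to the baseline. Hosts are placeholders.
BASELINE = """<html><head>
<script src="http://static.somecdn.invalid/lib.js"></script>
</head><body><h1>News portal</h1><p>Today's headlines</p></body></html>
"""

COMPROMISED = BASELINE.replace(
    "</body></html>",
    '</body></html>\n<iframe src="http://attacker.invalid/index.php" width="0" height="0"></iframe>',
)

# Tags that pull and run or render remote content; src value is group 2.
SRC_RE = re.compile(
    r"<(script|iframe|object|embed)\b[^>]*?\ssrc\s*=\s*[\"']?([^\"'\s>]+)",
    re.IGNORECASE,
)


def external_resources(html, site_host):
    """Set of (tag, url) pairs whose host differs from the monitored site."""
    found = set()
    for tag, src in SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            found.add((tag.lower(), src))
    return found


def digest(html):
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def diff_snapshots(baseline, current, site_host):
    """Compare a fresh fetch against the stored baseline. 'changed' flags any
    byte-level difference; 'added' lists new off-site resources, which is the
    part worth an alert."""
    before = external_resources(baseline, site_host)
    after = external_resources(current, site_host)
    return {
        "changed": digest(baseline) != digest(current),
        "added": sorted(after - before),
        "removed": sorted(before - after),
    }


if __name__ == "__main__":
    report = diff_snapshots(BASELINE, COMPROMISED, "www.example-portal.invalid")
    print(report)
```

A byte-level hash changes on every editorial update, so on a live news site it fires constantly; the added-resource list is what separates a new headline from a new iframe. The same comparison applied to the site's file system (or to its web server logs, for uploads to directories that should not change) covers the "malicious uploads" half of the monitoring the article recommends.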

Some may argue this method allows too many users to suffer while letting security companies profit from users who now need products to clean up their systems. Our counterargument, however, is that the more intelligence we can gather, the better prepared we are to shut down attackers. The problem will not go away—but we can make life much more difficult for the bad guys.

Vinoo Thomas is a Virus Research Lead with McAfee Avert Labs in Bangalore. His primary responsibilities are analyzing computer viruses and tracking global malware trends. He is often quoted in the media for his analysis of new threats on the Avert Labs blog. He can be reached at Vinoo_Thomas@McAfee.com.