2.0
When the Cloud Turns Dark

cally tailored to a user’s computer. Perimeter defenses that disallow incoming connections are rendered useless against exploitation as attackers use the browser to initiate outbound connections to download attack payloads. This type of traffic looks almost identical to the users’ normal browsing traffic and is not usually blocked by network firewalls.

To prevent Web-based malware from infecting users, Google has developed an infrastructure to identify malicious Web pages. The data resulting from this infrastructure is used to secure Web search results, as well as protect browsers such as Firefox and Chrome. In this article, we discuss interesting Web attack trends and some of the challenges associated with this rising threat.

WEB ATTACKS

As Web browsers have become more capable and the Web richer in features, it is difficult for the average user to understand what happens when visiting a Web page. In most applications, visiting a Web page causes the browser to pull content from a number of different providers (for example, to show third-party ads, provide interactive maps, or display online videos). The sheer number of possibilities involved in designing Web pages and making them attractive to users is staggering. These features increase the complexity of the components that constitute a modern Web browser. Unfortunately, each browser component may introduce some new vulnerabilities that an attacker can leverage to gain control over a user’s computer. Over the past few years we have seen an increasing number of browser vulnerabilities,[5, 7] some of which have gone weeks without official fixes.

To exploit a vulnerability, an attacker must get the user to visit a Web page that contains malicious content. One way to attract user traffic is to send spam that advertises links to malicious Web pages, but this delivery mechanism requires the user to open the spam and then click on the embedded link. The ubiquitous Web infrastructure provides a better solution. While it is easy to exploit a Web browser, it is even easier to exploit Web servers. The relative simplicity of setting up and deploying Web servers has resulted in a large number of Web applications with remotely exploitable vulnerabilities. Unfortunately, these vulnerabilities are rarely patched, and remote exploitation of Web servers is increasing. Attackers can easily compromise a Web server and inject malicious content (for example, via an IFrame pointing to an exploit server). Any visitor to such a compromised Web server becomes a target of exploitation. If the visitor’s system is vulnerable, the exploit causes the browser to download and execute arbitrary payloads. This process is known as drive-by download. Depending on the popularity of the compromised Web site, an attacker may get access to a large user population. Last year, Web sites with millions of visitors were compromised in this way.
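A site operator can check served pages for the injected IFrame described above. The following is an added example, not code from the article or from Google's infrastructure; it assumes that an injected frame is made invisible (zero-size or hidden by style), and the host names, sample page, and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for the hypothetical site www.example.org: a same-site
# frame, a visible third-party embed, and an injected invisible off-site frame.
SAMPLE_PAGE = """
<html><body>
<h1>Community forum</h1>
<iframe src="/widgets/poll.html" width="300" height="200"></iframe>
<iframe src="https://maps.example.net/embed" width="600" height="400"></iframe>
<iframe src="http://exploit-server.invalid/in" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
PIXELS = re.compile(r"^\s*(\d+)\s*(?:px)?\s*$", re.I)

def is_tiny(value):
    """True for explicit sizes of 0 or 1 pixel; percentages and missing values are not tiny."""
    m = PIXELS.match(value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeAuditor(HTMLParser):
    """Records iframes that load from another host and are invisible to the visitor."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Relative URLs have no hostname and therefore count as same-site.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        off_site = bool(host) and host != self.site_host
        tiny = is_tiny(a.get("width")) or is_tiny(a.get("height"))
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if off_site and (tiny or hidden):
            self.findings.append({"src": a["src"], "line": self.getpos()[0],
                                  "tiny": tiny, "hidden": hidden})

def audit_page(html, site_host):
    """Return one finding per invisible off-site iframe in the served HTML."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, "www.example.org"):
        print(f"line {f['line']}: suspicious iframe -> {f['src']}")
```

Visible third-party embeds such as ads or maps are deliberately not flagged, so the check is best run against a baseline of the frames a page is expected to contain.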

TAKING OVER WEB SERVERS

Turning Web servers into infection vectors is, unfortunately, fairly straightforward. Over the past couple of years, we have observed a number of different attacks
