Security Now Blog: Addressing Today's Information Security Issues

Another Horror Story of Websites Attacking Visitors

by Eirik Iverson, Product Management

Since January 2010, over 100,000, and possibly up to 5,000,000, websites have been unleashing drive-by download attacks on visitors using Internet Explorer or Adobe Reader/Acrobat.  Less than a week ago, fewer than half of the roughly 50 leading antivirus products were detecting the attack.  If during this time you visited a website that had no real content yet, just boilerplate along the lines of "under construction", and that "parked" page was hosted by Network Solutions Inc., which may be the largest such host in the industry, then your computer may be infected!

There are millions of "parked" websites.  Visitors reach them by typing in an arbitrary URL, misspelling one, clicking an erroneous link, or clicking a search result link.  Firms such as Network Solutions Inc. host these "parked" websites, placing advertisements and other content on them.  In this horror story, a JavaScript "widget" called "Small Business Success Index" was hosted on these "parked" websites.  Attackers had altered it to launch drive-by download attacks on visitors, exploiting zero-day vulnerabilities in either Internet Explorer or Adobe Acrobat/Reader.  Network Solutions Inc. asserts that its in-house investigation found no examples of its hosted live websites carrying this nasty "widget".  It disputes reports of 500,000 to 5,000,000 affected URLs, saying the known figure is around 120,000.  Network Solutions has removed all known instances of the widget and has advised any other site owners still using it to remove the "widget".

Victims fell prey to an ordinary drive-by download attack: simply visiting the web page was all that was required of the end user.  Once the page loaded, the "widget" served an exploit for a vulnerability in either Internet Explorer or Adobe Reader/Acrobat.  The exploited application would then write a "downloader" to the visitor's PC, somewhere in "user-space" (a location the logged-in user can write to, such as the profile's temporary or application data folders).  Drive-by download attacks usually place their "downloader" in user-space because they can always do so: the exploited process runs with the victim's own privileges, so the attacker can write wherever that user can.  They can only place the "downloader" in "system-space" (the Windows system or program directories) if the end user of the PC is logged in with local admin rights.  Once the "downloader" launches, it downloads and installs whatever persistent malware best suits the host and the objectives of those behind the attack.

Fewer than half of the antivirus products detected the attack; those that did characterized it as a generic Trojan horse installer or a member of the Koobface worm family.  Researchers have said the persistent malware consists of a file named lsass.exe (the name of a legitimate Windows system process, borrowed so the malware blends into a process list), which monitors web browsing.  When it detects certain keywords, it redirects the user to particular pay-per-click advertising sites.  While doing this job, it also looks to enlist more victims by copying malware onto file shares and into peer-to-peer file-sharing directories.
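The two host-side artifacts described above, a "downloader" dropped into a user-writable folder and persistent malware that borrows the lsass.exe name, are both things a responder can check for in a process listing. The following Python is an added example, not code from the original post or from AppGuard: it applies those checks to a process snapshot that is constructed for the example. It assumes a default Windows layout (%SystemRoot% at C:\Windows, profiles under C:\Users or C:\Documents and Settings); the process names and paths in the snapshot are invented.

```python
"""Detection logic for the two host-side artifacts described above.

Added example, not code from the original post or from AppGuard.  The process
snapshot below is constructed for the example; on a real host it would come
from a process listing (tasklist, Process Explorer, or a PowerShell query).
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed default install location; override on hosts with a non-standard %SystemRoot%.
SYSTEM_ROOT = "C:\\Windows"

# Facts about the legitimate Local Security Authority process on Windows:
# exactly one instance, image in System32, parent wininit.exe (Vista and later)
# or winlogon.exe (XP).
LEGIT_LSASS_PATH = ntpath.join(SYSTEM_ROOT, "System32", "lsass.exe").lower()
LEGIT_LSASS_PARENTS = {"wininit.exe", "winlogon.exe"}

# Profile roots an unprivileged user can write to; %TEMP%, %APPDATA% and
# Downloads all live under these, which is where a drive-by "downloader" lands
# when the victim is not running as an administrator.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",                   # Vista and later
    "c:\\documents and settings\\",  # XP
)


@dataclass
class Proc:
    pid: int
    name: str         # image name as shown in the process list
    path: str         # full path of the image on disk
    parent_name: str  # image name of the parent process


def is_user_writable(path: str) -> bool:
    """True if the image lives under a profile directory any user can write to."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def find_suspicious(procs: List[Proc]) -> List[Tuple[Optional[int], str]]:
    """Return (pid, reason) findings; pid is None for snapshot-wide findings."""
    findings: List[Tuple[Optional[int], str]] = []

    # Rule 1: there is exactly one real lsass.exe on a Windows host.
    lsass_count = sum(1 for p in procs if p.name.lower() == "lsass.exe")
    if lsass_count > 1:
        findings.append((None, "%d lsass.exe instances (expected exactly 1)" % lsass_count))

    for p in procs:
        name, path = p.name.lower(), p.path.lower()
        if name == "lsass.exe":
            # Rule 2: the real one runs from System32 with a known parent.
            if path != LEGIT_LSASS_PATH:
                findings.append((p.pid, "lsass.exe running outside System32: " + p.path))
            elif p.parent_name.lower() not in LEGIT_LSASS_PARENTS:
                findings.append((p.pid, "lsass.exe with unexpected parent " + p.parent_name))
        elif is_user_writable(path) and path.endswith(".exe"):
            # Rule 3: executables launched from the profile are where a
            # drive-by "downloader" shows up; noisy, so treat as triage.
            findings.append((p.pid, "executable running from user-writable path: " + p.path))
    return findings


# Constructed snapshot: a clean system plus the two artifacts from the post.
SAMPLE_PROCS = [
    Proc(500, "wininit.exe", "C:\\Windows\\System32\\wininit.exe", "smss.exe"),
    Proc(600, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", "wininit.exe"),
    Proc(1800, "iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe", "explorer.exe"),
    # "downloader" written to the profile's temp folder by the exploited browser (constructed name)
    Proc(2100, "update.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "iexplore.exe"),
    # persistent malware using the lsass.exe name, installed by the downloader (constructed path)
    Proc(2200, "lsass.exe", "C:\\Users\\alice\\AppData\\Roaming\\lsass.exe", "update.exe"),
]


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_PROCS):
        print(pid, reason)
```

Rule 3 is deliberately noisy: per-user application installs also run from the profile, so its hits are a triage queue rather than a verdict. What makes a hit worth escalating is lineage, which the snapshot carries in `parent_name`: a browser or PDF reader spawning an executable out of %TEMP% is the drive-by pattern, and that same executable then spawning an lsass.exe outside System32 is the rest of the story the post tells.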

AppGuard Protected Computers from these Attacks

This was an unremarkable drive-by download attack, routinely stopped by AppGuard or AppGuard Enterprise but missed by half of the antivirus products on the market.  Depending on how polymorphic the attack code is, the antivirus products that missed it may have detection signatures within a month.  Then again, cyber criminals know this and retire malware samples after less than 48 hours to severely reduce the odds of a signature ever being written.  AppGuard closes that gap, whether it lasts days, weeks, or months, by preventing the malware from operating at all.  This raises a question for computer users living within that gap: what passwords, documents, or other data might a cyber criminal want from your computer in a typical week, month, or year?  If nothing, then no worries.  If something, then your traditional antivirus is not enough, and you should add something like AppGuard.