For some time now, the browser has been the most dangerous piece of software on the Web, and to hear researchers tell it, the climate is likely to get far worse before it gets any better.
The attack landscape has shifted in a lot of important ways in the last few years, but none of the changes has been as significant as the focus on the browser as the target of choice for attackers of all stripes. Browser-based exploits are the top attack vector, and not just for low-level script kiddies killing time. A number of sophisticated attack crews have been using drive-by downloads and other browser attacks as an initial way to compromise a target machine before jumping to other applications or PCs.
The gangs behind Gumblar, Zeus and other massive Web-based attacks have relied on browser-based exploits for much of their success, and experts say that these well-known attacks are just the ripples on the surface of what is a much larger sea of exploits targeting all of the major browsers. In a talk on drive-by downloads at last week’s OWASP AppSec DC conference, Neil Daswani, CTO and founder of Dasient, said that part of the reason for the success of browser-based attacks is the massive population of vulnerable Web applications that serve as the initial targets for attackers.
“Drive-by downloads are a huge problem. The attackers go after the Web apps on legitimate sites, and once they compromise those, they load them with exploits that go after the browser,” Daswani said. “The problem is that no application exists in a vacuum anymore. Even if the application itself is secure, three out of four sites on the Web include some sort of JavaScript widget. I’ve seen many attacks where they compromise that widget and then inject an iFrame onto the site and it turns everyone into a node in a malware distribution network.”
That’s one of the more popular attack methods right now, and it’s working remarkably well, even though it’s been widely publicized and researchers have been talking about methods for defending against SQL injection and JavaScript attacks for years. Even some of the biggest players in the industry have been taking steps to help bring attention to the problem of legitimate sites being compromised and used as attack platforms. Google has undertaken an effort in the last year or so to provide Web site owners and operators of large networks with tools to help them find and eliminate malicious code on their sites.
Google’s Safe Browsing Alerts gives administrators of large networks the ability to sign up for notifications whenever Google’s automated crawlers find malicious code on one of the network’s sites. Google also has a separate service for site owners that will provide them with a sample of any malicious code the company finds on a site, helping the security team find and eliminate the code and possibly the vulnerability that enabled the compromise.
Browser vendors such as Microsoft, Mozilla and Microsoft have added defenses to their products over the last couple of years to help protect users against drive-by download attacks. Google Chrome, for example, includes a sandbox that’s designed to prevent attackers from being able to break out of the browser and jump to other applications. But the attackers have adapted their tactics to target the thousands of third-party plug-ins and extensions that are available for browsers, most of which are written by third-party developers. Many users are unaware that they have these extensions installed, let alone that they need to be updated regularly, leaving an easy avenue in for attackers.
The attacks that Daswani described are complex, multi-stage operations that often involve multiple redirects and a large cadre of compromised back-end servers hosting various pieces of malware. In one scenario, his team observed a drive-by download attack that exploited a browser bug to download a script that had several layers of obfuscation. The source of the script was a compromised Web server, which then served additional malware to the PC and began fingerprinting the machine to see what versions of the browser, Adobe Reader and other software it was running. The server then threw the appropriate version of the malicious code at the machine to exploit Reader and start moving along.
“It’s a complex problem. Once that’s all done, which takes a few seconds, it’s over,” he said.
And the complexity of the problem means that there’s no simple solution. Fixing the drive-by download mess requires work by the browser vendors, Web site owners and users, all of whom have a vested interest in seeing it done. But as much work as companies such as Google and others have put into it, there’s plenty more to be done.