performzencart
zencart  Date: 2021-04-12
Copyright IBM Corporation 2013  Trademarks

Loaded pages: How your website can infect visitors with malware
A developer's introduction to malicious websites

Jeff Orloff
January 15, 2013

Google claims that 9,500 websites per day are infected with malware meant to harm the site's visitors. Understanding how malware infects a website and what can be done to stop it can help keep your visitors' computers free of malware.

Over the years, the term malware has been used to describe any type of malicious software, including viruses, Trojan horses, worms, spyware, scareware, and adware. In the early days of computers, malware was considered more a prank used to annoy people through destructive behavior or to show off programming skills. Basically, the more people your malicious program could infect, the greater your status in certain circles. The malicious programs were often delivered to their intended victims as email attachments, shared through removable storage media or through file-sharing services.

Although malware of this sort caused a wealth of problems for its victims, the driving force behind it did not motivate as many people to get involved because the payoff wasn't as lucrative to a wide base. Today, the driving force behind malware has shifted to money. Because these attacks are driven by financial rewards, there is more malware in the wild than ever before. Not only are more people involved in the creation and distribution of malware, but the attacks have grown more sophisticated. Cyber-criminals have learned how to use malware to turn large profits by:

- Displaying and clicking ads
- Stealing confidential data
- Hijacking user sessions
- Compromising user login credentials
- Stealing financial information
- Making fraudulent purchases
- Creating spam
- Launching denial-of-service attacks

To deliver their malicious software to as many victims as possible, cyber-criminals have turned to websites as one of their primary sources of distribution.

Why websites

People have learned not to download files attached to emails, and they have stayed away from popular file-sharing services because so many files are infected with malware. One thing that people have not stopped doing, though, is surfing the Web. According to Internet World Stats (see Related topics for a link), in 2011 there were 2,279,709,629 active Internet users, and that number continues to grow.

With an attack landscape this large and with so many users not being suspicious, it's no wonder that websites have become the favorite media used to infect users with malware. In fact, malicious websites have become so prevalent that Google blacklists roughly 6,000 websites every day because they carry some sort of malicious software that is dangerous to visitors.

How malware spreads through websites

Those responsible for infecting websites with malware do so in one of three ways:

- They create a malicious website of their own.
- They exploit a vulnerability on the web server or in its configuration.
- They exploit a vulnerability in the applications the website relies on.

Because this article focuses on what you can do to prevent your websites from falling victim to these attacks, I address only the latter two methods.

After an attacker has found a vulnerability that he or she can successfully exploit, the attacker needs to determine how he or she will deliver malware to the website's visitors. Table 1 lists some of the common methods.

Table 1. Common ways websites distribute malware

Method | Description
Downloads | The user is tricked into downloading the malicious code. A common tactic used is to tell the visitor that he or she needs to update multimedia software to view a video, or a victim is tricked into downloading a PDF or other type of file that actually contains malware.
Banner ads | Users are tricked into downloading malicious files when they click infected ads that appear on the website.
Drive-by downloads | When this method is used, the visitor does not need to perform any action on a website other than simply visit. Malware can be hidden inside invisible elements on the site, such as iframes or unobfuscated JavaScript code; it can even be embedded in multimedia files, such as images, videos, or Adobe Flash animations. When the page loads, the malware infects the visitor's computer using vulnerabilities in the browser or plug-ins.

Infecting websites through server vulnerabilities

In addressing server-based vulnerabilities, I look at two of the more popular web server applications on the market: Apache and Microsoft Internet Information Services (IIS). These two servers power 78.65 percent of all websites.

Both Apache and IIS—or any other web server—have vulnerabilities that malicious attackers can exploit. When attackers are able to compromise the server software or the server itself, they are able to upload malicious code or even entire web pages that deliver malware to the site's visitors. Examples of vulnerabilities that allow this type of attack to take place come from two primary sources.

Vulnerabilities found in the default installation

When web server software is installed, the default configuration is usually set up to make publishing a website easy, not secure. Unnecessary modules and services may also be part of a web server's default installation. These extras may give an attacker unrestricted access to your website's files.

Each operating system, web server software, and version has unique vulnerabilities that can be found with a simple web search. Before a website goes live, any known vulnerabilities should be addressed.

Broken authentication and session management

This source encompasses all aspects of user authentication and the management of active sessions. According to the Open Web Application Security Project (OWASP), "A wide array of account and session management flaws can result in the compromise of user or system administration accounts. Development teams frequently underestimate the complexity of designing an authentication and session management scheme that adequately protects credentials in all aspects of the site."

To mitigate against this type of vulnerability, those responsible for the administration of the web server and site need to adhere to password policies that determine the strength, storage, and change controls of all passwords. Furthermore, remote management capabilities for the web server should be secured or even turned off so that user credentials are not compromised through transit.

Uploading malware through vulnerabilities in the website

If websites were still static text and images, it would be much more difficult for the bad guys to use a legitimate website to serve up malicious software. However, today's websites are powered by databases, complex code, and third-party applications that make the user experience much richer while opening the site to any number of vulnerabilities.

Take WordPress, for example. This blogging application has changed how websites are created by making it easy for anyone with a bit of technical knowledge to create a multimedia-rich, interactive website. It is so popular that it powers more than 50 million websites. WordPress's ease of use, however, was also the cause of a recent outbreak, in which between 30,000 and 100,000 sites running the application redirected victims to malicious sites.

Sites that installed a particular plug-in found their pages infected with code that redirected visitors to another site. This site would then infect the victim's computer with malware based on the operating system and applications that the computer was running. The Flashback Trojan that infected more than 500,000 Macs was one of the malicious programs that spread through this exploit.

Examples like this are not limited to WordPress, however. Applications like Joomla!, Drupal, MediaWiki, Magento, Zen Cart, and many others have all had vulnerabilities in them that allow malicious hackers to upload malware to these sites to be distributed to visitors.

Preventing attacks against web applications

For attackers to exploit a web application, they must find some type of vulnerability. Unfortunately for the owners of websites, there are so many different types of known vulnerabilities that they can't all be listed here. Some you may be familiar with, however:

- Cross-site scripting (XSS)
- Structured Query Language injections
- Cross-site request forgery injections
- URL redirects
- Code execution
- Cookie manipulation

And the list goes on.

Mitigating web application threats

Fortunately, there are ways to find out if your site is vulnerable to any of the known exploits by using web application-penetration techniques. By thoroughly testing a website for known vulnerabilities, you can address these threats before an attacker is able to manipulate them to distribute malware to your visitors. You can do so using a variety of open source or commercial tools, or you can outsource the service to companies that specialize in this.

Although penetration testing will help identify problems that need to be fixed in your website's code, web application firewalls can help stop threats before they reach your site. By identifying known attack patterns, you can thwart the efforts of malicious hackers before they are able to cause damage to your site. More advanced web application firewalls can even provide protection against unknown, zero-day threats by identifying illicit traffic.

Limiting vulnerabilities in Apache

Whenever a server is configured, it is a best practice to install only the modules and applications that are necessary. By now, this is not only a best practice but a common practice.

There are other basic steps that you should take to limit the vulnerabilities that exist in Apache's web server. Throughout the course of this article, I use the commands relevant to the Ubuntu distribution of Linux. For Apache running on other operating systems or distributions, simply search for the steps required to perform each task.

Disable the banner

By default, Apache shows its name and version number upon a web request, announcing to any potential attackers what exactly the website is running. Disabling that banner makes it more difficult to pinpoint any other vulnerabilities. You can do so by navigating to /etc/apache2/apache2.conf and disabling the ServerSignature and ServerTokens entries.

Disable directory indexing

Another default is the ability to print a list of files found in the website directories. This feature lets an attacker map your server and identify potentially vulnerable files. To mitigate against this issue, you need to disable the autoindex module. Simply open the terminal and use the following commands:

    rm -f /etc/apache2/mods-enabled/autoindex.load
    rm -f /etc/apache2/mods-enabled/autoindex.conf

Disable WebDAV

Web-based Distributed Authoring and Versioning (WebDAV) is the file-access protocol of HTTP that allows for the uploading, downloading, and changing of file contents on a website. In any production website, WebDAV should be disabled so that an attacker cannot change your files to upload malicious code.

Using the terminal, you disable the dav, dav_fs, and dav_lock files by removing them with the following:

    rm -f /etc/apache2/mods-enabled/dav.load
    rm -f /etc/apache2/mods-enabled/dav_fs.conf
    rm -f /etc/apache2/mods-enabled/dav_fs.load
    rm -f /etc/apache2/mods-enabled/dav_lock.load

Turn off the TRACE HTTP request

The HTTP TRACE request can be tricked into printing session cookies and this information used to hijack a user session to launch an XSS attack. You can disable this trace by navigating to the /etc/apache2/apache2.conf file and making sure that TraceEnable reads TraceEnable off.
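
The four Apache steps above can be checked in one pass. The script below is an added example, not code from the original article: the function names and the sample tree are constructed for illustration, `ServerTokens Prod` is assumed to be the hardened value (the article only says to disable the entry), and `conf-enabled/` is read as well as `apache2.conf` on the assumption that some Debian/Ubuntu packages keep these directives there.

```shell
#!/bin/sh
# Added example: audit the Apache hardening steps from this article.
# Limitation: <VirtualHost> overrides in sites-enabled/ are not examined.

# Print the last value set for a directive (lower-cased), skipping comments.
directive_value() {
    cat "$1/apache2.conf" "$1"/conf-enabled/*.conf 2>/dev/null |
        awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 }
                       END { print tolower(v) }'
}

# Print one FAIL line per finding; return 1 if anything failed.
audit_apache() {
    root=${1:-/etc/apache2}; rc=0
    for name in ServerSignature ServerTokens TraceEnable; do
        actual=$(directive_value "$root" "$name")
        case "$name=$actual" in
            ServerSignature=off|TraceEnable=off) ;;
            ServerTokens=prod|ServerTokens=productonly) ;;
            *) echo "FAIL: $name is '${actual:-unset}'"; rc=1 ;;
        esac
    done
    for mod in autoindex dav dav_fs dav_lock; do
        if [ -e "$root/mods-enabled/$mod.load" ]; then
            echo "FAIL: module $mod is enabled"; rc=1
        fi
    done
    return $rc
}

# Build a constructed config tree with weak settings (not a real server).
make_sample() {
    mkdir -p "$1/conf-enabled" "$1/mods-enabled"
    printf '%s\n' '# ServerTokens Prod' 'ServerTokens OS' \
        'ServerSignature On' > "$1/apache2.conf"
    printf '%s\n' 'TraceEnable Off' > "$1/conf-enabled/security.conf"
    : > "$1/mods-enabled/autoindex.load"
    : > "$1/mods-enabled/dav.load"
}

demo() {
    d=$(mktemp -d) && make_sample "$d"
    audit_apache "$d" || echo "hardening incomplete"
    rm -rf "$d"
}
demo
```

Point `audit_apache` at `/etc/apache2` after making the changes; Apache itself still has to be restarted for them to take effect.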

Limiting vulnerabilities in IIS

One thing that makes Windows Server products so attractive to the consumer market is their ease of installation. Using IIS, a company can get a web server up and running with a few clicks. When the server software is installed out of the box, there is little need for configuration: It's done for you.

To address security issues in its web server product, Microsoft has made significant changes to how IIS is configured and what is installed by default. There are, however, some steps that you can take to better protect against threats.

Install antimalware software

Code Red and Nimda were both worms that attacked the Windows Server operating system, and both did a great deal of damage. Without adequate antimalware protection on the host operating system itself, a website quickly becomes vulnerable to attack. Using keystroke loggers, Trojans, and other malware, attackers can not only easily compromise the web administrator's login credentials, but they also have the ability to insert malicious code into the files that are served up to people visiting the site.

After antimalware software is installed, it should be immediately updated and then run before any website files are uploaded. If anything is found, all passwords should immediately be changed.

Update everything else

Before a web server running IIS goes live, be sure to update the operating system software and web server software with the latest updates from Microsoft. These updates usually contain patches that address vulnerabilities specific to Microsoft products.

Cleaning up after an attack

When a website is guilty of causing harm to its visitors, you must take steps immediately. To begin with, take down and quarantine your site. If you need to have your site up and running so as to avoid interrupting your business, rely on a backup that is verified malware free.

When your web presence is taken care of, it's time to clean the infected files. Some infections require only the removal of a few lines of code, while more sophisticated attacks might require that you rewrite the entire file. Whatever steps are necessary to remove malware from a site need to be taken at this point.
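
One way to find which files need cleaning is to compare the quarantined site against the verified backup mentioned above. The script below is an added example, not code from the original article; the function names and the sample trees are constructed for illustration, and it assumes `sha256sum` is available, as it is on Ubuntu.

```shell
#!/bin/sh
# Added example: list files in a live web root that differ from a
# verified-clean backup, to narrow down which files need cleaning.

# Print "path<TAB>sha256" for every regular file under directory $1.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) |
        awk '{ h = $1; sub(/^[^ ]+ [ *]/, ""); print $0 "\t" h }'
}

# compare_trees BACKUP LIVE: print ADDED / MODIFIED / MISSING per path.
compare_trees() {
    clean_list=$(mktemp); live_list=$(mktemp)
    manifest "$1" > "$clean_list"; manifest "$2" > "$live_list"
    awk -F'\t' '
        FILENAME == ARGV[1]  { clean[$1] = $2; next }
        !($1 in clean)       { print "ADDED " $1; next }
        clean[$1] != $2      { print "MODIFIED " $1 }
                             { delete clean[$1] }
        END { for (p in clean) print "MISSING " p }
    ' "$clean_list" "$live_list" | sort
    rm -f "$clean_list" "$live_list"
}

# Constructed sample trees (not real site content): the live copy has one
# altered page, one extra file and one deleted file.
make_samples() {
    mkdir -p "$1/backup/js" "$1/live/js"
    echo '<h1>Home</h1>'  > "$1/backup/index.html"
    echo 'var a = 1;'     > "$1/backup/js/app.js"
    echo 'User-agent: *'  > "$1/backup/robots.txt"
    cp "$1/backup/js/app.js" "$1/live/js/app.js"
    echo '<h1>Home</h1><!-- constructed change -->' > "$1/live/index.html"
    echo 'constructed extra file' > "$1/live/js/extra.js"
}

demo() {
    tmp=$(mktemp -d) && make_samples "$tmp"
    compare_trees "$tmp/backup" "$tmp/live"
    rm -rf "$tmp"
}
demo
```

Files reported as ADDED or MODIFIED are the ones to inspect first; anything the site legitimately changed since the backup was taken will show up as well.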

Repair your reputation

When Google and the other search engines find a site that is serving malware, they can pull it from their results. This can have devastating effects on a business.

After all malware has been removed and any vulnerabilities patched, submit the site to the search engines for review. If they determine that it is no longer a threat to any visitors, the website can be re-listed and traffic from the search engine can be restored.

If the malware infection has compromised user account information, all users should be notified immediately so that they can deal with any ramifications. In addition, an organization will need to see whether any laws or regulations have been violated as a result of the breach and take appropriate measures to mitigate any negative effects and keep them in compliance.

Conclusion

In a report by Dasient, approximately 1.1 million websites were found to have some type of malware in the fourth quarter of 2010. Other studies show that 85 percent of all malware comes from the Web. Now, it would be easy to write this off if the sites that were causing all the problems had a malicious intent from the beginning. Unfortunately, it is the small business website, the church website, or even the well-respected news website that is responsible for infecting so many computers.

The responsibility for protecting websites against attack is falling on the shoulders of the web developer. The days of sitting back and writing awesome code are over. Now, the developer needs to make sure that his or her code is functional and secure.

The techniques listed in this article will certainly help the developer who doesn't understand website security build a foundation for his or her knowledge, but it shouldn't stop here. The threat landscape changes daily. As zero-day exploits emerge and cyber-criminals adapt to countermeasures, web developers too need to adapt and be on the lookout for how they can better secure their sites.

Related topics

- Internet World Stats: Find more Internet statistics.
- Google blacklists: Read more about why Google blacklists roughly 6,000 websites every day.
- Prevalence of Apache and IIS: According to Netcraft, Apache and IIS power 78.65 percent of all websites.
- WordPress: Read more about the prevalence of WordPress.
- "Hardening the Linux server": Learn how to harden your Linux server (developerWorks, December 2008).
- OWASP Top Ten Web Application Security Threats: Learn more about OWASP and its work.

Copyright IBM Corporation 2013 (www.ibm.com/legal/copytrade.shtml)
Trademarks (www.ibm.com/developerworks/ibm/trademarks/)