When websites attack.

  • 11 January 2014
  • 0 replies
  • 4 views

Userlevel 7
Badge +54
Windows threats like Cryptolocker and ZeroAccess get all of the attention, but malware targeting (Linux) Web servers continues to evolve.
 
Malware became even smarter, stealthier, and shadier in 2013, according to the latest Sophos Threat Report. Nowhere was this more evident than in the use of the Web as a vector for spreading malware to unsuspecting users. Sure, the payloads -- from the disruptiveCryptolocker ransomware to the silent but deadly ZeroAccess botnet -- were more sophisticated this past year, but the unsung "heroes" of cybercrime are the 20,000 to 30,000 new malicious URLs that come online each day.
 
Those malicious URLs -- 80 percent of which are on compromised, legitimate websites, according to a SophosLabs estimate -- can serve a number of purposes. Some deliver the payload, of course, usually through drive-by downloads, malvertising, or social engineering. But those are just a small handful of the total. The rest serve as the funnel to get users to the payload delivery sites. That includes generating SEO spam that increases exposure to dangerous URLs and shuffling users from the legitimate sites they were viewing through a series of traffic redirectors to the ultimate payload. Recently, Sophos researchers have seen that some compromised sites are centrally controlled like a botnet, allowing them to serve up DDoS and other coordinated attacks.
 
That coordination, and the delivery of the payloads, is handled by exploit kits. While Blackhole has been on the decline, especially after the arrest of its alleged creator, Paunch, plenty of others have stepped up to take its place. Names like Neutrino and Glazunov have become familiar to security researchers, along with Redkit, which wreaked havoc this spring on high profile sites like NBC.com and lesser-known URLs advertised by tasteless spam exploiting the Boston Marathon bombings. These new exploit kits build on the leaked source code of Blackhole, while adding new features and capabilities, like the aforementioned bot-like behavior.
 
Hosting the exploit kits are infected Web servers. This past year saw a rise in the use of malicious modules for the Apache Web server, such as Darkleech. This nasty bugger is capable of using all kinds of tricks to avoid detection and analysis, such as only responding with malicious behavior once per IP address or triggering randomly one in every 10 times a page is accessed.
 
Full Topic

0 replies

Be the first to reply!

Reply