Finding Operating System (OS) level vulnerabilities that can bypass Authentication and perform a Remote Code Execution (RCE) more reliably has become more and more difficult with all the various security solutions in place. On the other hand, finding a vulnerability in the Content Management System (CMS) has become much easier and has a wider impact e.g., FakeAV campaign.
People are getting really good about patching their Operating Systems (OS), but they tend to forget some of the applications that are installed on their own box. Similarly, website owners who use an out of the box CMS solution to kick start their site don’t generally update their CMS solution. Even if they do update the CMS solution, they forget to update the plug-ins that they installed for that CMS. This happens to be an attacker’s playground.
All the attacker has to do is run a simple Google search for websites that have the vulnerable CMS/plugin installed and then send a targeted attack payload to compromise these sites. Once the attacker has successfully compromised the website, they can embed malware in the site that could compromise the computer of any visitors to the site.
There are many ways to find the presence of these vulnerabilities in your website; the simplest and most proactive way being to run a vulnerability scanner against your website at regular intervals and determine all the security flaws. There are many products out there that do this, including Tennable’s “Nessus,” Google’s “Skipfish,” Go Daddy’s “Website Protection Site Scanner,” etc.. We wanted to take a behavioral-based approach that would determine if a particular website was already compromised and whether or not it is malicious. To reach this goal, GoDaddy.com partnered with Arizona State University to devise a new solution that will determine if the website has any malicious intent. Dr. Gail-Joon Ahn and his Ph.D. student, Ziming Zhao, have been working with me on this solution. You can read more about this research at sefcom.asu.edu.
The primary objective of this research initiative is to detect malicious websites and identify embedded attack vectors in web pages. Without going into too much detail, the proposed solution pretty much tries to imitate human behavior. When we supply a domain name to the system, it spawns a base image of an Operating System using VMWare and then crawls through the website using multiple browsers. While crawling the site, we record all activities happening at both the OS and network layer. We look for anything from a random file being created on the file system to a registry entry being created. Sometimes the files that were created are legitimate files, so we run those files through an Anti-Virus Solution to verify that they are clean. Finally, when the analysis is completed and reported back to the centralized repository, we revert back the VM snapshot for the next URL to be scanned. The following illustration shows the high level working of our solution.
In summary, Malware detection should be constantly evolving as Malware writers find new ways to evade detection. The more we can simulate human behavior, the better we are going to be with Malware detection. This could potentially help us stay ahead of the curve for a while.