Wicked web: FireShark finds potentially malicious servers by determining which ones are serving up content to multiple websites.
Websense
Analyzing the connections between sites could help spot Web attacks.
Over the past couple of years, cybercriminals have increasingly focused on finding ways to inject malicious code into legitimate websites. Typically they've done this by embedding code in an editable part of a page and using this code to serve up harmful content from another part of the Web. But this activity can be difficult to spot because websites also increasingly pull in legitimate content, such as ads, videos, or snippets of code, from outside sites.
Now a researcher at Websense, a security firm based in San Diego, has developed a way to monitor such malicious activity automatically.
Speaking at the RSA Security Conference in San Francisco last week, Stephan Chenette, a principal security researcher at Websense, detailed an experimental system that crawls the Web, identifying the source of content embedded in Web pages and determining whether any code on a site is acting maliciously.
Chenette's software, called FireShark, creates a map of interconnected websites and highlights potentially malicious content. Every day, the software maps the connections between nearly a million websites and the servers that provide content to those sites.
"When you graph multiple sites, you can see their communities of content," Chenette says. While some of the content hubs that connect different communities could be legitimate--such as the servers that provide ads to many different sites--other sources of content could indicate that an attacker is serving up malicious code, he says. According to a study published by Websense, online attackers' use of legitimate sites to spread malicious software has increased 225 percent over the past year.
Even legitimate hubs can pose a threat, however. In September, for example, the New York Times acknowledged that online criminals, masquerading as legitimate advertisers, had placed content on its site via an advertising network.
Attacking a network of this kind can be far more lucrative than attacking any single site. "Let's suppose that the site's security is top-notch. How can a malicious attacker get to the user?" Chenette says. "An ad network would be a fine choice."
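The site-to-content-host mapping described above can be sketched in a few lines. This is an added example, not FireShark's code: the pages, the `.example` hosts, the `KNOWN_HUBS` allowlist and the `min_sites` threshold are all constructed assumptions.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample crawl (site -> HTML); every host is a made-up .example name.
PAGES = {
    "news.example": '<script src="http://ads.example/a.js"></script>'
                    '<iframe src="http://cdn-x.example/f"></iframe>',
    "blog.example": '<script src="//ads.example/a.js"></script>'
                    '<script src="http://cdn-x.example/w.js"></script>',
    "shop.example": '<img src="/logo.png"><iframe src="http://cdn-x.example/f"></iframe>'
                    '<img src="http://static.shop.example/p.png">',
    "forum.example": '<script src="http://ads.example/a.js"></script>',
}
KNOWN_HUBS = {"ads.example"}  # assumption: hubs an analyst has already vetted

class EmbedParser(HTMLParser):
    """Collects the hosts a page pulls embedded content from."""
    TAGS = {"script", "iframe", "img", "embed"}

    def __init__(self, site):
        super().__init__()
        self.site, self.hosts = site, set()

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        host = urlparse(dict(attrs).get("src") or "").hostname
        if host and host != self.site:  # relative URLs have no hostname
            self.hosts.add(host)

def build_graph(pages):
    """Map each content host to the set of sites that embed it."""
    served = defaultdict(set)
    for site, html in pages.items():
        parser = EmbedParser(site)
        parser.feed(html)
        for host in parser.hosts:
            served[host].add(site)
    return served

def unvetted_hubs(pages, known=KNOWN_HUBS, min_sites=2):
    """Hosts serving content to at least min_sites sites and not yet vetted."""
    hubs = [(host, sorted(sites)) for host, sites in build_graph(pages).items()
            if len(sites) >= min_sites and host not in known]
    return sorted(hubs, key=lambda h: (-len(h[1]), h[0]))

if __name__ == "__main__":
    for host, sites in unvetted_hubs(PAGES):
        print(f"{host} feeds {len(sites)} sites: {', '.join(sites)}")
```

A host surfaced this way is only a candidate for review; as the article notes, legitimate ad servers form the same hub shape.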
If a legitimate website has a new advertiser, why can't they have effective ID? If I'm selling something on eBay, they have my credit card, bank routing number and great grandmother's birthday.
Quote: "but the guy who is actually supplying the content on the page--God knows who that is." This seems lame. If their home address is Belarus or New Jersey, you know damn well they are scallywags.
flared0ne
Biggest issue to be dealt with:
"Rotating" ad presentations -- those ads which cycle through like a slide show -- are quite popular because "change" attracts the eye, catches the attention, delivers the message just that little bit more effectively. Not to mention how slide shows boost overall revenues by placing multiple advertisers...
They also create a major headache for anyone attempting to monitor the ad-server for malware -- any monitoring process claiming "due diligence" must stay focused for a minimum of (at LEAST) one slide show cycle; i.e., the malicious code may only be present in a low percentage (say, one or two out of a hundred) rotating ads; a percentage calculated to drop irate report rates below some arbitrary threshold for "take action", and offsetting those reports with "but I was just there and didn't see anything"...
AND because the sequence of ads can be dropping cookies (to track delivery, etc), the actual hidden malware presentation, tied to an otherwise normal advertisement, can be scripted to only get pulled in to strike on a second rotation, which could even be on a later visit. All for the purpose of lulling the victim into a false sense of "been here, done this, nothing to worry about", AND making detection many times more difficult.
Stormfield
Re: Biggest issue to be dealt with:
These 'ads' can be somewhat mitigated, by turning off 3rd party cookies, and certainly stopped cold with Firefox and "NoScript" add on.
Microsoft hacks of FFox should also be disabled (NET framework, Windows Presentation Foundation, Silverlight).
Any use of add-ons that empower JavaScripting should be considered as "fair game" to hackers.