Proactive IT Security
 

Insecure web servers - malware spreaders on the rise

[Malware discussion, Social engineering, Spreading mechanisms]

Week 48, 2007

Introduction

In the stone age of malicious software (malware) the main spreading mechanism was floppy disk, and big outbreaks were rare. When email emerged as the main carrier for malware the problem's magnitude multiplied, and major outbreaks became a common phenomenon.

These days there are almost no major outbreaks of malware any more. However, the threat for online users are - if anything - more severe than ever. And a new spreading vector is becoming increasingly popular among the bad girls: Malicious web sites.

Another kind of zombie

The term "zombie" is often used as a term for computers that are part of a bot network, used e.g. to participate in a Distributed Denial of Service attack (DDOS attack) or to spread spam. It is common that the owners of these computers are unaware of the fact that they are part of such an attack, as the computers are often infected by malware without the user's knowledge.

Today's malware often uses several attack vectors to spread and install other pieces of malware. One such spreading mechanism is through web servers. Previously this was not particularly popular, as the common technique then was that the culprit set up her own server and attempted to trick someone to visit that web site. This had at least three major drawbacks:

  • It is not easy to trick many users to visit a particular new web site.
  • To take a malicious server off the Internet by contacting the Internet Service Provider (ISP) is usually very fast.
  • The risk of discovery and consequently prosecution is quite high.

However, several events that are not connected have changed this situation significantly. Web servers are becoming a popular vector for spreading malware. We shall examine in more detail some of the reasons why.

Almost every person has his own web server

Computers at home have become more and more common in recent years. It has also become common that such home computers are connected to the Internet all the time through some kind of direct access (xDSL connection); often with a permanent IP address and registered domain.

The home computers are also often set up as web servers for whatever reason and made accessible from the Internet for friends, co-workers and everyone else who may be interested in the content that is provided by you and your family.

Unfortunately, it is a fact that most private individuals are not as security-aware as professionals working in IT departments. These home-based web servers are therefore often insecure and may easily be used by someone with bad intent - often without the web server owner's knowledge.

Increased focus on operating system and application vulnerabilities

The focus by the "black hat" community on vulnerabilities in operating systems and applications has increased.  There are even special markets on the Internet for buying and selling exploits and exploit code. As a consequence more variants of malicious software utilize these kinds of vulnerabilities. The importance of having fully patched computers is hard to overemphasize.

Web servers run by entities (hereby including private persons) that do not have security as a focus point, may be sucessfully targeted by malware that utilizes even old flaws in operating systems and other sotfware, if the servers are not continously patched/updated.

Firewalls usually don't block web traffic

As an ordinary web surfer you normally have no idea whether the web site you visit is a legitimate one or malicious. Most firewalls (personal and corporate) allow http (web) traffic through, and the malicious content will easily be obscured among legitimate http traffic. 

Some organizations have set up rules in such a way that only traffic from pre-defined web sites are allowed through the firewall. This would protect against being infected from an unknown web site, but has of course other obvious disadvantages.

Goodbye defacing, welcome economic crime

Some years ago defacing web sites was a popular activity among those who used the Internet to commit illegal activity. This in itself has no economic value - at most credibility by obscure groups - and as the Internet has evolved into a big arena for various kinds of criminal activity, the focus has changed from defacing, to show that this is possible, to using access to another's web server as a means for more traditional criminal activity with monetary reward as the end.

She owns your web server

Many options are available to the criminal who has access to a set of web servers around the world.

  • She can use your site as a phishing site masquerading as e.g. a bank's legitimate site. 
    The disadvantage with this setup is of course that the probability that you will see quite quickly that your web site has been altered into something totally different than you intended. 
  • She may use techniques that alter your web pages in such a way that it is not obvious to you or your visitors that your web site is changed at all. 
    This can be accomplished by inserting code in the pages that e.g. downloads malware to the visitors' computers. This malware can be downloaded from other servers in other parts of the world, unknown to you. 
  • Your web site can be used by her as a download site for malware linked to from other compromized web servers around the world. Unless you analyze your log files to check what web resources that are requested, you may not be aware of this at all.
  • Some web servers have been used in quite sophisticated ways as they are parts of a large "farm" of web servers that serve the same content. The malicious person that controls the compromized web servers may register DNS names that change IP addresses extremely often (e.g. each minute). 
    As the server that serves content changes all the time, it is difficult to map the whole structure, and take down these malware spreaders.

Who is legally responsible for web server content

The legislation that governs who is responsible for the content that resides on a web server, varies between different countries. In most cases you will probably be able to argue (successfully?) that your web server was compromized and that you should not be responsible for what others placed on your web. Proving this may be difficult though, unless you are able to provide logs that show the actual break-in.

And even if you are able to ultimately prove that you are innocent, you may experience some quite unpleasant days/weeks/months before you are able to convince the investigators (and your ISP to reconnect you to the Internet).

One interesting point of view that has some advocators is that if the owner of a compromized computer has shown "gross negligence" in protecting his computer, he may be liable even though he is not the person who performed the actual crime. If this thinking was to become the law, there are for certain quite a lot of private web server owners that are at risk of being defined as criminals...

How to protect yourself

As usual there are some quite easy steps that should be mandatory for everyone that runs a public web server from home (as a matter of fact for anyone who has a computer connected to the Internet):

  • Verify that your computer is updated with the latest security patches from your vendor of the operating system and applications. Do this continously - it is not a one-time-step, as new vulnerabilities are becoming known all the time.
  • Use antivirus software and keep this updated. An outdated antivirus application only protect against old malware (obviously!).
  • Use a firewall between your computer/network and the Internet. Only allow access to/from ports (services) that you want to let through.