malware injection faq gs

Upload: theguroid

Post on 05-Apr-2018

7/31/2019 Malware Injection FAQ GS

2010 Armorize Technologies Inc. All Rights Reserved

Web Malware Injection FAQ
Version 1.0
February 12, 2010

Web Malware Injection
Frequently Asked Questions (FAQ)

1. What is a Web application? ... 3
2. How are Web applications created? ... 3
3. What are the threats to Web applications? ... 4
4. What is a hacker? ... 4
5. Why are Web applications vulnerable to Hackers? ... 5
6. What is malware injection (Part I)? ... 5
7. What is Malware? ... 5
8. What is malicious code? ... 6
9. In a Web application context, what is injection? ... 6
10. Where is the code injected to? ... 7
11. What is drive by downloading? ... 8
12. Why was malware injection created? ... 8
13. Why does malware injection utilize legitimate websites? ... 10
14. Why should website owners care about malware Injection? ... 11
15. Why is search engine blacklisting a concern? ... 11
16. If my website is flagged by Google as malicious what is the next step? ... 12
17. Why does malware injection target Internet users? ... 13
18. Why should Internet users care about malware Injection? ... 13
19. What is social engineering? ... 13
20. What is the role of Social Engineering in malware injection? ... 14
21. What is malware injection (Part II)? ... 14
22. What are the components of malware injection? ... 15
23. How is malicious code injected into a vulnerable web page? ... 16
24. What type of malicious code is injected into the vulnerable Web application? ... 17
25. What is an iframe? ... 17
26. What is javascript? ... 17


27. What is the relevance of iframes and javascript in malware injection? ... 18
28. What does injected code look like? ... 18
29. What happens when a user requests a web page with injected code? ... 19
30. What is meant by a browser exploit? ... 20
31. What happens once the browser has been exploited? ... 20
32. What is malware injection (Part III)? ... 20
33. How do I know my website is infecting my customers with malware? ... 22
34. When manually testing for Malware injection what precautions are necessary? ... 23
35. How do I know my website has been injected? ... 24
36. Is there a general format for injected code? ... 25
37. How can I tell if my website has injected iframes? ... 25
38. How can I tell if my website has injected javascript? ... 26
39. Are there other means of malware injection besides iframes? ... 29
40. How can I tell if my website has injected objects such as flash or PDFs? ... 30
41. How do I know my database has been injected? ... 30
42. What other services might a hacker exploit for injection? ... 31
43. If my website is injected, is my web server or Operating System also compromised? ... 31
44. If a web server hosts multiple websites, are they all affected by a single injection? ... 32
45. If my website is downloading malware to users how do I mitigate? ... 32
46. If my website is downloading malware to users how do I remediate? ... 33


1. What is a Web application?

A Web application[1] is a software application that is accessed via a web browser over a network such as the Internet.

Generally speaking, Web applications provide dynamic web pages that facilitate interaction between Internet users and more complex components that drive applications such as online payment systems, social networking sites or web based email.

Web application technology has boosted online business capabilities and has entered the corporate workplace as a means of reducing the overhead associated with software installed on a per computer basis.

2. How are Web applications created?

Basic Web applications are typically created using code which the browser renders into a web page. The most typical example of this is HTML (HyperText Markup Language) used in static websites.

HTML combined with multimedia plugins and scripting functionality presents more dynamic functionality to the browser, while Web application development platforms and databases provide business logic and data storage capabilities. This enables development of complex, feature rich applications that can be delivered to end users via web browser.

Figure 1: Basic Web Application Architecture

[1] A Web application can be considered a more complex and feature rich form of the commonly used term website. Both are accessed from a web browser by an address that takes the http://www.abc.com format. However, it is assumed that a website simply presents pages with static content to a browser while a web application has higher level components for business logic processing and data storage.


No matter what technology is used to create the Web application, it is important to note that all of its features are nothing more than carefully coded statements that the browser processes and presents to the end user.

This can be demonstrated using a standard web browser such as Firefox or Internet Explorer. When viewing a web page, on the top menu, click View and Page Source (Firefox) or Source (IE) to view the actual source code from which the displayed page has been rendered. This is demonstrated in Figure 2.

Figure 2: Web Page with Source Code

3. What are the threats to Web applications?

Web applications present the corporate image to a global audience. The website is the first port of call for anyone looking to learn more about a given company. However, websites are also exposed to malicious elements who seek to use this public presence as a means of damaging corporate reputation, stealing resources, or as a point from which to launch Internet wide information system attacks.

4. What is a hacker?

The term Hacker has seen many definitions since it was coined over 40 years ago. However, the general consensus nowadays is that hackers are individuals or groups that seek to circumvent security controls in order to compromise the confidentiality, integrity and/or availability of electronic information systems.

While there are numerous hacker subclasses with varying technology focus and skill levels, the term Hacker is used exclusively throughout this document. It is also assumed that the primary targets of hackers' attention are Web applications.


5. Why are Web applications vulnerable to Hackers?

Traditionally, when software applications were deployed, they were protected not only by some form of user credentials but also through physical and network level separation from the rest of the world. However, with the advent of online business, a more mobile workforce and increased availability requirements, these applications are now hosted on Web facing servers which are reachable by anyone with a connection to the Internet.

The ubiquitous nature and constant exposure of Web applications, combined with the relative immaturity of the technology, makes them particularly vulnerable to repeated and ever evolving attacks from hackers who comfortably enjoy the anonymity that the Internet provides.

6. What is malware injection (Part I)?

Malware injection is the act of inserting or injecting malicious code into a web page so that when Internet users browse the page their computer[2] is infected with malware.

It is important to note that the ultimate target of a malware injection attack is rarely the website itself. The hacker generally wants to quietly insert code into the Web application in order to compromise every computer that browses the website. The methods used to inject code, the types of code and the actual malware categories are discussed in more detail throughout this document.

7. What is Malware?

Malware is the industry term used to generally describe malicious software, i.e., software that is designed to compromise the confidentiality, integrity or availability of computer systems.

The term Malware is broader than the better known expression Virus as it also encompasses Worms, Trojan Horses, Rootkits, Spyware, Adware, Crimeware, Robot (botnet) Clients, etc. A detailed discussion of these specific terms is beyond the scope of this document. For more information refer to Wikipedia's malware page[3].

It is assumed that malware is unwanted software that installs without the computer user's knowledge or consent and results in activities such as:

[2] Note the term Computer is used here to refer to all platforms used by an average Internet user surfing the web. This could be a desktop computer, laptop, mobile device, smartphone etc. It is distinct from a Server, which is the advanced computing platform used to host the Web application.

[3] http://en.wikipedia.org/wiki/Malware


- Degraded computer operations;
- Intrusive popup windows that may or may not solicit payment for goods and services;
- Spam email promoting unwanted products, services or activities deemed distasteful or even illegal;
- Theft of personal, financial or corporate information; or
- Installation of remote control software that allows hackers to control and monitor computer activities.

8. What is malicious code?

Web applications are built upon code that is presented to and rendered in the Web browser. What the Internet user sees when they access their favorite social networking site is simply code that has been processed by the browser to provide the text, graphics, forms, video, audio, etc. that the application developer wants presented.

However, it is possible that this code can be used to adversely affect the Web browser. If a hacker can insert his own code prior to the browser processing it, it is possible that he can control what the browser does.

Thus it can be said that malicious code in this context is Web application code that, when processed by the browser, somehow compromises or controls the browser's actions. It should be noted that this is a very general term and that the specifics of malicious code will be examined in more detail throughout this document.

9. In a Web application context, what is injection?

Many Web applications request user input through mechanisms such as online forms, checkboxes, etc. In an adequately secured Web application, there will be filters in place to ensure that data only enters through these interfaces in a format that actually matches what the application expects. For example, if the application requires numbers in the form of a birth date, it should not accept letters.

Injection is when data enters the application by bypassing security controls and alters the application's behavior in an unexpected manner.

Injection is commonly used by hackers to insert malicious code into otherwise legitimate web pages. Common injection attacks include:

- Code injection, which is the general name given to attacks where additional code is inserted into the application;
- Command injection, where the hacker inserts system commands with the aim of having the web server accept and process those commands;
- Database injection, where the hacker inserts database commands or queries so that the database processes them and returns a response.


10. Where is the code injected to?

When discussing code injection, it is important to note that there are many possible scenarios and attack methods, as follows:

Figure 3: Malicious code injection paths

(a) In this scenario, the hacker utilizes application form fields to pass unfiltered database queries to the database. He either circumvents database access controls or gains access to the passwords stored in the account database. Once he has control of the database, he can write content that is echoed back when pages are requested.

(b) The hacker exploits additional vulnerable services such as FTP or SMTP. This may be through specific vulnerabilities or through passwords obtained from hacker forums or through social engineering. This gives the hacker access to the server and thus to the application files and code.

(c) The hacker gains direct access to the server Operating System (OS) through either a vulnerable service or with stolen credentials. Once this access is gained, the hacker has direct access to the application files and code.

(d) In some cases, the hacker may be able to directly compromise the web application itself:


- If the application requires user input, the hacker may provide data that writes to a file on the local hard drive. In certain cases, it may be possible to include executable data in this input which in turn would either retrieve password data or circumvent access controls.

- Many web servers are vulnerable by default, either through vulnerabilities that require patching after installation or through default configuration and credentials. For example, many web servers come with a web based administration console. If a hacker can exploit this web application, he can control the entire web server.

- Web application files are typically stored within the OS folder structure. In certain web servers, it may be possible to execute an attack such as Path Traversal[4] to browse through the folder structure and access files outside the web application.

11. What is drive by downloading?

Malware can be downloaded to end user computers from compromised websites through a number of methods. Traditionally, some user interaction was required and people were often lured to a website and persuaded to click on a link which resulted in malware downloading and executing on their computers.

However, the term drive by downloading specifically refers to the case where no end user interaction is required. It is enough to simply visit the web page that has been injected. There is no requirement to click on any link.

The real severity of this particular type of attack is that it is entirely silent. It quietly downloads malware without the user's knowledge or consent. Generally, website owners have no idea that this attack has occurred and that their website is leading to serious compromise of their own customers' security.

For example, in 2009 a major US newspaper was compromised through an advertisement in its online edition. Internet users browsing the web page hosting the advertisement automatically and unknowingly downloaded malware without having to click on any links.

12. Why was malware injection created?

When malware first came to the fore, the impact was largely disruptive and/or embarrassing. Common impacts included automated mass emailing to all contacts in the infected computer's Outlook address book or insertion of offensive files into stored data. In extreme cases, files were deleted from infected computers, which impacted user productivity and damaged faith in information systems as a corporate tool.

[4] For more information on Path Traversal refer to the Open Web Application Security Project (OWASP): http://www.owasp.org/index.php/Testing_for_Path_Traversal


With the emergence of the Internet, hackers have focused more on Web applications, but even this has had distinct phases as outlined in Figure 4.

Figure 4: Web Application Attack Complexity vs. Goals

Initial website attacks were directed at the corporation itself, with the primary goal being prominent website defacement and the bragging rights that came with it.

As the Internet became an accepted business tool, attackers changed their focus to eCommerce websites with the intention of stealing information such as credit card numbers from corporate databases.

However, with the advent of Web 2.0, improvements in credit card protection mechanisms and an increasingly wired general population, hackers have realized that end users' PCs represent far easier targets for profit driven criminal enterprises.

Modern malware activities are typically designed to compromise information stored on Internet users' computers such as web banking credentials or email, file sharing and social network site passwords.


Attackers are generally affiliated with organized crime and have established a business model based on buying and selling malicious code or active malware with guaranteed antivirus evasion capability. There are even defined price structures for information such as credit card numbers, social networking credentials, social security numbers, etc.

13. Why does malware injection utilize legitimate websites?

Malware developers target vulnerable websites as a route for malware injection for a number of reasons.

Improved perimeter security technologies have made traditional network and system level attacks more difficult to execute. But system and network security is not the same as application security. With the advent of Web 2.0, many businesses, in a rush to develop an online presence, have failed to secure their Web applications at the code level. This has provided a new attack avenue for hackers with SQL Injection and Cross Site Scripting (XSS) capabilities.

As Web applications are accessible to both desirable (customers) and undesirable (hackers) Internet users by design, there is essentially an open channel between the untrusted Internet and corporate systems, as illustrated in Figure 5.

Figure 5: Hackers exploit vulnerable Web application through open ports


By leveraging vulnerable websites, hackers can silently download and execute malware on the computer of every user who accesses the site. Vulnerable websites expose their entire user base, and hackers now have an avenue for distributing malware to thousands or even millions of users.

As the injected website merely serves as a conduit that redirects Internet user computers to malware sites (often via multiple hop points), it is harder for forensic analysis to identify the actual malware source.

14. Why should website owners care about malware Injection?

When a vulnerable website is injected in this manner, it becomes a conduit for malware delivery to all computers browsing the site. This malware is typically designed to steal information from computers browsing the infected sites.

The corporate website represents a company's public face. If it is infecting the computers of the very people it is supposed to serve, it cannot be trusted. Without this trust, website traffic will decrease, which in turn will lead to a reduced marketing profile and lost sales opportunities.

If a website develops a reputation as a source of malware, business reputation will be severely impacted. In addition, malware injection will lead to noncompliance with standards such as PCI and may even bring legal consequences if customer confidentiality or privacy have been impacted.

In addition, if a website is downloading malware to computers browsing it, it will be flagged as malicious by search engines such as Google and may eventually be dropped from search query results.

15. Why is search engine blacklisting a concern?

With the advent of Google Safe Browsing and Google's ability to flag sites suspected of being malware sources, malware injection's impact is growing ever more immediate. If, during a Google index cycle, a website appears to be hosting malware, the site will be flagged. This means that users who access a flagged site via Google will be given an ominous warning similar to that shown in Figure 6.


Figure 6: Google Safe Browsing Flags Websites with Malware

If the website remains infected, it may eventually be dropped completely from Google's search results. Even if the malware is removed from the website immediately, the site will stay flagged for a significant time period, driving customers away. In order to remove this status, website owners must submit proof that their website is malware free. Websites flagged by Google as malicious are documented at http://www.stopbadware.org.

Given the importance of Search Engine Optimization (SEO) as a marketing tool, there is no doubt that Google flagging a website as malicious or dropping it from search results is not good for business.

16. If my website is flagged by Google as malicious what is the next step?

Once a website has been flagged as malicious by a search engine such as Google, it is critical to remove injected code in order to stop the drive by download. For details on identifying injected code refer to (28). For immediate mitigation steps as well as more thorough remediation refer to (45) and (46).

Once the injected code has been removed and it has been verified that malware is no longer being pushed to Internet user computers, it is possible to request a new website review.


Sites flagged by Google as malicious are listed at http://stopbadware.org and the instructions on requesting a review are listed at http://stopbadware.org/home/reviewinfo.

17. Why does malware injection target Internet users?

Increased publicity and awareness has made it difficult to compromise corporate resources from the Internet, but an increasingly wired general public is sharing more and more information via the Internet. These Internet users:

- Store personal, business and other sensitive data on computers connected to the Internet.
- Generally trust any website they choose to access, whether browsing directly, accessing via search engine or clicking on a link sent from a friend.
- Rely on commercial antivirus solutions for security. These are often outdated due to failure to update signatures. In addition, advances in obfuscation and packing techniques have resulted in most malware being undetectable by commercial antivirus scanners.

The result is a massive number of computers with personal/financial information live on the Internet. They are largely protected by inadequate security mechanisms and are powered by users who implicitly trust websites that are vulnerable to malicious code injection. By leveraging vulnerable websites, hackers now have an avenue for distributing malware to thousands or even millions of users.

18. Why should Internet users care about malware Injection?

When Internet users browse to a compromised website, the injected code causes hacker created content to execute in their browser along with the legitimate website content.

The hacker's ultimate goal is to force the user's computer to silently download and install malware from a site that the hacker specifies. This malware typically grants the hacker full control over the PC, including access to stored, processed or transmitted data.

The impact of malware injection is stolen information such as online banking credentials and credit card details. Theft of personal information in this manner also leads to increased incidences of email hijacking, fraudulent access to social network sites and, in many cases, full blown identity theft.

19. What is social engineering?


Social engineering revolves around persuading or manipulating people into revealing information or performing specific actions. In a computer security context, social engineering means exploiting people through deception rather than focusing on circumventing technological controls.

20. What is the role of Social Engineering in malware injection?

If Internet users can be attracted to websites containing hyped content such as celebrity sex tapes or advance movie copies, they become targets for malware injection.

In 2008, sexually explicit photos of Hong Kong movie star Edison Chen with numerous female celebrities were released on the Internet. Armorize Technologies, working with law enforcement and cyber security agencies throughout the region, quickly uncovered numerous websites that enticed Internet users with promises of the photos in question but actually subjected them to malware injection. By taking advantage of the hype surrounding the photos, hackers found a massive target base for personal data theft.

In this example, there was no requirement for user interaction. The malware download happened invisibly as soon as the browser displayed the expected page.

21. What is malware injection (Part II)?

Having reviewed some concepts critical to an understanding of malware injection, it is time to look a little deeper at how malware injection works.

Malware Injection, also known as drive by downloading, is a hacker technique designed to steal information from Internet users by forcing them to automatically download malicious software without their knowledge or consent.

More specifically, the hacker exploits fundamental Web application vulnerabilities such as poor application input filtering in order to inject a malicious iframe or javascript into the Web application.

At a very high level, the concept can be illustrated as in Figure 7. However, it should be noted that the process is actually more complex, and this is presented from the perspective of an end user who has been compromised. While the injected Web application may also be on the server hosting the malware, it is more typical for it to act merely as a conduit for malware injection by ensuring the browser processes malicious code that compromises it.


Figure 7: Basic Drive by Download Concept

22. What are the components of malware injection?

In a typical malware injection scenario, the hacker's end goal is to take control of the end user computer. At a high level and in the most typical example, malware injection requires 3 components, as follows:

Malicious code: If the website is vulnerable to injection attacks, the hacker will insert code that will be processed by any browser requesting the injected web page. This will cause the browser to request content from another website controlled by the hacker.

Exploit: The exploit is what actually takes advantage of security flaws in the end user's web browser. If the exploit is successful, the hacker will have full control of the web browser. The exploit is typically downloaded from the website that the injected code redirects the browser to.

Malware: Once the browser has been exploited, it can be instructed to carry out any action the hacker requests. Typically this includes accessing another hacker controlled website or server to download active malware.

The overall process can be summarized as follows:

- Injecting a vulnerable website with malicious code that web browsers will process;
- Using this injected code to exploit web browsers to take control of them;
- Forcing the exploited web browser to download malware to Internet users' computers; and
- Silently executing and installing this malware on end user computers.


The payload of this malware may vary, but it typically includes software that grants the hacker the ability to remotely control the computer, view video output, capture keystrokes and search through the hard disk for data such as credit card numbers and stored credentials for banking, social network and webmail sites.

Note that this list is far from exhaustive. New malware is released weekly with ever more complex behavioral characteristics and goals.

23. How is malicious code injected into a vulnerable web page?

Many Web applications request user input through form fields. That input is then processed, with the results relayed back to the end user.

Web application developers should ensure that data is processed in accordance with the application's business rules and that server, application or database commands are not supplied to the application through this avenue. This requires filtering application input to ensure that only data deemed valid in accordance with the application's expectations is accepted. For example, if the application expects numeric data from an input field, then any other type of data should either generate a request for properly formatted data, be replaced with default data or be ignored.

However, many Web applications are developed without these controls in place. It is common for poorly secured Web applications to accept commands through form fields which are then passed to the other backend systems powering the applications, such as the web server, server operating system or database, for processing.

With suitably crafted commands passing through the web form to the core application, server or database, a hacker can freely inject the content required for successful malware injection. Typical injection attacks include the following:

- Argument Injection or Modification
- Blind SQL Injection
- Blind XPath Injection
- Code Injection
- Command Injection
- Direct Static Code Injection
- Format string attack
- Full Path Disclosure
- LDAP injection
- Parameter Delimiter
- Server-Side Includes (SSI) Injection
- Special Element Injection
- Web Parameter Tampering
- XPATH Injection

For more information on Injection attacks refer to the Open Web Application Security Project (OWASP) at http://www.owasp.org/index.php/Category:Injection
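An added example (not the FAQ's own code) of the input-filtering rule above: each form field gets an allow-list pattern, an invalid value in a field that has a default is replaced, other invalid values are reported so the user can be asked for properly formatted data, unexpected fields are ignored, and the database lookup binds the value as a parameter. The field names, the quantity default and the SQLite product table are assumptions.

```python
"""Input filtering as described in FAQ question 23.  Added example: the field
names, the default quantity and the SQLite product table are assumptions."""
import re
import sqlite3

# Allow-list: each form field declares exactly what "valid" means for it.
FIELD_RULES = {
    "product_id": re.compile(r"[0-9]{1,9}"),          # numeric only
    "quantity":   re.compile(r"[1-9][0-9]{0,2}"),      # 1..999
    "search":     re.compile(r"[A-Za-z0-9 ]{1,40}"),   # no quotes, no angle brackets
}
# Fields whose invalid input is replaced with default data rather than rejected.
DEFAULTS = {"quantity": "1"}


def validate(form):
    """Apply the FAQ's rule: invalid input is either replaced with a default,
    or reported so the user can be asked for properly formatted data.
    Fields the application does not expect are ignored entirely.
    Returns (accepted, errors)."""
    accepted, errors = {}, {}
    for name, rule in FIELD_RULES.items():
        value = form.get(name)
        if value is not None and rule.fullmatch(value):
            accepted[name] = value
        elif name in DEFAULTS:
            accepted[name] = DEFAULTS[name]
        else:
            errors[name] = "expected input matching " + rule.pattern
    return accepted, errors


def lookup_product(conn, product_id):
    """Bound parameter: the value is handed to the database as data, so it is
    never parsed as SQL even if validation were somehow bypassed."""
    row = conn.execute("SELECT name FROM products WHERE id = ?",
                       (int(product_id),)).fetchone()
    return row[0] if row else None


def demo_db():
    """In-memory product table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(7, "widget"), (8, "gadget")])
    return conn


if __name__ == "__main__":
    # Constructed submissions: one clean, one carrying injection attempts.
    clean = {"product_id": "7", "quantity": "2", "search": "blue widget"}
    hostile = {"product_id": "7 OR 1=1", "quantity": "abc",
               "search": "<iframe src=http://www.example.com/page_with_malware.htm>",
               "debug": "1"}
    print(validate(clean))
    print(validate(hostile))
    accepted, _ = validate(clean)
    print(lookup_product(demo_db(), accepted["product_id"]))
```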


24. What type of malicious code is injected into the vulnerable Web application?

In the most common example, the hacker injects code into the Web application that is rendered in the web browser.

The hacker's goal is to have the browser process his code without either the web application administrator's or end user's knowledge or consent. This is commonly achieved through injection of malicious content such as:

- Iframes
- Javascript
- Objects
- Database queries or commands

25. What is an iframe?

An inline frame, or iframe, causes an HTML document from an external domain to render inside a requested web page.

Iframe syntax utilizes the HTML <iframe> tag and allows specification of a number of parameters such as:

- Actual website from which iframe content is retrieved
- Position of the iframe within the overall web page
- Display dimensions, which can be set to zero
- Display status, which can be set to none

Therefore it is possible to use an iframe to embed content from a 3rd-party website and have it render invisibly in the web browser when an otherwise legitimate web page is requested. A typical iframe is shown below. If this was inserted into a corporate home page, content from page.html would render when the home page was opened in the browser.

26. What is javascript?


JavaScript is a scripting language that is interpreted by Web browsers. It allows Web application developers to control and augment browser functionality and to add dynamic features that cannot easily be achieved through HTML.

Typically javascript functionality includes visual effects, form field validation and the dynamic creation of event dialogs and new windows. It is also possible to use javascript to dynamically create iframes. This would make the iframe more difficult to find through rudimentary visual inspection.

27. What is the relevance of iframes and javascript in malware injection?

In malware injection scenarios, hackers take advantage of vulnerable Web applications to inject malicious iframes into otherwise legitimate and typically popular web pages. The injected iframe will either use standard HTML syntax or can be in the form of javascript which will dynamically create the iframe when the page is displayed in the browser.

Whatever the injection method, the goal is the same. The iframe causes a 3rd-party web page to render inside the requested web page. This is used to call up an external exploit designed to compromise the web browser that requests that page.

28. What does injected code look like?

The most basic form of injected code is a malicious iframe such as:

If this iframe is present in the HTML of a requested web page it would cause content from http://www.example.com/page_with_malware.htm to render in an invisible 1 pixel x 1 pixel window.

However, typically when hackers inject an iframe into a website they may disguise the code by making it look like something else. For example, the injected iframe code can be scrambled or encoded so that visually it looks nothing like the original syntax but acts as normal when executed as a web page.

Note that this does not protect or encrypt HTML code but simply serves to hide it from someone looking for an iframe. For example, the iframe referenced earlier can be converted to a JavaScript Unicode string using a freely available encoding tool [5]. The process of disguising code through scrambling or encoding is generically referred to as obfuscation.

[5] http://www.auditmypc.com/html-encoder.asp


29. What happens when a user requests a web page with injected code?

In the above example, when an Internet user browses to the injected web page, the javascript dynamically generates an iframe. This causes malicious content from a website controlled by the hacker to execute inside the requested (and presumed legitimate) web page.

This hacker-controlled website is often referred to as the Hop Point and contains the actual attack directed at the Web browser. The malware injection process is described in more detail in Figure 8.

In the case of an exploit that is loaded from the Hop Point through the iframe, the target is typically the web browser itself. In one common example, the exploit engages in a particular attack called Heap Spraying [6], which results in installation of a specific set of instructions that the browser executes.

[6] A discussion of Heap Spray attack is beyond the scope of this document. Refer to http://en.wikipedia.org/wiki/Heap_spraying for more information.


30. What is meant by a browser exploit?

The initial goal of the injected iframe is to render content from a website controlled by the hacker inside the requested web page.

The iframe content typically contains a web browser exploit, i.e., code that exploits software flaws in a web browser in order to force it to do something unexpected such as crashing or reading/writing data on the local hard drive.

Appropriately crafted exploit code will cause the browser to fall under control of the hacker. It will then accept commands embedded in the exploit and will carry out tasks assigned to it by those commands.

Alternatively, the exploit may be specific to any number of browser extensions such as those that support PDF, Flash, etc. In either case, the goal is to take control of the browser, forcing it to perform tasks specified by the hacker.

31. What happens once the browser has been exploited?

The primary goal of the exploit is to force the web browser to connect to a malicious site in order to download malware such as remote control utilities and backdoors, as well as programs that automatically crawl the hard disk in search of information such as credit card details or bank accounts.

32. What is malware injection (Part III)?

Now we have reviewed basic and intermediate concepts, we can look in more detail at the malware injection process. A typical malware injection scenario is illustrated in Figure 8.


Figure 8: Malware Injection Process Flow

Step 1: Malicious iframe injection

The hacker takes advantage of Web application vulnerabilities to inject a malicious iframe into one or more web pages. The injection is typically either in HTML code or in javascript that dynamically generates the iframe when the browser requests the web page. In addition, the injected code is usually scrambled or encoded to make it more difficult to discover by both automated and manual inspection.

Step 2: Browser exploit placed on Hop Point


In parallel to step 1, the hacker places the exploit code that will attack the browser on the Hop Point website. The injected code in step 1 causes this web page to render in the requested web page.

Step 3: Malware placement

In parallel to step 1 and step 2, the hacker places malware on a server under his control. This malware contains the utilities that will be silently downloaded to the computer of every user that browses the injected website in Step 1.

Step 4: Legitimate Web application access

Internet users browse the injected website and request the page that has been injected with a malicious iframe.

Step 5: Malicious iframe execution

When Internet users request the compromised web page, the iframe renders content from the Hop Point. This page contains the exploit code that directly targets the browser or takes advantage of vulnerable browser extensions such as a PDF reader.

Step 6: Exploit

The exploit code from the Hop Point web page is executed in the Web browser via the injected iframe. In one example, the exploit code utilizes the Heap Spray [7] attack to take control of the browser. Once the exploit has taken control of the browser, it provides a set of instructions for the browser to execute.

Step 7: Malware request

The exploited browser executes commands issued to it in the exploit code. This includes requesting the malware from a server specified by the hacker.

Step 8: Malware download

The browser silently downloads the malware, which is written to disk and executed.

[7] A discussion of Heap Spray attack is beyond the scope of this document. Refer to http://en.wikipedia.org/wiki/Heap_spraying for more information.

33. How do I know my website is infecting my customers with malware?

Antivirus is not adequate


Poorly written malware will set off antivirus alarms on end user PCs accessing the injected website. While this is embarrassing and damages the corporate reputation, ultimately it will not compromise those clients who have enabled and properly configured their basic desktop security mechanisms.

However, the vast majority of malware is crafted using obfuscation, encoding and packing techniques that make it invisible to even the most up-to-date AV. When dealing with this type of malware, signature-based detection is largely ineffective.

Google Safe Browsing API is not adequate

Malware injection causes Internet users to download and execute malware without their knowledge or consent. Without active malware injection monitoring, business owners will only be aware that their website is initiating drive-by downloads when it is flagged by search engines (such as Google) as a source of malware. Once this happens, business reputation will be severely damaged and website traffic will decrease, driving down business revenue and marketing profile.

There are technologies that consolidate malware threat feeds and signatures from Google's malware samples. However, as they are largely reliant on Google's Safe Browsing Index, they will rarely alert businesses in time to prevent Google flagging.

Behavioral analysis detects malware injection immediately

The ideal solution is an active malware injection monitoring service such as HackAlert. This behavioral analysis solution scans the website continuously, generating HTTP requests and analyzing HTTP responses for parameters that exhibit potential malicious behavior such as obfuscated redirection to 3rd-party websites or active malware downloads. For more information on HackAlert refer to the HackAlert FAQ.

34. When manually testing for malware injection, what precautions are necessary?

It is important to remember that simply browsing an infected site is enough to compromise a PC. If manual verification is required, a number of safeguards are recommended.

Log on as a non-privileged user

Much of the malware circulating on the Internet requires local administrator rights to run. Simply browsing the Internet while logged on as a non-privileged regular user account can limit the impact of malware. For example, malware running in the context of admin can do the following:

- Install kernel mode rootkits and/or key loggers (very difficult or impossible to detect)


- Install and start services
- Install ActiveX controls, IE and shell add-ins (common with spyware and adware)
- Access data belonging to other users
- Cause code to run whenever anybody else logs on
- Capture passwords entered into the Ctrl-Alt-Del logon dialog
- Replace OS and other program files with trojan horses
- Access sensitive account information, including account info for domain accounts
- Disable/uninstall antivirus
- Cover its tracks in the event log
- Render the machine unbootable

Use Virtual Machines

Instead of browsing the website from the OS, install software such as VMware to create a hardened OS image accessed with non-privileged account credentials. As an added security measure, configure this VM to automatically reset after each use.

Third party tools

Instead of browsing directly to a website, use 3rd-party tools such as:

- cURL: command-line tool, writes source code to screen or file output
- WGET: command-line website crawler, writes to file (http://daniel.haxx.se/docs/curl-vs-wget.html)

Secure the browser

Set browser security to high to prevent unwanted javascripts from running. Note that this is not going to prevent exploits in downloaded PDFs from running, though.

Use Firefox with NoScript (https://addons.mozilla.org/en-US/firefox/addon/722) to only run scripts from sites that have been manually added to a whitelist.

35. How do I know my website has been injected?

In a typical malware injection scenario, a hacker will take advantage of a vulnerable website to inject some form of malicious content that will exploit the web browser when the page is displayed. If a web page is suspected to have been injected, it will be necessary to examine the application code and web server for evidence of:

- Injected iframes
- Injected javascript
- Injected objects such as Flash, PDF


- Database injection
- Compromise of other services such as FTP

36. Is there a general format for injected code?

In general, injected Web application code (iframes or javascript) will take a format similar to:

[obfuscated javascript that contains eval(xyz);]

37. How can I tell if my website has injected iframes?

There may be a need for iframes in the application, so in manual inspection it is up to the application owner to distinguish the legitimate code from injected. Automated tools such as Armorize HackAlert enable this, but even with manual inspection there are some telltale signs to look for. Refer to the previously discussed iframe, which is shown again below.

In particular, references to 3rd-party websites and obvious efforts to hide it (dimensions set to zero, visibility set to hidden) would indicate injection. This iframe would typically be disguised (or obfuscated) using one of a number of freely available encoding tools [8] to yield the following:

[8] http://www.auditmypc.com/html-encoder.asp


38. How can I tell if my website has injected javascript?

In its simplest form, injected javascript will show up between <script> tags as:

However, it is far more likely that javascript will be encoded or somehow obfuscated to make it less noticeable to either human or automated detection:

[obfuscated javascript that contains eval(xyz);]

For example, the following code snippet is a piece of drive-by download code that exploits MS06-067, a known Microsoft Internet Explorer vulnerability:


This appears as malicious to automated mechanisms as well as humans. However, if we run this code through an encoding utility such as Dean Edwards' javascript compressor [9], we get the results below.

[9] http://dean.edwards.name/packer/


The eval() is what is carrying the malicious code, and the payload is what's contained inside the eval() function. The eval() is suspicious, as are the variable names that have been renamed and the inclusion of "shellcode".

In reality, the hacker would run his code through a number of similar utilities to ensure that it was undetectable by both human inspection and by signature-based malware detection tools.

As a rule, when it comes to assessing malicious javascript injection it is necessary to:

- Ensure all clear-text javascript is legitimate and is there by design


- Question and examine ALL scrambled, encoded or obfuscated code to determine why it is there and why it has been obfuscated.
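An added example (not code from the Armorize FAQ) that applies the checks from questions 28, 37 and 38 to a constructed page: it parses an HTML response, flags iframes with zero or 1-pixel dimensions, hidden styling or a 3rd-party src, and flags script blocks carrying eval/unescape/document.write calls, the packer prologue, a "shellcode" string, or escaped text that decodes to an iframe. The site host name, the thresholds and the sample page are assumptions.

```python
"""Scanner for the injection signs in FAQ questions 28, 37 and 38.
Added example; the site host, thresholds and SAMPLE_PAGE are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

PACKER_SIG = "eval(function(p,a,c,k,e,d)"  # prologue emitted by Dean Edwards' packer
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
JS_ESCAPES = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")


def decode_js_escapes(text):
    """Undo \\uXXXX, \\xXX and %XX encoding so hidden markup becomes readable."""
    text = JS_ESCAPES.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)
    return unquote(text)


def third_party(src, site_host):
    """True when src names a host other than the site being scanned."""
    host = urlparse(src).hostname
    return bool(host) and host.lower() != site_host.lower()


class InjectionScanner(HTMLParser):
    """Collects one finding string per suspicious iframe or script block."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src") and third_party(a["src"], self.site_host):
                self.findings.append("script: third-party src " + a["src"])
        elif tag == "iframe":
            reasons = []
            dims = (a.get("width", ""), a.get("height", ""))
            # The FAQ's telltales: 0 or 1 pixel dimensions, hidden styling,
            # content pulled from another domain.
            if any(d.strip().rstrip("px") in ("0", "1") for d in dims):
                reasons.append("zero/1-pixel dimensions")
            style = a.get("style", "").replace(" ", "").lower()
            if "visibility:hidden" in style or "display:none" in style:
                reasons.append("hidden by style")
            if third_party(a.get("src", ""), self.site_host):
                reasons.append("third-party src " + a["src"])
            if reasons:
                self.findings.append("iframe: " + ", ".join(reasons))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        reasons = []
        if PACKER_SIG in data.replace(" ", ""):
            reasons.append("packer signature")
        calls = sorted(set(SUSPICIOUS_CALLS.findall(data)))
        if calls:
            reasons.append("suspicious calls " + "/".join(calls))
        if "shellcode" in data.lower():
            reasons.append('"shellcode" string')
        decoded = decode_js_escapes(data)
        if "<iframe" in decoded.lower() and "<iframe" not in data.lower():
            reasons.append("escaped text decodes to an iframe")
        if reasons:
            self.findings.append("script: " + ", ".join(reasons))


def scan_html(html, site_host):
    """Return the findings for one HTML response body served by site_host."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one legitimate iframe, one hidden 3rd-party iframe, and
# a script that writes a further iframe from a %XX-encoded string.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/help/contact.html" width="400" height="300"></iframe>
<iframe src="http://www.example.com/page_with_malware.htm" width=1 height=1
        style="visibility: hidden"></iframe>
<script>
document.write(unescape("%3Ciframe src=%22http://www.example.com/page_with_malware.htm%22 width=0 height=0%3E%3C/iframe%3E"));
</script>
<script src="/js/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "www.corp.example"):
        print(finding)
```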

39. Are there other means of malware injection besides iframes?

Malware is an ever-evolving technology. Changes in attack goals and technology improvements have resulted in many iterations and variations from typical attack methods. In some cases the malware injection may not rely on iframes at all:

Malware placed directly on compromised web server

Earlier examples discussed the situation where a web server is compromised with the intent of forcing the browser to download malware from a website other than the one hosting the compromised application. In this case, some form of redirection is required.

However, if the server hosting the compromised Web application also hosts the browser exploit and the active malware download, then there will be no need for the hacker to redirect the browser and therefore there is no need for an iframe.

Malicious code inside an embedded object

Recent trends [10] indicate that instead of injecting malicious code into the HTML itself, hackers are injecting objects such as PDF documents or Flash animations with the malicious code inside them. The objects are embedded using the <object> or <embed> tags and thus require no iframe. When the browser requests the web page with the malicious object, the browser extension for that object (PDF reader, Flash player, media player) processes the malicious code and is exploited.

Malicious code injected into the database

It is possible to inject malicious code right into the database by inserting commands or queries in user input form fields. It may be possible to exploit poor application input filtering and thus interact directly with the database. Once this is achieved, database credentials can be retrieved or database output can be modified so as to redirect all browsers querying the database to a website of the hacker's choosing. Again, if the redirection is dynamically specified in database output, there may not be any evidence in the web page code itself.

[10] Adobe Reader Zero-Day Exploit, Dec 2009, http://www.pcworld.com/businesscenter/article/184704/adobe_reader_zeroday_exploit_protecting_your_pc.html


40. How can I tell if my website has injected objects such as Flash or PDFs?

Objects such as PDFs, images, iframes, etc. can be embedded in the HTML code using the appropriate embedding tag, as follows:

In addition, Flash animation will also rely on the <object> or <embed> tags.

Hackers can embed code in these components to compromise the browser extensions that handle them. If the objects themselves are malicious, examination of the HTML code will not reveal anything other than the presence of the object. Without attack signatures from the plugin vendors, it may be difficult to identify these components as malicious. In this case it is recommended to question all tags related to object embedding to ensure that they are legitimate.

41. How do I know my database has been injected?

Web applications rely heavily on databases. They are often referred to as being dynamic due to the fact that much of what is displayed in the browser is not a result of the web code itself but is instead dynamically generated by the database in response to user input.

If a hacker has managed to successfully inject commands directly into the database, they may be able to control it and thus govern what is returned to web browsers. This may include iframes or other malicious content that seeks to exploit the browser.

In some cases, there may be little evidence in the source code. A more effective strategy at this stage is to analyze the HTTP logs with a specific focus on the application form fields. In this way it may be possible to isolate SQL query syntax that passed through the form fields.

Queries with parameters that will always be true are general indicators of SQL injection attempts, as in the example shown below.

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

For more information on general SQL injection testing steps refer to OWASP's SQL Injection testing guide [11].

[11] Testing for SQL Injection (OWASP-DV-005), http://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OWASP-DV-005%29
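As an added example (not from the FAQ) of the HTTP log review described in question 41, the following parses constructed Apache-style access log lines, URL-decodes each query-string field and flags values that carry an always-true OR condition such as the '1' = '1' pattern above, or a quote followed by a SQL comment. It covers only GET query strings; POST bodies would need the application's own request logging.

```python
"""Review of HTTP access logs for SQL injection attempts in form fields
(FAQ question 41).  Added example; the log lines are constructed and the
Apache combined-log layout is an assumption about the server."""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# OR <x> = <x>, with the quotes the attacker uses to close the application's
# own string literal; the trailing quote is optional because the application
# supplies it (compare the FAQ's Username='1' OR '1' = '1' example).
TAUTOLOGY = re.compile(
    r"""\bOR\s+['"]?(?P<lhs>\w+)['"]?\s*=\s*['"]?(?P<rhs>\w+)['"]?""", re.IGNORECASE)
QUOTE_THEN_COMMENT = re.compile(r"""['"]\s*(--|/\*)""")


def is_tautology(value):
    """True if the value contains an OR condition comparing a term to itself."""
    return any(m.group("lhs").lower() == m.group("rhs").lower()
               for m in TAUTOLOGY.finditer(value))


def suspicious_params(target):
    """Return [(field, decoded_value)] for query-string fields that look like
    SQL injection. parse_qsl undoes the %XX and '+' encoding for us."""
    hits = []
    for field, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if is_tautology(value) or QUOTE_THEN_COMMENT.search(value):
            hits.append((field, value))
    return hits


def scan_log(lines):
    """One report per request whose form fields carried injection syntax."""
    reports = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue   # not a request line in the expected layout; skip it
        hits = suspicious_params(m.group("target"))
        if hits:
            reports.append({"ip": m.group("ip"), "time": m.group("time"),
                            "status": m.group("status"), "params": hits})
    return reports


# Constructed log lines: a normal login, the FAQ's tautology against the
# login form, a comment-terminated probe, and a harmless search term.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2010:10:01:02 +0000] "GET /login.php?user=alice&pass=secret HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Feb/2010:10:01:07 +0000] "GET /login.php?user=1%27+OR+%271%27+%3D+%271&pass=x HTTP/1.1" 200 2048',
    '203.0.113.9 - - [12/Feb/2010:10:01:09 +0000] "GET /search.php?q=widget%27+OR+1%3D1--+ HTTP/1.1" 500 0',
    '198.51.100.7 - - [12/Feb/2010:10:02:00 +0000] "GET /search.php?q=blue+or+red HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for report in scan_log(SAMPLE_LOG):
        print(report["time"], report["ip"], report["status"], report["params"])
```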


42. What other services might a hacker exploit for injection?

There are numerous injection paths besides the Web application and the database.

Web Server

If the Web server itself is vulnerable, the hacker may be able to gain access to it in order to control it. For example, if the server configuration has not been changed from the defaults, the hacker may be able to access the administration website via known passwords. Alternatively, if the website has not been patched against attacks such as path traversal, the hacker may be able to navigate from the website to the server file system.

Other Services

If other services such as FTP, SMTP, etc. are running on the server, it may be possible to gain elevated privilege through an associated vulnerability or commonly known password. For example, it is very common for hackers to share FTP passwords for hosting servers. These passwords are typically supplied to website owners to facilitate content uploads, but they are rarely changed and eventually leak out.

Operating System

If the operating system itself is vulnerable, a hacker may be able to inject OS-level commands via the website or another running service. There are many Trojan applications that are specifically designed to trawl infected computer hard drives looking for passwords that can be used to exploit servers in the same domain. For example, if a Trojan is placed on a workstation in the company.com domain, it will report back all passwords stored on that computer. Once the writer of the Trojan gets these, he will attempt to use them to break into public-facing servers. If the infected computer belonged to an administrator, it is highly likely that there will be some valuable passwords stored.

43. If my website is injected, is my web server or Operating System also compromised?

Malware injection takes advantage of vulnerable web applications to inject code that exploits and controls web browsers accessing the application. In a typical scenario, both the browser exploit and the malware itself reside on servers other than the one hosting the website. This is illustrated in Figure 8.

Therefore, malicious code injected into a single website does not necessarily indicate a compromise of the web server itself. It is important to note, however, that if the website is vulnerable to injection it may be possible for a hacker to leverage this to inject database or operating system commands which may result in total server compromise.


This leads to the other malware injection scenario, where the browser exploit and malware reside on the server hosting the website. In this case, the hacker does not use any iframes or javascript but instead ensures that browsers accessing the website are compromised directly.

This is a less common scenario, as websites hosting and serving up actual live malware are much easier to find than simple iframes.

44. If a web server hosts multiple websites, are they all affected by a single injection?

Malware injection takes advantage of vulnerable web applications to inject code that exploits and controls web browsers accessing the application. In a typical scenario, both the browser exploit and the malware itself reside on servers other than the one hosting the website. This is illustrated in Figure 8.

Therefore, malicious code injected into a single website does not necessarily indicate a compromise of all the websites hosted on the server. It is important to note, however, that if the website is vulnerable to injection and if the attacker gained entry via the OS or other services that are vulnerable, it is highly likely that they can compromise the other websites on the server as well.

45. If my website is downloading malware to users, how do I mitigate?

It is critical to stop the drive-by download as soon as possible in order to protect clients and to ensure that the website is not flagged as malicious by search engines such as Google [12]. However, mitigation only addresses the immediate problem. It does not deal with the root cause.

Code Identification

In order to remove the injected code, it will be necessary to examine the web page for syntax such as:

[obfuscated javascript that contains eval(xyz);]

It is also necessary to review all javascript statements to determine:

- Whether they are legitimate or have been injected by a hacker

[12] Note that immediate mitigation steps may have the effect of destroying evidence which could be of use in subsequent investigation.


- Why they are scrambled, encoded or obfuscated
- What the syntax is once they are decoded
- Whether the actual decoded javascript calls up an iframe or redirects to a 3rd-party website

If the javascript code is not a legitimate part of the application, then it must be removed.

It is also necessary to examine embedded objects (using the <object> and <embed> tags) such as Flash, PDF and images. It is possible for hackers to embed code in these components to compromise the browser extension that handles them. In general, it is recommended to review all objects to be sure they serve a legitimate function.

Remove injected code

Removing injected code from the compromised web page will provide instant mitigation but will not resolve the underlying issue. This is because the vulnerability that allowed injection in the first place (most likely resulting from failure to filter application input or output) will continue to exist. This means that the hacker is free to come back to carry out injection again. For more information on root cause remediation see question 46.

Restore from backup

If the injected code cannot be identified and there is a known good backup of the web application source code, then the application can be reinstalled. However, if the restored application has the same vulnerabilities, it is only a matter of time before the injection happens again.

Removal through egress filtering

It is also possible to enable automated removal of malicious elements from outbound HTTP responses. This will require integration between the malware detection process and perimeter egress controls working at the application layer.

If the actual exploit code being downloaded to web browsers can be identified, it may be possible to utilize the outbound HTTP (response) analysis capabilities of the web server or the Web Application Firewall (WAF) to filter out traffic with those patterns. For example, Armorize HackAlert supports a web server plugin that receives HackAlert notifications and automatically filters malicious elements out of HTTP responses in real time.

46. If my website is downloading malware to users, how do I remediate?


Shifting security focus to Web applications does not mean that tried and trusted security mechanisms should be cast aside. Practices such as OS and Web server patching as well as network access controls and firewalls continue to be critical security steps.

However, with the fundamental open channel (reference Figure 5) that exists between the public-facing website and the Internet, additional protection higher in the protocol stack is required. In order to secure the website it is necessary to:

Secure the Web application itself

Secure coding and development practices will ensure that Web application security is implemented from the outset. Typically a great deal can be achieved by ensuring appropriate input and output filtering. This will ensure that no unexpected or malicious parameters are passed to the Web application or back to the users. However, while fairly simple to implement during development, in a large code base the location of all potential entry points requiring such filtering is best achieved by an automated source code analysis or software verification tool such as Armorize CodeSecure.

Black box testing

Also known as penetration testing or vulnerability assessment, this testing technique is used to emulate hacker activity on the running application. Implemented through specialized scanning software or as manual testing, the goal is to locate application entry points vulnerable to the sort of attacks that would allow injection.

Block attacks in inbound HTTP requests

Web Application Firewalls (WAF) such as Armorize SmartWAF will inspect inbound HTTP traffic to ensure that there are no attacks embedded in HTTP requests. Note that with the dynamic and evolving nature of attacks, simply blacklisting potential attack patterns may not be very effective.

Monitor and filter outbound HTTP responses

If a website is injected, the most obvious indicator is malware drive-by downloads present in the HTTP response traffic. Armorize HackAlert monitors outbound HTTP traffic to ensure that there are no malicious elements that would signify drive-by downloading. Additionally, HackAlert will work with its web server module to ensure that malicious elements are automatically removed from HTTP responses in real time.