Recent reporting indicates that malicious hackers are turning away from typical attack vectors such as infected e-mail attachments. Instead, attackers are increasingly relying on the ‘drive-by download’ as a method of exploit delivery.
According to research recently published by Google, approximately one in 10 websites contained ‘drive-by downloads.’ Drive-by downloads are malicious programs designed to exploit vulnerabilities in the user’s web browser and commandeer the exposed computer for inclusion in a botnet – a network of compromised personal computers used for key-logging, data theft, spam, and click-fraud.
There are two main reasons why cyber criminals have increasingly turned to drive-by downloads as a vector of attack.
• As users have become more adept at recognizing infected e-mail attachments, the traditional route of infection, cyber criminals have turned to drive-by downloads as a route to continue disseminating malicious programs.
• The expansion of Web 2.0 in the form of user-driven communities such as social networking sites, blogs, and wikis allows for increased user-generated content, and therefore increases the possibility that malicious users can utilize otherwise legitimate websites to surreptitiously install drive-by downloads onto unsuspecting users’ computers.
According to Finjan, a software security vendor, “Web 2.0 platforms enable anyone to upload content; these sites are easily susceptible to hackers wishing to upload malicious content. Once the malicious content has been uploaded, innocent visitors to these sites can also be infected, and the site owners could be potentially responsible for damages incurred.” As such, many cyber security experts believe that by the middle of 2008 drive-by downloads will surpass e-mail as a vector of attack.
Example Attacks
A recent Web 2.0 worm that exploited a feature of Quicktime and spread via MySpace is an example of this new generation of threats. The worm in question, labeled JS/Quickspace.A by F-Secure, exploits a feature of Quicktime that allows Quicktime media files to execute JavaScript functions. Once executed, the JavaScript worm modified the infected user’s MySpace page and included links to a phishing website designed to steal personal information. In addition, the worm posted further links to the original infected Quicktime media file on the infected user’s MySpace page in an attempt to spread the worm to other MySpace users.
Web 2.0 attacks need not be as complex as the one described above. A far simpler attack may involve a malicious user posting a comment to a popular blog with a link to a site containing drive-by downloads. The attacker can then simply lie in wait for unsuspecting visitors to the ‘trusted’ blog to click on the infected link in the comments section.
These attacks are especially difficult to guard against because Internet users typically bestow a level of trust on popular and well-known sites like MySpace and other well-known online brands, and are therefore more willing to click on links posted to these sites.
Old Wine in New Bottles
While malicious hackers have updated their tactics and made use of Web 2.0 as a vector for attack, it is important to note that for the most part they have not changed their goals. The overwhelming goal of most Web 2.0 attacks is still the infection and hijacking of networked personal computers.
Simply stated, malicious hackers are still interested in creating and maintaining as many compromised computers, or bots, as possible. Botnets have become the Swiss Army knife of the malicious hacker, who uses this network of hijacked computers to steal identities, steal data, send out spam, engage in click-fraud, and execute denial-of-service attacks.