Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, August 20, 2008

Hidden Malware in Popular Sites

The prevalence of hidden malware in popular websites continues to increase. Attackers are injecting scripts into popular web sites; these scripts make dynamic download requests to malware stored on separate hosts, and the payload often uses a custom encryption wrapper to try to avoid proxy and gateway detection.

These advanced attacks have led many proxy and gateway vendors to build large honey grids (such as WebPulse by Blue Coat Systems) that run multiple threat detection engines on clients within a cloud service.

This provides several key benefits for malware host blocking on platforms using existing URL databases. First, the cloud service off-loads threat detection processing from the web gateway; second, it uses clients within the cloud, so attacks uncloak themselves for detection; and finally, the cloud service uses multiple threat detection engines (Blue Coat claims to use as many as 10), whereas a web gateway has one threat detection engine, or in many cases none.

A great example of the effectiveness of this honey grid came during some recent attacks against the UN website and some UK websites, which ended up affecting thousands of websites. Those using a Blue Coat proxy were protected: the Blue Coat solution required only two entries in its WebFilter, both detected by WebPulse (one malware source three weeks before the attack, the second several days before the attack). This allowed users to visit popular sites that less sophisticated gateways over-blocked because of the script injections (they identified the main site as the infected site), while Blue Coat's embedded URL blocking made sure the true malware download sources were transparently blocked for the users.
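To illustrate the difference between the two gateway behaviours described above, here is an added Python example (not part of the original post, and not Blue Coat's code): a site-level policy that blocks the whole page once an injected script points at a listed host, beside an embedded-URL policy that serves the page and blocks only the request to that host. The page, the host names and the blocklist are constructed for the example.

```python
"""Site-level blocking vs. embedded-URL blocking on a page with an injected script."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed blocklist: hosts confirmed to serve the payload (WebFilter-style entries).
MALWARE_HOSTS = {"cdn-stats.example.net", "js-counter.example.org"}


class ScriptSrcCollector(HTMLParser):
    """Collect the absolute URL of every <script src=...> found in a page body."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    # Resolve relative paths against the page URL so hosts compare cleanly.
                    self.srcs.append(urljoin(self.base_url, value))


def script_urls(page_url, html):
    parser = ScriptSrcCollector(page_url)
    parser.feed(html)
    return parser.srcs


def external_script_hosts(page_url, html):
    """Hosts of scripts pulled from somewhere other than the page's own host."""
    page_host = urlparse(page_url).hostname
    hosts = {urlparse(u).hostname for u in script_urls(page_url, html)}
    return hosts - {page_host}


def site_level_policy(page_url, html):
    """Less sophisticated gateway: the whole page is blocked if it references a listed host."""
    return "block" if external_script_hosts(page_url, html) & MALWARE_HOSTS else "allow"


def embedded_url_policy(page_url, html):
    """Embedded-URL blocking: the page is served; only requests to listed hosts are blocked."""
    decisions = {page_url: "allow"}
    for url in script_urls(page_url, html):
        decisions[url] = "block" if urlparse(url).hostname in MALWARE_HOSTS else "allow"
    return decisions


# Constructed sample: a legitimate site script plus one injected script on a separate host.
PAGE_URL = "http://news.example.com/index.html"
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn-stats.example.net/c.js"></script>
</head><body>headline</body></html>"""
```

With the sample page, the site-level policy returns "block" for the whole news page, while the embedded-URL policy allows the page and its own script and blocks only the request to cdn-stats.example.net.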

Interestingly enough, URL filtering has become an important first layer of malware defense against these hidden malware attacks. Reputation, while interesting, would not have made any difference for these popular sites that had embedded malware.
