Comments on: Distributing Malware Through Trusted Websites http://www.veracode.com/blog/2008/09/distributing-malware-through-trusted-websites/ Application security testing, analysis, and metrics Wed, 07 Jan 2009 02:16:24 +0000 http://wordpress.org/?v=2.6.5 By: kurt wismer http://www.veracode.com/blog/2008/09/distributing-malware-through-trusted-websites/#comment-2066 kurt wismer Wed, 17 Sep 2008 15:21:23 +0000 http://www.veracode.com/blog/?p=271#comment-2066 do they really care about server-side polymorphism? some do, yes... as for why they use external .js files instead of instead of inline document.write() calls? the footprint on the legitimate site's content is smaller and better obscured if there's just a reference to some outside js file as opposed to putting the malicious document.write() calls right in their system... it's not *really* obscured, of course, but a lazy webmaster might not check the contents of that external file and for complex sites that have a lot of people developing them there's a good chance that no single person is familiar enough with the the entire code to know that an external reference should or shouldn't be there... in short, it raises the amount of work necessary to stumble across the problem unknowingly... do they really care about server-side polymorphism? some do, yes…

as for why they use external .js files instead of instead of inline document.write() calls? the footprint on the legitimate site’s content is smaller and better obscured if there’s just a reference to some outside js file as opposed to putting the malicious document.write() calls right in their system… it’s not *really* obscured, of course, but a lazy webmaster might not check the contents of that external file and for complex sites that have a lot of people developing them there’s a good chance that no single person is familiar enough with the the entire code to know that an external reference should or shouldn’t be there…

in short, it raises the amount of work necessary to stumble across the problem unknowingly…

]]> By: Cody http://www.veracode.com/blog/2008/09/distributing-malware-through-trusted-websites/#comment-2064 Cody Tue, 16 Sep 2008 17:02:55 +0000 http://www.veracode.com/blog/?p=271#comment-2064 This problem will never be solved with current technology in my opinion (ignoring the source of the problem being sql injection). It seems very difficult, if not impossible, to block javascript originating from the same host as legitimate code. We need to move to a system of content validation for the web. Whether that is a signature the database can use to verify integrity of data, or web server content validation before serving pages. This problem will never be solved with current technology in my opinion (ignoring the source of the problem being sql injection). It seems very difficult, if not impossible, to block javascript originating from the same host as legitimate code.

We need to move to a system of content validation for the web. Whether that is a signature the database can use to verify integrity of data, or web server content validation before serving pages.

]]> By: Chris Eng http://www.veracode.com/blog/2008/09/distributing-malware-through-trusted-websites/#comment-2063 Chris Eng Tue, 16 Sep 2008 04:32:54 +0000 http://www.veracode.com/blog/?p=271#comment-2063 @Andre: Probably right about the low occurrence of NoScript. @Kurt: 1) Oops, I must've missed that. 2) Do they really care about polymorphism? 3) The mass SQL injection attack just loaded some .js that injected a bunch of IFRAMEs attacking client-side vulns, so I wouldn't call it a particularly complicated attack. Why not just document.write() those IFRAMEs rather than add the extra hoop of loading .js from an external site? I don't really follow the malware space that much so I am fully expecting to be called out for asking ridiculous questions! @Andre: Probably right about the low occurrence of NoScript.

@Kurt: 1) Oops, I must’ve missed that. 2) Do they really care about polymorphism? 3) The mass SQL injection attack just loaded some .js that injected a bunch of IFRAMEs attacking client-side vulns, so I wouldn’t call it a particularly complicated attack. Why not just document.write() those IFRAMEs rather than add the extra hoop of loading .js from an external site?

I don’t really follow the malware space that much so I am fully expecting to be called out for asking ridiculous questions!

]]> By: kurt wismer http://www.veracode.com/blog/2008/09/distributing-malware-through-trusted-websites/#comment-2062 kurt wismer Tue, 16 Sep 2008 03:39:18 +0000 http://www.veracode.com/blog/?p=271#comment-2062 1) cnn has already been a victim... 2) it's hard to implement any kind of server-side polymorphism with such tenuous influence over the server... 3) the scripts are usually part of a multi-stage attack (rare that an attack would end with just javascript) and the other stages are likely not nearly as easy to inject into vulnerable databases - so, since an external malicious content host is probably going to be needed anyways why not use it for the javascript too... 1) cnn has already been a victim…
2) it’s hard to implement any kind of server-side polymorphism with such tenuous influence over the server…
3) the scripts are usually part of a multi-stage attack (rare that an attack would end with just javascript) and the other stages are likely not nearly as easy to inject into vulnerable databases - so, since an external malicious content host is probably going to be needed anyways why not use it for the javascript too…

]]> By: Andre Gironda http://www.veracode.com/blog/2008/09/distributing-malware-through-trusted-websites/#comment-2061 Andre Gironda Tue, 16 Sep 2008 00:37:48 +0000 http://www.veracode.com/blog/?p=271#comment-2061 Probably for analytics. Combine the fact that about 0.2 percent of web browsers roll NoScript Probably for analytics. Combine the fact that about 0.2 percent of web browsers roll NoScript

]]>