Preventing & Detecting Malware: A Multifaceted Approach

by Paul Asadoorian
April 5, 2011

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center.

From LizaMoon SQL Injection Attack Hits Websites

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses that to put redirects on the web site that take users to a site which installs malware. This is not a new form of attack, however the "Lizamoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to not about the numbers of infection is "pages" does not refer to sites, as a site can have multiple infected pages. This type of attack typically works as follows:


  1. An automated scanner, likely being launched from a botnet (though there is no confirmation of this just yet) searches for web sites that could be vulnerable. The method of identification of targets is unknown as well, however the scanner is likely using Google to identify sites that use a certain technology, such as ASP pages, and even certain parameters, such as "categoryname".
  2. Once the vulnerable page is identified, the scanner attempts to inject SQL code into the database via a SQL injection vulnerability. Some scanners will just attempt to blast SQL code into every possible field, while others will search the database for fields that contain HTML tags and only inject into those fields. This slightly increases chances that the injected code will be included in web pages rendered by users browsing to the site.
  3. The HTML or JavaScript code included on the site typically redirects users to a 3rd party web site that loads malicious content. This could be any number of potential attacks, such as JavaScript, Adobe Flash or Java. In the case of LizaMoon, the standard anti-virus scam is implemented, prompting the user that their computer has a virus and they need to download anti-virus software, which is of course malware.
  4. Once the malware is installed on the end user's computer, it’s used for any number of evil purposes, such as to send SPAM, host more malware and steal sensitive information.

More details can be found in the follow articles: Update on LizaMoon mass-injection and Q&A and Lizamoon SQL Injection Campaign Compared

Tenable has several tools and techniques available to help detect, prevent and react to this type of attack:

Prevention

  • Nessus can detect many SQL injection vulnerabilities - Using the Web Application Tests Nessus can detect SQL injection vulnerabilities via fuzzing techniques. Nessus also has several plugins that will detect known SQL injection vulnerabilities in published web applications (For example, plugin 43160 - CGI Generic SQL Injection (blind, time based).
  • Configuration Auditing - You can use configuration auditing techniques, such as the ones in the article Configuration Auditing php.ini To Help Prevent Web Application Attacks to harden your web server (and even database) to be more resilient to web application attacks.

Detection

  • PVS can identify pages that are including scripts from third party web sites - The article "Event Analysis: Detecting Compromises, JavaScript, Backdoors, and more!" has a great example of PVS detecting this condition.
  • PVS can detect SQL queries between the Web server and database - The article "PVS 3.2 SQL Query Detection" describes how to use PVS to monitor database traffic.
  • PVS detects SQL injection - If PVS sees SQL statements inside the HTTP protocol stream, it will fire an alert. The article titled "Passively Detecting SQL Injection" contains examples of this being detected.
  • Recently Added Nessus Plugins for Botnet Detection - Two new Nessus plugins have been added to detect hosts on your network participating in a botnet: plugin 52670 (Web Site Links to malicious Content) and plugin 52669 (Host is listed in Known Bot Database).
  • The LCE can detect DNS queries that are attempting to resolve to domain names known to be associated with specific types of malware. For example, the following article describes how a TASL script was created to detect Fast Flux hosts.

Reaction

  • LCE Detects Botnet Activity in Your Logs - A TASL script, recently re-written and dubbed "threatlist.tasl", will detect connections to and from known botnet infected hosts

Conclusion

As "LizaMoon" has shown us, several sites are still not implementing basic measures of detection. Several of these sites are likely small to medium size businesses, possibly outsourcing their web site maintenance and creation (I guess I should use the term "maintenance" loosely). Of course, prevention is but one phase of your defenses (and perhaps the most difficult). At some point you have to face facts and realize that you cannot possibly prevent every attack against your networks and systems. Detection is important to help identify vulnerabilities across your systems and applications. The reaction phase typically kicks into high gear once you've found a compromised host on your network and want to identify other systems that may have also become compromised.