Thursday, July 31, 2008

"Legitimate websites face new threats: More viruses spread through trusted hosts"

Active content and so-called "Web 2.0" sites are a very rich medium for attack. These sites make heavy use of distributed program code, which is given increasing access to Windows desktops. "Active content" is the name given to programs that automatically execute (in some limited container) on users' PCs.

Most sites today deliver content from many third-party destinations. This trend began with ad servers in the late 90s. The type of content being served is also changing. Animated GIFs have long given way to Flash, ActiveX, Java and JavaScript. More recently this has extended to third-party applications designed to plug into Facebook and similar sites, and pushed by those sites.

The gravity of the active-content threat is exacerbated by browsers that let users grant omnibus trust relationships between a remote web site and the local browser, by vulnerabilities in the container, and finally by deftly constructed nefarious code. Users unintentionally and naively extend trust to unknown content. In the chain of trust, very little inspection or approval is performed on the code that will be executed. The main driver is advertising revenue, derived from a user's subliminal feline desire to click on those flashy moving objects.

The Setup: Application Layer Attacks on "Trusted" Servers

On the server side, my own FHLSim.com forum site has been hit with a few of these automated application attacks in the past couple of years, with increasing sophistication. They do not "infect" the host; they manifest inside the application that resides on the host.

In my case, they were able to subvert the stock CAPTCHA supplied with phpBB, eliminating the forum's ability to differentiate robots from humans. The threat created hundreds of fake accounts and posted spam on the message board. The spam linked to all kinds of exotic sites designed to entice visitors, increase page-rank counts on Google and ultimately make more money. This was a fairly benign payload but involved a lot of cleanup, patching, and some custom modifications to the stock software -- including switching to reCAPTCHA. In the worst instances, the message board is compromised, administrator access to the application (NOT the host OS) is obtained, and messages, users and data are deleted from the database behind the website. None of this can be prevented by widely deployed omnibus safeguards such as firewalls or intrusion detection systems.
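A detection heuristic for the kind of campaign described above (a burst of new accounts followed by link-stuffed posts), added here as an example; it is not code from this blog or from phpBB, and the event tuple layout and the sample data are constructed assumptions:

```python
import re
from collections import defaultdict, deque
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample events, not real logs: (unix_time, kind, user, source_ip, body).
# One IP registers six accounts in ten minutes, each then posting a link-stuffed
# message; a genuine user from another IP registers once and posts normally.
SAMPLE_EVENTS = (
    [(1217500000 + i * 60, "register", f"bot{i}", "203.0.113.7", "") for i in range(6)]
    + [(1217500400 + i * 30, "post", f"bot{i}", "203.0.113.7",
        "cheap pills http://spam.example/a http://spam.example/b http://spam.example/c")
       for i in range(6)]
    + [(1217500100, "register", "alice", "198.51.100.2", ""),
       (1217500700, "post", "alice", "198.51.100.2",
        "Has anyone tried the new roster import? Docs: http://forum.example/help")]
)

def registration_bursts(events, window=600, threshold=5):
    """IPs with more than `threshold` registrations in any `window`-second span -> peak count."""
    recent, flagged = defaultdict(deque), {}
    for ts, kind, _user, ip, _body in sorted(events, key=lambda e: e[0]):
        if kind != "register":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop registrations that fell out of the sliding window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def link_heavy_posts(events, min_links=2, link_share=0.5):
    """Users whose posts are mostly outbound links (>= min_links URLs, >= link_share of tokens)."""
    spammers = set()
    for _ts, kind, user, _ip, body in events:
        if kind != "post":
            continue
        tokens = body.split()
        links = [t for t in tokens if URL_RE.match(t)]
        if len(links) >= min_links and len(links) / max(len(tokens), 1) >= link_share:
            spammers.add(user)
    return spammers

def suspected_campaign(events):
    """Accounts created from a bursting IP that then posted link-heavy content: the two
    signals together point to an automated spam run rather than a human."""
    burst_ips = registration_bursts(events)
    burst_users = {u for _t, k, u, ip, _b in events if k == "register" and ip in burst_ips}
    return sorted(burst_users & link_heavy_posts(events))
```

Either signal alone produces false positives (a shared NAT address, a user pasting a few links), so the combined check is what is worth alerting on.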

The Problem: Transitive Trust

Back to application exploits on the client side. Malicious active content is happily executed in most browsers since the site is "trusted". The root cause is transitive trust. Essentially, a user's implied and absolute trust in a remote site is re-delegated to a third-party site. That site re-delegates the trust again to an unscrupulous or ignorant author and his code. The absolute trust delegated downward does not necessarily diminish with each re-delegation. The last party is motivated by money, and often neglects to write code securely because doing so delays how quickly they can "get to the money".

The Defense: Knowledge, Awareness and Tools

There are effective safeguards available to reduce the risk to web users:

  • The first is to use a browser that provides fine-grained control over what active content runs within it.
    • Mozilla Firefox, equipped with the popular "NoScript" plugin, is one example. Given a bit of self-education, users can control with high precision the active content executed from each website.
      • This lets one visit a blog without having the blog site serve up malicious content. It is also handy as an ad blocker!
    • Windows Internet Explorer 7.0 also has some inherent permission limitations that prevent some threats from manifesting. The biggest advancement is decoupling the browser from the Microsoft Windows OS itself.
  • Ensure your antivirus software is enabled with on-access scanning. While it won't catch everything, it will catch most of the really bad stuff before it manifests.
  • Enterprises should use Microsoft Windows Active Directory to enforce security templates, prohibiting or limiting the privileges available to active content from websites.
  • Implement effective patch management settings to reduce the vulnerabilities exploited by these sites. Today's "release early, release often" paradigm of rapid software development makes regular patching an imperative.

With 4 PCs and 5 non-expert web surfers (ranging in age from seven to 30-something), education about which sites should be trusted, supervision to police use, and Mozilla Firefox with NoScript have kept the bad stuff off our machines.
