
Don’t let Your Website Spread Malware – a New Approach to Web App Security

Oct 19, 2014

Page 1: Don’t let Your Website Spread Malware – a New Approach to Web App Security

Cecilia Zuvic, Jason Kent, Will Bechtel

Webcast Series – May 2013

Transforming IT Security & Compliance

Page 2: Agenda

• Website Malware Risk

• Detecting Website Malware

• How Malware is Different

• Better Website Security

• Summary


Page 3: Identifying Malware with Web Application Scanning – Website Malware Risk

• 2012 Verizon Data Breach Investigations Report (DBIR)

– Involvement of Malware in Data Breaches is increasing

– 2011 - 69% incorporated malware (+20%)

– 2011 - Associated with breaches that involved 95% of records compromised

• 2013 Symantec Internet Security Threat Report (ISTR)

– Web-based Malware Attacks on the Rise: “We have seen the number of Web-based attacks increase by almost a third.”

– Lurking Danger: “silently infect enterprise and consumer users when they visit a compromised website”

– Hard to Detect: “rendering enterprises that rely on signature-based antivirus protection unable to protect themselves against these silent attacks”

Page 4: Malware Involvement in Data Breaches

*Verizon 2012 Data Breach Investigations Report

Page 5: Malware Involvement in Data Breaches

*Verizon 2012 Data Breach Investigations Report

Page 6: Malware Involvement in Data Breaches

*Verizon 2012 Data Breach Investigations Report

Page 7: What happens if your site and users are infected?

• Users are infected, and blame your organization

• Your organization website is blacklisted

• You spend time trying to get off the blacklist

• Reputation Damage & Lost Revenue

Page 8: How does an attacker get malware on a website?

Victim Website

Web Application or Indirect Vulnerability

• Known vulnerability in an app or platform component

• Discovered vulnerability in developed application (XSS, etc.)

Phishing, spyware or social engineering

• Steal password or execute other attack to gain access

Paying to host an advertisement that contains the infection

• Malvertising - legitimate websites can infect users without being directly compromised

Page 9: Detecting Website Malware – Traditional Approach

Signature Based Detection on systems/web gateways

• Malware is identified and analyzed (typically after many infections)

• Signature is created

• Signature is distributed to end points/gateways

Zero Day Protection Gap

Page 10: Detecting Website Malware – Traditional Approach

Advantage Disadvantage

Page 11: Detecting Website Malware – a Better Approach

• Identify reference to site that is known to host malware

• Instrument a system - watch for exploitation

• Detect zero day

• For common scripting techniques, etc.

• For downloadable documents like PDFs

Antivirus Heuristic

Reputation Check

Behavioral Analysis
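The reputation check listed on this slide (identifying references to sites known to host malware), sketched as an added example that is not code from the webcast or any product: it collects every URL a page makes a visitor's browser fetch and flags hosts on a known-bad list. The list, hostnames, page URL and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed reputation list; a real scan would load a maintained feed.
KNOWN_BAD_HOSTS = {"malware-host.example", "exploit-kit.example"}

# Tag -> attribute that makes a visitor's browser fetch a resource.
FETCHING_ATTRS = {"script": "src", "iframe": "src", "embed": "src",
                  "object": "data", "link": "href"}

class ReferenceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every resource the page pulls in."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.references = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:  # resolve relative and protocol-relative URLs
            self.references.append((tag, urljoin(self.page_url, value)))

def is_listed(host, bad_hosts):
    # Match the host itself or any parent domain (cdn.bad.example -> bad.example).
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_hosts for i in range(len(labels)))

def reputation_check(page_url, html, bad_hosts=KNOWN_BAD_HOSTS):
    """Passive check: parses already-fetched HTML, sends nothing to the site."""
    collector = ReferenceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.references
            if is_listed(urlsplit(url).hostname or "", bad_hosts)]

# Constructed sample page with two injected references.
PAGE_URL = "https://shop.example/index.html"
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.exploit-kit.example/a.js"></script>
<link rel="stylesheet" href="https://static.shop.example/site.css">
</head><body>
<iframe src="http://MALWARE-HOST.example/landing" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in reputation_check(PAGE_URL, SAMPLE_PAGE):
        print(f"ALERT <{tag}> references listed host: {url}")
```

This covers only references present in the served HTML; references that scripts add at run time are what the behavioral analysis on the next slide is meant to catch.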

Page 12: Detecting Website Malware – a Better Approach

• Set up a vulnerable browsing platform on a VM

• Instrument the browser using API hooking

• Input parameters, return values, and data logged at various points within the browser and OS

• Watch for exploitation

• When done scanning or when compromised, destroy VM and start another

Page 13: How Malware is Different

• Malware Distribution

– Unlike vulnerabilities which are accidental software flaws, attackers try to place malware in high traffic areas

– OWASP type vulnerabilities should be distributed randomly (XSS, SQLi)

– Malware will typically be positioned to infect all users (not just authenticated)

• Malware detection does not have the impact

– Detection uses ‘passive’ and not ‘active’ techniques

– Safe for daily scans


Page 14: Better Website Security

• Detect both OWASP vulnerabilities and website malware

– Run daily passive scans on websites to identify malware, notify immediately

– Perform active scans on a regular basis to identify OWASP vulnerabilities

• How you benefit

– Identify and fix vulnerabilities hackers could exploit or malware distributors could use to infect your site and other users

– Protect your revenue, brand reputation and users from malware impact

– Ensure you are covered from both threats, making it hard for attackers to exploit


Page 15: Thank You