TARGETS

In our study on malicious web servers, we interacted with web servers using older versions of the browsers Mozilla Firefox, Opera and Microsoft Internet Explorer. We didn't configure any plug-ins other than the ones provided by a clean Windows XP SP2 installation. In that study we only observed attacks on Internet Explorer and none on Firefox or Opera. However, the absence of observed attacks on these clients did not allow us to conclude that they are not targeted at all, because our configurations/versions might simply have been too bare or too old.

The web exploitation kits provide a specific answer to this question: other browsers and operating systems are certainly targeted as well. The following attacks are currently supported by the web exploitation kits. To achieve a high success rate, a kit first assesses which browser and operating system are in use and then delivers the matching attack:

Target: Internet Explorer

  WebAttacker (as of September 2006):
    - Microsoft Data Access Component Vulnerability (CVE-2006-0003)
    - Windows VML Vulnerability (CVE-2006-4868)
    - Microsoft Virtual Machine Vulnerability (CVE-2003-0111)

  MPack V0.94:
    - Microsoft Data Access Component Vulnerability (CVE-2006-0003)
    - Apple QuickTime RTSP URI Remote Buffer Overflow Vulnerability (CVE-2007-0015)
    - WinZip FileView ActiveX Control Multiple Vulnerabilities (CVE-2006-6884)
    - Microsoft WebViewFolderIcon ActiveX Control Buffer Overflow Vulnerability (CVE-2006-3730)
    - Microsoft Management Console Vulnerability (CVE-2006-3643)

  IcePack [8] (as of September 2007):
    - Microsoft Data Access Component Vulnerability (CVE-2006-0003)
    - WebViewFolderIcon ActiveX Control Buffer Overflow Vulnerability (CVE-2006-3730)
    - Microsoft Management Console Vulnerability (CVE-2006-3643)
    - Vector Markup Language Vulnerability (CVE-2007-0024)
    - Microsoft DirectX Media 6.0 Live Picture Corporation DirectTransform FlashPix ActiveX (CVE-2007-4336)
    - Yahoo! Messenger Webcam ActiveX Remote Buffer Overflow Vulnerability (CVE-2007-3147, CVE-2007-3148)
    - Yahoo! Widgets YDP ActiveX Control Buffer Overflow Vulnerability (CVE-2007-4034)

Target: Opera

  WebAttacker (as of September 2006):
    - Windows Media Player Plug-In with Non-Microsoft Internet Explorer Vulnerability (CVE-2006-0005)

  MPack V0.94:
    - Windows Media Player Plug-In with Non-Microsoft Internet Explorer Vulnerability (CVE-2006-0005)

  IcePack [8] (as of September 2007):
    - Windows Media Player Plug-In with Non-Microsoft Internet Explorer Vulnerability (CVE-2006-0005)

Target: Firefox

  WebAttacker (as of September 2006):
    - Exploitable crash in InstallVersion.compareTo vulnerability (CVE-2005-2265)
    - Windows Media Player Plug-In with Non-Microsoft Internet Explorer Vulnerability (CVE-2006-0005)

  MPack V0.94:
    - Windows Media Player Plug-In with Non-Microsoft Internet Explorer Vulnerability (CVE-2006-0005)

  IcePack [8] (as of September 2007):
    - Windows Media Player Plug-In with Non-Microsoft Internet Explorer Vulnerability (CVE-2006-0005)
    - JavaScript Navigator Object Vulnerability (CVE-2006-3677)

While the set of attacks supported is rather small, it does show that multiple browsers are targeted. Many attacks use attack vectors that rely on plug-ins. Firefox and Opera are attacked via the Microsoft Windows Media Player plug-in, and Internet Explorer is attacked via some older vulnerabilities of the browser itself (the MDAC attack) as well as more recent vulnerabilities in browser plug-ins, such as QuickTime and WinZip. (Note that this is the attack sequence we encountered on the Italian Keith Jarrett web site.) In September 2007, a vulnerability was discovered that allows an attacker to execute arbitrary code in Internet Explorer 7 via crafted PDF files (CVE-2007-5020); another dangerous potential candidate for inclusion in one of the kits. How quickly new attacks are actually unleashed in new releases is still not well understood and will be answered as part of future work.

If we look at these three web exploitation kits as evolutionary successions, however, there seems to be a trend towards attacking plug-ins. Browsers nowadays have some sort of automated update mechanism that would result in a closure of the attack window for these web exploitation kits fairly quickly. However, third-party plug-ins, such as Flash or Yahoo! Widgets, do not have such update mechanisms and remain unpatched on the system even when patches are available. Targeting these plug-ins ensures that the web exploitation kits remain effective.

MPack has an additional feature that we haven't considered so far: geolocation-dependent triggering via the freely available MaxMind Geolocation Technology. MPack determines in what country the user is located and can be configured to only trigger on certain countries. A copy of MPack that we obtained was configured to trigger only on users from Russia, Ukraine and the United States. A user located in New Zealand who navigates to the malicious page would not be attacked. The PandaLabs Report shows an MPack installation that doesn't seem to be as selective, triggering on users from many different countries: its statistics page shows successful attacks on users from Japan, Germany, Spain, United States, Romania, UK, Italy, France, China, Mexico and Canada.

The geolocation-dependent triggering could easily be extended into a more fine-grained triggering mechanism that avoids specific networks. Web exploitation kits could present a benign face (a malicious server in sheep's clothing) to the entities that find and assess malicious web servers (AV and security companies), while continuing to exhibit malicious behavior when accessed from outside those specific networks. For the attacker, this would greatly reduce the risk of detection while increasing the likelihood of continued operation of the malicious web server, and therefore lead to continued financial gain.
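Because the kits fingerprint the browser and trigger by geolocation (and could trigger by network), a single fetch from one honeyclient profile can miss the attack entirely. The following Python check is an added example, not code from the report or from any of the kits it describes: a honeyclient fetches the same URL under several client profiles (vantage country, User-Agent) and flags profiles that receive content the others do not. The responses, the kit URL and the User-Agent strings are constructed sample data.

```python
import re

# Constructed sample responses for one URL fetched under different client
# profiles (vantage country, User-Agent). Only the IE-from-US profile is served
# the injected zero-size iframe and obfuscated loader; the others get the
# plain page. "kit.example" is a placeholder, not a real kit host.
CLEAN = "<html><body><h1>Concert dates</h1></body></html>"
EXPLOIT = ('<html><body><h1>Concert dates</h1>'
           '<iframe src="http://kit.example/in.cgi" width=0 height=0></iframe>'
           '<script>eval(unescape("%64%6f"))</script></body></html>')

SAMPLE_RESPONSES = {
    ("US", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"): EXPLOIT,
    ("NZ", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"): CLEAN,
    ("US", "Mozilla/5.0 (Windows; U; rv:1.8) Gecko Firefox/2.0"): CLEAN,
    ("US", "Opera/9.02 (Windows NT 5.1; U; en)"): CLEAN,
}


def extract_features(html):
    """Structural markers that drive-by pages typically carry: external
    iframe/script sources and common JavaScript obfuscation primitives."""
    feats = set()
    for m in re.finditer(r'<iframe[^>]*\ssrc=["\']?([^"\'\s>]+)', html, re.I):
        feats.add("iframe:" + m.group(1))
    for m in re.finditer(r'<script[^>]*\ssrc=["\']?([^"\'\s>]+)', html, re.I):
        feats.add("script:" + m.group(1))
    if re.search(r"\b(eval|unescape)\s*\(|String\.fromCharCode", html):
        feats.add("obfuscated-js")
    return frozenset(feats)


def cloaking_report(responses):
    """Compare the feature sets seen by each profile. Features common to all
    profiles form the baseline; any profile that sees extra features was
    served something the others were not, which suggests browser- or
    location-dependent triggering. Returns (suspected, {profile: extras})."""
    feats = {p: extract_features(h) for p, h in responses.items()}
    baseline = frozenset.intersection(*feats.values())
    extras = {p: f - baseline for p, f in feats.items() if f - baseline}
    return bool(extras), extras


if __name__ == "__main__":
    suspected, extras = cloaking_report(SAMPLE_RESPONSES)
    print("cloaking suspected:", suspected)
    for (vantage, ua), f in extras.items():
        print(f"  {vantage} / {ua}: {sorted(f)}")
```

A profile that sees no extra features is not proof of a clean server; it only means that profile was not selected, which is exactly why the check needs several vantage points and browser identities.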

All web exploitation kits record information about the clients in a statistics database. Such statistics, an example of which is shown in Figure 3, make targeting easier. They provide attackers with information to determine whether their attacks are still successful. Do old attacks, such as the MDAC attack on Windows 2000, still lead to successful exploitations? If so, an attacker might refrain from upgrading to newer and more expensive exploits. If the success rate of an exploit suddenly drops, the attacker can react accordingly. Browser statistics and the trends derived from them allow the attacker to purchase the exploits that provide the highest return on investment.

Geolocation information could potentially be used for follow-up attacks in the regions where attacks were most successful. A high success rate in a specific region indicates that users there are less security aware, do not apply the latest patches, etc., and are therefore prone to future attacks. These attacks are not limited to drive-by downloads, but could be in the area of phishing, attacks on servers, spam, etc. These are the low-hanging fruit attackers will go for first.