Frequency-X Blog, 2007
Web Browser Exploitation

The last couple of years have seen some major increases in Web browser attacks – both in frequency and sophistication. The reasons behind the increases are many, but some of the most significant in my mind are:

The combination of these factors has meant that compromising a computer through the Web browser has a higher probability of success than the more traditional techniques (such as email attachments, file downloads, etc.).

“Progress” From Heap-spraying

I guess Web browser exploitation started to get exciting back in 2004, when SkyLined introduced everyone to the concept of heap-spraying. All of a sudden, several years' worth of DoS vulnerabilities in Microsoft’s Internet Explorer looked ripe for some real exploitation. Since then, we’ve observed a lot of bug hunting in the major Web browsers, and just about every ActiveX control that could be called via a browser appears to have come under the crosshairs of an automated fuzzer.

While these bug-hunting frenzies were being conducted, a parallel research path resulted in the marrying of multiple Web browser exploits into a single scripted attack. These malicious scripted attacks were quickly adopted by malware purveyors for the distribution of their wares – giving birth to the concepts of “drive-by installs” and “drive-by exploitation”.

Now, as Robert Freeman mentioned in his recent post about mPack activity, the tools being used to conduct the most recent round of Web browser attacks aren’t exactly new – nor are they particularly cutting edge. What makes one tool more valuable than another at the moment is its compromise success rate – i.e. what percentage of visitors to a malicious Web page can be exploited and will have the nominated malware package successfully installed.

Predicting Web Exploitation

How do I see the Web exploitation techniques developing over the next few years? Well, it doesn’t take a genius to predict that the sophistication of the tools will continue to increase and that the popularity of this infection vector will similarly increase.
Here I’m calling out three groupings of techniques:
A couple of years ago, these “classic” techniques accounted for almost all Web browser exploitation – with only a small percentage making use of scripting to obfuscate their attack. Today, the “classic” techniques are still the most prevalent. However, “script” techniques have increased and will shortly surpass them. We are also observing the first generation of “blended” techniques and their dedicated delivery tools. In the future I expect the “blended” techniques to overtake both the “classic” and “script” categories. A factor in that success will likely be the continued development and sophistication of x-morphic exploitation engines designed to thwart evolutionary protection systems. [Details on X-morphic exploitation can be found in my recent whitepaper.]

Money for tools

A point worth noting is that tools with reliable infection rates already command higher prices on the underground market. For example, current versions of the mPack tool are worth a premium due to (provable) claims by the author of 12-35 percent efficiency.

Again, looking into my crystal ball, competition between the groups that develop these Web browser exploitation toolkits will continue to grow. This competition will likely result in more sophisticated tools and the continued development of semi-commercial services – such as those now typically coined “Managed Exploit Providers” (MEP).