Exploiting modern Web apps to deliver malicious drive-by downloads to users often requires multiple steps. In a presentation at the RSA security conference in San Francisco, security vendors Dasient and Cenzic are teaming up to show how their respective solutions sets can be used to find, exploit and ultimately defend websites against drive-by download attacks.
"We're coming in and looking at root causes of vulnerabilities," Lars Ewe, CTO at Cenzic, told InternetNews.com. "While we're working on root cause analysis we often find that customers have become victims of malware."
Neil Daswani,co-founder and CTO at Dasient noted that it has become increasingly easy to conduct drive-by attacks in recent years. To prove his point, Daswani and Ewe are showing how they found a persistent Cross Site Scripting (XSS) vulnerability on a website that enabled an attacker to put drive-by malware on the site.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
According to Ewe, the XSS issue is not browser specific, and is directly related to a Web application flaw. He did indicate that the execution of the flaw relies on a specific plug-in being available in the browser. Ewe did not specifically identify the plug-in or the specific website that they were targeting.
"The way these attacks work in the wild is the attacker has an online exploit kit that fingerprints the user's browser, operating system, plug-ins and what anti-virus software they're using," Daswani said. "The kit then figures out which piece of software to take advantage of."
Ewe added that the exploitation is a multi-step process. The first step is dependent on a server side vulnerability and the second depends on client side vulnerability. Ewe and Daswani believe in responsible disclosure and as such have been in discussions with the server application vendor for patching.
In Daswani's view, it's critical to patch the server side, as by fixing the server vulnerability hundreds of thousands of potential victims can be saved.
"I think that client side defenses are a good defense in depth measure but I think that companies that run servers need to take more responsibility," Daswani said. "Server side vulnerabilities can be used as a launching pad for Web-based malware injection."
There are a number of ways to help mitigate the risk of drive-by download attacks. Web Application Firewalls (WAFs), for example, can be used as a frontline defense for Web servers. A
WAFs however are not a silver bullet and in the RSA demonstration case, Ewe said that a WAF wouldn't protect the website against the specific XSS issue. Daswani added that a WAF doesn't have the malware scanning capabilities that his firm's anti-malware server tech offers either.
What is needed is scanning for Web application vulnerabilities as well as server malware. To that end, Dasient and Cenzic are now building out a solution that will help site owners to scan their web servers for both application vulnerabilities as well as malware. Both Ewe and Daswani said that further research is still needed to both identify and lock down vulnerabilities in Web applications.
"For me this is one of the spaces where we still have ways to go," Ewe said. "There is still a lack of understanding, especially in the SMB market about the risks and the possibilities that exist to protect them."
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.