Over 83% of endpoint infections come from hijacked websites. Have you ever seen those crazy pop-ups from fake anti-virus products such as AntiVirus Plus or System Tools 2011, the ones that look just like Windows Security Center? This is some pretty nasty malware. Why is it so successful? It combines the threats we discussed in previous posts with a little social engineering, and the attacker is on their way.
For example, a popular news or social media website is compromised so that when a user merely moves the mouse over one of the banner ads (no click required) the attacker's malware page also loads on the user's system. A small piece of JavaScript then runs that makes it look like Windows Security Center is scanning the system (it is not) and has found a whole pile of malware (it has not). The "scan" is just an animation drawn by the web page; nothing has actually inspected the machine.
Often another pop-up launches telling the user that the system is infected. Clicking the X at the top, the Cancel button, or anything else on the dialog frequently installs the rogue AV software anyway, because the whole dialog is just a web page whose every element triggers the same download. The social engineering then continues as the program asks for $40 to "resolve" the issues. Meanwhile it is often dropping keyloggers and backdoors on the system to harvest passwords, credit card, Social Security and health care numbers, and to establish remote access. Remote access is key: attackers cannot leave their malware unmanaged. All the user did was visit one of their favorite websites.
Traditional content filtering solutions only ask "is a news site OK?" or "is a social networking site OK?" and, having answered yes, allow the page to load without looking at what it actually delivers. This suits malware distributors perfectly. Why try to shove 100,000 emails into your network when I can compromise a popular website that gets hundreds of thousands of hits every day and have all of the victims come to me?
Anti-malware vendors are having a difficult time detecting these. The attacks are targeted this way and hard to notice, and the attackers repack the malware and change its footprint often enough that signature detection does not catch it. They are not even launching buffer-overflow-type exploits against the system; they simply talk the user into installing the software themselves. The software is still malicious, but a user-initiated install is not what exploit-focused endpoint security is primarily looking for.
While the endpoint anti-malware companies work on integrating technologies to prevent attacks like this, there is another layer where we can effectively defend users. Really, why are we relying on the endpoint anti-malware software to catch this? That software is the very last line of defense. If bad software reaches the endpoint, our network-based controls have already failed.
One network component that is getting a lot of attention for this is the content filtering server. Traditionally this system categorically permits and denies access to websites; for example, gambling and dating sites may be blocked from the corporate LAN to increase productivity (not that this is the silver bullet for low productivity, but that is another story). Since these servers already sit in the path of all outgoing and incoming web traffic, why not look for threats in that traffic?
Using a Secure Web Gateway we get a lot more value from the same web content filtering server. We can scan the responses coming back from trusted websites for malware as they flow to users, and drop the malicious content before it reaches the endpoint. We can proactively detect anonymizing proxies to ensure that users are not bypassing our controls. If an endpoint does get compromised, the malware typically calls home over HTTP, often with POST requests, to fetch updates or to dump stolen information such as passwords and credit card numbers; a Secure Web Gateway can block those callbacks. And with so many new sites popping up on the Internet, many websites are uncategorized anyway; a Secure Web Gateway can determine which category such a site falls into and take the appropriate action.
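To make the difference between "is this category OK?" filtering and Secure Web Gateway inspection concrete, here is a small added example (not code from the original post or from any gateway product) that runs both policies over a handful of constructed proxy log lines covering the scenario above: a user on a news site pulls an executable from an ad domain, the infected machine then POSTs repeatedly to an uncategorized host, and another user tries a categorized and an uncategorized CGI-style anonymizer. The Squid-like log format, the category table, the domain names and the three-POST beacon threshold are all assumptions made for illustration.

```python
"""Toy Secure Web Gateway (SWG) policy run over constructed proxy log lines.

Added example, not code from the original post or any product. The log
format (Squid-like), category table, domain names and thresholds are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed category feed; a real gateway queries a vendor database.
CATEGORIES = {
    "news.example": "news",
    "social.example": "social",
    "bet.example": "gambling",
    "hideme.example": "anonymizer",
}
BLOCKED_CATEGORIES = {"gambling", "dating", "anonymizer"}

# MIME types of Windows executables; a content site has no business serving these.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

# CGI-proxy style "?u=http://..." or "?url=http://..." parameters.
EMBEDDED_URL = re.compile(r"[?&][a-z]{1,8}=https?://", re.IGNORECASE)

# Assumption: three POSTs from one client to one uncategorized host is a callback.
BEACON_THRESHOLD = 3

# Constructed log lines: timestamp client method url status bytes mime
LOG = """\
1300000000.1 10.0.0.5 GET http://news.example/index.html 200 5120 text/html
1300000001.2 10.0.0.5 GET http://ads.example/banner.js 200 410 application/javascript
1300000001.9 10.0.0.5 GET http://ads.example/securitycenter/install.exe 200 190000 application/x-msdownload
1300000030.0 10.0.0.5 POST http://c2-update.example/gate.php 200 210 text/html
1300000090.0 10.0.0.5 POST http://c2-update.example/gate.php 200 215 text/html
1300000150.0 10.0.0.5 POST http://c2-update.example/gate.php 200 208 text/html
1300000160.0 10.0.0.7 GET http://hideme.example/browse.php?u=http://bet.example/ 200 3000 text/html
1300000170.0 10.0.0.7 GET http://newproxy.example/nph-proxy.cgi?url=http://bet.example/ 200 3000 text/html
1300000180.0 10.0.0.7 GET http://bet.example/ 200 3000 text/html
1300000190.0 10.0.0.9 GET http://social.example/feed 200 8000 text/html
"""


def parse(log_text):
    """Split each log line into a dict; URLs carry no spaces in this format."""
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size, mime = line.split()
        entries.append({
            "client": client, "method": method, "url": url,
            "host": urlsplit(url).hostname, "mime": mime,
        })
    return entries


def category_of(host):
    return CATEGORIES.get(host, "uncategorized")


def category_only_policy(log_text):
    """Traditional content filter: the only question asked is 'is this category OK?'."""
    return ["block" if category_of(e["host"]) in BLOCKED_CATEGORIES else "allow"
            for e in parse(log_text)]


def swg_policy(log_text):
    """Gateway policy that also inspects the response and the traffic pattern."""
    post_counts = defaultdict(int)   # (client, host) -> POSTs to uncategorized hosts
    verdicts = []
    for e in parse(log_text):
        cat = category_of(e["host"])
        reasons = []
        if cat in BLOCKED_CATEGORIES:
            reasons.append("category:" + cat)
        # Response inspection: an executable coming back from anything other than
        # a software-distribution site is dropped before it reaches the endpoint.
        if e["mime"] in EXECUTABLE_TYPES and cat != "software":
            reasons.append("executable-from-non-software-site")
        # Anonymizer detection by URL pattern, so an uncategorized proxy is caught too.
        if EMBEDDED_URL.search(e["url"]):
            reasons.append("anonymizing-proxy-pattern")
        # Callback detection: repeated POSTs to a host nobody has categorized.
        if e["method"] == "POST" and cat == "uncategorized":
            key = (e["client"], e["host"])
            post_counts[key] += 1
            if post_counts[key] >= BEACON_THRESHOLD:
                reasons.append("repeated-post-to-uncategorized-host")
        if reasons:
            verdict = "block"
        elif cat == "uncategorized":
            verdict, reasons = "flag", ["uncategorized"]   # allowed, but worth a look
        else:
            verdict = "allow"
        verdicts.append({"url": e["url"], "verdict": verdict, "reasons": reasons})
    return verdicts


if __name__ == "__main__":
    for old, new in zip(category_only_policy(LOG), swg_policy(LOG)):
        print(f"{old:5} -> {new['verdict']:5} {new['url']} {','.join(new['reasons'])}")
```

Run as a script it prints one line per request with the category-only verdict beside the gateway verdict. The category-only policy blocks just the gambling site and the categorized anonymizer; the gateway additionally drops the executable served from the uncategorized ad domain, catches the uncategorized CGI proxy by its URL pattern, and blocks the third POST to the callback host while leaving the ordinary news and social traffic alone. The uncategorized-host "flag" verdict is the hook for the last point above: a real gateway would categorize such a host on the fly rather than blindly allowing it.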