Web attacks slip under the radar

IP tracking and geographic awareness throwing security researchers off the scent

The latest innovations in Web attack kits have forced security researchers to admit that many malicious websites are slipping under the radar.

Recent web attack kits such as WebAttacker, MPack and IcePack are using features such as IP tracking and geographic awareness to throw security researchers off the scent, according to a new report from the Honeynet Project. Web attack kits are standardized tool sets for adding malicious code into websites, often without the knowledge of the sites themselves.

The Honeynet Project collects its information on threats by using dummy systems to visit large numbers of websites.

But in its most recent report, released last week, the project's researchers found that attack kits such as MPack had learned how to evade high-interaction client honeypots such as Capture-HPC.

Researchers found that after an initial visit, a website would often stop showing signs of infection. This turned out to be due to IP tracking features, something researchers aren't yet equipped to handle - meaning that current research is likely to wrongly label many sites as "safe".

"It is likely that distributed client honeypots will become a necessity in the near future," researchers said in the report, called "Know your enemy: behind the scenes of malicious web servers."

Even more disturbingly, attackers are starting to deploy "geolocation-dependent triggering", which allows malicious code to attack only systems from a particular geographic region -- for instance, well-off neighborhoods.

Besides the increased effectiveness of such attacks, geographic filtering could make it extremely difficult for researchers to know whether a site is infected or not. "Geolocation-dependent triggering is something we had not yet considered. Depending on what countries are prime targets, it might also result in a large number of false negatives," researchers said in the report.
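The false-negative problem described above can be made concrete with a short added example (not code from the Honeynet Project report or from Capture-HPC): it merges client-honeypot verdicts from several vantage points, flags the two cloaking patterns, and refuses to call a site "benign" on thin coverage. The observation format, the `classify` function, the thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (url, vantage_ip, region, visit_order, malicious_seen)
OBSERVATIONS = [
    ("http://a.example/", "192.0.2.10", "AU", 1, True),
    ("http://a.example/", "192.0.2.10", "AU", 2, False),
    ("http://a.example/", "198.51.100.7", "DE", 1, True),
    ("http://b.example/", "192.0.2.10", "AU", 1, False),
    ("http://b.example/", "192.0.2.11", "AU", 1, False),
    ("http://b.example/", "198.51.100.7", "DE", 1, True),
    ("http://b.example/", "198.51.100.8", "DE", 1, True),
    ("http://c.example/", "192.0.2.10", "AU", 1, False),
    ("http://c.example/", "192.0.2.10", "AU", 2, False),
    ("http://d.example/", "192.0.2.10", "AU", 1, False),
    ("http://d.example/", "198.51.100.7", "DE", 1, False),
    ("http://d.example/", "203.0.113.5", "US", 1, False),
]

def classify(observations, min_ips=3, min_regions=3):
    """Return {url: (verdict, notes)}; thresholds are illustrative assumptions."""
    by_url = defaultdict(list)
    for url, ip, region, order, bad in observations:
        by_url[url].append((ip, region, order, bad))
    report = {}
    for url, rows in by_url.items():
        first = {}  # vantage IP -> (region, verdict) of its earliest visit
        for ip, region, order, bad in sorted(rows, key=lambda r: r[2]):
            first.setdefault(ip, (region, bad))
        notes = set()
        if any(bad for *_, bad in rows):
            # Served on the first visit, withheld on a repeat from the same IP.
            if any(first[ip][1] and not bad for ip, _, _, bad in rows):
                notes.add("ip-tracking")
            # First visits split cleanly by region: some always hit, others never.
            hit = {reg for reg, bad in first.values() if bad}
            miss = {reg for reg, bad in first.values() if not bad}
            if hit and miss and not (hit & miss):
                notes.add("geo-triggering")
            report[url] = ("malicious", notes)
        else:
            regions = {reg for reg, _ in first.values()}
            covered = len(first) >= min_ips and len(regions) >= min_regions
            # A clean result from one IP or one region proves little.
            report[url] = ("benign" if covered else "inconclusive", notes)
    return report
```

A single-vantage crawler would have recorded `http://c.example/` as safe; here it stays "inconclusive" until enough distinct IPs and regions have visited it.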

Finally, attackers are broadening the number of applications and particularly plug-ins they target. That means that instead of simply attacking web browsers such as IE, Firefox and Opera, attack kits are seeking out vulnerabilities in those browsers' plug-ins, which are often updated less frequently, if at all.

"This is bad news for the end user whose many client vulnerabilities are now being actively attacked and comparing supported attacks of WebAttacker, MPack and IcePack seems to indicate a trend," the report said.

Previous studies - which already found the web to be rife with attack code - are likely to have missed many infected sites because they didn't deploy a broad enough range of plug-ins, the project said.

On the positive side, the study found that the deployment of standardized attack kits is homogenizing the landscape of malicious web servers, making them more easily identified.

"Characteristics about the tool and the malicious content it serves can currently be identified and matched upon," the report said.

The project's last report, in August, found that even seemingly safe web addresses were rife with attack code aiming at vulnerable clients. That study also found that methods such as blacklists can be surprisingly successful in stopping client-side attacks.

Matthew Broersma

Techworld.com