Don't let Your Website Spread Malware
1. Cecilia Zuvic
Jason Kent
Will Bechtel
Webcast Series – May 2013
Don’t let Your Website Spread Malware – a New Approach to Web App Security
Transforming IT Security & Compliance
2. Agenda
• Website Malware Risk
• Detecting Website Malware
• How Malware is Different
• Better Website Security
• Summary
3. Identifying Malware with Web Application Scanning
Website Malware Risk
• 2012 Verizon Data Breach Investigations Report (DBIR)
– Involvement of Malware in Data Breaches is increasing
– 2011 - 69% incorporated malware (+20%)
– 2011 - Associated with breaches that involved 95% of records compromised
• 2013 Symantec Internet Security Threat Report (ISTR)
– Web-based Malware Attacks on the Rise: “We have seen the number of Web-based attacks increase by almost a third.”
– Lurking Danger: “silently infect enterprise and consumer users when they visit a compromised website”
– Hard to Detect: “rendering enterprises that rely on signature-based antivirus protection unable to protect themselves against these silent attacks”
4. Identifying Malware with Web Application Scanning
Malware Involvement in Data Breaches
*Verizon 2012 Data Breach Investigations Report
7. Identifying Malware with Web Application Scanning
What happens if your site and users are infected?
• Users are infected, and blame your organization
• Your organization website is blacklisted. You spend time trying to get off the blacklist
• Reputation Damage & Lost Revenue
8. Identifying Malware with Web Application Scanning
How does an attacker get malware on a website?
Victim
Website
• Web Application or Indirect Vulnerability
– Known vulnerability in an app or platform component
– Discovered vulnerability in developed application (XSS, etc)
• Phishing, spyware or social engineering
– Steal password or execute other attack to gain access
• Paying to host an advertisement that contains the infection
– Malvertising - legitimate websites can infect users without being directly compromised
9. Identifying Malware with Web Application Scanning
Detecting Website Malware – Traditional Approach
Signature Based Detection on systems/web gateways
• Malware is identified and analyzed (typically after many infections)
• Signature is created
• Signature is distributed to end points/gateways
Zero Day Protection Gap
10. Identifying Malware with Web Application Scanning
Detecting Website Malware – Traditional Approach
Advantage Disadvantage
11. Identifying Malware with Web Application Scanning
Detecting Website Malware – a Better Approach
• Reputation Check
– Identify reference to site that is known to host malware
• Behavioral Analysis
– Instrument a system - watch for exploitation
– Detect zero day
• Heuristic
– For common scripting techniques, etc.
• Antivirus
– For downloadable documents like PDFs
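A minimal passive scan that combines the reputation check and one script heuristic from this slide, added here as an illustration; it is not part of the original presentation or of any product it describes. The host names, the sample page, the hidden-iframe rule and the single obfuscation pattern are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed reputation list: placeholder hosts, not real indicators.
KNOWN_BAD_HOSTS = {"malware-host.example", "exploit-kit.example"}
# Heuristic for one common obfuscation pattern: eval() of a decoded string.
EVAL_DECODE = re.compile(r"eval\s*\(\s*(unescape|atob|String\.fromCharCode)", re.I)

def is_hidden(attrs):
    """True for elements sized 0/1 px or hidden through inline CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class PassiveScanner(HTMLParser):
    """Parses already-fetched HTML; sends nothing to the site under test."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings, self._in_script = site_host, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_script = tag == "script"
        if tag in ("script", "iframe", "embed") and a.get("src"):
            # Relative URLs resolve to the scanned site itself.
            host = urlparse(a["src"]).hostname or self.site_host
            if any(host == b or host.endswith("." + b) for b in KNOWN_BAD_HOSTS):
                self.findings.append(("reputation", tag, host))
        if tag == "iframe" and is_hidden(a):
            self.findings.append(("heuristic", "hidden-iframe", a.get("src") or ""))

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script and EVAL_DECODE.search(data):
            self.findings.append(("heuristic", "eval-of-decoded-string", data.strip()[:40]))

def scan(html, site_host):
    """Return (check, detail, evidence) tuples for one fetched page."""
    scanner = PassiveScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page for the demonstration.
SAMPLE_PAGE = """<script src="/js/app.js"></script>
<script src="http://cdn.malware-host.example/stat.js"></script>
<iframe src="http://exploit-kit.example/in.php" width="1" height="1"></iframe>
<script>eval(unescape("%61%6c%65%72%74"));</script>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>"""
```

Calling `scan(SAMPLE_PAGE, "www.shop.example")` flags the two external references and the two heuristic hits while leaving the relative script and the visible video iframe alone.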
12. Identifying Malware with Web Application Scanning
Detecting Website Malware – a Better Approach
• Set up a vulnerable browsing platform on a VM
• Instrument the browser using API hooking
• Input parameters, return values, and data logged in various points within the browser and OS.
• Watch for exploitation
• When done scanning or when compromised, destroy VM and start another
13. Identifying Malware with Web Application Scanning
How Malware is Different
• Malware Distribution
– Unlike vulnerabilities which are accidental software flaws, attackers try to place malware in high traffic areas
– OWASP type vulnerabilities should be distributed randomly (XSS, SQLi)
– Malware will typically be positioned to infect all users (not just authenticated)
• Malware detection does not have the impact
– Detection uses ‘passive’ and not ‘active’ techniques
– Safe for daily scans
14. Identifying Malware with Web Application Scanning
Better Website Security
• Detect both OWASP vulnerabilities and website malware
– Run daily passive scans on websites to identify malware, notify immediately
– Perform active scans on a regular basis to identify OWASP vulnerabilities
• How you benefit
– Identify and fix vulnerabilities hackers could exploit or malware distributors could use to infect your site and other users
– Protect your revenue, brand reputation and users from malware impact
– Ensure you are covered from both threats, making it hard for attackers to exploit