AFFILIATE WEB-BASED MALWARE - Sophos

AFFILIATE WEB-BASED MALWARE BACCAS

AFFILIATE WEB-BASED MALWARE
Paul Baccas
SophosLabs, The Pentagon, Abingdon Science Park, Abingdon, Oxon OX14 3YP, UK
Email: [email protected]

ABSTRACT

For the past year at SophosLabs we have been tracking malicious websites with our technology partners via product-based reporting and internal web spidering. Most web attacks are fairly simple and straightforward, though the components of these simple attacks are arbitrarily complex. Some attacks, however, are more complex in nature and include the passing of information to ‘grey’ sites as well as installing malware. These complex attacks are reminiscent of the type of links we would see were we to analyse a revenue-generating/advertising/pop-up network. These affiliate-based links look to all intents and purposes like a ‘legitimate’ network with the added bonus of delivering malware. This paper will attempt to show some straightforward affiliate networks, with more detailed analysis of some affiliate malware delivery systems.

INTRODUCTION

Affiliated websites are those that are connected via links for the purpose of generating revenue. Often the affiliated websites will connect to each other, forming large networks of links to drive up the revenue potential of the affiliated websites. Both legitimate and illegitimate affiliate websites do business in the same way. The business models of each differ only in the final transaction, in that illegitimate websites ultimately will install malware or potentially unwanted applications (PUAs).

In real life there is contextual data to ascertain the legitimacy of a business, e.g. buying goods from the back of a truck is likely to be illegitimate; a shop on 5th Avenue, legitimate. A buy-one-get-one-free offer at Walmart is different from a buy-one-get-one-free offer from an unknown individual in the Walmart car park. On the web, business practices lose that contextual data. Legitimate and illegitimate sites can look very similar, so the average surfer’s context for making a judgement becomes more difficult. Consider:

• An Amazon link that earns the referrer fractions of a penny is legitimate.
• A spamvertised link to a pharmacy site that earns the referrer fractions of a penny is illegitimate.

While a human might be able to find sufficient context in the above case, an automated system will find it more difficult but can glean context. As the ‘offer’ becomes more complex a human can often miss the context information. An automated system can fully analyse a complex ‘offer’ and find the context information.

Also, a large number of web pages use some form of web-tracking software. Some tracking software is more transparent than others. A number of people have expressed concern about this trend and are either actively or passively against the use of such software [1]. Most tracked data is anonymous, which means that while sites know that someone searched for X, they don’t know who the person is; for example, the BBC’s website presents a list of links to the ‘most popular stories now’ [2] which has been generated using the X but not the who. However, in other cases the tracked data may not be anonymous. This has meant that several people have come up with solutions to counter tracking software. Due to web owner demand, web-tracking software vendors have come up with more complex tracking methods. These complex tracking methods are often used by legitimate and not so legitimate websites. Consider:

• Legitimate: an invisible image (one whose presence is not noticeable when viewing the page) in a web page where the load time is used to track which sites/pages you have visited.
• Illegitimate: an invisible image in a web page that causes a buffer overflow that subsequently loads other software.

When presented with an image link within a web page, a human will have to manually download the image. An automated system can do this by default and has the ability to fully analyse the file.

Most web pages contain some form of revenue generation, whether by direct or syndicated advertisements. These adverts can range from simple text to streaming banners, from a single picture to a Shockwave Flash file. Again, some people have taken umbrage at this form of blandishment and have created software for blocking adverts. Advertisers and web administrators have fought back and created more complex adverts. Many of these complex adverts are predicated on the need to accept all JavaScript or Flash content on a website in order to view even just the text.
Consider:

• A website with streaming adverts used to pay for the free content hosted.
• A website with poisoned adverts designed to install scareware [3].

SophosLabs and other security professionals have been tracking the numerous examples of poisoned adverts. These poisoned adverts are injected into the advertising feeds of legitimate websites. The adverts use features of Shockwave Flash files to run ECMAScript (JavaScript) and redirect web users to another website. This other website will eventually lead to a website that advertises and attempts to download scareware (programs that claim to detect ‘compromising files’ on your computer, and encourage users to purchase a full version of the package to remove them).

When faced with a modern website containing dozens of links, a human finds it increasingly difficult to analyse the links statically. The only difficulties an automated system has in analysing the list of links are resources. The human analyst has to resort to stepping through the web page on a live system. Not only is automation quicker than a human, but it can also remember hundreds of past results.
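The invisible-image and hidden-frame cases above are exactly what an automated system catches by extracting every element of a page instead of rendering it. The following Python script is an added example and is not code from the paper or from SophosLabs: it parses a constructed sample page (placeholder hostnames, not real sites) and flags `<img>` and `<iframe>` elements a viewer would never notice. The criteria used (1x1 or smaller, hidden by CSS, positioned far off-screen) and the thresholds are our own assumptions, chosen to match the tracking-pixel and hidden-iframe patterns the paper describes.

```python
# Added example (not from the paper): flag "invisible" images and iframes in a
# fetched page so an analyst can pull and inspect them. Stdlib only, runs offline.
from html.parser import HTMLParser
import re

# Our assumed invisibility criteria: hidden-by-style, or pushed far off-screen.
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_OFFSCREEN_STYLE = re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally suffixed 'px')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return m is not None and int(m.group(1)) <= 1


class HiddenElementFinder(HTMLParser):
    """Collects <img> and <iframe> start tags that a viewer would not notice."""

    def __init__(self):
        super().__init__()
        self.findings = []  # dicts with keys: tag, src, reason

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = dict(attrs)
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1-or-smaller")
        style = a.get("style") or ""
        if _HIDDEN_STYLE.search(style):
            reasons.append("hidden-by-style")
        if _OFFSCREEN_STYLE.search(style):
            reasons.append("positioned-offscreen")
        if reasons:
            self.findings.append(
                {"tag": tag, "src": a.get("src"), "reason": ",".join(reasons)}
            )


def find_hidden_elements(html):
    """Parse one page and return the invisible <img>/<iframe> elements, in page order."""
    parser = HiddenElementFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a visible banner, a tracking pixel, a hidden iframe,
# a zero-size iframe and an off-screen iframe. Hostnames are placeholders.
SAMPLE_PAGE = """
<html><body>
<img src="http://ads.example/banner.gif" width="468" height="60">
<img src="http://track.example/pixel.gif?ref=page1" width="1" height="1">
<iframe src="http://tier2.example/load.php" style="display:none"></iframe>
<iframe src="http://tier2.example/other.php" width="0" height="0"></iframe>
<iframe src="http://tier3.example/x.html" style="position:absolute;left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_elements(SAMPLE_PAGE):
        print(f"{f['tag']:6} {f['reason']:22} {f['src']}")
```

Each flagged `src` is a URL the analyst would download and analyse in full, which is the step the paper says a human viewing the page would never take. The visible 468x60 banner is deliberately not reported.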

VIRUS BULLETIN CONFERENCE OCTOBER 2008


RESULTS

Though the system was designed to help track and analyse malicious web attacks, it also gives insight into how websites are connected. The system tracks links between websites, paying particular attention to links that are:

• loaded automatically by a browser (malicious iframes)
• loaded through Visual Basic or JavaScript that uses a browser exploit to load other malware
• loaded multiple times

These insights help SophosLabs classify sites to enhance the Sophos product range and provide new samples for malware and PUA detection. When we see websites that are heavily interconnected, we often find that the sites are passing revenue-raising links or are being used for search engine optimization (SEO).

In Figures 1–3, we see parts of an affiliate network of websites. The websites are connected via iframes (the green lines). When a user visits a website on the top tier, a cascade of websites is then opened (iframes are automatically loaded). The graphs are centred on the yellow nodes. When the graph is generated, the parent nodes of the yellow node are drawn plus all their parent nodes. Also the child nodes of the yellow nodes are drawn with their parent nodes (to one level) and their child nodes.

In Figure 1 the first tier of websites are respectively a Russian website, a Chinese government website and two Spanish PTP (paid-to-promote) sites. The Spanish sites are part of the same domain and differ only by query strings. All the sites have links to a PPC (pay-per-click) network that is notorious for attempting to install malware [4].

Figure 1: A simple affiliate-based system.

Figure 2 shows the same network with a different centre. The two Spanish PTP sites are the parents of the yellow node. This shows that each child in the network can have more than one parent.

Figure 2: A more complex system.

In Figure 3 the first-tier nodes are all Czech PTP sites. The middle tier are Spanish sites and the lower tiers are US sites. In the middle tier, the two Spanish sites from Figures 1 and 2 are co-parents (parents of the same children) of the yellow node.

CONCLUSION

Malware authors are increasingly using affiliate schemes for a variety of reasons:

• To increase the number of people they potentially infect.
• To obscure what they are doing.
• To generate revenue in addition to revenue generated by the malware.

If a malware author manages to abuse a popular affiliate scheme, then the number of users they have access to is greater, and less obvious, than other methods (spam and direct hacking). The complexity of affiliate schemes means that it is often difficult to track which links are bad. The malware author is generating a steady income stream even if no-one is affected by their malware. There are affiliate schemes out there that exist just for the purpose of installing malware. The majority of affiliate schemes are being abused by malware authors, and schemes without clear terms of use should be avoided by webmasters.
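The link graph behind Figures 1–3, and the rule the results section gives for what is drawn around the yellow centre node, can be written down compactly. The following Python code is an added example and is not the SophosLabs tracking system: it builds parent/child maps from a constructed list of observed iframe loads (placeholder names modelled on the Russian, Chinese, Spanish, Czech and US tiers the paper describes; none are real hosts), computes the neighbourhood drawn around a chosen centre, reports which URLs are loaded from more than one page (the "loaded multiple times" signal and the "more than one parent" observation), and finds co-parents. Reading "their parent nodes" as one further level of ancestors is our assumption.

```python
# Added example (not the paper's system): the iframe link graph as plain Python,
# with the neighbourhood-drawing rule and the multi-parent / co-parent checks.
from collections import defaultdict


def build_graph(edges):
    """edges: iterable of (parent, child), meaning parent's page auto-loaded child.
    Returns (children, parents) adjacency maps of sets."""
    children = defaultdict(set)
    parents = defaultdict(set)
    for parent, child in edges:
        children[parent].add(child)
        parents[child].add(parent)
    return children, parents


def neighbourhood(edges, centre):
    """Nodes drawn around `centre`, following the paper's rule as we read it:
    its parents plus their parents (ancestors to depth 2, an assumption), its
    children, each child's parents (one level) and each child's children."""
    children, parents = build_graph(edges)
    drawn = {centre}
    for p in parents[centre]:
        drawn.add(p)
        drawn |= parents[p]
    for c in children[centre]:
        drawn.add(c)
        drawn |= parents[c]
        drawn |= children[c]
    return drawn


def load_counts(edges):
    """How many observed pages auto-load each URL (the 'loaded multiple times' signal)."""
    counts = defaultdict(int)
    for _, child in edges:
        counts[child] += 1
    return dict(counts)


def multi_parent_children(edges):
    """Children reached from more than one parent, e.g. a shared PPC hub."""
    _, parents = build_graph(edges)
    return {c: sorted(ps) for c, ps in parents.items() if len(ps) > 1}


def co_parents(edges, a, b):
    """Children that both a and b auto-load, i.e. a and b are co-parents."""
    children, _ = build_graph(edges)
    return sorted(children[a] & children[b])


# Constructed edge list (placeholders): Czech PTP sites -> Spanish PTP sites,
# which together with a Russian and a Chinese site feed one PPC hub -> US sites.
EDGES = [
    ("cz-ptp-1.example", "es-ptp.example/?q=1"),
    ("cz-ptp-2.example", "es-ptp.example/?q=2"),
    ("ru-site.example", "ppc-hub.example"),
    ("cn-gov-site.example", "ppc-hub.example"),
    ("es-ptp.example/?q=1", "ppc-hub.example"),
    ("es-ptp.example/?q=2", "ppc-hub.example"),
    ("ppc-hub.example", "us-landing.example"),
    ("us-landing.example", "us-installer.example"),
]

if __name__ == "__main__":
    print(sorted(neighbourhood(EDGES, "us-landing.example")))
    print(load_counts(EDGES))
    print(multi_parent_children(EDGES))
    print(co_parents(EDGES, "es-ptp.example/?q=1", "es-ptp.example/?q=2"))
```

Centring on the US landing page draws the hub and its four parents but not the Czech top tier, which is why re-centring a graph (as between Figures 1 and 2) changes which part of the network is visible; the hub with four parents is the node worth classifying first.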

Figure 3: A typical affiliate system.

REFERENCES


[1] http://news.bbc.co.uk/1/hi/technology/7299875.stm

[2] http://news.bbc.co.uk/1/shared/bsp/hi/live_stats/html/map.stm

[3] http://www.sophos.com/pressoffice/news/articles/2008/02/poisoned-adverts.html

[4] http://ddanchev.blogspot.com/2008/02/serving-malwarethrough-advertising.htm