The hidden cost of compromise

Web-based malware is not a new phenomenon; the Internet as a whole has historically been the single largest factor enabling the global spread of malware and the web has increasingly proven a particularly successful vector. What is new is the overwhelming number of compromises of known, legitimate websites as a means to distribute web-hosted malware. Obviously these website compromises pose serious risks to the site owners and their visitors, but what of the less obvious threat they pose?

Widespread compromises of known, legitimate websites were first reported in October 2007. While initial reports were largely confined to webmaster forums and newsgroups, by January 2008 the compromises had become numerous enough to attract international attention. By early spring 2008, the attacks had reached epidemic proportions – impacting hundreds of millions of pages across the web.

In a comparative study of May 2007 and May 2008, ScanSafe STAT looked at the increase in risk exposure due to web-based malware (focusing on customers that were common to both periods to preclude any bias related to changes in customer base). It was discovered that the risk of exposure to web-based malware had increased 220% in May 2008 compared to May 2007. Demonstrating the exponential growth of these attacks, ScanSafe STAT repeated the study, calculating the risk exposure the same customers faced in July 2008 compared to the previous May-to-May comparison. In July 2008, the risk of exposure to web-based malware had increased by 443% compared to May 2008 and by 1636% compared to May 2007.

Web-based malware distributors face the same challenge as any other web property owner – how to drive traffic to their domain. As a result, today’s attackers have less in common with traditional malware authors/distributors than with marketing pros specialized in search engine optimization (SEO).

By providing a means to monetize websites, advertising plays a key role in the economic viability and continued expansion of the web. Virtual landlords are effectively able to charge rent for their space, subleasing the attention spans of their hard-earned visitors in exchange for revenues from the advertising giants.

To embed third-party advertising (or other third-party content), web pages are coded with hidden iframes and external JavaScript references – components as crucial to the web’s connectivity, growth and ongoing success as hyperlinks themselves. To deliver the ads, these external references load content from designated ad servers, enabling advertisers to reach multiple sites simultaneously.

To shortcut their SEO efforts, attackers initially leveraged the popularity of existing websites by inserting malicious advertising somewhere within a participating ad network. Rogue advertisers and poorly policed affiliate networks caught even legitimate advertisers off guard.

From 2003 through to 2005, malicious pop-ups delivering adware and spyware proliferated, leading to ‘drive by download’ and ‘browser hijacking’ becoming common household terms. Public outcry and consequent legal sanctions and improved technologies helped to stem the flow, though rogue advertising does still occur. During 2007, ScanSafe blocked malicious advertising foisted through the Miami Dolphins stadium website, TomsHardware.com, Photobucket, MySpace and hundreds of other sites. Attackers even targeted advertising on parked domains hosted by NameDrive, which, thanks to pre-existing links on non-parked sites, enjoyed considerable traffic despite no longer being active.

Today’s attackers have taken an even greater shortcut, cutting out the middleman altogether. Rather than inserting a malicious ad in the advertising network, these attackers have gone straight to the source code of the target website. This direct form of compromise began largely as a manual effort. While successful, it was time-consuming for the attackers. To solve this problem, the attackers did what any development firm might do – they introduced automation. In an evolutionary sense, it was the introduction of automated tools and their subsequent availability that enabled website compromises to be rendered repeatedly en masse on a global scale.

The most predominant of these compromises have been those rendered through automated SQL injection attacks, the majority of which are currently carried out via the Asprox botnet. But while the SQL injection attacks have understandably been the headline grabbers, all forms of website compromise have been on the increase.

The ‘butterfly effect’ is a term whose origins lie in chaos theory and which is often used to refer to the way in which even the smallest of events (such as the flap of a butterfly’s wings) can set in motion a series of events that have far-reaching and often unexpected consequences – or at least consequences that appear far removed from the original action.

While the immediate risks posed by infection via website compromises are well established, thanks to the butterfly effect there are far-reaching consequences which aren’t nearly as obvious. Chief among these are changes in user habits and the subsequent impact those changes may have on Internet advertising revenues in the long term.

According to the 2007 IAB Internet Advertising Revenue Report (published in May 2008) [1], Internet advertising revenues outpaced cable television, radio, broadcast television, as well as consumer and trade magazines in 2007, reaching $21.2 billion. At 41% of the total, search revenue was reportedly the single largest contributor. A Nielsen Online study [2] reports that in January 2006 there were 64.3 billion sponsored link advertising impressions on Google and Yahoo (including their extended advertising networks).

With 64.3 billion sponsored link advertising impressions and 41% of the Internet advertising revenues at stake, even the most subtle of ripples can have an impact.

It is virtually impossible to gauge web browser usage stats reliably. Sources that claim to do so are in fact merely reporting on the user agents presented by the browsers used by their own site visitors. There are many limitations to this approach. First, user agents can lie and the site itself may exert its own influence by optimizing the code in favour of one browser over another. Depending on the topic, a particular site might attract a particular demographic – an audience that is not necessarily reflective of the web as a whole.

Different browsers also access pages in different ways, which can skew browser usage statistics. For example, web pages consisting of multiple elements may, depending on the browser, be reloaded multiple times, thus resulting in an over count of page visits. Statistics-gathering challenges are also introduced by the use of proxies, shared IP addresses, and a host of other factors related to origin and relay that may artificially increase one browser’s popularity over another.

Despite limitations in browser usage stats, there are still interesting trends to be found within the captured data. One example of useful browser usage stats is reported by w3schools.com which provides tutorials for website developers. The w3schools stats are taken from the site’s own logs and thus are reflective only of a specific user base – i.e. the visitors to the w3schools site, who can be expected predominantly to be website developers and thus to be more technically savvy than the average web user.

According to the w3schools data, the use of Firefox increased 20% between January 2008 and August 2008. The largest growth occurred between February and May 2008 and thus cannot be contributed to the concerted marketing efforts surrounding the release of Firefox v3.0 in June 2008. If the more technical, web-savvy visitors to w3schools are adopting Firefox over Internet Explorer, is it possible that this is due at least in part to heightened awareness of risk exposure brought upon by the mass website compromises?

It is not simply the browser but rather how it is configured that impacts on web usage. Ask most computer security gurus what steps home users can take to protect themselves while surfing online, and most will likely recommend using Firefox with the NoScript add-on. According to the Mozilla add-ons site, the NoScript add-on for Firefox has reached 27.3 million downloads, at an estimated 378 thousand downloads per week. There are multiple distribution points for this add-on, thus the numbers are not reflective of total downloads but are high enough to suggest widespread adoption.

As its name suggests, the NoScript add-on blocks JavaScript and other active content by default, enabling users to allow or deny scripts on a per-site basis. While users can elect to allow scripts globally, that option is labelled as dangerous (rightfully so) and thus it is unlikely to be selected. (Besides which, doing so would defeat the purpose of the NoScript add-on.) Other more viable choices include: ‘Temporarily allow all on this page’, ‘Temporarily allow <visited site domain>’, and ‘Temporarily allow <third party domain>’.

Given these choices, how many users will elect to globally allow all scripts, or allow scripts from third-party providers (particularly advertising-related ones)? It doesn’t seem far fetched to assume that the use of NoScript encourages the allowance of JavaScript only from the visited site while not allowing scripts from third parties which provide other content (including advertising) to the site.

As an example, in a DSLReports thread [3] regarding the Firefox NoScript add-on, the responses overwhelmingly favoured blocking all third-party content. As one poster commented ‘… I still block any third-party stuff. If I trust a site, I trust that site and not all third-party sites whose content the (sic) might use.’

NoScript is not the only add-on that Firefox users are adding to their protective arsenal. The Mozilla add-on site lists the ten most popular add-ons for Firefox, three of which are: AdBlock Plus, NoScript and CustomizeGoogle – all of which have either the express purpose of blocking advertising or include features that will, as a side effect, block advertising. Collectively, these add-ons have been downloaded by 60.8 million users.

The recently debuted Internet Explorer 8 (beta) also gets in on the act, providing a feature dubbed ‘InPrivate Blocking’, which has a similar effect. According to Microsoft, ‘Users are often not aware that some content, images, ads and analytics are being provided from third-party websites or that these websites have the ability potentially to track their behaviour across multiple websites.’ If the ‘InPrivate Blocking’ feature is enabled, Internet Explorer will automatically block third-party content that it has observed across multiple sites.

InPrivate Blocking also ‘helps prevent your browsing history, temporary Internet files, form data, cookies, and usernames and passwords from being retained by the browser, leaving no evidence of your browsing or search history.’ While stopping short of blocking all JavaScript outright, by design, InPrivate Blocking would block the most widely deployed third-party advertising as well as third-party website analytics, examples of which include both Google AdSense and Google Analytics.

Google Chrome’s ‘Incognito’ feature [4] is similar in spirit to Microsoft’s InPrivate Blocking feature – with one notable exception: omitted from the Chrome browser is the ability to block third-party content. Additionally, while Chrome uses virtual machine technology to sandbox JavaScript and other active content, it does not provide a means to disable it altogether, casting some doubt on its ability to fend off web-based malware attacks. Within days of Chrome’s release, researchers discovered two buffer overflow conditions which could enable the remote execution of arbitrary code and an out-of-bounds memory read error that left the browser in an unstable state.

Not all users will lament the inability to block JavaScript, regardless of the security implications. A browser that doesn’t supply script blocking will likely be welcomed by members of traffic exchange networks, which rely on members to click through to other member websites to inflate page views. Administrators of some of those networks have gone so far as to forbid Firefox use among members. Their reasoning is concern that users will elect not to allow third-party advertising and thus click their way into higher referral benefits without contributing to ad impressions for the other members. But while fringe users may eschew ad blocking, with 60 million downloads and counting, it is hard to discount the notion that many normal web surfers are in favour of it.

Certainly it’s too early to tell what sort of lasting impact the ongoing website compromises will have on browser adoption but it does seem likely that for many users security will be a deciding factor. It is impossible to say whether the increase of web-based malware (and subsequent increases of script-blocking technologies) played any role in Google’s decision two years ago to begin crafting a new browser. But it is certain that disabling JavaScript protects against the ill-tended effects of website compromise and equally certain that the $21.2 billion in Internet advertising revenues are largely dependent on the continued use of JavaScript.

Clearly, legitimate Internet advertising plays a critical role in the ongoing health and viability of the web, and has a significant impact on the global economy as a whole. Technologies and services that protect both the user and the advertiser should be viewed as imperative. And if Internet advertising revenues do take a downturn, ask yourself – is it due to recessionary conditions, or is it because the web is under attack?