Why Regular Malware Scanning is important for your customers...

Tuesday, December 15, 2009

Jason Remillard


As part of my inaugural post on infosecisland, I figured I would revisit a topic that is near and dear to my heart.

The path to website security is littered with good intentions, of course, but the intentions need a revamp in order to prove good.  In this case, the good ol' days of giving your clients an SSL cert and a simple firewall on their server are NOT GOOD ENOUGH.

The threats out there are much more complicated.  Call it an arms race or what have you, the simple fact of the matter is that our clients' requirements are increasing on a daily basis.  These requirements involve 3rd party extensions, RSS feeders, cross-posting and linking, news scraping, etc.

Anyone in technology knows that the more interconnects you have, the more you have to manage, and thus, the more exposures or attack vectors you gain.  In some cases (Wordpress specifically), the vectors increase exponentially with each plugin.

In this post, we'll revisit the effect, impacts and ultimate benefits of scanning your customers' sites for the dreaded malware.  As you know, this can come from both compromised servers/applications, AND the ad networks that your customers are hosting.

It's a complex business, but one thing that resonates clearly is that a regular test, one that is automated, repeatable and reported on, is one of the cornerstones of a good security posture.

Cross posted from: http://blog.54f3.com/2009/12/02/why-malware-scanning-is-imperative-to-your-business/

Malware…  Yes, it's been around for many years.  However, the attack vector has changed.  Long ago the primary distribution method was sharing dirty data (yes, exchanging floppy disks… remember those days?!).

Then it went onwards into distributing viruses and malware via email (this is the early days of Outlook Express!).  Then came the solutions to block this (antivirus on your email, desktop solutions that block installs on your PC, etc.).

Now however, it is much more sophisticated.  As unfortunately some of you have experienced, the hackers are now cracking PCs and websites to inject malware.  Hence the term ‘drive-by malware’.  By infecting your website the hackers are now able to enjoy a free distribution method for their wares – your website.  Target any sized website, inject your bad code, and watch the infections grow by the minute!

Consider this scenario…  we have a customer who came to us (name not mentioned, of course) whose site had been injected with malware.  The alerts went up in Google HQ.  His site was dropped from search engine rankings immediately.  So, boom – there goes all of his Google traffic (in this case, responsible for about 2,000 unique visitors a day).

Worse yet, now that Google was aware of his site's problems, the browser vendors picked up on this and started warning ALL people visiting his site with this nice little alert:

Malware Reported Attack Site

So now, he has -0- traffic from Google.  ALL of his users are now being told this is ‘an attack site’.  All bookmarked entries, links from other sites, etc. ALL reflect that this site is now worse than the worst of the worst!  You are evil!  You are spreading the scourge of the earth!  How could you!

Now, this guy is in a panic.  He’d just started a major campaign (offline and online), and had paid for a lot of advertising that was non-refundable.  He was losing thousands of dollars a day, and his business was evaporating before his eyes.

Personally, I don’t like to scaremonger my customers into solutions.  I think it is a disservice that many of our competitors do.  However, I do like to highlight true-to-life stories and their true impacts.

In this case, we were able to quickly shut down his site to stop the spread.  Taking the site offline also minimized any infections he was spreading (because, in reality, he was).  After stripping out the hacked code, we scanned all of his site (hundreds of pages) and plugged up any holes the web vulnerability scanner found (there was more than one in his shopping cart and forum systems).  Turns out, some of the lovely little hit counters and subscriber forms he had on his site were wide open as well.

Anyways, after the cleanup, and a few runs through our malware scanner to ensure we were clean, we stood the site back up and asked: please, please, please, Google, allow his site to be back in your good graces…

After about 36 hours, Google’s scanners had verified that he was now indeed clean, and re-included him in the indexes.  Luckily, since we caught it quickly enough, this did not affect his PR rankings, and the SEO work he’d invested so much into was saved.

Now, the browser alerts were another problem.  Firefox released their warnings within a few hours of Google.  Microsoft IE shortly thereafter.  Safari and a few other smaller footprint browsers took a few days.

All in all, this attack cost him well over $10,000 in immediate losses due to his PPC campaign and offline media buy losses.  Of course, now he had a perception problem with his customers (yes you are safe, no I’m not a hacker, etc.), and on top of that, one very long, long weekend on the phone with customers.

How do you protect against these effects?  Well, since nothing is 100%, regular scanning is your best defense, since you’ll know before the hackers do that there is a problem with your site.  Even more important, since we now test each and every URL on your site with over 120,000 attack patterns (yes, that many!), you are getting great coverage and risk mitigation, in that you know more, on a daily basis, about what the outside knows about your site.
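The kind of automated, repeatable, reported-on check this post argues for, as an added example that is not the author's scanner or any product's code: it hashes a site's files against a known-good baseline and flags changed or new files that carry the injected-code indicators the post describes (hidden iframes, obfuscated eval, new external script includes). The site contents, paths and patterns below are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: a known-good snapshot of a tiny site (BASELINE) and the
# same site after a hypothetical drive-by injection (CURRENT). Both are made up.
BASELINE = {
    "index.html": "<html><body><h1>Shop</h1><p>Welcome</p></body></html>",
    "cart.php": "<?php echo 'cart'; ?>",
}
CURRENT = {
    "index.html": "<html><body><h1>Shop</h1><p>Welcome</p>"
                  '<iframe src="http://example.invalid/x" width="0" height="0">'
                  "</iframe></body></html>",
    "cart.php": "<?php echo 'cart'; ?>",
    # Dropped into an upload directory; the base64 payload is a placeholder.
    "wp-content/uploads/x.php": "<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?>",
}

# Indicators typical of injected code. Constructed list; a real scanner would
# carry far more patterns and also check the rendered page, not just the files.
SUSPICIOUS = [
    (re.compile(r"<iframe[^>]*(width|height)\s*=\s*[\"']?0", re.I), "hidden iframe"),
    (re.compile(r"eval\s*\(\s*(base64_decode|unescape|gzinflate)", re.I), "obfuscated eval"),
    (re.compile(r"<script[^>]*src=[\"']https?://", re.I), "external script include"),
]


def snapshot(files):
    """Record a known-good baseline: path -> SHA-256 of content."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def scan(baseline_hashes, current_files):
    """Compare the current site to the baseline. Returns a list of
    (path, status, reasons): unchanged files are skipped, new and modified
    files are reported with any indicator names that matched, and files
    missing from the baseline are reported as deleted."""
    findings = []
    for path, content in current_files.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        if baseline_hashes.get(path) == digest:
            continue  # identical to the last known-good scan
        status = "new" if path not in baseline_hashes else "modified"
        reasons = [name for pat, name in SUSPICIOUS if pat.search(content)]
        findings.append((path, status, reasons))
    for path in baseline_hashes:
        if path not in current_files:
            findings.append((path, "deleted", []))
    return findings


if __name__ == "__main__":
    for path, status, reasons in scan(snapshot(BASELINE), CURRENT):
        print(f"{status:8} {path}: {', '.join(reasons) or 'no indicator matched'}")
```

Run daily from cron, refresh the baseline only after a human has reviewed the report, and treat any jump in the number of findings as the "call to action" the post talks about.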

This, all told, allows him to sleep better at night.


Fred Williams: I like this article - gives really good insights and a dollar amount to potential losses.
Fred Williams: Kind of points to a solution of defense in depth. When you find customers like this, are you recommending additional security measures like installing an IDS and adding packet filtering routers in front of the firewalls? Or just recommending regular scanning?
Jason Remillard: Good questions Fred...

We're finding great amounts of variability out there... some have firewalls, some don't... Few have IDSs.

Explaining defense in depth to a web newbie is quite a challenge, however as part of our scanning offering we offer a consult with each scan.

In most cases, it involves a general cleanup, including closing off ports, putting Captchas on forms, and perhaps an upgrade of PHP, Wordpress or Apache.

To be honest, a regular scan is the only way to be 'sure', since the exploits change every day, and vulnerabilities are found constantly in software like Wordpress, Joomla, and infrastructure components like Apache, open MySQL ports, etc.

We are proud to say though, after we've cleaned up a customer, we are 100% hackfree afterwards... For some of these customers, they were being injected DAILY on their sites, so they are usually very happy with the protection they are afforded. The regular ongoing scanning gives them daily statistics on their current issues, and thus if there is a large jump, or change in the vulnerability numbers, there is a 'call to action' immediately.

As well, our Malware scanning service operates independently and offers an immediate direct notification of the malware that is in place, thus hopefully catching it before our friends at Google do, so as to save their SEO ranking and keyword positioning.

Nothing worse than having your site being SEO poisoned! :)
Clyde Johnson: I like your perspective, however you don't state 'how' and 'what' an organisation can do to protect themselves proactively without blindly buying a bunch of software and services. I think as a profession we have a responsibility to educate and share awareness amongst those who are truly unaware of the issues you've highlighted.

Jason Remillard: Clyde... you are correct...

If I had more space, I'd go deeper :)

We've found the awareness factor actually starts higher than the end user. In fact, you can't expect an end user to know, learn and absorb all of this. To this end, we've taken our messaging a little higher and are now starting to educate the hosters, application developers and others that are perhaps unwitting conveyors of this risk. More important is to get some of these security implications documented, statistically, and produce that information in a better risk scenario. Instead of 'scaring' everyone with 'yet another major hack', we're approaching it with initial risks/benefits to everyone, not just the end user. We feel the 'responsibility' chain goes further than just the poor guy who installed Wordpress 2 years ago. No one wants to touch this stuff (hosters especially), but at the end of the day, it's everyone's responsibility.
Fred Williams: Good information Jason. Thanks for the reply.