Loaded pages: How your website can infect visitors with malware

A developer's introduction to malicious websites

Google claims that 9,500 websites per day are infected with malware meant to harm the site's visitors. Understanding how malware infects a website and what can be done to stop it can help keep your visitors' computers free of malware.

Jeff Orloff, Technology Coordinator/Consultant, Sequoia Media Services Inc.

Jeff Orloff is a freelance technology writer who also works as a technology coordinator with the School District of Palm Beach County, Florida. Throughout his career, he has worked with web technologies, specializing in security. He has served as the director of technology for SafeWave, as a security evangelist for Applicure Technologies, and as the editor of Developer Drive, a blog dedicated to website development tutorials.



15 January 2013


Over the years, the term malware has been used to describe any type of malicious software, including viruses, Trojan horses, worms, spyware, scareware, and adware. In the early days of computers, malware was considered more a prank used to annoy people through destructive behavior or to show off programming skills. Basically, the more people your malicious program could infect, the greater your status in certain circles. The malicious programs were often delivered to their intended victims as email attachments, shared through removable storage media or through file-sharing services.

Although malware of this sort caused a wealth of problems for its victims, the driving force behind it did not motivate as many people to get involved because the payoff wasn't as lucrative to a wide base. Today, the driving force behind malware has shifted to money. Because these attacks are driven by financial rewards, there is more malware in the wild than ever before. Not only are more people involved in the creation and distribution of malware, but the attacks have grown more sophisticated. Cyber-criminals have learned how to use malware to turn large profits by:

  • Displaying and clicking ads
  • Stealing confidential data
  • Hijacking user sessions
  • Compromising user login credentials
  • Stealing financial information
  • Making fraudulent purchases
  • Creating spam
  • Launching denial-of-service attacks

To deliver their malicious software to as many victims as possible, cyber-criminals have turned to websites as one of their primary sources of distribution.

Why websites?

People have learned not to download files attached to emails, and they have stayed away from popular file-sharing services because so many files are infected with malware. One thing that people have not stopped doing, though, is surfing the Web. According to Internet World Stats (see Resources for a link), in 2011 there were 2,279,709,629 active Internet users, and that number continues to grow.

With an attack landscape this large and so many unsuspecting users, it's no wonder that websites have become the favorite medium for infecting users with malware. In fact, malicious websites have become so prevalent that Google blacklists roughly 6,000 websites every day because they carry some sort of malicious software that is dangerous to visitors.

How malware spreads through websites

Those responsible for infecting websites with malware do so in one of three ways:

  • They create a malicious website of their own.
  • They exploit a vulnerability on the web server or in its configuration.
  • They exploit a vulnerability in the applications the website relies on.

Because this article focuses on what you can do to prevent your websites from falling victim to these attacks, I address only the latter two methods.

After an attacker has found a vulnerability that he or she can successfully exploit, the attacker needs to determine how he or she will deliver malware to the website's visitors. Table 1 lists some of the common methods.

Table 1. Common ways websites distribute malware

| Method | Description |
| --- | --- |
| Downloads | The user is tricked into downloading the malicious code. A common tactic used is to tell the visitor that he or she needs to update multimedia software to view a video, or a victim is tricked into downloading a PDF or other type of file that actually contains malware. |
| Banner ads | Users are tricked into downloading malicious files when they click infected ads that appear on the website. |
| Drive-by downloads | When this method is used, the visitor does not need to perform any action on a website other than simply visit. Malware can be hidden inside invisible elements on the site, such as iframes or unobfuscated JavaScript code; it can even be embedded in multimedia files, such as images, videos, or Adobe Flash animations. When the page loads, the malware infects the visitor's computer using vulnerabilities in the browser or plug-ins. |

Infecting websites through server vulnerabilities

In addressing server-based vulnerabilities, I look at two of the more popular web server applications on the market: Apache and Microsoft® Internet Information Services (IIS). These two servers power 78.65 percent of all websites.

Both Apache and IIS—or any other web server—have vulnerabilities that malicious attackers can exploit. When attackers are able to compromise the server software or the server itself, they are able to upload malicious code or even entire web pages that deliver malware to the site's visitors. Examples of vulnerabilities that allow this type of attack to take place come from two primary sources.

Vulnerabilities found in the default installation

When web server software is installed, the default configuration is usually set up to make publishing a website easy, not secure. Unnecessary modules and services may also be part of a web server's default installation. These extras may give an attacker unrestricted access to your website's files.

Each operating system, web server software, and version has unique vulnerabilities that can be found with a simple web search. Before a website goes live, any known vulnerabilities should be addressed.

Broken authentication and session management

This source encompasses all aspects of user authentication and the management of active sessions. According to the Open Web Application Security Project (OWASP), "A wide array of account and session management flaws can result in the compromise of user or system administration accounts. Development teams frequently underestimate the complexity of designing an authentication and session management scheme that adequately protects credentials in all aspects of the site."

To mitigate this type of vulnerability, those responsible for the administration of the web server and site need to adhere to password policies that determine the strength, storage, and change controls of all passwords. Furthermore, remote management capabilities for the web server should be secured or even turned off so that user credentials are not compromised in transit.


Uploading malware through vulnerabilities in the website

If websites were still static text and images, it would be much more difficult for the bad guys to use a legitimate website to serve up malicious software. However, today's websites are powered by databases, complex code, and third-party applications that make the user experience much richer while opening the site to any number of vulnerabilities.

Take WordPress, for example. This blogging application has changed how websites are created by making it easy for anyone with a bit of technical knowledge to create a multimedia-rich, interactive website. It is so popular that it powers more than 50 million websites. WordPress's ease of use, however, was also the cause of a recent outbreak, in which between 30,000 and 100,000 sites running the application redirected victims to malicious sites.

Sites that installed a particular plug-in found their pages infected with code that redirected visitors to another site. This site would then infect the victim's computer with malware based on the operating system and applications that the computer was running. The Flashback Trojan that infected more than 500,000 Macs was one of the malicious programs that spread through this exploit.

Examples like this are not limited to WordPress, however. Applications like Joomla!, Drupal, MediaWiki, Magento, Zen Cart, and many others have all had vulnerabilities in them that allow malicious hackers to upload malware to these sites to be distributed to visitors.


Preventing attacks against web applications

For attackers to exploit a web application, they must find some type of vulnerability. Unfortunately for the owners of websites, there are so many different types of known vulnerabilities that they can't all be listed here. Some you may be familiar with, however:

  • Cross-site scripting (XSS)
  • Structured Query Language injections
  • Cross-site request forgery injections
  • URL redirects
  • Code execution
  • Cookie manipulation

And the list goes on.

Mitigating web application threats

Fortunately, there are ways to find out if your site is vulnerable to any of the known exploits by using web application-penetration techniques. By thoroughly testing a website for known vulnerabilities, you can address these threats before an attack is able to manipulate them to distribute malware to your visitors. You can do so using a variety of open source or commercial tools, or you can outsource the service to companies that specialize in this.

Although penetration testing will help identify problems that need to be fixed in your website's code, web application firewalls can help stop threats before they reach your site. By identifying known attack patterns, you can thwart the efforts of malicious hackers before they are able to cause damage to your site. More advanced web application firewalls can even provide protection against unknown, zero-day threats by identifying illicit traffic.


Limiting vulnerabilities in Apache

Whenever a server is configured, it is a best practice to install only the modules and applications that are necessary. By now, this is not only a best practice but a common practice.

There are other basic steps that you should take to limit the vulnerabilities that exist in Apache's web server. Throughout the course of this article, I use the commands relevant to the Ubuntu distribution of Linux®. For Apache running on other operating systems or distributions, simply search for the steps required to perform each task.

Disable the banner

By default, Apache shows its name and version number in response to a web request, announcing to any potential attackers exactly what the website is running. Disabling that banner makes it more difficult to pinpoint any other vulnerabilities. You can do so by editing /etc/apache2/apache2.conf and disabling the ServerSignature and ServerTokens entries.

Disable directory indexing

Another default is the ability to print a list of the files found in the website's directories. This feature lets an attacker map your server and identify potentially vulnerable files. To mitigate this issue, you need to disable the autoindex module. Simply open the terminal and use the following commands:

  • rm -f /etc/apache2/mods-enabled/autoindex.load
  • rm -f /etc/apache2/mods-enabled/autoindex.conf

Disable WebDAV

Web-based Distributed Authoring and Versioning (WebDAV) is the file-access protocol of HTTP that allows for the uploading, downloading, and changing of file contents on a website. In any production website, WebDAV should be disabled so that an attacker cannot change your files to upload malicious code.

Using the terminal, you disable the dav, dav_fs, and dav_lock modules by removing their files with the following commands:

  • rm -f /etc/apache2/mods-enabled/dav.load
  • rm -f /etc/apache2/mods-enabled/dav_fs.conf
  • rm -f /etc/apache2/mods-enabled/dav_fs.load
  • rm -f /etc/apache2/mods-enabled/dav_lock.load

Turn off the TRACE HTTP request

The HTTP TRACE request can be tricked into printing session cookies, and this information can be used to hijack a user session to launch an XSS attack. You can disable TRACE by editing the /etc/apache2/apache2.conf file and making sure that the TraceEnable line reads TraceEnable off.
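
The four steps in this section can be checked in one pass. The script below is an added example, not part of the original article: it assumes the hardened values are ServerSignature Off, ServerTokens Prod and TraceEnable off, reads only apache2.conf as the text does, and runs against constructed sample trees (the function names are hypothetical).

```shell
#!/bin/sh
# Added example (not from the article): audit an Apache config tree.

# Last effective value of a directive; commented-out lines never match
# because their first field starts with '#'. Names are case-insensitive.
directive_value() {  # $1 = config file, $2 = directive name
    awk -v d="$2" 'tolower($1) == tolower(d) { v = tolower($2) }
                   END { print v }' "$1"
}

# Print one FAIL line per finding; the return status is the finding count.
audit_apache() {  # $1 = config root, e.g. /etc/apache2
    conf="$1/apache2.conf"; fails=0
    # Assumed hardened values: ServerSignature Off, ServerTokens Prod.
    for want in ServerSignature=off ServerTokens=prod TraceEnable=off; do
        name=${want%%=*}
        got=$(directive_value "$conf" "$name")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL $name is '${got:-unset}', want '${want#*=}'"
            fails=$((fails + 1))
        fi
    done
    # Directory indexing and WebDAV stay on while their .load files exist.
    for mod in autoindex dav dav_fs dav_lock; do
        if [ -e "$1/mods-enabled/$mod.load" ] || [ -L "$1/mods-enabled/$mod.load" ]; then
            echo "FAIL module $mod is enabled"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample trees (not real server data) so the audit runs offline.
make_sample() {  # $1 = directory, $2 = weak|hardened
    mkdir -p "$1/mods-enabled"
    if [ "$2" = weak ]; then
        printf '%s\n' '#ServerSignature Off' 'ServerSignature On' \
            'ServerTokens Full' > "$1/apache2.conf"
        : > "$1/mods-enabled/autoindex.load"
        : > "$1/mods-enabled/dav.load"
    else
        printf '%s\n' 'ServerSignature Off' 'ServerTokens Prod' \
            'TraceEnable off' > "$1/apache2.conf"
    fi
}

tmp=$(mktemp -d)
make_sample "$tmp/weak" weak
make_sample "$tmp/hard" hardened
audit_apache "$tmp/weak" || echo "weak tree: $? finding(s)"
audit_apache "$tmp/hard" && echo "hardened tree: clean"
rm -rf "$tmp"
```

Removing files from mods-enabled or editing apache2.conf takes effect only after Apache is restarted or reloaded, so run the audit and then restart the server.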


Limiting vulnerabilities in IIS

One thing that makes Windows Server® products so attractive to the consumer market is their ease of installation. Using IIS, a company can get a web server up and running with a few clicks. When the server software is installed out of the box, there is little need for configuration: It's done for you.

To address security issues in its web server product, Microsoft has made significant changes to how IIS is configured and what is installed by default. There are, however, some steps that you can take to better protect against threats.

Install antimalware software

Code Red and Nimda were both worms that attacked the Windows Server operating system, and both did a great deal of damage. Without adequate antimalware protection on the host operating system itself, a website quickly becomes vulnerable to attack. Using keystroke loggers, Trojans, and other malware, attackers can not only easily compromise the web administrator's login credentials, but they also have the ability to insert malicious code into the files that are served up to people visiting the site.

After antimalware software is installed, it should be immediately updated and then run before any website files are uploaded. If anything is found, all passwords should immediately be changed.

Update everything else

Before a web server running IIS goes live, be sure to update the operating system software and web server software with the latest updates from Microsoft. These updates usually contain patches that address vulnerabilities specific to Microsoft products.


Cleaning up after an attack

When a website is guilty of causing harm to its visitors, you must take steps immediately. To begin with, take down and quarantine your site. If you need to have your site up and running so as to avoid interrupting your business, rely on a backup that is verified malware free.

When your web presence is taken care of, it's time to clean the infected files. Some infections require only the removal of a few lines of code, while more sophisticated attacks might require that you rewrite the entire file. Whatever steps are necessary to remove malware from a site need to be taken at this point.
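
One way to find what needs cleaning is to compare the live web root with the backup you have verified as malware free, and to flag invisible iframes like those described in Table 1. This script is an added example, not part of the original article; the function names, sample files and the injected.example host are constructed for illustration, and the iframe pattern is a heuristic.

```shell
#!/bin/sh
# Added example (not from the article): locate changed files after an attack.

# List files whose content differs from the clean backup, or that exist
# only in the live tree (for example, files an attacker uploaded).
changed_files() {  # $1 = clean backup dir, $2 = live web root
    ( cd "$2" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$1/$f" ]; then
            echo "ADDED    $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED $f"
        fi
    done
}

# Flag lines with an iframe sized or styled to be invisible. Heuristic
# only: a match needs review, and a clean result proves nothing.
hidden_iframes() {  # $1 = live web root
    grep -rniE '<iframe[^>]*(width="?0|height="?0|display: *none|visibility: *hidden)' "$1" || true
}

# Constructed sample site: $1/backup is clean, $1/live has been tampered with.
make_site_sample() {  # $1 = working directory
    mkdir -p "$1/backup/js" "$1/live/js" "$1/live/uploads"
    echo '<html><body><h1>Home</h1></body></html>' > "$1/backup/index.html"
    echo 'console.log("menu");' > "$1/backup/js/menu.js"
    cp "$1/backup/js/menu.js" "$1/live/js/menu.js"
    # Constructed infection: an invisible iframe added to the home page.
    echo '<html><body><h1>Home</h1><iframe src="//injected.example/" width="0" height="0"></iframe></body></html>' > "$1/live/index.html"
    # Constructed stand-in for a file that is not in the backup at all.
    echo 'placeholder for an unexpected uploaded file' > "$1/live/uploads/x.php"
}

tmp=$(mktemp -d)
make_site_sample "$tmp"
changed_files "$tmp/backup" "$tmp/live"
hidden_iframes "$tmp/live"
rm -rf "$tmp"
```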


Repair your reputation

When Google and the other search engines find a site that is serving malware, they can pull it from their results. This can have devastating effects on a business.

After all malware has been removed and any vulnerabilities patched, submit the site to the search engines for review. If they determine that it is no longer a threat to any visitors, the website can be re-listed and traffic from the search engine can be restored.

If the malware infection has compromised user account information, all users should be notified immediately so that they can deal with any ramifications. In addition, an organization will need to see whether any laws or regulations have been violated as a result of the breach and take appropriate measures to mitigate any negative effects and keep them in compliance.


Conclusion

In a report by Dasient, approximately 1.1 million websites were found to have some type of malware in the fourth quarter of 2010. Other studies show that 85 percent of all malware comes from the Web. Now, it would be easy to write this off if the sites that were causing all the problems had a malicious intent from the beginning. Unfortunately, it is the small business website, the church website, or even the well-respected news website that is responsible for infecting so many computers.

The responsibility for protecting websites against attack is falling on the shoulders of the web developer. The days of sitting back and writing awesome code are over. Now, the developer needs to make sure that his or her code is functional and secure.

The techniques listed in this article will certainly help the developer who doesn't understand website security build a foundation for his or her knowledge, but it shouldn't stop here. The threat landscape changes daily. As zero-day exploits emerge and cyber-criminals adapt to countermeasures, web developers too need to adapt and be on the lookout for how they can better secure their sites.
