Malware Scanner extension for IBM Security AppScan

The Malware Scanner extension analyzes the pages and links discovered by IBM Security AppScan to determine whether they appear to be malicious or otherwise unwanted.

21 April 2009

The Malware Scanner extension analyzes the pages and links discovered by IBM Security AppScan to determine whether they appear to be malicious or otherwise unwanted.

System requirements

Security AppScan v7.8 or later

Background

Malicious software (known as malware) is a big and rapidly growing problem. Today, it is primarily delivered through Web applications, either through malicious content that exploits client-side vulnerabilities (such as security holes in the browser, image rendering services, or Microsoft® ActiveX® controls) or by "socially engineering" (tricking) users into downloading software that contains hidden, malicious code.

To make things worse, 70% or more of malware is served or linked from legitimate sites. These applications have been compromised through 0-day vulnerabilities, user-posted content and links, internal attackers, or through many other possible ways and are now attacking computers of those who browse them.

This means that even security-conscious users can easily be attacked and compromised, and it also means that all Web site owners must ensure that their applications are not inadvertently serving or linking to malware. Failing to do so may lead to brand damage, loss of customer trust, legal problems, and more.

The Malware Scanner helps you verify that your application is not hosting or linking to malware. The extension couples the deep-scanning capabilities of IBM Security AppScan with ISS X-Force technology that is used to identify malicious content and links.

What it does

The Malware Scanner checks these conditions:

  • Files hosted on your application are malicious or not
  • Files that are "one click" away from your application are malicious or not
  • Links on your site lead to malicious domains (malware sites or phishing sites, for example)
  • Links on your site lead to unwanted content (illegal sites, hate sites, adult content, and so forth).

How it works

The Malware Scanner works in two phases:

  1. It passes all of the visited links through the ISS Virus Prevention System (VPS) engine, to determine whether they are malicious or not. This is similar to browsing every page in your application, including clicking every button and downloading every file, using a machine with updated antivirus software.
  2. It passes all of the links that lead to external domains through the ISS WebFilter SDK. This SDK then fetches the classification of each link (news site, porn site, malware site, illegal site, and so forth), based on the constantly updated online classification database. Links that are deemed malicious or unwanted are flagged for your attention.

When something needs to be brought to your attention, a security issue is created in Security AppScan so that you can benefit from the strength of Security AppScan results management capabilities, such as creating reports, saving and loading scans, and so forth.

How to run the scanner

After installing the Malware Scanner extension, a new Scan for Malware item will appear on the toolbar, as Figure 1 shows.

Figure 1. Item added to the toolbar
Image of toolbar with Scan for Malware highlighted

After exploring an application, just click the Scan for Malware button, and a dialog box will appear.

Note:
You can experiment by scanning this demo site:

http://demo.testfire.net/default.aspx?content=../malware/malware.htm

This demo site does not actually serve malicious content, but rather a file called Eicar, which is an antivirus test file and causes no harm.

  • Optionally you can open the configuration dialog through File > Configuration to tune the scanner's behavior within these areas as Figure 2 shows:
    • Content analysis
    • Link analysis
    • Malicious categories
    • Unwanted categories

All configuration changes will persist for future scans, as well.

Figure 2. Configuration options
Malware Scanning Configuration dialog box

Run the scan simply by clicking the Play button.

The scanner analyzes the content and links and displays a log of actions during the scan (see Figure 3). You can click the Pause icon to stop the scan at any time and then click it again to resume when you are ready.

Figure 3. Screen output of log actions and scan progress indicator
Image showing log actions and scan progress

All problems found during the scan are reported in Security AppScan in order of severity, along with detailed Advisory, Fix Recommendation, and Issue Information tabs.

Figure 4. AppScan report

Recommendations and known issues

  • At the end of a scan, the Malware Scanner will save the scan file to a temporary location and reload it. This can be turned off in the configuration, but doing so might result in some inaccurate content in the Issue Information tab.
  • When you check the Analyzer External Links option, remember these limitations:
    • The pages will be retrieved using the proxy configuration setup in the local Internet Explorer rather than the AppScan scan configuration
    • Scanning of external SSL pages is not currently supported.
  • Direct (no proxy) Internet connectivity is required to perform the link analysis.
    Because the Malware Scanner does not require access to the scanned application, a workaround for this limitation is to save the scan, load it in a machine that has Internet connectivity, and then scan for malware.
  • The Request/Response tab "Test" data shows some irrelevant data. That tab is not really needed for this type of testing, so it can be ignored.
  • Links that are not recognized by the ISS WebFilter are flagged as Low Severity issues, because the Malware Scanner cannot verify that they are benign, and malicious links often use short-lived domains. These links should be manually verified by domain. If the domain is known and trusted, simply mark all of the links to it as noise.
  • Given that the analysis will be performed only on links that were actually explored (and possibly links from the application), it is sometimes useful to modify the default exclusions in AppScan. For instance, if you'd like to analyze images in your application, be sure to remove the related file extension exclusions for those images in the Scan Configuration.

Installation

  1. Download the Malware Scanner extension zipped package (see Downloads).
  2. Launch Security AppScan, and select Tools > Extensions > Extension Manager.
  3. Choose Install, and then click the zipped file.

Support

Please post any questions, feedback, or other comments to the Security AppScan Forum.

Download

DescriptionNameSize
eXtensionMalwareScannerExtension-v1.0.zip6830KB

Resources

Learn

Get products and technologies

Discuss

static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Rational,
ArticleID=383355
SummaryTitle=Malware Scanner extension for IBM Security AppScan
publish-date=04212009