ModSecurity Advanced Topic of the Week: Malware Link Detection

Planting of Malware

Planting of malware links into legitimate websites in order to conduct "Drive-by-Downloads" attacks against end-users is a serious concern. Check out the WASC WHID entries for "Planting of Malware" for some real-world examples. Unfortunately for web site owners, there are a myriad of avenues that malicious code and links can be served from their sites. While there are some direct web application methods (e.g. spam links posted to user forums), there are also a number of other attack vectors such as Malvertising (which consists of attackers adding malicious links or code to affiliate data that is included within an organization site context).

A big challenge for web site owners is that, oftentimes, the malware links added to web sites are not overtly malicious. Here are two examples of real malware links that have been detected in web pages:

  • JavaScript link
<script type="text/javascript" src="http://addonrock.ru/Gigahertz.js"> 
  • Iframe link
<iframe width='140' height='150' src='http://statur.co.cc' frameborder='0' scrolling='no'>

This is a big differentiation between malware links and many types of XSS payloads. These links are not attempting to exploit browser-based flaws themselves, but rather are pointers to off-site locations where the attacker's actual exploit code will run. These links are merely the first step that sends an unsuspecting user down the waterslide of getting pwned...

Malware Link Detection

What web site owners need is a reputation/validation-based mechanism to verify the potential maliciousness of links that are either submitted to their site and/or to inspect outbound pages before sending them to clients. There are a number of commercial vendors that have capitalized on this niche area, however there is another huge player in this game - Google. I am sure that most of you have seen the "This site may harm your computer" messages returned in Google results.

What you might not be aware of is that Google has released an API so that web sites can query their database to verify if links/web pages are malicious.

Google's Safe Browsing (GSB) API

You can read more about Google's Safe Browsing API here. Web sites can query the GSB API dynamically from their own site, however there is an obvious latency hit involved with trying to do this in real-time against live HTTP transactions. It is possible, however, to download the GSB database to your local system so that you can do local lookups, which is much faster.

ModSecurity v2.6 - @gsbLookup operator

ModSecurity v2.6 (which is available in the SourceForge SVN trunk) has a new operator called @gsbLookup which has the capability to extract URLs from HTTP requests/responses and query a local GSB database as defined by the new SecGsbLookupDb directive. After downloading the GSB DB (you would want to set this up to auto-update every day by using cron and wget, etc...), I can then use this basic config:

SecGsbLookupDb GsbMalware.dat
SecRule ARGS "@gsbLookup =\"https?\:\/\/(.*?)\"" "phase:2,capture,log,redirect:http://www.example.com/,msg:'Bad url detected in ARGS (Google Safe Browsing Check)',logdata:'http://www.google.com/safebrowsing/diagnostic?site=%{tx.0}'"
SecRule RESPONSE_BODY "@gsbLookup =\"https?\:\/\/(.*?)\"" "phase:4,capture,log,redirect:http://www.example.com/,msg:'Bad url detected in RESPONSE_BODY (Google Safe Browsing Check)',logdata:'http://www.google.com/safebrowsing/diagnostic?site=%{tx.0}'"

With these rules in place, all links will be extracted from both inbound request parameters and from outbound response bodies.

Example GSB Alert

Let's say that a web page on your site has somehow become infected with the following malware link:

<iframe src="http://karatepacan.co.cc/up/go.php?sid=2" width="0" height="0" frameborder="0">

With these new GSB rules in place, ModSecurity would send the user a 302 Redirect back to the home page and generate the following alert message:

[Thu Mar 17 17:02:14 2011] [error] [client ::1] ModSecurity: Warning. Gsb lookup for "karatepacan.co.cc/" succeeded. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_15_customrules.conf"] [line "4"] [msg "Bad url detected in RESPONSE_BODY (Google Safe Browsing Check)"] [data "http://www.google.com/safebrowsing/diagnostic?site=karatepacan.co.cc/"] [hostname "localhost"] [uri "/malware.html"] [unique_id "TYJ21sCoqAEAAUvzFfcAAAAE"]

Not only does the message tell you which URL was the problem, but it also includes a link so that you can check out the GSB diagnostics page for details on why this URL was flagged by Google.
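To make the rule logic above concrete, here is an added Python emulation (not ModSecurity's own code) of what the two @gsbLookup rules do: pull every http(s) URL out of a body with a capture regex, reduce it to the "host/" key that the alert prints, check it against a local list, and build the same diagnostic link the logdata action emits. The local database is a constructed stand-in set of hostnames, not the real GsbMalware.dat format.

```python
import re
from urllib.parse import urlsplit

# Capture regex modelled on the one passed to @gsbLookup in the rules above:
# the first group is the candidate URL, ending at a quote, whitespace or '>'.
URL_RE = re.compile(r'https?://([^"\'\s>]+)')

# Constructed stand-in for the downloaded GSB database: flagged hosts in the
# "host/" form seen in the ModSecurity alert. Real GsbMalware.dat is not modelled.
LOCAL_GSB_DB = {
    "karatepacan.co.cc/",
    "addonrock.ru/",
    "statur.co.cc/",
}

DIAG_PREFIX = "http://www.google.com/safebrowsing/diagnostic?site="

# Constructed response body containing the infected iframe from the post and
# one harmless link that must not be flagged.
SAMPLE_RESPONSE = (
    '<html><body><a href="https://www.example.com/page">home</a>'
    '<iframe src="http://karatepacan.co.cc/up/go.php?sid=2" width="0" '
    'height="0" frameborder="0"></iframe></body></html>'
)


def extract_links(body):
    """Return the host-and-path part of every http(s) URL found in body."""
    return URL_RE.findall(body)


def normalise(link):
    """Reduce a captured link to its lookup key: lower-cased host plus '/'."""
    host = urlsplit("http://" + link).hostname or ""
    return host + "/"


def gsb_lookup(body, db=LOCAL_GSB_DB):
    """Emulate the rule: every flagged host becomes (key, diagnostic_url),
    mirroring %{tx.0} and the logdata string of the ModSecurity rule."""
    hits = []
    for link in extract_links(body):
        key = normalise(link)
        if key in db:
            hits.append((key, DIAG_PREFIX + key))
    return hits


if __name__ == "__main__":
    for key, diag in gsb_lookup(SAMPLE_RESPONSE):
        print(f'Gsb lookup for "{key}" succeeded. [data "{diag}"]')
```

The same function applies to decoded request parameters (the ARGS rule) as it does to the response body; only the input source differs.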

