SpiderLabs Blog

ModSecurity Advanced Topic of the Week: Malware Link Detection

Planting of Malware

Planting of malware links into legitimate websites in order to conduct "Drive-by-Download" attacks against end-users is a serious concern. Check out the WASC WHID entries for "Planting of Malware" for some real-world examples. Unfortunately for web site owners, there are a myriad of avenues from which malicious code and links can be served from their sites. While there are some direct web application methods (e.g. spam links posted to user forums), there are also a number of other attack vectors such as Malvertising (which consists of attackers adding malicious links or code to affiliate data that is included within an organization's site context).

A big challenge for web site owners is that, often, the malware links added to web sites are not overtly malicious. Here are two examples of real malware links that have been detected in web pages:

  • Javascript link
<script type="text/javascript" src="http://addonrock.ru/Gigahertz.js"> 
  • Iframe link
<iframe width='140' height='150' src='http://statur.co.cc' frameborder='0' scrolling='no'>

This is a big differentiation between malware links and many types of XSS payloads. These links are not attempting to exploit browser-based flaws themselves, but rather are pointers to off-site locations where the attacker's actual exploit code will run. These links are merely the first step that sends an unsuspecting user down the waterslide of getting pwned...

Malware Link Detection

What web site owners need is a reputation/validation-based mechanism to verify the potential maliciousness of links that are submitted to their site, and/or to inspect outbound pages before sending them to clients. There are a number of commercial vendors that have capitalized on this niche area, however there is another huge player in this game - Google. I am sure that most of you have seen the "This site may harm your computer" messages returned in Google results.

What you might not be aware of is that Google has released an API so that web sites can query their database to verify if links/web pages are malicious.

Google's Safe Browsing (GSB) API

You can read more about Google's Safe Browsing API here. Web sites can query the GSB API dynamically from their own site, however there is an obvious latency hit involved with trying to do this in real-time against live HTTP transactions. It is possible, however, to download the GSB database to your local system so that you can do local lookups, which is much faster.

ModSecurity v2.6 - @gsbLookup operator

ModSecurity v2.6 (which is available in the SourceForge SVN trunk) has a new operator called @gsbLookup which has the capability to extract URLs from HTTP requests/responses and query a local GSB database as defined by the new SecGsbLookupDb directive. After downloading the GSB DB (you would want to set this up to auto-update every day by using cron and wget, etc...), I can then use this basic config:

SecGsbLookupDb GsbMalware.dat
SecRule ARGS "@gsbLookup =\"https?\:\/\/(.*?)\"" "phase:2,capture,log,redirect:http://www.example.com/,msg:'Bad url detected in ARGS (Google Safe Browsing Check)',logdata:'http://www.google.com/safebrowsing/diagnostic?site=%{tx.0}'"
SecRule RESPONSE_BODY "@gsbLookup =\"https?\:\/\/(.*?)\"" "phase:4,capture,log,redirect:http://www.example.com/,msg:'Bad url detected in RESPONSE_BODY (Google Safe Browsing Check)',logdata:'http://www.google.com/safebrowsing/diagnostic?site=%{tx.0}'"

With these rules in place, all links will be extracted from both inbound request parameters and from outbound response bodies.

Example GSB Alert

Let's say that a web page on your site has somehow become infected with the following malware link:

<iframe src="http://karatepacan.co.cc/up/go.php?sid=2" width="0" height="0" frameborder="0">

With these new GSB rules in place, ModSecurity would send the user a 302 Redirect back to the home page and generate the following alert message:

[Thu Mar 17 17:02:14 2011] [error] [client ::1] ModSecurity: Warning. Gsb lookup for "karatepacan.co.cc/" succeeded. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_15_customrules.conf"] [line "4"] [msg "Bad url detected in RESPONSE_BODY (Google Safe Browsing Check)"] [data "http://www.google.com/safebrowsing/diagnostic?site=karatepacan.co.cc/"] [hostname "localhost"] [uri "/malware.html"] [unique_id "TYJ21sCoqAEAAUvzFfcAAAAE"]

Not only does the message tell you which URL was the problem, but it also includes a link so that you can check out the GSB diagnostics page for details on why this URL was flagged by Google.
