The bad guys behind malicious Websites are starting to apply geographic intelligence to better target and make money from their victims, according to a soon-to-be released report by the Honeynet Project.
Honeynet researchers studied three popular Web exploitation kits -- WebAttacker, MPack, and IcePack -- and found that some attackers are using a feature in MPack called "geolocation-dependent triggering," which makes it possible for malware to pick up geographic clues and to infect only the users from a certain country or region.
What scares Honeynet researchers is that this feature could easily be used to avoid specific networks, such as those of known antivirus companies or research firms, making it harder for the good guys to discover the malware.
"I think this is a concerning development," says Christian Seifert, author of the report and a researcher from Victoria University in New Zealand and a member of the New Zealand Honeynet Alliance, a Honeynet Project affiliate. "It will prevent these vendors and institutions from discovering malicious servers and therefore won't allow them to effectively protect their customers."
Seifert and his colleagues also studied the use of Web exploitation kits, which allow an attacker to gain control of a user's machine from a malicious Web page. Such kits also maintain statistics databases that record information about infected client machines, whether the attack was successful, and how effective certain exploits are proving to be. This intelligence helps the attacker replace an ineffective exploit with another, more lucrative one.
"This is a sniper, not a shotgun" approach, says Ralph Logan, vice president of the Honeynet Project and principal with The Logan Group. "What's scary is that they can [drill down and] look at an Internet service provider that mostly provides services in a financially secure geo-location, for example. They can then take the largest ISP in the U.S. and break it down by geo-location and attack users in Beverly Hills, instead of Topeka, Kansas."
Logan says an attacker would combine this approach with social engineering and phishing methods to become more efficient in his attacks, and to earn a better return on his investment. "This ability to geo-locate for focused attacks, and to track attack history, is the type of attack scenario that is on the horizon," he says.
The report is a follow-up to the Honeynet Project's August "Know Your Enemy: Malicious Web Servers" paper, which concluded that even seemingly "safe" sites can infect users' PCs. (See Report: Web 'Mean Streets' Pervasive).
The latest report states that many kits target weaknesses in Web browser plug-ins. "This makes sense from an attacker's perspective; defenses of OS -- and even client applications such as browsers -- are becoming stronger" and more regularly patched, Seifert says. "Plug-ins are more static vulnerable entities on a computer system. Many do not have automated update mechanisms and, if vulnerable, will remain vulnerable on a computer system -- leaving a successful attack path."
The researchers also found that they could identify Web pages that were infected with specific Web exploitation tools, based on their behaviors and signatures. "This is something I haven't seen done before," Seifert says. "We were able to assess that 4.24 percent of the malicious URLs we encountered made use of the MPack Web exploitation kit. I think this is a promising technique to track these servers."
Seifert says the detection capability could allow users to blacklist malicious Web servers that contain those kits. "However, this technique will only be successful if security vendors are able to continue to effectively find these malicious Web servers," he says. "[But] with techniques like IP tracking, targeting plug-ins, and network specific triggering, this might not be ensured for the future."
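One defender-side response to the geolocation-dependent and network-specific triggering described above, and to the worry that a kit can go quiet for known research networks, is to crawl each suspect URL from several vantage points and compare what comes back. The script below is an added illustration, not code from the Honeynet Project report or from any of the kits it examines; it assumes a honeyclient that already fetched the same URL through egress points in different countries and on different networks, and it works on constructed sample responses so it runs offline.

```python
"""Flag URLs whose content depends on where the visitor comes from.

Added illustration (not from the Honeynet report). Assumes a honeyclient has
already fetched each URL from several vantage points; the observations below
are constructed, and the .invalid hostnames are placeholders.
"""
import hashlib
from collections import defaultdict
from typing import NamedTuple


class Observation(NamedTuple):
    url: str
    country: str        # country of the vantage point (from its egress address)
    research_net: bool  # vantage point sits on a known AV/research network
    body: str           # response body the vantage point received


def fingerprint(body: str) -> str:
    """Whitespace-normalised hash so cosmetic differences do not count."""
    norm = " ".join(body.split())
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def group_variants(observations):
    """Map url -> {fingerprint: [vantage labels that saw that variant]}."""
    variants = defaultdict(lambda: defaultdict(list))
    for o in observations:
        label = o.country + ("/research" if o.research_net else "")
        variants[o.url][fingerprint(o.body)].append(label)
    return variants


def divergent_urls(observations):
    """URLs that served more than one distinct body across vantage points."""
    return sorted(u for u, v in group_variants(observations).items() if len(v) > 1)


def research_net_evasion(observations):
    """URLs where a research-network vantage got a body that no non-research
    vantage in the same country got: the signature of a kit hiding from
    AV/research networks rather than merely localising content."""
    seen = defaultdict(lambda: defaultdict(set))  # (url, country) -> {research_net: fps}
    for o in observations:
        seen[(o.url, o.country)][o.research_net].add(fingerprint(o.body))
    flagged = set()
    for (url, _country), groups in seen.items():
        if True in groups and False in groups and groups[True].isdisjoint(groups[False]):
            flagged.add(url)
    return sorted(flagged)


# Constructed sample: three URLs, each fetched from US, DE and a US research net.
SAMPLE = [
    Observation("http://example.invalid/a", "US", False, "<html>benign landing page</html>"),
    Observation("http://example.invalid/a", "DE", False, "<html>benign landing page</html>"),
    Observation("http://example.invalid/a", "US", True,  "<html>benign  landing page</html>"),
    # /b: only ordinary US visitors get the extra script; DE and research net do not
    Observation("http://example.invalid/b", "US", False, "<html>landing<script>x</script></html>"),
    Observation("http://example.invalid/b", "DE", False, "<html>landing</html>"),
    Observation("http://example.invalid/b", "US", True,  "<html>landing</html>"),
    # /c: localised by country, but the research net sees the same as other US visitors
    Observation("http://example.invalid/c", "US", False, "<html>promo US</html>"),
    Observation("http://example.invalid/c", "DE", False, "<html>promo DE</html>"),
    Observation("http://example.invalid/c", "US", True,  "<html>promo US</html>"),
]


if __name__ == "__main__":
    for url, variants in group_variants(SAMPLE).items():
        print(url)
        for fp, labels in variants.items():
            print(f"  {fp}  seen by {', '.join(labels)}")
    print("divergent:", divergent_urls(SAMPLE))
    print("research-net evasion:", research_net_evasion(SAMPLE))
```

Divergence by itself is only a triage signal: legitimate sites localise content too, which is why the script separates plain geo-variation (/c) from the case where a research-network vantage is singled out (/b). In a real crawler the fingerprint must also strip dynamic elements such as session tokens and timestamps, or every URL will look divergent.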
The new Honeynet Project report also dispelled one finding from its previous malicious Web servers report. Seifert and his colleagues concluded in the August report that Internet Explorer 6 SP2 was the most likely browser to get infected by these malicious Web server attacks.
Not so, says the new report: The researchers had used older versions of Mozilla Firefox, Opera, and IE, and didn't include the latest plug-ins, which may have skewed their results. Firefox and Opera are also being attacked via plug-ins such as Microsoft Windows Media Player, the report says.