Security Series: 3 Tips on How to Prevent an Attack on the User Environment

By Chad Wilson, Security Engineer

Securing your development and deployment environment is equally as important as securing your web server. Over the past few years, the attack vector has shifted away from attacking and compromising servers and is now focused heavily on client side vulnerabilities via code injection and cross-site scripting tactics.

This post serves to provide awareness and recommend actions that can be taken to prevent the outcome of the scenario attack as seen below.

Scenario of an Attack on the User Environment

This is a scenario of an attack targeted at end users resulting in the compromise of their web site. The attack might start when the victim is browsing a legitimate web site that contains hidden iframes, preventing the site owner or visitor from noticing that the site has actually been compromised. The hidden iframe may contain JavaScript logic that determines the victim’s browser version, OS version, etc. to launch an exploit intelligently. In this example, the JavaScript determines that the victim might be vulnerable to an exploit in the Adobe Acrobat browser plug-in. This exploit will lead to arbitrary execution of code. In this case, shellcode is executed that installs a backdoor and registers itself as part of the botnet.

[Click to to see how you can prevent an attack such as this one]

Once the backdoor/rootkit is in place, it registers with the Command and Control (CnC) server. The CnC server pushes a key logger and a program that searches for stored FTP user credentials.

Anything that is found is sent back to the CnC server.  The CnC server stores the credentials from the zombie computer and uses them to connect to the Victims FTP server. If only the FTP server name and user name is collected, brute force password guessing can be used to break into accounts with weak and predictable passwords. Once an account is validated it can be loaded into a program that connects and recursively infects all web site content by inserting hidden malicious code.

After infecting the victim’s computer and web site, the attacker now has one more computer in its botnet, and one more web site helping spread the malware. It doesn’t take long before thousands of websites and computers are compromised. These botnets are being rented and sold on black-markets for pay-per-click advertising and other profitable usage.

Here are 3 Quick Tips on How to Prevent this Attack:

1) Turn on automatic updates for your browser and plug-ins

Drive-by downloads and other variants of cross site scripting (XSS) attacks are commonly the first stage of an attack on end users, not servers, in an attempt to infect their computers with malware. In the example above, the victim simply visited a legitimate, but compromised, web site. Due to an unpatched browser plug-in, the victim’s computer and web site became compromised.

The popular browsers offer the ability to integrate add-ons and plug-ins. A browser plug-in is a handler for a media type that the browser itself cannot render, such as Adobe Flash or Apple Quicktime. Browsers usually have an “auto update” option or annoying pop-ups to help alert users about new patches and updates. Historically, plug-ins have been less “active” in notifying the end user about upgrades and updates. Not being regularly patched and updated, yet being common to most all browsers, makes plug-ins attractive targets for attackers.

Client side interpreters like Javascript, ActiveX, and Java all add significant security risk. Be cautious when browsing sites that require them. Although these interpreters are limited in what they can do outside of the browser environment, it is trivial for attackers to write exploits that steal cookie and session data. Also, as in the example provided, these languages are commonly used to trigger and event that can be exploited.

Bottom line: Turn on automatic updates for your browser and plug-ins. Only use trusted plug-ins, and only allow client side execution from trusted sites.

2)    Install Anti-Malware

Client side protection is more important now than before, but the reason why is slightly different. Traditionally, people installed anti-virus software to protect their computers from destructive viruses that resulted in loss of services and/or data. These types of viruses and worms have not completely disappeared, but attackers have found that the same methods of propagation can be used for profit by partnering with pay-per-click advertising and such. Rogue software, like spyware and adware, can be delivered with the virus that can open pop-up ads when a user browses certain sites or types key words, for example.

Early spyware and adware collected browsing trends and sent it off to marketing agencies. This malware was usually bundled other software that a user willingly installed. Today, the malware that infects a host usually comes from browsing a web site that was forced on the end user. Instead of creating benign tracking cookies, the malicious sites now aim to exploit a vulnerability in the browser or one of the plug-ins to allow arbitrary execution of attackers choice.  Once exploited, the workstation is compromised. Rootkits, key loggers, and trojans help maintain control over the host. Attackers have been using browser add-ons (not plug-ins) to conceal their rogue applications. Browser add-ons load when the browser starts. Staying hidden inside the browser executable, attackers can hide rogue programs from the view of processes running on the host.

Some anti-malware can warn the user about web sites that are suspected to perform malicious activity.  Black lists created by Google Safe Browsing, Norton Safeweb, and McAfee Site Advisor often identify these websites.

Bottom Line: Anti-malware software protects your computer from being compromised by malware. Once compromised, it is easy to harvest information from the host about FTP credentials, CMS credentials, stored passwords, etc. All this information could be used to compromise your website.
Extra: Anti-malware products are often the target of attackers. Anti-malware software is common, and in exploiting it, the attacker can bypass all detection. It is this reason that some people run two different brands of anti-malware software.

3) Secure FTP

FTP credentials are the primary target of many new malware attacks. After harvesting FTP credentials, the malware sends them off to a command and control server. The CnC server connects periodically to the FTP server and executes a search-and-inject routine finding all HTML documents and injecting malicious content. This aids in infecting other hosts, steadily recruiting more zombies for a botnet. (see illustration above)

Key loggers or similar daemons can be trojaned on a compromised/infected host so that updates can be sent to the CnC server when passwords are changed or added. Changing the passwords would be futile in this case as long as the host is compromised.

Malware is not the only concern with FTP. Attackers constantly hammer away brute-force password attacks at FTP servers that discover through various non-malicious methods. This is why choosing a strong password is important.

Finally, the FTP protocol is in itself insecure. Login credentials are passed over the Internet un-encrypted. Attackers that have access to the same subnet that this data traverses can deploy packet sniffers and trivially harvest FTP credentials.  Always use a secure channel for FTP, such as SFTP. This protects you from such attacks.

Bottom Line: Choose strong passwords for FTP. If you are unsure about what qualifies as a strong password, use publically available password strength analysis tools or password generators, but make sure it’s from a trusted site. Configure your FTP client to always use SFTP instead of plain FTP. Do not store/save your FTP password in your FTP client unless you are positive that it is stored using strong encryption.

This completes this security series post. Look for more security series posts in the near future. If you have comments, questions, or suggestions, please comment here and I will respond quickly.

As always, our support team is available 24/7 via live chat, phone and email so please don’t hesitate to contact us to ask questions specific to your set up.

Before leaving in 2016, Angela ran integrated marketing campaigns for Rackspace. She started in 2003 and did everything from Linux support, account management, sales, product marketing and marketing. She left Rackspace in 2005 to work for PEER 1 Hosting but returned in 2009 because she was interested in the cloud computing movement. Angela is a strong believer in the power of storytelling.


Please enter your comment!
Please enter your name here