Web Browser Exploitation
Posted by Gunter Ollmann on June 24, 2007 at 6:54 PM EDT.

The last couple of years have seen some major increases in Web browser attacks – both in frequency and sophistication.

The reasons behind the increases are many, but some of the most significant in my mind are:

  1. It’s become easier.  A lot of people have been researching Web browser exploitation techniques and many of them are now in the public domain.  It requires relatively little effort to incorporate the latest techniques into an existing malicious Web page.
  2. Web browser extensions are more popular.  The ability to add additional functionality to the Web browser and access other application components via the browser has increased.  The ubiquity of components such as Flash, QuickTime, etc. has spread.
  3. Component patching is poor.  Whilst most users have learnt to apply their operating system patches, other application components accessible through the Web browser are rarely patched.
  4. Protection is more difficult. Compared to traditional signature-based anti-virus detection of malicious downloads and attachments, Web browser protection is more difficult due to scripting languages and an endless range of obfuscation techniques.

The combination of these factors has meant that compromising a computer through the Web browser has a higher probability of success than the more traditional techniques (such as email attachments, file downloads, etc.).

“Progress” From Heap-spraying

I guess Web browser exploitation started to get exciting back in 2004 when SkyLined introduced everyone to the concept of heap-spraying.  All of a sudden, several years worth of DoS vulnerabilities in Microsoft’s Internet Explorer looked ripe for some real exploitation.

Since then, we’ve observed a lot of bug hunting in the major Web browsers - and just about every ActiveX control that could be called via a browser appears to come under the crosshairs of an automated fuzzer.

While these bug-hunting frenzies were being conducted, a parallel research path resulted in the marrying of multiple Web browser exploits into a single scripted attack.  These malicious scripted attacks were quickly adopted by malware purveyors for the distribution of their wares – giving birth to the concept of “drive-by installs” and “drive-by exploitation”.

Now, as Robert Freeman mentioned in his recent post about mPack activity, the tools being used to conduct the most recent round of Web browser attacks aren’t exactly new – nor are they particularly cutting edge.  What makes one tool more valuable than another at the moment is the compromise success rate – i.e. what percentage of visitors to a malicious Web page can be exploited and will have the nominated malware package successfully installed.

Predicting Web Exploitation

How do I see the Web exploitation techniques developing over the next few years?  Well, it doesn’t take a genius to predict that the sophistication of the tools will continue to increase and that the popularity of this infection vector will similarly increase.
To better understand what the future of Web exploitation probably holds, I thought it would be helpful to draw a simple chart (below).

Here I’m calling out three groupings of techniques:

  • “Classic” – These are Web pages that contain either a single or small handful of simply-coded exploits designed to install a standard malware payload.
  • “Script” – These are Web pages (or components of pages) that selectively cycle through multiple exploits in order to compromise the browser.  They also tend to use script-based obfuscation techniques in order to bypass signature-based protection systems.
  • “Blended” – These Web pages are served by dedicated attack ‘engines’ or deployable modules and make use of multiple levels of obfuscation to disguise and deliver their malicious payload.
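As an added example (not part of the original post), the heuristics below score an inline script for the indicators that separate the “script” grouping from simply-coded pages: decode-then-execute stages, long escaped blobs, and ActiveX controls probed one after another. The indicator names, regexes, weights, the entropy threshold and both sample scripts are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Weighted indicators of the "script" grouping. Names, regexes and weights
# are assumptions chosen for illustration, not a published signature set.
INDICATORS = [
    ("decode_then_eval",
     re.compile(r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(", re.I), 3),
    ("long_escape_run",
     re.compile(r"(?:%u[0-9a-f]{4}){8,}|(?:%[0-9a-f]{2}){16,}|(?:\\x[0-9a-f]{2}){16,}", re.I), 3),
    ("activex_probe", re.compile(r"new\s+ActiveXObject\s*\(", re.I), 1),
    ("swallowed_exception", re.compile(r"catch\s*\(\s*\w+\s*\)\s*\{\s*\}"), 1),
]

def shannon_entropy(text: str) -> float:
    """Bits per character. Catches base64/packed blobs; percent-encoded data is
    capped near 4 bits/char by its tiny alphabet, hence the escape-run pattern."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def score_script(src: str) -> dict:
    """Score one inline script. Hit counts are capped at 3 so one repeated pattern
    cannot dominate. A benign page and a "classic" single-exploit page both score
    low: the heuristic keys on obfuscation and exploit cycling, not exploit content."""
    hits = {name: len(pat.findall(src)) for name, pat, _ in INDICATORS}
    score = sum(w * min(hits[name], 3) for name, _, w in INDICATORS)
    entropy = shannon_entropy(src)
    if entropy > 5.5:  # assumed threshold; ordinary JS sits well below it
        score += 2
    verdict = "suspicious" if score >= 4 else "low"
    return {"score": score, "entropy": round(entropy, 2), "hits": hits, "verdict": verdict}

# Constructed samples, not taken from any real page. The decoded eval payload
# in the second sample is simply document.write("x").
BENIGN_JS = "function showMenu(id){var el=document.getElementById(id);el.style.display='block';}"
OBFUSCATED_JS = (
    'try{new ActiveXObject("Sample.Ctl1");}catch(e){}'
    'try{new ActiveXObject("Sample.Ctl2");}catch(e){}'
    'try{new ActiveXObject("Sample.Ctl3");}catch(e){}'
    'var p=unescape("%u4141%u4242%u4343%u4444%u4545%u4646%u4747%u4848%u4949");'
    'eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%78%22%29"));'
)

if __name__ == "__main__":
    for label, js in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        print(label, score_script(js))
```

Static scoring like this is only a triage step: telling a “script” page from a “blended” one needs the decoded stages, which means emulating or sandboxing the script rather than pattern-matching its outer layer.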

A couple of years ago, these “classic” techniques accounted for almost all Web browser exploitation – with only a small percentage making use of scripting to obfuscate their attack.

Today, the “classic” techniques are still the most prevalent.  However, “script” techniques have increased and will shortly surpass them.  We are also observing the first generation of “blended” techniques and their dedicated delivery tools.

In the future I expect the “blended” techniques to overtake both the “classic” and “script” categories.  A factor in that success will likely be the continued development and sophistication of x-morphic exploitation engines designed to thwart evolutionary protection systems. [Details on X-morphic exploitation can be found in my recent whitepaper.]

Money for tools

A point worth noting is that tools with reliable infection rates already command higher prices on the underground market.  For example, current versions of the mPack tool are worth a premium due to (provable) claims by the author of 12-35 percent efficiency.

Again, looking into my crystal ball, competition between groups that develop these Web browser exploitation toolkits will continue to grow.  This competition will likely result in more sophisticated tools and the continued development of semi-commercial services – such as those now typically coined as “Managed Exploit Providers” (MEP).
While the copying and resale of existing toolkits are rampant at the moment, I expect their evolution to quickly incorporate techniques that make discovery and cloning more difficult.  Attackers want to protect their intellectual property too!

    Copyright 2001-2007 © Gunter Ollmann