Browser-Based Cyberthreats: How They Attack, and How to Protect Against Them
Browser-based cyberthreats have become one of the biggest concerns facing cybersecurity professionals today. It’s critical for organizations to implement effective protection from these hard-to-detect attacks.
Of all the software in use, browsers are the most exposed. They are constantly connecting to the outside world, and frequently interacting with websites and applications that cybercriminals have infected with malware. Browsers are powerful, data-rich tools that if compromised, can provide an attacker with a vast amount of information about you, including your personal address, phone number, credit card data, emails, IDs, passwords, browsing history, bookmarks etc.
During the past year or so, we’ve seen a sharp increase in web threats that are specifically designed to leverage browser-based vulnerabilities. This increase in popularity is not only because browsers are strategically desirable as hacking targets, but because browser-based web threats are difficult to detect. Most malware detection and prevention technologies work by examining files such as downloads or attachments. However, browser-based threats don’t necessarily use files, so conventional security controls have nothing to analyze. Unless organizations implement advanced tools that don’t rely on analyzing files, browser-based attacks will likely go undetected.
Given that browser-based attacks are powerful and difficult to discover, it’s easy to understand why they have become so prominent. They simply work.
How Browser-Based Cyberthreats Operate
- The Flash code invokes PowerShell, a powerful OS tool that can perform administrative operations and exists on every Windows machine.
- Flash feeds instructions to PowerShell through its command line interface.
- PowerShell connects to a stealth command and control server owned by the attackers.
- The command and control server downloads a malicious PowerShell script to the victim’s device that captures or finds sensitive data and sends it back to the attacker.
Combatting Browser-Based Cyberthreats
Static – Structural Abnormalities
- Unusual shellcode existing within arrays or character strings
- Missing or added segments
- Embedded files
- Suspicious function arguments
- Evidence of code injection like hidden iframes or unusual tags
- Indications of exploit – structural similarities, signatures
Dynamic – Behavioral Abnormalities
- Abnormal process behaviors – the code may not be dropping files but might make abnormal network connections, or attempt to start abnormal processes
- Heap spraying – inserting code into predetermined locations by exploiting browser vulnerabilities
- Attempts to modify system files or components
- Connections to known malicious sites or command and control centers
- Evasion tactics such as stalling
Filtered Approach Makes Evaluating Browser-Based Threats Feasible
In those cases where the malware detection engine encounters abnormalities during the initial static analysis phase, it can examine the code more closely. The most rigorous and time-consuming tests need only happen in those rare situations where all previous tests indicate a substantial risk of malware.
For example, static analysis might identify capabilities that could potentially be malicious, like data encryption. Code that can encrypt data could be ransomware. In this case, the system will also perform dynamic analysis to determine if the code does, in fact, behave maliciously, or if it uses the encryption capabilities in benign and appropriate ways.
Static analysis efficiently detects a wide variety of anomalies such as abnormal macros, missing or added structures or segments, correspondence with command and control servers used by cybercriminals, and more. Some of these capabilities are very indicative of malicious intent and the system can immediately score the object as high-risk. If there’s any doubt, the system also performs dynamic analysis to test what the code actually does when it executes.
If static analysis uncovers nothing suspicious, the system can, with a high rate of accuracy, score the object as low-risk and bypass dynamic analysis.
Malware Evolves, and So Must We
Cybercriminals are constantly working to find new and more effective ways to infiltrate our computers, devices, and networks. The recent evolution in browser-based cyberthreats is a poignant example of malicious new techniques that are both difficult to detect and effective.
Latest posts by Dr. Christopher Kruegel (see all)
- Browser-Based Cyberthreats: How They Attack, and How to Protect Against Them - January 3, 2018
- How To Build An Effective Malware Analysis Sandbox - March 27, 2014