Bypassing Web Antiviruses


Eugene Dokukin aka MustLive

At the beginning of April 2010 I tested systems for searching for viruses at web sites [1]. In my research I examined different systems for finding viruses at web sites, both standalone and built into search engines; these systems can be called web antiviruses. Later I presented the results of my testing of web antiviruses at the UISG and ISACA Kiev Chapter #6 conference [2].

I examined the following web antiviruses: Web Virus Detection System, Google, Yahoo, Yandex, Norton Safe Web, McAfee SiteAdvisor, StopBadware. Every web antivirus can face malware's attempts to hide from it (so that the malware is left undetected and continues to infect visitors of web sites). In this article I describe methods of bypassing web antiviruses, which developers of such systems need to take into account to prevent malware from hiding from them.

Bypassing systems for searching for viruses at web sites.

In May 2010 I published an article on The Web Security Mailing List Archives [3] about bypassing systems for searching for viruses at web sites. This concerns all such systems, including search engines with built-in antiviruses, which have no counter-measures against it.

Bypassing systems for searching for viruses at web sites is possible using cloaking (which has been known since the 90s and is used for hiding from search engine bots for SEO purposes). The User-Agent is analyzed: if it is a search engine, the malicious code is not shown; if it is a browser, it is shown. So the same cloaking that is used for SEO can be used for spreading malware and hiding it from systems for searching for viruses at web sites, particularly from search engines with built-in antivirus systems, because they use search engine bots with known user agents.

I have seen the cloaking method used in malicious scripts many times during my research since 2008. In particular I saw checking of the Referer (and a similar approach can be used for the User-Agent). This method of protecting malicious code from systems for searching for viruses creates a serious challenge for these systems.

Antivirus companies and other security researchers also sometimes find cases of cloaking being used against search engines with built-in antiviruses. E.g. in May 2010 many web sites on shared hosting at DreamHost and other hosting providers were hacked and infected with malicious code, and the code distributing the malware used cloaking to hide itself from the built-in antiviruses of the search engines Google and Yahoo.

Effective use of cloaking against web antiviruses.

At the end of August 2011 I found that Google had started using User-Agent spoofing for its bots. This may be connected with the desire to improve its system for searching for viruses at web sites, i.e. to use cloaking (UA spoofing is a form of it) to decloak viruses at web sites.

But it uses spoofing ineffectively, and with careful use of cloaking malware can effectively hide from Google's bots and from the bots of any search engine, including those systems which have built-in antiviruses. Currently these are Google, Yahoo, Bing and Yandex.

Whereas earlier Google's bot named itself in the User-Agent header as "Googlebot" (i.e. "Googlebot/2.1"), I found that it has started to sometimes name itself "MOZILLA 5.0". On one hand this can help to decloak hidden malware at sites, but on the other hand it is not enough, because advanced malware can check not only the User-Agent but also the IP, and do a reverse DNS lookup.

In particular, for this bot the IP was 66.249.66.102 and the domain was crawl-66-249-66-102.googlebot.com, which allows one to determine via IP resolving that it is exactly Googlebot. And even if another domain name were used, the WHOIS records would still mention that this IP belongs to Google, so malware can use this information to create an IP list (or make a WHOIS request in real time) by which it hides itself from these bots.

So effective cloaking operates simultaneously on three parameters: User-Agent, IP and DNS. These are well known things in the world of cloaking, about which security vendors should know.
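The defensive counterpart to the cloaking described in this section (and to the Referer checks mentioned earlier) is a scanner that fetches the same URL under several identities and compares what each one was served. The following is an added example, not code from the article or from any of the web antiviruses it names. It assumes the scanner has already made the fetches (from a crawler IP whose reverse DNS points at a crawler host, and from an unrelated IP, with and without a search-engine Referer) and holds the bodies; the sample page bodies and the injected inline script are constructed stand-ins. Only script content is compared, so ordinary dynamic markup does not register as cloaking.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Hypothetical scanner logic with constructed sample data; not from the original article.


@dataclass(frozen=True)
class Fetch:
    """One retrieval of the same URL under a given scanner identity."""
    label: str
    user_agent: str
    referer: Optional[str]
    crawler_ip: bool  # True if the source IP reverse-resolves to a known crawler host
    body: str


SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)


def script_fingerprints(body: str) -> Set[str]:
    """Fingerprint every script on the page: external scripts by URL, inline scripts by a
    hash of their whitespace-normalised source."""
    prints: Set[str] = set()
    for attrs, inline in SCRIPT_RE.findall(body):
        src = SRC_RE.search(attrs)
        if src:
            prints.add("src:" + src.group(1).strip())
        elif inline.strip():
            normalised = " ".join(inline.split())
            prints.add("inline:" + hashlib.sha256(normalised.encode()).hexdigest()[:16])
    return prints


def detect_cloaking(fetches: Iterable[Fetch]) -> Dict[str, object]:
    """Any script served to some identities but withheld from others is a cloaking
    indicator. The report lists which identities received each such script."""
    fetches = list(fetches)
    per_fetch = {f.label: script_fingerprints(f.body) for f in fetches}
    all_scripts: Set[str] = set().union(*per_fetch.values()) if per_fetch else set()
    selective: Dict[str, List[str]] = {}
    for script in all_scripts:
        shown_to = sorted(lbl for lbl, s in per_fetch.items() if script in s)
        if len(shown_to) != len(fetches):
            selective[script] = shown_to
    return {"cloaked": bool(selective), "selective_scripts": selective}


def distinguishing_attributes(fetches: List[Fetch], shown_to: List[str]) -> List[str]:
    """Which single identity attribute, if any, separates the fetches that received a
    selective script from those that did not. An empty list means the server keys on a
    combination (UA plus IP/DNS plus Referer), which a scanner that only spoofs the
    User-Agent cannot see through."""
    keys = {
        "user_agent": lambda f: f.user_agent,
        "referer_present": lambda f: f.referer is not None,
        "crawler_ip": lambda f: f.crawler_ip,
    }
    shown = [f for f in fetches if f.label in shown_to]
    withheld = [f for f in fetches if f.label not in shown_to]
    found = []
    for name, key in keys.items():
        shown_vals = {key(f) for f in shown}
        withheld_vals = {key(f) for f in withheld}
        if len(shown_vals) == 1 and not (shown_vals & withheld_vals):
            found.append(name)
    return found


# Constructed sample page; the "Updated" line shows that dynamic HTML outside <script>
# does not affect the comparison.
CLEAN = """<html><head><title>Shop</title>
<script src="/js/app.js"></script></head>
<body><p>Updated 2011-08-30 12:00</p></body></html>"""

# Same page as served to an ordinary visitor; the extra inline script is a constructed,
# harmless stand-in for injected code.
INFECTED = CLEAN.replace(
    "</body>", "<script>var marker = 'constructed-injected-script';</script></body>")

SAMPLE_FETCHES = [
    Fetch("googlebot-ua/crawler-ip", "Googlebot/2.1", None, True, CLEAN),
    Fetch("browser-ua/crawler-ip", "Mozilla/5.0", "http://www.google.com/", True, CLEAN),
    Fetch("browser-ua/other-ip/no-referer", "Mozilla/5.0", None, False, CLEAN),
    Fetch("browser-ua/other-ip/search-referer", "Mozilla/5.0",
          "http://www.google.com/", False, INFECTED),
]

if __name__ == "__main__":
    report = detect_cloaking(SAMPLE_FETCHES)
    print(report)
    for script, shown_to in report["selective_scripts"].items():
        print(script, "keyed on:", distinguishing_attributes(SAMPLE_FETCHES, shown_to) or "combination")
```

In the sample, the fetch that merely spoofs a browser User-Agent from the crawler IP still receives the clean page, so a UA-only comparison would report nothing; only the fetch from an unrelated IP with a search-engine Referer is served the extra script, and no single attribute explains it, which is the three-parameter cloaking described above.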

Conclusion.

In this article I have described different methods which allow bypassing web antiviruses. Web antiviruses should take them into account in order to counter malware.

For effective cloaking at web sites, malware can analyze User-Agent, IP and DNS. So developers of web antiviruses, including search engines with built-in antiviruses, need to take this into account to fight malware effectively. Because in this Game of Masking only a well hidden web antivirus can reveal hidden malware.

References:

1. Testing of systems for searching of viruses at web sites (http://websecurity.com.ua/articles/test_webvds/).
2. Systems for revealing of infected web sites (http://websecurity.com.ua/uploads/articles/speech-2011.swf).
3. New vulnerability in bots of search engines (for security bypass) (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-May/006512.html).