Monday, May 30, 2011

Lenny Zeltser on Information Security — Tracking Known Malicious Websites by ETag Identifiers

Tracking Known Malicious Websites by ETag Identifiers

Anti-malware companies as well as organizations that protect their own networks benefit from keeping track of known malicious systems on the Internet. The goal is often to block inbound access from known malicious hosts and also to restrict outbound connections to them. The undesirable systems are typically identified using IP address, domain names and URLs. Research by CompuCom’s Ramece Cave suggests adding ETags to the list of identifiers of malicious websites.

ETag is an optional HTTP header that was designed to make it easier for web browsers to cache website contents, thus improving the pages’ load time by avoiding downloading content that the user retrieved earlier. ETag acts as a fingerprint of the web server’s content; if the content changes, the server will generate a new ETag, indicating that the browser’s prior copy of the content should no longer be used.

Attackers sometimes use the same instance of the malicious page and web server, but expose it using different domain or server names. Ramece found it effective to use ETag as the unique identifier of a malicious page. This seems more efficient than keeping track of the numerous domain or server names the attacker might use. CompuCom’s research team:

“Identified a single ETag associated with malware which could be used to filter 12 domains as well as identify compromised hosts trying to reach command and control domains.”

Based on this information, the team created an IPS rule to flag web traffic that included the malicious ETag.

While there are several sources of known malicious IPs and domains, I haven’t seen the inforsec community discuss the use of ETags to track known malicious websites. Is this a promising approach or is does some limitation make it impractical? Perhaps time will tell.

If this interests you, check out the 2-day Combating Malware in the Enterprise class I’ll teach in DC in July; code COINS-LZ gets you a 10% discount. Also, I’ll teach a more in-depth Reverse-Engineering Malware class on-line this summer; get a free iPad 2 if you sign up by June 22.

Lenny Zeltser

This is really interesting and I'm surprised to not see it being discussed by the IPS, NGFW, Network Forensics and Threat feed vendors more extensively. Shouldn't we be putting up some sort of public database of malicious ETags to be used by those tools?

No comments:

Post a Comment