Uncovering Malware in Your Website

Jason Kent

Fri, 12th September 2014


Speaker Bio 1:
Jason is a seasoned infosec professional and currently works for Qualys where he provides technical training for their products. As a proven and highly competent global instructor, public speaker, information security advocate and evangelist, we are delghted to have Jason on the show.

Here are some of Jason's specialities and skills: Web Application Security, Vulnerability Management, Policy Compliance, PCI, WAN, LAN, Wireless LAN, IPv4, IPv6, Blue Coat ProxySG/WanOp, PacketShaper, QualysGuard, 802.11a/b/g/n/i, Cisco Routers and Switches. Jason also numerous infosec certs such as CISSP, Cisco Certified Networking Associate (CCNA), Cisco Certified Networking Professional (CCNP), Aruba Certified Mobility eXpert #8 (ACMX) and Certified Ethical Hacker.

Learning Objectives:

Jason will explain:

  • You might have Malware on your website, maybe you don’t, do you know? Would you like to?
  • What happens if you do have Malware on your website and how to detect it.

Questions and answers

Max, Concise Courses:
19:30 You mentioned Zeus, how is that typically installed by the hacker?

Jason Kent:
Zeus is a real pain lately. What we are seeing is that [the hackers] tend to install it on financial related websites that have flaws. It is also a prolific client-to-client attacker so if it is in your network it will install via backdoors.

Zeus has a pile of ways to get installed. One of the ways is ‘drive-by’ installation through something like an iFrame injection if possible. Anti-iframing is how you avoid that. The thing is that if it is installed somewhere else in your network it is going to look for a backdoor. Having your patches up to date on your systems and operating system is really a good way to avoid that.


Max, Concise Courses:
20:20 Is having your entire site HTTPS better for security? Thing is that our site is all HTTP and has been indexed by Search Engines so we have a concern about losing our rankings so I guess there is now a trade-off?

Jason Kent:
HTTPS only secures data ‘in flight’, so if you think about what you are trying to do with HTTPS is simply ‘me encrypting data between a client and a server.’ It does not have anything to do with availability inside of browsing a website, and nothing to do with securing things like malware. In fact, a malware infected HTTPS site just means that the malware is going to fly through your firewalls easier. What you have to do is look at ‘am I concerned with encrypting the data in flight or am I keeping someone safe as they visit my site?’ The encryption of data ‘in flight’ is simply a mechanism to do things like hide passwords as they travel.


Max, Concise Courses:
21:38 What is the main purpose of Reputation Services? Are they giving opinions on a security profile?

Jason Kent:
Reputation protection is realistically to protect end-users from getting infected when they visit the site. A little while back the New York Times got infected and if you tried to visit their site and you were running Blue Coat you were stopped from visiting their site because you had a poor reputation as far as security went. What you want to try and do is try and stay at the top of that list, as far as your reputation goes. So when people visit your site they know that they are safe. The other piece of it is is that [for example] IE 10 starting monitoring that reputation and they would tell you as you approach the site that you are about to see something dangerous. So, if you have a Business to Consumer site and you want the consumer to visit you don’t want them to see a pop-up box telling that says, ‘hey this site is dangerous and has a security problem.’


Max, Concise Courses:
23:06 Do you think an organization has an obligation to let customers know that they have been infected because they might have infected their users?

Jason Kent:
Yes I really honestly think that if you find that you have infected your end users you should tell them, but how do you do that for a site that just has static pages or a site that you wouldn’t have any idea who came by. Certainly you could have something on there that says, ‘hey in the past we had some sort of problem’ but it is really hard to figure out who you have infected once they have been infected.