Since the emergence of the zero-day vulnerability in Internet Explorer over the Christmas period, I have seen a new term become more and more used.
A ‘watering hole’ attack delivers malware through an infected web page, or something within that page, most likely put there by someone acting maliciously. I first learned about the concept from the Websense security report from the end of 2012, where senior security research manager Carl Leonard explained how the ‘waiting’ concept was replacing direct messaging when it came to infection.
He said: “The attacker doesn't do any emails at all; they are waiting like an alligator to jump out. We see this being used in the last six months and it is efficient to me, as people can be targeted with spear phishing messages and social engineering techniques are used in these ‘watering hole’ attacks. The user sees something and thinks it is for them and clicks on it.”
Some may have thought that this was not particularly widespread and would not snare many victims, and you would be able to include me in that thinking. However, in recent days, it seems that the zero-day affecting IE was spread via such a method.
Symantec said: “First, the attack checked that the browser accessing the page was Internet Explorer 8. Next, it checked if Flash was installed, and finally it checked the system language (specifically looking for Chinese, Taiwan Chinese, United States English, Russian, Japanese or Korean). If any of the checks failed, the victim was redirected to a blank page.
“If all of the above checks passed, the attack then proceeded to load a cookie to indicate a compromised system. Next, an additional check was performed on the installed version of Java. Specifically, the attack looked for Java version 6 and, if found, a Flash object was loaded using a CLSID. This loaded malicious Shockwave Flash File — today.swf — was responsible for the heap-spray. An iFrame was also created that linked to a news.html page and contained the exploit code for Internet Explorer 8.”
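The staged delivery Symantec describes leaves a recognisable request sequence in web proxy logs, which lets a defender separate clients that merely visited a compromised site from those that were served the later stages. The following triage sketch is an added example, not code from Symantec or the article; the log format, host names, client addresses and the five-minute window are assumptions, and only the file names today.swf and news.html come from the quote above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
FF = "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
# Constructed proxy log (tab-separated: time, client, host, path, user agent).
# Hosts and client addresses are placeholders, not real indicators.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2013-01-02T09:00:01", "10.0.0.5", "site.example", "/", IE8),
    ("2013-01-02T09:00:03", "10.0.0.5", "site.example", "/today.swf", IE8),
    ("2013-01-02T09:00:04", "10.0.0.5", "site.example", "/news.html", IE8),
    ("2013-01-02T09:05:10", "10.0.0.9", "site.example", "/", FF),
    ("2013-01-02T10:11:00", "10.0.0.12", "site.example", "/", IE8),
    ("2013-01-02T10:11:02", "10.0.0.12", "site.example", "/news.html", IE8),
    ("2013-01-02T11:00:00", "10.0.0.5", "other.example", "/news.html", FF),
])

# Stage file names as given in the Symantec description; the labels are ours.
STAGES = {"today.swf": "flash_heap_spray", "news.html": "ie8_exploit_iframe"}
WINDOW = timedelta(minutes=5)  # assumed maximum gap between the two stages


def triage(log, window=WINDOW):
    """Map (client, host) to a verdict based on which stage files were fetched."""
    first_seen = defaultdict(dict)  # (client, host) -> {stage: first fetch time}
    for line in log.splitlines():
        ts, client, host, path, ua = line.split("\t")
        hits = first_seen[(client, host)]  # also records visit-only clients
        name = path.split("?")[0].rsplit("/", 1)[-1]
        # Per the description, the chain was only served to Internet Explorer 8.
        if name in STAGES and "MSIE 8.0" in ua:
            hits.setdefault(STAGES[name], datetime.fromisoformat(ts))
    verdicts = {}
    for key, hits in first_seen.items():
        times = sorted(hits.values())
        if len(hits) == len(STAGES) and times[-1] - times[0] <= window:
            verdicts[key] = "exploit_chain_served"  # prioritise for response
        elif hits:
            verdicts[key] = "partial_chain"  # review: one stage file fetched
        else:
            verdicts[key] = "visited_only"
    return verdicts


if __name__ == "__main__":
    for (client, host), verdict in sorted(triage(SAMPLE_LOG).items()):
        print(client, host, verdict)
```

A "partial_chain" verdict needs manual review, since a file called news.html is common on legitimate sites.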
Speaking this week, Leonard confirmed that this method is the same as that discussed last October. “Waterhole attacks can be extremely effective (for the malware author) as their intended victims are likely to visit the website chosen by the malware author. Once the malicious code has been deployed on the chosen website the malware author simply lets his code lie in wait,” he said.
“Bear in mind the concept of the ‘malware adoption lifecycle’. This Internet Explorer zero-day is relevant to all of us as no sooner has the code been deployed in small volume waterhole attacks, then that same code will be used in exploit kits. This is how the dangers of code used in waterhole techniques quickly become widespread.”
Jacques Erasmus, chief information security officer at Webroot, told SC Magazine that he had been tracking these attacks, and while he thought that the exploit was sophisticated, watering hole attacks were much more 'random' than depicted.
He said: “The amount of time it would take to target and successfully exploit a well secured and reputable site for a watering hole campaign is questionable and risky. For example your zero-day may get discovered before you manage to infect the targeted victim.”
Erasmus said that while watering hole attacks are real and have been for a long time, he felt that there were more efficient ways that attackers could use to target their victims, such as social engineering via email or attachments.
Luis Corrons, technical director of PandaLabs, said that while this is not a new concept, what is new is the polished technique used to perform targeted attacks, and the fact that the way of targeting the user can vary.
“In the old way (which still goes on with more advanced kits, such as Blackhole, etc.) you try to infect as many users as you can. Of course you can filter them, targeting only users from a specific country, using certain browsers, applications or operating systems, but still the goal is to infect a high number of people, completely different to what a targeted attack is, where you want to infect just a small group of people, or even a single user,” he said.
I asked a number of people if there was evidence of or statistics on detections. This drew a blank, but Corrons said that 90 per cent of the infections it sees come from the use of some exploit through a website. “Out of this 90 per cent, around 80 per cent use some Java-related vulnerability, but I cannot know which ones (if any) are waterhole related,” he said.
According to Avast's CommunityIQ, there were detections on infected sites in December, and the CFR website was one of the most prominent.
Often concepts are discussed without any real evidence on how they are seen on the dark side of the internet. So how seriously is this being taken by the attacker community?
Erasmus said: “If the attacker is just trying to target a large amount of people without any focus on any particular demographic, I think it doesn't matter too much.
“If the attacker wants to target a specific individual from a company or government, it matters a lot. You will want to be sure that when you do infect that person they do not suspect that they are being targeted as you risk your exploit being discovered. In this scenario, the methods used to target the person are critical.”
In terms of protection, it seems that the general consensus is to keep your browser up-to-date and be careful what you click on if possible.
While some may think that this will result in low numbers of infection, consider that this is possibly a new form of attack that takes much less work to deliver, and a new way of bypassing security defences.
Perhaps the best advice is to not get too close to the water: you never know what is waiting for you.