In the same way some e-commerce sites serve up customized content based on a user's profile, cybercriminals are increasingly using personalization techniques to more effectively attack those who visit their Web sites.
Over the past year or so, the number of malicious sites using personalization techniques has mushroomed and today represents a new and disturbing trend, according to IBM's Internet Security Systems X-Force threat analysis group.
Unlike older sites that simply served up the same exploit code over and over, the new ones are loaded with multiple exploits and payloads, said Gunter Ollmann, director of security strategies at IBM's ISS X-Force team. The sites are crafted to first probe a visitor's browser for specific information, which it then uses to craft a customized attack, he said.
"We're seeing a large number of malicious Web sites that make use of IP address and browser information before they start to create an attack," Ollmann said
For instance, a user who visited a malicious Web site using Internet Explorer would be targeted with exploits seeking to take advantage of specific IE flaws, while those running Firefox or Netscape would be targeted with attacks specific to their browser types. The typical payloads include spyware programs and keystroke logging software, he said.
Each Web site can host literally "dozens and dozens of exploits" targeted at old and new flaws in browsers such as IE, Firefox and Netscape, Ollmann said. "We have seen a lot of zero-day exploits being used on such sites."
Very often, the exploits are secured from organized "managed exploit providers" who, for a monthly subscription fee -- sometimes as low as US$20 per month -- provide a virtually unlimited number of exploits, he said.
According to the X-Force 2006 report on security trends, about 30 percent of malicious Web sites at the end of 2006 were using personalization techniques. That number is growing at the rate of about 1,000 new sites every week, Ollmann said. Many of the sites are live for about four or five days before disappearing, he said.
Cybercriminals typically lure users to such sites by using spam mail or by hijacking and using domains that appear to be legitimate sites, he said. Sometimes, users can also get directed to such sites when they click on shared objects within a Web page, such as a banner advertisement or a visitor counter, he said.
Often such sites use IP addresses to ensure that they deliver the malicious code just once in order to minimize the chance of being detected, Ollmann said. Some are even beginning to compile lists of IP addresses of Web sites belonging to security vendors to ensure that visitors from such sites are not targeted with malicious content at all, he said.
Many of these Web sites use sophisticated obfuscation techniques to evade detection, he said. Java scripts, for instance, are often used to "basically encrypt the contents within a page" to hide information from signature-based detection technologies, Ollmann said. A malicious program might also be sometimes truncated into two or more innocuous looking bits, which can then be later reassembled when needed.
Many sites also deliver the payload in two phases. First, a so-called dropper or a downloader program is installed on a system. This program is then later activated to download the malicious payload.