I'll start with a short personal angle -
I have a friend who works as a freelance web site developer and webmaster. Every few weeks he gives me a call, telling me that one of the sites he manages seems to be serving malicious JavaScript code to its users. It appears to me that this problem is getting out of hand these days: sites are getting (silently) hacked into, and JavaScript code is injected and later served to users.
From what I hear and read, more than 70% of the Malware today is being served or linked from legitimate web sites.
Take a look at this article from InformationWeek, which was posted in January 2009:
Seventy percent of the top 100 Web sites either hosted malicious content or contained a link designed to redirect site visitors to a malicious Web site during the second half of 2008
The common approach to malware protection and malware scanning today puts the (security) responsibility on the end users (browser protections, A/V, etc.) or on the organizations (content filtering gateways, A/V gateways) from which the end users browse the web.
I think that web site owners should start taking responsibility for the content they are serving to users, and a simple way to do that is to constantly monitor or scan your own web application for malicious content.
About two years ago, I had an interesting thought - if you are already scanning your web application with an automated scanner that has the capability to perform deep crawling and analysis (using automatic form filling, JavaScript and Flash execution, etc.), why not attempt to locate malicious code that is being served to your web users?!
BTW, malicious code can end up in your application in different ways such as -
- Someone hacked into your application and put it there
- You are including web content (or application code) from a 3rd party. This is oftentimes the case in Web 2.0 scenarios
- You pissed off one of your web developers, and they decided to get back at you by infecting your users with Malware
Enter Malware Scanner AppScan eXtension
The Malware Scanner AppScan eXtension helps you verify that your application is not hosting or linking to malware. The extension couples the deep-scanning capabilities of IBM Rational AppScan with ISS X-Force technology that is used to identify malicious content and links.
The Malware Scanner checks these conditions:
- Whether files hosted on your application are malicious
- Whether files that are "one click" away from your application are malicious
- Whether links on your site lead to malicious domains (malware sites or phishing sites, for example)
- Whether links on your site lead to unwanted content (illegal sites, hate sites, adult content, and so forth)
The Malware Scanner works in two phases:
- It passes all of the visited links through the ISS Virus Prevention System (VPS) engine to determine whether they are malicious. This is similar to browsing every page in your application, including clicking every button and downloading every file, on a machine with up-to-date antivirus software.
- It passes all of the links that lead to external domains through the ISS WebFilter SDK. The SDK fetches the classification of each link (news site, porn site, malware site, illegal site, and so forth) from a constantly updated online classification database. Links that are deemed malicious or unwanted are flagged for your attention.
When something needs to be brought to your attention, a security issue is created in Rational AppScan so that you can benefit from the strength of Rational AppScan results management capabilities, such as creating reports, saving and loading scans, and so forth.
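To make the two-phase flow concrete, here is an added example of a self-scan over a site's own crawled pages. It is not the Malware Scanner eXtension's code and does not call AppScan, the ISS VPS engine or the WebFilter SDK; those engines are replaced by constructed stand-ins (a set of known-bad file digests and a host-to-category table), and the pages, files and host names are constructed sample data. What it keeps is the split the post describes: every linked file is handed to the "antivirus" check, and every link that leaves the site's own domain is classified, with each hit recorded as an issue the way the extension reports one.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# ---- Phase 2 stand-in: URL classification database (constructed) -----------
# Hypothetical host -> category table standing in for the WebFilter SDK lookup.
HOST_CATEGORIES = {
    "partner.example-cdn.test": "cdn",
    "news.example-news.test": "news",
    "evil-ads.test": "malware",
    "login-verify.example-bank.test": "phishing",
}
UNWANTED_CATEGORIES = {"malware", "phishing", "adult", "illegal", "hate"}

# ---- Constructed site content, as a crawler would have fetched it ----------
SITE_HOST = "www.example-shop.test"
PAGES = {
    "https://www.example-shop.test/index.html": """
<html><body>
<a href="/downloads/setup.exe">Download our client</a>
<script src="https://partner.example-cdn.test/widget.js"></script>
<a href="https://news.example-news.test/article">Press coverage</a>
<script src="https://evil-ads.test/loader.js"></script>
<a href="https://login-verify.example-bank.test/">Verify your account</a>
<a href="https://unknown-host.test/page">Unclassified host</a>
</body></html>""",
}
FILES = {  # bodies of the files that are "one click" away from the pages above
    "https://www.example-shop.test/downloads/setup.exe": b"MZ constructed benign installer",
    "https://partner.example-cdn.test/widget.js": b"/* constructed third-party script */",
}

# ---- Phase 1 stand-in: antivirus engine (constructed) ----------------------
# A real engine inspects content; here a digest set marks the partner script as
# known-bad so that the flow is exercised end to end.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(FILES["https://partner.example-cdn.test/widget.js"]).hexdigest(),
}


class LinkExtractor(HTMLParser):
    """Collect absolute URLs from the tags a crawler would follow or fetch."""

    ATTRS = {"a": "href", "script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(urljoin(self.base_url, value))


def antivirus_verdict(body):
    """Phase 1 stand-in: True when the file is flagged by the signature set."""
    return hashlib.sha256(body).hexdigest() in KNOWN_BAD_SHA256


def classify_host(host):
    """Phase 2 stand-in: category from the constructed table, 'unknown' otherwise."""
    return HOST_CATEGORIES.get(host, "unknown")


def scan_site(pages, files, site_host):
    """Run both phases over every link on every crawled page and return issues."""
    issues = []
    for page_url, html in pages.items():
        extractor = LinkExtractor(page_url)
        extractor.feed(html)
        for link in extractor.links:
            host = urlparse(link).hostname or ""
            # Phase 1: every visited link that resolves to a file goes to the AV check,
            # whether it is hosted on the site or one click away on another domain.
            body = files.get(link)
            if body is not None and antivirus_verdict(body):
                issues.append({"page": page_url, "link": link, "phase": 1,
                               "reason": "file flagged by antivirus engine"})
            # Phase 2: only links leaving the site's own domain are classified.
            if host != site_host:
                category = classify_host(host)
                if category in UNWANTED_CATEGORIES:
                    issues.append({"page": page_url, "link": link, "phase": 2,
                                   "reason": f"external host classified as {category}"})
    return issues


if __name__ == "__main__":
    for issue in scan_site(PAGES, FILES, SITE_HOST):
        print(f"[phase {issue['phase']}] {issue['link']}: {issue['reason']}")
```

Note that a host missing from the classification table is reported as "unknown" and not flagged; a deployment that wants the stricter policy the post hints at for unwanted content would add "unknown" to the flagged set and accept more manual review.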
You can read more about the Malware Scanner eXtension and download it from our eXtensions web site (you need to have AppScan installed to run it).