It’s estimated that 86% of all websites had at least a serious vulnerability during 2012. Attackers either manually or automatically (via botnets) deploy C&C servers and malware droppers within exploited websites to infect clients. When such an intrusion is not detected by the owner, the website can deliver malware for long periods until somebody either privately or publicly notices it and maybe an investigation starts.
To tackle this, we have developed a web monitoring tool called WebDetector, that can be scheduled to run periodically over a list of domain names and to produce a score that indicates how malicious a page is.
The tool is currently written in python and relies on several open source components for mirroring, file tracking and indexing plus a set of heuristics to detect harmful components like javascripts, PDF, shockwaves, form spoofing and link redirection. The framework can be expanded with modular signatures to detect in future more types of attacks with the help of the community.
We have tested the efficacy of WebDetector by deliberately adding common malicious behaviour in a controlled Wordpress installation. More sophisticated malware strategies needs refined heuristics for detection that will be addressed in future.
