17 May, 2021

How Quttera's Enhanced Detection Helps Avoid Malware Redirects

When your website falls prey to malware redirects, visitors to your site get redirected to a third-party website that can install malware and steal data. Quttera can help you detect problems before they do damage.
When it comes to your website's security, you may not know what malicious traffic direction systems (malicious or malware redirects) are, but you should. They can significantly damage the online experience of your website's visitors. They rely on code obfuscation to hide the instructions that move your visitors from one server to another without notice. The most frustrating part is that without the right tools in place, you may never notice it is happening.

Quttera recently enhanced its detection capabilities to help combat this growing problem. Let's take a closer look at what malware redirects are, how they work, and what Quttera is doing to help you stop the problem in its tracks.
Code obfuscation: What is it?
Code may seem complicated to someone not well versed in IT or computers, but it represents a simple idea: written code is a series of instructions the system follows to achieve a desired result. One missed keystroke can produce faulty code, and ordinarily, altering code breaks it. Not so with code obfuscation.

Code obfuscation transforms code into a form that humans cannot readily read while preserving its functionality. It is produced by a specific algorithm. Some of these algorithms also require a decoding key (hash) before the original code can be restored, which makes reversing the obfuscation nearly impossible without it. The redirection instructions are buried deep inside the obfuscated code, which lets it survive much longer without detection.

That means any issues the obfuscated code causes can go undetected and unaddressed for far too long. By the time the administrator finds it, it may be too late to repair the damage.
What is a malware redirect?
There are numerous ways that malware can infiltrate a device or network. One major problem is malicious redirects. This is when a website falls prey to an attack where its visitors are sent, or redirected, to a third-party site that contains malware. The original, unsuspecting site loses 100% of its audience as they are sent to another site. Another problem with these redirections is that they often lead to what is known as a "drive-by download," where the redirection causes malicious software to be installed on the visitor's device.

There are numerous stages at which malware redirects can be snuck in. One is at the HTTP level, where the server responds with an HTTP redirect status code that carries the new location. The visitor is then sent to that site, bypassing the initial site altogether. Another kind is HTML redirection, which is done with meta tags.

Redirection can also occur with JavaScript. While the page is loading, its JavaScript components are loaded and executed, and the script sends the browser to another address. These redirections aren't necessarily hard to catch, particularly when you have the right software in place to assist. The problems arise when the redirects are masked by intricately designed JavaScript code or by a module brought in from another website.
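The three redirect stages described above (an HTTP redirect status with a location, an HTML meta refresh, and a JavaScript location change) plus the obfuscation primitives mentioned earlier can all be checked for in one pass over a fetched page. The following Python is an added illustration, not Quttera's scanner code: it runs over a constructed sample response, and its regexes are heuristics (the URL `example.invalid` and the sample page are made up for the demonstration).

```python
import re
from html.parser import HTMLParser

# Heuristics for a JavaScript-level redirect and for common obfuscation
# primitives. A match is an indicator for review, not proof of infection.
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location"
    r"(?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*['\"]([^'\"]+)['\"]"
)
OBFUSCATION = re.compile(r"\b(eval|unescape|atob|String\.fromCharCode)\s*\(")
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


class _PageParser(HTMLParser):
    """Collects <meta http-equiv="refresh"> targets and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.meta_targets = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.meta_targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def analyze_response(status, headers, body):
    """Return (kind, detail) findings for one fetched page:
    'http'        -> 3xx status with a Location header (header name assumed canonical)
    'meta'        -> <meta http-equiv="refresh"> target
    'javascript'  -> location assignment/replace/assign target in an inline script
    'obfuscation' -> obfuscation primitive seen in an inline script (needs review)
    """
    findings = []
    if 300 <= status < 400 and "Location" in headers:
        findings.append(("http", headers["Location"]))
    parser = _PageParser()
    parser.feed(body)
    parser.close()
    findings.extend(("meta", t) for t in parser.meta_targets)
    for script in parser.scripts:
        findings.extend(("javascript", m.group(1)) for m in JS_REDIRECT.finditer(script))
        findings.extend(("obfuscation", m.group(1)) for m in OBFUSCATION.finditer(script))
    return findings


# Constructed sample page (not real traffic) carrying a meta refresh, a
# JavaScript redirect and an obfuscated script fragment.
SAMPLE_BODY = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/landing">
<script>window.location.href = "http://example.invalid/drive-by";</script>
<script>eval(unescape("%61%6c%65%72%74"));</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, detail in analyze_response(200, {"Content-Type": "text/html"}, SAMPLE_BODY):
        print(f"{kind:12s} {detail}")
```

Each finding carries the target it points at, so an administrator can compare the destination against the hosts the site is supposed to talk to; the obfuscation hits carry no target, which is exactly why such scripts need manual or sandboxed review rather than static matching alone.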
Using JavaScript from a third-party source
When a site relies on JavaScript to function, some developers simply load the modules from their original host rather than copying them to their own website. Take this example of an HTTP request to download a JavaScript file from an external server. The intended third-party server was a well-known source, Google.com, but the request was then redirected to another server, GStatic.com.
  • The required URL: https://google.com/jsapi
  • The required IP: 142.250.185.228 United States
  • The redirect URL: https://www.gstatic.com/charts/loader.js
Here's the problem with this sort of deception: when the redirect lives in a well-hidden, obfuscated JavaScript file, the site owner cannot easily locate the code or the redirection instructions. This makes removal much more difficult and time-consuming.

Another way of looking at it:
  • Website A loads and executes a JavaScript module from a third-party site: Website B
  • The JavaScript module is then infected
  • The infected module redirects to a download from a third location, Website C, that has malicious intent
Redirection causes a problem without the user even knowing it. Even worse, it leaves them without the ability to address the issue even if they do become aware of suspicious activity. So, what can you do to protect your website?
Quttera's enhanced detection capability addresses advanced malware redirects
At Quttera, we're always seeking new ways to keep our users safer online. That means developing new means and capabilities to protect their devices and systems. One goal we always strive for? Find ways to detect malware infection, remove it from websites, and enable website owners to maintain their online business with minimal interruption or inconvenience.

We've developed and implemented a new behavioral algorithm that addresses redirection. The algorithm loads and executes a website as a single block and collects website behavior metrics while it runs. Beginning immediately, several of our products have enhanced detection capabilities, including:

From here on out, these products will have a new feature called Sandbox Requests. This will list all HTTP requests issued by the scanned domain, as well as all redirects from an external resource.

In addition, Quttera's website malware scanner API will have a "sandbox request" component added to its detailed investigative report. This will report on all HTTP requests and redirects. What these changes mean for you, the end-user, is that you'll have access to more metrics related to your website's behavior.
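The Website A / Website B / Website C chain described earlier and the Sandbox Requests listing above amount to the same thing: record every request the scanned page makes, follow each redirect hop, and flag any external resource that ends up on a host other than the one requested. The Python below is an added example of that bookkeeping, not Quttera's sandbox module or its report format; the response table is constructed for the demonstration (the `google.com` to `gstatic.com` pair mirrors the listing above, while `website-b.example` and `website-c.example` stand in for Websites B and C).

```python
from urllib.parse import urlparse

# Constructed table of responses standing in for what a sandbox observes
# while the scanned page loads external scripts:
# requested URL -> (status, Location header or None). Not real traffic.
RESPONSES = {
    "https://google.com/jsapi": (302, "https://www.gstatic.com/charts/loader.js"),
    "https://www.gstatic.com/charts/loader.js": (200, None),
    "https://website-b.example/module.js": (302, "https://website-c.example/payload.js"),
    "https://website-c.example/payload.js": (200, None),
}


def follow_chain(url, responses, max_hops=10):
    """Follow Location headers from `url`, returning [(url, status), ...].
    Stops on a missing response, a non-redirect status, a loop, or max_hops."""
    chain, seen = [], set()
    while url and len(chain) < max_hops and url not in seen:
        seen.add(url)
        status, location = responses.get(url, (None, None))
        chain.append((url, status))
        url = location if status and 300 <= status < 400 else None
    return chain


def sandbox_requests(page_host, script_urls, responses):
    """Build a Sandbox-Requests-style listing: one entry per script request
    with every redirect hop, flagging chains whose final host differs from
    the host originally requested (the google.com -> gstatic.com case)."""
    report = []
    for url in script_urls:
        hops = follow_chain(url, responses)
        first_host = urlparse(hops[0][0]).hostname
        final_host = urlparse(hops[-1][0]).hostname
        report.append({
            "requested": url,
            "external": first_host != page_host,
            "hops": hops,
            "final": hops[-1][0],
            "redirected_offhost": final_host != first_host,
        })
    return report


def render(report):
    """Human-readable lines in the style of the listing above."""
    lines = []
    for entry in report:
        lines.append(f"The required URL: {entry['requested']}")
        hops = entry["hops"]
        for (src, status), (dst, _) in zip(hops, hops[1:]):
            lines.append(f"The redirect URL: {dst} (HTTP {status} from {src})")
        if entry["redirected_offhost"]:
            lines.append("  !! final host differs from requested host; review this resource")
    return lines


if __name__ == "__main__":
    scripts = ["https://google.com/jsapi", "https://website-b.example/module.js"]
    for line in render(sandbox_requests("website-a.example", scripts, RESPONSES)):
        print(line)
```

The off-host flag is deliberately coarse: a redirect from `google.com` to `www.gstatic.com` is benign, but the same mechanism is what carries a visitor from Website B to Website C, so the listing is meant to surface every such hop for a human to judge rather than to decide on its own.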
But why are these metrics valuable?
Because they allow for a deeper level of investigation and analysis of the malicious redirects that were performed. Knowing there's an issue isn't nearly enough; you also need to understand the root cause and how to address it. Quttera has the mechanisms in place to take a deeper look into every element of your website's code. You can help avoid malicious redirects by having a better understanding of potential disruptions throughout your system. Quttera continuously enhances its malware detection algorithms, which allows you to detect the most advanced malware.

Use Quttera products such as ThreatSign or API to detect advanced malware redirects and other malware with our new sandbox module added to the engine. Find out how our suite of solutions can help improve your website security — contact us today at sales@quttera.com.