Web threats continue to be cybercriminals’ preferred approach for delivering malware. Sophos currently sees 6,000 new infected webpages each day – one infected page every 14 seconds. Only about 1 in 5 of these sites is a hacker site, i.e. malicious in intent; 83 percent are hacked sites, i.e. legitimate websites that have been compromised by an unauthorized third party.
Surfers are often lured to these compromised webpages via emails that use social engineering tactics to attract unsuspecting users [1]. In other cases, hackers place their malicious code on sites that they know have a high number of visitors. Once the site is infected, unwary visitors whose PCs lack web security, a firewall or patches can themselves be infected.
The content of these sites varies dramatically. Just some examples of the wide variety of sites that SophosLabs has seen hacked to host malware in a typical month are:
- Art galleries
- Christian ministry
- Computer network cabling
- Escort agencies
- Holiday property rental
- Ice-cream making
- Landscape gardening
- Museums
- Organic produce
- Oven cleaning
- Pilates
- Poker event organization
- Political activism
- Printing and graphics
- Tyre supply
- Web design.
Because of the range of subjects that hacked sites cover, blocking sites by content is not sufficient to protect users against these threats. A security solution to protect innocent computer users can help block web access to sites hosting malware.
Mal/Iframe accounted for over half of all web-based threats from January to December 2007 and has dominated the chart since April. Particularly rampant in China, although also seen affecting websites hosted elsewhere, a growing number of web-based attacks look for vulnerabilities on legitimately hosted websites and inject malicious code into the site.
In June 2007, Mal/Iframe was found to have infected more than 10,000 legitimate Italian websites, including sites belonging to high-profile organizations like city councils, employment services and tourism sites. Most of the affected pages appeared to be hosted by one of the largest ISPs in Italy [2].
Mal/ObfJS, an obfuscated malicious script, has also affected many legitimate websites, for example the website of the US Consulate General in St Petersburg, Russia, in October [3] (despite the fact that protection had been available in anti-virus products since May 2007).
The US Consulate General removed the malicious code quickly and efficiently, but the fact that such a knowledgeable and security-conscious organization could become infected highlights the seriousness of the web threat.
Where is malware hosted?
The results of research into which countries contain the most malware-hosting websites reveal some significant changes over last year’s top ten list.
Top ten malware hosting countries in 2007:

| Rank | Country | Share of malware-hosting sites |
|---|---|---|
| 1 | China | 51.4% |
| 2 | United States | 23.4% |
| 3 | Russia | 9.6% |
| 4 | Ukraine | 3.0% |
| 5 | Germany | 2.3% |
| 6 | Poland | 0.9% |
| 7 | United Kingdom | 0.7% |
| 8 | France | 0.7% |
| 9 | Canada | 0.7% |
| 10 | Netherlands | 0.7% |
| – | Others | 6.6% |
China has moved up from second place in 2006, when it accounted for just over 30 percent of infected websites, and now dominates the chart with more than 50 percent. Unfortunately, whether a website is hosted in China is not necessarily obvious from its domain name, so simply avoiding websites ending in .cn will not significantly reduce your chances of being attacked by a China-hosted website.
The US has dropped from the top position, where it accounted for 34 percent of malware-infected websites in 2006, and accounts for less than a quarter this past year.
Poland is a new addition to this list, with 1 in 100 malicious webpages being hosted there. The Netherlands, which held fourth position in 2006, has dropped to tenth place, but still accounts for an unusually large number of malicious sites given its population and infrastructure. Sophos worked with computer crime authorities in the Netherlands last year to help them identify websites hosting malware so that they could be dealt with.
Making your web server more secure
- Don’t install any unnecessary components on the server – more code means more vulnerabilities for hackers to exploit.
- Sign up for your operating system vendor’s security notifications.
- Patch all operating systems and any applications with official security fixes.
- Run up-to-date anti-virus software on the web server, regardless of what operating system you are using.
IIS users:
- Do not enable directory browsing unless you really need it – why show visitors (malicious or legitimate) all the files on your system?
- Disable any FrontPage server extensions that are not being used.
Apache users:
- Deny “all resources” by default and only allow the necessary functionality to each specific resource.
- Log all web requests to allow you to spot suspicious activity.
Writing safer code:
- Always initialize global variables (avoiding the danger of them being initialized by a fake GET or POST request).
- Turn off error reporting and log to file instead (making it more difficult for hackers to get the information they need).
- Never trust any user input or output, so use filter functions to strip out special SQL characters and escape sequences.
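The three coding rules above, worked through in an added Python example that is not from the Sophos paper: a small request handler that initialises its own state rather than taking it from the request, binds untrusted input as a query parameter (a stronger form of stripping special SQL characters), and logs error detail to a file while the client only sees a generic message. The database, table, and log file path are assumptions made for the example.

```python
import logging
import os
import sqlite3
import tempfile

# Error detail goes to a file the administrator reads, never into the HTTP response
# (the path is an assumption; the paper only says "log to file instead").
logging.basicConfig(filename=os.path.join(tempfile.gettempdir(), "webapp-errors.log"),
                    level=logging.ERROR)

def build_demo_db():
    """Constructed sample data standing in for a site's member table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_member(conn, name):
    """The untrusted value is bound as a parameter, so quotes, comment markers and
    other special SQL characters in it are treated as data, not as SQL text."""
    cur = conn.execute("SELECT name, email FROM members WHERE name = ?", (name,))
    return [{"name": n, "email": e} for n, e in cur.fetchall()]

def handle_request(conn, query_params):
    """Simulated GET handler: returns (status, body) for the parsed query string."""
    # Every piece of state the handler relies on is initialised here, so a request
    # that smuggles in ?is_admin=1 cannot pre-set it (the first rule above).
    is_admin = False
    name = query_params.get("name", "").strip()
    if not name:
        return 400, {"error": "name required"}
    try:
        rows = lookup_member(conn, name)
    except sqlite3.Error:
        # Exception text and traceback go to the log file only; the client gets a
        # generic message that reveals nothing about the schema or the SQL.
        logging.exception("member lookup failed for %r", name)
        return 500, {"error": "internal error"}
    return 200, {"is_admin": is_admin, "results": rows}
```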
For further advice on securing your web server read the SophosLabs technical paper Securing Websites.
What web servers are being infected?
At the end of 2007, SophosLabs looked at a snapshot of the millions of web servers infected worldwide, closely examining over 50,000 to see what operating system they were running. The findings are in line with research done by Sophos in the first half of 2007, with almost 50 percent of the malware found on servers running Apache, and about 40 percent running Microsoft IIS.
As evidenced in other areas, malware affecting web servers is not just a Windows problem. A large number of Apache servers run on Linux or some flavor of UNIX, and many administrators consider these systems to be much less vulnerable to attack. While it is true that less malware is written to target Linux and UNIX, the websites they serve are not necessarily safe from attack, because the attacks target the website – not just the server – and often attempt to embed hidden scripts or malicious redirection code.
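The Mal/Iframe and Mal/ObfJS infections described earlier, and the hidden scripts and redirection code mentioned here, leave recognisable marks in a page's HTML. The following scanner is an added example (not Sophos code) that an administrator can run over their own pages: it flags iframes that are hidden or near-zero size and script blocks built around unescape()/eval() with long runs of hex escapes. The sample page, the placeholder hostname and the escape-count threshold are constructed for the example.

```python
import re
from html.parser import HTMLParser

class InjectedContentScanner(HTMLParser):
    """Flags hidden/near-zero iframes and scripts that are mostly unescape()/hex blobs."""
    def __init__(self):
        super().__init__()
        self.findings = []   # list of (kind, detail)
        self._script = None  # text buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            # Payloads decoded at run time are mostly %XX or \xXX escape sequences.
            escapes = len(re.findall(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}", body))
            if re.search(r"\b(unescape|eval)\s*\(", body) and escapes > 20:
                self.findings.append(("obfuscated-script", body[:40]))

def scan_html(html):
    """Return the findings for one HTML document (empty list if nothing suspicious)."""
    scanner = InjectedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a legitimate page with an injected zero-size iframe and an injected
# obfuscated script; the hostname is a placeholder, not a real indicator.
INJECTED_BLOB = "".join("%%%02X" % ord(c) for c in '<iframe src="x" width=0></iframe>')
SAMPLE_PAGE = (
    '<html><body><h1>Oven cleaning services</h1>\n'
    '<iframe src="http://injected-host.invalid/in.php" width="0" height="0"></iframe>\n'
    '<script>document.write(unescape("' + INJECTED_BLOB + '"));</script>\n'
    '<iframe src="https://www.example.com/map" width="300" height="200"></iframe>\n'
    '</body></html>'
)
```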