Malware

Nearly Seventy Percent of All Malware is Delivered via Drive-By Downloads

Tuesday, September 23rd, 2008

There has been no shortage of press regarding malware on the Internet over the past several months. Malware continues to grow in volume and evolve in complexity. As security companies continue to address the problem, the number of Web sites that distribute the unwanted downloads is growing out of control.

What classifies a malware download as a drive-by download? While there is no one standard definition, the problem can be described simply as a file downloaded to a user’s computer without permission or user action when visiting a Web site. This feat is typically accomplished by exploiting a vulnerability in the web browser or operating system.

So, with the exploding growth of malware on the Internet, how many malicious web sites distribute malware via drive-by downloads? Based on a sample of hundreds of thousands of malware distribution web sites discovered in the past 60 days, sixty-eight percent of malware distribution sites deliver malware via drive-by downloads.

Think about it: there are millions of malicious web sites on the Internet. Not only do you have to fear your AV software failing to detect malware already on your computer, as described in an earlier Cyveillance report (http://www.cyveillance.com/web/forms/request.asp?getFile=111), but simply visiting a web site could infect your computer.

Users can minimize the risk of being infected by a drive-by download in several ways. One of the most effective protective measures is to use the more secure settings in your web browser. This may cause some inconvenience by requiring users to respond to security prompts when visiting feature-rich web sites, but it will reduce potential malware infections. Another common-sense protective measure is simply to avoid visiting unfamiliar or disreputable web sites.

Additionally, security companies that provide user protection through desktop clients can significantly improve protection against drive-by downloads through the use of Cyveillance Malware Protection™. The service evaluates web sites using both signature-based and behavioral-based technologies. This multi-pronged approach to detecting online threats allows Cyveillance to collect the most comprehensive and up-to-date intelligence regarding new malware and attack methods.

How Protected Are We Really Against Malware?

Friday, August 29th, 2008

Fueled by scalability and ease of use, it is not surprising that malware attacks delivered via the Web have more than doubled in frequency. What is interesting is the creativity taken by malware writers to evade detection and mitigation through technical means and wider geographical distribution.

So the question remains, how safe is it to surf the Internet? The answer is not one people want to hear.

The reality – the majority of active malware attacks go undetected, with leading anti-virus (AV) solutions detecting only 50% of instances or less. These results came to light when we recently test-sampled malware that we routinely uncover against several of the top AV products. The findings were released in our “1H 2008 Online Fraud Report” and can be seen in the table below.

Vendor         Average daily detection rate, 6/20/08 to 7/19/08
F-Secure       51%
Kaspersky      35%
McAfee         34%
Sophos         55%
Trend Micro    52%

The fact that these results are based on a 30-day period only further emphasizes the dynamic nature and scalability of today’s malware attacks. Given the reactive nature of today’s AV detection technology, traditional AV solutions are inherently at a disadvantage when it comes to keeping up with these constantly changing and emerging threats. Granted, no solution will ever be 100% effective against all real-time and zero-day threats, but by adding proactive intelligence-gathering techniques to reactive AV solutions, the gap between infection and protection can be greatly reduced.

Online criminals are using any and every means available to maliciously infect computers and evade detection. Online security solutions should take heed and implement a truly comprehensive approach to security that includes both defensive and offensive elements, or online criminals will remain one step ahead.

Realistic Solution to the Malware Epidemic?

Thursday, April 10th, 2008

It’s hardly newsworthy that security experts at the RSA Conference this week pointed to malware as the biggest threat facing the Internet today. However, a more thought-provoking, if somewhat controversial, idea about malware was put forward by a noted security expert who offered that “the most effective approach to tackling botnets would be to impose penalties on people who allow their computers to become infected, making users take more responsibility.” Read the story here

While it’s critical that we explore new solutions, the idea of holding consumers responsible for becoming infected with malware is hard to imagine. For starters, given that between 20 and 40 percent of malware is not detected by endpoint security software, is it reasonable to expect everyday Internet users to protect themselves from a continual barrage of malware-based attacks? Our best and brightest security experts have been unable to address the malware threat. Will a largely non-technical Internet audience significantly reduce malware problems because of the threat of penalties?

Clearly, consumers have a responsibility to take reasonable precautions in order to protect themselves from online attacks. But it’ll take new approaches by businesses, security providers and government to really make a dent in the problem. Consumers are the weak link in the security chain. Social engineering combined with increasingly sophisticated technical attacks is too much for the average Internet user to overcome. A big part of the malware solution has to be hardening the consumer against human-based vulnerabilities. Otherwise, we’ll create an Internet that is not practical for use by the average Joe.

Cross Site Scripting Meets Search Engine Optimization

Wednesday, April 2nd, 2008

Yesterday’s revelation that certain Google search results contain tainted URLs that simultaneously take consumers to their intended site and redirect them to a second site for the purpose of installing malware shows that the bad guys continue to get creative. Read about it here in USA Today. Cross-site scripting, phishing and web-delivered malware are not new threats, but the combination of these elements with proven search engine optimization techniques poses a pretty lethal combination.

Hopefully, Google will take steps to protect its customers from these attacks. Web site operators can do their part, too. You can help protect your Web site from cross-site scripting attacks by ensuring that your application performs validation of all headers, cookies, query strings, form fields and hidden fields.
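The validation advice above, as an added example that is not part of the original post: every input channel it names (headers, cookies, query string, form fields, hidden fields) is checked against a per-field allowlist, undeclared fields are rejected, and the value is still HTML-escaped on output as a second layer. The field names, patterns and sample request are constructed for this illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Per-channel allowlists. Constructed for this example; a real application
# derives each pattern from the field's expected format.
FIELD_RULES = {
    "header": {"User-Agent": r"[\x20-\x7e]{1,256}",
               "Referer": r"https?://[\w.-]+(?:/[\w./?=&%+-]*)?"},
    "cookie": {"session": r"[A-Za-z0-9]{16,64}"},
    "query": {"q": r"[\w \-]{1,64}"},
    "form": {"email": r"[\w.+-]+@[\w-]+\.[\w.-]+",
             "csrf_token": r"[0-9a-f]{32}"},  # hidden field, checked like any other
}

def validate_channel(channel, fields):
    """Return [(field, reason)] for values failing their allowlist; undeclared
    fields are rejected too, so nothing reaches the application unchecked."""
    rejections = []
    for name, value in fields.items():
        pattern = FIELD_RULES[channel].get(name)
        if pattern is None:
            rejections.append((name, "undeclared field"))
        elif re.fullmatch(pattern, value) is None:
            rejections.append((name, "failed allowlist"))
    return rejections

def parse_cookies(cookie_header):
    """Split a raw Cookie header into name/value pairs without altering them."""
    pairs = (p.split("=", 1) for p in cookie_header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def validate_request(headers, cookie_header, query_string, form):
    """Check headers, cookies, query string and form fields (hidden ones included)."""
    query = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    return {"header": validate_channel("header", headers),
            "cookie": validate_channel("cookie", parse_cookies(cookie_header)),
            "query": validate_channel("query", query),
            "form": validate_channel("form", form)}

def render_search(q):
    """Output encoding as a second layer: values are escaped even after validation."""
    return "<p>Results for: %s</p>" % html.escape(q, quote=True)

# Constructed sample request: a script tag in the query string and a tampered
# hidden field, with clean headers and cookies.
SAMPLE = dict(headers={"User-Agent": "Mozilla/5.0", "Referer": "https://example.com/search"},
              cookie_header="session=abcdefghijklmnop1234",
              query_string="q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
              form={"email": "fan@example.com", "csrf_token": "<img src=x onerror=alert(1)>"})
```

Running `validate_request(**SAMPLE)` reports only the query and hidden-field rejections; the clean header and cookie channels return empty lists.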

Euro 2008 Football Tickets Site Hacked

Thursday, March 27th, 2008

The online ticket site EuroTicketShop.com was identified as distributing malware to visitors when they attempted to buy tickets for the upcoming soccer tournament. According to a security alert from Sophos, as reported in ComputerWorld, hackers were able to inject malicious code into the site, which was then downloaded to the computers of fans visiting the legitimate ticket site. The article points out that Google pay-per-click advertisements were also being used to attract visitors to the hacked site.


40% of All Computers Part of a Botnet

Monday, March 17th, 2008

Byron Acohido and Jon Swartz report in USA TODAY that 40% of all computers connected to the Internet are part of a botnet.


Just in: February 2008 Malware Stats

Wednesday, March 12th, 2008

I am just seeing the summary data discovered by our malware crawlers during February. Sites hosted in the United States represent 52% of all the sites we detected distributing malware.

It’s important to note that just because the sites are hosted in the United States doesn’t mean they all represent the actions of U.S.-based individuals. It’s probably fair to assume that a significant portion of the sites we discovered in February were: