Web malware: Is the internet burning?
With malware signatures doubling every year since 2006, the problem of web-based attacks appears out of control, says Mary Landesman.
While discussing the rapid growth of web-delivered malware, an industry colleague commented that the internet is like a city where everyone lives in straw houses and 10 percent of inhabitants are arsonists.
That parallel is uncomfortably close to the truth. According to researchers at PandaLabs, an average of 37,000 new malware samples are discovered and processed each day.
Over half — 52 percent — of that malware will be reconfigured within 24 hours of its release in an effort to evade signature-based scanners.
Those who had their systems infected in the first 24 hours of the malware's existence will continue to have an active, functioning infection.
New variants
Those who encounter the same source after the initial 24 hours will be exposed to a new variant which may or may not share the same characteristics of the original, and may or may not be detectable via the signatures released the day before — assuming signatures were released that quickly.
What is most disturbing about these numbers is not the challenge they pose for security vendors. The really disturbing aspect is what these numbers tell us about the success of web-delivered malware.
Each year since 2006, the number of malware signatures has doubled, or more than doubled. That timeframe is significant, because its start coincides with the wide adoption of MPack and similar exploit frameworks, and the resulting continued mass compromises of legitimate websites.
Not only are the numbers of pieces of malware increasing, the numbers of distribution points, which are largely compromised websites, also continue to rise.
Sophisticated and insidious
At the same time, the malware itself has become far more sophisticated and insidious in both its payload and its intent. According to ScanSafe Stat research, web-delivered data-theft Trojans have increased 4,955 percent since 2007 and 1,424 percent just over the past year.
Today, data-theft Trojans form the second largest category of web malware detected via the web, outstripped only by blocks on the compromised websites and exploits designed to deliver that malware.
The distribution methods are evolving just as quickly. Today's cybercriminals have a deep understanding of web technologies and user behaviour. Given their ubiquitous use and operating system and browser independence, third-party plug-ins are now a common target for vulnerability exploit.
Adobe products have borne the brunt of the onslaught. In 2008, vulnerabilities in PDF and Flash were the most common exploits used to deliver malware via the web.
Indeed, the problem of vulnerabilities in Adobe products has risen to such an extreme, it prompted Stephen Northcutt, director of the Sans Technology Institute, to deliver this warning: "I think organisations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organisation at risk.
"Try to minimise your attack surface. Limit the use of Adobe products whenever you can."
As further example of attackers' awareness and the evolution of their attacks, the web is now proving valuable for backdoor management. Most recently, Twitter, Tumblr, Jaiku and similar social messaging platforms were discovered to be used for botnet command and control.
Clearly, whatever the latest and greatest internet fad, chances are the criminals are already there — whether to distribute more malware or to control their existing infections.
Mary Landesman is the senior security researcher for ScanSafe.