Malware finds a new home

Commentary--Compromised Web pages are now rapidly emerging as the replacement vehicle of choice for mass malware distribution. Let's keep up with the virus writers, says Secure Computing's Paul Henry.
Written by Paul Henry, Contributor
Commentary--Conventional wisdom says e-mail systems are the pipeline of choice for malware distribution. But times have changed, and so too have Internet attack patterns.

In many cases, mass-mailing malware is now inefficient due to the noise it generates as it traverses the Internet. Similar to a sonic boom, the noisy e-mail attacks send echoes across the Web, giving administrators ample time to alert users, lock down networks and mitigate new threats.

Sure, targeted e-mail attacks will continue. But compromised Web pages are now rapidly emerging as the replacement vehicle of choice for mass malware distribution. Multiple layers of exploit code targeting Web systems have found a blind spot in safeguards such as traditional Anti-Virus and Intrusion Detection Systems (IDS). Malware code using everything from simple UU encoding techniques to elaborate self-decoding Java scripts is currently wreaking havoc on the Internet. The methodology has become so popular that a security term has been coined to represent the act of Web-based malware distribution--drive-by-downloads.

The attack trends are undeniable:

• E-mail based malware today is running at a rate that is less then half of that seen on 2006.
• At the same time Web-based malware is seeing explosive growth, up over 150 percent in the same time period.
• On average more then 5,000 new Web sites hosting malware are discovered daily with China leading the way as the top malware hosting country in the world.

With these trends in mind, Web-based malware has caught the attention of security researchers. Google, for instance, recently disclosed that 450,000 out of 4.5 million URLs (1 in 10) were successfully launching malware binaries and another 700,000 URLs were found to have suspicious activity. Google published its findings in a report entitled "The Ghost in the Browser" (Click here).

A recent posting on the SANS Internet Storm Center (a security blog) revealed how quickly one bad site can turn into a Web of problems. Specifically, the blog revealed that a single malware-hosting Web site contained a list of more than 600 other suspected malware sites. (See details here)

Hybrid attacks are also becoming commonplace. In a hybrid attack, malicious banner ads can be posted across multiple Web sites. When an unsuspecting user clicks on the malicious ad, he or she is redirected to a compromised Web site that installs key loggers on to the user's PC.

The spread of malware onto more and more Web sites is undeniable. Numerous high profile Web sites have been compromised, including:

The Web-based malware explosion continues to evolve. In the recent weeks we’ve seen an increased circulation of links to videos that are supposedly hosted on YouTube, but are in fact links to malicious files hosted on third-party sites. The infamous Zlob adware has masqueraded as a YouTube video object on a third-party Web site that looked very similar to the actual YouTube site.

When a user selects the Zlob-compromised video on the masquerading Web site they are bombarded with advertisements.

Alas, masquerading Malware hosted on "look-a-like" Web sites wasn't a one-time problem for YouTube. In another earlier example, a video on a third-party Web site masquerading as YouTube called "After World Episode 6" caused a file with a movie icon to be downloaded to users' PCs. When users clicked on the icon, two different Trojan horses were installed on their PCs. The Trojans stole the users' personal information and then sent it to a server in the former Soviet Union.

The total solution
The situation sounds dire. Until you begin to examine a more modern approach to IT security known as a reputation-based defense systems, that is. One solution, known as TrustedSource, combats both spam and Web-borne malware.

TrustedSource leverages thousands of intelligent security outposts across the Web to develop reputation scores for specific IP addresses, networks, domains and other Internet entities, as well as message content and images. Similar to your financial credit score, It also ranks Internet entities according to their associated risk, and then takes the appropriate action to either permit or block traffic from that entity.

The TrustedSource system examines dozens of variables, including:

• When was the domain registered?
• Who owns the domain and what other domains are owned by that entity?
• From where are URLs accessed and at what times?
• How many IPs host a domain and what did we learn about them?

Reputation defense data now augments the capabilities of a URL filter, providing the ability to effectively defend against Web-borne malware. Simply put, the dynamic reputation information is combined with the URL filtering information within the URL filters database. Users are transparently protected from Web-borne malware by the incorporation of reputation scores within traditional URL filtering.

Paul Henry is vice president, Technology Evangelism, at Secure Computing Corporation. He can be reached at paul_henry@securecomputing.com.

Editorial standards