Sophos sees huge increase in web-borne attacks
In June criminals infected almost 30,000 web sites per day with malware, Sophos states in its security threat report for the first half of 2007, a massive increase on the roughly 5,000 per day seen at the start of the year. In its analysis of one million sites blocked by Sophos, almost 29 per cent were hosting malicious code; of the remainder, 28 per cent carried adult material, 19 per cent spam and 4 per cent illegal content, with the final 20 per cent unspecified. Interestingly, about 80 per cent of infected web pages are hosted unwittingly by legitimate sites, such as travel agencies or web shops. More than half of these are currently sited in China.
Graham Cluley, senior technology consultant with Sophos, emphasised in an interview that just over half of the infected servers are Apache, many of them running on Unix. He suggested that generally slack security contributes more to this position than any specific software or platform vulnerability. He also commented that a good deal of the malware currently active in the wild is several years old and well represented in anti-virus signature databases, suggesting that failure to manage countermeasures properly again contributes significantly to the continuing problem. The tools are available and competent, but they are not being used effectively.
The preferred malware vector is now the use of links in email messages to entice victims to visit an infected web page, rather than delivery of malware directly in email attachments. The latter represented just over a quarter of one per cent of emails detected by Sophos, whereas emails containing links to malware sources are generally reckoned to constitute around five per cent of total spam. The nature of the attachments used for enticement is also changing. Whereas previously image file formats were used directly to evade spam filters, perpetrators are now resorting more often to images embedded in PDF files, or in some cases even in Excel spreadsheet files. As these are less immediately appealing to the typical user/victim, Sophos reads this as a sign that spam filters are coming to grips with the problem, forcing spammers to use less effective enticement methods in order to evade them.
According to Cluley, the craft quality and variety of much current malware has declined dramatically as its incidence has increased, to the point where Sophos is able to perform much of its analysis using automated methods. This is probably symptomatic of the increasing use of toolkits such as MPack and Pinch Builder, which allow malware assembly by relatively (or even completely) non-technical persons but which can be expected to produce relatively predictable output. These declines are, however, associated with much greater potential for rapid change: one example site Cluley quoted changed the detail of its malware content several hundred times in 24 hours, which strongly suggests automated dynamic malware generation. If, as now seems likely, such automation proves to be the way forward, we could potentially move towards a robot wars situation in which machines on both sides slug it out without much human intervention. Nevertheless, and automation notwithstanding, the Mal/Iframe attack vector, which dominated the half-year figures at 49 per cent of total attacks, relies on the ability to suborn a poorly protected web server and plant a hidden iframe in its pages. Much still needs to be done to raise the general security management standards of such resources.
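The Mal/Iframe pattern described above is a legitimate page with a hidden, off-site iframe injected into it. The following is an added example, not code from Sophos or from this article, of the triage check a site owner or analyst would run over fetched HTML to spot such an injection: it flags iframes that are near-zero size, hidden by CSS, or loading from a host other than the page's own. The function and class names, the sample page and the 203.0.113.9 address are assumptions constructed for the example. Legitimate pages also embed off-site frames (advertising, widgets), so the output is a list of candidates to review rather than a verdict.

```python
"""Flag hidden or off-site iframes in fetched HTML (added example, not Sophos code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides a frame from the visitor while the browser still loads it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser gives None for valueless attributes; normalise to "".
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True when a width/height attribute is 0 or 1 px, typical of injected frames."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def find_suspicious_iframes(html, page_url):
    """Return iframes that are hidden, near-zero size, or loaded from another host.

    Each finding is {"src": ..., "reasons": [...]} so the reviewer sees why it was flagged.
    """
    page_host = urlparse(page_url).hostname or ""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.frames:
        src = frame.get("src", "")
        src_host = urlparse(src).hostname or ""
        reasons = []
        if _tiny(frame.get("width", "")) or _tiny(frame.get("height", "")):
            reasons.append("near-zero size")
        if HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden by CSS")
        # A src on a different host is the usual shape of an injected redirector.
        if src_host and src_host != page_host:
            reasons.append("off-site src")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a travel-site page with one legitimate frame and one injected frame.
SAMPLE_PAGE = """<html><body>
<h1>Holiday offers</h1>
<iframe src="https://www.example-travel.test/booking" width="600" height="400"></iframe>
<iframe src="http://203.0.113.9/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE, "https://www.example-travel.test/offers"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run against a crawl of your own site, the check is cheap enough to execute on every page; a single hit with all three reasons is a strong indicator that the server has been suborned, whereas an off-site frame on its own usually needs a human look.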
Another interesting departure demonstrated to heise Security was a trace from the Sophos real-time feed, showing a malicious site forwarding visitors from the initially compromised server to a host in Brazil via intermediate hosts in Poland, the eastern USA and Russia. Among other things, this multi-hop technique helps to thwart law enforcement by pushing the requirement for trans-national co-operation to impracticable limits. However, the perceived need for such a technique suggests that enforcement within individual jurisdictions is improving.
It appears, therefore, that despite some high-profile but relatively small-scale, highly targeted attacks, such as those discovered by Message Labs at the end of June, attackers are now going for mass coverage of the internet, possibly expecting quite small proportional returns, and are resorting to more complex methods than hitherto in order to circumvent increasingly effective countermeasures, particularly in the area of spam management.