The report shows that, for the second consecutive month, Web malware and particularly Web viruses increased significantly.
According to the company, Web viruses increased 36 per cent in May following an increase of 26 per cent in April. Spyware increased 10 per cent in May, following an 8 per cent increase the previous month.
"This is the second consecutive month of a meaningful increase in Web viruses," said Dan Nadir, vice president, product strategy, ScanSafe. "The ANI (animated cursor) vulnerability, reported in late March, may be responsible for part of this increase. While a patch has been available since early April, millions of PCs remain unpatched and vulnerable to ANI exploits. We expect to see ANI exploits for months to come."
The company also cautioned that it is increasingly seeing legitimate websites unknowingly host malware as the result of malicious content provided to sites by third parties or through compromised servers. This includes content from ad servers, user-contributed content, and widgets (interesting content from third-party sites embedded into the Web page). Even more troubling, when hosting companies are compromised, all of their customers' websites are at risk.
"Many websites today do not have one single content owner," said Nadir. "In addition to content provided and controlled by the website owner, it might also contain third-party content provided from advertisements, blogs and other sources. This decentralization of content ownership and the increase in moving parts has made it easier for malware authors to seed malware on legitimate, trusted sites without the website owner's knowledge. It's a growing problem."
In recent weeks, ScanSafe has identified two instances of malware being spread on legitimate sites via content that came from a source outside of the website owner's control:
1. In early June, hackers gained access to passwords for FTP accounts for 3,500 websites hosted by DreamHost. ScanSafe identified two high-profile U.K. music industry sites that were then compromised to unknowingly host an iFrame (inline frame, a floating frame inserted within a Web page) that loaded Trojan-Downloader.JS.Psyme.fq. It then redirected to a malicious website, where a second piece of malware, Trojan-Downloader.Win32.Small.mi, was executed. The entire attack was completely invisible to users, including the iFrame, which was only one pixel wide.
The sites were www.clintons.co.uk, a well-known law firm that has represented musicians including Paul McCartney, The Who, Jimi Hendrix and U2, and www.nationwidemercurys.com, the prestigious Mercury music awards site sponsored by Nationwide, whose previous winners have included Coldplay and the Arctic Monkeys.
2. In early May, a compromised ad server was used to distribute an ANI exploit on www.tomshardware.com, a popular technical product review site. An ad redirected users to an infected site which hosted the Trojandownloader.ani.gen. Over the past three months, ScanSafe has observed various mainstream ad servers being used to spread malware.
The recent attacks highlight the necessity of anti-malware solutions that scan Web traffic in real-time.
"We believe that malware authors are starting to leverage obfuscation techniques to avoid detection by Web filtering solutions that rely on crawling the Web to identify malware," Nadir said. "Traditional Web filtering solutions that rely on periodically updated URL databases and honeypots to identify threats can leave users exposed to these anti-Web crawling attacks. In addition, they cannot keep up with the dynamic, user-generated content that characterizes today's sites, particularly Web 2.0 sites."
The ScanSafe Global Threat Report is based on real-time analysis of more than 7 billion Web requests scanned and more than 12 million Web threats blocked by the company in May on behalf of its corporate customers. It is the largest analysis of Web security threats based on real-world traffic.
[We have seen similar reports from a number of other sources, and they are quite worrying. The anti-malware industry doesn't appear quite ready for Web 2.0 yet. And where do the liabilities lie? --Ed].
Related links:
www.scansafe.com/__data/assets/pdf_file/4344/gtr_may2007_v4.pdf