Topic: Over half new applications in ’07 malicious says Symantec

[Samker]

Email, once the cyber criminals’ favourite method of delivering malware to your computer, has been replaced by the web as the primary conduit of attack says internet security firm Symantec.

In its latest Internet Security Threat Report, Symantec says that in the past, users had to intentionally visit malicious sites or click on malicious email attachments to become a victim of malcode. “Today, hackers are compromising legitimate websites and using them as a distribution medium to attack home and enterprise computers. Symantec noticed that attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites.”

The company says it detected 11,253 instances where cyber criminals used cross-site scripting vulnerabilities - where attackers inject malicious code into web pages - in the last six months of 2007. However, it says only 473 (about 4 per cent) of those were patched and that typically took 50 days to happen.

The result is that cross-site scripting has become a key propagation vector for cyber criminals, says Symantec New Zealand systems engineer Rogan Mallon.

One of the first examples seen in the wild was the attack kit MPack37, observed in May 2007. This compromises web pages, typically through the insertion of iframes, to redirect users to an MPack server that attempted to exploit browser and plug-in vulnerabilities, and install malicious code. It took advantage of users visiting legitimate, trusted web pages that had been compromised.

Symantec adds that over the last six months of 2007, 18 per cent of malicious code samples in the APJ region had the ability to modify web pages. This is significantly more than the 7 per cent observed globally, and a substantial increase from the 5 per cent recorded in the APJ region during the first half of 2007, the company says.

One explanation for the greater percentage is that three of the top malicious code samples and three of the top new malicious code families in the region modify HTML code as a means of propagation.

Fujacks was the second most common sample causing potential infections in the region. Symantec says this malicious code is interesting for two reasons: First, it attempts to modify HTML files on a local file system by seeking out common web format files (.html, .aspx, etc), which are appended with an invisible iframe. Second, if and when a browser views that HTML content, locally or remotely, the browser will be redirected to a malicious website where a code download is attempted.

The Symantec report also says that in 2007, 711,912 new threats were detected compared to 125,243 in 2006 - an increase of 468 per cent. More than half of those codes appeared in the second half of 2007.

Mallon says another important security development for 2007, that of the 54,609 unique applications released to the public, 65 per cent were malicious - the first time the company had observed malicious software outpacing legitimate applications.

This means, according Mallon, that in the future security firms will start releasing “white lists” of safe applications rather than blacklists.

“Traditionally, security companies have relied on issuing blacklists of malicious code to protect users. But if there is now more malicious code being released than good code, there is a real business case to create and release white lists instead.”

This becomes even more valid in light of a new type of malcode that turns traditional attack techniques on its head. Instead of attempting to infect as many computers as quickly as possible, this code is developed to infect as few as five machines. “This is so it can fly under the radar of security companies and their blacklists,” says Mallon.

Cyber criminals then sit on infected machines, either to selectively harvest very lucrative personal or financial details, or to launch a wider attack at a later date, he explained.

(Copyright by Techachino)