Trusted Web Sites Attract Malicious Activity, Symantec Report Reveals

The Global Internet Security Threat Report shows that as networks are more strongly protected, attackers have shifted tactics and targets.

End-users' computers are no longer the focus of attacks; that distinction is now the Web site visitor. That's one of the highlights from Symantec's latest Internet Security Threat Report Volume XIII, released last week. The company also points to an unprecedented professionalism by attackers. No longer content to do mischief, attackers are focusing on Web sites users trust by using plug-ins on the client side and creating malware that launches multi-stage attacks. Worse, only 4 percent of identified vulnerabilities on Web sites have been patched during the six months surveyed.

"It's no surprise that trusted Web sites are the focus of activity," Wayne Periman, director of operations of Symantec Security Response, told Enterprise Systems. "It's where they'll have the greatest likelihood of success. In the past they've targeted lots of computer systems; now they just move through victims in social network sites."

Periman said the company found over 11,000 site-specific vulnerabilities compared to 2000 "traditional" vulnerabilities during the same period. "What makes this even more remarkable," he admits, "is that at the time of the report, only 473 of these vulnerabilities had been patched." Administrators didn't react quickly: it took an average of 52 days to patch Web sites. The apps might be home-grown, written or maintained by developers unfamiliar with the latest code-securing techniques, which could explain the lengthy time-to-patch. However, giving administrators more time didn't improve security. Symantec found that only 330 of the 6,691 site-specific vulnerabilities reported from the previous report (covering the first half of 2007) had been fixed by early 2008.

Of the top 50 malicious code samples Symantec examined, seven percent modified Web pages; just three percent of samples from the first half of 2007 did so. (Trojans, at 71 percent, and worms, at 22 percent, still top the list of vulnerabilities.)

Malicious activity is also increasing within ActiveX plug-ins. "The plug-ins can be easily used to download more malware on the user's system. Of 239 browser-based vulnerabilities, 79 percent affected ActiveX." The company detected several zero-day exploits using ActiveX files, including on Real Networks' RealPlayer application and a December 2007 attack on HP laptops.

As reported in previous issues of Enterprise Systems, a healthy underground economy is spurring growth in vulnerabilities. "Attackers are seeking information, not the computers the data is stored on," Periman notes..

Financial sites have long been a popular target of direct attacks, but the increased security measures taken at those sites have led attackers to turn their attention to social networking sites to get their information. Credit card companies have also become more diligent in preventing fraud. Instead of direct hits, the financial services sector remains the largest target of phishing Web sites (66 percent), down from 72 percent in the first half of 2007. Symantec attributes the drop to a rise in phishing attacks targeting ISPs (18 percent, up from 3 percent in the first half of 2007).

Symantec defines a trusted Web site as a site where the users trust the content of the page, of which social networking sites make up a large segment. "Social networking sites are easy to spoof, profiles have lots of useful information on them, and harvesting the information is easy," Periman explains. Users expect that messages from their friends are genuine. Attackers target the vulnerabilities within the applications running on these Web sites or use plug-ins or exploit malware from these sites.

To no one's surprise, attacks are motivated by financial gain. "Malicious code threats are now designed to steal information. In fact, 68 percent of the top threats were designed to get confidential information." That's not a significant increase from the first half of 2007, when the rate was 65 percent. However, the nature of the code has changed. "We found that 86 percent of confidential information threats had remote-access components, and 76 percent used keystroke-logging components."

Underground trading of information and malware-creation components is growing, highlighting what Periman calls the professionalism of the attackers. "It's almost as though they've received their MBAs. They're following all the market rules, from supply-and-demand (such as bulk pricing, which is now commonplace) to adjusting how threats are developed based on customer demand."

They're also moving quickly and understand international markets. Outsourcers are turning to Romania (the country is third behind the U.S. and China of all malicious sites hosted) to host phishing Web sites. Peru, while having a low number of broadband users, had the highest per-capita volume of malicious activity during the reporting period. Symantec says there is a nine percent probability that an attack occurring in one of the top 25 countries originated from Peru. (Peru didn't even register in the previous reporting period.) Because 80 percent of computers in that country are located in public places and may not be adequately protected, they're a ripe target for misuse, Symantec's report points out.

"Furthermore, we found that when malicious business activities rose in Russia, upstream ISPs started clamping down, so attackers moved to China instead," Periman says.

Of all malicious activity ever tracked, Symantec found that two-thirds of the vulnerabilities were created in 2007. Older techniques (such as key logging and Trojans) remain popular, but many existing threat agents, such as bots, continue to evolve. Although the number of bots dropped by 17 percent in the latest Symantec report, "traditionally bots would go back to command and control for instructions, that's less the case now. Today's bots are starting to hide themselves in an attempt to be far more difficult to detect," Periman reports.

Symantec draws information from many sources, including more than 40,000 sensors in Symantec products and services that monitor networks in more than 180 counties, third-party sources, forums such as BugTraq, and decoy accounts set up in over 30 countries to attract e-mail vulnerabilities and spam.

The report can be downloaded here.

Must Read Articles