Security Watch | Matt Hines » Web-based malware marches on

April 24, 2007

Web-based malware marches on

Two new research reports conclude that Web-borne malware programs continue to proliferate rapidly, with some experts citing "dramatic" growth of online threats.

According to AV specialist Sophos, the sheer volume of Web-based malware more than doubled during Q1 of 2007 when compared to the same period last year. The Boston-based company tracked some 23,864 new threats over the first three months of '07, compared with the 9,450 Web malware threats it saw during Q1 '06.

Spam e-mail also continues to prove a troublesome nuisance, with many threats being delivered by the time-honored channel. The total amount of spam observed by Sophos rose by 4.2 percent during Q1 '07, compared to Q1 '06.

Despite the increase, Sophos reported that there was a noticeable decline in the number of malware-laden e-mails it processed, with attack messages accounting for only 0.4 percent of all traffic, compared to 1.3 percent of all messages during the same timeframe last year.

Sophos said that it was able to identify an average of 5,000 newly infected Web sites each day, and said that China has become the leading host of malware-hosting URLs, accounting for 41 percent of all online attacks.

According to the company, the top ten malware families hosted on websites in Q1 2007 were:

1. Troj/Fujif
2. Troj/Ifradv
3. Troj/Decdec
4. Mal/Packer
5. JS/EncIFra
6. Mal/FunDF
7. Mal/Psyme
8. Troj/Zlob
9. Mal/Behav
10. Mal/DelpBanc

Most of the infected sites tracked by Sophos during the quarter were legitimate URLs that have been compromised by attackers. Some 70 percent of all malware-hosting sites fell into this category, according to the report.

"When comparing this quarter to the same period last year, it's very clear that cybercriminals are again changing the way they operate," Ron O'Brien, senior security analyst at Sophos, said in an e-mail.

"It's shocking that such a high percentage of web sites are vulnerable to hackers - this is definitely a big concern," O'Brien said. "Web site owners need to step up to bat, put more emphasis on safeguarding their sites, and if needed, allocate more resources to ensure that the proper security is in place."

The top ten countries hosting web-based malware in Q1 2007 were:

1. China
2. United States
3. Russia
4. Germany
5. Ukraine
6. United Kingdom
7. France
8. Netherlands
9. South Korea
10. Taiwan

In addition to the continued rise of China as a source of malware, Sophos' native home, the U.K., made the list for the first time ever. China displaced the U.S. atop the study for the first time.

In a separate report, Atlanta-based Exploit Prevention Labs released its March '07 Exploit Prevalence Survey.

According to the study, the top five most widely-reported Web exploits for the month were:

1. Modified MDAC
2. Q406 Roll-up package
3. Trojan Fake Codec
4. ANI
5. WMF

The security company specifically highlighted the impact of the ANI vulnerability, which affects multiple Windows operating systems, as interesting.

The exploit was able to successfully attack fully-patched Windows XP SP2 computers running Microsoft's IE 6 or 7 browser, and it landed the fourth spot on the rankings with only four days of distribution in the month.

"The ANI exploit is a sophisticated attack," Roger Thompson, co-founder of Exploit, said in an e-mail. "We believe it first originated in China, with the relatively benign goal of stealing World of Warcraft (WoW) passwords. But within days, bad guys from around the world had picked it up and begun enhancing it for more nefarious purposes."

In another trend, China's role in the security exploit world appears to be growing. The modified MDAC exploit leading the prevalence survey originated in China. This supports the belief held by Thompson, and by others including Trend Micro CEO Eva Chen and FaceTime botnet researcher Chris Boyd, that a global shift is taking place with China becoming a center for suspicious activity.

"We're now seeing a rapid rise in the number of active cybercriminal groups in China looking to profit from exploits," Thompson said. "The technical sophistication of Chinese exploit code is easily on a par with code coming out of the U.S. and Russia."

Posted by Matt Hines on April 24, 2007 11:34 AM

