Security Watch | Matt Hines » Malware moves from scattershot to honeypot

September 17, 2007 | Comments: (0)

Malware moves from scattershot to honeypot

TAGS: Security

End users were far less likely to receive malware programs in their in-boxes and far more likely to get attacked as they visited legitimate Web sites over the first six months of 2007, as threats continue to shift from widespread campaigns to distribution via targeted outlets, according to researchers at Symantec.

Whereas attackers have traditionally utilized far-ranging schemes that sought to find their way onto as many desktops as possible through ubiquitous communications channels including e-mail and IM, hackers and cyber-thieves are rapidly transitioning to socially-driven threats that seek to use news events or popular topics to reel-in their victims online.

While the shift has been happening for the last several years, authors of Symantec's latest Internet Security Threat Report, published on Monday, said that the move was more evident during the first six months of 2007 than ever before.

"I think this truly represents a big change, we've started to see attacks shifting away from going after the end users to the use of targeted outlets as the primary infection point," said Dean Turner, senior manager of Symantec's Security Response Team and executive editor of the report, which is published twice annually.

"Almost all the malware code we're seeing is on the Web, and much of it on trusted sites, so the victims are coming to the bad guys versus the old days where it mostly went the other way around," he said.

Overall, Symantec observed some 212,101 new malware attacks during the first half of 2007, a dramatic 185 percent increase over the second half of 2006. Of those threats, the company said that Trojan viruses accounted for 73 percent of the top 50 malicious code samples, a 60 percent increase compared to the previous six months.

A growing number of attackers are also utilizing widely-available and increasingly-sophisticated malware-authoring toolkits such as MPack -- which has been used to assail large numbers of financial services companies and their customers, and is believed to be supported by Russian cyber-thieves -- to stay on top of the latest browser vulnerabilities and find new legions of victims, Turner said.

The professionalism of the toolkits is making for a subsequent increase in the complexity of common attacks and making it harder for webmasters to keep their sites from being hijacked, according to the expert. The expense of the code is also heading downward, with MPack widely-sold on underground markets for roughly $1,000, the company said.

Turner said that browser plug-ins remain a popular format for sneaking code onto people's PCs, with ActiveX-based plug-ins representing the lion's share of the infected applications being doled out to unsuspecting Internet users. Over the first half of 2007, Symantec documented 237 vulnerabilities in Web browser plug-ins, a significant gain over the 74 it discovered during in the second half of 2006, and the 34 it unearthed in the first half of 2006.

Some 89 percent of all the nefarious plug-ins observed by Symantec over the first two quarters of 2007 involved ActiveX exploits. By comparison, ActiveX threats accounted for only 58 percent of plug-in vulnerabilities in the second half of 2006.

"The toolkit development is becoming a real industry with all the money that is being made, and the Web browser remains the biggest security hole for most end users and organizations," Turner said. "It's simply easier for the criminals to do business this way; if they can take over a site and redirect all the users to a malware server, they can't be caught by intrusion detection or intrusion prevention systems."

In addition to tricking specific types of people, attackers are also being more aggressive about watching out for those that might be pursuing them, said the researcher. The criminals are also using techniques to avoid serving their exploits to machines or IP addresses that are known to be used by security companies and law enforcement officials.

Another ongoing shift in malware activity involves the increasing regionalization of threats, Turner said. A larger number of threats are being written in languages including Chinese and German to help lure victims in those regions, according to the report.

In Asia, for instance, more attacks are being written that are aimed to break into massive multiplayer online role-playing games and steal users' information since the Web-based networks have become so popular with people in the region.

"Instead of focusing on a global attack pattern, these people know they can focus on specific regions," said Turner. "We're seeing a particular increase in regionalization in areas where broadband use is growing and there are whole new groups of potential targets coming online all the time."

However, according to Symantec, the United States was the leading location for "underground economy servers," or those controlled by known criminals, during the first six months of 2007, accounting for 64 percent of all systems tracked by the firm.

On those sites, credit card data was the most commonly-seen asset for sale, making up 22 percent of all goods advertised on the underground markets. Symantec said that it found 8,011 distinct credit cards being advertised for exchange on underground servers, with 85 percent of those accounts issued by U.S. banks.

Symantec said that the regionalization of threat activity was particularly evident in the distribution of certain types of malicious code.

For instance, 44 percent of all Trojan attacks tracked by the company were reported from North America, while 37 percent were reported from Europe, the Middle East and Asia (EMEA). By contrast, the EMEA region harbored 43 percent of all worms, while North America only accounted for 23 percent.

Posted by Matt Hines on September 17, 2007 02:15 PM

RATE THIS ARTICLE: