The rise of web application and Web 2.0 innovations such as social networking sites has provided malicious internet attackers with a new strategy, security vendor Symantec says in its latest threat report. Instead of seeking out vulnerable users individually, the attacker compromises a website that thousands of users trust and waits for potential victims to come to them.
Typically these victims will be looking to execute a useful application remotely through web protocols, or looking to socialise with others and upload their own thoughts, pictures, videos and other content through a social networking site. They could pick up an infection and transmit it to others who read or view their contributions on the site, or those who re-use it as part of a “mash-up”.
“Over the past several years, as web applications have been more widely deployed, they have been increasingly targeted by attackers as a simple means to circumvent network security measures, such as [intrusion detection/prevention systems] and firewalls,” says Symantec.
“Social networking sites have proven fruitful for attackers because they give access to large numbers of people, many of whom implicitly trust that the site — and the content on it — are secure.” The attackers are catching out users who have learned to be wary of infected email.
Compounding the danger is the fact that web applications are vulnerable to attack. “During the current reporting period (January to June 2007), 61 per cent of all vulnerabilities disclosed were web application vulnerabilities,” says Symantec — though this represents a slight drop on the 66 per cent recorded in the previous six months.
“Many Trojans are now being installed via web pages that exploit web browser vulnerabilities and browser plug-in vulnerabilities,” says the report. “In the first half of 2007, Symantec documented 237 vulnerabilities in web browser plug-ins, over three times the number of plug-in vulnerabilities from the previous reporting period.”
The multi-phased attack or “staged downloader”, typically led by a Trojan, is becoming more common, says Symantec. The Trojan, having penetrated the user’s computer, will then download more malicious files from a remote location, or change browser settings to direct the user to a malicious website.
The multi-stage structure of the attack means that, while the first stage is common to all sites attacked, subsequent stages can be tailored according to the damage the attacker wishes to do or the information they wish to extract. The latter is a rapidly increasing motive. “Most attacks are now driven by a quest for data or information that can be used directly for fraud or theft — such as credit card numbers or bank account information — or that can be used indirectly to create the necessary conditions for fraudulent activities. The most obvious example of the latter is identity theft.”
Attacks targeted by region are another notable trend. Recent worm attacks have been couched in email worded in specific languages aimed at a limited population — and the people with whom they do business, and to whom they may pass the infection.
Increased penetration of broadband into a territory often brings an increased volume of attacks, says the report. This may be partly due to users not realising the upgraded security measures necessary to protect an always-on, high-speed connection in contrast to a dial-up link; but it may also be due in part to ISPs. A provider with a new broadband offering is “likely to focus resources on meeting growing demand at the expense of implementing adequate security measures, such as port blocking and ingress and egress filtering”, says Symantec. “As a result, these ISPs may have security infrastructures that are underdeveloped relative to their needs.”