* Several visitors to the website of the embassy of Portugal in India were infected with malware last month. Other victims of embassy malware attacks include the US Consulate in St Petersburg and The Netherlands Embassy in Russia
* Official website of Rajshri Productions, India, was compromised last month and infected the machines of site visitors with malicious code
* One of the top 500 most-trafficked websites, Businessweek, suffered an attack in September when hackers hit hundreds of its pages with a SQL injection attack
* Password-stealing Trojans, delivered by malicious scripts, were found on the computers of visitors to nature.com
The internet is not just our window to the world; it is also being used to look back at us. These Web attacks may not make headlines the way the alleged Chinese cyber espionage programme, said to have spied on computers in more than 100 countries, did. But they are growing fast into a major menace.
Even more alarming is that the divide between good and bad websites is blurring. Malware and spyware are spreading to legitimate, reputable websites. About 70% of the 718 security incidents reported in India in February involved malware spread through compromised websites, according to the Indian Computer Emergency Response Team (CERT-In). Globally, Web attacks were launched from 8,08,000 unique domains last year, and many of these, according to security software vendor Symantec, are mainstream websites: news, travel, online retail, games, real estate and government.
You can no longer safely assume that illegitimate sites are the sole source of Web-based attacks. "Today, any website can be compromised by attackers and used to attack your computer. The notion of being safe if one only visits good sites no longer holds true," confirms Symantec India products operations head Shantanu Ghosh.
Globally, more than 18 million drive-by download attacks and more than 23 million misleading application attacks were launched on websites last year alone, according to the latest reports from Symantec. "On average, over 2,000 new, unique malware threats hit the internet every hour. It now takes less than a week to produce the entire malware output of 2005," agrees Trend Micro country manager (India and Saarc) Amit Nath.
The reasons are not hard to find. Foremost is the growing complexity of websites. A modern website combines many different content sources, dynamically assembled with many different scripting technologies, plug-in components and databases. Some content, such as advertisements, comes from an entirely different site under a third party's control. A single page as the user sees it may be pulled together from 10 to 20 different domains. "The task of keeping such Web servers secure has not kept up with the growth and the complexity of building out a website," explains Ghosh.
Browsers are getting more complicated and riskier too. About 600 million browsers are estimated to have been insecure last year, before even counting vulnerable third-party plug-ins, ActiveX controls and multimedia plug-ins. "Every CIO today looks for a tighter control over their corporate environment. The browser is the single biggest window for malware to enter your corporate environment," says Ramesh Gopalakrishna, director, Windows Client Business Group, Microsoft India.
Many new techniques for compromising legitimate websites are emerging. Two popular ones, according to Symantec, are SQL injection and malvertisement. SQL injection exploits flaws in the way a website passes user input into queries against the database running behind it: by supplying input that the application stitches into a query as SQL rather than as data, an attacker can read or modify the database, and in mass attacks on high-traffic sites the injected queries plant malicious script in stored content that is then served to every visitor. Malvertisements deliver the attack through an ad content provider supplying content to the legitimate website, not from the website itself. A single malicious advertisement may appear only once every 1,000 page views, or only to viewers in a certain geographic region, making it far harder to detect and eradicate.
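The SQL injection flaw described above, shown as an added example that is not code from the article or from any vendor it quotes. It uses Python's built-in sqlite3 module; the users table, its rows and the two payloads are constructed for the demonstration. The vulnerable login pastes user input into the query text, so a quote character ends the string literal and the rest of the input is parsed as SQL; the fixed version binds the values as parameters, so the database can only ever treat them as data.

```python
"""SQL injection: a login query built by string concatenation beside the same
query with bound parameters. Added example, not code from the article or from
any vendor it quotes; the users table and its rows are constructed for the demo."""
import sqlite3


def make_db():
    """Constructed in-memory database standing in for a site's user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return con


def login_vulnerable(con, name, password):
    """Flawed pattern: user input is pasted into the SQL text, so a quote in
    the input ends the string literal and the remainder is parsed as SQL."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchall()


def login_safe(con, name, password):
    """Fix: the query text is fixed and the values are bound separately, so
    the database engine only ever treats them as data, never as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchall()


# Two classic constructed payloads: the first turns the WHERE clause into a
# tautology (AND binds tighter than OR, so every row matches); the second
# bolts a UNION onto the query to read the password column out and comments
# away the rest of the original query.
BYPASS = "' OR '1'='1"
DUMP = "' UNION SELECT password, role FROM users --"


def demo():
    """Return (rows the bypass yields, rows the dump yields, rows the safe
    version yields for the bypass payload)."""
    con = make_db()
    return (login_vulnerable(con, "alice", BYPASS),
            login_vulnerable(con, DUMP, "x"),
            login_safe(con, "alice", BYPASS))


if __name__ == "__main__":
    for rows in demo():
        print(rows)
```

Against the vulnerable function the bypass payload returns every user and the dump payload returns every stored password; against the parameterised function the same inputs return nothing, because no user is literally named `' OR '1'='1`.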
Popular attack techniques also include obfuscation, which conceals an attack by making its operations more complex and thus harder to detect. In server-side polymorphism, the attacker runs software on the Web server that generates a new variant of the malware every few minutes or hours, so that each download differs from the last and no single signature matches for long. Clickjacking is a newer technique in which the attacker hijacks clicks on a webpage: the target page is loaded in an invisible frame laid over a decoy page, so when the user clicks on what appears to be an innocuous button or link, the click actually lands on a control in the hidden page. The user unknowingly performs an action there, often one that leads to a malicious website or another misleading application.
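Clickjacking works only if the target page can be loaded in a frame on the attacker's site, so the practical check is whether a page's response headers forbid that. The following is an added example, not code from the article or from any vendor it quotes: it decides, from a constructed set of response headers, whether a browser honouring `X-Frame-Options` and the Content-Security-Policy `frame-ancestors` directive would render the page inside a frame on another origin. The page and framer URLs are invented; port matching and the report-only CSP header are deliberately left out.

```python
"""Clickjacking defence check: given a page's response headers, decide whether
a browser would let another origin load the page in a frame. Added example,
not from the article; the header values and origins used are constructed."""
from urllib.parse import urlsplit


def _origin(url):
    """(scheme, host, port) triple used for same-origin comparisons."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the policy
    has no such directive. An empty list means the directive matches nothing."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _source_matches(source, framer, page):
    """Match one frame-ancestors source against the framing origin.
    Handles 'none', 'self', *, scheme sources (https:) and host sources with
    an optional *. wildcard; port matching is deliberately omitted."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer == page
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:       # scheme source, e.g. https:
        return framer[0] == src[:-1]
    scheme, _, host = src.rpartition("://")
    host = host.split("/", 1)[0].split(":", 1)[0]   # drop any path and port
    if scheme and framer[0] != scheme:
        return False
    if not scheme and framer[0] != page[0]:         # host-only source keeps the page scheme
        return False
    if host.startswith("*."):
        return framer[1].endswith(host[1:])
    return framer[1] == host


def can_be_framed(headers, page_url, framer_url):
    """True if a page served with `headers` at page_url may be framed by a
    document at framer_url. When frame-ancestors is present it takes
    precedence over X-Frame-Options, which is how browsers implement it."""
    page, framer = _origin(page_url), _origin(framer_url)
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, framer, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    if xfo.startswith("ALLOW-FROM"):                # legacy form, not honoured by every browser
        parts = xfo.split(None, 1)
        return len(parts) == 2 and framer == _origin(parts[1])
    return True                                     # no defence header at all: frameable


if __name__ == "__main__":
    # Constructed headers for a hypothetical page at https://bank.example/
    hdrs = {"Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://*.partner.example"}
    for framer in ("https://bank.example/help", "https://ads.partner.example/",
                   "https://evil.example/"):
        print(framer, can_be_framed(hdrs, "https://bank.example/", framer))
```

A page that returns `True` for an arbitrary third-party origin is the precondition for the overlay attack described above; the remedy is to send `frame-ancestors 'none'` (or `'self'`) alongside `X-Frame-Options` for older browsers.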
Social engineering techniques are also used to trick people into performing actions they would not otherwise take. Legitimate blogs, for instance, are frequently seeded with links pointing to pages that use social engineering tricks or browser-based exploits to infect a user's computer. Attackers often use blog comment fields to post such links.
It is not unusual for malware authors to prompt users to download the latest version of a media player or plug-in, typically a video codec, in order to view the site's content. Instead of a codec, however, the executable is really a piece of malware that the user is authorising to be downloaded and installed on their computer.
Among the most prominent miscreants are misleading applications, which intentionally misrepresent the security status of a computer. Their goal is to convince users that they have been infected with malware and must act immediately to remove potentially unwanted programmes or security risks (usually non-existent or fake) from the computer, typically by paying for the "full" version of the bogus product. Symantec, for one, claims to have detected more than 23 million misleading application attack attempts. "If only 1% of the 23 million end users were to fall for such an extortion scheme, that would result in over $11 million of revenue for the misleading application authors," points out Shantanu Ghosh.
The security industry has so far reacted to the growing volume of malware by issuing more frequent updates; some vendors have moved from weekly to daily or even half-hourly updates. The resulting volume of updates has significantly increased the system and network resources required to manage pattern downloads, often leading to critical performance and cost issues. "Imagine the bandwidth required to issue frequent updates to users' machines in a company with 2,50,000 global employees. A single pattern file update requires at least five hours for deployment throughout the company, and some companies receive updates as often as eight times per day to ensure the latest threat protection," points out Amit Nath. And as Ghosh warns, traditional signature-based antivirus cannot stop drive-by downloads slipping malware into your system, nor malvertisements.
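Why more frequent signature updates cannot keep up with the server-side polymorphism described earlier, shown as an added example that is not the article's or any vendor's code. The "payload" is harmless constructed text that is never executed, the encoder is a toy XOR scheme and the signatures are computed in the block itself. A per-sample hash signature, the kind that pattern updates carry, matches only the one download the vendor has seen; a check keyed on the part the generator leaves unchanged (here, a fixed decoder stub plus the decoded payload) catches every variant without a new update.

```python
"""Server-side polymorphism versus signature matching. Added example, not the
article's or any vendor's code: the "payload" is harmless text, the encoder is
a toy XOR scheme and the signatures are computed here. A per-sample hash
signature misses every fresh variant; a check on what the generator leaves
unchanged catches them all."""
import hashlib
import random

PAYLOAD = b"CONSTRUCTED DEMO PAYLOAD: stands in for a malicious script, never run"
MARKER = b"POLY1"   # decoder-stub marker the toy generator never mutates
KEY_LEN = 4


def xor(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(key, payload=PAYLOAD):
    """Emulate the generator on the compromised server: same payload, fresh
    key, different bytes on every download."""
    return MARKER + key + xor(payload, key)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def hash_signature_hit(sample, known_hashes):
    """Classic file-hash signature: exact match against samples already seen."""
    return sha256(sample) in known_hashes


def stub_signature_hit(sample, known_payload_hashes):
    """Structural check: recognise the stub, undo the encoding with the key
    the sample carries, and match the payload the generator never changes."""
    if not sample.startswith(MARKER) or len(sample) < len(MARKER) + KEY_LEN:
        return False
    key = sample[len(MARKER):len(MARKER) + KEY_LEN]
    decoded = xor(sample[len(MARKER) + KEY_LEN:], key)
    return sha256(decoded) in known_payload_hashes


def simulate(n=50, seed=1):
    """Serve n variants; the vendor has a hash signature for the first one
    only. Return (hash signature hits, stub check hits) over all n."""
    rng = random.Random(seed)   # seeded so the run is repeatable
    variants = [make_variant(bytes(rng.getrandbits(8) for _ in range(KEY_LEN)))
                for _ in range(n)]
    known_hashes = {sha256(variants[0])}
    payload_sigs = {sha256(PAYLOAD)}
    return (sum(hash_signature_hit(v, known_hashes) for v in variants),
            sum(stub_signature_hit(v, payload_sigs) for v in variants))


if __name__ == "__main__":
    print(simulate())
```

Real polymorphic engines also mutate the stub itself, which is why the defensive move was towards emulation, behavioural and reputation-based detection rather than ever faster pattern files; the lesson of the toy is to key detection on something the attacker cannot cheaply vary per download.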
And as the threat landscape changes, the industry seems to be preparing itself for a paradigm shift in protection strategy.