Are Legitimate Sites the Next Malware Threat?


We all know that opening e-mail from unknown senders is a major security no-no. But how about visiting your bank’s Web site? Or your favorite online business magazine?

According to a new study from IBM, even those activities pose growing danger to Web surfers. The company’s latest X-Force Trend and Risk report found that businesses’ sites are increasingly likely to expose customers to security threats because they fail to keep them properly updated with the latest software patches. That failure makes it easy for hackers to sneak malware onto legitimate sites that steals personal information or takes over visitors’ PCs to create botnets.

“Web applications, in particular, are increasingly vulnerable and highly profitable targets for helping the criminal underground build botnet armies,” the report said.

IBM’s (NYSE: IBM) findings come as the latest sign that attackers and information thieves are pursuing increasingly sophisticated tactics for growing their botnets and harvesting user data. In recent months especially, hackers have stepped up efforts to spread malware by trading on legitimate sites’ good names.

For instance, suffered an attack in September when hackers hit hundreds of its pages with a SQL injection attack, which works by injecting malicious code into the database behind a Web site. In’s case, that code led users to a Russian Web site from which malware could be downloaded.
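The mechanism the article describes, shown as an added illustration that is not from IBM's report or the attacked site: a page lookup that splices the request parameter into the SQL text lets the input change the query's meaning, while a parameterized query passes it only as a value. The table and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny "articles" table standing in for a site's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (slug, body, published) VALUES (?, ?, ?)",
        [("markets-today", "Public article", 1), ("draft-embargoed", "Unpublished draft", 0)],
    )
    return conn

def lookup_vulnerable(conn, slug):
    # The URL parameter becomes part of the SQL text, so a quote in it
    # ends the literal and the rest is parsed as SQL.
    sql = "SELECT slug, body FROM articles WHERE published = 1 AND slug = '" + slug + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, slug):
    # The driver binds slug as a value; whatever it contains, the query
    # structure fixed in the string cannot change.
    sql = "SELECT slug, body FROM articles WHERE published = 1 AND slug = ?"
    return conn.execute(sql, (slug,)).fetchall()

# Constructed tampered input: the classic tautology that textbooks use to show the bug.
TAMPERED = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "markets-today"),
        # The published = 1 filter is defeated: both rows come back.
        "vulnerable_tampered": lookup_vulnerable(conn, TAMPERED),
        # The same input is just an unknown slug: no rows.
        "safe_tampered": lookup_parameterized(conn, TAMPERED),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The fix the article implies for site operators is the second form (plus keeping the application patched); the first form is what lets an attacker rewrite what the database returns to every visitor.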

According to IBM’s report, such problems may be on the rise, thanks to tools in widespread use without adequate patches. Nearly 55 percent of all vulnerability disclosures in 2008 involved off-the-shelf Web applications, and 74 percent of all Web application vulnerabilities disclosed did not have an available patch by the end of the year, according to the report.

The X-Force report said SQL injection has become the most common form of attack, jumping 134 percent and replacing Cross-Site Scripting as the predominant type of Web application vulnerability. Exploitation of Web sites vulnerable to SQL injection has increased from an average of a few thousand per day in early 2008, to several hundred thousand per day by the end of the year, it added.

IBM’s findings echo the warnings of Web and e-mail security vendor Marshal 8e6, which predicted that cybercriminals will increasingly target legitimate Web sites, impacting the notion of trusted sites on which the Internet depends.

The spammers do not stick around for very long, either. Researchers have found that malware authors hijack pages for short periods of time, with greater than 97 percent of spam URLs up for only one week or less. This short lifespan makes tracking and stopping the malware authors more difficult, antivirus vendor AVG Research found.

A multitude of attack vectors

While hackers find it relatively easy to hijack legitimate sites because vendors are not issuing patches for Web vulnerabilities, that’s only part of the problem, IBM found.

Increasingly, attackers are turning to entirely new ways of penetrating users’ security: leveraging downloadable documents, multimedia, Java and ActiveX applications, all of which are easy to host and share on the Web.

Hackers used a malicious Microsoft (NASDAQ: MSFT) Word document to customize attacks on an Internet Explorer browser flaw shortly after the flaw was reported. In one case, an attacker e-mailed victims a Microsoft Word document containing an embedded ActiveX control that activated when the recipient opened the Word document.

“Many Web sites request the use of known vulnerable ActiveX controls, which leave Web site visitors who do not have updated browsers in a compromised position,” the report said.

Adopting multimedia isn’t the only way hackers are ramping up their tactics. They are writing new subject lines to target victims more accurately than bulk spam e-mails that all use the same subject line.

Not surprisingly, most efforts by hackers remain aimed at getting at your money, IBM found. Nearly 99 percent of phishing — when an attacker tries to get a victim to divulge personal and financial information — is targeted at financial institutions, the study found. More than 99 percent of all financial phishing targets are in North America or Europe, with 58.4 percent of the targets in North America.

The study also found that 46 percent of all malware in 2008 consisted of Trojans, and that a majority of these Trojans will continue to target users of online banking and Internet gaming applications.

In addition to taking a close look at hackers’ strategies, IBM X-Force, which has been studying vulnerability disclosures since 1997 and claimed to have the world’s largest vulnerability database, with nearly 40,000 entries, also dug up a number of other security insights. For one thing, it said most vulnerabilities surface on Tuesdays because many vendors regularly release vulnerability advisories and patches on that day. (Microsoft’s monthly “Patch Tuesdays,” for instance, have become a hotly anticipated happening for IT managers, consumers and security experts.)

The IBM study also found that operating systems from Apple and the base Linux kernel have dominated the top spots for vulnerability disclosures over the past three years.
