
Malware authors eyeing Web-based applications

By Bill Brenner, Senior News Writer
22 Jun 2006 | SearchSecurity.com

Security Wire Daily News

Malware attacks against search giants Yahoo and Google this past week show online outlaws are working overtime to exploit any security hole they can find in Web applications. As Web-based services grow increasingly popular, industry experts say users should brace for more of these threats.

Last week, Yahoo Mail was targeted by a JavaScript worm called JS.Yamanner, which spread through Yahoo email contacts when end-users opened emails infected by the malware.

Also in recent days, Google Inc. has tried to fight off malware targeting its Google Page Creator Web site hosting service as well as its Orkut social networking service. The attacks illustrate a growing trend where the digital underground has shifted its attention away from assaults against network perimeters and operating systems in favor of those exploiting application flaws.

Peter Firstbrook, an analyst with Stamford, Conn.-based Gartner Inc., said that while Microsoft has developed a "very good" patching mechanism for its programs, most application providers, in contrast, have not. That being the case, he said, these recent Web-based application attacks could be the mere tip of the iceberg.

"The [malware authors'] focus has been on Microsoft, but now we have to look at all these applications where the patching track record isn't as good," Firstbrook said.


While that may be the case for other application providers, Yahoo spokeswoman Kelley Podboy said the Yamanner experience shows that her company does have a good handle on the threat. She said that upon discovery of the worm, Yahoo was able to protect all its users within a day.

Podboy added that the incident affected a "very small fraction" of Yahoo users. "We have taken steps to resolve the issue and protect our users from further attacks of this worm. The solution has been automatically distributed to all Yahoo Mail customers and requires no additional action on the part of the user."

Google did not respond to an interview request regarding the recent malware threats against its programs.

CSOs are worried
Doug Goodall, vice president of global security solutions for Getronics NV, a provider of workspace management IT services based in Amsterdam with U.S. offices in Tewksbury, Mass., said the Yahoo and Google attacks in particular show that the bad guys are getting far more sophisticated and that their assaults are far more targeted.

"It used to be that we had these big worms that were designed to hit whatever they could hit," Goodall said. "Now we see this very focused application targeting, like what we're seeing against Web mail applications. It's just amazing how accurate these guys are getting."

Getronics runs the International Information Integrity Institute (I-4), a consortium of about 75 multinational organizations in which CSOs meet behind closed doors several times a year to trade notes on their biggest challenges. By meeting in secret, CSOs are comfortable speaking candidly about their pain points. Goodall said those CSOs are increasingly concerned about the Web application threats.

"At one of our I-4 forums, people talked about how they're putting a lot more of their focus on patching," he said. "But they all acknowledged that flaws in applications are a lot harder to deal with. They've gotten good at patching the operating systems, but you have so many legacy applications and new applications, it's a lot for them to get their arms around."

He said the bad guys know this, which is why they are increasingly seeing application flaws as a goldmine waiting to be plundered.

A challenge to corporate computing policies
Dan Blum, an analyst with Midvale, Utah-based Burton Group, said the growing Web application threat also poses a challenge to the Internet-browsing policies of many companies.

"Businesses have a permissive policy toward outbound browsing," Blum said. "It's like using the phone for personal calls." However, he added, Web-based mail services and other hosted applications have become another vector through which malware can enter a company.

Theoretically, Blum said, companies could take a hard line and restrict much of this activity, but there's a big downside to that.

"Users would end up using their company email to do these things and could expose company information that way," Blum said. "I think it's probably better to keep letting employees use Web mail, but educating them on things they should beware of." He said end-users should be taught to use the Firefox Web browser and to avoid giving out sensitive information.

Firstbrook recommended that companies monitor their threat environments and make use of automatic defenses like antivirus and proactive tools like host-based intrusion defense systems (IDS). "Shield your infrastructure so you can get the patches out," he said.

No place for FUD
While the growing threat against Web-based applications is cause for concern, people shouldn't be alarmed or surprised, said Shane Coursen, senior technical consultant for Russian antivirus firm Kaspersky Lab.

"I don't think we should make a bigger deal out of this than it's worth," he said. "It's perfectly natural and normal to see malware writers taking advantage of Web applications." He added that the ubiquitous nature of Web-based applications makes them the perfect platform to spread malware.

In spite of that, Goodall said companies like Yahoo and Google have a big advantage Microsoft didn't have when it began to face a steady stream of attacks.

"They've grown up in a period where the whole industry has been focused on security," he said. "They didn't start with this big legacy infrastructure. Much of what they've deployed has been in the last five years, in an environment with more security awareness." But if these companies aren't careful, he said, they could end up wearing as big a bull's-eye as Microsoft has in recent years.

"They're growing so fast, light years faster compared to Microsoft's growth in the 1980s," Goodall said. "When you add new services at their speed, it opens the door for a lot of chaos."
