IBM finds sharp spike in malicious content on trusted sites

By Robert Westervelt, News Editor
26 Aug 2009 | SearchSecurity.com

The most trusted websites, such as search engines, mainstream news sites and some blogs, are increasingly at risk of hosting malicious links that pass malicious code to their visitors, according to the latest data collected by researchers with IBM's X-Force security team.

Big Blue's "X-Force 2009 Mid-Year Trend and Risk Report" outlines a sharp increase in new malicious Web links and consistent attacks against Web applications that could undermine the security of some database servers.

Kris Lamb, director of IBM's X-Force team, said users who stay away from "red light district" sites are still at risk, as more trusted sites have been found to host malicious code used in drive-by attacks.

"We've reached a tipping point where every website should be viewed as suspicious and every user is at risk," Lamb said in a statement. "The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity."

Trusted websites hosting links that lead to malicious webpages could be linked to a rise in Web exploit toolkits, IBM said. Once a person browses to a site hosting the toolkit, it can deliver all of its exploits at once or select specific exploits based on the visitor's referring URL, browser cookies or geographic location.

The Internet security threat report noted a 508% increase in the number of new malicious Web links discovered in the first half of 2009. The number of countries hosting malicious URLs has also risen sharply since 2006. While gambling and pornography websites continue to harbor the most malicious content, they are followed closely by personal homepages and search engines.

Attackers are also increasingly targeting trusted news sites, blogs, bulletin boards and education websites, which were identified as favorite spots for planting malicious code.

"The [malicious links] distribution is probably more representative of the types of websites that attackers like to frequent in hopes of finding a loop-hole (like a vulnerability or an area that allows user-supplied content) in which they can incorporate these malicious links in hopes of compromising an unsuspecting victim," IBM said in its report.

Although vulnerability disclosures of SQL injection and ActiveX vulnerabilities are declining, according to IBM, attackers are still targeting the flaws in increasing numbers. SQL injection attacks -- the method used by hackers suspected in the Heartland Payment Systems Inc. breach -- rose 50% from the final quarter of 2008 to the first quarter of 2009. IBM said SQL injection attacks spiked again this spring, jumping 46% in April and 76% in May.

Many SQL injection vulnerabilities were discovered in 2008 when attackers turned to automated tools to discover flaws and exploit them on live websites, IBM said. The Trojan Asprox used search engines to automatically test websites for the vulnerabilities.

"For many security administrators and researchers, these automated tools put increased pressure on them to find SQL injection vulnerabilities before the attackers do," IBM said in its report.

Trojans, designed to steal data, log keystrokes and download additional malware, continue to dominate all new malware, according to the report. In the first half of 2009, Trojans comprised 55% of all new malware, a 9% increase over the first half of 2008. Information-stealing Trojans are the most prevalent malware category, IBM said. Backdoors, which enable a remote attacker to log on and execute commands on an affected system, ranked second at 21%.

The IBM security researchers said publicly available toolkits could be fueling the increase in Trojans and backdoors.

"This trend is expected to continue since these toolkits are very easy to use, and from a malicious user's perspective, he/she just needs to get the 'job' done without much technical investment on their part," IBM said.
