Malicious code is beginning to make its way onto storage and caching servers, according to a security vendor tracking what it calls a new wave of attacks using Web 2.0 platforms and technologies.
San Jose, Calif.-based Finjan Inc. released its third quarter report highlighting the latest trends, including a series of attacks using storage and caching servers, more sophisticated assaults using Ajax and an update on the sale of software toolkits for creating malicious Web sites. The trends were identified by a team of researchers at Finjan's Malicious Code Research Center.
Storage and caching servers used by businesses, ISPs and search engine companies are being used by attackers to exploit end users' machines. "Since the malicious code is duplicated and stored on such servers, even if the original malicious site is taken down, its malicious content still remains and is served by these storage and caching servers until removed," according to the report. The result is the installation of spyware, Trojans and other malware used to acquire personal information, said Finjan chief technology officer Yuval Ben-Itzhak.
"We're seeing attackers writing their own Web site that will cache content directly from the caching servers," Ben-Itzhak said. "We started to see sites being used with this type of framework to get the malicious code loaded."
Antivirus scans and URL filtering software are not effective against these new threats, because malicious content can bypass reactive antivirus technology, Ben-Itzhak said. Proactive, behavior-based security tools can be used to scan and analyze servers and block a site completely if it appears to be uploading malicious code, he said.
"We recognized this trend this year, and in the last quarter or two we're starting to see a rise in the number of events we see," Ben-Itzhak said.
Finjan found Ajax being used to silently request malicious code without a user's knowledge. To protect users from these new attacks, enterprises should actively analyze each Web request and reply. Behavior-based analysis of Web content, performed on the gateway between the browser and Web servers, is one effective method for doing this, according to Finjan.
Finjan researchers also uncovered a scheme in July in which a company looks for flaws in security software and seeks to sell the information back to the software vendor. If the vendor chooses to purchase the information, the details are protected for 30 days. If not, they are sold immediately on the open market. The prices for a full analysis range from $650 to $1,950, Finjan said.
But now security vendors are being bypassed altogether, Ben-Itzhak said.
"They're no longer reporting it to the vendors," he said. "They're selling it on the black market using mailing lists or their own Web sites."