Attackers are finding new ways to stay one step ahead of security, exploiting ubiquitous Adobe Flash applications and PDF files, which many organizations and end users incorrectly assume are safe against compromise.
In its Q4 Web Security Trends Report, Finjan Inc. says its Malicious Code Research Center (MCRC) has found that millions of PCs have been compromised by either Flash- or PDF-borne Web exploits, as crimeware writers widen their attack vectors and find new ways to evade detection and snare user machines.
Flash, of course, is widely used to add animations in ads and other Web page components. The report says Adobe has done a good job of addressing known Flash vulnerabilities -- they're not the problem. The Flash exploits rely on basic Adobe ActionScript functionality to exploit browser vulnerabilities.
Flash malware is commonly delivered through malicious banner ads served by ad content networks. Although most networks inspect the ads for security risks, their efforts are often insufficient. Adobe recommends a simple remedy, but it is often ignored in practice, leaving the door open to Flash exploits: the "AllowScriptAccess" parameter on the embedded Flash object should be set to "never," but it is more typically set to "always." That setting allows the ad's ActionScript to inject an IFRAME into the hosting page, which can then pull in malicious content and infect the end-user machine.
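As an added example (not from the Finjan report), the following check audits a page's Flash embeds for the AllowScriptAccess setting described above. The HTML snippet is constructed for illustration; the function is hypothetical and treats an unset value as Flash Player's default of "sameDomain", which still does not meet the "never" guidance.

```javascript
// Constructed sample: three banner ads as an ad network might embed them.
// banner1 uses the weak "always" setting in both the <object> param and the
// <embed> fallback; banner2 omits the setting; banner3 follows the guidance.
const SAMPLE_HTML = `
<object type="application/x-shockwave-flash" data="/ads/banner1.swf" width="728" height="90">
  <param name="movie" value="/ads/banner1.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="/ads/banner1.swf" allowScriptAccess="always" width="728" height="90">
</object>
<embed src="/ads/banner2.swf" width="300" height="250">
<embed src="/ads/banner3.swf" allowScriptAccess="never" width="300" height="250">
`;

// Pull one attribute value out of a tag's attribute string (case-insensitive name).
function getAttr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i').exec(attrs);
  return m ? m[1] : null;
}

// Record one finding; "sameDomain" is the player default when the value is unset (assumption).
function classify(kind, src, setting) {
  const effective = (setting || 'sameDomain').toLowerCase();
  return { kind, src, setting, effective, compliant: effective === 'never' };
}

// Scan <embed> tags (attribute form) and <object> tags (<param> form).
function auditFlashEmbeds(html) {
  const findings = [];
  for (const m of html.matchAll(/<embed\b([^>]*)>/gi)) {
    findings.push(classify('embed', getAttr(m[1], 'src'), getAttr(m[1], 'allowScriptAccess')));
  }
  for (const m of html.matchAll(/<object\b([^>]*)>([\s\S]*?)<\/object>/gi)) {
    let setting = null, movie = getAttr(m[1], 'data');
    for (const p of m[2].matchAll(/<param\b([^>]*)>/gi)) {
      const pname = (getAttr(p[1], 'name') || '').toLowerCase();
      if (pname === 'allowscriptaccess') setting = getAttr(p[1], 'value');
      if (pname === 'movie' && !movie) movie = getAttr(p[1], 'value');
    }
    findings.push(classify('object', movie, setting));
  }
  return findings;
}

// Only the embeds that deviate from Adobe's "never" guidance.
function nonCompliantEmbeds(html) {
  return auditFlashEmbeds(html).filter((f) => !f.compliant);
}
```

Run over the sample, three of the four embeds are flagged: both banner1 entries ("always") and banner2 (unset, so "sameDomain").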
"When Finjan looked at some of the top ad networks on the internet, we realized they didn't follow Adobe guidelines," said Yuval Ben-Itzhak, chief technology officer of Finjan. "Leaving the door open letting this interface between flash and the hosting page remain active."
The problem is exacerbated by the availability of cheap, easy-to-use crimeware toolkits, such as Neosploit and Fiesta, which now include PDF components that enable attackers to obfuscate scripts within PDF files to execute Web exploits.
Signature-based detection is not generally effective against these attacks, so antimalware engines must rely on real-time detection. Finjan recommends updating Adobe Reader with the PDF fixes, and training users not to assume that PDF files are always safe.
Organized crime expands
In general observations, the Finjan report says that organized crime continues to expand its Internet business through what Finjan calls a criminal-to-criminal (C2C) model, relying on Trojans, silent installations and drive-by downloads. Those $100-$200 off-the-shelf toolkits help make cybercrime more accessible and pervasive. Finjan observed a trend of unemployed IT workers purchasing these toolkits, and expects this trend to grow as the weak global economy persists in 2009.
"We believe that having layoffs in the U.S. and other parts of the world, more people will at least give it a try," Ben-Itzhak said. "More people will become cybercriminals. You don't need to be a professional hacker: These toolkits have really changed the way people are turning to cybercrime."