New Sophos Security Threat Report Reveals Record Number of Web-Borne Attacks During 2007
July 26th, 2007
Sophos Reveals Sharp Rise in Web Threats, and Uncovers Latest Trends in Viruses, Spyware and Spam
Sophos, a world leader in IT security and control, has published new research on the first six months of cybercrime in 2007. The Sophos Security Threat Report examines existing and emerging security trends and has identified a sharp increase in the number of web threats, as well as the countries and server types hosting the most infected sites.
The first half of 2007 has seen a significant increase in threats spread via the web, which has surpassed email as the preferred method of attack for financially motivated cybercriminals. In June alone, Sophos’s global network of monitoring stations uncovered a record number of infected web pages – approximately 29,700 – each day. In contrast, earlier in 2007, as few as 5,000 malicious pages per day were detected.
Sophos blocks access to millions of web pages to protect customers from malware and inappropriate content. Taking a snapshot of just one million of those web pages, experts found that 28.8 percent were hosting malware. An additional 28 percent were blocked due to the adult nature of their content, most commonly because they were pornography or gambling sites. Pages created by spammers accounted for 19.4 percent and 4.3 percent were classed as illegal sites, including phishing sites or those peddling pirated software. Of the websites containing malicious code, just one in five had been designed specifically for malicious activity, with the remaining 80 percent made up of legitimate sites that have fallen victim to hackers.
APACHE IS THE MOST COMPROMISED SERVER
By compromising a single file on a web server, cybercriminals can easily and quickly cross-contaminate a huge number of websites, as the infected file may form part of a plethora of unrelated pages, all of which are published from the same server.
The breakdown of the world’s top server types affected by web threats in the first six months of 2007 reads as follows:
1. Apache 51.0%
2. Microsoft IIS 6 34.0%
3. Microsoft IIS 5 9.0%
4. nginx 3.0%
Other 3.0%
The fact that more than half of all infected web pages were hosted on Apache servers demonstrates that infection is not simply a Windows problem. Earlier this year, during a global ObfJS attack, in which legitimate sites were compromised so that they could serve up malicious code, 98 percent of affected servers were running Apache – many of which were hosted on UNIX rather than Windows platforms.
“Website infections have increased significantly in the past six months. The number of infected sites has grown more than five times since January,” said Ron O’Brien, Boston-based Sophos senior security analyst. “As 80 percent of those sites are legitimate, it makes you wonder why more action is not taken to help prevent such attacks. Simple measures such as keeping up to date with security patches are one of the most effective ways to prevent infections on servers.”
TOP WEB-BASED THREATS OF 2007 – SO FAR
The top 10 list of web-based malware hosted on these infected sites during the first six months of 2007 reads as follows:
1. Mal/Iframe 49.2%
2. Troj/Fujif 7.9%
3. JS/EncIFra 7.3%
4. Troj/Psyme 8.3%
5. Troj/Decdec 6.9%
6. Troj/Ifradv 4.1%
7. Mal/ObfJS 2.5%
8. Mal/Packer 1.5%
9. VBS/Redlof 1.1%
10. Mal/FunDF 0.9%
Other 10.3%
Mal/Iframe, which works by injecting malicious code onto web pages, dominates this chart, accounting for almost half of the world’s infected URLs. Furthermore, it shows no sign of abating – in a recent potent attack, more than 10,000 web pages were infected, the majority of them legitimate pages hosted by one of Italy’s largest ISPs.
MOST INFECTED WEB PAGES HOSTED IN CHINA
The top 10 list of countries hosting malware-infected web pages during the first half of 2007 reads as follows:
1. China 53.9%
2. United States 27.2%
3. Russia 4.5%
4. Germany 3.5%
5. Ukraine 1.2%
6. France 1.1%
7. Canada 0.8%
8. United Kingdom 0.7%
9= Taiwan 0.6%
9= South Korea 0.6%
Other 5.9%
China, which at the end of 2006 hosted just over a third of all malware, has now overtaken the U.S., and in the first six months of 2007 was responsible for hosting more than half of all web threats reported to Sophos. China’s dramatic rise in the chart is primarily due to widespread Mal/Iframe infections on Chinese hosted web pages. In fact, more than 80 percent of the country’s compromised web pages are infected with this malware.
HACKERS TURN TO PDFS AND REMOVABLE DRIVES TO COMMIT CYBERCRIMES
The first half of 2007 has seen cybercriminals using attachments in spam messages. To avoid detection by less sophisticated gateway filtering products, there is a growing trend for spammers to use PDF files carrying a graphical version of their marketing message, in their attempt to reach potential customers.
Hackers have also taken advantage of users who have “auto-run” enabled on their Windows PC to automatically execute malicious code as soon as an infected removable flash drive is attached to the computer. Notable examples this year were the LiarVB-A worm, which spread information about AIDS and HIV via USB keys, and the Hairy worm, which claimed that teen wizard Harry Potter was dead. However, neither threat became widespread and both could be protected against by using up-to-date anti-virus software at the desktop.
“Using attachments to spread malware has decreased in the last few years, however, because PDF attachments are so trusted, they will remain high on the list for spammers looking for the file type most likely to be opened,” said O’Brien.
EMAIL STILL A CAUSE FOR CONCERN
Email threats continue to cause concern for businesses and, although they have become eclipsed by web-based threats, the actual amount of email-borne malware has remained constant during the past year. The proportion of infected email during the first half of 2007 was 1 in 337, or 0.29 percent of all messages. More than 8,000 new versions of the Mal/HckPk threat were seen during 2007, as it was used to disguise widespread email attacks like Dref and Dorf.
More information about the latest trends in malware, spyware and spam can be found in the complete version of the latest Sophos Security Threat Report, which can be downloaded from: http://www.sophos.com/securityreport
A journalist-specific edition is available from: http://www.sophos.com/securityreportjul2007
To listen to the latest Sophos podcast, which discusses the report and the threat landscape for 2007, please visit: http://www.sophos.com/podcasts
About Sophos
Sophos is a world leader in IT security and control. Sophos offers complete protection and control to business, education and government organizations – defending against known and unknown malware, spyware, intrusions, unwanted applications, spam, policy abuse and uncontrolled network access (NAC). Sophos’s reliably engineered, easy-to-operate products protect more than 100 million users in more than 150 countries and are procured exclusively through channel partners. Through over 20 years’ experience and a global network of threat analysis centers, the company responds rapidly to emerging threats and achieves the highest levels of customer satisfaction in the industry. Sophos is a global company with headquarters in Boston, Mass., and Oxford, UK. For more information on Sophos, visit www.sophos.com.
Contacts
Racepoint Group
Heather Ailara, 781-487-4650
hailara {at} racepointgroup(.)com
or
Sophos
Jennifer Torode, 781-494-5885
jennifer.torode {at} sophos(.)com