 
April 2, 2008

New Threat Report reveals infected websites remain active longer

2 April, 2008
By Vanessa Ho

In ScanSafe's recent Global Threat Report, the web security-as-a-service company revealed that web threats including viruses, Trojans, password stealers and other forms of malware are becoming more prevalent and that compromised websites remain live for a longer period of time than before.

ScanSafe scanned more than 80 billion web requests and blocked 800 million web threats in 2007 on behalf of corporate customers in more than 50 countries across five continents.

ScanSafe's analysis found a 61 percent increase in malware during the second half of 2007. 21 per cent of all the malware blocked by ScanSafe in 2007 was zero-day malware -- new malware for which there is no existing patch or anti-virus signature.

According to Mary Landesman, senior security researcher with ScanSafe, the biggest reason why malware increased by 61 percent was its move to the web.

"The web allows this sort of thing," said Landesman. "In the past, the web was a one-way medium but Web 2.0 has become widely adopted to make it [more] dynamic with third-party content."

She added that the web applications required to drive this interaction often have vulnerabilities or lack validation. As well, there are not enough security-conscious web developers out there to write more secure code.

In addition to viruses, Trojans, password stealers and other forms of malware becoming more prevalent, ScanSafe noted that an increasing number of legitimate sites are unknowingly hosting malware and compromised sites are remaining infected longer -- in some cases more than two months.

The most frequently encountered malware is designed to steal passwords and other sensitive financial information from bank accounts and even online games -- putting corporate and personal financial information at greater risk and opening businesses to legal liability and compliance risks.

"Malware is now a criminal business and with any business they are looking for an ROI. If they compromise a legitimate website, they can get millions of potential victims. That's why the web is a favored medium," Landesman noted.

ScanSafe also noted that there has been a significant increase in the amount of time a site is delivering malware. In the second half of 2007, malware on infected sites remained live for an average of 29 days, a 62 per cent increase from 18 days during the first half of the year.

Additionally, zero-day threats have an even longer shelf life once they compromise a website. Websites infected with zero-day malware remained live an average of 61 days in the second half of 2007, up 190 per cent from 21 days during the first half of 2007.

"This goes towards the amount of effort these attackers are putting in new threats and points to perhaps the need for signatures to be delivered in a timely fashion," said Landesman.

The average time to live for all malware blocks over the course of the year was 24 days.

The report also noted that the complex network of advertising providers and advertising affiliates has made it increasingly easy for attackers to surreptitiously insert malicious advertising. One rogue partner and a large number of sites can begin delivering malware, potentially exposing millions. In 2007 several high-profile sports sites unwittingly served malicious ads, including the websites for the National Hockey League, Major League Baseball, TheSun.co.uk, MySpace.com and PhotoBucket.com.

Landesman added that it would be difficult to shut down websites that are known to be compromised as there are legal and jurisdiction issues, and some ISPs may not be on board with this.

She stressed that the best protection from compromised websites is for users to do real-time scanning of web traffic as well as keep security patches up to date and use traditional solutions like anti-virus.

"There is not enough awareness of the move of threats to the web and not enough awareness that this is another vector that enterprises need to be concerned about more than any of the other traditional malware."





