ScanSafe: Global Threat Report for October 2008
November 2008 by ScanSafe
The August and September flattening in the rate of Web-delivered malware abruptly reversed direction in October 2008. Not only did the rate of Web-delivered malware increase sharply in October, the month ended as the single highest month of 2008. This distinction is chilling as 2008 has been the highest year on record for Web-delivered malware. The Web threat continues to be fueled largely by mass compromise of legitimate known websites. In October 2008, 65% of all ScanSafe Web malware blocks were the result of compromised sites.
Accompanying the marked increase in Web malware volume was an increase in encounters with password stealers and backdoors. In October 2008, 13% of all Web malware blocks were from encounters with backdoors and password stealers. These numbers are particularly concerning given that the vast majority of all Web-based malware is blocked at the initial stage of encounter, and thus indicates attackers are increasingly employing methods that allow them to engage more directly with users.
The risk of Web malware encounters via search engine results pages (SERPs) was also heightened in October 2008, at 9.3% of encounters. Webmail exposures decreased, accounting for just 0.8% of all Web malware blocks, down from 7% in August 2008. Facebook and MySpace users continued to be plagued with variants of the Koobface worm targeting those social networks. Attacks specifically targeting Facebook users represented 1.5% of all Web malware blocks.
For the second month in a row, the rate of Web-delivered Adobe Reader PDF exploits outpaced Adobe Flash (SWF) exploits. PDF exploits represented 5.1% of all Web malware exposures, compared to 3.8% for Adobe Flash (SWF) exploits. The most frequently encountered exploits were malformed image files, of which JPEG were the most prevalent. In total, image exploits resulted in 9.8% of all Web malware encounters in October 2008.
ScanSafe customers were and continue to be protected from the attacks discussed herein.
Key Highlights
65% of all malware blocks in October resulted from visits to compromised websites;
16% of all Web malware blocked by ScanSafe were zero-day Web threats; on October 2nd and 11th, the rate was 67% and 59%, respectively;
13% of blocks were backdoors and password-stealing Trojans, indicating that attackers may be finding more effective means of directly interacting with intended victims;
Adobe PDF exploits outpaced Flash (SWF) exploits, at 5.1% and 3.8% of blocks, respectively.
[Chart: Signature vs. Zero-Day, October 2008 Web Malware Blocks]
The combined rate of zero-day malware decreased in October to 16% of all Web malware blocks, compared to 31% in September 2008. The median rate of zero-day Web malware in 2008 is 18%. The median rate for October 2009 was 24%. The highest rates of zero-day malware blocks in October 2008 took place on October 2nd (67% of all Web malware blocks on that date), followed by October 11th with a rate of 59% zero-day Web malware blocks for the day.
The rate of Web-delivered malware encounters in October 2008 outpaced all other months of the year. Encounters with compromised websites led to 65% of the Web malware blocks, followed by direct encounters with backdoors and password stealers at 13%. Direct encounters typically result from some form of social engineering, generally via email but also occurring from tainted blog comments and malicious forum posts. Facebook users were a direct target in 1.5% of October Web malware blocks.
Downloader and dropper trojans were the third most frequently encountered category of Web malware encounters, at 9% of October Web malware blocks. Installed malware resulting from downloaders and droppers is unpredictable, and can range from rootkit-enabled backdoors and password stealers to rogue scanner software typically referred to as ‘scareware’.
Redirectors, though still a much smaller percentage of total blocks compared to other categories, continue to increase in prevalence. As their name suggests, redirector trojans forcibly cause the user to unintentionally visit a site other than the one they intended. In many cases, the redirector trojans are planted directly on legitimate sites that have been compromised. The results of the redirect can range from visits to malicious attacker-owned sites that attempt to install malware to redirects designed to fraudulently inflate page views for the visited site. Redirector trojans can also be employed in phishing-style attacks, in which case the site to which the user is forcibly redirected cosmetically appears nearly identical to the legitimate intended site. For the first time, redirector trojans were the 4th largest category of Web malware blocks, representing 3% of all Web malware blocks in October 2008.
Encounters resulting from links to malicious sites appearing in search engine results pages (SERPs) were responsible for 9.2% of all Web malware blocks performed by ScanSafe on behalf of our customers in October 2008. The majority of the SERPs Web malware encounters resulted from vertical searches performed on sites other than traditional search engines.