(WEB HOST INDUSTRY REVIEW) — Vulnerabilities are constantly being uncovered in the code that underlies the Internet – more so now than ever – as more hackers deploy sophisticated attack methods, and as Web servers are increasingly used as a means of distributing malicious code.
According to a recent study by anti-malware tool developer Dasient, the number of reported infected websites increased from 560,000 in the final quarter of 2009 to more than 720,000 in the first quarter of 2010. The study went on to note that 97 percent of Fortune 500 websites are at a high risk of malware infection, partly due to a combination of external factors such as JavaScript widget providers, ad networks, and packaged applications.
For the past four years, Taipei, Taiwan-based online security solutions provider Armorize Technologies (www.armorize.com) has been offering security solutions designed to keep businesses safe from hackers looking to exploit vulnerable Web applications.
Recently, the company expanded into the US, which closely coincided with the unveiling of HackAlert 3.0, its first cloud-based service that provides real-time identification and alarms for Zero Day malware threats hidden in websites and online advertisements.
Able to provide comprehensive website security, drive-by download defense and protection against being flagged by Google as a malware-infected site, HackAlert 3.0 also offers new features including a cloud-based API that lets channel partners, VARs and resellers improve and expand their Web application security services with the addition of malware monitoring, alerting and remediation.
In an email interview with the WHIR, Armorize chief executive officer Caleb Sima explains the latest malware threats and the dangers they pose to Web hosts, as well as some steps that can help prevent their services from being hijacked.
WHIR: Can you run me through the latest malware injection and drive-by downloads that have been seen to impact Google, LinkedIn, and Web hosts such as GoDaddy?
Caleb Sima: The attack vector of the latest malware attacks is broken into the following broad categories:
1. Infection through third-party content inclusion (e.g. malvertisements, obfuscated links, etc.)
2. Mass outbreaks by datacenter compromises (e.g. mass infection through SQL Injection and Cross Site Scripting or XSS, etc.)
3. Exploiting trust in social networks.
The biggest problem with malware nowadays is third-party content inclusion from various sources on the Internet. Primarily, a well-activated website renders content from different websites and uses that content as a centralized point for information-sharing. Even if the prime website is secured, unfortunately, the door is always open to infection from the shared content of the secondary websites. Since most of the content from these secondary sites is not scrutinized carefully enough prior to its inclusion on the prime website, it certainly increases the risk of triggering malware in the prime website. Furthermore, vulnerabilities in the code always play a critical role in the spreading of malware.
Also, data center infection, where data centers are primarily controlled by botnets, is a problematic situation where one vulnerable website leads to the infection of the others. My continuous analysis has shown that admin scripts are exploited at a large scale for the purpose of infecting servers.
Finally, rogue profiles in social networks are being generated to spread malware.
These are the biggest ongoing infection attack vectors that exploit the trust of online social connections. Furthermore, URL shorteners, such as the ones commonly used in Twitter, are helping malware writers to hide the malicious content in a URL, compress it, and effectively give it an anonymous and seemingly innocuous link.
WHIR: How can these malware threats be discovered before they are unknowingly downloaded?
CS: There are a few basic steps that should be fundamental in the avoidance of malware:
- Keep your servers patched
- Rid yourself of SQL Injection and XSS vulnerabilities in the code of your application
- Monitor your website on a continuous basis using a solution, like HackAlert, that identifies zero day web malware.
WHIR: What are the dangers of a virus spreading on shared or cloud-based infrastructure?
CS: The dangers are actually quite high. The most critical point in cloud-based infrastructure infection or shared hosting is that a single infected website can impact security at a large scale. In a cloud computing environment, a single compromised website is a good enough conduit for the virus to overtake and control the whole of the cloud computing environment. An example of this type of situation is the most recent attack of the Zeus botnet on Amazon.com’s cloud computing servers. In this kind of setup, the virus impacts the environment in a robust manner and the infection increases tremendously.
WHIR: In what ways can hosting providers ensure that their services are not compromised?
CS: The best possible solution is scanning and monitoring religiously. I recommend the following:
1. Assess your existing web properties using a proper web malware discovery tool and take note of anything that is already infected.
2. Implement a network monitoring tool that specializes in identifying malware/bot traffic.
3. Start focusing on server-based security/change control solutions that help you identify ‘unknown’ changes when they are occurring.
4. Log monitoring and analysis is a good practice to look into malicious data.
Server-based solutions offer a high degree of protection against internal issues by catching infections that spread from legitimate clients on the network. But keep in mind that poorly written server-based solutions may lower the reliability and availability of the software they are supposed to protect.
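As an added example (not from the interview, Armorize or HackAlert), a small Python monitoring job in the spirit of the third-party content inclusion risk described earlier and of recommendations 3 and 4 above: it lists the external hosts a page loads scripts or frames from and flags any host not on an allowlist, and it hashes a web root so a later run can surface unknown file changes. The sample HTML, the allowlist and every hostname in it are constructed for the example.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample page: the first two external includes are intentional,
# the last one is an unknown host of the kind a monitoring job should flag.
SAMPLE_HTML = """<html><body>
<script src="https://www.example.com/app.js"></script>
<script src="/js/local.js"></script>
<iframe src="//widgets.example.net/widget.html"></iframe>
<script type="text/javascript" src='http://unknown-host.invalid/x.js'></script>
</body></html>"""

# Hypothetical allowlist of third-party hosts this site deliberately embeds.
ALLOWED_HOSTS = {"www.example.com", "widgets.example.net"}

TAG_SRC_RE = re.compile(r'<(?:script|iframe)\b[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.I)

def external_hosts(html):
    """Hosts referenced by <script>/<iframe> src attributes; same-origin paths are skipped."""
    hosts = set()
    for src in TAG_SRC_RE.findall(html):
        m = HOST_RE.match(src)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

def unapproved_hosts(html, allowed=ALLOWED_HOSTS):
    """Third-party hosts the page loads active content from that are not on the allowlist."""
    return sorted(external_hosts(html) - set(allowed))

def snapshot(root):
    """Change-control baseline: relative path -> SHA-256 of every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(baseline, current):
    """Files that appeared, disappeared or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

if __name__ == "__main__":
    print("unapproved third-party hosts:", unapproved_hosts(SAMPLE_HTML))
    # Constructed baseline vs. current hashes; in practice compare snapshot(web_root) to a saved baseline.
    print(diff_snapshots({"index.html": "aa", "js/app.js": "bb"},
                         {"index.html": "aa", "js/app.js": "cc", "js/extra.js": "dd"}))
```

Run it against a saved baseline on a schedule; an added file, a modified page or a new external host all warrant a look before a scanner or Google flags the site.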
WHIR: Is there anything else that you think is important for Web hosts to consider in terms of their malware strategy?
CS: Practice the fundamentals of network and application security. Furthermore, perimeter-level security is a part of network infrastructure. Security practices should follow the basic principles and benchmarks of securing configuration and patch management, in order to combat against a number of threats. Additional security, through network appliances and perimeter devices, is also a good step to consider. Lastly, there is no patch for ignorance. So users and administrators should be well trained to handle the security outbreaks proactively.