Malware - continuing threat (Pt. 2)

In research performed during 2005 by Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy of the Department of Computer Science & Engineering at the University of Washington, 18 million URLs were crawled; spyware was found in 13.4% of the 21,100 executables discovered, and scripted “drive-by downloads” in 5.9% of the web pages processed. You can read the research paper, entitled “A Crawler-based Study of Spyware on the Web”, on the web here: http://www.cs.washington.edu/homes/tbragin/spycrawler.pdf.

Interestingly, their research noted a reduction in drive-by downloads when they ran the same tests again 6 months later; however, they still found that “14% of the spyware contained potentially malicious functions, such as Trojan downloaders and dialers.” I’d be interested to see what the results would be of performing a similar web crawl now. I suspect they would find a higher percentage of both malicious spyware and drive-bys. Research performed by Provos, McNamee et al. in their 2007 paper “The Ghost In The Browser, Analysis of Web-based Malware” would seem to support this, reporting 450,000 out of 4.5 million sampled URLs “that were successfully launching drive-by-downloads of malware binaries and another 700,000 URLs that seemed malicious but had lower confidence.”

More worrying is the conclusion that malware binaries frequently change to “thwart detection by anti-virus engines.” Simply stated, this means that if you’re relying solely on anti-virus software for protection, then you are not protected.


So, what is the purpose of all this malware? According to The Honeynet Project, the “goal is to deploy malware on a victim’s machine and to start collecting sensitive data, such as online account credentials and credit card numbers.” In the paper “Know Your Enemy”, presented on that same site, research was performed into actual real-life drive-by malware and its impact.

One cited example looked at a fan site set up for the popular jazz musician Keith Jarrett. Firstly, it’s important to note that the exploit code contained on the web page was obfuscated to evade detection by intrusion detection systems and anti-malware software. “Once the exploit was successful, malware was downloaded and executed on the client machine. All of this, of course, happens in the background and is not noticeable by the user.”

The malware then sniffs network traffic, recording URLs, usernames, passwords and anything else that happens on the infected machine and, in this example, sends the data to a server in the Republic of Moldavia.

The research ends on an interesting note.

Finally, we make a recommendation on the software to use. Attackers are criminals that would like to attack as many people as possible in order to get the largest return on their investment. As such, they target popular, homogeneous systems. The tests we conducted show that a simple but effective way to remove yourself as a targeted user is to use a non-mainstream application, such as Opera. As mentioned above, despite the existence of vulnerabilities, this browser didn’t seem to be a target.

There’s no doubt, from all the research we’ve looked at, that malware continues to pose a significant threat. Attacks are also becoming more targeted, as evidenced by this story about attacks aimed specifically at senior executives.

I think the next thing we need to do is try to assess how well our available controls mitigate these risks. Anyone want to offer up some views on that?
