Drive-by and XSS attacks will increase in 2013 – but why?

Drive-by download and cross-site scripting attacks (XSS) will remain top hacking methods in 2013. But what is their enduring appeal for hackers?

Drive-by download attacks and cross-site scripting attacks (XSS) are set to remain top attack methods in 2013, according to the latest threat report from the European Union (EU) cyber security agency, Enisa. But why do they continue to grow in popularity with attackers?

Perhaps the most obvious reason is that they are invisible and can be launched through links and malicious code on compromised legitimate websites unlikely to figure on any corporate watch lists.

But beyond that, drive-by attacks are becoming easier to carry out because of the increasing availability of exploit kits, according to Tim Rains, director of Microsoft Trustworthy Computing.

These exploit kits – of which blacole or blackhole is the best-known – make it easy for attackers to exploit vulnerabilities in popular software installed on most consumer and enterprise computers.

In particular, attackers use this exploitation technique to target browser plug-ins such as Java. Enisa reports that Java exploits represent the biggest cross-platform threat.


The link with ubiquitous software demonstrates what is probably the biggest reason these attack methods remain effective and popular, said Rains, who lists drive-by attacks and XSS among his top five threat predictions for 2013.

Enterprises struggle to keep up to date

“For large enterprise, it has always been a challenge to keep all software and systems up to date to ensure they have all the latest security improvements,” he said.

On top of this challenge, few organisations are able to say if all versions of a targeted piece of software have been patched.

“While they may understand the need to keep Java up to date, they may not realise they have several versions of Java running in their environment that need to be updated continually,” said Rains.

Attackers are taking advantage of these gaps around the world, including the UK where drive-by attacks have crept into the top 10 threats in the past two years.

Top 10 UK cyber threats

In data for the second quarter of 2012 published in the Microsoft Security Intelligence Report volume 13, half the top 10 threats for the UK were exploits delivered through drive-by downloads as well as spam and phishing.

“That is a high percentage, considering the UK did not have a single exploit in its top 10 threat list two years ago,” said Rains.

The key for enterprises to guard against this kind of threat is to keep all software and systems up to date, he told Computer Weekly.

“In 2013, enterprises should look at what popular software they have in their environment and assess how likely each is likely to become the next target,” said Rains.

Hackers use video and audio for malware

Enterprises should also pay attention to trends such as attackers using video and audio files to install malware, he said.

Microsoft threat analysis has identified a Trojan downloader family that uses this tactic, called ASX/Wimad. This has crept into the top 10 lists of threats in several locations around the world.

The Trojan takes advantage of the fact that many video formats allow scripts to be run, so attackers simply have to add malicious scripts to popular films designed to download more malware.

“I suspect this upward trend will continue in 2013 as attackers continue to take advantage of people’s desire for free entertainment and software,” said Rains.

Data drawn from a range of Microsoft security tools on 600 million systems worldwide shows that in the second quarter of 2012, 5.5% of systems in the UK that were infected with malware were infected with the ASX/Wimad Trojan.
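A defender-side check for the media-file tactic described above, added here as an illustration and not code from the article or from Microsoft: it scans an ASX (Windows Media metafile) playlist and flags entries whose references point at something other than a media stream, such as an executable or a web script. The ASX sample is constructed, and the assumption that a downloader playlist carries its payload link in a REF HREF attribute is mine, not the article's.

```python
"""Flag ASX playlist entries that reference non-media resources.
Added example for this article; the ASX sample below is constructed."""
import re
from urllib.parse import urlparse

MEDIA_EXTENSIONS = {".asf", ".wma", ".wmv", ".mp3", ".avi", ".mpg", ".mpeg"}
STREAM_SCHEMES = {"mms", "mmsh", "mmst", "rtsp"}
# ASX files in the wild are frequently not well-formed XML (unclosed tags,
# mixed case), so scan with a case-insensitive regex, not a strict XML parser.
HREF_RE = re.compile(r'<REF\s+HREF\s*=\s*"([^"]+)"', re.IGNORECASE)


def classify_href(href):
    """Return a reason string if the reference warrants review, else None."""
    url = urlparse(href)
    scheme = url.scheme.lower()
    if scheme in STREAM_SCHEMES:
        return None  # a genuine streaming URL
    if scheme not in {"http", "https"}:
        return f"unexpected scheme {scheme!r}"
    path = url.path.lower()
    last_segment = path.rsplit("/", 1)[-1]
    ext = path[path.rfind("."):] if "." in last_segment else ""
    if ext in {".exe", ".scr"}:
        return "reference points at an executable"
    if ext not in MEDIA_EXTENSIONS:
        return f"reference is not a media file ({ext or 'no extension'})"
    return None


def suspicious_entries(asx_text):
    """Return a list of (href, reason) pairs for references that need review."""
    findings = []
    for href in HREF_RE.findall(asx_text):
        reason = classify_href(href)
        if reason:
            findings.append((href, reason))
    return findings


# Constructed sample: two legitimate media references, two redirectors.
SAMPLE_ASX = """<ASX version="3.0">
  <TITLE>Free movie</TITLE>
  <ENTRY><REF HREF="mms://media.example.net/trailer.wmv" /></ENTRY>
  <ENTRY><REF HREF="http://cdn.example.org/clip.wmv" /></ENTRY>
  <ENTRY><REF HREF="http://codec.example.com/get.php?id=1" /></ENTRY>
  <ENTRY><ref href="http://dl.example.com/codec_setup.exe"></ENTRY>
</ASX>"""

if __name__ == "__main__":
    for href, reason in suspicious_entries(SAMPLE_ASX):
        print(f"{href}: {reason}")
```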

Consumerisation exacerbates cyber threats

But if attackers are targeting video and audio, why is this relevant to enterprise security?

It is not uncommon for employees to use business computers and systems to search for and store such content, said Rains.

“In the past, when attackers have targeted computer games, this type of infected content turned up regularly on corporate systems where you would not expect it to be,” he said.

The likelihood of finding such content is even greater now with the proliferation of consumer devices in the corporate environment.

“Consumerisation of IT is making keeping track of this kind of threat even more challenging because of the growing number of almost completely unmanaged and unmanageable devices that are accessing corporate data such as email and surfing the internet without restriction,” said Rains.

CISOs manage data access and security risk

In an attempt to get the situation under control, he said many CISOs are not trying to manage the device, but instead are focusing on managing access to data and the security of data.

“We are seeing a change in how CISOs are trying to manage the risk around corporate data to enable the benefits of consumerisation,” said Rains.

“Threats such as the ASX/Wimad Trojan underline the importance of having information security policies in place as well as the technologies and processes to enforce them,” he said.

Malware rootkits set to evolve in 2013

Technology developments are another key area enterprises should keep an eye on, according to Rains. He predicts rootkits will evolve in 2013 due to the recent introduction of the Unified Extensible Firmware Interface (UEFI) and secure boot, two new technologies designed to provide more protection against rootkits and other boot loader attacks.

“As systems that use these technologies, such as Windows 8, become more pervasive, I expect to see purveyors of rootkits attempt to innovate and evolve their malware because the bar has been raised significantly,” said Rains.

He believes the technologies provide significant protection against rootkits and will provide much value in terms of risk management and security to Microsoft customers looking to move off Windows XP SP3 before the product reaches the end of its life in April 2014.

“Features like secure boot and UEFI help get to a point where we have a trusted platform because when the machine boots up, rootkits are unable to run before the OS and anti-malware kicks in,” said Rains.

Keeping all software up-to-date, running anti-malware software from a trusted source, and demanding software that has been developed using a security development lifecycle will continue to be best practices in 2013, said Rains.

“These are among the best measures enterprises and consumers can take in light of how the threat landscape is evolving. If all software is kept up to date, it makes it harder for attackers to be successful,” he said.
