Java Attacks Spiking

Researchers see increase in malicious Trojans favoring built-in Java functionality over application-related vulnerabilities.
Attackers are increasingly relying on Java to execute drive-by attacks.

According to a recently released report from Kaspersky Lab, "in the latter stages of a drive-by attack" a fast-growing class of Trojan applications is using standard Java functionality, rather than operating system or application vulnerabilities, to infect computers with further malicious code.

In particular, attackers "employ the OpenConnection method of a URL class" to give their Trojan an Internet connection, according to Kaspersky's Vyacheslav Zakorzhevsky. "Instead of exploiting vulnerabilities, [they] use standard Java functionality to download and run files from the Web. This is currently one of the prime download methods for malicious programs written in Java." The catch for the attacker is that the Java sandbox denies unsigned applets the file writes and process launches such a downloader needs, so the technique only works once the applet is running with permissions, typically a signed applet the user has accepted, or after some other escape from the sandbox.
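Because a downloader of this kind uses ordinary library calls, the class names and method names it relies on (java/net/URL, openConnection, a FileOutputStream, Runtime.exec) all sit in plain view in the class file's constant pool. The following is an added example, not Kaspersky's tooling or anything from the report: it parses the constant pool of a .class file and flags the fetch-write-execute combination. The indicator lists, the helper names and the two sample class files (constructed in code, not real malware) are assumptions made for the example.

```python
"""Static triage of a Java .class file for the download-and-execute pattern:
URL.openConnection() plus a file write plus Runtime.exec(). Added example,
not Kaspersky's code; indicator strings and sample classes are assumed."""
import struct

# Byte sizes of the fixed-length constant-pool entries, keyed by tag (JVM spec 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_strings(data: bytes) -> list:
    """Return every CONSTANT_Utf8 entry of a class file, in pool order.
    Every class, method and field reference in the bytecode resolves through
    these entries, so they reveal which APIs the class is able to call."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", data[8:10])[0]  # constant_pool_count
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1  # long and double occupy two slots
    return out


# Assumed indicator groups: a downloader needs all three to fetch, write and run.
INDICATORS = {
    "network": {"java/net/URL", "openConnection", "openStream"},
    "write":   {"java/io/FileOutputStream", "java/nio/file/Files"},
    "execute": {"java/lang/Runtime", "exec", "java/lang/ProcessBuilder"},
}


def triage(data: bytes) -> dict:
    """Map each indicator group to the pool strings that matched, plus a
    single verdict that is True only when all three groups are present."""
    strings = set(constant_pool_strings(data))
    hits = {name: sorted(strings & needles) for name, needles in INDICATORS.items()}
    hits["download_and_execute"] = all(hits[name] for name in INDICATORS)
    return hits


def build_class(utf8: list) -> bytes:
    """Construct a minimal class file (for the example only, not a real
    sample) whose pool holds the given Utf8 strings, two CONSTANT_Class
    entries for this_class/super_class, and one long to exercise the
    two-slot rule. Only the constant pool matters for the scan."""
    pool = b""
    for s in utf8:
        enc = s.encode("utf-8")
        pool += struct.pack(">BH", 1, len(enc)) + enc
    n = len(utf8)
    pool += struct.pack(">BH", 7, 1) + struct.pack(">BH", 7, 2)  # Class entries
    pool += struct.pack(">Bq", 5, 0x1122334455667788)            # Long entry
    count = n + 5  # n Utf8 + 2 Class + 2 slots for the Long, plus one
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, count)
    # access_flags, this_class, super_class, then empty interface/field/method/attribute tables
    body = struct.pack(">HHHHHHH", 0x21, n + 1, n + 2, 0, 0, 0, 0)
    return header + pool + body


# Constructed sample pools: what javac would emit for a downloader applet versus a benign one.
DOWNLOADER = build_class(["Loader", "java/applet/Applet", "java/net/URL",
                          "openConnection", "java/io/FileOutputStream",
                          "java/lang/Runtime", "exec"])
BENIGN = build_class(["Hello", "java/applet/Applet", "java/awt/Graphics",
                      "drawString"])

if __name__ == "__main__":
    for name, blob in (("downloader", DOWNLOADER), ("benign", BENIGN)):
        print(name, triage(blob))
```

The scan is cheap enough to run over every .class pulled out of a JAR at a proxy or in a sandbox, but it is a triage aid rather than a verdict: a class that builds the API names at runtime and reaches them through reflection will not show them in its pool, and a legitimate updater matches all three groups.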

It's also quite prevalent, with two OpenConnection Trojans placing among the top 10 most-seen malicious programs last month. "At the height of their activity the number of computers on which these programs were detected in a 24-hour period exceeded 40,000," he said.

Attackers have also recently been polishing the TDSS rootkit, which Zakorzhevsky describes as "one of today's most complex malicious programs." Last month, its creators modified it to take advantage of a local privilege-escalation vulnerability in the Task Scheduler of Microsoft Windows 7, Vista, and Server 2008, which was discovered by security researchers analyzing Stuxnet. Microsoft patched the flaw in December (MS10-092, CVE-2010-3338); until then it gave the rootkit a way to gain the system-level rights its installer needs without an elevation prompt.

While some attackers push the envelope with Java and cutting-edge rootkits, others still rely on the tried and true, such as attacks against social networks and e-mail spam.

On the spam front, a report released by Sophos on Tuesday found that the United States continues to lead the world when it comes to relaying spam. In fact, from October to December 2010, 19% of all spam was relayed via the United States.

Interestingly, global spam volumes uncharacteristically dipped at Christmastime, with some industry watchers reporting that the normally prolific Rustock botnet appeared to be spewing less spam than usual.

But the dip suggests that "the bad guys are now using the botnet for other activities," said Graham Cluley, senior technology consultant at Sophos. "For instance, installing revenue-generating pop-up adverts or [practicing] identity theft [on] unsuspecting home users."

Furthermore, the dip was short-lived. As of Monday, said Cluley, the volume of spam being served by Rustock had returned to its pre-holiday levels.