Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Guest Blog // Selected Security Content Provided By Sophos
What's This?
12/31/2013
11:01 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

When Websites Attack

Windows threats like Cryptolocker and ZeroAccess get all of the attention, but malware targeting (Linux) Web servers continues to evolve

Malware became even smarter, stealthier, and shadier in 2013, according to the latest Sophos Threat Report. Nowhere was this more evident than in the use of the Web as a vector for spreading malware to unsuspecting users. Sure, the payloads -- from the disruptive Cryptolocker ransomware to the silent but deadly ZeroAccess botnet -- were more sophisticated this past year, but the unsung "heroes" of cybercrime are the 20,000 to 30,000 new malicious URLs that come online each day.

Those malicious URLs -- 80 percent of which are on compromised, legitimate websites, according to a SophosLabs estimate -- can serve a number of purposes. Some deliver the payload, of course, usually through drive-by downloads, malvertising, or social engineering. But those are just a small handful of the total. The rest serve as the funnel to get users to the payload delivery sites. That includes generating SEO spam that increases exposure to dangerous URLs and shuffling users from the legitimate sites they were viewing through a series of traffic redirectors to the ultimate payload. Recently, Sophos researchers have seen that some compromised sites are centrally controlled like a botnet, allowing them to serve up DDoS and other coordinated attacks.

That coordination, and the delivery of the payloads, is handled by exploit kits. While Blackhole has been on the decline, especially after the arrest of its alleged creator, Paunch, plenty of others have stepped up to take its place. Names like Neutrino and Glazunov have become familiar to security researchers, along with Redkit, which wreaked havoc this spring on high profile sites like NBC.com and lesser-known URLs advertised by tasteless spam exploiting the Boston Marathon bombings. These new exploit kits build on the leaked source code of Blackhole, while adding new features and capabilities, like the aforementioned bot-like behavior.

Hosting the exploit kits are infected Web servers. This past year saw a rise in the use of malicious modules for the Apache Web server, such as Darkleech. This nasty bugger is capable of using all kinds of tricks to avoid detection and analysis, such as only responding with malicious behavior once per IP address or triggering randomly one in every 10 times a page is accessed.

It's notable that most of the compromised Web servers out there are running Linux, which should give pause to those who think of the OS as immune from malware. Attackers continue to infect Linux Web servers through vulnerabilities in content management systems (e.g., WordPress and Joomla), plugins for those CMSes, control panels, and development platforms like PHP. Of course, passwords are also a weak link, as they can be stolen by malware, guessed based on defaults or common user choices, and purchased on the black market following data breaches (since many site owners use the same password in multiple places).

For organizations, the implications are clear. First, websites and other servers exposed to the Internet must be protected with defense in-depth. Web application firewalls, AV software, a robust patching strategy, and even specialized Web protection services may be warranted. Second, a thoughtful strategy for protecting users within the organization from Web-borne malware is critical. This includes robust perimeter protection, but also layered endpoint protection like Web filtering, Web threat detection, and HIPS, so users' machines are secure even when they're outside of your network perimeter.

For more information about the latest threat trends, check out Sophos Threat Report 2014 at sophos.com/threatreport. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
chny07
0%
100%
chny07,
User Rank: Apprentice
6/14/2014 | 3:55:08 AM
Great
Thanks for the great article. i really appreciate it. it will be a great guide for my en ucuz iphone fiyatları thesis
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13991
PUBLISHED: 2020-09-24
vm/opcodes.c in JerryScript 2.2.0 allows attackers to hijack the flow of control by controlling a register.
CVE-2020-15160
PUBLISHED: 2020-09-24
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
CVE-2020-15162
PUBLISHED: 2020-09-24
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
CVE-2020-15843
PUBLISHED: 2020-09-24
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" t...
CVE-2020-17365
PUBLISHED: 2020-09-24
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially craf...