Malware Epidemic Demands a United Front

Fighting cybercrime in the cloud

Cybercriminals are a busy bunch these days: stealing identities by the millions, grabbing credit and debit card account numbers, and waging a myriad of other attacks on unwitting users, businesses, and vulnerable websites. Their weapon of choice is the malware injection; one web page is infected every five seconds, triple the infection rate in 2007.

Among the most vulnerable--and the most lucrative for cybercriminals, because of the sites' enormous reach--are trusted, popular sites with unpatched vulnerabilities. Around the middle of 2007, iFrame and SQL injections of malware began infecting legitimate websites, and the public started to heed the warnings of IT security analysts and pundits. The tone of their battle cry was calm but unequivocal: Web 2.0, with its defining features of social networking, RSS feeds, dynamic user-generated content, and mash-up applications, would open up new opportunities for cybercriminals. Cybercrime is now a roughly $100 billion market, surpassing the illegal drug trade.

Basic classification of websites is fine and necessary. But the approach doesn't address the reality that good sites can turn bad in a matter of hours, or minutes, or that criminals are using the entire internet as a computing grid for attacks, which raises the question: "Shouldn't we be doing the same to protect ourselves?"

Across the Internet, hijacked systems are continuously scanning legitimate websites for vulnerabilities; when a weakness is identified, an injection attack follows. Often it is nothing more than a simple, undetectable 1x1 white pixel at the bottom of a web page with an active script behind it that downloads malware from an obscure host. A user visits the infected web page and the code dynamically calls the malware host to infect the user's computer. In March of this year, a malware campaign relying on iFrame injections wreaked havoc on high-profile sites, among them USAToday.com, Target.com and Walmart.com.

Instead of the more common approach in which criminals hack into systems and create botnets to do their dirty work around the clock, the campaign leveraged internal search engines by injecting malicious code into search engine results. The result "poisoned" the search engine cache feature (sites often store internal searches to augment Google rankings).

On Google, when a user searches for a popular keyword, the poisoned cached page pops up. An HTML command tacked onto the end of popular keywords then opens an invisible iFrame in the user's browser that redirects the user to a malicious host, which tries to install bogus anti-spyware or a malware Trojan on the user's PC. More than a million web pages were infected, according to Dancho Danchev, a security analyst and blogger. With Google as the point of entry, hackers were virtually guaranteed massive distribution. And in the cybercrime world, the more computers infected, the more information they can collect for profit.
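The concealed iFrame described above, and again in the search-poisoning campaign, has a recognizable shape in page HTML: a frame that is 1x1 or styled invisible and that points at a host other than the page's own. The following scanner is an added example (not code from the original article or from any vendor it names) that flags such frames in fetched page source; the sample page and host names are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate store page whose footer carries one
# injected, invisible iframe pointing at an off-site host.
SAMPLE_PAGE = """
<html><body>
<h1>Store front</h1>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
<p>Thanks for visiting.</p>
<iframe src="http://malware-host.invalid/" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    # A width/height of 0 or 1 pixel is the classic "invisible pixel" frame.
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

def _is_hidden(style):
    s = (style or "").replace(" ", "").lower()
    return "visibility:hidden" in s or "display:none" in s

def suspicious_iframes(html, page_host):
    """Return the src of each iframe that is both concealed and off-site."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # Relative src values belong to the page's own host.
        host = urlparse(src).hostname or page_host
        concealed = (_is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height"))) \
            or _is_hidden(attrs.get("style"))
        if concealed and host != page_host:
            hits.append(src)
    return hits

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_PAGE, "store.example.com"))
```

A visible embed on a third-party host (the map above) is not flagged; only the frame that is both hidden and off-site is, which is the minute-by-minute page-element check the article attributes to cloud analysis.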

According to Sophos Labs' July 2008 threat report, 90 percent of web-based malware shows up on trusted and popular sites. The vast majority of these sites are categorized as trusted by security solutions, meaning static web gateway defenses allow users to access them. But good sites can go bad in a matter of minutes, which calls for a community watch computing grid that keeps its eyes on the entire web neighborhood that millions of users access, uniting users and providing protection in numbers. The "one against the web" security defense does not work against the well-organized cybercrime computing grids working 24/7 to find vulnerabilities to expand and profit from.

Enter web security cloud services that rely on millions of users to supply web requests for constant analysis to detect newly injected malware attacks. Community watch cloud services see more web traffic than any one organization, and can bring to bear more defenses than an organization could manage on its own: as many as ten threat detection engines, minute-by-minute machine analysis of web pages, and human reviewers to confirm detections. Every user request is analyzed against these cloud defenses, which offloads the web gateway and improves performance. The cloud service is also cost effective for small and large organizations alike.

The rapid spread of malware and the nimbleness of cybercriminals, who set up and dismantle sites in minutes, demand that we band together as a web community for the protection in numbers often seen in nature. A hybrid security solution that leverages the cloud service and works hand-in-glove with security web gateways installed at the network's edge provides better protection against today's malware attacks. The cloud service can also be leveraged to protect remote users, who cannot drag traditional network defenses to airports, hotels and coffee shops.

The key to a cloud service community watch is volume and repetition: dynamic, minute-by-minute analysis of web page elements by the cloud service. The more enterprises and home users join the community watch these services represent, the better our chance of curbing the spread of malware.

For enterprise networks, the best approach is a web gateway combined with the protection of a community watch cloud service. Blue Coat's WebPulse cloud service analyzes over one billion web requests per week and extends web gateway security defenses. Blue Coat also provides a home user solution called K9 that utilizes the WebPulse cloud service to block malware hosts and rate web content to block objectionable or questionable web sites, which is a good idea for young students. AVG also provides an anti-virus solution that unites users into a computing grid to protect each other from malware and web threats. Trend Micro's Total Smart Network is another web security cloud service to block malware and web threats.

We must all add yet another layer of protection, except this time behind a united front out in the cloud.

Web Security Best Practice

The security measures most enterprises have adopted inside their networks must extend to the Internet at large. A layered approach is recommended.

1. Use a cloud computing web-security solution to protect the community at large, and thus individuals and organizations.

2. Install malware detection software at the web gateway.

3. Implement web content controls that block downloading of inappropriate and malicious content from untrusted web sites.

4. Make sure your security solution prevents corporate data leakage.

5. Extend web security to the growing fleet of remote and mobile clients.