Sophos warns of web site malware spike

Annual report reveals almost 30,000 infected web pages blocked daily during June

Web site owners are being advised to lock down their web servers after anti-malware vendor Sophos reported a huge increase in the number of infected web pages from legitimate sites on the internet.

In its biannual Security Threat Report, the vendor found 49,629 new pieces of malware, 24 percent more than during the second half of 2006, and said it had blocked nearly 30,000 web pages daily during the month of June alone.

Of those infected web pages, the vast majority – around 80 percent – were legitimate sites injected with malicious code exploiting vulnerabilities in the web server, according to Sophos senior technology consultant, Graham Cluley. Simply visiting one of these pages is enough to infect a user's PC with Trojans, spyware, adware or other unwanted applications, he added.

"Hackers are trying to infect firms via the web browser because most companies are scanning emails for viruses now," explained Cluley. "It's no good for firms to block access based on category [or URL], they need to scan every site for malware as the user accesses it."

The report also found that Apache servers were the most likely to be compromised. Over half of the web-based vulnerabilities were discovered on sites running Apache, compared to 34 percent running Microsoft IIS 6. Cluley advised firms to ensure their servers are up-to-date with patches and to conduct regular scans of content on the site, especially if it allows a lot of user-generated content to be uploaded.

"We contact some of the more well-known sites we find that are infected, but some of them just get immediately re-infected and some don't know what we're talking about," Cluely said. "We think it could be in the public's interest to name the ones who aren't listening to us."

Graham Titterington of analyst firm Ovumargued that naming and shaming those sites which fail to take down known malware from their sites could work for a few high-profile web sites, as it may act as a warning to others. But he added that public apathy would mean a long-term campaign may have limited effect.

Titterington also argued that complacency with patch management may be the cause of the high number of Apache servers found to have been compromised. " They must lock down their sites as much as they can and monitor changes in the configuration files," he advised.

The Sophos report also found that hackers are trying to spread malware via removable USB devices, taking advantage of PCs which have auto-run enabled to automatically execute the code as soon as a removable device is attached.

"It's a boomerang back to the old days when PCs were infected by floppy disks," said Cluley.

Titterington added that it reinforces the need for protection at the endpoint as well as the gateway, as traditional web filtering technology would not be able to spot infection via USB.

"The volume and the speed at which USBs execute and run when plugged in make it quite potent, but it's still a relatively cumbersome channel [of infection], " Titterington argued. "It will only really work for targeted attacks, not mass mailers."

In related news, email security specialist Tumbleweed has reported that spammers are now expoliting Excel applications as a way of bypassing traditional filtering technology. The new trend follows a similar technique of using attached PDF documents containing embedded images, which was flagged up by several security vendors in recent weeks.