Thehas since continued unabated, most recently in the form of Web-based attacks. E-mails, socially engineered to look like electronic greeting cards and linked to a Web site containing malware, completely avoided traditional e-mail antivirus gateways. The Storm Worm's course change to the Web reflects a growing trend of malware Web-based attacks launched through e-mail.
The simple logic behind these e-mail-based blended threats is astoundingly effective: no attachment means no antivirus block. And when combined with a user-friendly invitation, it creates the opportunity for a high infection rate.
Blended threats easily lead people to Web sites where malware gets downloaded--often without user interaction or knowledge. The industry is just now realizing the severity of the problem,
Researchers at Google recently published a paper concluding that approximately 10 percent of reviewed URLs contained "drive-by downloads" of malware binaries (PDF) and many more that were flagged as suspicious.
Our research at Avinti examined URLs being "advertised" through e-mail by spammers, and we found similar results: 40 percent of all e-mails contain at least one URL, and of those, approximately 7 percent linked to a malware site.
Malware once lurked in the dark corners of the Internet, but recent hacks have shifted it to the places we all frequent. For evidence, look no further than this year's hacking of the Web site for Dolphin Stadium, home to Super Bowl. Or the Sydney Opera House. Even popular social-networking sites like MySpace and Facebook have been platforms for exploits. Yes, the sites we frequent daily and trust may be the biggest threats we face in the future and we may be lured there by an innocuous e-mail link to view a greeting, blog or video.
The new Web (2.0) is a fertile breeding ground for malware. Links, blog postings, shared applications and syndicated traffic are all backdoor opportunities for unknown exploits to invade legitimate sites.
At the same time, traditional tools such as Web filters, originally built for blocking objectionable content, struggle to catch these attacks as much as antivirus products do in keeping up with ever-changing e-mail-borne attacks. Spammers and hackers have automated the process so that these sites can be up and running and then down in a matter of hours long enough to carry out their attacks. Like the Storm Worm variants, these sites may be up, active and out of business before a bad URL or IP address is ever logged.
Given the frequency of hackers hijacking a legitimate Web site to insert malware, such as an attack spoofing the Better Business Bureau, blocking a domain or subdomain is becoming more problematic. What about linked pages? Are they blocked by association or if they serve up the malicious link? What if a single IP address hosts sites for both malware and non-malware sites? Without proper control, we may end up either blocking too much, or jeopardizing our trust in valid Web sites.
Fortunately, there is some light now that we have recognized the problem. Organizations like Stopbadware.org and Google are beginning to address ways to share information on malware sites. More vigilance by social sites and IT directors on patching and maintaining their Web sites is going to become more critical than ever.
In addition, there is a greater realization among vendors that since hackers and spammers don't look at e-mail, IM, or the Web independently, they can't afford to either. What we need now are proactive solutions that are as dynamic as the attacks they are trying to prevent; that can detect both known and unknown threats, whether on the Web, e-mail, or IM. Until then, beware the next time you get an e-mail greeting card.