
Press Releases by WebKnowHow


ScanSafe Reports Web Viruses Increase 36 Percent; Warns of Hijacking of Legitimate Websites to Unknowingly Distribute Malware via Third Party Provided Content


June 19, 2007; 04:06 AM
ScanSafe, the pioneer and leading provider of Web Security-as-a-Service, today issued its latest monthly Global Threat Report. Among the report's key findings, for the second consecutive month, Web malware and particularly Web viruses increased significantly.

According to the company, Web viruses increased 36 percent in May following an increase of 26 percent in April. Spyware increased 10 percent in May, following an 8 percent increase the previous month.

"This is the second consecutive month of a meaningful increase in Web viruses," said Dan Nadir, vice president, product strategy, ScanSafe. "The ANI (animated cursor) vulnerability, reported in late March, may be responsible for part of this increase. While a patch has been available since early April, millions of PCs remain unpatched and vulnerable to ANI exploits. We expect to see ANI exploits for months to come."

Hackers Leveraging Vulnerabilities in Decentralized Web Content to Spread Malware

The company also cautioned that it is increasingly seeing legitimate websites unknowingly host malware as the result of malicious content provided to sites by third parties or through compromised servers. This includes content from ad servers, user contributed content, and widgets (interesting content from third party sites embedded into the Web page). Even more troubling, when hosting companies are compromised, all of their customers' websites are at risk.

"Many websites today do not have one single content owner," said Nadir. "In addition to content provided and controlled by the website owner, it might also contain third party content provided from advertisements, blogs and other sources. This decentralization of content ownership and the increase in moving parts has made it easier for malware authors to seed malware on legitimate, trusted sites without the website owner's knowledge. It's a growing problem."

In recent weeks, ScanSafe has identified two instances of malware being spread on legitimate sites via content that came from a source outside of the website owner's control:

1. In early June, hackers gained access to passwords for FTP accounts for 3,500 websites hosted by DreamHost. ScanSafe identified two high profile U.K. music industry sites that were then compromised to unknowingly host an iFrame (inline frame, a floating frame inserted within a Web page) that loaded Trojan-Downloader.JS.Psyme.fq. It then redirected to a malicious website, where a second piece of malware, Trojan-Downloader.Win32.Small.mi, was executed. The entire attack was completely invisible to users, including the iFrame, which was only one pixel wide.

The sites were www.clintons.co.uk, a well known law firm that has represented musicians including Paul McCartney, The Who, Jimi Hendrix and U2; and www.nationwidemercurys.com, the prestigious Mercury music awards site sponsored by Nationwide, whose previous winners have included Coldplay and the Arctic Monkeys.

2. In early May, a compromised ad server was used to distribute an ANI exploit on www.tomshardware.com, a popular technical product review site. An ad redirected users to an infected site which hosted the Trojandownloader.ani.gen. Over the past three months, ScanSafe has observed various mainstream ad servers being used to spread malware.

The recent attacks highlight the necessity of anti-malware solutions that scan Web traffic in real-time.

"We believe that malware authors are starting to leverage obfuscation techniques to avoid detection by Web filtering solutions that rely on crawling the Web to identify malware," Nadir said. "Traditional Web filtering solutions that rely on periodically updated URL databases and honeypots to identify threats can leave users exposed to these anti-Web crawling attacks. In addition, they cannot keep up with the dynamic, user-generated content that characterizes today's sites, particularly Web 2.0 sites."

The ScanSafe Global Threat Report is based on real-time analysis of more than 7 billion Web requests scanned and more than 12 million Web threats blocked by the company in May on behalf of its corporate customers. It is the largest analysis of Web security threats based on real-world traffic.

For a copy of the full Global Threat Report, please visit http://www.scansafe.com/__data/assets/pdf_file/4344/gtr_may2007_v4.pdf

About ScanSafe

ScanSafe is the largest global provider of Web Security-as-a-Service, ensuring a safe and productive Internet environment for businesses. ScanSafe solutions keep viruses and spyware off corporate networks and allow businesses to control and secure the use of the Web and instant messaging. As a fully managed service, ScanSafe's solutions require no hardware, upfront capital costs or maintenance and provide unparalleled real-time threat protection. Powered by its proactive, multilayered Outbreak Intelligence™ threat detection technology, ScanSafe scans more than 7 billion Web requests and blocks 12 million threats each month for customers in over 30 countries.

Since pioneering the market for Web Security-as-a-Service, ScanSafe continues to deliver innovative Web security solutions, including the introduction of the world's first early warning system which scans and classifies search engine results based on the presence of malware and unwanted content. In addition to being part of its corporate Web security service, the safe search technology is available to consumers as a free service at www.scandoo.com.

With offices in London and San Mateo, California, ScanSafe is privately owned and financed by Benchmark Capital and Scale Venture Partners. The company received a 2007 CODiE award for Best Software as a Service Solution, the Info Security Global Product Excellence Award for Best Managed Security Service and was named one of Red Herring's Top 100 Technology companies. For more information, visit www.scansafe.com.
