September 01, 2006

World Wide Web Introduces Corrupt Connections



By Yuval Ben-Itzhak
TMCnet Web Security Columnist


The World Wide Web not only helped to create the global village, it also produced a paradigm shift in the way people work. In the “old” offline computing environment, electronic information in most cases was pushed to the desktop, usually either by email or diskette. In today’s wired world, corporate users are always connected and use the Web to access information that they need to carry out their work activities.
 
The Web provides endless sources of information as well as exciting business opportunities for the modern corporation. This universal connectivity empowers corporate users to download and install new software from the web, without needing to bother an administrator. Since users deliberately search for and choose the information they want, this method can be described as “pull” rather than “push.”
 
However, while the Internet has become an indispensable part of our business and personal lives, the shift from pushing to pulling information has introduced a new dimension for the propagation of malicious content.
 
The Invisible Web Threat
 
Today’s wired world has bred a new generation of e-criminals that exploit the very connectivity that has become so crucial to corporate business productivity. Driven by financial gain, e-criminals build their nasty schemes around the fact that users are always connected. Spyware/Adware, Trojans, and Rootkits are examples of malicious content aimed at serving the “new age” criminals’ business interests.
 
In addition, free software, toolbars and utilities downloaded by corporate users often include “invisible” malicious content that can compromise an entire corporate network.
 
Malicious content covers a wide range of web threats, including applications that display pop-up ads, applications that co-opt search results, keyloggers that intercept credit card numbers and send them to a remote machine, or even Trojan horses that expose corporate desktops to remote hacking.
 
The fact that desktops crash less often than in the days of the “I Love You” virus does not mean that corporate computers are healthier, or that the valuable data they hold is secure. In today’s connected environment a crashed or disconnected machine is useless to an attacker. A corporate PC is far more valuable to an e-criminal when it stays connected, can reach the malicious site, and remains available for “silent” downloads, remote execution and the like.
 
Malicious Code for Sale
 
The evolution of web-based threats is being driven by commercial and financial interests. Adware alone is estimated to generate annual revenues in the hundreds of millions of dollars. Spyware and Trojan SDKs are available for sale, some with a “warranty”: if the vendor patches the vulnerability the kit exploits, the seller will supply a new, unpublished one.
 
Security research reveals that a real market exists for malicious code, including buyers, sellers and distributors. Motivated by the business opportunity, hackers continue to raise the technological bar to find new ways to exploit vulnerabilities. As the vulnerability market develops, many hackers prefer to sell new exploits for profit rather than disclosing them responsibly to the vendor whose product is affected.
 
Finjan’s Web Security Trends Report (Q2 2006) documented this growing market for malicious code, governed by the forces of supply and demand and fueled by e-criminals who are willing to pay hackers handsome sums for their wares.
 
 
A number of these new trends are highlighted below.
The Vulnerability Market Continues to Grow

Taking advantage of the openness and anonymity offered by the Internet, hackers utilize the web to auction off ‘just discovered’ vulnerabilities to the highest bidder. Selling unpublished vulnerabilities on the black market represents a new source of revenue for hackers.
 
One example of such an auction was posted to the “Full Disclosure” mailing list, which is well known in the security community.
 

[Figure: Vulnerability for sale]
 
“Do It Yourself” Malware Toolkits

Products are available for sale which package exploits into easy-to-use toolkits. One such product, called Web Attacker Toolkit, was being offered for $300 via a Russian website. This toolkit enables individuals to create a malicious website that installs malicious code on the computer used to visit the site, using the drive-by download method: no user action beyond loading the page is required.
 
Malicious Code in Spam Messages

Until fairly recently, spam was considered more of a nuisance than a danger. Today, spam messages are found in the wild that carry malicious content or link to malicious websites, and are thus used as a vehicle for blended attacks. These blended attacks use active content, encoding and other techniques to bypass traditional anti-virus and email security solutions.
 
The example below was distributed in the wild in June 2006 and targeted the customers of National Australia Bank (NAB). The link in the spam message directs recipients to a malicious website which automatically installs a Trojan on the user’s machine.
 
[Figure: Spam using remote malicious site]
 
The above examples clearly show that a new “battlefield” has been established, driven by new interests and monetary gain. New security methods are needed to protect corporations from threats that potentially expose them to identity theft, privacy liability issues and compromised intellectual property.
 
New Threats Require Proactive Solutions
 
In order to address these new types of threats, and to ensure compliance with regulatory requirements, corporations require intelligent, proactive security solutions that complement their existing security infrastructure.
 
According to Gartner: “Traditional signature-based antivirus products can no longer protect companies from malicious code attacks. Vendors must execute product and business strategies to meet the new market requirements for broader malicious code protection.” (Gartner, Feb. 2005 Magic Quadrant)
 
Reactive, signature-based security solutions, e.g., anti-virus, need time to create and deliver a signature update to their databases, and thus cannot offer immediate protection against new, unknown attacks. This creates a Window-of-Vulnerability™, during which networks remain exposed to new attacks for hours and sometimes days, until patches or signature updates are installed.
 
 
In order to protect themselves and their customers from today’s sophisticated web threats, corporations have started to implement proactive, behavior-based security solutions that scan web content for known and new potential threats before they reach the end user’s desktop.
 
Behavior-based security closes the Window-of-Vulnerability to safeguard networks from new and unknown types of malicious code. This technology inspects web content on the fly for suspicious or malicious operations: function calls, commands and the sequences in which they are invoked.
 
Using these findings together with smart algorithms, behavior-based security builds the expected execution model of the content and looks for dangerous execution paths that might compromise the end-user machine. Then, in accordance with each organization’s specific security policy, the security engine decides whether to allow, block or neutralize the content.
 
In addition, behavior-based security analyzes each and every piece of content, regardless of its original source. Web pages from Myspace.com or Yahoo.com are analyzed in exactly the same way as pages from smaller or recently created websites.
 
This technology ensures that malicious content does not enter the network even if its origin is a highly trusted site. This differentiates behavior-based security from URL filtering solutions, which automatically mark well-known websites as trusted despite the fact that hackers can upload malicious code to personal pages or ads on those domains, as in the recent Myspace.com case.
 
As behavior-based security analyzes code behavior and understands the context of its execution environment, this approach is highly effective in handling unknown and dynamic web content. Since it does not require signatures or pre-defined patterns to identify malicious content, it is the ideal solution for securing corporate networks from the new and emerging threats in today’s wired world.
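The following is an added illustration of the approach described above (inspect the content itself, decode obfuscation layers, score suspicious operations, then allow, block or neutralize by policy, with no trust granted to the originating domain). It is example code written for this column, not Finjan’s product or any real scanner; the rule names, weights, thresholds, the `url_filter_decision` contrast and the three sample pages are all constructed for the demonstration.

```python
"""Toy behaviour-based scanner for inbound HTML/JavaScript (added example).

Models the column's approach: look at what the content *does* rather than
where it comes from. Rules, weights, thresholds and sample pages are
constructed for illustration and are not from any real product."""
import re

# (rule name, pattern over one decoded layer of the content, weight) -- illustrative
RULES = [
    ("activex_instantiation", re.compile(r"\bnew\s+ActiveXObject\s*\(", re.I), 4),
    ("shell_execution", re.compile(r"WScript\.Shell|Shell\.Application", re.I), 5),
    ("file_download", re.compile(r"ADODB\.Stream|Msxml2\.XMLHTTP", re.I), 4),
    ("dynamic_eval", re.compile(r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode", re.I), 2),
    ("hidden_iframe", re.compile(r"<iframe[^>]*(width|height)\s*=\s*[\"']?0", re.I), 3),
    ("script_injection", re.compile(r"document\.write(ln)?\s*\(\s*[\"'][^\"']*<(script|iframe)", re.I), 3),
]
SCRIPT_RE = re.compile(r"<script[^>]*>.*?</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe[^>]*>(.*?</iframe>)?", re.I | re.S)
PERCENT_RE = re.compile(r"%([0-9a-fA-F]{2})")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")

# Policy thresholds (constructed): a site would tune these.
POLICY = {"neutralize_at": 4, "block_at": 8}
# What a URL filter would whitelist by name alone (constructed list).
TRUSTED_DOMAINS = {"myspace.com", "yahoo.com"}


def decode_layers(text, max_depth=3):
    """Return the content plus successive decodings of two common
    obfuscation idioms (unescape('%..') and String.fromCharCode(..)),
    so rules also see what the script will look like when it runs."""
    layers, current = [text], text
    for _ in range(max_depth):
        decoded = PERCENT_RE.sub(lambda m: chr(int(m.group(1), 16)), current)
        decoded = FROMCHARCODE_RE.sub(
            lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"',
            decoded)
        if decoded == current:
            break
        layers.append(decoded)
        current = decoded
    return layers


def analyze(content):
    """Score the behaviour of the content. Returns (score, sorted rule names hit)."""
    hits, score = set(), 0
    for layer in decode_layers(content):
        for name, pattern, weight in RULES:
            if name not in hits and pattern.search(layer):
                hits.add(name)
                score += weight
    return score, sorted(hits)


def enforce(content, origin, policy):
    """Apply the organisation's policy. `origin` is accepted but deliberately
    NOT used for trust: injected content on a well-known domain is scanned
    exactly like content from an unknown site."""
    score, hits = analyze(content)
    if score >= policy["block_at"]:
        return "block", hits, ""
    if score >= policy["neutralize_at"]:
        # Strip the active content and deliver the inert remainder.
        return "neutralize", hits, IFRAME_RE.sub("", SCRIPT_RE.sub("", content))
    return "allow", hits, content


def url_filter_decision(origin):
    """The contrasting URL-filtering approach: trust decided by domain only."""
    return "allow" if origin in TRUSTED_DOMAINS else "block"


# --- constructed sample pages -------------------------------------------
BENIGN_PAGE = """<html><body><h1>Quarterly results</h1>
<script>document.getElementById('d').innerHTML = new Date().toString();</script>
</body></html>"""

# A drive-by page in the style a kit might emit: the escaped payload decodes to
# new ActiveXObject("WScript.Shell"), which only the decoded layer reveals.
DRIVEBY_PAGE = """<html><body>Welcome to my profile!
<script>
var p = unescape("%6E%65%77%20%41%63%74%69%76%65%58%4F%62%6A%65%63%74%28%22%57%53%63%72%69%70%74%2E%53%68%65%6C%6C%22%29");
eval(p);
</script>
<iframe src="http://example.invalid/x.htm" width=0 height=0></iframe>
</body></html>"""

# Suspicious but lower-scoring: a script that injects a zero-size iframe.
SUSPECT_PAGE = """<html><body><p>Shared photos</p>
<script>document.write('<iframe src="http://ads.example.invalid/a.htm" width=0 height=0></iframe>');</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("driveby", DRIVEBY_PAGE), ("suspect", SUSPECT_PAGE)):
        verdict, hits, _ = enforce(page, "myspace.com", POLICY)
        print(f"{label:8s} behaviour={verdict:10s} url-filter={url_filter_decision('myspace.com')} hits={hits}")
```

Run as a script, the drive-by page hosted on a “trusted” domain is blocked by the behaviour scanner while the domain-based URL filter would allow it; the suspect page is delivered with its script and iframe stripped; the benign page passes untouched. The rules are regexes over decoded text, which is enough to show the idea but is far weaker than the execution-model analysis the column describes; a real engine must also handle layered encoders and runtime-built strings the regexes never see.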
 
 
Yuval Ben-Itzhak is CTO of Finjan, a global provider of best-of-breed web security solutions for businesses and organizations. A security industry veteran, he has more than 15 years of high-level, technology-related management experience.
 