The number of drive-by download attacks has tripled and they are beginning to affect government websites as well as small business operations.
Malicious downloads from compromised websites have replaced infected email attachment as the favourite tactic for malware authors. During the first half of 2008, web security firm Sophos detected 16,173 malicious webpages every day – or one every five seconds. The rate at which infected websites spring up is three times faster than during 2007.
Nine in 10 of these infected webpages are legitimate websites. Hackers use site vulnerabilities - typically SQL injection attacks - to plant malicious scripts on vulnerable targets. These scripts then serve up malware onto the machines of surfers by exploiting browser security holes.
Hackers crawl for victims using automated tools
Tools such as Asprox are used to search for vulnerable websites to use in these drive-by download attacks. The Asprox attack toolkit has been around for years but has become associated with a surge of mass web attacks that started around two months ago in May 2008, Finjan reports.
During the first two weeks of July Finjan detected more than a thousand compromised websites hit by the attack including the official site of the government of the City and County of San Francisco, Microsoft acquisition target atmdt.com, the Queensland government in Australia, BMW in Mexico and soft drink firm Snapple. Governmental (13 per cent) and healthcare (12 per cent) sites feature heavily in the list of compromised domains. UK sites compromised by the attack include an NHS website in Norfolk and 12 local council websites including Hackney Council.
Conventional advice that surfers are relatively safe providing they stay away from smut and warez sites has become redundant in the face of SQL injection attacks using tools like Asprox. The toolkit is programmed to search Google for vulnerable webpages. It then launches SQL injection attacks in order to add a reference to a malware file using the iFrame tag.
Asprox is one example of a tool used to carry out drive-by download attacks. It is not a virus as such, contrary to reports in the mainstream media. The Times, while incorrectly referring to Asprox as a virus, does shed light on the real impact of attacks made using the tool.
Detective Constable Bob Burls, of the Metropolitan Police computer crime unit, told the paper that the tool is associated with a sudden upswing in web-based infections. "The virus got into the job pages of a local council’s internet page," he said. "It’s a new thing that people who visit mainstream websites are clobbered. We’ve dealt with two major websites in as many weeks."
The effect of drive-by-download attacks is illustrated by cases where Trojans planted using the technique are used to compromise online bank accounts.
Ben Taylor, an engineer from South London, told The Times that £560 was fraudulently taken from his bank account this month by malware associated with Asprox. “I only use the internet a few times a week and didn’t look at anything dodgy,” he said. “It’s scary to think that a criminal was controlling my computer. I’ve got rid of it now.”
Sophos reports that firms which have been hit by SQL injection attacks purge the infected code from the database that runs their website but fail to address the underlying vulnerability. As a result they end up getting infected again only a few hours later. Seven in 10 website compromises are associated with SQL injection attacks, according to Graham Cluley, senior technology consultant at Sophos.
"Compromised websites are across the range from mom and pop shops to government websites. There are valid reasons for search engines to allow searches for terms associated with these attacks and it would be hard to eliminate at that end. It's up to firms to make their sites more secure but unfortunately this is not easy because organisation need to test before applying patches to sites," Cluley explained. ®