New Web Threat: Short-Lived, Stealthy Attacks
AVG Technologies, a developer of Internet security software, has released statistics that paint a scary picture of the way Web-borne threats are developing. Unlike viruses that make a point of being obvious and staying around for as long as they can, the primary characteristics of Web infections today are stealth and transience, meaning they are secretive, short-lived and fast-moving.
Today's online threats frequently appear briefly on an otherwise legitimate site, moving on to other sites before they can be identified and blocked. In other instances, the criminal element behind these threats simply sets up hundreds of seemingly legitimate Web sites with embedded infections, promotes them for a day or two and then shuts them down, never to be seen again.
The rate of appearance of these “here today, gone tomorrow” sites is increasing. In the past three months, AVG researchers have seen the average number of unique new infective sites that appear growing from 100,000 to 200,000 a day to 200,000 to 300,000 a day, a pattern that looks set to continue.
One example of a transient threat is malicious advertising, known as malverts. Online criminals simply create and submit a malvert to an advertising network that then unwittingly distributes the malicious advert to hundreds of sites. Computer users clicking on these ads, or even simply exposed to them accidentally, can become infected with data-stealing spyware.
There are plenty of other examples of threats where the user can be infected by simply visiting a Web site, without even clicking on a link. So-called “drive-by downloads” can steal passwords, bank account information and other valuable personal data without the user being any the wiser. AVG's research indicates that close to 60 percent of sites launching drive-by downloads are infective for one day or less.
This transience means that anyone relying on security software that provides protection using traditional virus signatures or by periodically scanning the millions of sites active on the Web at any given time is completely unprotected just when they need that protection most: that crucial time when they click a link to a site poisoned with one of these transient infections.
According to AVG Technologies' CEO J.R. Smith, "The hallmark of today's Web-borne infections is 'here today, gone tomorrow.' Any Web security product that relies on visiting and scanning Web sites to deliver a safety rating to its users would have to visit every one of the hundreds of millions of sites on the Internet every day to provide protection against these threats, a technological impossibility even with today's supercomputers. Our recent acquisition of Sana Security's behavioral analysis technology adds yet another layer of protection that will help us to keep users safe from new and unknown threats."
Transient, rapidly changing information is also a hallmark of social networks such as Facebook and MySpace, so it's not surprising cybercriminals have found fertile territory there. Messages from “friends” that direct users to malicious pages that then download infective malware in the background are all too easy for people to trust. Then there are links to music or video clips that ask users to download a seemingly innocent multimedia program — but which carry a hidden threat.
AVG takes a different approach to protecting users against these hidden threats. The company's LinkScanner Web security software brings together data from experts and users alike to provide a crucial layer of real-time protection for all AVG's security products.
Thompson believes this layered approach is vital given the nature of today's threats. "If a site contains one bad thing, it might easily contain multiple bad things — and usually does. By bring together data from multiple sources, we're able to build a very complete picture of individual threats and provide the appropriate protection.”