
Malicious code is more covert, less recognisable and more targeted toward financial gain

Johannesburg, 09 Oct 2006

SecureData, a member of the JSE-listed ERP.com Group and a Southern African distributor for Websense, today announced the latter's release of the Websense Security Labs 2006 Semi-Annual Web Security Trends Report, which summarises findings for the first half of 2006 and presents projections for the remainder of 2006. The report shows that the volume of attacks increased and malicious code became more covert, less recognisable and more targeted toward financial gain.

Not only has malicious code become more sophisticated, but the infrastructure supporting its creation and spread has also become more complex. Of the sites designed to steal credentials, almost 15% are derived from toolkits, an emerging tactic from the hacker community. These kits, made by professional malicious code writers, are often for sale on the internet and allow non-sophisticated users to launch sophisticated attacks against operating system exploits and vulnerabilities.

The criminal motive of attacks has also become more apparent as traditional hacking for fun has been replaced with activities designed to steal confidential data to reap financial rewards. The report notes a 100% increase in sites designed to install key loggers, screen scrapers and other forms of crimeware. Conversely, Websense has seen more than a 60% drop in Web sites designed merely to change user preferences, such as browser settings.

In the first half of 2006, Websense successfully identified and mitigated several new high-profile exploits and widespread Web attacks including the continued assault on the Microsoft Windows Metafile (WMF) vulnerability and the Internet Explorer 'zero-day' create text vulnerability.

"Websense Security Labs continues to be on the forefront of discovering advanced Web-based attacks and techniques. The growth of toolkits is allowing criminals, who may not be versed in writing malicious code, the ability to launch highly sophisticated attacks with minimal effort or expertise," commented Dan Hubbard, VP of security research for Websense. "In addition to protecting against Web-based threats such as key loggers or spyware, Websense profiles these attacker toolkits to proactively protect organisations from these kits before a wave of attacks is triggered."

"Websense software provides us with an added layer of security against the evolution of Web-based threats," added Scott Sibert, Network Administrator for Warsaw Community Schools. "The research expertise provided by Websense Security Labs ensures that our network and our students are protected against malicious attacks."

According to the report, Websense Security Labs has seen increased exploitation of both Web servers and Web browser/client technologies. Automated vulnerability scanning for server and client exploits is getting more intelligent, and attackers are taking full advantage of these exploits. During the first half of 2006, 35% of all malicious Web sites were hosted on Web servers that had been compromised.

"As new threats are discovered, Websense Web security software quickly protects an organisation's network infrastructure and employees via real-time security updates of malicious URLs and applications. This advanced level of protection closes a critical window of exposure left open by deployed security solutions such as host and network based signature anti-virus and firewalls while protecting organisations against potential attacks before they even happen," continued Hubbard.

Websense Security Labs was introduced in August 2004 with the primary objective of discovering and investigating today's advanced internet threats and publishing those findings to the security community and customers. Websense Security Labs research delivers precise depictions of current Web outbreaks as well as insight into new malicious threats before attacks are launched. Using patent-pending processes and technology, including a worldwide network of computers, data mining processes, customer feedback loops and malicious code categorisation expertise, Websense Security Labs scans more than 85 million Web sites daily to proactively discover and immediately defend customers against Web-based threats.

Additional Highlights from the First Half 2006 Security Trends Report
* Websense Security Labs has seen a 100% increase in sites designed to install keyloggers, screen scrapers and other forms of crimeware. Conversely, the organization has seen more than a 60% drop in Web sites designed merely to change user preferences, such as browser settings.
* Websense Security Labs saw a significant increase in the number of phishing targets. As many as eight to 10 new targets are being discovered every day. The Labs also notes that phishing toolkits are now being used to enable easy phishing. For example, one fraudulent Web site may target as many as 50 different banks under individual subdirectories.
* During the first six months of 2006, Websense Security Labs saw more cases - and more sophisticated use - of cyber-extortion. This form of cyber-extortion allows malicious hackers to keep data hostage on an end-user's machine while demanding a monetary sum to unlock the data. Along with the higher numbers, the Labs noted better encryption, making it harder to recover the data and to reverse engineer and develop effective countermeasures.
* Websense Security Labs discovered more botnets (collections of compromised machines) using peer-to-peer (P2P) technologies to gain control, making it more difficult to disable them. The use of the Web to control botnets has also increased, allowing botnet owners to more easily control the machines via a Web page.

Major findings by Websense Security Labs during the first half of 2006

* 5 January 2006 - Websense Security Labs was the first to discover more than 1 100 URLs that were attempting to exploit users who had not installed the patch for the Microsoft Windows Metafile (WMF) vulnerability which was discovered by Websense Security Labs in mid-December 2005. Most attacks were Trojan horse downloaders which updated over HTTP and installed and ran other pieces of malicious code.
* 24 March 2006 - Websense Security Labs was the first to discover 200 unique URLs that were attacking a revealed Internet Explorer 'zero-day' vulnerability that could allow code to launch without end-user consent. The most common attack was the use of shellcode to run a Trojan horse downloader that downloaded additional payload code over HTTP. The additional payload was various forms of bots, spyware, backdoors, and other Trojan downloaders.
* 21 June 2006 - Websense Security Labs reported on end-users being lured to install malicious code via short message service (SMS) messages (also known as text messages). Victims received an SMS message on their mobile phone, thanking them for subscribing to a fictitious dating service. The message stated that the subscription fee of, for example, $2.00 per day will be automatically charged to their cell phone bill until their subscription is cancelled at the online site.
* 21 June 2006 - Websense Security Labs reported a new type of attack that used e-mail and voice over telephone, otherwise known as Vishing. The Vishing attack targeted customers of Santa Barbara Bank & Trust. In a similar way to traditional phishing attacks, users received a spoofed e-mail message. However, unlike the most popular forms of phishing, where users are lured to a fraudulent Web site, this lure directed users to a telephone number.

For further information, please contact Willem Barnard at tel. +27 11 257 8600; fax +27 11 257 8699; e-mail willemb@securedata.co.za

Websense

Websense is the global leader in Web filtering, and a premier provider of Web security software, and is preferred by leading Fortune 500, and FTSE 100 customers, as well as government agencies and educational institutions. Websense products increase employee Internet productivity and secure organisations from emerging Internet threats by providing a proactive Web security component that complements traditional security solutions. Only Websense delivers flexible, integrated policy enforcement at the Internet gateway, on the network and at the desktop. Websense provides solutions trusted by more than 24 000 customers and 19.8 million employees worldwide.

SecureData

SecureData, an ERP.com company, is Africa's premier value-added distributor and solution provider of Perimeter, Network & Endpoint Information Security and Risk Management Solutions. As well as being the sole distributor in Sub-Saharan Africa for Trend Micro, SecureData is the Sub-Saharan African distributor for AirDefense, Application Security, Cibecs, eEye, Network Engines, Precise Biometrics, Rocket Software, RSA Security, St Bernard Software, TippingPoint Technologies and Websense. For more information, visit SecureData at www.securedata.co.za

ERP.com

ERP.com is a JSE-listed company focused on the implementation, integration and management of enterprise applications in an e-business environment. For more information, visit ERP.com at www.erpcom.co.za

Editorial contacts

Paul Booth
Global Research Partners
(082) 568 1179
pabooth@mweb.co.za