Rise of the Website as Malware haven and attacker!
We have been writing quite a lot about user machine malware like CyptoLocker and ZeroAccess over the past few months and have decided it is time to move our attention to a massive problem plaguing the Internet currently; Malicious URLS spawning at a terrifying rate of 10000-30000 per day by various estimates.
Malicious URLs, which exist predominately on legitimate web sites (compromised by exploit kits available to buy or download from the bad guys) are used for a number of nefarious purposes including delivering nasty payload (see above) to users machines as they are unsuspectingly redirected to a payload delivery site; a so called ‘drive-by download’. It is also understood (and documented by the Good Guys at Sophos) that some compromised servers can be controlled as a botnet to launch DDOS attacks. Great.
The exploit kits appear to be getting smarter and smarter and you will begin to see their names cropping up more and more in security bulletins. The original Blackhole kit appears to be superseded by new products like Redkit, Neutrino (known to spread Ransomware) and Glazunov (which is more about decomposing than composing and is known to be prevalent in Europe).
If you have the appetite to read about the details of the kits, we would recommend you visit nakedsecurity.sophos.com where many of them are picked apart in fantastic detail. A perfect way to spend your weekend, well we think so anyhow!
As we said at the start, most of the sites that are being used to host and deliver this nasty content are legitimate web sites, and may include your websites. It would seem that the proliferation of web technology has resulted in fairly lax security controls around patching and deployment standards.
At ITC we recommend the following strategies to understand and manage the risk of your websites becoming a malware breeding ground:
- Establish a rigorous patching schedule for all components from the OS upwards
- Be aware of known issues and bugs with your Content Management Systems. If these are in house, keep them patched
- Deploy Anti Virus software on your web servers and make sure it is up to date and running
- Use content delivery, and web application firewalls to protect your web sites. ITC recommends CloudFlare and Imperva technologies
- Use vulnerability management tools to regularly scan your websites – we recommend Qualys
- Bring security management of your websites into your Secure Operations Centre. ITC’s NetSure360° managed security platform powered by HP ArcSight plugs directly into Web servers and can alert on attempted attacks prioritised by the likelihood of a infection
If you would like us to discuss this or any other security issue, please contact us on: 020 7517 3900 or email [email protected]