Global Threat Report Reveals Malware on Infected Web Sites Remaining Active Longer

ScanSafe has released the results of a study of more than 80 billion Web requests it scanned and 800 million Web threats it blocked in 2007 on behalf of corporate customers in more than 50 countries across five continents. It represents the world's largest security analysis of real-world corporate Web traffic.

Among the study's key findings, Web threats including viruses, Trojans, password stealers and other forms of malware are becoming more prevalent, increasing numbers of legitimate sites are unknowingly hosting malware and compromised sites are remaining infected longer -- in some cases more than two months.

"The numbers speak for themselves," says Mary Landesman, senior security researcher, ScanSafe. "Not only has there been a significant increase in known malware, but on average, zero-day or ‘new' threats accounted for 21 percent of all the malware ScanSafe blocked. Further, this malware is remaining active on sites for weeks and in some cases months, leaving users exposed and representing a huge window of opportunity for cyber criminals."

The analysis found a 61 percent increase in malware during the second half of 2007. Twenty-one percent of all the malware blocked in 2007 was zero-day malware -- new malware for which there is no existing patch or anti-virus signature -- leaving businesses relying on signature updates vulnerable to exposure.

The most frequently encountered malware is designed to steal passwords and other sensitive financial information from bank accounts and even online games -- putting corporate and personal financial information at greater risk and opening businesses to legal liability and compliance risks. In particular, the most frequently blocked final stage malware were password-stealing Trojans targeting online gamers. Online gaming while at work, once thought to be just a productivity drain, is now a significant security risk. Quite often, game-targeting Trojans also harbor a backdoor or key logging feature that exposes other sensitive data unrelated to gaming.

Malware-Infected Web sites Remain Live Longer, Increasing Risk of Exposure to Attack
There has been a significant increase in the amount of time a site is delivering malware (also known as ‘time to life' or ‘TTL'):

• In the second half of 2007, malware on infected sites remained live for an average of 29 days, a 62 percent increase from 18 days during the first half of the year.
• Zero-day threats have an even longer shelf life once they compromise a Web site. Web sites infected with zero-day malware remained live an average of 61 days in the second half of 2007, up 190 percent from 21 days during the first half of 2007.
• The average TTL for all malware blocks over the course of the year was 24 days.

The report also notes that the complex network of advertising providers and advertising affiliates has made it increasingly easier for attackers to surreptitiously insert malicious advertising. One rogue partner and a large number of sites can begin delivering malware, potentially exposing millions. In 2007 several high profile sports sites unwittingly served malicious ads, including the Web sites for the National Hockey League, Major League Baseball, TheSun.co.uk, MySpace.com and PhotoBucket.com.