The most important findings from Finjan's research are:
- As commercial interests continue to drive e-crime, malicious code is more likely to be hosted on local servers in the US and UK than in countries with less developed e-crime law enforcement policies.
- A continuing evolution in the complexity of attacks, specifically the increasing use of code obfuscation using diverse randomization techniques. Over 80 percent of the malicious code detected was obfuscated, making it virtually invisible to pattern-matching/signature-based methods in use by anti-virus products.
- Increasing sophistication at embedding malicious code within legitimate content (e.g., ad delivery and translation services) and less dependence on outlaw servers in unregulated countries.
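The obfuscation finding above is the key detection point: a signature written for one form of a script never sees the randomized variants. The following is an added example, not code from the Finjan report, showing a substring signature missing two constructed variants of the same script while a canonicalising content-inspection step still matches them. Everything in it is constructed; the "payload" is the harmless marker string `document.write("SAMPLE-MARKER")`, and the two variants and the `normalize()` folding rules are illustrative assumptions rather than the engine the report describes.

```javascript
// Added example, not code from the Finjan report: a fixed signature misses
// randomized variants of one script, while canonicalising the content before
// matching still catches them. All inputs are constructed; the "payload" is a
// harmless marker string, not malicious code.

// Constructed reference script that the signature was written against.
const REFERENCE = 'document.write("SAMPLE-MARKER")';

// Constructed variants of the same script, as a randomising obfuscator might emit them.
const VARIANTS = [
  // string-splitting variant: literals rejoined at runtime
  `eval('docu' + 'ment.write("SAM' + 'PLE-MARKER")')`,
  // character-code variant: the whole script encoded as numbers
  'eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,83,65,77,80,76,69,45,77,65,82,75,69,82,34,41))',
];

// Signature-based check: plain substring match on the reference form.
function signatureMatch(src) {
  return src.includes(REFERENCE);
}

// Two adjacent string literals (either quote style) joined with "+".
const CONCAT = /(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\+\s*(["'])((?:\\.|(?!\3)[^\\])*)\3/;
// String.fromCharCode(...) whose arguments are all numeric literals.
const CHARCODE = /String\.fromCharCode\(\s*([\d\s,]+)\)/g;
// eval(...) wrapping a single string literal and nothing else.
const EVAL = /^\s*eval\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)\s*;?\s*$/;

// Decode a quoted literal body; only simple backslash escapes are handled here.
function literalValue(body) {
  return body.replace(/\\(.)/g, '$1');
}

// Canonicalise: fold char-code calls and literal concatenations, then unwrap eval()
// and repeat, because obfuscators often layer these transformations.
function normalize(src) {
  let s = src.replace(CHARCODE, (_, args) =>
    JSON.stringify(String.fromCharCode(...args.split(',').map(Number))));
  for (let m = CONCAT.exec(s); m; m = CONCAT.exec(s)) {
    const joined = JSON.stringify(literalValue(m[2]) + literalValue(m[4]));
    s = s.slice(0, m.index) + joined + s.slice(m.index + m[0].length);
  }
  const e = EVAL.exec(s);
  return e ? normalize(literalValue(e[2])) : s.trim();
}

// Content-inspection check: compare the canonical form instead of the raw bytes.
function normalizedMatch(src) {
  return normalize(src) === REFERENCE;
}

for (const v of VARIANTS) {
  console.log(`signature: ${signatureMatch(v)}  normalized: ${normalizedMatch(v)}`);
}
```

The point of the design is that the signature never changes; what changes is that matching runs against a canonical form of the content rather than the bytes on the wire. A production inspector has to fold far more than two transformations, which is why the report's 80 percent figure matters: the canonicalisation step is where the detection work actually happens.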
Finjan's research, based on information gathered by its real-time content inspection engines, clearly demonstrates that malicious code is not just an issue of outlaw servers in countries with weak laws and lax enforcement. Ninety percent of the URLs containing malicious code that were discovered in this UK-focused study resided on servers located in the US or UK.
"The results of this study shatter the myth that malicious code is primarily being hosted in countries where e-crime laws are less developed," stated Yuval Ben-Itzhak, CTO at Finjan.
"Our research shows that malicious content is much more likely to show up on a local server than one in Asia or Eastern Europe. Unfortunately, this means that the traditional location-based reputation heuristics are decreasingly effective against modern attacks."
Advertising Is the Primary Vector for Delivering Malicious Code
Advertising is the leading category for URLs containing malicious code, representing 80 percent of all instances. Attackers have discovered that the multiple parties involved and the complex structure of business relationships involved in online advertising make it relatively easy to inject malicious content into generally legitimate ad delivery streams.
Similarly, when analyzing malicious content in terms of the URL Web site categories, Finjan found that malicious code is just as likely to be accessed through legitimate Web sites (e.g., Finance, Travel and Computing) as through what might be considered disreputable Web sites (e.g., adult content or free downloads). "The fact that malicious code is just as likely to be found in legitimate categories as in questionable categories means that security products that rely solely on URL categories to block access to malicious sites are no longer effective," said Ben-Itzhak.
Malicious Code via Translation Services
A new trend identified by Finjan researchers is the existence of malicious code on webpages served by automatic translation services, such as those offered by many leading Web sites and search engine companies. The report presents several instances of malicious code discovered by Finjan security researchers on translated webpages. This is another example of attackers' increasing creativity and sophistication, i.e., using the translation process to obscure the source of the malicious code behind the otherwise reputable translation service.
This scenario is quite similar to the use of malicious code on storage and caching servers, which can be referenced by third-party Web pages to exploit an end user's machine.
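Both the translation-service case and the storage/caching-server case share one defensive weakness: a filter that scores the host it sees scores the reputable proxy, not the page the proxy fetches. The following is an added example, not code from the Finjan report, of a URL filter that looks through such wrappers to the underlying origin before applying a host blocklist. The proxy hosts `translate.example` and `cache.example`, their parameter names `u` and `url`, and the blocked host `bad-origin.invalid` are all constructed assumptions, not real services or indicators from the report.

```javascript
// Added example, not code from the Finjan report: resolve translation and
// caching proxy URLs to the page they actually fetch, so reputation checks see
// the origin rather than the reputable proxy host. Hosts, parameter names and
// the blocklist below are constructed assumptions.

// Constructed: which query parameter carries the wrapped page URL on each assumed proxy host.
const PROXIES = new Map([
  ['translate.example', 'u'],
  ['cache.example', 'url'],
]);

// Constructed reputation blocklist for origin hosts.
const BLOCKED_HOSTS = new Set(['bad-origin.invalid']);

// Follow proxy wrappers until a non-proxy URL is reached. maxHops bounds the
// number of wrappers accepted; deeper chains return a null origin so the caller
// can fail closed instead of looping on a self-referencing wrapper.
function resolveOrigin(urlString, maxHops = 4) {
  let url = new URL(urlString);
  for (let hops = 0; hops <= maxHops; hops++) {
    const param = PROXIES.get(url.hostname);
    const inner = param && url.searchParams.get(param);
    if (!inner) return { origin: url, hops };
    url = new URL(inner, url); // relative inner values resolve against the proxy
  }
  return { origin: null, hops: maxHops + 1 };
}

// Blocklist decision on the resolved origin; unparsable or over-deep URLs fail closed.
function isBlocked(urlString) {
  let resolved;
  try {
    resolved = resolveOrigin(urlString);
  } catch (_) {
    return true;
  }
  if (!resolved.origin) return true;
  return BLOCKED_HOSTS.has(resolved.origin.hostname);
}

// Helper to build constructed proxied URLs for the demonstration.
function wrap(proxyHost, inner) {
  const u = new URL(`https://${proxyHost}/view`);
  u.searchParams.set(PROXIES.get(proxyHost), inner);
  return u.toString();
}

const samples = [
  'http://bad-origin.invalid/page',
  wrap('translate.example', 'http://bad-origin.invalid/page'),
  wrap('cache.example', wrap('translate.example', 'http://bad-origin.invalid/page')),
  wrap('translate.example', 'https://good.example/'),
];
for (const s of samples) {
  console.log(`${isBlocked(s) ? 'BLOCK' : 'allow'}  ${s}`);
}
```

Two choices are worth noting. The depth cap exists because a wrapper can reference another wrapper indefinitely, and an inspector that follows references without limit is itself a denial-of-service target. Failing closed on unparsable input and on exhausted depth keeps the filter conservative where it cannot reach a verdict, which is the right default for a content gateway but may need tuning where false positives are costly.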