Finjan’s Latest Analysis of Web Security Threats Highlights Evolving Nature of Malware Attacks

Finjan’s Latest Analysis of Web Security Threats Highlights Evolving Nature of Malware Attacks

Finjan, a leader in web security products, today published the latest findings from its Malicious Code Research Center (MCRC). In its Web Security Trends Report (Q1 2007), Finjan summarizes the analysis of more than 10 million (>10,000,000) unique URLs based on live web traffic recorded in the UK. The most important findings from Finjan’s ongoing research are:

- As commercial interests continue to drive e-crime, malicious code is more likely to be hosted on local servers in the US and UK than in

countries with less developed e-crime law enforcement policies.

- A continuing evolution in the complexity of attacks, specifically the increasing use of code obfuscation using diverse randomization techniques. Over 80% of the malicious code detected by Finjan was obfuscated, making it virtually invisible to pattern-matching/signature-based methods in use by anti-virus products.

- Increasing sophistication at embedding malicious code within legitimate content (e.g., ad delivery and translation services) and less dependence on outlaw servers in unregulated countries.

Finjan’s detection and analysis is based on its unique and proprietary methods for analyzing executable code embedded in web content for malicious or dangerous intent. These methods excel in detecting malicious code without depending on location, reputation or a priori signature information.

The Worldwide Distribution of Content with Malicious Code

Finjan’s research, based on information gathered by its real-time content inspection engines, clearly demonstrates that malicious code is not just an issue of outlaw servers in countries with weak laws and lax enforcement. Ninety percent (90%) of the URL’s containing malicious code that were discovered in this UK-focused study resided on servers located in the US or UK.

“The results of this study shatter the myth that malicious code is primarily being hosted in countries where e-crime laws are less developed,” stated Yuval Ben-Itzhak, CTO at Finjan.

“Our research shows that malicious content is much more likely to show up on a local server than one in Asia or Eastern Europe. Unfortunately this means that the traditional location-based reputation heuristics are decreasingly effective against modern attacks.”

Advertising Is the Primary Vector for Delivering Malicious Code

Advertising is the leading category for URLs containing malicious code, representing 80% of all instances. Attackers have discovered that the multiple parties involved and the complex structure of business relationships involved in online advertising make it relatively easy to inject malicious content into generally legitimate ad delivery streams.

Similarly, when analyzing malicious content in terms of the URL website categories, Finjan found that malicious code is just as likely to be accessed through legitimate websites (e.g., Finance, Travel and Computing) as through what might be considered disreputable websites (e.g., adult content or free downloads). “The fact that malicious code is just as likely to be found in legitimate categories as in questionable categories means that security products that rely solely on URL categories to block access to malicious sites are no longer effective,” said Ben-Itzhak.

Malicious Code via Translation Services

A new trend identified by Finjan researchers is the existence of malicious code on webpages served by automatic translation services, such as those offered by many leading websites and search engine companies. The report presents several instances of malicious code discovered by Finjan security researchers on translated webpages. This is another example of attackers’ increasing creativity and sophistication, i.e., using the translation process to obscure the source of the malicious code behind the otherwise reputable translation service.

This scenario is quite similar to the use of malicious code on storage and caching servers, which can be referenced by third party webpages to exploit an end user’s machine (see Finjan’s Q3 2006 Web Security Trends Report).

“This latest research from Finjan parallels the work from other security companies and gives a fascinating but chilling view on the ongoing war against malicious code attacks,” said Peter Christy, Principal Analyst at the Internet Research Group. “In the past, attacks were dominated by worms and viruses designed to create a big and very visible disruption. Increasingly, modern attacks have criminal intent, and the attackers are becoming more proficient at obscuring the attacks and delivering them from otherwise reputable regions and website categories in order to circumvent many of the defenses that have been effective against earlier attacks. These trends are a clear call-to-action for better detection and prevention methods.”

To read the full report, please visit: http://www.finjan.com/Content.aspx?id=827.

About MCRC

Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet and email applications as well as other popular applications. MCRC’s goal is to continue to be steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as spyware, Trojans, phishing attacks, worm and viruses. MCRC researchers work with the world’s leading software vendors to help patch their security holes, as well as contribute to the development of next generation defense tools for Finjan’s proactive secure content management solutions. For more information, visit our MCRC subsite ( http://www.finjan.com/SecurityLab.aspx?id=547).

About Finjan

Finjan is a global provider of best-of-breed web security solutions for businesses and organizations. Our proactive, appliance-based solutions deliver the most effective shield against web-borne threats, freeing enterprises to harness the web for maximum commercial results. Finjan’s web security solutions utilize patented behavior-based technology to proactively repel all types of threats arriving via the web, such as Spyware, Phishing, Trojans and other malicious code, securing businesses against unknown and emerging threats, as well as known malware. Finjan’s security solutions have received industry awards and recognition from leading analyst houses and publications, including IDC, Butler Group, SC Magazine, CRN, PCPro, ITWeek, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit: http://www.finjan.com/.

(c) Copyright 1996-2007. Finjan Software Inc. and its affiliates and subsidiaries. All rights reserved. All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content in any way without the express permission in writing from Finjan. Information in this document is subject to change without notice and does not present a commitment or representation on the part of Finjan. The Finjan technology and/or products and/or software described and/or referenced to in this material are protected by registered and/or pending patents including U.S. Patents No. 6092194, 6154844, 6167520, 6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662, 6965968, 7058822, 7076469, 7155743, 7155744, 7185358 and may be protected by other U.S. Patents, foreign patents, or pending applications.

Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and Window-of-Vulnerability are trademarks or registered trademarks of Finjan Inc., and/or its affiliates and subsidiaries. Sophos is a registered trademark of Sophos plc. McAfee is a registered trademark of McAfee Inc. Kaspersky is a registered trademark of Kaspersky Lab. SurfControl is a registered trademark of SurfControl plc. Microsoft and Microsoft Office are registered trademarks of Microsoft Corporation. All other trademarks are the trademarks of their respective owners.

Media Contacts United States UK Jan Wiedrick-Kozlowski Neil Stinchcombe Activa PR Eskenzi PR Ltd. Tel. +1-585-392-7878 Tel: +44-(0)208-449-1007 jan {at} activapr(.)com neil {at} eskenzipr(.)com