Rise of Botwebs

Posted on July 23, 2009 - 10:26 by zeroday

Botnets have been a fixture of the internet for many years. Their command and control structures have evolved greatly, but their methods of propagation have largely gone unchanged. The recent advent of drive-by downloads has been part of a new transformation in badware: the botweb. This web-only cycle is a result of the proliferation of cheap turnkey web hosting, which led to massive adoption among novice computer users. The huge population of consumer webmasters, untrained in security matters, had the same effect as broadband adoption in the 1990s: attackers are presented with a target-rich environment with minimal security protection or monitoring.

As Maxim noted last week, recent threads on badwarebusters.org and various reports on the web show that Gumblar and similar attacks are perfecting a new propagation method that steals the FTP credentials of the webmasters themselves and spreads infections via the websites they control. The infections often reside in the more complex parts of the web server, such as an error-code folder or an .htaccess file. As seen in the BadwareBusters thread, even educated, computer-literate academics can be stumped for months due to their unfamiliarity with the minutiae of web server administration.

Administering a web server is a complex job that requires skills and training that need constant updating. Consumer webmasters generally lack these skills and may decline to acquire them even when offered. This emerging threat will likely continue to grow as web hosts continue to sell turnkey web hosting to less and less sophisticated clientele, providing an ever-growing list of targets for attackers to exploit. No single entity can solve this issue. Various parties, from security vendors to government agencies to hosting providers, must work together to make headway on this problem.

Local malware causes infected websites

Over on BadwareBusters.org, we are seeing a trend of websites that have been infected because the webmaster's personal computer was infected. Specifically, the local malware seeks out saved usernames and passwords in popular FTP clients like CuteFTP and FileZilla and then uses the stolen information to upload modified code to the web server. This leads to a frustrating cycle for the unsuspecting website owner, who discovers bad code on his/her site, fixes the problem, and then finds the site infected again a day or two later.
The best thing that website owners can do to minimize this problem is to protect their computers from malware. An additional precaution is to decline the option of saving the account password in the FTP client software.
Web hosting companies can also help by educating their customers, both proactively and in response to customer complaints about malware on their sites, about this vector of infection.
WordPress still a common entry point for bad code

The popular blogging platform WordPress, and its multi-user counterpart WordPress MU, continue to be common entry points for badware. In a typical scenario, a security vulnerability is discovered and patched, but many website owners running WordPress do not install the updated version of the WP software, leaving their sites open to the exploits that inevitably follow. Two examples have come up in the past week over on BadwareBusters.org. WordPress plug-ins are sometimes vulnerable, as well.
A new vulnerability was announced this week by Corelabs. Reportedly, WordPress 2.8.1 and WordPress MU 2.8.1 are safe, while prior versions are at risk.
What can the community collectively do to help with this ongoing pattern?
Site owners can keep up with updates through the WordPress blog or through WordPress's admin interface, and install the updates as quickly as possible. Similarly, the admin interface shows updates for plug-ins, which should also be installed quickly when the updates are security related.
WordPress and plug-in developers can ensure that security is a high priority in developing code and can make the upgrade process as seamless as possible for site owners. Providing a dedicated subscription e-mail list exclusively for notifying users of new security updates would also be helpful.
Web hosting companies that offer simple installation of WordPress can notify their customers when a new version is available and encourage them to update, ideally through a process as simple as the initial installation. Even hosting companies that do not offer installation may consider scanning their systems for outdated WordPress installs and notifying their customers of the need to update.
With a combined effort, we should be able to help WordPress to remain a popular blogging system while making it a less popular malware distribution system.
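The host-side scan suggested above, as an added example that is not part of the original post: it walks a directory tree of customer sites, reads the `$wp_version` line that WordPress keeps in `wp-includes/version.php`, and flags every install older than the 2.8.1 release named in the post. The directory layout, the site names and the minimum version are assumptions for the demo.

```python
"""Scan a hosting tree for outdated WordPress installs (added example, not the post's code)."""
import os
import re
import tempfile

# WordPress records its release in wp-includes/version.php as:  $wp_version = '2.8.1';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9A-Za-z.\-]*)['\"]")
# Minimum patched release, taken from the post (2.8.1); adjust to current advisories.
MIN_SAFE = "2.8.1"


def parse_wp_version(text):
    """Return the version string from a version.php body, or None if it is absent."""
    m = WP_VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(version):
    """Turn '2.8.1' into (2, 8, 1); a pre-release tag such as '2.8-beta1' ranks below '2.8'."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
        if digits and digits.group(0) != piece:  # trailing tag -> sort below the plain release
            parts.append(-1)
            break
    return tuple(parts)


def is_outdated(version, minimum=MIN_SAFE):
    """True when the discovered version is older than the minimum patched release."""
    return version_tuple(version) < version_tuple(minimum)


def scan_tree(root, minimum=MIN_SAFE):
    """Walk customer directories; return (install_dir, version, outdated) for each WordPress found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            with open(os.path.join(dirpath, "version.php"), encoding="utf-8", errors="replace") as fh:
                found = parse_wp_version(fh.read())
            if found:
                findings.append((os.path.dirname(dirpath), found, is_outdated(found, minimum)))
            dirnames[:] = []  # nothing of interest below wp-includes; stop descending
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree (assumed layout): one patched site and one lagging behind."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    for site, ver in (("alice.example", "2.8.1"), ("bob.example", "2.7.1")):
        inc = os.path.join(root, site, "public_html", "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % ver)
    return root


if __name__ == "__main__":
    for path, ver, old in scan_tree(build_demo_tree()):
        print("%-6s %s (WordPress %s)" % ("UPDATE" if old else "ok", path, ver))
```

Run against a real hosting tree, the `UPDATE` rows are the customers to notify; the same loop can drive an automated e-mail rather than a print.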