THE POWER TO DESTROY: HOW MALWARE WORKS


CONTENTS

At a glance
Web attacks on the rise
Prevention is better than a cure
Staying hidden pays off
Website visitors are ripe for the picking
What malware can do
What’s bad for clients is worse for you
Take responsibility
References


AT A GLANCE

Nearly a quarter of IT managers simply don’t know how secure their website is.[1] However, with the number of web-attacks blocked per day rising from 190,370 to 247,350 between 2011 and 2012, it’s vital for businesses to understand the part their website plays in the distribution of malware to clients, customers and the wider online community.[2]

Malware takes many different forms. It can log keystrokes, lead to data breaches, lock down hardware and use infected systems to spread malware to other victims. As a website owner it’s your responsibility to not only protect your business and customers, but the safety of the Internet too. Consider the impact to your business and brand if you were the source of infection.

[Figure: Web-attacks blocked per day between 2011 and 2012: 190,370 in 2011; 247,350 in 2012]


WEB ATTACKS ON THE RISE

‘Driven by attack toolkits, in 2012 the number of web-based attacks increased by one third and many of these attacks originated from the compromised website of small businesses.’ This was the finding of Symantec’s latest Website Security Threat Report (WSTR), which makes for sobering reading.

[Figure: % of UK businesses to suffer a data breach last year: large organisations 93%, small businesses 87%]

Malware works to compromise the data and functionality of your website server, and to exploit and extract information and money from your clients and customers, all of which damages your reputation and costs your business money. In the worst cases it can even put your very livelihood on the line.

The cost is critical

In 2012 cybercrime cost businesses six percent more than in 2011. The cost of security breaches alone has roughly tripled in the last year and reaches into the billions.[3] The average recovery time from a cyber attack in 2012 was 24 days, which equates to a cost of $591,780.[4]

And these are just the direct costs of labour, hardware and software repair and compensation. Take into account lost business and damaged reputation and the figure climbs even higher. Malware’s damaging ripple effect is huge and criminals see websites as a way to infect your servers, steal your information, infect visitors with their malware and oftentimes create havoc.

A common and costly crime

Understanding how malware works, and why criminals use it, can help considerably in the prevention and detection of threats. The most obvious point of danger when it comes to malware is your website server and the data it holds. In other words: data breaches.

Taking the UK as an example, last year 93 percent of large organisations and 87 percent of small businesses suffered a data breach.[5] If a criminal can find a way to get malicious code onto your server that can access files or log information exchanges, they can get at customer data, credit card information, passwords and more.

So far in 2013, 8.9 million identities have been exposed, and 62 percent of those breaches included people’s real names.[6] Exposing client or customer data means you are at risk from compensation costs, lost business and a severely damaged reputation.


PREVENTION IS BETTER THAN A CURE

When it comes to data breaches there is a combination of things you can do to minimise your risk. Firstly, keeping your staff fully up to date on the risks of falling victim to social engineering and phishing attacks is key. It’s been found that companies with a poorly understood security policy are twice as likely to have a staff-related breach as those with a very well understood policy.[7]

It’s also important to regularly scan your website for vulnerabilities and malware. Automatic scanning comes as standard with many of Symantec’s SSL Certificates, and not only helps you spot weaknesses before they are exploited but also gives you an actionable threat report so you know how to shore up your defences.

Scanning combats stealth

Although prevention is best when it comes to malware, regular scanning is vitally important in order to spot stealthy malware that has been designed to stay hidden. While some malware causes lots of disruption, and takes down servers, often criminals want to keep their malware running on your website server undetected so they can continue to harvest information and maximise their opportunity.

In July 2012, for example, a Trojan was discovered that was being used to steal information from the Japanese government. It turned out to have been in operation for two years totally undetected.[8]

This is also why SSL Certificates are so important. A lot of information is sent back and forth between visitors to your website and your server, sometimes highly confidential information like credit card details, addresses and other personal identification points. By configuring SSL to be ‘always on’ you can ensure that all communication is encrypted from the moment a visitor arrives on your site, reducing the risk of malware being able to eavesdrop and undermine your customers’ confidentiality. Using SSL like this can help to build trust and keep confidential data safe. This is why sites such as Twitter, Facebook, Google and LinkedIn do it.
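One way to verify the ‘always on’ configuration described above is to audit what the site actually returns to a visitor. The following is an added example, not part of the original whitepaper or any Symantec product: it checks for a permanent redirect to HTTPS, an HSTS header and Secure cookies. The host shop.example, the sample responses and the one-year HSTS threshold are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # assumed minimum HSTS lifetime (seconds) for this example

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)', value or "", re.I)
    return int(m.group(1)) if m else None

def audit_always_on(http_resp, https_resp, min_age=ONE_YEAR):
    """Each response: {"status": int, "headers": {...}, "cookies": [raw Set-Cookie]}."""
    findings = []
    http_h = {k.lower(): v for k, v in http_resp["headers"].items()}
    https_h = {k.lower(): v for k, v in https_resp["headers"].items()}
    # 1. A visitor arriving over plain HTTP must be sent to https:// permanently.
    target = urlsplit(http_h.get("location", ""))
    if http_resp["status"] not in (301, 308) or target.scheme != "https":
        findings.append("http request not permanently redirected to https")
    # 2. HSTS tells the browser to skip plain HTTP on every later visit.
    age = hsts_max_age(https_h.get("strict-transport-security"))
    if age is None:
        findings.append("no Strict-Transport-Security header")
    elif age < min_age:
        findings.append(f"HSTS max-age {age} below {min_age}")
    # 3. A cookie without Secure can still be sent over an unencrypted request.
    for raw in https_resp.get("cookies", []):
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in raw.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    return findings

# Constructed sample responses (shop.example is a placeholder host).
WEAK_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}}
WEAK_HTTPS = {"status": 200,
              "headers": {"Strict-Transport-Security": "max-age=300"},
              "cookies": ["session=abc123; Path=/; HttpOnly"]}
GOOD_HTTP = {"status": 301, "headers": {"Location": "https://shop.example/"}}
GOOD_HTTPS = {"status": 200,
              "headers": {"Strict-Transport-Security":
                          "max-age=31536000; includeSubDomains"},
              "cookies": ["session=abc123; Path=/; HttpOnly; Secure"]}

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("always-on", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, audit_always_on(*pair) or "no findings")
```

The weak site serves content over plain HTTP, sets a five-minute HSTS lifetime and issues a session cookie that a network eavesdropper could still capture; the second pair passes all three checks.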


STAYING HIDDEN PAYS OFF

Stealth also works in the criminals’ favour when the malware they have installed doesn’t attack your server, but instead sits on your website and attacks your customers and clients. In this case, you might not be the target, but your business is still the victim.

[Figure: Web attacks in 2012 by toolkit: Blackhole 41%, Sakura 22%, other 37%]

Web attacks are on the rise, and the latest ISTR highlights that 61 percent of malicious web sites are actually legitimate sites that have been hacked or compromised and had malicious code inserted without the owner’s knowledge.

You can find out more about the different weaknesses inherent in your website that criminals can use to deploy malware, such as unpatched servers and cross-site scripting, in our whitepaper, ‘Reducing the Cost and Complexity of Web Vulnerability Management’: http://www.symantec.com/content/en/uk/enterprise/white_papers/b-reducing-cost-complexity-of-web-vulnerability-mgmt_WP.pdf

Toolkits: the master key for website vulnerabilities

The most common way for criminals to exploit your website vulnerabilities is with toolkits. These are software bundles that criminals can buy off-the-shelf, like you would legitimate programs, which already have the right code to exploit certain vulnerabilities and deploy the type of malware the buyer wants to use.

Cybercriminals create and trade malware much like legitimate companies buy and sell software. There are even popular hit products and up-and-coming new arrivals. In fact, a single toolkit, called Blackhole, was responsible for 41 percent of web attacks in 2012. The Sakura toolkit, which wasn’t even in the top ten in 2011, last year accounted for 22 percent of attacks. This is clearly a slick, organised and profitable venture.

The risk that your site will be infected by malware is significantly increased thanks to the existence of these toolkits. They allow cybercriminals, who are not necessarily skilled enough to develop complex code themselves, to still attack your site and its visitors.


WEBSITE VISITORS ARE RIPE FOR THE PICKING

One of the likely reasons toolkits are so popular is because of how often they are effective. Once on your site, malware searches for vulnerabilities in your visitor’s browser and if it finds one it will download a ‘dropper’, or malicious code that then searches their entire computer for vulnerabilities and takes advantage of what it finds.

Reported vulnerabilities in browsers and plug-ins last year fluctuated between 300 and 500 per month. ‘Criminals’ ability to quickly find and exploit new vulnerabilities is not matched by software vendors’ ability to fix and release patches,’ states the WSTR. Major software vendors regularly release urgent patches for recently-discovered vulnerabilities.

Add to this many people’s lack of vigilance when it comes to keeping their software up to date, and many companies’ inability to upgrade without disruption to business critical applications, and you can see why criminals will take advantage of any path that leads to such ripe pickings.

Watering hole attacks

As well as inserting malicious code into your website that will download malware to visitors’ vulnerable devices, criminals also inject malware onto your site in order to redirect visitors to another site. That site will contain malware, which will infect the victim with a zero-day exploit.

As explained in our ‘Website Vulnerabilities Guide’, this is an exploit that takes advantage of a vulnerability that no one yet knows about, which is why the criminals keep the code on their own malicious site, to keep it secret. This technique is known as a watering hole attack, and is becoming increasingly popular with cybercriminals.

1. Profile: Attacker profiles victims and the kind of websites they go to.
2. Test: Attacker then tests these websites for vulnerabilities.
3. Compromise: When the attacker finds a website that can be compromised, they inject JavaScript or HTML, redirecting the victim to a separate site that hosts the exploit code for the chosen vulnerability.
4. Wait: The compromised website is now “waiting” to infect the profiled victim with a zero-day exploit, just like a lion waiting at a watering hole.
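The injection described above, JavaScript or HTML added to a legitimate page so that visitors load content from another site, is what a regular scan of your own pages looks for. The following is an added example, not part of the original whitepaper or any Symantec scanner: it parses a page and reports scripts, frames and meta refreshes that point at hosts outside an allowlist. The host names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
REFRESH_URL = re.compile(r'''url\s*=\s*['"]?([^'";]+)''', re.I)

class InjectionScanner(HTMLParser):
    """Collects (line, kind, host) for content loaded from non-allowlisted hosts."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _external(self, url):
        # Relative URLs have no hostname and therefore stay on the same site.
        host = (urlsplit(url.strip()).hostname or "").lower()
        return host if host and host not in self.allowed else None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag in ("script", "iframe"):
            host = self._external(a.get("src", ""))
            if host:
                # Frames sized 0/1 pixel or styled invisible are a common hiding trick.
                hidden = tag == "iframe" and bool(
                    a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                    or HIDDEN.search(a.get("style", "")))
                kind = "hidden-iframe" if hidden else f"external-{tag}"
                self.findings.append((line, kind, host))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content", ""))
            host = self._external(m.group(1)) if m else None
            if host:
                self.findings.append((line, "meta-refresh", host))

def scan(html, allowed_hosts):
    parser = InjectionScanner(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a shop page with two injected elements (lines 6 and 7).
ALLOWED = {"shop.example", "cdn.shop.example"}
PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://redirector.invalid/in.php" width="1" height="1"></iframe>
<script src="//stats.unknown.invalid/t.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, kind, host in scan(PAGE, ALLOWED):
        print(f"line {line}: {kind} -> {host}")
```

Run against every published page after each deployment, a check like this turns an unexpected third-party host into a reviewable finding instead of something a visitor’s anti-virus discovers first.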


WHAT MALWARE CAN DO

There are many different sorts of malware that look to turn a profit for criminals, or sometimes simply cause disruption and disturbance. The types of malware that criminals are most likely to try and distribute using your website, however, are those that make them money.

If your site has been infected, the following types of malware can be downloaded to a client or customer’s device simply by them arriving on your site. All they will see is your brand, followed by either a warning from their anti-virus software, or worse, the effects of an infection.

What it does: Ransomware locks a user’s computer and displays a single warning screen. Support cannot even remote into the device to try and remove the malware. Often the screen will impersonate a local law enforcement agency and the software can sometimes even use the victim’s own camera to include a photo of them in the warning.
How it earns criminals money: As the name indicates, criminals demand a ransom to unlock the device. Usually they pretend it’s a fine for illegal or illicit behaviour on the victim’s part, imposed by the local law enforcement agency. Even when you pay, often they don’t unlock your device. Last year it is thought three percent of victims paid up.

What it does: Botnets are networks of dispersed computers and servers that criminals use to distribute spam emails or generate bogus clicks on pay-per-click advertising. The right malware will silently incorporate a victim’s device into one of these botnets.
How it earns criminals money: Although the returns on this sort of malware are not immediately high, it is hard to detect and difficult to remove, meaning it offers a long-term steady stream of income for criminals.

What it does: Keystroke logging does exactly what it says on the tin. This malware is able to record every key that is pressed, meaning it can look for 16-digit combinations that are likely to be credit card details, 6-digit date-of-birth sequences or unusual strings of characters that are likely to be passwords.
How it earns criminals money: This type of malware is used to gather information for identity theft, credit card fraud and account hacking. Information is a highly valuable commodity on the black market, and malware that can gather this type of intelligence can reap big rewards, especially if it’s one of your big clients that happens to fall victim and criminals bypass their more sophisticated and strongly protected systems.

What it does: Further malware distribution. If the victim of this malware is connected to a network, everyone in that network, and all the servers connected to it, are at risk as the malware distributes to every device, placing data, devices and operations at risk.
How it earns criminals money: The rewards all depend on how far the malware is distributed and what additional malware is triggered on different machines as per their vulnerabilities. This type of malware can paralyse an organisation, cause major data breaches and cost hundreds of thousands to rectify.

The Symantec ISTR also reported on the Shamoon attacks. In 2012, this malware, which targeted energy companies, was able to wipe entire hard drives. This type of action is extremely sophisticated, and so far it has been limited to high-value targets, but it indicates a trend: ‘if it is possible, someone will try it; if it is profitable, many people will do it’.


WHAT’S BAD FOR CLIENTS IS WORSE FOR YOU

If your website is responsible for the infection of a client’s computer, or worse their entire network, it’s going to cost you more than just their lost business. In particular, if you are a small business, you need to prove to big clients that they are safe in their online interactions with your website.

Targeted attacks have increased considerably against small businesses in the last year and at least part of that is thought to be down to criminals thinking they can take advantage of small companies’ often weak defences to leapfrog the stronger defences of the bigger businesses they interact with.

As a result, big clients are demanding more stringent security from their third party providers and partners. The Norton Secured Seal is one way of proving up front that you take your safety and theirs seriously. It is displayed over 750 million times each day, and is the most recognised trust mark on the Internet.[9]

The cost of customer trust

Putting individual customers at risk could cost you dearly as well. The estimated loss of business cost for the average security breach is £300-600 for small businesses and £10,000-15,000 for large organisations.[10]

In addition, if a search engine crawls your site and finds malicious code, you will be immediately blacklisted, wiping out all your search engine rankings and credibility. Warnings from a search engine or a customer’s own anti-virus software about the safety of your site can destroy your reputation in seconds. Not only is that thought to cost £1,500-8,000 for small businesses and £25,000-115,000 for large organisations, but once trust is lost it is also incredibly hard to regain.[11]

When a customer searches for your business you want to start building trust from the very first click, not losing it. The Norton Secured Seal, which is included with all Symantec SSL Certificates, is displayed in search engine results next to your site and proves that you monitor and protect your website, you are who you say you are and you take online security seriously. Symantec Seal-in-Search is certainly a way that you can build trust from the very first moment someone searches online.

[Figure: Estimated loss of business cost for average security breach: £300 - £600 for small business; £10,000 - £15,000 for large organisation]

[Dollar figures annotated on this page: $500-1000; $1,800-10,000 for small businesses and $40,000-190,000; $15,000-25,000]


TAKE RESPONSIBILITY

Despite the scale of the threat from cybercriminals, over half of business owners have never carried out a website vulnerability assessment.[12] You need to know your weak points before you can even begin to implement technology and processes to protect against them.

A Symantec vulnerability assessment provides you with an actionable threat report to help you prevent the malicious spread of malware through your website.

Ultimately when you fail to properly secure your website you are putting your business, your customers and clients at risk. With the increase in drive-by web attacks, any number of people could fall victim to the malware lurking on your site. It’s in the interests of everyone in the wider online community for you to stay secure.

Partner with professionals

As you’ve read, cybercriminals see malware as part of a serious, multi-million dollar industry. They invest time and money in exploiting vulnerabilities and maximising the impact of their malicious software.

You, on the other hand, need to focus on the growth and success of your own business, so you need a security partner that is as committed to keeping websites secure as the criminals are to exploiting them.

Symantec has a full range of Website Security Solutions to help you search for vulnerabilities, encrypt data, spot malware and inspire confidence on your website. We are the leading source of trust online and we protect all the companies in the Fortune 500. We can help to protect you too.


REFERENCES

1. Symantec’s Vulnerability Assessment – Feeling Vulnerable? You Should Be, https://www.symantec-wss.com/campaigns/14601/uk/assets/VA-WhitePaper-UK.pdf

2. Symantec’s Website Security Threat Report 2013, https://www.symantec.com/content/en/us/enterprise/images/mktg/SOP/EMEA/14385_symantec_wstr_whitepaper_uk.pdf All subsequent Internet security statistics are sourced from the ISTR unless otherwise footnoted.

3. Department for Business Skills and Innovation, 2013 Information Security Breaches Survey, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf

4. http://www.symantec.com/connect/blogs/cost-cybercrime-2012

5. 2013 Information Security Breaches Survey.

6. Symantec Intelligence Report: July 2013, http://www.symantec.com/security_response/publications/monthlythreatreport.jsp

7. 2013 Information Security Breaches Survey.

8. http://www.theregister.co.uk/2012/07/25/japan_finance_ministry_trojan_attack/

9. International Online Consumer Research: US, Germany, UK, July 2012

10. 2013 Information Security Breaches Survey.

11. 2013 Information Security Breaches Survey.

12. Symantec’s Vulnerability Assessment – Feeling Vulnerable? You Should Be, https://www.symantec-wss.com/campaigns/14601/uk/assets/VA-WhitePaper-UK.pdf


Symantec Website Security Solutions
Website Security Threat Report 2013

ABOUT SYMANTEC

Symantec Website Security Solutions include industry leading SSL, certificate management, vulnerability assessment and malware scanning. The Norton™ Secured Seal and Symantec Seal-in-Search assure your customers that they are safe from search, to browse, to buy.

More information is available from

www.symnatec.com/en/aa/ssl-certificates