Computer & Internet Security News

28 March 2007
Web attacks get personal

By Matt Hines, InfoWorld
Malware makers are increasingly tailoring their attacks to specific classes of victim, according to researchers with the Internet Security Systems' X-Force team at IBM.
X-Force experts said that malware writers, phishers, and botnet herders are more frequently using so-called personalisation tools to make their attacks more effective.

Much like the online marketing companies that gather information to target advertising at individual web users, criminals are scanning readily available details about people's computers to find victims more easily.

The approach uses any information that helps determine the right attack, based on factors like:
browser
operating system
language
cache level
security patch
IP address
By combining the more intelligent attack tactic with hard-to-detect Trojan, botnet, and cross-site scripting attacks, cutting-edge criminals are finding plenty of ways to take advantage of end users, said Gunter Ollman, director of security strategy for IBM ISS.

"With every web page request, people send out a header that describes their browser and also tells you what language the request is being made in and sometimes even the cache level of the host it is running on; there's a lot of information in there, including the IP address of the person making the request," Ollman said.

30 percent of malicious web sites were already using personalisation techniques by the end of last year.

"By combining the IP address and all the host details in the browser, we're seeing that attackers build sites that ensure they only use exploits that will work against a specific host," the expert said.

In addition to determining which version of browser or OS software someone is using, many of the attacks can assess what level of security patch a particular program has in place, according to the researcher.

Criminals are also loading malware-infected web pages with numerous exploits to assault many different sets of users, with dozens of pieces of code being served up on a single URL.

Many of the threats are hidden in individual elements of web pages, including Flash files, PDFs and images. Each may contain multiple attacks meant to take advantage of different vulnerabilities.

Most of the exploits do not deliver spyware directly. Instead, they pass along smaller files known as droppers, which are less likely to be identified by anti-virus systems. The droppers sit quietly, then call out across the internet and draw in the real malware programs.