Websites that spread malware may be leveling off, but Web-borne malware encounters are still growing. According to a 2Q10 Global Threat Report published by Cisco, criminals are using search engine optimization and social engineering to become more efficient, luring more targeted victims to fewer URLs.

Using IronPort SenderBase, Cisco estimated that search engine queries lead to 74 percent of Web malware encounters in 1Q10. Fortunately, two-thirds of those encounters either did not deliver exploit code or were blocked. But that means 35 percent of Web-borne exploits are still reaching browsers, where they try to drop files, steal information, propagate themselves, or await further instructions.

Browser phishing filters, anti-malware engines, and up-to-date patches can play a huge role in defeating malware reaching the desktop. However, to find unguarded vectors and unpatched vulnerabilities, let's look at how today's most prevalent Web malware works.


#10: Last on Cisco's list of 2Q10 encounters is Backdoor.TDSSConf.A. This Trojan belongs to the TDSS family of kernel-mode rootkits, TDSS files are dropped by another Trojan (see Alureon, below). Once installed, TDSS conceals associated files and keys and disables anti-virus programs by using rootkit tactics. Removing TDSS from a PC is difficult; using up-to-date anti-malware to block the file drop is a better bet.

#9: Ninth place goes to an oldie but goodie, Mal/Iframe-F. Many variants use this popular technique: inserting an invisible HTML <iframe> tag into an otherwise legitimate Web page to surreptitiously redirect visitors to other Websites. Hidden iframes may elude detection by the human eye, but Web content scanners can spot them and Web URL filters can block redirects to blacklisted sites.

#8: In a dead heat with Iframe-F is JS.Redirector.BD, a JavaScript Trojan that also redirects users to Websites they had not intended to visit. Like some other members of the large JS.Redirector family, this Trojan tries to evade blacklist filters by using obfuscation techniques like dynamically-generated target URLs.

#7: Nosing past Redirector.BD is Backdoor.Win32.Alureon. Alureon refers to a family of dynamic, multi-faceted Trojans intended to generate revenue from a victim's Web activities. Malware components within each instance vary, but Alureon has been seen to alter DNS settings, hijack search requests, display malicious ads, intercept confidential data, download arbitrary files, and corrupt disk drivers. In fact, threat reports indicate that Alureon has been used to drop TDSS onto infected PCs.

#6: Tied for middle-of-the-pack is Worm.Win32.VBNA.b. VBNA implants itself in a user's Documents and Settings folder, adding a Run key to the registry. Thereafter, VBNA auto-launches and propagates itself to neighboring PCs via writable fileshares. VBNA also displays a fake virus infection warning to trick users into purchasing fake anti-malware (which is often just more malware). Scare tactics like this appear to be on the rise, preying upon uninformed users.

#5: Next up is JS.Redirector.AT, another member of this Trojan family famous for redirecting users to other Web sites. Destination sites reportedly have displayed porn, phished for confidential data, and implanted malware on the victim's PC. One way to inhibit these Trojans is to disable JavaScript execution – if not in the browser, then in Acrobat Reader to block JavaScript hidden in PDFs. Exploits targeting Adobe PDF, Flash, and Sun Java vulnerabilities were particularly hot in 1H10.

#4: Taking fourth place is Mal/GIFIframe-A, a sibling to the afore-mentioned Iframe-F. GIFIframe-A also uses <iframe> tags, but this family of malware exploits iframes that have been injected into files encoded using popular graphic formats like GIF and JPG. When a user visits an infected Website and attempts to load the graphic, the injected iframe is processed, executing attacker-supplied code.

#3: At third, representing three percent of 2Q10 encounters, is a keylogger called PSW.Win32.Infostealer.bnkb. Dozens of Infostealer variant Trojans exist, targeting a wide variety of institutions and their customers. All work by capturing keystrokes, scanning for specific Web transactions, and stealing usernames, passwords, account numbers – typically those associated with online banking.

#2: A new JS.Redirector variant took second place in 2Q10: JS.Redirector.cq. Like other family members, this Trojan uses malicious JavaScript to redirect users. In this case, users find themselves at Websites that pretend to scan for viruses, then download fake anti-virus code, no matter where the user clicks on the displayed window. But how do legitimate Websites get infected with JS.Redirector in the first place? One reportedly common vector: SQL injection.

#1: First place goes to the now infamous Trojan downloader Exploit.JS.Gumblar. According the Cisco, Gumblar represented 5 percent of all Web malware in 2Q10, down from 11 percent in 1Q10. Gumblar is a downloader that drops an encrypted file onto the victim's system. Gumblar runs that executable without user consent, injecting JavaScript into HTML pages to be returned by a Web server or displayed by a user's Web browser. The injected JavaScript usually contains an obfuscated exploit; early scripts downloaded more malware from gumblar.cn – thus giving this Trojan its name.

Cisco's 2Q10 list was generated by IronPort, which uses Sophos, Webroot, and McAfee malware detection engines. Other vendors use different naming conventions and publish slightly different lists that represent other monitored data sources. And next quarter there will be new lists -- probably composed largely of variants.

The purpose of such lists is not therefore to tell you which malwares to scan for. That job falls to continuously-updated anti-malware defenses, installed on desktops, servers, and gateways. Instead, use this list and others like it to identify and proactively fight trends that are likely to persist or grow and target your Web servers and users tomorrow.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.