“Over the last fourteen months,” Mark Patton, the general manager of the Security Business Unit at GFI Software, explained to Infosecurity, “we’ve seen an eightfold increase in the use of browser exploits to deliver malware. In fact, 75% of all the infections we find today have been contracted by this technique.”
It stems from the evolution of malware from a device to generate kudos and notoriety for the author, to one primarily used to generate money. Malware is now big business and is treated as such. Cyber criminals can buy their malware, or subcontract development to freelance authors. They can hire botnets to distribute phishing or drive-by enticing emails. They can host their malware on hired bullet-proof servers that are difficult to take down. They can monitor detection rates by the various AV systems, either modifying the malware they seek to deliver in order to beat signature engines or swapping the malware to a different trojan/virus. The result is that malware is sneaking onto computers via browser plug-ins and by-passing AV defenses in greater numbers than ever before.
The problem is not just the malware – it is the browser exploit in plug-ins such as Java and Flash and Adobe Reader being used to deliver the malware.
“Better AV won’t help the user,” said Patton. “The exploit authors are just too fast. The exploit websites move every two to three hours, the actual payload changes dynamically – AV’s just not enough anymore.” Rather than simply trying to catch the malware, Patton believes the solution must also include closing the exploit door that that the malware uses to get onto the computers. The easiest way to do that is by patching the plug-ins as soon as patches are available. But users simply do not patch fast enough.
There are several reasons for sluggard patching – and the industry itself is not without blame. “We’ve been telling users not to click on anything,” explained Patton. “So when a window pops-up urging the user to update a plug-in, the user ignores it.” Other reasons include over-worked sys admins and a lack of understanding in the importance of patching. But it is essential. Criminal coders can take a patch, reverse engineer it, and produce a new exploit within days if not hours of the patch release. In theory, and just briefly, the release of patches will make users more rather than less vulnerable – until the patch is applied.
GFI Software is tackling the problem by adding a silent and automated patch management module to its VIPRE Business product. “We monitor 27 different products,” explained Patton. “Using a proprietary scan engine, we discover which users have what product installed. Then, when a new patch is released, we quietly compare the installed version with the patched version, and where necessary and safe, we update the user’s version – silently and automatically.”