Stealthy Attacks Are The New Threat: AVG

Shedding light on a new model for malware production and distribution, Netherlands-based online security software developer AVG Technologies has released statistics showing that, unlike viruses, which make a point of being obvious and staying around for as long as they can, today's web-borne threats use stealth and transience to hit their marks.

According to AVG's study released Tuesday, online threats frequently appear briefly on an otherwise legitimate site, moving on to other sites before they can be identified and blocked. The takedown of the notorious web host McColo curbed 50 to 75 percent of the world's spam, but it offered only a short reprieve: while some were celebrating a new age without the threat of spam, others were bracing themselves for more sophisticated attacks.

For instance, a number of criminals set up hundreds of seemingly legitimate web sites with embedded infections, promote them for a day or two, and then shut them down before they are detected. AVG reports that the rate of 'here today, gone tomorrow' sites has been increasing, with the average number of unique new infective sites appearing each day growing from 100,000 to 200,000 a day to 200,000 to 300,000 a day in just the past three months.

AVG also reports a new trend that it calls 'malverts,' malicious advertising that criminals can submit to an advertising network, which is then distributed unwittingly to hundreds of sites, infecting those who click them with data-stealing spyware.

There are plenty of other examples of secretive, short-lived, and fast-moving threats that have become possible because an end-user can be infected simply by visiting a website, without even clicking a link. These "drive-by downloads" can steal passwords, bank account information, and other valuable personal data, and close to 60 percent of these sites are infective for one day or less, according to AVG's research.

With transience at the core of these schemes, traditional security software, which relies on virus "signatures" or periodic scans of millions of websites, provides little protection within the increasingly short window of time in which a user clicks a malicious link.

"Any web security product that relies on visiting and scanning websites to deliver a safety rating to its users would have to visit every one of the hundreds of millions of sites on the Internet every day to provide protection against these threats -- a technological impossibility even with today's supercomputers," AVG chief executive officer J.R. Smith said in a statement. "Our recent acquisition of Sana Security's behavioral analysis technology adds yet another layer of protection that will help us to keep users safe from new and unknown threats."

Transient, rapidly-changing information is also a hallmark of social networks like Facebook and MySpace, so it's not surprising that cybercriminals have found fertile territory there. Messages from "friends" that direct users to malicious pages, which then download infective malware in the background, are all-too-easy for people to mistakenly trust.

AVG chief research officer Roger Thompson noted three key factors that make it particularly difficult for security companies to track and detect these types of threats.

"Firstly, it takes a long time to detect and close down threats distributed randomly across thousands of different pages on a large social networking site," Thompson said in a statement. "Secondly, the threat is usually short-lived: a malicious program delivered through a popular site doesn't need to run for long to attract a large number of victims. And thirdly, the Internet is so large that scanning every web page for a threat that may only be present for a few hours or days is simply not feasible."

Thompson said AVG's layered approach to protecting users, which includes its LinkScanner software for real-time protection, is vital given the nature of today's threats. "If a site contains one bad thing, it might easily contain multiple bad things -- and usually does. By bringing together data from multiple sources, we're able to build a very complete picture of individual threats and provide the appropriate protection."

Between 2005 and 2006 as spam was declining, some were predicting that the sophistication in anti-spam technology spelt the end of spam by the close of 2006 - a prediction that obviously never came true. With similar optimism surrounding the elimination of major spam hosts including McColo, instead of seeing the demise of spam, many security providers have been finding more sophisticated spam.

Last week, "Security as a Service" provider SecureWorks reported that since the takedown of McColo, the large old botnets (Rustock and Srizbi) have been replaced by new botnets and are once again at large.

As security providers continue to keep users free of malware, criminals continue to find new ways to spread their viruses. For instance, IT security firm MessageLabs found in June 2008 that spammers were able to exploit hosted web tools such as Google Docs and Microsoft SkyDrive to spread malware, using these services' unlimited bandwidth and their ability to bypass spam filters.
