154 JOURNAL OF EMERGING TECHNOLOGIES IN WEB INTELLIGENCE, VOL. 2, NO. 2, MAY 2010

now enter via the Web, and IBM Internet Security Systems (ISS) estimates that nearly 100% of Web attacks now use obfuscated JavaScript, a very effective technique for bypassing antivirus and intrusion prevention.

Today, once a PC is infected with stealth malware, it typically opens two-way communications to a "command and control" (C&C) server to establish a channel back to the cyber criminal. This allows the "bot" (as in "robot computer") to report status as well as any valuable information that is immediately accessible. Groups of these remotely controlled, malware-infected computers are commonly called botnets, and they serve as the foundation of most cybercrime on the Internet.

How do victims get infected? A user may be drawn by a phishing e-mail to a Web site hosted on a hijacked server, which serves up a browser exploit; this downloads and installs a bot on the user's PC. The bot then downloads more malware, such as "keyloggers" that silently record keyboard and mouse activity, to carry out further criminal activities such as stealing user credentials and capturing other sensitive information.
All of this takes place without the knowledge of the user or administrator. As their prevalence has increased, remote-control malware and botnets have become serious concerns for security administrators.

The January 2009 malware-related data thefts at Heartland Payment Systems and the earlier malware infiltrations at Hannaford Supermarkets, University of Florida Medical Center, and NASA underscore the escalating threat of malware-related data breaches. The Identity Theft Resource Center, a nonprofit group focused on understanding and preventing identity theft, reported that 656 known security breaches had taken place in 2008, a 47 percent increase over 2007's total. As of March 17, 2009, the resource center had already recorded 110 breaches in 2009.

Recent research [14] has found:
- 11% of the world's computers are enmeshed in at least one botnet
- 23% of home computers become infected despite having security enabled
- 72% of corporate networks larger than 100 PCs have an infection

V. STEALTH MALWARE ATTACKS ARE OUTMANEUVERING CONVENTIONAL DEFENSES

Defending corporate networks from today's malware-related data thefts requires modern protection that goes beyond current signature- and heuristic-based detection techniques.
Modern threats exploit the inability of conventional network protection to provide a unified defense against a criminal who attacks on multiple fronts, from OS and browser vulnerabilities to social engineering. The anachronistic concept of detecting infections with a single technique, such as signatures, has left many businesses and consumers open to attack despite their deployment of antivirus and IPS (intrusion prevention systems). The sheer volume and escalating danger of modern attacks are overwhelming limited IT resources and outmaneuvering the conventional defenses that may already be in place. To enable a more efficient IT security process, accurate and timely identification of infected machines is the first step in preventing malware-related data breaches, and the only viable solutions are those that provide thorough coverage across the many vectors used in attacks.

VI. CONVENTIONAL APPROACHES FAIL TO PROTECT AGAINST WEB THREATS

Web threat scanning has specific requirements that are not met by the traditional approach to virus scanning. Conventional antivirus software installed on client machines, for example, while crucial to protecting those machines from a variety of threats, does not adequately protect against the evolving set of Web threats. One reason is that the conventional approach to virus protection involves collecting samples of viruses, developing patterns, and quickly distributing these patterns to users. Because many Web threats are targeted attacks and span many variants, collecting samples is almost impossible. The large number of variants, delivered over multiple vehicles (for example, spam, instant messaging, and Web sites), renders the conventional sample collection, pattern creation, and deployment process insufficient.

Another reason conventional virus detection falls short is a fundamental difference between those viruses and evolving Web threats. Conventional viruses were designed to spread as quickly as possible and were therefore often easy to spot. With the advent of Web threats, malware has evolved from this outbreak model to stealthy "sleeper" infections that are difficult to detect with conventional antivirus techniques.

Recovering from infections also presents new challenges.
In some cases, Web threats may result in a system infection so extensive (for example, via a rootkit in which system files are replaced) that conventional uninstall or system cleaning approaches become useless. Infected systems often require a complete system recovery, in which the hard drive is wiped and the operating system, applications, and user data are reinstalled.

VII. FUTURE WORK

A New Approach Is Needed: Integrated, Multi-Layered Protection. Clearly, users need a new approach to addressing Web threats that complements existing techniques. The most effective approach will employ multiple layers of protection and incorporate a range of protective measures. In addition, the evolving nature of the threat necessitates some form of information feedback and integration, in which information gathered in one portion of the protection network is used to update the other layers. Any effective approach should also address all relevant protocols, because Web threats leverage multiple protocols in their attacks, in particular email as the initial delivery mechanism and the Web as the threat host. However, other mechanisms, such as links in IM and infected files, can also help perpetrate attacks.

Coordinating measures requires efficient, centralized management of region-specific expertise to help address the regional, and even localized, nature of many of the threats. The key to effectively addressing Web threats is a multi-layered approach. The network points are categorized in four layers (see Figure 2): 1) "in the cloud" (i.e., before the traffic reaches the Internet gateway), 2) at the Internet gateway, 3) across the network servers, and 4) at the endpoint (for example, the client). In the example below, the description uses the points in the network for high-level organization and describes the protocol protection and security technologies that can be deployed at those points. The subsections on protocol protection and security technologies describe email solutions first, since email is often the first step in a Web threat attack, followed by Web solutions that directly protect Web usage.

A multi-layered approach is needed to protect against the broad range of Web threats.

DNA of an ideal solution:
- Dynamic, real-time detection of threats: finds the latest stealth, 0-day attacks
- Accurate detection: no false positives and no false negatives
- Return on security investment: easy to install, manage, support and scale

VIII. CONCLUSION

Web threats are prevalent today and are growing in number and impact. Their complexity, large number of variants, and use of multiple vectors, combined with their exploitation of the most commonly used medium today, the Web, make Web threats the most challenging threat that consumers, businesses, and service providers have faced in a long time.

Potential costs associated with these threats include confidential information leakage and theft of network resources, with the adverse impact of erosion of customers, trust, and brand reputation; regulatory and legal implications; negative public relations; and loss of competitive advantage. Because conventional approaches fail to protect against Web threats, the information security industry is at a crossroads.
Businesses of all sizes, as well as service providers, need to deploy solutions via an integrated, multi-layered approach to provide real-time, comprehensive protection against these threats.

REFERENCES

[1] Gregg Keizer, Computerworld, August 19, 2007, "Identity attack spreads; 1.6M records stolen from Monster.com," http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9031418&pageNumber=1
[2] Dan Kaplan, SC Magazine, October 30, 2007, "FTC Spam Contains Keylogging Trojan," http://www.scmagazineus.com/FTC-spam-containskeylogging-trojan/article/58273/
[3] Paul F. Roberts, eWeek.com, December 16, 2005, "Spear Phishing Attack Targets Credit Unions," http://www.eweek.com/article2/0,1895,1902896,00.asp
[4] IDC, press release, July 18, 2006, "Private Internet Use by Staff Threatens IT Security in Danish Companies, Says IDC," http://www.idc.com/getdoc.jsp?containerId=pr2006_07_14_125434
[5] Cara Garretson, NetworkWorld.com, January 11, 2006, "Spam that Delivers a Pink Slip," http://www.networkworld.com/news/2006/110106-spamspear-phishing.html
[6] Gregg Keizer, TechWeb Technology News, January 24, 2006, "Botnet Creator Pleads Guilty, Faces 25 Years," http://www.techweb.com/wire/security/177103378
[7] Marius Oiaga, Softpedia, October 4, 2006, "Hacking Russian Trio Gets 24 Years in Prison," http://news.softpedia.com/news/Hacking-Russian-Trio-Gets-24-Years-in-Prison-37149.shtml
[8] Byron Acohido and Jon Swartz, USA TODAY, October 11, 2006, "Cybercrime flourishes in online hacker forums," http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-10-11-cybercrime-hackerforums_x.htm
[9] Police of the City of Munich, August 25, 2006, http://www.sueddeutsche.de/,tt3m3/muenchen/artikel/612/83529
[10] Avivah Litan, "Phishing Attacks Escalate, Morph, and Cause Considerable Damage," Gartner, December 12, 2007.
[11] Tom Krazit, CNET, December 20, 2006, "Two in three retail PCs are notebooks," http://news.com.com/Two+in+three+retail+PCs+are+notebooks/2100-1044_3-6144921.html
[12] Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang, and Nagendra Modadugu, "The Ghost in the Browser: Analysis of Web-based Malware," May 2007.
[13] David Barroso, ENISA Position Paper No. 3: "Botnets – The Silent Threat," November 2007, http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_botnets.pdf
[14] Panda Security, http://www.pandasecurity.com/homeusers/media/pressreleases/viewnews?noticia=9077

© 2010 ACADEMY PUBLISHER