Dec 01

Just when it seems as though malware and Trojan attacks could not get much worse, along comes yet another to toss a monkey wrench into the works.  The latest Trojan horse program to be released on the Web is the URLzone Trojan that attacks banks.

Is that your bank?

The URLzone Trojan horse program was discovered by Finjan Software at the end of September 2009 and has been reported as being extremely advanced.  The program rewrites bank pages in such a way that unsuspecting victims have no idea that their bank accounts are being emptied.  With an integrated command-and-control interface, nefarious types can set the specific amounts they would like to remove from their victims' accounts.

Slippery little bugger

Not only has this bit of malicious coding gathered the interest of Finjan, but RSA Security has also been tracking and researching URLzone.  Thus far the Trojan horse program has proven to be a bit of a slippery one to catch.  The malware uses several techniques to identify machines being used by law enforcement and investigators in attempts to catch URLzone.  The one good thing to come of this is that the creators of the program know they are now being watched, and are reacting.

Just how slippery is this Trojan?  Once it has detected it is being monitored, it continues to force a money transfer.  Instead of using one of its own people, it grabs a legitimate and innocent victim who has been part of legal money transfers in the past and makes it appear as though that person is generating the transaction.  The end result is a bunch of very confused investigators.

To date, over 400 unsuspecting accounts have been used as mules, over 6,400 computers have been infected with URLzone, and the total amount cleared on a daily basis has been in excess of $17,500.

How does it work?

How does URLzone work its way onto unsuspecting computers?  Once the malware executes, it makes a copy of itself at c:\uninstall02.exe.  An ID is created and sent, along with the URLzone version ID, to the command-and-control interface.  This effectively confirms that the machine in question is now infected with the Trojan.  The command-and-control interface then logs the information, and a new executable is downloaded which copies itself to the SYSTEM32 directory under a random, hidden name.  The program does not change any existing system files, and so has to add itself to the startup registry again each time the machine in question is rebooted.

At this point, URLzone hooks itself to the svchost.exe process and quietly checks with the command-and-control interface for new updates and commands while simultaneously watching for web browsers to open.  Once a web browser is opened, the Trojan horse program goes to work and the unsuspecting computer user is completely unaware anything is happening.
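The installation traits described above (a copy at c:\uninstall02.exe, and a hidden, randomly named executable under SYSTEM32 that is re-added to the startup registry at each boot) can be turned into a simple host check. The following is an added example, not code from the original post or from Finjan or RSA; it assumes the "startup registry" is the standard HKLM/HKCU Run key, that the Windows directory is C:\Windows, and it only enumerates the registry when run on Windows (the classification logic works anywhere).

```python
import os
import sys
import ntpath

FILE_ATTRIBUTE_HIDDEN = 0x2
DROPPER_PATH = r"c:\uninstall02.exe"   # the copy the post says the malware makes of itself
SYSTEM32 = r"c:\windows\system32"     # assumed location of the hidden, randomly named stage
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # assumed "startup registry" key

def exe_path(command):
    """Return the lower-cased executable path from a Run value such as '"C:\\x.exe" /arg'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command[1:].lower()
    return command.split()[0].lower() if command else ""

def classify_autorun(command, is_hidden):
    """Label one autorun command against the two persistence traits described above, else None."""
    path = exe_path(command)
    if path == DROPPER_PATH:
        return "dropper-copy"
    if ntpath.dirname(path) == SYSTEM32 and is_hidden:
        return "hidden-system32-autorun"
    return None

def is_hidden_file(path):
    """True when the file carries the Windows hidden attribute; False elsewhere or if unreadable."""
    try:
        return bool(os.stat(path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
    except (OSError, AttributeError):
        return False

def scan_run_keys():
    """Windows only: walk the HKLM and HKCU Run keys; return [(hive, value name, command, label)]."""
    if sys.platform != "win32":
        return []
    import winreg
    findings = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                for index in range(winreg.QueryInfoKey(key)[1]):
                    name, command, _ = winreg.EnumValue(key, index)
                    label = classify_autorun(str(command), is_hidden_file(exe_path(str(command))))
                    if label:
                        findings.append((hive_name, name, str(command), label))
        except OSError:
            continue
    return findings
```

A hit from scan_run_keys() is a lead to verify (file hash, signer, creation time), not a verdict, since any hidden executable under SYSTEM32 with a Run entry matches the second trait.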

Final Thoughts

All in all, the URLzone Trojan horse program is one nasty piece of work.  The best defense any computer user can take is ensuring that their operating system is up to date with the latest security updates and their anti-virus protection software has been recently updated with all the latest information.

Oct 30

Recent statistics released by Dasient show there has been a rise in malware being hosted on web sites – many of these sites are unknowingly spreading the malicious software.  Dasient states that over 640,000 web sites are infected with malware.

Blacklisting by Google

As a result of this sudden rise, Google’s blacklist of infected sites has doubled over the past year.  How does a site end up on Google’s blacklist?  There are several reasons for Google to blacklist a site, but as far as malware is concerned, the culprit is doorway pages.

Parading as a doorway page

A doorway page is a page created specifically for search engines.  Anyone visiting a doorway page would be completely unaware of it, as such pages are designed to be invisible to the regular visitor.  These doorway pages are keyword rich, specifically targeting each search engine.  The malware being placed on unsuspecting web sites creates exactly this type of page, which is what gets the site blacklisted.

How malware is placed within the site

Exactly how are these pieces of malicious software being placed into unsuspecting web sites?  They are created using JavaScript and iframes and are inserted into web site advertisements or even widgets.  In the case of infected advertisements, the ads are designed in such a way as to fool the average user.  The usual modus operandi is to pop up and flash a warning that the user’s computer might possibly be infected.  Once the unsuspecting user clicks on the ad in any way (either by clicking “OK” or “Cancel”), they are immediately redirected to a web site that sells anti-virus software.  The reality is that the user’s computer is perfectly fine and they have been the victim of “scareware”.

How to prevent malware attacks

How can web site owners prevent their web sites from being attacked by malware creators?  One straightforward way to fend off possible attacks is to not use JavaScript within the web site.  Another simple tactic is to remove any PHP scripting that requests user input, as such input handling is often the entry point for SQL injection.  Placing tighter security rules within the server's php.ini and .htaccess files is also a very good step.

How to repair if already attacked

What if a web site has already been attacked?  If the web site is small, a file-by-file clean-up can be done: a thorough search of each file for any unwanted JavaScript or iframe code will have to be done.  However, if the web site in question is rather large and extensive, contracting a service that specializes in web site malware removal may be the best option.  There are a few places that can be found on the web that would be able to help should a web site already have this malware infection.
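As an added example (not part of the original post) of the file-by-file search described here, and of the JavaScript and iframe injection described under "How malware is placed within the site", this Python scanner flags iframes that are hidden, sized to zero, or pointing at a host outside the site's own list, and inline scripts that pair a decode or eval call with a long run of escaped characters. The trusted host list, the heuristics and the sample page (with the example.invalid host) are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Injected script commonly pairs a decode/eval call with a long run of escaped characters.
OBFUSCATION = re.compile(r"eval\(|unescape\(|String\.fromCharCode|document\.write\(", re.I)
ESCAPES = re.compile(r"(%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class InjectScanner(HTMLParser):
    """Collects (kind, line, detail) findings: hidden/foreign iframes, foreign or obfuscated scripts."""
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}  # hosts the site legitimately embeds
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        foreign = bool(host) and host not in self.trusted
        if tag == "iframe":
            tiny = any(a.get(d, "").strip("px ") in ("0", "1") for d in ("width", "height"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")) or foreign:
                self.findings.append(("iframe", self.getpos()[0], a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if foreign:
                self.findings.append(("external-script", self.getpos()[0], a["src"]))

    def handle_data(self, data):
        if self._in_script and OBFUSCATION.search(data) and ESCAPES.search(data):
            self.findings.append(("obfuscated-script", self.getpos()[0], data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scan_html(text, trusted_hosts=()):
    """Parse one page and return its findings (empty list when nothing looks injected)."""
    parser = InjectScanner(trusted_hosts)
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed sample page showing both patterns: a zero-size hidden iframe and an escaped document.write.
SAMPLE = """<html><body><p>Welcome</p>
<iframe src="http://example.invalid/x.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70'));</script>
<script src="/js/site.js"></script></body></html>"""
```

To cover a whole site, feed the contents of every .html, .htm and .php file under the document root (for example via os.walk) to scan_html, and review each hit by hand before deleting anything, since legitimate widgets also embed foreign hosts.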

Conclusion

All told, it is good practice to eliminate JavaScript and PHP coding that requests user input.  Continuous vigilance over the security of one’s web site, unfortunately, is a fact of life.

Aug 25

It seems as if every day, a handful of new companies emerge onto the web hosting scene.  These newcomers have many challenges on their hands.  Not only must they find ways to provide customers with a quality service, but also keep them protected against the wide-ranging list of security threats.  Any personal or business website is susceptible to being compromised by hackers seeking confidential information such as login credentials, account numbers, employee records, personal data and other valuable details.  Because all it takes is one successful breach to open up the doors of chaos, it is vital that website owners employ the most efficient security mechanisms and practices on a regular basis.

What Makes Web Hosting Such a Big Target?

Several reports reveal that the web hosting industry is among the biggest targets of internet hackers.  Why?  The answer is quite simple – the potential of a substantial payday.  The market is made up of thousands of companies that provide services to millions of customers.  The hosting industry is at the forefront of e-commerce, with monetary transactions being made every day.  The robust networks and high-powered web servers used to enable internet access handle massive amounts of sensitive financial and personal information.  Naturally, these infrastructures are a prime target of criminals looking to thieve riches off the efforts of someone else.  If your website deals in mission-critical functions, meaning it is the way you survive and make a living, then security should be of paramount importance.  And while there are several measures you can take to keep your site protected, investing in a secure hosting solution is imperative, as the host is in a much better position to ensure security.

In recent times, a large number of companies have ramped up their efforts to help keep the hosting business protected from malware, DDoS attacks, SQL injection and other methods hackers use to perform their malicious deeds.  Numerous vendors who distribute the open-source Linux operating system are working in conjunction with other software and hardware companies to ensure their OS is protected against security threats.  Likewise, Microsoft, Apple and companies who distribute proprietary solutions are working diligently to support similar efforts.

Even though the number of security solutions providers seems to be increasing as well, hosting providers need to be aware that not all of these vendors can be trusted.  More and more, we are seeing rogue companies run by hackers and internet criminals who claim to have the solution for a great price, but are doing nothing but contributing to the problem.  Because of this, new hosts must be overly cautious in regard to what vendors are actually supplying.

Obtaining a Comfortably Secure Environment

Some website owners have many specialities but for most, security is not one of them.  While this is understandable, there is absolutely no excuse for a professional web hosting provider, new or established, to slack off in security to the point where all parties involved are left vulnerable.  Your hosting provider should indeed be an expert in this field, equipped with the knowledge and manpower needed to stay on top of security procedures and ensure the protection of your data.  If you have concerns regarding your current hosting arrangement, it might be time to consider a more secure solution.

Aug 03

It is very unsettling to know that well over 80% of the email coming through your corporate inbox is spam.  Even worse, many of these messages aren’t just annoying junk mail, but actually contain viruses and other types of malicious software.  In fact, the email system we all use so frequently is the number one delivery medium for malware.  While tons of anti-spam and anti-virus software solutions exist, many companies only utilize the latter defense, leaving themselves susceptible to catching an airborne infection.  Anti-virus software can be very effective, but trying to update all the systems on your network can prove to be a tedious, time-consuming task.  Therefore, you may want to consider an anti-virus hardware solution, as it makes a great first line of defense against malware and spam alike.

How Anti-Virus Devices Work

Anti-virus devices are installed at the network perimeter and are designed to scan email and web traffic on a continual basis.  Similar to traditional virus scanners and spam filters, a set of predefined rules such as blacklists, whitelists and heuristic analysis allows the appliance to easily identify viruses and malicious files.  Suspicious activities such as adware and spyware downloads typically generate a warning while potentially harmful email can either be deleted or marked as spam.  Blacklists, whitelists and virus definitions are updated frequently to make sure the device has the latest signature files and the ability to detect the most recent threats.  Updates can usually be configured on an automatic or scheduled basis.  Most anti-virus appliances offer web-based administration and some provide an integrated console that allows you to manage the filtering, update and reporting functions.

Hosted Solutions

Another option you have for anti-virus hardware is to choose a hosted service.  Many of the hosted services today have the ability to leverage cloud computing and typically require very little overhead with no software or hardware being necessary.  For you, there are no complex mechanisms to manage or upgrade.  This is the ultimate anti-virus outsourcing solution as the service provider handles all the updates, maintenance and technical challenges.

Choosing an Appliance

When selecting an anti-virus appliance for your computing environment, one of the main factors you must consider is the price.  However, you also need to think about performance, as an insufficient product will leave you just as vulnerable as having nothing at all.  Throughput and storage capacity are also key factors, as well as the number of users or email accounts the device supports.  Finally, you might also want to take the track record of the manufacturer into account.  This includes technical support and the likelihood that the company will be around for the duration of the device’s life span.

Conclusion

For a business, anti-virus software can be costly and time consuming to maintain.  A hosted service can be even more cost prohibitive.  A self-hosted anti-virus appliance, on the other hand, can be very cost efficient for a business, costing as low as $1 per user depending on the structure of your network.  These devices require very little physical maintenance and can deliver invaluable protection against the spam and malicious software that pose a threat to your computer systems.

May 28

There are many aspects that go into choosing a web hosting service, and security is one you need to make a priority.  Threats abound on the web, and these exploits are something every hosting provider and customer should be concerned about.  Let’s discuss why security is such a major issue in the hosting industry and what you can do to make sure your website is protected.

Malicious Software

Numerous threats pose a direct risk to web hosting providers' servers and networks.  One of the most dangerous of all is a family of harmful applications known as malware.  A combination of the terms malicious and software, malware comes in many different forms and all can inflict major damage.  Though far more than a simple computer, a server is vulnerable to the same threats.  Before purchasing a hosting package, make sure your prospective host is equipped with technologies that defend against malware types such as viruses, Trojans, spyware and nasty, network-disrupting worms.  If these malicious critters are able to infect the server, every piece of data on that machine can be compromised, your site included.

Bot Rings

Another huge problem faced by hosting networks is the dreaded DDoS attack, an exploit typically employed by criminals involved in botnets.  Short for Distributed Denial of Service, these attacks work by flooding the network with requests.  Once the network is flooded, it slows down dramatically until legitimate traffic is no longer able to pass.  The DDoS attack is one of the oldest exploits around and still one of the most difficult to prevent.  This attack involves a hacker compromising a single server and making that unit the master.  The machine is then instructed to seek out other vulnerable servers, enslaving them to participate in the inevitable launch on a single targeted computer.  With so many requests originating from so many hosts, the unprotected network doesn’t have a chance.  A web host that doesn’t take DDoS attacks into account is leaving the network and all of its customers susceptible to a disaster.

Credit Card Fraud

Every day, millions of transactions are conducted over the internet, as e-commerce is thriving in numerous countries.  Of course the hackers are aware of this and are desperately trying to get their hands on every dollar they possibly can.  The web can be a dangerous place, and vulnerable websites make up some of the biggest targets.  Hackers are on the prowl, equipped with highly advanced tools and just waiting for you to make a mistake.  All they need is for you to set up an online store and open the doors without the proper security applied.  As soon as customers attempt to make a purchase, their credit card details are stolen, and this opens a world of trouble.  Leaving the customer vulnerable to such exploits could result in a huge blemish on your credibility, not to mention legal issues and the possible loss of your business.

Conclusion

You would expect a professional web hosting company to know the risks and take the necessary measures to mitigate them.  Unfortunately, it doesn’t always work out that way so you must be proactive to ensure that your hosting environment is secure.  The impact of a security breach varies but in most cases, the results are never good.