Symantec Global Internet Security Threat Report
This metric will assess the top distinct Web-based attacks originating from compromised legitimate sites and intentionally malicious sites set up to target Web users. The increasing pervasiveness of Web browser applications, along with increasingly common, easily exploited Web browser application security vulnerabilities (as noted in the “Vulnerabilities Trends” section), has resulted in the widespread growth of Web-based threats. Attackers wanting to take advantage of client-side vulnerabilities no longer need to actively compromise specific networks to gain access to those computers. Instead, they can focus on attacking and compromising websites to mount additional, client-side attacks.
These attack types can be found globally and Symantec identifies each by an associated distinct detection signature. Most attack types target specific vulnerabilities or weaknesses in Web browsers or other client-side applications that process content originating from the Web.
The most common Web-based attack observed in 2009 was related to malicious PDF activity,46 which accounted for 49 percent of Web-based attacks (Table 7). This is a sizeable increase from 11 percent in 2008. Specifically, this attack consists of attempts by attackers to distribute malicious PDF content to victims through the Web. The attack is not directly related to any specific vulnerability, although the contents of the malicious PDF file would be designed to exploit arbitrary vulnerabilities in applications that are able to process PDFs. Successful attacks could ultimately result in the compromise of the integrity and security of the affected computers.
This attack is assumed to be popular due to the common use and distribution of PDF documents on the Web. In addition, browsers can be set up to automatically render a PDF document. Specific exploit activity related to malicious PDF files was observed in 2009, including an attack that preyed on public concerns about the H1N1 virus,47 an attack against the Adobe Reader Collab.getIcon vulnerability,48 and an attack that exploits a vulnerability in Foxit Reader.49
2009 rank  2008 rank  2009  2008  Attack
1          2          49%   11%   PDF Suspicious File Download
2          1          18%   30%   Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness
3          N/A        6%    N/A   Microsoft Internet Explorer 7 Uninitialized Memory Code Execution
4          6          4%    5%    Microsoft Internet Explorer MS Snapshot ActiveX File Download
5          4          3%    7%    Adobe SWF Remote Code Executable
6          14         3%    1%    Microsoft Internet Explorer Malformed XML Buffer Overflow
7          5          3%    6%    Microsoft Internet Explorer DHTML CreateControlRange Code Executable
8          20         3%    1%    Microsoft Internet Explorer WPAD Spoofing
9          N/A        2%    N/A   Microsoft MPEG2TuneRequestControl ActiveX Buffer Overflow
10         N/A                    Microsoft MPEG2TuneRequestControl ActiveX Instantiation
Table 7. Top Web-based attacks
Source: Symantec
46 http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23153
47 See http://www.symantec.com/connect/blogs/malicious-code-authors-jump-swine-flu-bandwagon and http://www.securityfocus.com/bid/33751/info
48 See http://www.symantec.com/connect/blogs/yet-another-pdf-vulnerability-exploited-collabgeticon and http://www.securityfocus.com/bid/34169
49 See http://www.symantec.com/connect/blogs/foxit-pdf-reader-being-exploited-wild-so-now-where-do-we-go#M192 and http://www.securityfocus.com/bid/34035