Australia no malware source but new security threats persist

Australia is the region’s fifth most-targeted country for malware attacks but tight local regulations have kept it off the leader boards in metrics such as the number of malware host servers, the latest security threat report from security firm Websense has found.

The Websense 2013 Threat Report, released this week and available for free online, found that despite growing user awareness of some kinds of security threats, malware authors were continuing to gain ground through a combination of brute-force attacks and subtle, below-the-radar activity through which their malicious code is able to evade technological security controls.

Noting that the number of malicious URLs was up 430% last year in the Asia-Pacific region compared with 2011, Bob Hansmann, senior product marketing manager with Websense, said organisations’ actual susceptibility to this risk profile varied widely and often related to user behaviour more than technological protections.

More than 7 out of 10 spam emails contain malicious URLs, Websense research has found. Source: Websense 2013 Threat Report

“Today’s attacks are multi-stage and start with email or phishing,” he told GTR. “The kinds of things Australia has done have prevented Australia from being a host for these kinds of attacks, but you’re still going to find yourselves targeted victims as [Australian] users are perhaps a little more open to clicking things” than users in other countries.

Concerted education campaigns can impact infection rates, as in the case of once-massive rogue antivirus malware, which tells users they’re infected with a virus and directs them to an infective URL to “fix” it.

“This had about an 18-month run,” Hansmann said, “and today there are still over 200,000 URLs that are active, fake antivirus or rogue antivirus. But the number of people that actually encounter and click on it is very, very low because users have become aware of it – and don’t fall for it anymore.”

Driving such change takes time, however, and the continuing significant threat profile around malware infections – particularly through the addition of new threats as Bring Your Own Device (BYOD) strategies kick in and mobile devices become more prevalent – is more than enough to keep even the most robust government security defences busy.

“Governments are struggling at pretty much the same level as commercial entities with mobile devices, WiFi access, and their use of the cloud,” he warned. “Users can be trained – but the trouble is that they can’t be trained to respond to a threat that won’t be around for two weeks. For things that are fast-moving, dynamic, and aggressive – that’s where you’ve got to have technology solutions.”

Websense analysis suggests that governments will face a growing threat risk from the threat of full-out cyberwarfare, particularly as new standards are adopted and hackers find ways to exploit their vulnerabilities.

HTML 5, for example, was providing an open and robust new platform for development that will help shift users away from risk-prone platforms like Adobe Flash and the Oracle-owned Java. But HTML 5 presents a new set of security challenges, and malware authors are continuing to poke and prod it and other platforms to dream up new ways of attacking their targets.

The use of ‘sandboxes’ to separate the malware’s activities from the rest of the server’s activities, for example, can hide malware vulnerabilities. Other code is designed to be innocuous so it can boldly march past perimeter defences that clear it as innocuous; after hibernating for some time, it can then spring into action and collect information from inside the departmental network.

“We’re expecting more along the lines of the mobile threat as more of these technologies, or batteries that will give devices longer battery life, make mobile more ubiquitous and therefore an easier target. If you’re a programmer you can pick these skills up, and start writing viruses.”

“IT needs to understand that since these threats are changing, if you’re using materials and defences that are based on plans from 4 years ago, you’re behind the times – and unprotected.”