The Power to Destroy: How Malware Works
CONTENTS
At a glance
Web attacks on the rise
Prevention is better than a cure
Staying hidden pays off
Website visitors are ripe for the picking
What malware can do
What’s bad for clients is worse for you
Take responsibility
References
At a glance
Nearly a quarter of IT managers simply don’t know how secure
their website is. [1] However, with the number of web-attacks
blocked per day rising from 190,370 to 247,350 between 2011 and
2012, it’s vital for businesses to understand the part their
website plays in the distribution of malware to clients,
customers and the wider online community. [2]
Malware takes many different forms. It can log keystrokes, lead
to data breaches, lock down hardware and use infected systems to
spread malware to other victims. As a website owner it’s your
responsibility to not only protect your business and customers,
but the safety of the Internet too. Consider the impact to your
business and brand if you were the source of infection.
[Figure: web-attacks blocked per day between 2011 and 2012: 190,370 in 2011, 247,350 in 2012]
WEB ATTACKS ON THE RISE
‘Driven by attack toolkits, in 2012 the number of web-based attacks increased
by one third and many of these attacks originated from the compromised
website of small businesses.’ This was the finding of Symantec’s latest Website
Security Threat Report (WSTR), which makes for sobering reading.
[Figure: % of UK businesses to suffer a data breach last year: 93% of large organisations, 87% of small businesses]
Malware works to compromise the data and functionality
of your website server, and to exploit and extract
information and money from your clients and customers,
all of which damages your reputation and costs your
business money. In the worst cases it can even put your
very livelihood on the line.
The cost is critical
In 2012 cybercrime cost businesses six percent more than
in 2011. The cost of security breaches alone has roughly
tripled in the last year and reaches into the billions. [3]
The average recovery time from a cyber attack in 2012 was 24
days, which equates to a cost of $591,780. [4]
And these are just the direct costs of labour, hardware
and software repair and compensation. Take into
account lost business and damaged reputation and the
figure climbs even higher. Malware’s damaging ripple
effect is huge and criminals see websites as a way to
infect your servers, steal your information, infect visitors
with their malware and often times create havoc.
A common and costly crime
Understanding how malware works, and why criminals
use it, can help considerably in the prevention and
detection of threats. The most obvious point of danger
when it comes to malware is your website server and the
data it holds. In other words: data breaches.
Taking the UK as an example last year, 93 percent of
large organisations and 87 percent of small businesses
suffered a data breach. [5] If a criminal can find a way to
get malicious code onto your server that can access files
or log information exchanges, they can get at customer
data, credit card information, passwords and more.
So far in 2013, 8.9 million identities have been exposed,
and 62 percent of those breaches included people’s real
names. [6] Exposing client or customer data means you
are at risk from compensation costs, lost business and a
severely damaged reputation.
Prevention is better than a cure
When it comes to data breaches there is a combination of things
you can do to minimise your risk. Firstly, keeping your staff
fully up to date on the risks of falling victim to social
engineering and phishing attacks is key. It’s been found that
companies with a poorly understood security policy are twice as
likely to have a staff-related breach as those with a very well
understood policy. [7]
It’s also important to regularly scan your website for
vulnerabilities and malware. Automatic scanning comes
as standard with many of Symantec’s SSL Certificates,
and not only helps you spot weaknesses before they are
exploited but also gives you an actionable threat report
so you know how to shore up your defences.
Scanning combats stealth
Although prevention is best when it comes to malware,
regular scanning is vitally important in order to spot
stealthy malware that has been designed to stay hidden.
While some malware causes lots of disruption, and
takes down servers, often criminals want to keep their
malware running on your website server undetected so
they can continue to harvest information and maximise
their opportunity.
In July 2012, for example, a Trojan was discovered that
was being used to steal information from the Japanese
government. It turned out to have been in operation for
two years totally undetected. [8]
This is also why SSL Certificates are so important.
A lot of information is sent back and forth between
visitors to your website and your server, sometimes
highly confidential information like credit card details,
addresses and other personal identification points. By
configuring SSL to be ‘always on’ you can ensure that
all communication is encrypted from the moment a
visitor arrives on your site, reducing the risk of malware
being able to eavesdrop and undermine your customers’
confidentiality. Using SSL like this can help to build trust
and keep confidential data safe. This is why sites such as
Twitter, Facebook, Google and LinkedIn do it.
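
A check for the ‘always on’ SSL setup described above, as an added example that is not part of the original paper or Symantec’s tooling. It goes slightly beyond the text by also checking the usual supporting controls (HSTS, the cookie Secure flag, mixed content); the site name shop.example and the captured responses are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: responses captured from a hypothetical shop.example site.
SAMPLE = [
    {"url": "http://shop.example/", "status": 301,
     "headers": [("Location", "https://shop.example/")], "body": ""},
    {"url": "http://shop.example/login", "status": 200,
     "headers": [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")],
     "body": "<form action='/login'>"},
    {"url": "https://shop.example/", "status": 200,
     "headers": [("Strict-Transport-Security", "max-age=31536000"),
                 ("Set-Cookie", "cart=1; Path=/; Secure; HttpOnly")],
     "body": "<img src='http://cdn.shop.example/logo.png'>"},
    {"url": "https://shop.example/checkout", "status": 200,
     "headers": [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")],
     "body": "<script src='https://shop.example/pay.js'></script>"},
]

# A src/action attribute that points at a plain-HTTP URL.
MIXED = re.compile(r"""(?:src|action)\s*=\s*["']http://""", re.I)


def audit_always_on_ssl(responses):
    """Return a sorted list of (url, finding) gaps in always-on SSL."""
    findings = []
    for r in responses:
        url = urlsplit(r["url"])
        hdrs = {}
        for name, value in r["headers"]:
            hdrs.setdefault(name.lower(), []).append(value)
        cookies = hdrs.get("set-cookie", [])
        if url.scheme == "http":
            # Plain HTTP may only answer with a redirect to HTTPS on the same host.
            target = urlsplit(hdrs.get("location", [""])[0])
            redirected = (r["status"] in (301, 302, 307, 308)
                          and target.scheme == "https"
                          and target.hostname == url.hostname)
            if not redirected:
                findings.append((r["url"], "served over plain HTTP"))
            if cookies:
                findings.append((r["url"], "cookie set over plain HTTP"))
            continue
        hsts = hdrs.get("strict-transport-security", [""])[0]
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) == 0:
            findings.append((r["url"], "missing HSTS header"))
        for c in cookies:
            attrs = [a.strip().lower() for a in c.split(";")[1:]]
            if "secure" not in attrs:
                findings.append((r["url"], "cookie without Secure flag"))
        if MIXED.search(r["body"]):
            findings.append((r["url"], "mixed content (http:// subresource)"))
    return sorted(findings)
```
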
STAYING HIDDEN PAYS OFF
Stealth also works in the criminals’ favour when the malware they have
installed doesn’t attack your server, but instead sits on your website and
attacks your customers and clients. In this case, you might not be the
target, but your business is still the victim.
[Figure: web attacks in 2012 by toolkit: Blackhole 41%, Sakura 22%, other 37%]
Web attacks are on the rise, and the latest ISTR
highlights that 61 percent of malicious web sites are
actually legitimate sites that have been hacked or
compromised and had malicious code inserted without
the owner’s knowledge.
You can find out more about the different weaknesses
inherent in your website that criminals can use to
deploy malware, such as unpatched servers and
cross-site scripting, in our whitepaper, ‘Reducing the Cost
and Complexity of Web Vulnerability Management’
http://www.symantec.com/content/en/uk/enterprise/white_papers/b-reducing-cost-complexity-of-web-vulnerability-mgmt_WP.pdf
Toolkits: the master key for website vulnerabilities
The most common way for criminals to exploit your
website vulnerabilities is with toolkits. These are software
bundles that criminals can buy off-the-shelf, like you
would legitimate programs, which already have the right
code to exploit certain vulnerabilities and deploy the type
of malware the buyer wants to use.
Cybercriminals create and trade malware much like
legitimate companies buy and sell software. There are
even popular hit products and up-and-coming new
arrivals. In fact, a single toolkit, called Blackhole, was
responsible for 41 percent of web attacks in 2012. The
Sakura toolkit, which wasn’t even in the top ten in 2011,
last year accounted for 22 percent of attacks. This is
clearly a slick, organised and profitable venture.
The risk that your site will be infected by malware
is significantly increased thanks to the existence of
these toolkits. They allow cybercriminals, who are not
necessarily skilled enough to develop complex code
themselves, to still attack your site and its visitors.
Website visitors are ripe for the picking
One of the likely reasons toolkits are so popular is because of how often they
are effective. Once on your site, malware searches for vulnerabilities in your
visitor’s browser and if it finds one it will download a ‘dropper’, or malicious
code that then searches their entire computer for vulnerabilities and takes
advantage of what it finds.
1. Profile: Attacker profiles victims and the kind of websites they go to.
2. Test: Attacker then tests these websites for vulnerabilities.
3. Compromise: When attackers find a website that can be compromised, they
inject JavaScript or HTML, redirecting the victim to a separate
site that hosts the exploit code for the chosen vulnerability.
4. Wait: The compromised website is now “waiting” to infect the
profiled victim with a zero-day exploit, just like a lion
waiting at a watering hole.
Reported vulnerabilities in browsers and plug-ins last
year fluctuated between 300 and 500 per month.
‘Criminals’ ability to quickly find and exploit new
vulnerabilities is not matched by software vendors’
ability to fix and release patches,’ states the WSTR.
Major software vendors regularly release urgent patches
for recently-discovered vulnerabilities.
Add to this many people’s lack of vigilance when it
comes to keeping their software up to date, and many
companies’ inability to upgrade without disruption to
business critical applications, and you can see why
criminals will take advantage of any path that leads to
such ripe pickings.
Watering hole attacks
As well as inserting malicious code into your website
that will download malware to visitors’ vulnerable
devices, criminals also inject malware onto your site in
order to redirect visitors to another site. That site will
contain malware, which will infect the victim with a zero-
day exploit.
As explained in our ‘Website Vulnerabilities Guide’, this
is an exploit that takes advantage of a vulnerability that
no one yet knows about, which is why the criminals keep
the code on their own malicious site, to keep it secret.
This technique is known as a watering hole attack, and is
becoming increasingly popular with cybercriminals.
What malware can do
There are many different sorts of malware that look to turn a profit for criminals, or sometimes simply cause
disruption and disturbance. The type of malware that criminals are most likely to try and distribute using your website,
however, are those that make them money.
If your site has been infected, the following types of malware can be downloaded to a client or customer’s device
simply by them arriving on your site. All they will see is your brand, followed by either a warning from their anti-virus
software, or worse, the effects of an infection.
Ransomware
What it does: Ransomware locks a user’s computer and displays a
single warning screen. Support cannot even remote into
the device to try and remove the malware. Often the screen
will impersonate a local law enforcement agency and the
software can sometimes even use the victim’s own camera
to include a photo of them in the warning.
How it earns criminals money: As the name indicates, criminals demand a ransom to
unlock the device. Usually they pretend it’s a fine for illegal
or illicit behaviour on the victim’s part, imposed by the
local law enforcement agency. Even when you pay, often
they don’t unlock your device. Last year it is thought three
percent of victims paid up.
Botnets
What it does: Botnets are networks of dispersed computers and servers
that criminals use to distribute spam emails or generate
bogus clicks on pay-per-click advertising. The right malware
will silently incorporate a victim’s device into one of these
botnets.
How it earns criminals money: Although the returns on this sort of malware are not
immediately high, it is hard to detect and difficult to
remove, meaning it offers a long-term steady stream of
income for criminals.
Keystroke logging
What it does: Keystroke logging does exactly what it says on the tin.
This malware is able to record every key that is pressed,
meaning it can look for 16-digit combinations that are
likely to be credit card details, 6-digit date-of-birth
sequences or unusual strings of characters that are likely
to be passwords.
How it earns criminals money: This type of malware is used to gather information for
identity theft, credit card fraud and account hacking.
Information is a highly valuable commodity on the
black market, and malware that can gather this type of
intelligence can reap big rewards, especially if it’s one of
your big clients that happens to fall victim and criminals
bypass their more sophisticated and strongly protected
systems.
Further malware distribution
What it does: If the victim of this
malware is connected to a network, everyone in that
network, and all the servers connected to it, are at risk
as the malware distributes to every device, placing data,
devices and operations at risk.
How it earns criminals money: The rewards all depend on how far the malware is
distributed and what additional malware is triggered on
different machines as per their vulnerabilities. This type of
malware can paralyse an organisation, cause major data
breaches and cost hundreds of thousands to rectify.
The Symantec ISTR also reported on the Shamoon attacks. In 2012, this malware, which targeted energy companies,
was able to wipe entire hard drives. This type of action is extremely sophisticated, and so far it has been limited to
high-value targets, but it indicates a trend: ‘if it is possible, someone will try it; if it is profitable, many people will
do it’.
WHAT’S BAD FOR CLIENTS IS WORSE FOR YOU
If your website is responsible for the
infection of a client’s computer, or
worse their entire network, it’s going
to cost you more than just their lost
business. In particular if you are a
small business you need to prove to
big clients that they are safe in their
online interactions with your website.
Targeted attacks have increased considerably against
small businesses in the last year and at least part of
that is thought to be down to criminals thinking they
can take advantage of small companies’ often weak
defences to leapfrog the stronger defences of the
bigger businesses they interact with.
As a result, big clients are demanding more stringent
security from their third party providers and partners.
The Norton Secured Seal is one way of proving up front
that you take your safety and theirs seriously. It is
displayed over 750 million times each day, and is the
most recognised trust mark on the Internet. [9]
The cost of customer trust
Putting individual customers at risk could cost you dearly
as well. The estimated loss of business cost for the
average security breach is £300-600 for small businesses
and £10,000-15,000 for large organisations. [10]
In addition, if a search engine crawls your site and finds
malicious code, you will be immediately blacklisted,
wiping out all your search engine rankings and credibility.
Warnings from a search engine or a customer’s own anti-
virus software about the safety of your site can destroy
your reputation in seconds. Not only is that thought to
cost £1,500-8000 for small businesses and £25,000-115,000
to large organisations, but once trust is lost it is
also incredibly hard to regain. [11]
When a customer searches for your business you want
to start building trust from the very first click, not losing
it. The Norton Secured Seal, which is included with all
Symantec SSL Certificates, is displayed in search engine
results next to your site and proves that you monitor and
protect your website, you are who you say you are and you
take online security seriously. Symantec Seal-in-Search is
certainly a way that you can build trust from the very first
moment someone searches online.
[Figure: estimated loss of business cost for average security breach: £300 - £600 for small business, £10,000 - £15,000 for large organisation]
Take responsibility
Despite the scale of the threat from cybercriminals, over half
of business owners have never carried out a website
vulnerability assessment. [12] You need to know your weak points
before you can even begin to implement technology and processes
to protect against them.
A Symantec vulnerability assessment provides you with
an actionable threat report to help you prevent the
malicious spread of malware through your website.
Ultimately when you fail to properly secure your website
you are putting your business, your customers and
clients at risk. With the increase in drive-by web attacks,
any number of people could fall victim to the malware
lurking on your site. It’s in the interests of everyone in
the wider online community for you to stay secure.
Partner with professionals
As you’ve read, cybercriminals see malware as part of a
serious, multi-million dollar industry. They invest time
and money in exploiting vulnerabilities and maximising
the impact of their malicious software.
You, on the other hand, need to focus on the growth
and success of your own business, therefore you need
a security partner that is as committed to keeping
websites secure as the criminals are to exploiting them.
Symantec has a full range of Website Security Solutions
to help you search for vulnerabilities, encrypt data, spot
malware and inspire confidence on your website. We are
the leading source of trust online and we protect all the
companies in the Fortune 500. We can help to protect
you too.
References
1. Symantec’s Vulnerability Assessment – Feeling Vulnerable? You Should Be, https://www.symantec-wss.com/campaigns/14601/uk/assets/VA-WhitePaper-UK.pdf
2. Symantec’s Website Security Threat Report 2013, https://www.symantec.com/content/en/us/enterprise/images/mktg/SOP/EMEA/14385_symantec_wstr_whitepaper_uk.pdf
All subsequent Internet security statistics are sourced from the ISTR unless otherwise footnoted.
3. Department for Business Skills and Innovation, 2013 Information Security Breaches Survey, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf
4. http://www.symantec.com/connect/blogs/cost-cybercrime-2012
5. 2013 Information Security Breaches Survey.
6. Symantec Intelligence Report: July 2013, http://www.symantec.com/security_response/publications/monthlythreatreport.jsp
7. 2013 Information Security Breaches Survey.
8. http://www.theregister.co.uk/2012/07/25/japan_finance_ministry_trojan_attack/
9. International Online Consumer Research: US, Germany, UK, July 2012
10. 2013 Information Security Breaches Survey.
11. 2013 Information Security Breaches Survey.
12. Symantec’s Vulnerability Assessment – Feeling Vulnerable? You Should Be, https://www.symantec-wss.com/campaigns/14601/uk/assets/VA-WhitePaper-UK.pdf
Symantec Website Security Solutions
Website Security Threat Report 2013
ABOUT SYMANTEC
Symantec Website Security Solutions include industry leading SSL, certificate
management, vulnerability assessment and malware scanning. The Norton™
Secured Seal and Symantec Seal-in-Search assure your customers that they
are safe from search, to browse, to buy.
More information is available from
www.symnatec.com/en/aa/ssl-certificates
Email us on:
ssl_sales_au@symantec.com
ssl_sales_asia@symantec.com