Last Updated: 2008-09-01 16:16:33 UTC
by John Bambenek (Version: 1)
I was perusing some of the data put out by the Shadowserver Foundation that tracks botnets. One piece of information grabbed my eye, namely that over the last 3 months, the number of infected machines quadrupled. During the same time period, there isn't an appreciable increase in new malware, new viruses or anything that would obviously indicate why this is so. I imagine that the bad guys have gotten better about keeping machines owned, but there is one vector that we need to get much better about tracking and managing, and that's direct web-based malware. The timing, very roughly, coincides with when we started to see increased SQL injection attacks against webservers (mind you, this is an educated guess that SQL injections are a big part of this, not a statement of fact). We are very good at tracking email-based malware (including the lead-the-user-to-the-bad-website variety) and certainly network-based attacks. Short of spidering the web on a consistent basis, it gets difficult to find infected sites for that malware. We at the ISC, and I'm sure many others, are working on ways to honeypot pure web-based attacks to capture this malware, but much work is left to be done.
It's one of the disadvantages of operating in a reactive fashion: we are behind the power curve for some time until we figure out a way to approach something close to parity.
bambenek /at/ gmail \dot\ com