Lazy web devs blamed for malware frenzy

The number of links to malicious web pages rocketed by over 500 percent in the first half of this year, as hackers looked to snare unsuspecting users wherever they go on the internet, according to new IBM research.

The firm's X-Force 2009 Mid-Year Trend and Risk Report found that malware writers were using increasingly sophisticated ways to infect users, including compromising legitimate sites and posting malicious links on blogs and social networking pages.

On the web application side, hackers were favouring SQL injection and cross site scripting attacks to infect visitors to legitimate sites which have been hacked with data-stealing Trojans.

SQL attacks rose 50 percent from fourth quarter of 2008 to the first quarter of 2009, and then nearly doubled from the first to the second quarter this year.

Just yesterday, it was reported that a single SQL attack had compromised more than 50,000 sites.

Craig Lawson, senior security consultant at IBM Internet Security Systems in Sydney said that it was application developers, not operating system or web server vendors, that were to blame for allowing their code to so easily be compromised.

"Web application developers are not doing the necessary pre-release code checks," he said. "The C coders of this world working on operating systems, they get it. If Microsoft can turn around a patch within 30 days, that is a spectacular result - they are literally trying to turn around a battleship.

"But there are web developers using fancy Flash development tools that spew out HTML code at the other end and off they go.

Lawson said many web application vendors were 12 months late on patches.

"The web application is the easiest to fix," he said. "All you have to do is update and refresh the code. If anything web developers have less excuses for vulnerabilities than anybody else."

According to the IBM report, the growth in new vulnerabilities appears to have slowed somewhat.

The actual volume of newly found vulnerabilities dropped eight per cent compared to the first half of 2008, but nearly half are still going unpatched by vendors, according to James Rendell, senior technology specialist at IBM X-Force.

"Web application framework vendors feature strongly among those with unpatched vulnerabilities," he added. "In terms of overall disclosures Apple is first, but this is not in any way reflective of the quality of the software, just that the firm is being diligent in releasing patches and disclosing vulnerabilities."