Java Exploits Up, Adobe Attacks Down: Cisco Report

Java exploits appear to be increasing as attacks targeting Adobe Reader and Acrobat decline, according to a Cisco 3Q10 Global Threat Report, released Wednesday.

Java exploits rose from 5 percent of all malware encounters in July to 7 percent in September. Conversely Adobe Reader and Acrobat experienced a decline in exploitats throughout the quarter, falling from 3 percent of all malware encounters in July to 1 percent in September.

Security experts said the increase in Java exploits represents a continuation of a trend occurring through the year.

Mary Landesman, market intelligence manager at Cisco, said that the decline in Adobe exploits likely has little to do with the platform being more secure. Rather, hackers have migrated away from Adobe platforms in an effort to find alternative distribution methods for attacks, such as vulnerable Java applications. Hackers gravitated toward Java, in part, due to higher availability of public exploit code, among other reasons, she said.

"It really has much more to do with the preferences being made by the attacker," she said. "When the Java exploits were made public, (hackers) saw such a big uptick in infection rates that they decided to focus more on Java and a bit less on Adobe."

Landesman said that malware authors also gravitated toward Java exploits because they are often first to be delivered when a user visits a compromised site.

"Whatever gets delivered first is the one that attackers will be able to use to reach the highest number of victims," Landesman said. "They're getting the low hanging fruit."

Other reasons for the uptick could be attributed to the fact that Java updates are still not, by and large, on the public radar, coupled with an inconsistent update delivery model that sometimes left older versions of the application on the system along with the newly installed patches.

"Users are not aware that they have Java. They're not aware that it needs to be updated, or that it's supposed to be updated," she said, adding that Java would likely change its update model to a more regularly scheduled patch cycle down the road.

"We'll hopefully see the same sorts of changes with Java patch delivery that we've seen with other targeted applications, where the vendor has revamped that process," she said.

Next: Channel Partners Say They've Seen Rise In Java Exploits

Meanwhile, channel partners corroborated that they've seen a distinct uptick in the number of Java exploits in their customers' IT environments.

"It is up. Malware is definitely up right now based on the new Java engines," said Roy Miehe, president of Campbell, Calif.-based AAAntivirus. Miehe said that he's seen attacks that redirect the visitor to an exploit server, which scans the victim's machine for vulnerable versions of the browser, Java, Flash and PDF reader. Once scanned, the exploit server launches a tailored attack targeting the most prominent vulnerabilities on the user's system.

Miehe added that the upsurge in Java-related attacks can be attributed to ease of Java-related redirects that lead to drive-by download attacks, which infect users without any intervention.

"If you replace that Java, you can do a redirect," he said.

Additionally, the Cisco report found that:

-- Targets for the Stuxnet worm were evenly distributed geographically, with the largest number of targets in the U.K, followed by Hong Kong;

-- The Rustock Botnet, one of the largest spam botnets, affiliated with pharmaceutical and counterfeit watch merchandise, reached a peak in late August that accounted for 21 percent of spam activity;

-- The volume of spoofed LinkedIn e-mail delivering the Zeus Trojan reached a peak at 31.26 percent of all spam in mid-September;

-- The Pharmaceutical and Chemical verticals had the greatest risk for Web malware encounters in the third quarter of 2010. Other high risk verticals included Energy & Oil, and Agriculture & Mining.