Since the world wide web and HTTP have become so widely adopted for new complex services, security holes and cloaking methods have arisen. In turn, this realm has become a playground for malware authors, driven by the vast amount of client traffic integrating with the aforementioned services. To successfuly attack clients, servers have increasingly been in focus as a primary attack point. We have witnessed this not only with classic SQL injection, PHP code injection, SEO campaigns, etc - but also with malware recently, turning servers into spawning grounds for all successive client side attacks. For instance, Gumblar was known to siphon FTP account credentials to gain access to servers. The most recent variation of Virut (W32/Virut.CE) targets server side pages - HTM, ASP, and PHP. These pages are injected with further malicious links, leading to a chain of infections. We detect this injected server code as HTML/Virut.CE, and have noticed success on Virut's part with this methodology.
While Virut.CE has only been in the wild for less than six months, its predecessor who I have written about before - Virut.A, has had much success over the past two years and remains very prevalent to date. Virut.CE seems to be following a similar path, with increasing detection not only on client side infections - but server side as well. Indeed, detections for HTML/Virut.CE, the infected server page component of Virut.CE, rose significantly in April 2009 as infections of W32/Virut.CE begin to pick up. Given Virut.A's track record, servers may be under attack for quite some time with this threat. While this is only an example of one such attack, it should serve as a reminder that a valid security framework is required for both servers and clients to tackle next generation threats. Such a framework will effectively attack the spawning grounds of modern threats and will surely go a long way in terms of mitigation.