| Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help. |
Just received a report on the security of the internet. An interesting read. How secure are the webs you create?
Trusted Web sites: Exploit tool of choice

Websense Security Labs provides twice-yearly reports assessing Web-based malware. Their latest report is not encouraging. Here’s why:

• 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth during the last year.
• 77 percent of Web sites with malicious code are legitimate sites that have been compromised.
• 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
• 57 percent of data-stealing attacks are conducted over the Web.
• 85 percent of all unwanted emails in circulation contained links to spam sites and/or malicious Web sites.

Data acquisition

Websense uses their ThreatSeeker Network to collect data about compromised Web sites. The network consists of 50 million real-time data-collection points, each capable of monitoring Web and e-mail content for malicious code. The system is powerful enough to scan 40 million Web sites and 10 million e-mail messages per hour.

Threat Webscape

In order to understand what Web sites would be most appealing to cybercriminals, Websense created Threat Webscape. It is their way of classifying Web sites with regards to malware threats. They group Web sites into one of three classifications:

• The 100 most-visited Web sites, usually “Social Networking” or “Search” sites.
• The next million most-visited sites, primarily current event and news sites.
• The remaining Web sites, typically business sites, blogs, and personal Web sites.

The focus needs to be on the 100 most-visited Web sites. They get the traffic, which catches the attention of the bad guys. Also of interest is what these popular Web sites have in common:

• More than 47 percent of the top 100 sites support user-generated content.
• 61 percent of the top 100 sites either host malicious content or contain a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.

Prominent examples

Websense could not have timed the release of their report better. There have been several examples of high-profile Web sites being compromised this past week. Here is a quote from the New York Times:

“Over the weekend, some visitors to the Web site of The New York Times received a nasty surprise. An unknown person or group sneaked a rogue advertisement onto the site’s pages.”

As I am writing, Ryan Naraine of ZDNet reported that PBS.org is also similarly compromised:

“Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits.”

Both being trusted Web sites raises little suspicion. This makes the two Web sites very effective malware delivery tools.

Web 2.0 the cure and curse

From the above information, we can see that Web sites using Web 2.0 applications comprise almost 50 percent of the top 100 sites. The reason they are popular is the ability for anyone to create content that can be viewed by the public. Web sites like Facebook and Twitter are prime examples and we know how successful they are.

Web 2.0 capabilities also increase the chance for abuse. The dynamic nature of Web 2.0 sites creates opportunities for cybercriminals to carry out a variety of attacks. For example, security researcher Ronen Zilberman found a serious vulnerability on the Facebook Web site. If exploited, the vulnerability would allow hackers to steal personal information, pictures, and friend lists from unsuspecting members. Zilberman explains on his blog site that attackers use Cross-Site Request Forgery (CSRF) to trick the visitor’s computer into performing actions without the member’s knowledge.

On the rise

People accidentally going to malicious Web sites or being directed to one via e-mail messages are still useful exploit tools. But compromising for-real Web sites is a win-win situation for cybercriminals. They don’t have to worry about suspicious-looking URLs or displayed pages.

Experts are concerned about the number of compromised legitimate Web sites. Nine-ball has infiltrated over 40,000 sites as of June 2009. Gumblar, another exploit, has compromised 70,000 Web sites. The following slide (courtesy of Websense) shows how prolific Nine-ball is:

Final thoughts

It stands to reason. Compromising the real thing will always give better results. As users, our only option is to keep computer operating system and application software up-to-date; doing so will prevent malware delivered by compromised Web sites from gaining a foothold.
Quote:
Even if one uses a strong AV like Kaspersky then it is difficult to suspect a trusted website.
How can someone expect his site to be considered trusted if he allowed that kind of compromising?
People just won't listen. If everybody would spend at least 10 minutes per day on securing websites, that % would be not 73 but like 20% or less.
I read a piece the other day regarding this issue on Facebook. Apparently, the games they play over there, like Mafia Wars, are the sort of portal being used. Nearly all of the games, collectibles, birthday shares, gifting, etc., require access to your contacts and profile information. It is very simple for someone to post something like, "John has voted NO on the XYZ poll. Cast your vote!" and take you to an off-site spoof page, while your profile information is being harvested. That is why I refuse to participate in any more of them.
This is presumably why Facebook recently "upgraded" their system (to the point it is almost totally dysfunctional!).
__________________
If I ever stop learning, let the wolves have my carcass.
http://doccampbell.wordpress.com/
http://cleanstreamwaterconditioning.com
http://carforums-online.com
WebProWorld is an iEntry, Inc. ® site - © 2009 All Rights Reserved Privacy Policy and Legal iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509 |