Superguide: the death of 'trusted' Web sites?

The explosion in drive-by download attacks continues to grow. How has the situation got so dangerous? Are there any "trusted" Web sites left?

In May 2007, Google joined the security community in warning users about the threat from drive-by download attacks, which is where users' computers are infected with malware when they visit an affected Web site.

By February 2008, the number of drive-by download attacks had increased by 300 percent and showed no signs of abating. Google's researchers investigated billions of URLs and found more than three million unique URLs on over 180,000 Web sites were attempting to automatically install malware.

The drive-by download phenomenon has destroyed the concept of a "trusted" Web site. In the first half of 2007, Sophos claimed to have discovered around 30,000 malicious Web sites appearing every day. Only 20 percent of these were actually run by the criminals deploying the malware -- the rest were genuine, and previously "trusted" sites that had been hacked by criminals to deliver their malware.

"It's no surprise to see legitimate Web pages targeted for these attacks," said Carole Theriault, senior security consultant at Sophos. "Businesses generally aren't too strict about stopping their employees accessing these Web sites, while the sites themselves will already have their own daily flow of user traffic, saving hackers the trouble of trying to entice unenlightened Web surfers."

The appearance of toolkits, which makes it a simple process turning any Web site into a malicious one, has exacerbated the problem.

The best-known toolkit, Mpack, uses cross-site scripting to place malicious iframes on legitimate Web sites. Iframes are used by Web designers to open additional windows (often hosted on other sites) within a main Web page; iframes can also be used by criminal hackers to redirect browsers to malicious-code sites.

The criminals perpetrating these attacks rely on users stumbling on a site that contains their malware with unpatched browsers, operating systems and applications.

Unfortunately, the sheer volume of software on the average PC makes it near impossible for the majority of users to remain completely safe from such attacks.

Sites that have recently been discovered dishing out malware to unsuspecting surfers include The Sydney Opera House, The Bank of India, Facebook, MySpace and at least ten of the AFL team Web sites.

ZDNet.com.au has compiled this guide to help you understand, and better deal with, the threat from drive-by downloads.

Web sites and applications that have been attacked

  • Bank of India is hacked and dangerous

    Security experts are warning Bank of India customers to steer clear of its official Web site because it is serving up several information-stealing Trojans.

  • AFL teams a danger on the Web: Google

    Google has flagged the Web sites of 10 Australian Football League (AFL) clubs as potentially dangerous, preventing visitors from accessing the teams' sites via the search engine.

  • Sun denies Java patch release put billions at risk

    Sun has denied its staggered patching schedule for a recent Java flaw put billions of devices at risk.

  • Patch or get PWNED in a flash

    Recently fixed vulnerabilities in Sun's Java Runtime Environment and Adobe's Flash player mean that unpatched systems are vulnerable and could be infected with spyware or recruited into a botnet by simply visiting a Web page with exploit code -- and Google last month warned that 10 percent of Web sites contain this kind of malicious code.

  • Don't fear Sydney Opera House trojan

    The Web site of the Sydney landmark has been found to harbour malware but it has been described as an "irritant" rather than a "major security risk".

  • Cursor flaw gives Vista security a black eye

    Microsoft's release of a "critical" patch on Tuesday poked holes in Vista's security promises, but security experts advise against discounting the new operating system.

  • Skype fixes critical security flaw

    Skype has fixed a critical security hole in the latest version of its Windows VoIP software, which could have allowed specially crafted Web sites to load and run malicious code on victims' PCs.

  • Security product had 60 flaws after being patched

    Vulnerability-testing company Secunia has slammed one security vendor for having "inherent code problems" in its backup and antivirus software.

Related News

  • iFrame attacks: Blame your Web admin guy

    With one new Web site compromised every 14 seconds, including some of the biggest names, it's almost impossible to tell what's a "trustworthy" Web site. But who's at fault for exposing Internet users?

  • "Trusted" Web sites can no longer be trusted

    Restricting your Web surfing to "trusted" sites is no longer enough to keep your machine safe from malware, according to security experts.

  • Web attackers get better at hiding

    Cybercrooks who rig Web sites to break into PCs are getting better at hiding their malicious code, a security expert said this week.

  • Single-line attack infects thousands of Web sites

    Thousands of Web sites have fallen victim to an attack using just one line of code that maliciously re-directs browsers via Javascript to servers that are hosting a variety of drive-by exploits. Multiple browsers and operating systems are affected by this code if not correctly patched.

  • Hundreds of sites hit with dynamic malware

    In January of 2008, ScanSafe reported that it had discovered more than 200 UK-based Web sites that were using malicious javascript to place trojans and rootkits onto victims' machines.

  • Malware Web sites: now 30,000 a day

    Security experts demand more vigilance by Web-hosts to curb the explosion in malware-infected Web sites, which are appearing at a rate of 30,000 per day, according to Sophos.

  • Web-borne security attacks explode

    Internet-borne security threats have taken over the mantle as a greater risk to companies' security than e-mail attacks, according to security vendor Sophos.

  • Cyberattacks outstripping defences

    Cyberattacks today have become so complex that there may be no real way to completely protect against them, internet security researchers have warned.

Go to next page for related feature articles and Whitepapers.

1 2 Next >
Advertisement

Print feature brought to you by Adobe

Talkback 4 comments

    nice Anonymous -- 11/03/08

    nice compliation of links. this is a big issue and i really have no idea how we are going to protect against it.

    good work zd

    Webmaster security Steve Roper -- 11/03/08

    As the IT manager for a web dev company, understanding this issue is part of my job. With all the vulnerabilities in modern OSes, it's impossible to guarantee against attacks, but every webmaster has the responsibility to do everything possible to mitigate the threat. Besides ensuring that our server software is ALWAYS patched and fully up to date, I've implemented the following additional policies to minimise the danger of any of our clients' websites being compromised, for the benefit of any other devs out there who might find this info useful:

    1. We never display any content on our sites that we do not control - no Google ads, no external site components. Everything on our sites (including any ads) is hosted only on our servers.

    2. All site code is designed in-house: HTML, Perl, PHP, Javascript, Java apps, everything. We don't use third-party code in our site scripts and pages, just our own codebase. We don't use Flash at all. Server-side apps where required use Java.

    3. All site files (HTML, CSS, JS, Java, P* scripts and config files like .htaccess) are refreshed daily from backups stored on a system not connected to the Internet. We "sneakernet" the files over on an external HDD, and transfer the files to our servers with Secure FTP.

    4. All our site admin passwords are changed daily, using a random password generator of our own devising. Staff can obtain passwords if required from the same non-connected machine that houses our backups. All password requests are logged.

    While these measures might not be hackerproof (nothing ever is), they ensure that anyone trying to compromise our clients' websites would have to be VERY determined and be familiar with our operations and procedures. We do everything we can to reduce the risk, but in the end, that's all you can do.

    Hacked websites Anonymous -- 14/03/08

    the word 'exasperated' should be 'exacerbated'.

    Good Timing! Anonymous -- 17/03/08

    you publish this the week that 165,000 sites are attacked in this way...

    a coincidence?

Add your opinion

Back to top

Featured