In a nutshell, Google used all the Web page data collected by the Google search engine in indexing Web sites to look for malicious code. They searched more than 7 billion URLs and found 450,000 of them infected with malware designed to infect visitors' browsers (about 0.06 percent). When a suspicious Web page was found, it was then loaded using a virtual machined honey client (such as a honeypot mimicking an end-user’s browsing actions). They then recorded the changes the suspicious Web site made to the visiting honey client. If the Web site installed software without the explicit permission of the mimicked end-user, the site was marked as malicious. Some Web sites installed up to 50 malicious programs from a single visit.

For the past seven years, the most frequent way that people got infected with malware was by clicking malicious file attachments or rogue embedded Web links. Although I thought that some people would never stop opening every strange e-mail and clicking on every file attachment, apparently our anti-spam, anti-virus, and anti-malware filters are doing a better job, because frustrated hackers have moved on to infecting (mostly) innocent Web sites.

When users visit an infected Web site, if they have a vulnerable browser (not just Internet Explorer) or other application (Flash, Java, and so on), the user gets infected with a criminally minded bot. Web sites were compromised one of five ways (the Google paper uses four main categories):
-- Poor Web site security
-- Vulnerable applications (PHP, CGI, ASP, SQL, and so on)
-- User-contributed content (for example, cross-site scripting)
-- Malicious advertising inclusion
-- Malicious third-party software component (widget) inclusion

I don’t have the space to cover the specifics in this column, but the last two types really grabbed my interest. Many Web sites are paid to include roving advertising banners and pop-ups. While these services are often maintained by legitimate, respected Web advertisers, the actual ad content is often subcontracted to a subcontractor of a subcontractor. The top-level owner has no idea that their legitimate advertising banner service has been co-opted by malware criminals. They should know — it’s unexcusable — but they don’t.

The last item, widgets, is just as interesting. Many Web sites borrow free widgets (traffic counters, for example), and for months or years, the widget functions as intended. The widget code is often hosted on another external server. But at a later date, the “free” widget code may be maliciously manipulated to inject malware links. It appears that in many cases, the bad guys are giving away free widgets and encouraging widespread adoption so that they can use them as infection vectors later on.

The Google paper contains many other salient points, such as the widespread use of banking Trojans (which I’ve written about several times), and how many major, trusted Web sites are infected, but I want to highlight one last topic. It’s becoming more common for the Web page exploits to test the client for the presence of unpatched software, be it Windows, Internet Explorer, Firefox, RealPlayer, Shockwave Flash, Java, or QuickTime. The exploits actually scan the computers looking for a specific vulnerability, and then infect it.

The lessons to learn from this are fourfold:
-- Malware is trending away from malicious e-mails to innocently infected Web sites
-- You must make sure that all client OS and applications are patched (and not just the OS)
-- Consider investing more in technologies that can mitigate these types of rogue threats
-- Educate end-users about the evolving malware threat to keep them alert

Good luck, and keep your eyes open.