This brings us to the current state of malware. Google recently released a paper entitled "The Ghost in the Browser: Analysis of Web-based Malware." Researched for more than 12 months through May 2007 by a crack team of malware analysts, including Niels Provos of Honeyd fame, this is one of the best malware reporting papers I’ve ever read. It’s a quick read and should be studied by anyone who has to protect computers.
In a nutshell, Google used all the Web page data collected by the Google search engine in indexing Web sites to look for malicious code. They searched more than 7 billion URLs and found 450,000 of them infected with malware designed to infect visitors' browsers (about 0.06 percent). When a suspicious Web page was found, it was then loaded using a virtual machined honey client (such as a honeypot mimicking an end-user’s browsing actions). They then recorded the changes the suspicious Web site made to the visiting honey client. If the Web site installed software without the explicit permission of the mimicked end-user, the site was marked as malicious. Some Web sites installed up to 50 malicious programs from a single visit.
For the past seven years, the most frequent way that people got infected with malware was by clicking malicious file attachments or rogue embedded Web links. Although I thought that some people would never stop opening every strange e-mail and clicking on every file attachment, apparently our anti-spam, anti-virus, and anti-malware filters are doing a better job, because frustrated hackers have moved on to infecting (mostly) innocent Web sites.
When users visit an infected Web site, if they have a vulnerable browser (not just Internet Explorer) or other application (Flash, Java, and so on), the user gets infected with a criminally minded bot. Web sites were compromised one of five ways (the Google paper uses four main categories):
-- Poor Web site security
-- Vulnerable applications (PHP, CGI, ASP, SQL, and so on)
-- User-contributed content (for example, cross-site scripting)
-- Malicious advertising inclusion
-- Malicious third-party software component (widget) inclusion
I don’t have the space to cover the specifics in this column, but the last two types really grabbed my interest. Many Web sites are paid to include roving advertising banners and pop-ups. While these services are often maintained by legitimate, respected Web advertisers, the actual ad content is often subcontracted to a subcontractor of a subcontractor. The top-level owner has no idea that their legitimate advertising banner service has been co-opted by malware criminals. They should know — it’s unexcusable — but they don’t.
The last item, widgets, is just as interesting. Many Web sites borrow free widgets (traffic counters, for example), and for months or years, the widget functions as intended. The widget code is often hosted on another external server. But at a later date, the “free” widget code may be maliciously manipulated to inject malware links. It appears that in many cases, the bad guys are giving away free widgets and encouraging widespread adoption so that they can use them as infection vectors later on.