Malicious Web: Not just porn sites

The New Zealand Honeynet Project, which produced Capture-HPC (mentioned here last week), also produced an excellent white paper about using Capture-HPC to identify malicious Web servers. On the group's Web site, you'll find that paper, the captured data, and the tools for anyone to inspect and replicate.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

The New Zealand Honeynet Project inspected more than 300,000 URLs (nearly 149,000 hosts) for three weeks and found 306 malicious URLs served from 194 malicious servers. Here are the most interesting points, to me:

1. The highest percentage of malicious Web servers were tied directly to adult content. No surprise here. But all types of content (e.g. news or sponsored links) were nearly as bad.  It's not like you can just avoid adult sites and be safe.

2. Many of the malicious Web sites turn non-malicious, and vice versa, all the time. I've talked about this in previous columns, but essentially many malware writers are taking great pains to make sure an infected Web site serves up malicious content to any given IP address only once. That strategy defeats additional inspection by anti-malware researchers and honeyclients.

3. Only 12 percent of malicious URLs appeared on a blacklist. Nevertheless, counterintuitive as it may seem, blacklists were highly effective at blocking a large percentage of attacks. This is because the blacklists often blocked the main back-end computers serving up most of the malware. In today’s Web-intertwined world, most of the infected Web sites actually point to a smaller number of “super server” hosts. Block them, and the original infected site is defanged.

4. Fully patched computers blocked 100 percent of the malicious attempts (for the study, the project used Internet Explorer 6 SP2 instead of the better-defended Internet Explorer 7).

5. The study includes analysis of several real Web sites and exploits.

6. Many of the exploits attempted to steal log-on names and passwords.

7. Most attacks used JavaScript to initiate the exploitation.

The paper ends with several defense recommendations, including:

* Keep fully patched, both OS and applications.
* Blacklists are effective.
* Don’t run as root or admin in browser sessions.
* Host-based firewalls offer additional protection.

I encourage any computer security defender to download and read this honeyclient paper.