When you surf the Web, do you feel lucky? New research by Google suggests you shouldn't. In fact, "vulnerable" might be the appropriate feeling.
How ironic that Google allows you to initiate a Web search by clicking on a button labeled "I'm Feeling Lucky." The button is supposed to take you to the first Web site that turns up in your search. Instead, it just might take you to malware hell.
In a preliminary report issued by Google in early February (see All Your iFrames Point to Us in the Google blog), researchers reveal the depth of the worldwide malware problem and conclude “the scope of the problem is significant.” This isn’t news if you’ve ever had to clean up the mess left behind after a malware infection. But if you’re feeling fairly confident that you do enough to protect yourself and the other users on your network, this report should open your eyes to the real world, and it’s not pretty.
Over a 10-month period spanning most of 2007, Google researchers conducted an in-depth analysis of over 66 million URLs. The study focused on the prevalence of “drive-by downloads” – that is, exploits that use browser vulnerabilities and other techniques to automatically download and run malware when you visit a Web site.
Drive-by downloads represent a shift in the methods used by hackers to invade your systems. Not long ago, wide-scale attacks that took aim at overwhelming computing resources were the preferred game plan. Such attacks use a “push” model. As network tools got better at defending against denial-of-service attacks, the bad guys adopted a “pull” model that has users inadvertently downloading unwanted payloads.
Two “pull” techniques are in wide use today. In one, hackers use social engineering to entice trusting users to perform some action that downloads software carrying a payload. For example, a user might click on a link to an e-card that turns out to be bogus. Fortunately, end users can be taught to be cautious of such con games.
The second, more ominous method is to automatically deliver the payload when the user lands on a compromised Web page. Worst of all is that landing on a malicious site is often completely out of the hands of the Web surfer, as he may actually be taken there without his knowledge.
This is all attributed to a broad and sophisticated malware distribution network. The report describes it as a tree. The outer branches (Web pages, or “landing sites”) draw unsuspecting Web users into a trunk system (Web servers, or “distribution sites”) that serves as the root distribution point of the malware. Hackers concentrate on finding ways to expand the number of compromised landing sites that then hop users to the distribution sites where the payload gets delivered.
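A defender can recover this tree from crawl data by grouping landing sites under the distribution site they lead to. The Python below is an added example, not code from the Google report or this article; it assumes redirect chains recorded for pages a scanner has already flagged, and the `.example` hosts, the `CRAWL_CHAINS` sample and the function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: each chain is the sequence of URLs a browser was taken
# through, starting at the page the user asked for. Hosts are placeholders.
CRAWL_CHAINS = [
    ["http://blog.example/post/1", "http://hop1.example/r", "http://dist-a.example/p"],
    ["http://shop.example/", "http://dist-a.example/p"],
    ["http://news.example/story", "http://hop2.example/x", "http://dist-a.example/q"],
    ["http://forum.example/t/9", "http://dist-b.example/z"],
    ["http://clean.example/"],                                # no hop at all
    ["http://blog.example/post/2", "http://blog.example/post/2?page=2"],  # same host
]


def host(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def build_tree(chains):
    """Map each distribution host (end of a chain) to its landing hosts."""
    tree = defaultdict(set)
    for chain in chains:
        hosts = [h for h in (host(u) for u in chain) if h]
        if len(hosts) < 2:
            continue                      # the visitor was never moved anywhere
        landing, terminal = hosts[0], hosts[-1]
        if landing == terminal:
            continue                      # chain stayed on the landing site
        tree[terminal].add(landing)
    return tree


def rank_distribution_hosts(chains, min_landing=2):
    """Distribution hosts fed by at least min_landing distinct landing hosts,
    widest fan-in first. These are the 'trunk' of the tree."""
    tree = build_tree(chains)
    ranked = [(dist, sorted(land)) for dist, land in tree.items()
              if len(land) >= min_landing]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for dist, landing in rank_distribution_hosts(CRAWL_CHAINS):
        print(f"{dist}: {len(landing)} landing sites -> {', '.join(landing)}")
```

A host with many unrelated landing sites pointing at it is the one to block or report first; the intermediate hop hosts change more often than the trunk does.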
According to the report, attackers use a number of techniques to control the content of benign Web sites and turn them into nodes in the malware distribution networks. One of the techniques is to compromise a Web server, usually one that is not updated with the latest security patches. For example, the Google researchers found that 38.1% of the Apache servers and 39.9% of servers with PHP scripting support reported a version with security vulnerabilities. (The software versions of Microsoft Web servers could not be determined for the purposes of this study. There’s little doubt that they, too, have a high occurrence of unpatched vulnerabilities.)
Exposure to Web malware is not strongly tied to a particular browsing habit. Many people commonly believe that browsing “gray” content such as adult Web pages (e.g., gambling or pornography) increases the likelihood of being targeted by drive-by downloads, and that staying on “safe” sites such as business or social pages reduces their vulnerability. Though this sounds logical, the Google researchers blew this myth out of the water through analysis of millions of URLs.
The researchers randomly selected 7.2 million URLs and categorized them by content (using DMOZ categories). The adult category did land at the top of the list in this control group – in other words, the highest percentage of the random sites have adult content. Then they took 3.3 million URLs known to be malicious and fit them into DMOZ categories. It turns out that the top categorizations of URLs known to be malicious include, in ranked order: society; computers; regional/U.S.; business/industrial; arts/entertainment; computers/Internet; business; adult; health; arts; online communities; and so on down the line. What does this tell you? That seemingly benign Web sites – perhaps the kind that you visit every day for work or pleasure – have the ability to deliver dangerous malware payloads.
Suddenly, I don’t feel so lucky anymore. Next week, we’ll look at the role of online ads and how they unintentionally may be delivering malware.