Legitimate web sites increasingly used as attack vectors

January 27, 2008

Gone are the days when the average web user could expect to remain reasonably secure simply by sticking to legitimate sites.

According to security vendor Websense, the majority of web sites serving up attack code are legitimate domains that have been hacked by criminals. This marks the first time that legitimate sites outnumber the malicious ones hackers purposefully set up to spread malware.1

Websense found that 51% of the sites it classified as malicious in the second half of 2007 had been compromised and then seeded with attack code that infected unpatched machines visiting the URLs. The remaining 49% were "intentionally built for malicious intent".1 (Note that this does not mean that 51% of all web sites on the Internet are compromised; it means that 51% of malicious web sites are legitimate sites that were compromised in order to serve malware.)

At least one other firm estimated that hacked legitimate sites surpassed maliciously-created web sites some time ago. In its January Malicious Page of the Month report, Finjan stated that in the middle of 2007, legitimate sites made up 80 percent of all malicious sites. Earlier this month, for example, Finjan warned that hackers had bypassed security on at least 10,000 legitimate domains to install the Random JS infection toolkit.2

These findings are reinforced by Sophos, which is discovering 6,000 new infected web pages every day. Sophos reports that 83% of these web sites, of all types from antique dealers to ice cream manufacturers and wedding photographers, belong to innocent companies and individuals who are unaware that their sites have been hacked and are now hosting malware on behalf of virus writers.3

Compromised sites often contain browser exploits that allow hackers to push Trojans and the like onto vulnerable PCs. Sophos reports that the well-known iFrame vulnerability in Internet Explorer remained the preferred vector for malware attacks throughout last year.3
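As an added illustration (not code from the original article or from any of the vendors it cites), the following check is the kind of thing a site owner can run over their own pages to spot the injected iframes that seeded compromised sites typically carry: frames whose source points off-site and which are hidden or sized so visitors never see them. The HTML sample and the hostnames in it are constructed for the demo.

```python
# Added example: flag iframes that look injected into a legitimate page.
# Sample HTML and hostnames below are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class IframeAuditor(HTMLParser):
    """Collect every <iframe> on the page and note why it looks injected."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        src_host = urlparse(a.get("src", "")).hostname or ""
        if src_host and src_host.lower() != self.site_host:
            reasons.append("off-site src")
        # Injected frames are usually made invisible so visitors notice nothing.
        if _tiny(a.get("width", "")) or _tiny(a.get("height", "")):
            reasons.append("zero/tiny size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def _tiny(dim):
    """True for a width/height attribute of 0 or 1 (pixels or percent)."""
    m = re.match(r"^\s*(\d+)", dim)
    return m is not None and int(m.group(1)) <= 1

def audit_iframes(html, site_host):
    """Return [(src, [reasons]), ...] for iframes that look injected."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings

# Constructed sample page: one legitimate same-site frame, one injected frame.
SAMPLE = """<html><body><h1>Antique dealer</h1>
<iframe src="http://www.example-shop.test/catalog" width="600" height="400"></iframe>
<iframe src="http://malicious-host.invalid/in.php" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_iframes(SAMPLE, "www.example-shop.test"):
        print(src, "->", ", ".join(why))
```

Running it over a real site's pages only catches frames that are visibly hidden or off-site; obfuscated script that writes the frame at runtime needs a rendered-DOM check instead.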

Paul Ferguson of TrendMicro says that they have recently seen literally thousands of compromised web sites and web pages that victimize any unsuspecting user who visits them with an unpatched vulnerability.4

Although every web site is potentially at risk, criminals are targeting sites with "high user count" probabilities - web sites with large audiences, e-commerce Web sites with potential "high value" compromise possibilities, and even entire server farms in third-party hosting facilities.4

For example, BusinessWeek's web site was recently compromised on January 16th.5 Earlier this month the same was true for Computer Associates' web site, as well as sites belonging to the state of Virginia, the city of Cleveland, and Boston University. In the latter case, visiting the infected pages redirected end users to a rogue site, which in turn attempted to exploit multiple vulnerabilities in order to engage in click fraud and to install key-logging software that stole passwords for various online games.6

The web sites themselves are compromised by hackers in a variety of ways, such as exploiting misconfigurations or unpatched servers, said Dan Hubbard, vice president of security research at Websense. A significant number of the sites, however, are compromised by the multi-exploit tool kits made infamous by Mpack and Neosploit. Websense estimates that 19%, or about one in five, of malicious sites were created or compromised using such tool kits.7

These methods pose a significant risk because many security companies rely on web site reputation to protect customers. Compromised sites have a good reputation and a built-in audience of visitors. This raises the effectiveness of the attacks and diminishes the need for attackers to create lures to drive traffic to the sites.8

1. "Legitimate sites now deliver majority of malware", Computerworld, January 24, 2008

2. "Attackers favor compromise over creation", SecurityFocus, January 23, 2008

3. "Drive-by download menace spreading fast", The Register, January 23, 2008

4. "Technology Shift: The World Wide Compromise of The Web", TrendLabs Malware Blog, January 22, 2008

5. "Even 'Trusted' Web Sites Can Get Compromised", TrendLabs Malware Blog, January 16, 2008

6. "Hackers turn Cleveland into malware server", The Register, January 8, 2008

7. "Most malware comes from legit sites, says researcher", Computerworld, January 23, 2008

8. "Websense Research Highlights: Q3-Q4 2007", Websense Security Labs, January 17, 2008