Malware is increasingly being hosted on legitimate business Web sites, and the payloads it delivers to unsuspecting visitors are growing increasingly dangerous.
A few weeks ago, for instance, the official Sony PlayStation site was infected. Visitors to the site would trigger a script that would run a phony virus scan. This would produce a fake alert, pressuring visitors to purchase a bogus antivirus product.
A full 79 percent of malware-hosting Web sites are legitimate, according to a recent report by London vendor Sophos. Sophos also reported detecting a new malware-infected Web page every five seconds—three times the rate of a year before.
These trends seem to validate a prediction made by the SANS Institute earlier this year. The Bethesda, Maryland-based research center ranked attacks on trusted sites as its number one threat in a list of the top ten cyber security menaces of 2008. Such attacks give attackers “a huge advantage” over the unwary public, according to the institute. SANS also wrote that Web attacks have morphed from simple ones based on one or two exploits, to more sophisticated attacks based on scripts that cycle through multiple exploits, to even more damaging ones with “packaged modules that can effectively disguise their payloads.”
Analysts from SANS and elsewhere attribute the rise in Web site attacks to the increasing sophistication of tools that can automatically scan the Web for vulnerabilities.
SANS says many attacks are targeting browser components. These could include Adobe Flash Player and QuickTime, which aren’t automatically patched when a Web site is updated.
This rise in trusted-site malware presents new challenges for IT administrators, says Graham Cluley, a Sophos senior technology consultant. It is no longer enough for organizations to block certain categories of sites, such as gambling or file-sharing sites.
To protect themselves, more organizations are taking advantage of Web appliance tools, he says. Sophos, for example, is seeing rising sales of its Web Security and Control product, he says. A piece of hardware that connects to a server in the data center, the device scans Internet pages as employees access them, blocking prohibited URLs. It also has “bi-directional traffic inspection”: Sophos continually updates the product with prohibited Web pages and, if an employee lands on an infected site that hasn’t been blocked, a report is automatically sent back to the vendor.
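The decision flow the article describes (check the requested URL against a blocklist, scan the page content as it is fetched, and record a report when an unlisted page turns out to be infected) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from Sophos or from the product mentioned above; the blocklist domains, the fake-AV text patterns and the sample pages are constructed, and the report is simply appended to a list where a real appliance would send it to the vendor.

```python
"""Toy model of a Web-filtering appliance's block / scan / report flow.

Added example: the domains, patterns and pages below are constructed
for illustration and do not describe any real product or site.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed content heuristics for the fake virus-scan pages the
# article describes ("your PC is infected", "37 viruses found", ...).
FAKE_AV_PATTERNS = [
    re.compile(r"your (computer|pc) is infected", re.IGNORECASE),
    re.compile(r"\b\d+ (viruses|threats) (found|detected)\b", re.IGNORECASE),
]


def normalize_host(url: str) -> str:
    """Return the lower-cased host of a URL without a trailing dot.

    urlsplit().hostname already lower-cases and strips the port, so
    "HTTP://Www.Example.COM:8080/x" and "http://www.example.com./x"
    both normalize to "www.example.com".
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def host_is_blocked(host: str, blocked_domains: Set[str]) -> bool:
    """A blocklist entry matches the domain itself and any subdomain.

    The leading-dot check matters: "notmalware.example" must not match
    an entry for "malware.example".
    """
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def scan_content(html: str) -> List[str]:
    """Return the fake-AV patterns that matched the fetched page body."""
    return [p.pattern for p in FAKE_AV_PATTERNS if p.search(html)]


@dataclass
class WebFilter:
    blocked_domains: Set[str]
    # Reports for pages that passed the blocklist but failed the content
    # scan; a real appliance would send these back to the vendor feed.
    reports: List[Tuple[str, List[str]]] = field(default_factory=list)

    def inspect(self, url: str, html: str) -> Tuple[str, Optional[str]]:
        """Decide ("block" | "allow", reason) for one fetched page."""
        host = normalize_host(url)
        if host_is_blocked(host, self.blocked_domains):
            return ("block", "url blocklist")
        hits = scan_content(html)
        if hits:
            # Not on the list yet: block it and report the miss.
            self.reports.append((url, hits))
            return ("block", "content scan")
        return ("allow", None)


if __name__ == "__main__":
    wf = WebFilter({"malware.example", "casino.example"})
    print(wf.inspect("http://www.malware.example/a", ""))
    print(wf.inspect("http://notmalware.example/", "<p>hello</p>"))
    print(wf.inspect("http://news.example/", "<p>Your PC is infected! 37 viruses found.</p>"))
    print(wf.reports)
```

The content scan runs only on pages the blocklist let through, which is exactly the gap the article's "trusted site" cases fall into: the report list is what feeds the blocklist update for everyone else.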