Growth of the Underground Cybercrime Economy
AC50 writes "According to research from Trend Micro's TrendLabs compromised Web sites are gaining in importance on malicious sites created specifically by cyber-criminals. The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."
Any site serving up adverts is potentially serving up malware. Durr.....
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
"...even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware." I've been telling my users this forever. Some of them just don't have the mindset or skills to fend off the malware, which is part of why I have a job. It's all about locking down the computer. Of course, this is a sliding scale. Lock it down enough to totally (possible??) protect it, and the user can't do many of the usual tasks. Leave it open to being able to work, and you have security holes. I've always been a fan of sandboxing, but it's still too complex for the usual user. If the user makes changes that need to be stable, then how do they commit them without risking infection from some malware they've picked up in the process? Security is a moving target and we must always be ready to recover from an incident, no matter how secure we THINK our computers are. It's a dirty world out there, as this article ably demonstrates.
... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster.
If you mod me down, I will become more powerful than you can imagine....
> [...] can serve forth malware
Serve Forth malware from a website? I'd be more concerned about JavaScript malware and the like.
"And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12
Slashdot is safe. It's the only site I visit. Make sure not to open the articles. You never know.
What?
Only two pwned sites in the top 10 for
http://www.google.com/search?q=site:.edu+viagra
http://www.google.com/search?q=site:.gov+viagra
It'd be ironic if idtheft.utah.gov was handing out malware.
Replace viagra with other spamwords & you'll get more of the same
[Fuck Beta]
o0t!
In the end, the majority of security problems lies with the user. We need better computer security education in schools and instill a healthy sense of paranoia in the youth.
Do we really need Trend Micro's PC-cillin?
Boot from a live CD. Or use a virtual machine. Of course you can always use a less popular operating system.
Microsoft needs to get their new service pack out the door. No, I don't mean Vista SP1. Microsoft needs to get XP SP3 out. So many people think Windows Update is some silly annoyance that Microsoft threw in there for who knows what. They never heed the requests to install updates and reboot, since that takes so long. Then when their machine slows to a crawl with adware, they ask us to fix them. And in other cases, their computers join a botnet and spam us all.
XP SP3, on the other hand, can have marketing support behind it. Articles can talk about it and how to install it, and people won't get so annoyed at a one-time installation. XP SP3 includes fixes for the still-quite-popular ADODB.Stream and animated cursor exploits, and at this point, finding browser exploits is getting into diminishing returns. Now that Microsoft cares, Windows is having its code audited much more thoroughly than when XP SP2 was made.
Service packs also give Microsoft an opportunity to release fixes for security holes found internally, since service packs are so different from the previous version. If they patched holes quickly like Firefox does with incremental patches, they'd be revealing those holes to attackers armed with machine code diff programs.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware
I still believe you're more likely to get malware on dodgy sites. As worded in the summary, this sounds like an excuse someone came up with to justify their penchant to troll for pr0n, war3z and mp3z.
These posts express my own personal views, not those of my employer
It may well debunk the idea that visiting mainstream sites is safe, but that doesn't mean you shouldn't think twice before visiting a site which you're not sure of. Especially if you browse with internet exploder..
It's only taken 2 months to realize that the most common forms of computer attacks are going to continue in 2008, and all this despite the open memo to on-line criminals:
"Dear blackhats,
Please, please, please make a new year's resolution to stop making viruses, stealing money and sending spam.
Loving Regards,
Trend Micro."
... be afraid. In fact be just a 'little' more afraid each year, things are definitely getting worse.
Everybody out there on the ether
And the web regresses back several years. Kind of hard to progress when one's reaction is to run away.
We have a list of major sites being exploited by active phishing scams, which we update every three hours. There are 56 sites on the list right now. Most sites don't stay on the list too long, but we still have 14 that have been on the list since last year. Most of them are DSL service providers with compromised machines they haven't kicked off. Some providers are proactive about this, and some aren't. Then there are a few compromised sites that just have no clue about how to fix their problem. One such site is the teacher web space for a school district.
By, well, nagging, we've been able to get the big players to fix their problems. Google, Yahoo, MSN, and Dell were all on the list at one point, but they've all tightened up their systems.
The points we make with this list are that 1) the number of major sites involved is small, and 2) blacklisting at the second level domain level causes acceptable levels of collateral damage. So go ahead, blacklist the whole second level domain in your phishing filters. Think of it as a way to encourage sites to clean up their act. Or as a way to find out where to apply the clue stick.
This list is about "major" sites, ones in Open Directory (1.7 million sites). The issue there is with attackers trying to steal the credibility of the major site. At the other end of the scale, any domain less than a few weeks old probably isn't worth connecting to. Or at least it should be read with all executable content disabled, including HTML email. Also, any link with more than one redirect probably shouldn't be followed.
It's easier to filter out the attackers if you're willing to filter out the bottom-feeders as well. But that's another story.
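The two filtering rules in the comment above (block at the second-level domain rather than the full hostname, and refuse links that bounce through more than one redirect) as an added Python example. This is not the commenter's own list or code: the blocklist entries, the redirect table standing in for HTTP 3xx Location headers, and the short suffix table are all constructed for the example. A real deployment would derive the registrable domain from the Public Suffix List and would fetch Location headers over the network instead of from a dictionary.

```python
"""Second-level-domain blocklisting plus redirect-chain checking.

Added example; blocklist, redirect table and suffix table are constructed
sample data, not the commenter's real feed.
"""
from urllib.parse import urlparse

# Constructed sample blocklist of registrable (second-level) domains.
BLOCKLIST = {"example-phish.com", "compromised-dsl.net"}

# Suffixes under which the registrable domain has three labels. Assumption
# for the example only; use the Public Suffix List in production.
TWO_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Collapse 'teacher.district.example.co.uk' to 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_blocked(url: str) -> bool:
    """Blocklist matches on the whole second-level domain, so every
    subdomain of a listed site is caught, accepting the collateral damage."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) in BLOCKLIST


# Constructed redirect table: url -> Location header it would return.
REDIRECTS = {
    "http://short.example/abc": "http://tracker.example/go?x=1",
    "http://tracker.example/go?x=1": "http://login.example-phish.com/",
    "http://news.example/story": "http://www.news.example/story",
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}


def redirect_chain(url, lookup=REDIRECTS.get, max_hops=10):
    """Follow redirects without ever fetching a URL twice, so a redirect
    loop or an endless chain cannot hang the filter."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def should_follow(url, lookup=REDIRECTS.get, max_redirects=1):
    """Refuse links with more than one redirect, and any chain that touches
    a blocklisted second-level domain at any hop."""
    chain = redirect_chain(url, lookup)
    if len(chain) - 1 > max_redirects:
        return False
    return not any(is_blocked(u) for u in chain)


if __name__ == "__main__":
    for u in ("http://short.example/abc", "http://news.example/story",
              "http://mail.compromised-dsl.net/login"):
        print(u, "->", "follow" if should_follow(u) else "refuse")
```

Checking every hop of the chain, not just the final landing page, matters because the intermediate tracker is often the only hostname that appears on a feed; the phishing page itself is rotated far faster than any three-hourly list can keep up with.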
Thank you for commenting on slashdot! LOL! You'd love the zany TOTALLY NUDE shots from my webcam! All you have to do is CLICK MY LINK and you will see me totally exposed! This is not a hack or virus or any of that, I am just trying to increase my exposure (if you know what I mean) in !script=LOCAL_CITY!@user! so I thought I would hit you up personally, since you seem soooo kewl! I luv yer pix and maybe we can get a little more personal if you Czech out my pix on my sight. XOXOXO 3 --Bubbles.
FairTax baby!
http://www.wired.com/politics/security/news/2007/09/pfizerspam
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Firstly, everyone in this market puts out these sort of research reports - monthly, quarterly, annually, it varies - partly to inform and educate, but mostly for the PR value. Of course everyone sees much the same threat environment, so they're all much of a muchness, PR spin notwithstanding. I don't see my employers' annual threat survey on the Slashdot front page; hmmmm, maybe I should submit it? Or maybe not...
Secondly - "serve forth" PUH-leassseee... just reminds me of the great UK rapper Silver Bullet and his popular number, "Bring Forth the Guillotine!" from 89. Oh hey, look, anti-virus software... silver bullet... myth... hmmmm.
can u pls fix link, no pix!? u sound hot, got email?
A trustworthy website will remove malware after the first complaint and will give subsequent visitors a warning and a tool to remove the malware in question. There is still a risk, however the chance of encountering malware on a bank website is significantly less than 100% versus purposely malicious domains and the owner is spending effort to protect you rather than infect you.
Or you could just install all updates for your favorite OS or a 3rd party browser and virtually eliminate the chance of unintentionally installing a malware executable. Even IE7 is positively fascist when it comes to downloads and plugins these days.
There are a finite number of exploitable bugs in Windows XP for very large values of finite.
Problem Exists Between Chair Keyboard? What's a chair keyboard? A keyboard you can sit on?
I'm looking for contacts that leech gameboy roms and need to acquire large quantities of crack or hot radioactive material. This month I offer a free fully automatic handgun to spray your classroom with each order. -- Message protected by international copyright. (c) Crime.Inc 2008
It's free and does a reasonable job at indicating risk level to the less computer savvy (in green, amber and red)
About TFS... (didn't bother to read TFA, this being /.)
... profit.
WTF? Use Adblock not to download the malware-pushing banners.
Don't download code. Music, videos, etc. OK, but NOT code. Unless you KNOW it's safe.
And finally : use a Macintosh or Hackintosh. There's no malware on OSX.
It's really laughable. Fortune500 sites pushing malware? That's why you Americans have "class action lawsuits" and "ambulance-chasing lawyers". 1+1+1=
Making laws based on opinions that stem from false information leads to witch hunts.
Don't know about you but I believe one aspect of the cyber-crime growth is people's inclination to press hyperlinks named "compromised Web sites"
Break the sound barrier - bring the noise.
I'm guessing you'd have to download the code and check it before you can know if it's actually safe.. depending on your definition of 'safe' of course.
which is totally what she said
I notice that the Altiris site contains very poor writing.
It would be great to have a suggestion from a better company.
I've been beating the drum about Internet Explorer and its deliberate malware distribution features like ActiveX for years. Over 10 years, in fact, since it was 1997 when Microsoft introduced Active Desktop...
When people tell me "oh yes, I use Internet Explorer, but I only visit well known websites I can trust" I have been able in some cases to convince them that thanks to forums and other sources of third party content even "trusted" websites can source malware.
Despite what Trend Micro suggests, the best approach to security is still taking proper care with the software you use. They talk about attacks on embedded devices like cellphones, but note that they're primarily talking about their potential as backdoors for infected files, not about their embedded browsers being attacked directly. Antivirus companies want antivirus software installed on everything... that's how they make money... but until they ship software that is purely a scanner and doesn't patch the OS you're more likely to have the AV software than any virus damage your PDA, cellphone, or non-Windows PC.
But taking care with the software you use DOESN'T mean only using bad software on good websites, but not using bad software at all. The best antivirus, then, is to avoid using software that deliberately includes backdoors to allow automatic installation and execution of unsandboxed code from websites. The poster boy for this insane design is, of course, Internet Explorer, which is actually built around this model and were Microsoft to fix it they would have to break a lot of working products. But there are similar design flaws, albeit ones not so automatically easy to exploit, in other browsers... for example Firefox and Safari will happily install code for you if the code is wrapped up in the appropriate package. In Firefox that package is the XPI... and I would recommend keeping the list of whitelisted sites in Firefox empty at all times. In Safari that package is the Dashboard widget, and the option 'Open "Safe" Files after downloading' which is now (thankfully) off by default in new installs (though it doesn't prevent Dashboard widgets from being installed).
And now Microsoft is pushing a cross-platform infection vector under the name Silverlight, and there's an open-source clone of it by the name "Moonlight" under development. Some days I despair, truly.
And no number of "I'm about to do something stupid, is this OK?" dialog boxes are good enough. After 20 years as a system administrator, the last several years of which were spent fighting an increasingly frustrating battle against malware riding on this misfeature of Microsoft's security model, I can only recall one time where someone was *twice* convinced to download and explicitly run an infected file from the shell... but I've repeatedly had people come to me saying "Peter... I clicked on the wrong button again, and my computer's acting funny".
If you're a software developer, and you find yourself adding an "I'm about to do something stupid" dialog... please reconsider whether it's actually necessary. It almost never is. People really would rather explicitly download and install a plugin, for example, than have the browser pop up annoying messages all the time. Really.
Yes, you're not in any greater risk hanging out in crackhouses, because even the banks you visit sometimes have dangerous bank robbers in them.
That statement is one of the stupidest analyses of relative risk that I've ever heard.
--
make install -not war
When you write: think twice before visiting a site which you're not sure of. Especially if you browse with internet exploder..
Surely you mean think twice before [...] you browse with internet exploder..
My girlfriend checks website links routinely in PDF documents as part of her work and her machine is routinely attacked by adware and malware by supposedly innocuous websites that are supposed to be related to educational institutions or professional, technical type organizations hosting white papers, and other such information. (yeah yeah, run on sentence, sue me) I'm guessing some of these sites have been compromised or intentionally corrupted by webmasters for personal gain. In my experience this stuff happens all the time.
Javascripters building "enterprise" applications.
You get what you pay for.
The perfect punishment: "Apps testing on Vista"
It's really not quite as complex as most make it out to be.
1. If you are a system administrator it is your job to secure the system and take steps to prevent malware. Examples would be updating Firefox and also, because of IE's little ActiveX trick, restricting it through group policy (Add-On Management and Restrict File Downloads, both in group policy and have been since Server 2000). If you are not using it and have had a machine under your control infected with malware through the browser you have no one to blame but yourself since the year 2000.
2. Home users will never learn and will always be the cause of many problems whether Microsoft or some other OS hosted.
Bashing any OS for poor security is pointing the finger at the wrong person. Yes you get your exploits but the malware problem is system administrator and home user supported. In the sense that too many sys admins do not know anything and home users... well, repeat reason number 2 above.
Just my 2 cents
Here's a passing thought: I'm very against the practice of an ISP blocking incoming/outgoing ports as a general business practice, as this negatively affects the technically inclined users. However, what if an ISP had a default port 80 forward to their website, where the owner of the IP could authenticate and enable direct access to the port? That way, non-techie users don't serve up malware sites, and techie users can easily enable the service and go about their business.
Along the same lines, could this technique be expanded to more/all ports by default? What if the ISP blocked all incoming non-related connections by default (in the same manner as a firewall would, I'm unclear on the exact conditions), but had an easily accessible control page? Provided that the users were made very aware of this feature (not a simple task), wouldn't this do a great deal to curb the spread of malware?
Feel free to shoot this down, I'm not seeing a glaring flaw that would prevent this from being done. An ISP could even provide a notification utility that would alert the user if they have an application that tries to listen in on a protected port.
You're confusing Virtual Memory with a Virtual Machine.
The OP is quite correct. It's a heck of a lot easier to clean up an attack that has compromised a VMWare image than one which has compromised the PC.
wow good job on the -1 scores guys...didn't know that was attainable.
some people...
fortune 500 companies can get compromised. It's not like it's impossible, and they are the most likely to have a sophisticated system for downing compromised systems (intrusion detection systems, automatic filtering of forums, e.g. Slashdot has code that tries to reject links or code that is 'known bad', although not necessarily links to bad sites, and the ability to power off or 'stop internet to' any single server without having to access it physically) but no system is 100% foolproof, besides which, who is going to prove that said fortune 500 company compromised john doe of new jersey's system when the server was compromised for .1 seconds before it got detected and shut off? if john doe doesn't discover the problem until 3 years later when the hacking group who originally compromised his system got hacked itself, and the system finally crashed, instead of just running malware in the screen saver...
i mean fortune 500 companies hire big shot lawyers to take care of the small fries, and they hire seven figure technology specialists to deal with any major problems.
speaking as someone who had malware on his computer unknowingly for 3 years, until other computer hackers (not the ones who originally installed the software) got into my system did i realize I had even been compromised.
so frankly, it would be hard for me to sue anyone, since my ISP doesn't watchdog my network activity to see if hackers are using my system, the hackers who rooted my system were professionals, but it's not like they can be sued...
I even had a hardware firewall, besides windows, but it was a cheap one, not like when i used to use a freebsd firewall... but freebsd got to be a major pain to install. now there is smoothwall 3.0... but i've become so averse to using windows on the net that it's not even worth it to play online games.
https://www.gnu.org/philosophy/free-sw.html
My point was more that Fortune 500 companies could just "not put ads" on their sites, it's not like they're not rich enough to publish whatever content on the 'Net for what they see as chump change.
Unless they're online ads, but are any of those in Fortune 500?
And, how are those sites "compromised" to serve malware? With seven-figures security people, they'd write a Trusted system, encrypted end-to-end with math proofs that it Just Can't be hacked, ever, and do that in a year.
I'm sorry, but even fortune 500 companies have problems with systems being compromised. you're thinking that for whatever reason they can control all the input and all the output data.
yahoo which was an early pioneer in the internet space was highly dependent on FreeBSD, to date they still code and maintain Yahoo BSD, and submit considerable amounts of code to the FreeBSD project.
even with programmers writing their own operating system yahoo has had times where servers got compromised. furthermore, they have for years had data Crossing their network that Is Not end to end secure. because of common carrier laws, yahoo mail, yahoo briefcase, and even geocities doesn't guarantee that any of that data is free of viruses or exploits.
why do you think yahoo and google invested in captcha systems for their servers? it was to reduce spam and fraud committed with 'automatic' tools designed by crackers to make it easier to compromise systems and do their 'illicit' jobs.
and yes google is a fortune 500 at number 241 and yahoo is at 357. (for year 2007)
the whole point is that even 2 fortune 500 companies can transmit code that will compromise your system, because they are protected by common carrier laws. there is no promise that going to a geocities site won't in some way let hackers install software on your system, the whole point is that hackers build bots that do this for them so they make money, and fortune 500 companies have failed in coming up with a secure system against botnet installers, especially over networks where they have legal immunity.
even a small portion of files on download.com contain adware, even though download.com has a no adware policy. but we were talking about what fortune 500 companies are doing, for internet security, so i used the geocities/yahoo mail etc...