Slashdot Mirror

← Back to Stories (view on slashdot.org)

Growth of the Underground Cybercrime Economy

Posted by samzenpus on from the nothing-is-safe dept.

AC50 writes "According to research from Trend Micro's TrendLabs compromised Web sites are gaining in importance on malicious sites created specifically by cyber-criminals. The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."

35 of 94 comments (clear)

  1. Any site by Merls+the+Sneaky · · Score: 5, Informative

    Any site serving up adverts is potentially sering up malware. Durr.....

  2. it's called No Script by timmarhy · · Score: 4, Informative

    ... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:it's called No Script by CSMatt · · Score: 2, Informative

      Seconded, and also only allow whitelisted cookies.

    2. Re:it's called No Script by Architect_sasyr · · Score: 2, Interesting

      An interesting feature of google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links. I wonder how viable it would be to have a firefox plugin that did something similar. Not so much the patching of the bugs, but maybe some sort of distributed (P2P) system that says "Yep, this is dangerous, we aint patched it yet, so go there if you like but we don't recommend it"

      Might help out, might not. If I had something like that running in my company I reckon I could reduce half the problems (as opposed to making the proxy server do all the work).

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    3. Re:it's called No Script by Anonymous Coward · · Score: 3, Informative

      NoScript doesn't help if a site already on your whitelist gets compromised.

    4. Re:it's called No Script by mrbluze · · Score: 2, Insightful

      ... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster. ..together also with a windows-free computer, I guess. But the problem is that websites people visit nowadays require scripts to be enabled. They will be deliberately targeted over sites which don't mandate scripting, so the problem remains. Best way is to design computer systems with the assumption that they will be hacked and then see how to prevent or minimize any damage, from the outset, instead of the old model which assumes the software was all honestly and flawlessly written.
      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    5. Re:it's called No Script by mlts · · Score: 4, Interesting

      I think as time goes on, perhaps the best way to browse the Web is having a virtual machine running under a dedicated, locked down user, so if the OS in the VM is compromised, an unknown exploit that might let malware out of the VM to compromise the host would be stopped. Its not 100%, but it seems to be the best way of doing things. Of course, the Web browser should have Noscript and Adblock functionality for a lock on the front door.

      Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory. Vista's protected mode in IE7 is a start, where IE7 does not have access to the full Registry, but more separated from the rest of the machine with limits on CPU and other resources.

    6. Re:it's called No Script by jesser · · Score: 4, Informative

      An interesting feature of google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links. I wonder how viable it would be to have a firefox plugin that did something similar.

      Firefox 3 does this. If you start to load a site that's in Google's database of malicious (and compromised) pages, Firefox 3 will show a big red "Suspected attack site!" thing instead of parsing the page.

      Mozilla and Google put a lot of effort into making it possible to do this without slowing down page loads. Firefox downloads a list of 32-bit hash prefixes for compromised sites. If a hash prefix matches (which will happen on any malicious page load and perhaps 0.1% of other page loads), Firefox asks Google for the rest of the hash. Both the local database lookup (which can require disk access) and the possible request to Google happen in parallel with Firefox resolving the DNS entry and connecting to the site.

      Last week, the site of Firebug author Joe Hewitt was compromised, and Firefox 3 Beta 3 users saw this.

      --
      The shareholder is always right.
    7. Re:it's called No Script by porkUpine · · Score: 2, Informative

      I currently run Firefox in SVS (Altiris) (Along with the suggestions above). Basically Firefox runs in it's own virtual layer on the machine with no access to the "real" OS. I can run multiple instances to allow for different security settings. It's nice because I don't have to actually boot a VM just to surf the web safely. http://juice.altiris.com/glossary/term/252

    8. Re:it's called No Script by Ed+Avis · · Score: 4, Informative

      Note that all modern operating systems do run each process in its own virtual machine. The process sees its own memory space that has no relation to the physical memory layout of the machine (indeed, it may even be bigger) and it has no direct access to the hardware. It gets CPU time that doesn't correspond to any one physical CPU; it may get timeslices from different CPUs if the operating system decides this. If it wants to read or write a file, it has to make a call to the operating system which first checks it has the appropriate permissions and then arranges for the I/O without allowing the user process to talk to the disk directly. Nor can processes access memory belonging to a different process, unless both agree to set up a shared memory scheme.

      The problem is not lack of virtualization. Everything is virtualized already. The problem is excessive permissions given to the programs running in each virtual address space. For example, the web browser should not have any rights to save files outside a designated 'downloads' directory.

      --
      -- Ed Avis ed@membled.com
    9. Re:it's called No Script by TubeSteak · · Score: 2, Informative

      Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory. http://www.sandboxie.com/
      I read about it in the comments of some /. thread
      All changes are written to a sandbox directory, convienently called "sandbox"
      And you can launch more than just your web browser in it.
      --
      [Fuck Beta]
      o0t!
  3. Forth malware by Chris+Burkhardt · · Score: 3, Funny

    > [...] can serve forth malware

    Serve Forth malware from a website? I'd be more concerned about JavaScript malware and the like.

    --
    "And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12
    1. Re:Forth malware by misleb · · Score: 2, Funny

      Serve Forth malware from a website? I'd be more concerned about JavaScript malware and the like.


      Haskell malware is the best!
      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  4. I sure hope by iminplaya · · Score: 5, Funny

    Slashdot is safe. It's the only site I visit. Make sure not to open the articles. You never know.

    --
    What?
  5. The Power of Google by TubeSteak · · Score: 4, Interesting

    http://www.google.com/search?q=site:.edu+viagra
    http://www.google.com/search?q=site:.gov+viagra
    Only two pwned sites in the top 10 for .gov
    It'd be ironic if idtheft.utah.gov was handing out malware.

    Replace viagra with other spamwords & you'll get more of the same

    --
    [Fuck Beta]
    o0t!
    1. Re:The Power of Google by TubeSteak · · Score: 4, Interesting

      I hate replying to my own comments, but the States seem to be doing a much poorer job than the Federal Government.

      http://www.google.com/search?q=site:k12.ny.us+viagra
      That brings up pwned K-12 school websites from New York

      http://www.google.com/search?q=site:.ny.us+ringtones
      This frequently brings up state websites
      EG: New York State's Division of Military and Naval Affairs website has been exploited.

      I don't mean to pick on New York, but they seem to be worse than many other States.
      Replace .NY. with your state's abbreviation

      --
      [Fuck Beta]
      o0t!
  6. So.... PEBCK by ruinevil · · Score: 2, Insightful

    In the end, the majority of security problems lies with the user. We need better computer security education in schools and instill a healthy sense of paranoia in the youth.

    Do we really need Trend Micro's PC-cillin?

  7. Windows XP SP3 by Myria · · Score: 4, Insightful

    Microsoft needs to get their new service pack out the door. No, I don't mean Vista SP1. Microsoft needs to get XP SP3 out. So many people think Windows Update is some silly annoyance that Microsoft threw in there for who knows what. They never heed the requests to install updates and reboot, since that takes so long. Then when their machine slows to a crawl with adware, they ask us to fix them. And in other cases, their computers join a botnet and spam us all.

    XP SP3, on the other hand, can have marketing support behind it. Articles can talk about it and how to install it, and people won't get so annoyed at a one-time installation. XP SP3 includes fixes for the still-quite-popular ADODB.Stream and animated cursor exploits, and at this point, finding browser exploits is getting into diminishing returns. Now that Microsoft cares, Windows is having its code audited much more thoroughly than when XP SP2 was made.

    Service packs also give Microsoft an opportunity to release fixes for security holes found internally, since service packs are so different from the previous version. If they patched holes quickly like Firefox does with incremental patches, they'd be revealing those holes to attackers armed with machine code diff programs.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    1. Re:Windows XP SP3 by erroneus · · Score: 3, Insightful

      Is there something in SP3 that will magically fix the stupidity of users or will it patch the Windows kernel with a Linux kernel?

    2. Re:Windows XP SP3 by sumdumass · · Score: 2, Interesting

      They never heed the requests to install updates and reboot, since that takes so long. Then when their machine slows to a crawl with adware, they ask us to fix them. And in other cases, their computers join a botnet and spam us all.
      This might be more because they havehad an experience where an update broke their computer or some app. This is probably especially true when SP2 came around because of it's ability to fail and render the computer useless if certain Spyware has been installed. They might have fixed that bug, but I was stuck restoring a lot of computers for suckers who had automatic updates on and clicked go ahead when SP2 was offered.

      And I say suckers not because they installed SP2, but because they had so much spyware that it could actually cause sp2 to fail and leave them without a working computer. I don't know if it still is that way or not. But it was a problem when it first came out. I also have a couple printers and some barcode readers fail on sp2 or an update right around that time. Yea, basically a serial connection fails to work and needed to be replaced with a newer version to run in XPsp2. I don't know what they were doing with the Barcode reader that required that much of a tie in to XP that a service pack or an update could break it's operation. But anyways, things breaking is probably a more valid reason these people are gun shy the just laziness. Although, I wouldn't completely discount laziness.
    3. Re:Windows XP SP3 by techno-vampire · · Score: 3, Funny
      Then when their machine slows to a crawl with adware, they ask us to fix them.


      You must have a well-trained set of users. Most people just buy a new computer when that happens.

      --
      Good, inexpensive web hosting
    4. Re:Windows XP SP3 by cerberusss · · Score: 2, Interesting

      You're modded funny, but when a new Dell Vostro costs $299 and the machine is more than 2 years old, then it might be worth it.

      --
      8 of 13 people found this answer helpful. Did you?
  8. Debunks nothing by syousef · · Score: 2, Insightful

    The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware

    I still believe you're still more likely to get malware on dodgy sites. As worded in the summary, this sounds like an excuse someone came up with to justify their penchant to troll for pr0n, war3z and mp3z.

    --
    These posts express my own personal views, not those of my employer
  9. It's a problem, but the size is limited. by Animats · · Score: 5, Informative

    We have a list of major sites being exploited by active phishing scams, which we update every three hours. There are 56 sites on the list right now. Most sites don't stay on the list too long, but we still have 14 that have been on the list since last year. Most of them are DSL service providers with compromised machines they haven't kicked off. Some providers are proactive about this, and some aren't. Then there are a few compromised sites that just have no clue about how to fix their problem. One such site is the teacher web space for a school district.

    By, well, nagging, we've been able to get the big players to fix their problems. Google, Yahoo, MSN, and Dell were all on the list at one point, but they've all tightened up their systems.

    The points we make with this list are that 1) the number of major sites involved is small, and 2) blacklisting at the second level domain level causes acceptable levels of collateral damage. So go ahead, blacklist the whole second level domain in your phishing filters. Think of it as a way to encourage sites to clean up their act. Or as a way to find out where to apply the clue stick.

    This list is about "major" sites, ones in Open Directory (1.7 million sites.) The issue there is with attackers trying to steal the credibility of the major site. At the other end of the scale, any domain less than a few weeks old probably isn't worth connecting to. Or at least it should be read with all executable content disabled, including HTML email. Also, any link with more than one redirect probably shouldn't be followed.

    It's easier to filter out the attackers if you're willing to filter out the bottom-feeders as well. But that's another story.

  10. Re:Frosty Piss by sporkme · · Score: 2, Funny

    Thank you for commenting on slashdot! LOL! You'd love the zany TOTALLY NUDE shots from my webcam! All you have to do is CLICK MY LINK and you will see me totally exposed! This is not a hack or virus or any of that, I am just trying to increase my exposure (if you know what I mean) in !script=LOCAL_CITY!@user! so I thought I would hit you up personally, since you seem soooo kewl! I luv yer pix and maybe we can get a little more personal if you Czech out my pix on my sight. XOXOXO 3 --Bubbles.

    --
    FairTax baby!
  11. No news is old news by Anonymous Coward · · Score: 2, Interesting
    Noughtly, disclaimer: I work for a Trend competitor.

    Firstly, everyone in this market puts out these sort of research reports - monthly, quarterly, annually, it varies - partly to inform and educate, but mostly for the PR value. Of course everyone sees much the same threat environment, so they're all much of a muchness, PR spin notwithstanding. I don't see my employers' annual threat survey on the Slashdot front page; hmmmm, maybe I should submit it? Or maybe not...

    Secondly - "serve forth" PUH-leassseee... just reminds me of the great UK rapper Silver Bullet and his popular number, "Bring Forth the Guillotine!" from 89. Oh hey, look, anti-virus software... silver bullet... myth... hmmmm.

  12. This doesn't defy conventional wisdom by iamacat · · Score: 4, Insightful

    A trustworthy website will remove malware after the first complaint and will give subsequent visitors a warning and a tool to remove the malware in question. There is still a risk, however the chance of encountering malware on a bank website is significantly less than 100% versus purposely malicious domains and the owner is spending effort to protect you rather than infect you.

    Or you could just install all updates for your favorite OS or a 3rd party browser and virtually eliminate the chance of unintentionally installing a malware executable. Even IE7 is positively fascist when it comes to downloads and plugins these days.

    1. Re:This doesn't defy conventional wisdom by marzipanic · · Score: 3, Informative

      Ah yes, Active X control etc, I like the fact and it is impressive, that Windows Defender (compulsory with Vista) blocks Windows Live Toolbar! A nation devided cannot stand.... Nothing beats common sense (trademarked) though does it?

      Most of the hosts are not aware their site has been "infected" half of the time. I used a site regularly until one day it tried to download some malware in an iframe and an flv file. Not aware at all their site had got a problem.

      Not helped by some people who use a certain "site advisor" program giving it a green tick because it was "full of pretty, cool and amazing things" instead of looking at what their anticrapware app was singing / doing and warning people accordingly.

      For that fact alone I refuse to bank online, I just feel safer. Call me old fashioned....

      --
      In the name of sticking up for someone with autism, f**k you! Prejudiced bastard.... that is unlawful and linuc for dumm
  13. Re:it's called fleeing in terror! by red+star+hardkore · · Score: 2, Interesting

    Kind of hard to progress also when you wake up some morning and find your life savings have been transferred to some dodgy account in Russia. It isn't fleeing in terror, it's putting a hold on things until developers realise that security is as important as functionality.

  14. For very large values of finite. by anandsr · · Score: 2, Insightful

    There are a finite number of exploitable bugs in Windows XP for very large values of finite.

  15. Re:Frosty Piss by somersault · · Score: 2, Insightful

    I'm guessing you'd have to download the code and check it before you can know if it's actually safe.. depending on your definition of 'safe' of course.

    --
    which is totally what she said
  16. Truth wrapped up in FUD, and the way forward... by argent · · Score: 4, Insightful

    I've been beating the drum about Internet Explorer and its deliberate malware distribution features like ActiveX for years. Over 10 years, in fact, since it was 1997 when Microsoft introduced Active Desktop...

    When people tell me "oh yes, I use Internet Explorer, but I only visit well known websites I can trust" I have been able in some cases to convince them that thanks to forums and other sources of third party content even "trusted" websites can source malware.

    Despite what Trend Micro suggests, the best approach to security is still taking proper care with the software you use. They talk about attacks on embedded devices like cellphones, but note that they're primarily talking about their potential as backdoors for infected files, not about their embedded browsers being attacked directly. Antivirus companies want antivirus software installed on everything... that's how they make money... but until they ship software that is purely a scanner and doesn't patch the OS you're more likely to have the AV software than any virus damage your PDA, cellphone, or non-Windows PC.

    But taking care with the software you use DOESN'T mean only using bad software on good websites, but not using bad software at all. The best antivirus, then, is to avoid using software that deliberately includes backdoors to allow automatic installation and execution of unsandboxed code from websites. The poster boy for this insane design is, of course, Internet Explorer, which is actually built around this model and were Microsoft to fix it they would have to break a lot of working products. But there are similar design flaws, albeit ones not so automatically easy to exploit, in other browsers... for example Firefox and Safari will happily install code for you if the code is wrapped up in the appropriate package. In Firefox that package is the XPI... and I would recommend keeping the list of whitelisted sites in Firefox empty at all times. In Safari that package is the Dashboard widget, and the option 'Open "Safe" Files after downloading' which is now (thankfully) off by default in new installs (though it doesn't prevent Dashboard widgets from being installed).

    And now Microsoft is pushing a cross-platform infection vector under the name Silverlight, and there's an open-source clone of it by the name "Moonlight" under development. Some days I despair, truly.

    And no number of "I'm about to do something stupid, is this OK?" dialog boxes are good enough. After 20 years as a system administrator, the last several years of which were spent fighting an increasingly frustrating battle against malware riding on this misfeature of Microsoft's security model, I can only recall one time where someone was *twice* convinced to download and explicitly run an infected file from the shell... but I've repeatedly had people come to me saying "Peter... I clicked on the wrong button again, and my computer's acting funny".

    If you're a software developer, and you find yourself adding an "I'm about to do something stupid" dialog... please reconsider whether it's actually necessary. It almost never is. People really would rather explicitly download and install a plugin, for example, than have the browser pop up annoying messages all the time. Really.

  17. Too many words... by argent · · Score: 2, Informative

    When you write: think twice before visiting a site which you're not sure of. Especially if you browse with internet exploder..

    Surely you mean think twice before [...] you browse with internet exploder..

  18. Re:Questionable company by porkUpine · · Score: 2, Informative

    Juice is a community site. Google Altiris SVS for better information.

  19. Re:Nonsense by Teancum · · Score: 2, Insightful

    No this isn't virtual memory.... it is a virtual machine. Memory and CPU registers are supposed to be separated and each process is supposed to be divided so they can't directly access each other but rather need to route through the operating system in order to send information to each other. Only in practice this doesn't always happen.

    And this is a problem with VMWare as much any other sort of processor division. The main problems was that once the virtual machines were set up for each process in Windows, all sorts of holes were punched into the environment for message passing and other issues that allowed for inter-process communications. And *THAT* is where the security holes came into play.

    All VMWare and other similar software provides is another level of abstraction... and some initial security that Windows supposedly provided originally but then ignored with a drive to provide inter-process actions. The same thing can happen with Virtual Machines... and between networked computers. Just that it is another level of abstraction moving up the food chain.