Slashdot Mirror


Growth of the Underground Cybercrime Economy

AC50 writes "According to research from Trend Micro's TrendLabs, compromised Web sites are gaining in importance over malicious sites created specifically by cyber-criminals. The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."

17 of 94 comments

  1. Any site by Merls+the+Sneaky · · Score: 5, Informative

    Any site serving up adverts is potentially serving up malware. Durr.....

  2. it's called No Script by timmarhy · · Score: 4, Informative

    ... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:it's called No Script by Anonymous Coward · · Score: 3, Informative

      NoScript doesn't help if a site already on your whitelist gets compromised.

    2. Re:it's called No Script by mlts · · Score: 4, Interesting

      I think as time goes on, perhaps the best way to browse the Web is having a virtual machine running under a dedicated, locked down user, so if the OS in the VM is compromised, an unknown exploit that might let malware out of the VM to compromise the host would be stopped. It's not 100%, but it seems to be the best way of doing things. Of course, the Web browser should have Noscript and Adblock functionality for a lock on the front door.

      Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory. Vista's protected mode in IE7 is a start, where IE7 does not have access to the full Registry, but is more separated from the rest of the machine with limits on CPU and other resources.

    3. Re:it's called No Script by jesser · · Score: 4, Informative

      An interesting feature of google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links. I wonder how viable it would be to have a firefox plugin that did something similar.

      Firefox 3 does this. If you start to load a site that's in Google's database of malicious (and compromised) pages, Firefox 3 will show a big red "Suspected attack site!" thing instead of parsing the page.

      Mozilla and Google put a lot of effort into making it possible to do this without slowing down page loads. Firefox downloads a list of 32-bit hash prefixes for compromised sites. If a hash prefix matches (which will happen on any malicious page load and perhaps 0.1% of other page loads), Firefox asks Google for the rest of the hash. Both the local database lookup (which can require disk access) and the possible request to Google happen in parallel with Firefox resolving the DNS entry and connecting to the site.

      Last week, the site of Firebug author Joe Hewitt was compromised, and Firefox 3 Beta 3 users saw this.

      --
      The shareholder is always right.
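
      The prefix-then-full-hash lookup jesser describes, as an added example that is not part of the original thread and not Mozilla's or Google's code. It assumes SHA-256 over a single lowercase host+path expression per URL (the real client also hashes parent hosts and path prefixes), keeps only 4-byte prefixes locally as the comment says, and stands in for the remote full-hash service with an in-process class that counts requests so you can see that clean pages never cost a round trip and that a prefix collision is resolved to "clean" rather than blocking the page:

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # 32-bit prefixes, as described in the comment above


def canonical_expression(url: str) -> str:
    """Reduce a URL to one lowercase host+path string to hash.

    Constructed simplification: the real client also hashes parent hosts and
    path prefixes of the URL and looks every one of them up."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host + path  # the fragment is not part of the expression


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonical_expression(url).encode("utf-8")).digest()


def prefix_of(h: bytes) -> bytes:
    return h[:PREFIX_LEN]


def build_prefix_list(bad_urls):
    """What the client downloads and stores: prefixes only, never full hashes."""
    return {prefix_of(full_hash(u)) for u in bad_urls}


class FullHashServer:
    """Stand-in for the remote full-hash lookup (constructed, not a real API).
    Counts requests so the caller can see which lookups went over the network."""

    def __init__(self, bad_urls):
        self.by_prefix = {}
        for u in bad_urls:
            h = full_hash(u)
            self.by_prefix.setdefault(prefix_of(h), set()).add(h)
        self.requests = 0

    def lookup(self, prefix: bytes):
        self.requests += 1
        return self.by_prefix.get(prefix, set())


def check_url(url, local_prefixes, server):
    """Return (verdict, asked_server).

    Only a local prefix hit triggers a request for the full hashes, and only a
    full-hash match blocks the page; a prefix-only match is a collision."""
    h = full_hash(url)
    p = prefix_of(h)
    if p not in local_prefixes:
        return ("clean", False)
    if h in server.lookup(p):
        return ("blocked", True)
    return ("clean", True)  # same 32 bits, different page


if __name__ == "__main__":
    bad = ["http://compromised.example/index.php"]  # constructed sample list
    local = build_prefix_list(bad)
    server = FullHashServer(bad)
    for u in ["HTTP://Compromised.Example/index.php#top", "http://safe.example/"]:
        print(u, check_url(u, local, server))
    print("full-hash requests made:", server.requests)
```

      Because the local list holds only prefixes, the browser never learns the full blacklist, and the server only ever sees a 32-bit prefix rather than the URL being visited; the roughly 0.1% of innocent pages whose prefix collides do cost one request, which is the trade-off the comment describes.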
    4. Re:it's called No Script by Ed+Avis · · Score: 4, Informative

      Note that all modern operating systems do run each process in its own virtual machine. The process sees its own memory space that has no relation to the physical memory layout of the machine (indeed, it may even be bigger) and it has no direct access to the hardware. It gets CPU time that doesn't correspond to any one physical CPU; it may get timeslices from different CPUs if the operating system decides this. If it wants to read or write a file, it has to make a call to the operating system which first checks it has the appropriate permissions and then arranges for the I/O without allowing the user process to talk to the disk directly. Nor can processes access memory belonging to a different process, unless both agree to set up a shared memory scheme.

      The problem is not lack of virtualization. Everything is virtualized already. The problem is excessive permissions given to the programs running in each virtual address space. For example, the web browser should not have any rights to save files outside a designated 'downloads' directory.

      --
      -- Ed Avis ed@membled.com
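
      The confinement Ed Avis asks for, a browser that may write only inside a designated downloads directory, as an added example that is not part of the original thread. It assumes the policy is enforced on the resolved filesystem path (so `..` segments and symlinks planted inside the directory are judged by where they really point), and the demo builds a temporary downloads directory of its own:

```python
import shutil
import tempfile
from pathlib import Path


def confine_to_directory(root_dir, requested_name):
    """Return the absolute target path if it lies inside root_dir, else None.

    resolve() follows symlinks and collapses '..', so the decision is made on
    the real location that would be written, not on the string the page gave."""
    root = Path(root_dir).resolve()
    candidate = (root / requested_name).resolve()
    if candidate == root:
        return None  # empty or '.' name: nothing sensible to write
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escapes the downloads directory
    return candidate


def run_demo():
    """Exercise the check against a constructed temporary downloads directory.
    Returns a name -> 'allowed' / 'blocked' / 'skipped' map."""
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    try:
        results = {}
        for name in ["report.pdf", "sub/dir/file.txt",
                     "../../etc/passwd", "/etc/passwd", ".."]:
            results[name] = "allowed" if confine_to_directory(downloads, name) else "blocked"
        # A symlink inside the directory that points outside must be refused too.
        link = downloads / "escape"
        try:
            link.symlink_to(downloads.parent, target_is_directory=True)
            target = confine_to_directory(downloads, "escape/secret.txt")
            results["escape/secret.txt"] = "allowed" if target else "blocked"
        except OSError:
            results["escape/secret.txt"] = "skipped"  # platform without symlinks
        return results
    finally:
        shutil.rmtree(downloads, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:8} {name}")
```

      The check is the policy decision only; on a real system it would sit behind the OS (a sandbox profile or mandatory access control on the browser process), since a check inside the browser is bypassed the moment the browser itself is compromised.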
  3. Forth malware by Chris+Burkhardt · · Score: 3, Funny

    > [...] can serve forth malware

    Serve Forth malware from a website? I'd be more concerned about JavaScript malware and the like.

    --
    "And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12
  4. I sure hope by iminplaya · · Score: 5, Funny

    Slashdot is safe. It's the only site I visit. Make sure not to open the articles. You never know.

    --
    What?
  5. The Power of Google by TubeSteak · · Score: 4, Interesting

    http://www.google.com/search?q=site:.edu+viagra
    http://www.google.com/search?q=site:.gov+viagra
    Only two pwned sites in the top 10 for .gov
    It'd be ironic if idtheft.utah.gov was handing out malware.

    Replace viagra with other spamwords & you'll get more of the same

    --
    [Fuck Beta]
    o0t!
    1. Re:The Power of Google by TubeSteak · · Score: 4, Interesting

      I hate replying to my own comments, but the States seem to be doing a much poorer job than the Federal Government.

      http://www.google.com/search?q=site:k12.ny.us+viagra
      That brings up pwned K-12 school websites from New York

      http://www.google.com/search?q=site:.ny.us+ringtones
      This frequently brings up state websites
      EG: New York State's Division of Military and Naval Affairs website has been exploited.

      I don't mean to pick on New York, but they seem to be worse than many other States.
      Replace .NY. with your state's abbreviation

      --
      [Fuck Beta]
      o0t!
  6. Windows XP SP3 by Myria · · Score: 4, Insightful

    Microsoft needs to get their new service pack out the door. No, I don't mean Vista SP1. Microsoft needs to get XP SP3 out. So many people think Windows Update is some silly annoyance that Microsoft threw in there for who knows what. They never heed the requests to install updates and reboot, since that takes so long. Then when their machine slows to a crawl with adware, they ask us to fix them. And in other cases, their computers join a botnet and spam us all.

    XP SP3, on the other hand, can have marketing support behind it. Articles can talk about it and how to install it, and people won't get so annoyed at a one-time installation. XP SP3 includes fixes for the still-quite-popular ADODB.Stream and animated cursor exploits, and at this point, finding browser exploits is getting into diminishing returns. Now that Microsoft cares, Windows is having its code audited much more thoroughly than when XP SP2 was made.

    Service packs also give Microsoft an opportunity to release fixes for security holes found internally, since service packs are so different from the previous version. If they patched holes quickly like Firefox does with incremental patches, they'd be revealing those holes to attackers armed with machine code diff programs.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    1. Re:Windows XP SP3 by erroneus · · Score: 3, Insightful

      Is there something in SP3 that will magically fix the stupidity of users or will it patch the Windows kernel with a Linux kernel?

    2. Re:Windows XP SP3 by techno-vampire · · Score: 3, Funny

      > Then when their machine slows to a crawl with adware, they ask us to fix them.

      You must have a well-trained set of users. Most people just buy a new computer when that happens.

      --
      Good, inexpensive web hosting
  7. It's a problem, but the size is limited. by Animats · · Score: 5, Informative

    We have a list of major sites being exploited by active phishing scams, which we update every three hours. There are 56 sites on the list right now. Most sites don't stay on the list too long, but we still have 14 that have been on the list since last year. Most of them are DSL service providers with compromised machines they haven't kicked off. Some providers are proactive about this, and some aren't. Then there are a few compromised sites that just have no clue about how to fix their problem. One such site is the teacher web space for a school district.

    By, well, nagging, we've been able to get the big players to fix their problems. Google, Yahoo, MSN, and Dell were all on the list at one point, but they've all tightened up their systems.

    The points we make with this list are that 1) the number of major sites involved is small, and 2) blacklisting at the second level domain level causes acceptable levels of collateral damage. So go ahead, blacklist the whole second level domain in your phishing filters. Think of it as a way to encourage sites to clean up their act. Or as a way to find out where to apply the clue stick.

    This list is about "major" sites, ones in Open Directory (1.7 million sites). The issue there is with attackers trying to steal the credibility of the major site. At the other end of the scale, any domain less than a few weeks old probably isn't worth connecting to. Or at least it should be read with all executable content disabled, including HTML email. Also, any link with more than one redirect probably shouldn't be followed.

    It's easier to filter out the attackers if you're willing to filter out the bottom-feeders as well. But that's another story.
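
    The three filtering rules Animats lays out (blacklist at the second-level domain, distrust domains only a few weeks old, refuse links with more than one redirect), as an added example that is not part of the original thread and not the poster's own list or code. The blacklist entries, the registration date and the redirect chain are constructed inputs: in practice the date would come from WHOIS and the chain from a fetcher recording Location headers. "Second-level domain" is taken literally as the last two labels, which is wrong for country-code suffixes such as .co.uk; a real filter would consult the Public Suffix List there:

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed sample blacklist; the list the comment refers to is not reproduced here.
PHISHING_DOMAINS = {"compromised-host.example"}
MIN_DOMAIN_AGE_DAYS = 21  # "less than a few weeks old"
MAX_REDIRECTS = 1         # "more than one redirect probably shouldn't be followed"


def second_level_domain(host: str) -> str:
    """Last two labels of the host, so every subdomain of a listed domain matches.
    Assumption: one-label public suffix; use the Public Suffix List for .co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(url, redirect_chain=(), domain_created=None, today=None):
    """Return the list of reasons to refuse the link; an empty list means follow it.

    redirect_chain: URLs visited via redirects before reaching `url`.
    domain_created: registration date of the domain, if known (from WHOIS)."""
    today = today or date.today()
    reasons = []
    host = urlsplit(url).hostname or ""
    if second_level_domain(host) in PHISHING_DOMAINS:
        reasons.append("second-level domain is on the phishing list")
    if domain_created is not None and (today - domain_created).days < MIN_DOMAIN_AGE_DAYS:
        reasons.append("domain registered less than %d days ago" % MIN_DOMAIN_AGE_DAYS)
    if len(redirect_chain) > MAX_REDIRECTS:
        reasons.append("followed %d redirects" % len(redirect_chain))
    return reasons


if __name__ == "__main__":
    ref = date(2008, 3, 1)  # constructed "today" so the output is reproducible
    samples = [
        ("http://teachers.compromised-host.example/~user/login", (), None),
        ("http://brand-new.example/", (), date(2008, 2, 20)),
        ("http://final.example/", ("http://a.example/", "http://b.example/"), None),
        ("http://old.example/", ("http://x.example/",), date(2000, 1, 1)),
    ]
    for url, chain, created in samples:
        print(url, assess_link(url, chain, created, ref) or ["ok"])
```

    Matching on the second-level domain is what makes the collateral damage the comment accepts: a compromised teacher's page under a district domain takes the whole district with it, which is the intended pressure on the site owner.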

  8. This doesn't defy conventional wisdom by iamacat · · Score: 4, Insightful

    A trustworthy website will remove malware after the first complaint and will give subsequent visitors a warning and a tool to remove the malware in question. There is still a risk; however, the chance of encountering malware on a bank website is significantly less than 100% versus purposely malicious domains, and the owner is spending effort to protect you rather than infect you.

    Or you could just install all updates for your favorite OS or a 3rd party browser and virtually eliminate the chance of unintentionally installing a malware executable. Even IE7 is positively fascist when it comes to downloads and plugins these days.

    1. Re:This doesn't defy conventional wisdom by marzipanic · · Score: 3, Informative

      Ah yes, ActiveX controls etc. I like the fact, and it is impressive, that Windows Defender (compulsory with Vista) blocks Windows Live Toolbar! A nation divided cannot stand.... Nothing beats common sense (trademarked) though, does it?

      Most of the hosts are not aware their site has been "infected" half of the time. I used a site regularly until one day it tried to download some malware in an iframe and an flv file. Not aware at all their site had got a problem.

      Not helped by some people who use a certain "site advisor" program giving it a green tick because it was "full of pretty, cool and amazing things" instead of looking at what their anticrapware app was singing / doing and warning people accordingly.

      For that fact alone I refuse to bank online, I just feel safer. Call me old fashioned....

      --
      In the name of sticking up for someone with autism, f**k you! Prejudiced bastard.... that is unlawful and linuc for dumm
  9. Truth wrapped up in FUD, and the way forward... by argent · · Score: 4, Insightful

    I've been beating the drum about Internet Explorer and its deliberate malware distribution features like ActiveX for years. Over 10 years, in fact, since it was 1997 when Microsoft introduced Active Desktop...

    When people tell me "oh yes, I use Internet Explorer, but I only visit well known websites I can trust" I have been able in some cases to convince them that thanks to forums and other sources of third party content even "trusted" websites can source malware.

    Despite what Trend Micro suggests, the best approach to security is still taking proper care with the software you use. They talk about attacks on embedded devices like cellphones, but note that they're primarily talking about their potential as backdoors for infected files, not about their embedded browsers being attacked directly. Antivirus companies want antivirus software installed on everything... that's how they make money... but until they ship software that is purely a scanner and doesn't patch the OS you're more likely to have the AV software than any virus damage your PDA, cellphone, or non-Windows PC.

    But taking care with the software you use DOESN'T mean only using bad software on good websites, but not using bad software at all. The best antivirus, then, is to avoid using software that deliberately includes backdoors to allow automatic installation and execution of unsandboxed code from websites. The poster boy for this insane design is, of course, Internet Explorer, which is actually built around this model and were Microsoft to fix it they would have to break a lot of working products. But there are similar design flaws, albeit ones not so automatically easy to exploit, in other browsers... for example Firefox and Safari will happily install code for you if the code is wrapped up in the appropriate package. In Firefox that package is the XPI... and I would recommend keeping the list of whitelisted sites in Firefox empty at all times. In Safari that package is the Dashboard widget, and the option 'Open "Safe" Files after downloading' which is now (thankfully) off by default in new installs (though it doesn't prevent Dashboard widgets from being installed).

    And now Microsoft is pushing a cross-platform infection vector under the name Silverlight, and there's an open-source clone of it by the name "Moonlight" under development. Some days I despair, truly.

    And no number of "I'm about to do something stupid, is this OK?" dialog boxes are good enough. After 20 years as a system administrator, the last several years of which were spent fighting an increasingly frustrating battle against malware riding on this misfeature of Microsoft's security model, I can only recall one time where someone was *twice* convinced to download and explicitly run an infected file from the shell... but I've repeatedly had people come to me saying "Peter... I clicked on the wrong button again, and my computer's acting funny".

    If you're a software developer, and you find yourself adding an "I'm about to do something stupid" dialog... please reconsider whether it's actually necessary. It almost never is. People really would rather explicitly download and install a plugin, for example, than have the browser pop up annoying messages all the time. Really.