The explosion in drive-by download attacks continues to grow. How has the situation got so dangerous? Are there any "trusted" Web sites left?
In May 2007, Google joined the security community in warning users about the threat from drive-by download attacks, in which users' computers are infected with malware when they visit an affected Web site.
By February 2008, the number of drive-by download attacks had increased by 300 percent and showed no signs of abating. Google's researchers investigated billions of URLs and found more than three million unique URLs on over 180,000 Web sites were attempting to automatically install malware.
The drive-by download phenomenon has destroyed the concept of a "trusted" Web site. In the first half of 2007, Sophos claimed to have discovered around 30,000 malicious Web sites appearing every day. Only 20 percent of these were actually run by the criminals deploying the malware -- the rest were genuine, and previously "trusted" sites that had been hacked by criminals to deliver their malware.
"It's no surprise to see legitimate Web pages targeted for these attacks," said Carole Theriault, senior security consultant at Sophos. "Businesses generally aren't too strict about stopping their employees accessing these Web sites, while the sites themselves will already have their own daily flow of user traffic, saving hackers the trouble of trying to entice unenlightened Web surfers."
The appearance of toolkits, which make it simple to turn any Web site into a malicious one, has exacerbated the problem.
The best-known toolkit, Mpack, uses cross-site scripting to place malicious iframes on legitimate Web sites. Iframes are used by Web designers to open additional windows (often hosted on other sites) within a main Web page; iframes can also be used by criminal hackers to redirect browsers to malicious-code sites.
The criminals perpetrating these attacks rely on users with unpatched browsers, operating systems and applications stumbling on a site that contains their malware.
Unfortunately, the sheer volume of software on the average PC makes it near impossible for the majority of users to remain completely safe from such attacks.
Sites that have recently been discovered dishing out malware to unsuspecting surfers include The Sydney Opera House, The Bank of India, Facebook, MySpace and at least ten of the AFL team Web sites.
ZDNet.com.au has compiled this guide to help you understand, and better deal with, the threat from drive-by downloads.
Security vendor Trend Micro's UK and Japanese Web sites were hacked last week; attackers managed to inject malicious iframes into their "virus encyclopaedia" pages.
Unpatched PCs running Internet Explorer could fall victim to adware when visiting social networking site Facebook.
Security experts are warning Bank of India customers to steer clear of its official Web site because it is serving up several information-stealing Trojans.
Google has flagged the Web sites of 10 Australian Football League (AFL) clubs as potentially dangerous, preventing visitors from accessing the teams' sites via the search engine.
Sun has denied its staggered patching schedule for a recent Java flaw put billions of devices at risk.
Recently fixed vulnerabilities in Sun's Java Runtime Environment and Adobe's Flash player mean that unpatched systems are vulnerable and could be infected with spyware or recruited into a botnet by simply visiting a Web page with exploit code -- and Google last month warned that 10 percent of Web sites contain this kind of malicious code.
The Web site of the Sydney landmark has been found to harbour malware but it has been described as an "irritant" rather than a "major security risk".
Microsoft's release of a "critical" patch on Tuesday poked holes in Vista's security promises, but security experts advise against discounting the new operating system.
Between 2006 and 2007, there was an almost threefold rise in flaws found in Microsoft software, according to vulnerability-scanning company Qualys.
Security research firm Secunia has reported what it calls an "extremely critical" vulnerability in media-streaming program Apple QuickTime.
On Monday, Adobe patched vulnerabilities in versions 8.1 and earlier of its Acrobat and Acrobat Reader. If exploited, an attacker could launch malicious code on an affected system.
Researchers have found some holes in Google's Android SDK that could make the software vulnerable to hack attacks.
Skype has fixed a critical security hole in the latest version of its Windows VoIP software, which could have allowed specially crafted Web sites to load and run malicious code on victims' PCs.
Vulnerability-testing company Secunia has slammed one security vendor for having "inherent code problems" in its backup and antivirus software.
Researchers have shown how to exploit a flaw within QuickTime, allowing an attacker to make money stealing from innocent Second Life victims.
With one new Web site compromised every 14 seconds, including some of the biggest names, it's almost impossible to tell what's a "trustworthy" Web site. But who's at fault for exposing Internet users?
Restricting your Web surfing to "trusted" sites is no longer enough to keep your machine safe from malware, according to security experts.
Cybercrooks who rig Web sites to break into PCs are getting better at hiding their malicious code, a security expert said this week.
Thousands of Web sites have fallen victim to an attack using just one line of code that maliciously redirects browsers via JavaScript to servers that are hosting a variety of drive-by exploits. Multiple browsers and operating systems are affected by this code if not correctly patched.
In January of 2008, ScanSafe reported that it had discovered more than 200 UK-based Web sites that were using malicious JavaScript to place trojans and rootkits onto victims' machines.
Security experts demand more vigilance by Web-hosts to curb the explosion in malware-infected Web sites, which are appearing at a rate of 30,000 per day, according to Sophos.
Internet-borne security threats have taken over the mantle as a greater risk to companies' security than e-mail attacks, according to security vendor Sophos.
Cyberattacks today have become so complex that there may be no real way to completely protect against them, internet security researchers have warned.
Disabling the majority of features in a Web browser may be the safest bet to keep malicious hackers at bay, says a US-based IT security watchdog.
Web application vulnerabilities are simple to fix but they're here to stay and will likely get worse, say security analysts.
If Mac users fall for scams that PC users have faced for years, it won't be long before money-hungry crime gangs exploit them, say security experts.
"Lighter" is the key word Symantec hopes customers will feel when installing Norton 360 version 2.0, which is the company's security and backup system for small business and home users that was launched today.
Security researchers worked overtime in 2007, which turned out to be a nightmare for software vendors from day one. In January alone, Apple, Google, Microsoft and Adobe were just some of the household names embarrassed for leaving gaping holes in their products.
We sat down with security analyst Andrew Walls at Gartner ITExpo and asked him how Web 2.0 affects application security.
Apple computers have built a solid reputation on being virus-free, but is the reality different from the image?
While they present a wonderful opportunity to meet people with similar interests, sites like MySpace, Facebook, and even LinkedIn can also cause trouble.
The thriving community of Internet users that are opting for a 'Second Life' in virtual worlds are a tempting market for advertising. But is a virtual presence a viable option for big business?
Kimmo Alkio takes stock of the current state of hackers, attackers, dot-bank domains and mobile phone viruses.
This PDF contains everything you may ever want to know -- and probably a lot more -- about Mpack.
Spyware continues to evolve and expand across the Internet. It annoys customers, consumes bandwidth and computing capacity, exposes an Enterprise to liability and security risks, and reduces productivity.
Defending against today's diverse array of security risks can be an enormous drain on corporate resources; especially for emerging and growing businesses which need to protect themselves against exactly the same threats as large scale enterprises, but with only a fraction of the IT resources.
Now more than ever, businesses need to be concerned about the security of their networks. The number, variety and strength of the threats to computer and network security have dramatically increased and businesses need to be prepared against an ever-changing landscape of malware attacks.
A recent survey showed that only 30 percent of computer users thought that 2008 would be a better year for internet security. Despite vast improvements in technology, hackers have responded by upping their game. Their main focus remains financial gain, and new methods to steal from users and companies continue to emerge. The Sophos security threat report talks about recent attacks and gives predictions and advice for 2008.
Employees installing and using unauthorised applications like Instant Messaging, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. This paper looks at why it is important to control such applications, discusses the various approaches, and highlights how integrating this functionality into malware protection is the simplest and most cost-effective solution.
Over the years, malicious software has attempted every trick in the book when it comes to hooking into an operating system, not only to remain persistent at the time of execution but also beyond system reboots. This paper will describe how hooking into the operating system has changed over the years, including some examples of the most "interesting" methods from MS-DOS, early Windows versions and present-day methods.
Internet crime is big business. A decade ago, writing harmful software was largely driven by individual hackers' desire for recognition. Today, profit is the clear motive. Organised groups of criminals create the tools and the distribution mechanisms for a wide variety of harmful software that can be used in criminal enterprises. Their software perpetrates harm well beyond offensive photos or annoying pop-up ads. They can steal one's passwords, draining the bank account or running up one's kid's online gaming bill.
Employees spend many hours on the Internet, and much of the time isn't used for their work. A recent study by Salary.com and America Online found that US employees squander an average of two hours of company time online every day, time that costs their companies $759 billion annually. Employers face serious problems with employees' improper use of the Internet, including viruses from downloads of software and other materials found online.
So far 2007 has been a very interesting and unexpected year on many security fronts. The IBM Internet Security Systems X-Force research and development team discovered, analysed and recorded new vulnerabilities and the status of varying threats throughout the first six months of this year. That data is compiled in this report.