Legitimate Sites the Source of Most Malware
By Dave Nixon
January 28, 2008
According to a senior security researcher, the majority of websites serving malware are legitimate. Dan Hubbard, Websense's vice president of security research, said that legitimate sites taken over by hackers now outnumber sites built to be malicious.
According to data compiled by Websense, 51 percent of the sites it categorised as malicious in the second half of 2007 had been compromised and then seeded with attack code that infected unpatched machines visiting the URLs. The remaining 49 percent were "intentionally built for malicious intent," the Websense report said.
Hacking genuine sites to make them pass on malware gives attackers instant advantages, said Hubbard. “It’s a great vector because they don’t need to drive users to the sites in many cases; they also get free hosting, of course, and it’s hard to trace ownership,” Hubbard said. “Additionally, if someone is allowing access based on reputation, then they may go undetected.”
The success for hackers - who gain exposure to the built-in audience of a hacked site's normal visitors - is a disaster for everyone else, a fact demonstrated by numerous prominent incidents in which hacked sites served malicious code.
Last year, for instance, the websites of Dolphin Stadium and the Miami Dolphins NFL team, host to Super Bowl XLI, were compromised so that they served malicious JavaScript to visitors that, in turn, attempted to load a Trojan onto unpatched PCs.
In August 2007, the Bank of India, one of that country’s principal banks, was also found to contain malicious code after being compromised. Later, criminals connected with the notorious Russian Business Network, a St. Petersburg-based malware and hacking hosting network, were implicated in the Bank of India attack.
The trend is increasing, said Hubbard, who noted that the previous report put the share of malicious sites that were actually compromised genuine domains in the mid-30 percent range. Indeed, a pair of recent mass hacks - one that compromised upward of 90,000 sites and another at least 10,000 - confirmed the scale of the problem.
Hubbard also offered an estimate of the number of sites serving malicious code. "Counting sites can be a tricky game because there are sometimes entire domains we classify that have thousands of pages," he said. "However, it's safe to say that at any given time, we have more than 2.5 million in the malicious categories."
Sites are hacked in a variety of ways, said Hubbard, who noted that no single method stands out. "Compromises are all over the place, unfortunately, including misconfigurations, no patches and so on."
A considerable number of the sites, however, are compromised by the multi-exploit tool kits made notorious by Mpack and Neosploit. Websense estimates that 19 percent of malicious sites were built or compromised using such tool kits.
“Exploit tool kits are being utilised more than ever,” Hubbard said. “This can be a sign of increased sharing or increased numbers of sites that the same groups are attacking and infecting successfully.”