Cyber crooks hijack 10,000 websites

More than 10,000 websites have been infected by a sophisticated and fast-acting Trojan downloader that attempts to install malware on visiting PCs. At least one security firm, Trend Micro, is working with the FBI to contain the damage and track down the perpetrators. The attack is noteworthy for the number of sites it has …

COMMENTS

This topic is closed for new posts.
  1. Stuart

    Hmmmm

    Anyone else wondering if it is the anti-malware companies themselves creating this software just to keep themselves in business?

  2. Andy Turner

    Sadly I think it's genuine

    "Anyone else wondering if it is the anti-malware companies themselves creating this software just to keep themselves in business?"

    Not me. Many years ago I used to think this about anti-virus software, but malware is different because there's a huge amount of money to be made by the criminal elements (via botnet extortion, password logging etc.), that it's creating the professional levels of resources we're seeing.

  3. Anonymous Coward

    Well yes, since you mention it...

    " Anyone else wondering if it is the anti-malware companies themselves creating this software just to keep themselves in business? "

    Yep, just you and every other paranoid nutjob kook since the beginning of Usenet.

  4. Dillon Pyron

    Sure

    " Anyone else wondering if it is the anti-malware companies themselves creating this software just to keep themselves in business? "

    Sure, and there's a vast conspiracy amongst lawyers to promote crime in order to keep them all employed (prosecutors and defense).

    I got an email from my hosting service Monday morning saying that they had temporarily disabled PHP because of "certain threats". They turned it back on Monday evening, so there must be some sort of fix. I don't use PHP, Javascript, Active-X or any other of those malware vectors.

  5. Alan Welk

    Just rename it

    'IFramed' compatible with Organized Crime or Police (Cross platform version)

  6. Franklin

    The Vast Anti-Virus Conspiracy

    "Not me. Many years ago I used to think this about anti-virus software, but malware is different because there's a huge amount of money to be made by the criminal elements (via botnet extortion, password logging etc.)"

    Same is true of viruses. Viruses, like malware, are written for profit, often by Eastern European organized crime. Viruses install remote command-and-control or mail-server software (or both) onto infected PCs; lists of infected PCs are then sold to spammers, or to people who use them to create "botnets" for extortion or DDoS rackets.

    The antivirus companies don't NEED to invent fictitious threats for their software to circumvent.

  7. Chuck

    So, where is a problem?

    I can't find the problem here actually. Nowadays keyloggers are so widespread that it would be silly enough to surf the Internet without having an anti-keylogger installed. Moreover we can find numerous sites on the Internet dedicated exactly to anti-keylogging protection (like www.anti-keylogger.org or others), so I can't find a problem here....

  8. Daniel Ballado-Torres

    Yet another reason to hate Javascript

    .. and all of these exploits are thanks to crap like "ActiveX", "Visual Basic (Script)", and "Javascript" being given carte blanche to do just about anything.

    When I thought Javascript was dying thanks to server-side webapps (PHP, Java/JSP, J2EE, .net, ASP) somebody had to "invent" AJAX, bringing in the Web 2.0 buzz.

    Now lots of sites *require* Javascript to function, and Javascript itself seems to be turning into the new ActiveX.

    BTW, PHP isn't a malware vector unlike ActiveX/Javascript, because PHP's run on the server side. That said, PHP apps themselves might be exploitable...

  9. Steve Roper

    To all Javascript/PHP haters

    If you want your website to be anything more than a document repository, some form of user-responsive scripting is essential. Some of the important uses of Javascript are:

    * Instant/real-time form validation

    * Foldout and rollover help guides on Web pages

    * Warning alerts when a user makes an error

    * CSS-to-browser matching

    * Browser compatibility checking

    * Frame killers to prevent other sites from framing or obfuscating yours

    * Email address hiding to protect your email from spam spiders

    * Pre-emptive page and image loading to speed up browsing and balance server load

    * Dynamic in-page information updates

    Yes, lots of sites require Javascript because without it they CAN'T function! Try using iGoogle with Javascript turned off - it can't do any of the things it does. Try creating a web page without it, and see how it messes up in Internet Suxplorer while displaying correctly in Firefox, or vice versa. Try creating a Web form without it, and see how many angry emails you get from users wasting time waiting for a server to tell them they forgot to enter something, so they have to enter all that data over again.

    Browsers these days have all sorts of security options built in to control renegade Javascript. I've been to dozens of malware sites and watched while they tried to install something on my PC, only to be thwarted by my clicking No in all the "This site is trying to install XXX-Toolbar, do you want to allow this" dialogues that pop up.

    You can set your security options to prevent Javascript from doing unsavoury things like silent installing, opening popups, blocking the context menus, or changing the status bar text or browser chrome.

    All our sites use Javascript, if only to hide our email addresses and ensure cross-browser compatibility. Damned if I'm going to expose my email address to spam spiders, or leave my site looking a mess in Internet Suxplorer, just because some twat's too paranoid to turn on Javascript or too lazy to check their security settings. Come to our sites with Javascript turned off and all you get is a page telling you to turn it on if you want to proceed. (Ah, I love the <noscript> tag!) Yes, we get a few complaints. But the vast majority of our customers love our sites, so for those few that don't like it, tough - go elsewhere, if you can find an "elsewhere" that doesn't use Javascript and provides the same service.

    Blanket-blocking Javascript simply reduces your web experience to passive page viewing. Spend some time in your browser options learning about and configuring your security settings. When you go out on a Friday night, you spend time checking that you have your keys, wallet, comb, mobile phone etc. before going out. Do the same before going out on the internet.

    ----------

    @Daniel Ballado-Torres: Java and its various incarnations are CLIENT-SIDE applications - why do you think you have to install the JVM on your machine before you can view any Java applets?

  10. Jeff Power

    Re: To all Javascript/PHP haters

    Umm, the issue here isn't that people are being complete idiots and clicking yes or going to suspect web sites.

    The issue is that, first of all, legitimate web sites have had nasty code injected into them, and that said nasty code exploits security loopholes in various browsers' implementations of your precious javascript.

    I turn off javascript because:

    A: The nasty people are very good at figuring out these security loopholes, and often put them to use before a working patch is available.

    B: Sites I wouldn't have a reason to distrust on the surface, may have dodgy security and be susceptible to the attacks we are seeing reported in this article.

    C: Javascript is often used not just for good, helpful things like forms validation and such, but for things like annoying scrolling text and other crimes against my eyes.

    When I really need to use javascript for a site, I temporarily enable it with NoScript. If I go there everyday and don't worry about "B" happening, it gets permanently enabled, like iGoogle.

    Now, full-fledged Java is another thing. I hate it because of the amount of resources I have always seen it use up just using it.
