Growth of the Underground Cybercrime Economy

AC50 writes "According to research from Trend Micro's TrendLabs compromised Web sites are gaining in importance on malicious sites created specifically by cyber-criminals. The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."

Any site

[Merls the Sneaky (1031058)]

Any site serving up adverts is potentially sering up malware. Durr.....

Re:

[PlusFiveTroll (754249)]

Thank You for failing the game, please try again. Many of the criminals doing said things in articles are in countries that turn a blind eye to such crimes.

it's called No Script

[timmarhy (659436)]

... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster.

Re:

[CSMatt (1175471)]

Seconded, and also only allow whitelisted cookies.

Re:it's called No Script

[mlts (1038732)]

I think as time goes on, perhaps the best way to browse the Web is having a virtual machine running under a dedicated, locked down user, so if the OS in the VM is compromised, an unknown exploit that might let malware out of the VM to compromise the host would be stopped. Its not 100%, but it seems to be the best way of doing things. Of course, the Web browser should have Noscript and Adblock functionality for a lock on the front door.

Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory. Vista's protected mode in IE7 is a start, where IE7 does not have access to the full Registry, but more separated from the rest of the machine with limits on CPU and other resources.

Re:

[porkUpine (623110)]

I currently run Firefox in SVS (Altiris) (Along with the suggestions above). Basically Firefox runs in it's own virtual layer on the machine with no access to the "real" OS. I can run multiple instances to allow for different security settings. It's nice because I don't have to actually boot a VM just to surf the web safely. http://juice.altiris.com/glossary/term/252 [altiris.com]

Questionable company

[Futurepower(R) (558542)]

I notice that the Altiris site contains very poor writing.

It would be great to have a suggestion from a better company.

Re:it's called No Script

[Ed Avis (5917)]

Note that all modern operating systems do run each process in its own virtual machine. The process sees its own memory space that has no relation to the physical memory layout of the machine (indeed, it may even be bigger) and it has no direct access to the hardware. It gets CPU time that doesn't correspond to any one physical CPU; it may get timeslices from different CPUs if the operating system decides this. If it wants to read or write a file, it has to make a call to the operating system which first checks it has the appropriate permissions and then arranges for the I/O without allowing the user process to talk to the disk directly. Nor can processes access memory belonging to a different process, unless both agree to set up a shared memory scheme.

The problem is not lack of virtualization. Everything is virtualized already. The problem is excessive permissions given to the programs running in each virtual address space. For example, the web browser should not have any rights to save files outside a designated 'downloads' directory.

Re:

[Teancum (67324)]

No this isn't virtual memory.... it is a virtual machine. Memory and CPU registers are supposed to be separated and each process is supposed to be divided so they can't directly access each other but rather need to route through the operating system in order to send information to each other. Only in practice this doesn't always happen.

And this is a problem with VMWare as much any other sort of processor division. The main problems was that once the virtual machines were set up for each process in Window

Re:

[TubeSteak (669689)]

Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory.

http://www.sandboxie.com/ [sandboxie.com]
I read about it in the comments of some /. thread
All changes are written to a sandbox directory, convienently called "sandbox"
And you can launch more than just your web browser in it.

Re:

[Architect_sasyr (938685)]

An interesting feature of google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links. I wonder how viable it would be to have a firefox plugin that did something similar. Not so much the patching of the bugs, but maybe some sort of distributed (P2P) system that says "Yep, this is dangerous, we aint patched it yet, so go there if you like but we don't recommend it"

Might help out, might not. If I had something like that running in my company I reckon I co

Re:it's called No Script

[jesser (77961)]

An interesting feature of google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links. I wonder how viable it would be to have a firefox plugin that did something similar.

Firefox 3 does this. If you start to load a site that's in Google's database of malicious (and compromised) pages, Firefox 3 will show a big red "Suspected attack site!" thing instead of parsing the page.

Mozilla and Google put a lot of effort into making it possible to do this without slowing down page loads. Firefox downloads a list of 32-bit hash prefixes for compromised sites. If a hash prefix matches (which will happen on any malicious page load and perhaps 0.1% of other page loads), Firefox asks Google for the rest of the hash. Both the local database lookup (which can require disk access) and the possible request to Google happen in parallel with Firefox resolving the DNS entry and connecting to the site.

Last week, the site of Firebug author Joe Hewitt was compromised, and Firefox 3 Beta 3 users saw this [mozilla.com].

McAfee SiteAdvisor

[frog51 (51816)]

It's free and does a reasonable job at indicating risk level to the less computer savvy (in green, amber and red)

Re:

[kent_eh (543303)]

An interesting feature of google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links.

I got an e-mail from my Mom on Monday night that said:

I was downloading something into AVG, and I saw something in red letters that said it was a 'trojan horse'. Is that friend or foe? I think it's probably safe, but I thought I should check with you first..."

Yes, she's confused about what AVG's role in the download is, but that aside.
There was a banner popped up with big red letters, and the word "warning" and she still thought it might be safe.
I guess there is some glimmer of hope, given she had enough doubt to ask me, but still I'd submit she is among the "average users" that need their computers to protect them from themselves. I'm looking at some of the sandboxes that are being linked in this thre

Re:

[by Anonymous Coward]

NoScript doesn't help if a site already on your whitelist gets compromised.

Re:

[mrbluze (1034940)]

... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster.

..together also with a windows-free computer, I guess. But the problem is that websites people visit nowadays require scripts to be enabled. They will be deliberately targeted over sites which don't mandate scripting, so the problem remains. Best way is to design computer systems with the assumption that they will be hacked and then see how to prevent or minimize any damage, from the outset, instead of the old model which assumes the software was all honestly and flawlessly written.

Re:

[timmarhy (659436)]

you can selectively run the scripts. for example i block the analyitics scripts when i go to gmail but gmail still works fine

Re:

[xeoron (639412)]

Very true... but I often feel the safest while using Lynx or W3m

Re:

[red star hardkore (1242136)]

Kind of hard to progress also when you wake up some morning and find your life savings have been transferred to some dodgy account in Russia. It isn't fleeing in terror, it's putting a hold on things until developers realise that security is as important as functionality.

Forth malware

[Chris Burkhardt (613953)]

> [...] can serve forth malware

Serve Forth malware from a website? I'd be more concerned about JavaScript malware and the like.

Re:

[misleb (129952)]

Serve Forth malware from a website? I'd be more concerned about JavaScript malware and the like.

Haskell malware is the best!

I sure hope

[iminplaya (723125)]

Slashdot is safe. It's the only site I visit. Make sure not to open the articles. You never know.

Re:

[phalse phace (454635)]

Make sure not to open the articles. You never know.

Open articles? I don't think /.ers have anything to worry about.

The Power of Google

[TubeSteak (669689)]

http://www.google.com/search?q=site:.edu+viagra [google.com]
http://www.google.com/search?q=site:.gov+viagra [google.com]
Only two pwned sites in the top 10 for .gov
It'd be ironic if idtheft.utah.gov was handing out malware.

Replace viagra with other spamwords & you'll get more of the same

Re:The Power of Google

[TubeSteak (669689)]

I hate replying to my own comments, but the States seem to be doing a much poorer job than the Federal Government.

http://www.google.com/search?q=site:k12.ny.us+viagra [google.com]
That brings up pwned K-12 school websites from New York

http://www.google.com/search?q=site:.ny.us+ringtones [google.com]
This frequently brings up state websites
EG: New York State's Division of Military and Naval Affairs website has been exploited.

I don't mean to pick on New York, but they seem to be worse than many other States.
Replace .NY. with your state's abbreviation

So.... PEBCK

[ruinevil (852677)]

In the end, the majority of security problems lies with the user. We need better computer security education in schools and instill a healthy sense of paranoia in the youth.

Do we really need Trend Micro's PC-cillin?

Windows XP SP3

[Myria (562655)]

Microsoft needs to get their new service pack out the door. No, I don't mean Vista SP1. Microsoft needs to get XP SP3 out. So many people think Windows Update is some silly annoyance that Microsoft threw in there for who knows what. They never heed the requests to install updates and reboot, since that takes so long. Then when their machine slows to a crawl with adware, they ask us to fix them. And in other cases, their computers join a botnet and spam us all.

XP SP3, on the other hand, can have marketing support behind it. Articles can talk about it and how to install it, and people won't get so annoyed at a one-time installation. XP SP3 includes fixes for the still-quite-popular ADODB.Stream and animated cursor exploits, and at this point, finding browser exploits is getting into diminishing returns. Now that Microsoft cares, Windows is having its code audited much more thoroughly than when XP SP2 was made.

Service packs also give Microsoft an opportunity to release fixes for security holes found internally, since service packs are so different from the previous version. If they patched holes quickly like Firefox does with incremental patches, they'd be revealing those holes to attackers armed with machine code diff programs.

Re:Windows XP SP3

[erroneus (253617)]

Is there something in SP3 that will magically fix the stupidity of users or will it patch the Windows kernel with a Linux kernel?

Re:

[Myria (562655)]

Is there something in SP3 that will magically fix the stupidity of users or will it patch the Windows kernel with a Linux kernel?

No, but at least it will be harder for attackers to exploit them. There is a finite number of exploitable bugs in Windows XP and Internet Explorer, and since few new features are being added, few new bugs are being added.

As for Linux, are things really much different [slashdot.org]?

For very large values of finite.

[anandsr (148302)]

There are a finite number of exploitable bugs in Windows XP for very large values of finite.

Re:

[sumdumass (711423)]

They never heed the requests to install updates and reboot, since that takes so long. Then when their machine slows to a crawl with adware, they ask us to fix them. And in other cases, their computers join a botnet and spam us all.

This might be more because they havehad an experience where an update broke their computer or some app. This is probably especially true when SP2 came around because of it's ability to fail and render the computer useless if certain Spyware has been installed. They might have f

Re:Windows XP SP3

[techno-vampire (666512)]

Then when their machine slows to a crawl with adware, they ask us to fix them.

You must have a well-trained set of users. Most people just buy a new computer when that happens.

Re:

[cerberusss (660701)]

You're modded funny, but when a new Dell Vostro costs $299 and the machine is more than 2 years old, then it might be worth it.

Debunks nothing

[syousef (465911)]

The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware

I still believe you're still more likely to get malware on dodgy sites. As worded in the summary, this sounds like an excuse someone came up with to justify their penchant to troll for pr0n, war3z and mp3z.

It's a problem, but the size is limited.

[Animats (122034)]

We have a list of major sites being exploited by active phishing scams, [sitetruth.com] which we update every three hours. There are 56 sites on the list right now. Most sites don't stay on the list too long, but we still have 14 that have been on the list since last year. Most of them are DSL service providers with compromised machines they haven't kicked off. Some providers are proactive about this, and some aren't. Then there are a few compromised sites that just have no clue about how to fix their problem. One such site is the teacher web space for a school district.

By, well, nagging, we've been able to get the big players to fix their problems. Google, Yahoo, MSN, and Dell were all on the list at one point, but they've all tightened up their systems.

The points we make with this list are that 1) the number of major sites involved is small, and 2) blacklisting at the second level domain level causes acceptable levels of collateral damage. So go ahead, blacklist the whole second level domain in your phishing filters. Think of it as a way to encourage sites to clean up their act. Or as a way to find out where to apply the clue stick.

This list is about "major" sites, ones in Open Directory (1.7 million sites.) The issue there is with attackers trying to steal the credibility of the major site. At the other end of the scale, any domain less than a few weeks old probably isn't worth connecting to. Or at least it should be read with all executable content disabled, including HTML email. Also, any link with more than one redirect probably shouldn't be followed.

It's easier to filter out the attackers if you're willing to filter out the bottom-feeders as well. But that's another story.

Re:

[Ed Avis (5917)]

WTF? Are you suggesting that users should avoid infection by not visiting websites with a domain 'less than a few weeks old'? How are they going to verify this information before each page click? If this is really a good rule to follow, it needs to be built into the browser. You can't rely on users not to do something stupid when the definition of 'stupid' gets wider and wider each year.

It only takes one site to compromise the user's machine if the user is running something exploitable. Surely the only

Re:

[Animats (122034)]

You can't rely on users not to do something stupid when the definition of 'stupid' gets wider and wider each year.

Of course it has to be automated. That's what we're working on. Our free browser plug-ins will be out shortly.

Re:

[Animats (122034)]

There's a tinyurl on the list, but I don't see how that would serve any good. It should be the site the tinyurl points to, no?

"tinyurl.com" and "notlong.com" are phishing magnets, because phishing filters don't typically block their domain. So phishing sites use them to bypass filters. Those services try to keep up with phish reports and block those URLs, but they're falling behind. We encourage them to automate the process; as soon as a URL appears in any of the major phishing databases (PhishTank, A

No news is old news

[by Anonymous Coward]

Noughtly, disclaimer: I work for a Trend competitor.

Firstly, everyone in this market puts out these sort of research reports - monthly, quarterly, annually, it varies - partly to inform and educate, but mostly for the PR value. Of course everyone sees much the same threat environment, so they're all much of a muchness, PR spin notwithstanding. I don't see my employers' annual threat survey on the Slashdot front page; hmmmm, maybe I should submit it? Or maybe not...

Secondly - "serve forth" PUH-leassseee.

This doesn't defy conventional wisdom

[iamacat (583406)]

A trustworthy website will remove malware after the first complaint and will give subsequent visitors a warning and a tool to remove the malware in question. There is still a risk, however the chance of encountering malware on a bank website is significantly less than 100% versus purposely malicious domains and the owner is spending effort to protect you rather than infect you.

Or you could just install all updates for your favorite OS or a 3rd party browser and virtually eliminate the chance of unintentionally installing a malware executable. Even IE7 is positively fascist when it comes to downloads and plugins these days.

Re:

[marzipanic (1147531)]

Ah yes, Active X control etc, I like the fact and it is impressive, that Windows Defender (compulsory with Vista) blocks Windows Live Toolbar! A nation devided cannot stand.... Nothing beats common sense (trademarked) though does it?

Most of the hosts are not aware their site has been "infected" half of the time. I used a site regularly until one day it tried to download some malware in an iframe and an flv file. Not aware at all their site had got a problem.

Not helped by some people who use a certain

Truth wrapped up in FUD, and the way forward...

[argent (18001)]

I've been beating the drum about Internet Explorer and its deliberate malware distribution features like ActiveX for years. Over 10 years, in fact, since it was 1997 when Microsoft introduced Active Desktop...

When people tell me "oh yes, I use Internet Explorer, but I only visit well known websites I can trust" I have been able in some cases to convince them that thanks to forums and other sources of third party content even "trusted" websites can source malware.

Despite what Trend Micro suggests, the best approach to security is still taking proper care with the software you use. They talk about attacks on embedded devices like cellphones, but note that they're primarily talking about their potential as backdoors for infected files, not about their embedded browsers being attacked directly. Antivirus companies want antivirus software installed on everything... that's how they make money... but until they ship software that is purely a scanner and doesn't patch the OS you're more likely to have the AV software than any virus damage your PDA, cellphone, or non-Windows PC.

But taking care with the software you use DOESN'T mean only using bad software on good websites, but not using bad software at all. The best antivirus, then, is to avoid using software that deliberately includes backdoors to allow automatic installation and execution of unsandboxed code from websites. The poster boy for this insane design is, of course, Internet Explorer, which is actually built around this model and were Microsoft to fix it they would have to break a lot of working products. But there are similar design flaws, albeit ones not so automatically easy to exploit, in other browsers... for example Firefox and Safari will happily install code for you if the code is wrapped up in the appropriate package. In Firefox that package is the XPI... and I would recommend keeping the list of whitelisted sites in Firefox empty at all times. In Safari that package is the Dashboard widget, and the option 'Open "Safe" Files after downloading' which is now (thankfully) off by default in new installs (though it doesn't prevent Dashboard widgets from being installed).

And now Microsoft is pushing a cross-platform infection vector under the name Silverlight, and there's an open-source clone of it by the name "Moonlight" under development. Some days I despair, truly.

And no number of "I'm about to do something stupid, is this OK?" dialog boxes are good enough. After 20 years as a system administrator, the last several years of which were spent fighting an increasingly frustrating battle against malware riding on this misfeature of Microsoft's security model, I can only recall one time where someone was *twice* convinced to download and explicitly run an infected file from the shell... but I've repeatedly had people come to me saying "Peter... I clicked on the wrong button again, and my computer's acting funny".

If you're a software developer, and you find yourself adding an "I'm about to do something stupid" dialog... please reconsider whether it's actually necessary. It almost never is. People really would rather explicitly download and install a plugin, for example, than have the browser pop up annoying messages all the time. Really.

Safe to Play in Traffic

[Doc Ruby (173196)]

The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."

Yes, you're not in any greater risk hanging out in crackhouses, because even the banks you visit sometimes have dangerous bank robbers in them.

That statement is one of the stupidest analyses of relative risk that I've ever heard.

What can I say?

[Colin Smith (2679)]

Javascripters building "enterprise" applications.

You get what you pay for.

   

Cybercrim tsunami (almast stay 1 ahead)

[LM741N (258038)]

The perfecr punishment: "Apps testing on Vista"

Re:

[sporkme (983186)]

Thank you for commenting on slashdot! LOL! You'd love the zany TOTALLY NUDE shots from my webcam! All you have to do is CLICK MY LINK [slashdot.org] and you will see me totally exposed! This is not a hack or virus or any of that, I am just trying to increase my exposure (if you know what I mean) in !script=LOCAL_CITY!@user! so I thought I would hit you up personally, since you seem soooo kewl! I luv yer pix and maybe we can get a little more personal if you Czech out my pix on my sight. XOXOXO 3 --Bubbles.

Re:

[Corwn of Amber (802933)]

About TFS... (didn't bother to read TFA, this being /.)

WTF? Use Adblock not to download the malware-pushing banners.
Don't download code. Music, videos, etc. OK, but NOT code. Unless you KNOW it's safe.

And finally : use a Macintosh or Hackintosh. There's no malware on OSX.

It's really laughable. Fortune500 sites pushing malware? That's why you Americans have "class action lawsuits" and "ambulance-chasing lawyers". 1+1+1= ... profit.

Re:

[somersault (912633)]

I'm guessing you'd have to download the code and check it before you can know if it's actually safe.. depending on your definition of 'safe' of course.

Try Pfizer, for one

[winkydink (650484)]

http://www.wired.com/politics/security/news/2007/09/pfizerspam [wired.com]

Too many words...

[argent (18001)]

When you write: think twice before visiting a site which you're not sure of. Especially if you browse with internet exploder..

Surely you mean think twice before [...] you browse with internet exploder..