Growth of the Underground Cybercrime Economy

AC50 writes "According to research from Trend Micro's TrendLabs, compromised Web sites are gaining in importance over malicious sites created specifically by cyber-criminals. The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."

  • Any site (Score:5, Informative)

    by Merls the Sneaky ( 1031058 ) on Thursday February 21, 2008 @02:28AM (#22499338)
    Any site serving up adverts is potentially serving up malware. Durr.....
  • by timmarhy ( 659436 ) on Thursday February 21, 2008 @02:36AM (#22499382)
    ... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster.
  • by CSMatt ( 1175471 ) on Thursday February 21, 2008 @02:40AM (#22499406)
    Seconded, and also only allow whitelisted cookies.
  • by Anonymous Coward on Thursday February 21, 2008 @02:53AM (#22499494)
    NoScript doesn't help if a site already on your whitelist gets compromised.
  • by Animats ( 122034 ) on Thursday February 21, 2008 @03:28AM (#22499676) Homepage

    We have a list of major sites being exploited by active phishing scams, [sitetruth.com] which we update every three hours. There are 56 sites on the list right now. Most sites don't stay on the list too long, but we still have 14 that have been on the list since last year. Most of them are DSL service providers with compromised machines they haven't kicked off. Some providers are proactive about this, and some aren't. Then there are a few compromised sites that just have no clue about how to fix their problem. One such site is the teacher web space for a school district.

    By, well, nagging, we've been able to get the big players to fix their problems. Google, Yahoo, MSN, and Dell were all on the list at one point, but they've all tightened up their systems.

    The points we make with this list are that 1) the number of major sites involved is small, and 2) blacklisting at the second level domain level causes acceptable levels of collateral damage. So go ahead, blacklist the whole second level domain in your phishing filters. Think of it as a way to encourage sites to clean up their act. Or as a way to find out where to apply the clue stick.

    This list is about "major" sites, ones in Open Directory (1.7 million sites). The issue there is with attackers trying to steal the credibility of the major site. At the other end of the scale, any domain less than a few weeks old probably isn't worth connecting to. Or at least it should be read with all executable content disabled, including HTML email. Also, any link with more than one redirect probably shouldn't be followed.

    It's easier to filter out the attackers if you're willing to filter out the bottom-feeders as well. But that's another story.
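    The three heuristics in the comment above (blocklist by second-level domain, distrust domains only a few weeks old, refuse links that redirect more than once) fit in a small link filter. The code below is an added example written for this page; it is not sitetruth.com's code, and the suffix table, blocklist, registration dates and URLs are constructed stand-ins (a real filter would load the Public Suffix List and query WHOIS or a registration database for domain age).

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

# Minimal stand-in for the Public Suffix List (assumption: a real filter loads
# the full list). Under these suffixes, registrations happen one label deeper.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Second-level ("registrable") domain of a hostname, e.g.
    teachers.schoolpages.example -> schoolpages.example, www.bbc.co.uk -> bbc.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class PhishFilter:
    """Link filter built from three heuristics: a blocklist keyed by
    second-level domain, a minimum domain age, and a cap on redirects."""

    def __init__(self, blocked_domains, registration_dates, today,
                 min_age_days=21, max_redirects=1):
        self.blocked = {d.lower() for d in blocked_domains}
        self.registered = registration_dates      # domain -> date of registration
        self.today = today
        self.min_age = timedelta(days=min_age_days)
        self.max_redirects = max_redirects

    def check(self, hops):
        """hops: the URLs visited when following a link, first to last.
        Every hop is checked, since the compromised "major" site may be an
        intermediate page rather than the final destination.
        Returns (allowed, reasons)."""
        reasons = []
        if len(hops) - 1 > self.max_redirects:
            reasons.append("%d redirects (max %d)" % (len(hops) - 1, self.max_redirects))
        for url in hops:
            domain = registrable_domain(urlsplit(url).hostname or "")
            if domain in self.blocked:
                reason = "blocked second-level domain: " + domain
                if reason not in reasons:
                    reasons.append(reason)
            registered = self.registered.get(domain)
            if registered is not None and self.today - registered < self.min_age:
                reasons.append("domain %s registered %d days ago"
                               % (domain, (self.today - registered).days))
        return (not reasons, reasons)


# Constructed sample data for the demonstration (not real sites).
TODAY = date(2008, 2, 21)
FILTER = PhishFilter(
    blocked_domains={"schoolpages.example"},        # a compromised "major" site
    registration_dates={"bank.example": date(2001, 5, 4),
                        "bank-verify-now.example": date(2008, 2, 14)},
    today=TODAY,
)

if __name__ == "__main__":
    for chain in (["http://www.bank.example/login"],
                  ["http://teachers.schoolpages.example/~smith/verify.html"],
                  ["http://bank-verify-now.example/"],
                  ["http://r.example/go", "http://t.example/x", "http://www.bank.example/"]):
        print(chain[-1], "->", FILTER.check(chain))
```

    Blocking on the registrable domain rather than the full hostname is what makes the "teacher web space" case work: the phishing page lives under a per-user hostname or path, but the whole school district domain goes on the list, which is exactly the collateral damage the comment argues is acceptable.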

  • by jesser ( 77961 ) on Thursday February 21, 2008 @03:38AM (#22499714) Homepage Journal
    An interesting feature of Google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links. I wonder how viable it would be to have a firefox plugin that did something similar.

    Firefox 3 does this. If you start to load a site that's in Google's database of malicious (and compromised) pages, Firefox 3 will show a big red "Suspected attack site!" thing instead of parsing the page.

    Mozilla and Google put a lot of effort into making it possible to do this without slowing down page loads. Firefox downloads a list of 32-bit hash prefixes for compromised sites. If a hash prefix matches (which will happen on any malicious page load and perhaps 0.1% of other page loads), Firefox asks Google for the rest of the hash. Both the local database lookup (which can require disk access) and the possible request to Google happen in parallel with Firefox resolving the DNS entry and connecting to the site.

    Last week, the site of Firebug author Joe Hewitt was compromised, and Firefox 3 Beta 3 users saw this [mozilla.com].
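    The lookup scheme jesser describes (local list of 32-bit hash prefixes, full-hash request only on a prefix hit) is worth seeing end to end, including the case where a benign page's prefix collides with the local list. The code below is an added example written for this page, not Firefox or Google code: the URL canonicalization is a simplified version of the Safe Browsing rules, the "server" is an in-process stand-in, and the blocked expressions and URLs are constructed. The collision is simulated by injecting a benign page's prefix into the local list without a matching full hash on the server.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # 32-bit prefixes, as in the comment above


def url_expressions(url):
    """Simplified Safe Browsing-style lookup expressions for a URL: every
    combination of host suffix (the host plus up to four parent domains,
    never the bare TLD) and path prefix (with and without the query)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:]) for i in range(1, min(len(labels) - 1, 5))]
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    segments = path.split("/")               # "/a/b/c" -> ["", "a", "b", "c"]
    for i in range(1, len(segments)):
        prefix = "/".join(segments[:i]) + "/"  # "/", "/a/", "/a/b/"
        if prefix not in paths:
            paths.append(prefix)
    return [h + p for h in hosts for p in paths]


def full_hash(expression):
    return hashlib.sha256(expression.encode()).digest()


class FullHashServer:
    """Stand-in for the remote full-hash lookup (assumption: in-process here).
    Given a prefix, returns every blocked full hash that starts with it."""

    def __init__(self, blocked_expressions):
        self.hashes = {full_hash(e) for e in blocked_expressions}
        self.requests = 0

    def lookup(self, prefix):
        self.requests += 1
        return {h for h in self.hashes if h.startswith(prefix)}


class SafeBrowsingClient:
    """The browser side: a downloaded set of prefixes plus the two-step check."""

    def __init__(self, server, local_prefixes):
        self.server = server
        self.local_prefixes = set(local_prefixes)

    def classify(self, url):
        """Returns (verdict, asked_server). The server is contacted only when
        a prefix matches locally, and a page is flagged only if the server
        returns the exact full hash, so a prefix collision stays harmless."""
        hashes = [full_hash(e) for e in url_expressions(url)]
        hits = [h for h in hashes if h[:PREFIX_LEN] in self.local_prefixes]
        if not hits:
            return ("safe", False)
        for h in hits:
            if h in self.server.lookup(h[:PREFIX_LEN]):
                return ("attack", True)
        return ("safe", True)


# Constructed blocklist: one compromised directory on an otherwise fine site,
# and one whole malware domain.
BLOCKED = ["compromised.example/blog/", "malware.example/"]
SERVER = FullHashServer(BLOCKED)
PREFIXES = {full_hash(e)[:PREFIX_LEN] for e in BLOCKED}
# Simulate the "0.1% of other page loads" case: a benign page's prefix happens
# to be in the local list (injected deliberately; the server has no full hash).
PREFIXES.add(full_hash("benign.example/")[:PREFIX_LEN])
CLIENT = SafeBrowsingClient(SERVER, PREFIXES)

if __name__ == "__main__":
    for u in ("http://compromised.example/blog/post.html",
              "http://sub.malware.example/x?y=1",
              "http://www.benign.example/",
              "http://clean.example/about/"):
        print(u, "->", CLIENT.classify(u))
```

    Two things the code makes concrete: the expression set is what lets one entry ("compromised.example/blog/") cover every page under that directory while leaving the rest of the site alone, and the benign collision costs one round trip but never a false warning, because the verdict depends on the full hash, not the prefix.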
  • by porkUpine ( 623110 ) on Thursday February 21, 2008 @07:07AM (#22500544)
    I currently run Firefox in SVS (Altiris) (Along with the suggestions above). Basically Firefox runs in its own virtual layer on the machine with no access to the "real" OS. I can run multiple instances to allow for different security settings. It's nice because I don't have to actually boot a VM just to surf the web safely. http://juice.altiris.com/glossary/term/252 [altiris.com]
  • by Ed Avis ( 5917 ) <ed@membled.com> on Thursday February 21, 2008 @07:10AM (#22500556) Homepage
    Note that all modern operating systems do run each process in its own virtual machine. The process sees its own memory space that has no relation to the physical memory layout of the machine (indeed, it may even be bigger) and it has no direct access to the hardware. It gets CPU time that doesn't correspond to any one physical CPU; it may get timeslices from different CPUs if the operating system decides this. If it wants to read or write a file, it has to make a call to the operating system which first checks it has the appropriate permissions and then arranges for the I/O without allowing the user process to talk to the disk directly. Nor can processes access memory belonging to a different process, unless both agree to set up a shared memory scheme.

    The problem is not lack of virtualization. Everything is virtualized already. The problem is excessive permissions given to the programs running in each virtual address space. For example, the web browser should not have any rights to save files outside a designated 'downloads' directory.
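    The "designated 'downloads' directory" restriction above is simple to state but easy to get wrong, since a browser that only checks the name it was given can be walked out of the directory with `..`, an absolute path, or a symlink planted inside the directory. The code below is an added example for this page, not from any browser or from the comment's author; it resolves the target before the check and opens with O_NOFOLLOW and O_EXCL so the check cannot be undone by swapping in a symlink afterwards. The directory layout in `demo()` is constructed for the demonstration and assumes a POSIX filesystem.

```python
import os
import tempfile
from pathlib import Path


class DownloadSandbox:
    """Confines file writes to one directory (the designated downloads dir)."""

    def __init__(self, root):
        self.root = Path(root).resolve()

    def resolve(self, requested):
        """Map a requested save name to a real path strictly inside the sandbox.
        Rejects absolute paths, '..' traversal and symlinks that lead outside:
        resolve() follows symlinks, so an escape shows up as a path whose
        parents do not include the sandbox root."""
        candidate = (self.root / requested).resolve()
        if self.root not in candidate.parents:
            raise PermissionError("refusing to write outside %s: %r" % (self.root, requested))
        return candidate

    def save(self, requested, data):
        target = self.resolve(requested)
        target.parent.mkdir(parents=True, exist_ok=True)
        # O_NOFOLLOW closes the window between the check above and the open:
        # a symlink swapped in at the final component is refused, not followed.
        # O_EXCL refuses to overwrite an existing file.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
        fd = os.open(target, flags, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return target


def demo():
    """Exercise the sandbox on a constructed layout: a downloads directory
    containing a planted symlink to a sibling directory outside it.
    Returns which save attempts were written and which were refused."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "outside")
        outside.mkdir()
        downloads = Path(tmp, "downloads")
        downloads.mkdir()
        os.symlink(outside, downloads / "escape")   # attacker-planted link
        box = DownloadSandbox(downloads)
        results = {}
        for name in ("report.pdf", "sub/dir/notes.txt",
                     "../outside/owned", "/etc/passwd", "escape/owned"):
            try:
                box.save(name, b"data")
                results[name] = "written"
            except PermissionError:
                results[name] = "refused"
        results["outside_untouched"] = not any(outside.iterdir())
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

    This is the user-space half of least privilege; an OS-enforced policy (a process that is simply not allowed to open files elsewhere) is stronger because it also covers code paths the browser author never wrote, which is the point the comment is making about excessive permissions.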
  • by TubeSteak ( 669689 ) on Thursday February 21, 2008 @08:04AM (#22500800) Journal

    Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory.
    http://www.sandboxie.com/ [sandboxie.com]
    I read about it in the comments of some /. thread
    All changes are written to a sandbox directory, conveniently called "sandbox"
    And you can launch more than just your web browser in it.
  • by marzipanic ( 1147531 ) on Thursday February 21, 2008 @08:50AM (#22501024) Journal
    Ah yes, ActiveX controls etc, I like the fact and it is impressive, that Windows Defender (compulsory with Vista) blocks Windows Live Toolbar! A nation divided cannot stand.... Nothing beats common sense (trademarked) though does it?

    Most of the hosts are not aware their site has been "infected" half of the time. I used a site regularly until one day it tried to download some malware in an iframe and a .flv file. Not aware at all their site had got a problem.

    Not helped by some people who use a certain "site advisor" program giving it a green tick because it was "full of pretty, cool and amazing things" instead of looking at what their anticrapware app was singing / doing and warning people accordingly.

    For that fact alone I refuse to bank online, I just feel safer. Call me old fashioned....
  • Too many words... (Score:3, Informative)

    by argent ( 18001 ) <peter@slashdot . ... t a r o nga.com> on Thursday February 21, 2008 @09:38AM (#22501300) Homepage Journal
    When you write: think twice before visiting a site which you're not sure of. Especially if you browse with internet exploder..

    Surely you mean think twice before [...] you browse with internet exploder..
  • by singingjim1 ( 1070652 ) on Thursday February 21, 2008 @10:51AM (#22502170)
    My girlfriend checks website links routinely in PDF documents as part of her work and her machine is routinely attacked by adware and malware by supposedly innocuous websites that are supposed to be related to educational institutions or professional, technical type organizations hosting white papers, and other such information. (yeah yeah, run on sentence, sue me) I'm guessing some of these sites have been compromised or intentionally corrupted by webmasters for personal gain. In my experience this stuff happens all the time.
  • by porkUpine ( 623110 ) on Thursday February 21, 2008 @01:46PM (#22504798)
    Juice is a community site. Google Altiris SVS for better information.
  • Nonsense (Score:1, Informative)

    by Anonymous Coward on Thursday February 21, 2008 @06:25PM (#22508710)
    You're confusing Virtual Memory with a Virtual Machine.

    The OP is quite correct. It's a heck of a lot easier to clean up an attack that has compromised a VMWare image than one which has compromised the PC.
