
Growth of the Underground Cybercrime Economy

AC50 writes "According to research from Trend Micro's TrendLabs, compromised Web sites are gaining in importance on malicious sites created specifically by cyber-criminals. The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."
  • So.... PEBCK (Score:2, Insightful)

    by ruinevil ( 852677 ) on Thursday February 21, 2008 @02:56AM (#22499520)
    In the end, the majority of security problems lie with the user. We need better computer security education in schools and to instill a healthy sense of paranoia in the youth.

    Do we really need Trend Micro's PC-cillin?
  • by mrbluze ( 1034940 ) on Thursday February 21, 2008 @02:58AM (#22499530) Journal

    ... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster.
    ..together also with a Windows-free computer, I guess. But the problem is that websites people visit nowadays require scripts to be enabled. They will be deliberately targeted over sites which don't mandate scripting, so the problem remains. Best way is to design computer systems with the assumption that they will be hacked and then see how to prevent or minimize any damage, from the outset, instead of the old model which assumes the software was all honestly and flawlessly written.
  • Windows XP SP3 (Score:5, Insightful)

    by Myria ( 562655 ) on Thursday February 21, 2008 @03:06AM (#22499570)
    Microsoft needs to get their new service pack out the door. No, I don't mean Vista SP1. Microsoft needs to get XP SP3 out. So many people think Windows Update is some silly annoyance that Microsoft threw in there for who knows what. They never heed the requests to install updates and reboot, since that takes so long. Then when their machine slows to a crawl with adware, they ask us to fix them. And in other cases, their computers join a botnet and spam us all.

    XP SP3, on the other hand, can have marketing support behind it. Articles can talk about it and how to install it, and people won't get so annoyed at a one-time installation. XP SP3 includes fixes for the still-quite-popular ADODB.Stream and animated cursor exploits, and at this point, finding browser exploits is getting into diminishing returns. Now that Microsoft cares, Windows is having its code audited much more thoroughly than when XP SP2 was made.

    Service packs also give Microsoft an opportunity to release fixes for security holes found internally, since service packs are so different from the previous version. If they patched holes quickly like Firefox does with incremental patches, they'd be revealing those holes to attackers armed with machine code diff programs.
  • Debunks nothing (Score:3, Insightful)

    by syousef ( 465911 ) on Thursday February 21, 2008 @03:06AM (#22499572) Journal
    The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware

    I still believe you're still more likely to get malware on dodgy sites. As worded in the summary, this sounds like an excuse someone came up with to justify their penchant to troll for pr0n, war3z and mp3z.
  • Bullhonkey (Score:1, Insightful)

    by Anonymous Coward on Thursday February 21, 2008 @03:10AM (#22499592)

    The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware.
    How on earth does that debunk the conventional wisdom about not visiting questionable sites??

    It may well debunk the idea that visiting mainstream sites is safe, but that doesn't mean you shouldn't think twice before visiting a site which you're not sure of. Especially if you browse with internet exploder..

  • Re:Windows XP SP3 (Score:4, Insightful)

    by erroneus ( 253617 ) on Thursday February 21, 2008 @03:14AM (#22499614) Homepage
    Is there something in SP3 that will magically fix the stupidity of users or will it patch the Windows kernel with a Linux kernel?
  • by iamacat ( 583406 ) on Thursday February 21, 2008 @05:10AM (#22500054)
    A trustworthy website will remove malware after the first complaint and will give subsequent visitors a warning and a tool to remove the malware in question. There is still a risk, however the chance of encountering malware on a bank website is significantly less than 100% versus purposely malicious domains and the owner is spending effort to protect you rather than infect you.

    Or you could just install all updates for your favorite OS or a 3rd party browser and virtually eliminate the chance of unintentionally installing a malware executable. Even IE7 is positively fascist when it comes to downloads and plugins these days.
  • by anandsr ( 148302 ) on Thursday February 21, 2008 @06:09AM (#22500296) Homepage
    There are a finite number of exploitable bugs in Windows XP for very large values of finite.
  • Re:Frosty Piss (Score:3, Insightful)

    by somersault ( 912633 ) on Thursday February 21, 2008 @08:08AM (#22500818) Homepage Journal
    I'm guessing you'd have to download the code and check it before you can know if it's actually safe.. depending on your definition of 'safe' of course.
  • I've been beating the drum about Internet Explorer and its deliberate malware distribution features like ActiveX for years. Over 10 years, in fact, since it was 1997 when Microsoft introduced Active Desktop...

    When people tell me "oh yes, I use Internet Explorer, but I only visit well known websites I can trust" I have been able in some cases to convince them that thanks to forums and other sources of third party content even "trusted" websites can source malware.

    Despite what Trend Micro suggests, the best approach to security is still taking proper care with the software you use. They talk about attacks on embedded devices like cellphones, but note that they're primarily talking about their potential as backdoors for infected files, not about their embedded browsers being attacked directly. Antivirus companies want antivirus software installed on everything... that's how they make money... but until they ship software that is purely a scanner and doesn't patch the OS you're more likely to have the AV software than any virus damage your PDA, cellphone, or non-Windows PC.

    But taking care with the software you use DOESN'T mean only using bad software on good websites, but not using bad software at all. The best antivirus, then, is to avoid using software that deliberately includes backdoors to allow automatic installation and execution of unsandboxed code from websites. The poster boy for this insane design is, of course, Internet Explorer, which is actually built around this model and were Microsoft to fix it they would have to break a lot of working products. But there are similar design flaws, albeit ones not so automatically easy to exploit, in other browsers... for example Firefox and Safari will happily install code for you if the code is wrapped up in the appropriate package. In Firefox that package is the XPI... and I would recommend keeping the list of whitelisted sites in Firefox empty at all times. In Safari that package is the Dashboard widget, and the option 'Open "Safe" Files after downloading' which is now (thankfully) off by default in new installs (though it doesn't prevent Dashboard widgets from being installed).

    And now Microsoft is pushing a cross-platform infection vector under the name Silverlight, and there's an open-source clone of it by the name "Moonlight" under development. Some days I despair, truly.

    And no number of "I'm about to do something stupid, is this OK?" dialog boxes are good enough. After 20 years as a system administrator, the last several years of which were spent fighting an increasingly frustrating battle against malware riding on this misfeature of Microsoft's security model, I can only recall one time where someone was *twice* convinced to download and explicitly run an infected file from the shell... but I've repeatedly had people come to me saying "Peter... I clicked on the wrong button again, and my computer's acting funny".

    If you're a software developer, and you find yourself adding an "I'm about to do something stupid" dialog... please reconsider whether it's actually necessary. It almost never is. People really would rather explicitly download and install a plugin, for example, than have the browser pop up annoying messages all the time. Really.
  • Re:Nonsense (Score:3, Insightful)

    by Teancum ( 67324 ) <robert_horning@@@netzero...net> on Thursday February 21, 2008 @09:19PM (#22510304) Homepage Journal
    No this isn't virtual memory.... it is a virtual machine. Memory and CPU registers are supposed to be separated and each process is supposed to be divided so they can't directly access each other but rather need to route through the operating system in order to send information to each other. Only in practice this doesn't always happen.

    And this is a problem with VMWare as much as any other sort of processor division. The main problem was that once the virtual machines were set up for each process in Windows, all sorts of holes were punched into the environment for message passing and other issues that allowed for inter-process communications. And *THAT* is where the security holes came into play.

    All VMWare and other similar software provides is another level of abstraction... and some initial security that Windows supposedly provided originally but then ignored with a drive to provide inter-process actions. The same thing can happen with Virtual Machines... and between networked computers. Just that it is another level of abstraction moving up the food chain.
