Growth of the Underground Cybercrime Economy

AC50 writes "According to research from Trend Micro's TrendLabs compromised Web sites are gaining in importance on malicious sites created specifically by cyber-criminals. The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."

Re:

[sporkme]

Thank you for commenting on slashdot! LOL! You'd love the zany TOTALLY NUDE shots from my webcam! All you have to do is CLICK MY LINK [slashdot.org] and you will see me totally exposed! This is not a hack or virus or any of that, I am just trying to increase my exposure (if you know what I mean) in !script=LOCAL_CITY!@user! so I thought I would hit you up personally, since you seem soooo kewl! I luv yer pix and maybe we can get a little more personal if you Czech out my pix on my sight. XOXOXO 3 --Bubbles.

Re:

[Corwn of Amber]

About TFS... (didn't bother to read TFA, this being /.)

WTF? Use Adblock not to download the malware-pushing banners.
Don't download code. Music, videos, etc. OK, but NOT code. Unless you KNOW it's safe.

And finally : use a Macintosh or Hackintosh. There's no malware on OSX.

It's really laughable. Fortune500 sites pushing malware? That's why you Americans have "class action lawsuits" and "ambulance-chasing lawyers". 1+1+1= ... profit.

Re:

[somersault]

I'm guessing you'd have to download the code and check it before you can know if it's actually safe.. depending on your definition of 'safe' of course.

Re:

[kesuki]

fortune 500 companies can get compromised. It's not like it's impossible, and they are the most likely to have a sophisticated system for downing compromised systems (Intrusion detection systems, automatic filtering of forums eg: Slashdot has code that tries to reject links or code that is 'known bad' although not necessarily links to bad sites) and the ability to power power off or 'stop internet to' any single server without having to access it physically) but no system is 100% fool proof, besides which,

Re:

[Corwn of Amber]

My point was more that Fortune 500 companies could just "not put ads" on their sites, it's not like they're not rich enough to publish whatever content on the 'Net for what they see as chump change.

Unless they're online ads, but are any of those in Fortune 500?

And, how are those sites "compromised" to serve malware? With seven-figures security people, they'd write a Trusted system, encrypted end-to-end with math proofs that it Just Can't be hacked, ever, and do that in a year.

Re:

[kesuki]

I'm sorry, but even fortune 500 companies have problems with systems being compromised. you're thinking that for whatever reason they can control all the input and all the out put data.

yahoo which was an early pioneer in the internet space was highly dependent on FreeBSD, to date they still code and maintain Yahoo BSD, and submit considerable amounts of code to the FreeBSD project.

even with programmers writing their own operating system yahoo has had times where servers got compromised. furthermore, they h

Any site

[Merls the Sneaky]

Any site serving up adverts is potentially sering up malware. Durr.....

Re:

[flyneye]

If it can be any site,that leaves the criminal themselves as the point of removal.
I figure if legislation can be passed to void our other constitutional rights,they can jolly well legislate stronger penalties for phishers,Black hat hackers,script kiddies and virii/trojan coders. Cut off their hands and reproductive organs so we don't have to bother with them or future generations of them.

Re:

[PlusFiveTroll]

Thank You for failing the game, please try again. Many of the criminals doing said things in articles are in countries that turn a blind eye to such crimes.

Re:

[flyneye]

Yes,but,we still have some here and the therapeutic value is beyond priceless.
So,like the cannibals who barfed up the missionary,you can't keep a good man down.

little hint

[ILuvRamen]

even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware

Pssst....they mean Yahoo :-P But really if you think about it, way too may big companies serve up software that spies on you or serves up ads or has a dual installer that also installs something bad. I don't think that's what they're talking about though. Pretty sure they mean just random banner ads for virus infested "free screensavers" and stuff.

Try Pfizer, for one

[winkydink]

http://www.wired.com/politics/security/news/2007/09/pfizerspam [wired.com]

Re:

[Corwn of Amber]

Use Adblock not to download the malware-pushing banners.
Don't download code. Music, videos, etc. OK, but NOT code. Unless you KNOW it's safe.
And finally : use a Macintosh or Hackintosh. There's no drive-by on OSX. And the USB-sticks? My friends CLEAN theirs on my macs, lol.

Fortune500 sites pushing malware? That's why you Americans have "class action lawsuits" and "ambulance-chasing lawyers". 1+1+1= ... profit.

Re:

[Bombula]

Here's another little hint: start making ALL websites accountable for their content. We do need better oversite of the DNS sysem anyway. So then if you're in violation? BAM, your site gets pulled from DNS. Yahoo et al will fall in line instantly, as will anyone else who is serious about keeping their site up. All the tens of millions of junk sites out there pushing malware and other garbage will just start getting shut off. If they want to spend the time money creating new sites with new links every

No kidding!

[Anonymous Coward]

"...even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware." I've been telling my users this forever. Some of them just don't have the mind set or skills to fend off the malware, which is part of why I have a job. It's all about locking down the computer. Of course, this is a sliding scale. Lock it down enough to totally (possible??) protect it, and the user can't do many of the usual tasks. Leave it open to being able to

it's called No Script

[timmarhy]

... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster.

Re:

[CSMatt]

Seconded, and also only allow whitelisted cookies.

Re:it's called No Script

[mlts]

I think as time goes on, perhaps the best way to browse the Web is having a virtual machine running under a dedicated, locked down user, so if the OS in the VM is compromised, an unknown exploit that might let malware out of the VM to compromise the host would be stopped. Its not 100%, but it seems to be the best way of doing things. Of course, the Web browser should have Noscript and Adblock functionality for a lock on the front door.

Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory. Vista's protected mode in IE7 is a start, where IE7 does not have access to the full Registry, but more separated from the rest of the machine with limits on CPU and other resources.

Re:

[porkUpine]

I currently run Firefox in SVS (Altiris) (Along with the suggestions above). Basically Firefox runs in it's own virtual layer on the machine with no access to the "real" OS. I can run multiple instances to allow for different security settings. It's nice because I don't have to actually boot a VM just to surf the web safely. http://juice.altiris.com/glossary/term/252 [altiris.com]

Questionable company

[Futurepower(R)]

I notice that the Altiris site contains very poor writing.

It would be great to have a suggestion from a better company.

Re:

[porkUpine]

Juice is a community site. Google Altiris SVS for better information.

Re:it's called No Script

[Ed Avis]

Note that all modern operating systems do run each process in its own virtual machine. The process sees its own memory space that has no relation to the physical memory layout of the machine (indeed, it may even be bigger) and it has no direct access to the hardware. It gets CPU time that doesn't correspond to any one physical CPU; it may get timeslices from different CPUs if the operating system decides this. If it wants to read or write a file, it has to make a call to the operating system which first checks it has the appropriate permissions and then arranges for the I/O without allowing the user process to talk to the disk directly. Nor can processes access memory belonging to a different process, unless both agree to set up a shared memory scheme.

The problem is not lack of virtualization. Everything is virtualized already. The problem is excessive permissions given to the programs running in each virtual address space. For example, the web browser should not have any rights to save files outside a designated 'downloads' directory.

Nonsense

[Anonymous Coward]

You're confusing Virtual Memory with a Virtual Machine.

The OP is quite correct. It's a heck of a lot easier to clean up an attack that has compromised a VMWare image than one which has compromised the PC.

Re:

[Teancum]

No this isn't virtual memory.... it is a virtual machine. Memory and CPU registers are supposed to be separated and each process is supposed to be divided so they can't directly access each other but rather need to route through the operating system in order to send information to each other. Only in practice this doesn't always happen.

And this is a problem with VMWare as much any other sort of processor division. The main problems was that once the virtual machines were set up for each process in Window

Re:

[Ed Avis]

Separation of memory and cpu registers does not make a virtual machine. Sorry. We've had that for decades now.

See Wikipedia:

Virtual machines are separated in two major categories, based on their use and degree of correspondence to any real machine. A system virtual machine provides a complete system platform which supports the execution of a complete operating system (OS). In contrast, a process virtual machine is designed to run a single program, which means that it supports a single process. An essential

Re:

[Ed Avis]

I don't think that's true. Even on Slashdot people talk of the Java virtual machine, the Flash virtual machine and so on. If they don't say that a Linux process container is also a virtual machine, this is more likely to be because they haven't thought about it, rather than because they understand the history of operating systems and have carefully decided to change the definition of a VM to mean a system-level VM only. After all, if the virtualized CPU, memory space and hardware presented to a process i

Re:

[TubeSteak]

Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory.

http://www.sandboxie.com/ [sandboxie.com]
I read about it in the comments of some /. thread
All changes are written to a sandbox directory, convienently called "sandbox"
And you can launch more than just your web browser in it.

Re:

[Pros_n_Cons]

I dont know if It's the "best" way to secure a web browser but I read a few days ago on a Red Hat employee's blog about how Fedora 9 is going to have the browser confined by SElinux, the way its done is kinda clever in my opinion cause it confines the wrapper. Making plugins only allowed to write to .mozilla or .adobe, etc. I dont think it will protect against mozilla (yet) flaws itself but plugins are certainly more than half the battle.
the URL is http://danwalsh.livejournal.com/15700.html#cutid1 [livejournal.com] if you're

Re:

[Architect_sasyr]

An interesting feature of google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links. I wonder how viable it would be to have a firefox plugin that did something similar. Not so much the patching of the bugs, but maybe some sort of distributed (P2P) system that says "Yep, this is dangerous, we aint patched it yet, so go there if you like but we don't recommend it"

Might help out, might not. If I had something like that running in my company I reckon I co

Re:it's called No Script

[jesser]

An interesting feature of google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links. I wonder how viable it would be to have a firefox plugin that did something similar.

Firefox 3 does this. If you start to load a site that's in Google's database of malicious (and compromised) pages, Firefox 3 will show a big red "Suspected attack site!" thing instead of parsing the page.

Mozilla and Google put a lot of effort into making it possible to do this without slowing down page loads. Firefox downloads a list of 32-bit hash prefixes for compromised sites. If a hash prefix matches (which will happen on any malicious page load and perhaps 0.1% of other page loads), Firefox asks Google for the rest of the hash. Both the local database lookup (which can require disk access) and the possible request to Google happen in parallel with Firefox resolving the DNS entry and connecting to the site.

Last week, the site of Firebug author Joe Hewitt was compromised, and Firefox 3 Beta 3 users saw this [mozilla.com].

McAfee SiteAdvisor

[frog51]

It's free and does a reasonable job at indicating risk level to the less computer savvy (in green, amber and red)

Re:

[Bert64]

The trouble with siteadvisor, is that it's quite easy to identify when it's hitting your site.
With that in mind, it's fairly easy to serve up a different site to siteadvisor, or just not serve the malware.

To see an example of a site that does this, look up www.acunetix.com on siteadvisor, notice how siteadvisor has downloaded some programs from their site and verified them malware free, look also how siteadvisor has submitted its email address to the site and not received any email.
Now go to acunetix.com, a

Re:

[kent_eh]

An interesting feature of google that I've always liked is the "This page may harm your computer" or whatever they put on dangerous links.

I got an e-mail from my Mom on Monday night that said:

I was downloading something into AVG, and I saw something in red letters that said it was a 'trojan horse'. Is that friend or foe? I think it's probably safe, but I thought I should check with you first..."

Yes, she's confused about what AVG's role in the download is, but that aside.
There was a banner popped up with big red letters, and the word "warning" and she still thought it might be safe.
I guess there is some glimmer of hope, given she had enough doubt to ask me, but still I'd submit she is among the "average users" that need their computers to protect them from themselves. I'm looking at some of the sandboxes that are being linked in this thre

Re:

[Anonymous Coward]

NoScript doesn't help if a site already on your whitelist gets compromised.

Re:

[Keeper Of Keys]

NoScript doesn't help if a site already on your whitelist gets compromised.

While it's literally true that if a site on my whitelist (netvibes.com, for instance) has its server compromised and a bad script is introduced there, my browser will get hit, as I understand it this is not generally how such script-based attacks happen.

Usually a bad script from some other domain is introduced onto a page, eg through a widget, a badly-screened comment form, an ad script, etc. Without NoScript, these scripts are treated with the same level of trust as those hosted on the site's domain. B

Re:

[mrbluze]

... use it together with adblocker and a good antivirus package and your web experience will be safe and much faster.

..together also with a windows-free computer, I guess. But the problem is that websites people visit nowadays require scripts to be enabled. They will be deliberately targeted over sites which don't mandate scripting, so the problem remains. Best way is to design computer systems with the assumption that they will be hacked and then see how to prevent or minimize any damage, from the outset, instead of the old model which assumes the software was all honestly and flawlessly written.

Re:

[timmarhy]

you can selectively run the scripts. for example i block the analyitics scripts when i go to gmail but gmail still works fine

Re:

[red star hardkore]

Kind of hard to progress also when you wake up some morning and find your life savings have been transferred to some dodgy account in Russia. It isn't fleeing in terror, it's putting a hold on things until developers realise that security is as important as functionality.

Re:

[xeoron]

Very true... but I often feel the safest while using Lynx or W3m

Forth malware

[Chris Burkhardt]

> [...] can serve forth malware

Serve Forth malware from a website? I'd be more concerned about JavaScript malware and the like.

Re:

[misleb]

Serve Forth malware from a website? I'd be more concerned about JavaScript malware and the like.

Haskell malware is the best!

I sure hope

[iminplaya]

Slashdot is safe. It's the only site I visit. Make sure not to open the articles. You never know.

Re:

[phalse phace]

Make sure not to open the articles. You never know.

Open articles? I don't think /.ers have anything to worry about.

The Power of Google

[TubeSteak]

http://www.google.com/search?q=site:.edu+viagra [google.com]
http://www.google.com/search?q=site:.gov+viagra [google.com]
Only two pwned sites in the top 10 for .gov
It'd be ironic if idtheft.utah.gov was handing out malware.

Replace viagra with other spamwords & you'll get more of the same

Re:The Power of Google

[TubeSteak]

I hate replying to my own comments, but the States seem to be doing a much poorer job than the Federal Government.

http://www.google.com/search?q=site:k12.ny.us+viagra [google.com]
That brings up pwned K-12 school websites from New York

http://www.google.com/search?q=site:.ny.us+ringtones [google.com]
This frequently brings up state websites
EG: New York State's Division of Military and Naval Affairs website has been exploited.

I don't mean to pick on New York, but they seem to be worse than many other States.
Replace .NY. with your state's abbreviation

Re:

[Eric(b0mb)Dennis]

Nice! Utah's ID Theft site has a nice spam/ad loaded h4x0r page!

http://www.idtheft.utah.gov/pn/modules/pagesetter/pntemplates/plugins/function.str.php?/viagra/viagra.html [utah.gov]

hahaha, that's great.

So.... PEBCK

[ruinevil]

In the end, the majority of security problems lies with the user. We need better computer security education in schools and instill a healthy sense of paranoia in the youth.

Do we really need Trend Micro's PC-cillin?

Wanna be safe?

[iminplaya]

Boot from a live CD. Or use a virtual machine. Of course you can always use a less popular operating system.

Re:

[drrck]

I don't think the people that will be affected by this will be interested in a less popular operating system.

Windows XP SP3

[Myria]

Microsoft needs to get their new service pack out the door. No, I don't mean Vista SP1. Microsoft needs to get XP SP3 out. So many people think Windows Update is some silly annoyance that Microsoft threw in there for who knows what. They never heed the requests to install updates and reboot, since that takes so long. Then when their machine slows to a crawl with adware, they ask us to fix them. And in other cases, their computers join a botnet and spam us all.

XP SP3, on the other hand, can have marketing support behind it. Articles can talk about it and how to install it, and people won't get so annoyed at a one-time installation. XP SP3 includes fixes for the still-quite-popular ADODB.Stream and animated cursor exploits, and at this point, finding browser exploits is getting into diminishing returns. Now that Microsoft cares, Windows is having its code audited much more thoroughly than when XP SP2 was made.

Service packs also give Microsoft an opportunity to release fixes for security holes found internally, since service packs are so different from the previous version. If they patched holes quickly like Firefox does with incremental patches, they'd be revealing those holes to attackers armed with machine code diff programs.

Re:Windows XP SP3

[erroneus]

Is there something in SP3 that will magically fix the stupidity of users or will it patch the Windows kernel with a Linux kernel?

Re:

[Myria]

Is there something in SP3 that will magically fix the stupidity of users or will it patch the Windows kernel with a Linux kernel?

No, but at least it will be harder for attackers to exploit them. There is a finite number of exploitable bugs in Windows XP and Internet Explorer, and since few new features are being added, few new bugs are being added.

As for Linux, are things really much different [slashdot.org]?

For very large values of finite.

[anandsr]

There are a finite number of exploitable bugs in Windows XP for very large values of finite.

Re:

[erroneus]

I'd even deny that much since for something to be considered "finite" the end of the list has to have been determined, not merely presumed. New problems are constantly being discovered with no end in sight. "...with no end in sight" makes it sound rather infinite doesn't it?

At least in the case of OSS, quite a few problems can be identified through examination of the source. In closed or proprietary sourced situations, people have to pretty much experiment with things and test a lot. And even though it

Re:

[sumdumass]

They never heed the requests to install updates and reboot, since that takes so long. Then when their machine slows to a crawl with adware, they ask us to fix them. And in other cases, their computers join a botnet and spam us all.

This might be more because they havehad an experience where an update broke their computer or some app. This is probably especially true when SP2 came around because of it's ability to fail and render the computer useless if certain Spyware has been installed. They might have f

Re:Windows XP SP3

[techno-vampire]

Then when their machine slows to a crawl with adware, they ask us to fix them.

You must have a well-trained set of users. Most people just buy a new computer when that happens.

Re:

[V!NCENT]

Ah! So that's why Vista is selling so well now!

Re:

[cerberusss]

You're modded funny, but when a new Dell Vostro costs $299 and the machine is more than 2 years old, then it might be worth it.

Debunks nothing

[syousef]

The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware

I still believe you're still more likely to get malware on dodgy sites. As worded in the summary, this sounds like an excuse someone came up with to justify their penchant to troll for pr0n, war3z and mp3z.

Bullhonkey

[Anonymous Coward]

The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware.

How on earth does that debunk the conventional wisdom about not visiting questionable sites??

It may well debunk the idea that visiting mainstream sites is safe, but that doesn't mean you shouldn't think twice before visiting a site which you're not sure of. Especially if you browse with internet exploder..

Too many words...

[argent]

When you write: think twice before visiting a site which you're not sure of. Especially if you browse with internet exploder..

Surely you mean think twice before [...] you browse with internet exploder..

Congratulations Trend Micro!

[Anonymous Coward]

It's only taken 2 months to realize that the most common forms of computer attacks are going to continue in 2008, and all this despite the open memo to on-line criminals:

"Dear blackhats,

Please, please, please make a new year's resolution to stop making viruses, stealing money and sending spam.

Loving Regards,

Trend Micro."

Everybody out there on the ether ... be afraid. In fact be just a 'little' more afraid each year, things are definitely getting worse.

It's a problem, but the size is limited.

[Animats]

We have a list of major sites being exploited by active phishing scams, [sitetruth.com] which we update every three hours. There are 56 sites on the list right now. Most sites don't stay on the list too long, but we still have 14 that have been on the list since last year. Most of them are DSL service providers with compromised machines they haven't kicked off. Some providers are proactive about this, and some aren't. Then there are a few compromised sites that just have no clue about how to fix their problem. One such site is the teacher web space for a school district.

By, well, nagging, we've been able to get the big players to fix their problems. Google, Yahoo, MSN, and Dell were all on the list at one point, but they've all tightened up their systems.

The points we make with this list are that 1) the number of major sites involved is small, and 2) blacklisting at the second level domain level causes acceptable levels of collateral damage. So go ahead, blacklist the whole second level domain in your phishing filters. Think of it as a way to encourage sites to clean up their act. Or as a way to find out where to apply the clue stick.

This list is about "major" sites, ones in Open Directory (1.7 million sites.) The issue there is with attackers trying to steal the credibility of the major site. At the other end of the scale, any domain less than a few weeks old probably isn't worth connecting to. Or at least it should be read with all executable content disabled, including HTML email. Also, any link with more than one redirect probably shouldn't be followed.

It's easier to filter out the attackers if you're willing to filter out the bottom-feeders as well. But that's another story.

Re:

[Ed Avis]

WTF? Are you suggesting that users should avoid infection by not visiting websites with a domain 'less than a few weeks old'? How are they going to verify this information before each page click? If this is really a good rule to follow, it needs to be built into the browser. You can't rely on users not to do something stupid when the definition of 'stupid' gets wider and wider each year.

It only takes one site to compromise the user's machine if the user is running something exploitable. Surely the only

Re:

[Animats]

You can't rely on users not to do something stupid when the definition of 'stupid' gets wider and wider each year.

Of course it has to be automated. That's what we're working on. Our free browser plug-ins will be out shortly.

Re:

[Animats]

There's a tinyurl on the list, but I don't see how that would serve any good. It should be the site the tinyurl points to, no?

"tinyurl.com" and "notlong.com" are phishing magnets, because phishing filters don't typically block their domain. So phishing sites use them to bypass filters. Those services try to keep up with phish reports and block those URLs, but they're falling behind. We encourage them to automate the process; as soon as a URL appears in any of the major phishing databases (PhishTank, A

Limit the impact of compromized DSL/cable boxen?

[darkfire5252]

Here's a passing thought: I'm very against the practice of an ISP blocking incoming/outgoing ports as a general business practice, as this negatively affects the technically inclined users. However, what if an ISP had a default port 80 forward to their website, where the owner of the IP could authenticate and enable direct access to the port? That way, non-techie users don't serve up malware sites, and techie users can easily enable the service and go about their business.

Along the same lines, could this

No news is old news

[Anonymous Coward]

Noughtly, disclaimer: I work for a Trend competitor.

Firstly, everyone in this market puts out these sort of research reports - monthly, quarterly, annually, it varies - partly to inform and educate, but mostly for the PR value. Of course everyone sees much the same threat environment, so they're all much of a muchness, PR spin notwithstanding. I don't see my employers' annual threat survey on the Slashdot front page; hmmmm, maybe I should submit it? Or maybe not...

Secondly - "serve forth" PUH-leassseee.

This doesn't defy conventional wisdom

[iamacat]

A trustworthy website will remove malware after the first complaint and will give subsequent visitors a warning and a tool to remove the malware in question. There is still a risk, however the chance of encountering malware on a bank website is significantly less than 100% versus purposely malicious domains and the owner is spending effort to protect you rather than infect you.

Or you could just install all updates for your favorite OS or a 3rd party browser and virtually eliminate the chance of unintentionally installing a malware executable. Even IE7 is positively fascist when it comes to downloads and plugins these days.

Re:

[marzipanic]

Ah yes, Active X control etc, I like the fact and it is impressive, that Windows Defender (compulsory with Vista) blocks Windows Live Toolbar! A nation devided cannot stand.... Nothing beats common sense (trademarked) though does it?

Most of the hosts are not aware their site has been "infected" half of the time. I used a site regularly until one day it tried to download some malware in an iframe and an flv file. Not aware at all their site had got a problem.

Not helped by some people who use a certain

Re:

[iamacat]

I used a site regularly until one day it tried to download some malware in an iframe and an flv file.

Well, did you report the problem and see if you are taken seriously?

For that fact alone I refuse to bank online, I just feel safer. Call me old fashioned....

I rather prefer online bank robberies to regular ones.

Criminaly great offer

[Raphael Emportu]

I'm looking for contacts that leech gameboy roms and need to acquire large quantities of crack or hot radioactive material. This month I offer a free fully automatic handgun to spray your classroom with each order. -- Message protected by international copyright. (c) Crime.Inc 2008

The answer

[mach1980]

Don't know about you but I believe one aspect of the cyber-crime growth is peoples inclination to press hyper links named "compromised Web sites"

Truth wrapped up in FUD, and the way forward...

[argent]

I've been beating the drum about Internet Explorer and its deliberate malware distribution features like ActiveX for years. Over 10 years, in fact, since it was 1997 when Microsoft introduced Active Desktop...

When people tell me "oh yes, I use Internet Explorer, but I only visit well known websites I can trust" I have been able in some cases to convince them that thanks to forums and other sources of third party content even "trusted" websites can source malware.

Despite what Trend Micro suggests, the best approach to security is still taking proper care with the software you use. They talk about attacks on embedded devices like cellphones, but note that they're primarily talking about their potential as backdoors for infected files, not about their embedded browsers being attacked directly. Antivirus companies want antivirus software installed on everything... that's how they make money... but until they ship software that is purely a scanner and doesn't patch the OS you're more likely to have the AV software than any virus damage your PDA, cellphone, or non-Windows PC.

But taking care with the software you use DOESN'T mean only using bad software on good websites, but not using bad software at all. The best antivirus, then, is to avoid using software that deliberately includes backdoors to allow automatic installation and execution of unsandboxed code from websites. The poster boy for this insane design is, of course, Internet Explorer, which is actually built around this model and were Microsoft to fix it they would have to break a lot of working products. But there are similar design flaws, albeit ones not so automatically easy to exploit, in other browsers... for example Firefox and Safari will happily install code for you if the code is wrapped up in the appropriate package. In Firefox that package is the XPI... and I would recommend keeping the list of whitelisted sites in Firefox empty at all times. In Safari that package is the Dashboard widget, and the option 'Open "Safe" Files after downloading' which is now (thankfully) off by default in new installs (though it doesn't prevent Dashboard widgets from being installed).

And now Microsoft is pushing a cross-platform infection vector under the name Silverlight, and there's an open-source clone of it by the name "Moonlight" under development. Some days I despair, truly.

And no number of "I'm about to do something stupid, is this OK?" dialog boxes are good enough. After 20 years as a system administrator, the last several years of which were spent fighting an increasingly frustrating battle against malware riding on this misfeature of Microsoft's security model, I can only recall one time where someone was *twice* convinced to download and explicitly run an infected file from the shell... but I've repeatedly had people come to me saying "Peter... I clicked on the wrong button again, and my computer's acting funny".

If you're a software developer, and you find yourself adding an "I'm about to do something stupid" dialog... please reconsider whether it's actually necessary. It almost never is. People really would rather explicitly download and install a plugin, for example, than have the browser pop up annoying messages all the time. Really.

Safe to Play in Traffic

[Doc Ruby]

The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."

Yes, you're not in any greater risk hanging out in crackhouses, because even the banks you visit sometimes have dangerous bank robbers in them.

That statement is one of the stupidest analyses of relative risk that I've ever heard.

I can vouche for this story.

[singingjim1]

My girlfriend checks website links routinely in PDF documents as part of her work and her machine is routinely attacked my adware and malware by supposedly innocuous websites that are supposed to be related to educational institutions or professional, technical type organizations hosting white papers, and other such information. (yeah yeah, run on sentence, sue me) I'm guessing some of these sites have been compromised or intentionally corrupted by webmasters for personal gain. In my experience this stuff

What can I say?

[Colin Smith]

Javascripters building "enterprise" applications.

You get what you pay for.

   

Cybercrim tsunami (almast stay 1 ahead)

[LM741N]

The perfecr punishment: "Apps testing on Vista"

Poor Administration or Users

[PhilPSU]

Its really not quit as complex as most make it out to be.

1. If you are a system administrator it is your job to secure the system and take steps to prevent malware. Examples would be updating firefox and also becasue of IE's little active x trick restrict it through group policy " (Add-On managment and Restrict file downloads) both in group policy and have been since Server 2000". If you are not using it and have had a machine under your control infected with malware through the browser you have no one to b