
Google, "The Ghost in the Browser": The Good NEWS and the Bad NEWS...

05.16.2007 - 3:11 PM

Recently, researchers at Google released a paper at the Usenix conference titled “The Ghost in the Browser”.

See: http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf

The paper outlines a research effort at Google that spanned several months analyzing websites, their content, and the amount of malicious code discovered within those sites. It highlights the significant shift toward, and increase in, the web as an attack vector, and it was well presented. Security research in this area is particularly important given the volume and sophistication of web attacks, and it is encouraging to see a major search engine player researching these issues.

The paper has garnered a lot of media attention, and we believe much of that coverage overstated the problem and misrepresented some of the statistics.

The Good NEWS

Several media reports used headlines similar to “10% of sites are Dangerous” and “Google finds 10% of sites are malware laced”. The headlines and reports read as though 10% of the websites on the entire Internet contain malicious code. We believe the report does not portray this as an overall percentage of websites; it is the proportion of sites that matched a pre-qualified list of candidate URLs.

The good NEWS is that 10% of the *entire* web does not contain malicious code.

The BAD NEWS

As previously mentioned, we encourage this type of research and were happy to see Google spending resources on investigating the very serious problem of web-borne attacks. Not only is the number of sites hosting malicious code rising, but the number of samples on those sites is increasing, the sophistication of the attacks is rising, and the coverage of traditional signature-based technologies is declining.

The BAD NEWS is that Google only covered the tip of the iceberg in the study. While 10% of the entire web is not plagued with malicious code, the situation is indeed getting worse. The report did a good job of representing the data that Google collected and researched; however, other areas of web attacks need to be mentioned alongside search engine queries. The following are *some* (note: not all) of the methods we see on a daily basis with our ThreatSeeker™ technology, which mines more than 90 million websites every 24 hours and performs advanced reputation analysis on an additional 10 million sites, domains, IP addresses, and networks per day.

Additional Web Attack Method Examples:

  • Email and Instant Messaging lures
  • Deception attacks that use social engineering to gather data from the user
  • Deception attacks that entice users to run malicious code without an exploit
  • Compromising well-known sites with malicious code for a short period of time
  • Typo-attacks on popular domain names
  • Update sites that act as a central hub for Trojan Downloaders to get refreshed

An Example

A very recent example that we discovered is an attack on the Google brand itself. Since this site contains no exploit code, we are comfortable publishing the URL itself. However, we do not recommend connecting to this site unless you are a security professional!

The site Gooogle.bz has been online for a while now and continues to attempt to spread code to users who connect to it. The site poses as Google Italy. As the screenshots below show, users who connect to Gooogle.bz are asked to download and install a “google video player”. The site itself uses no exploit code whatsoever, but it has an ActiveX CLASSID that prompts visitors to install the code. The actual binary download is a file named “sert.exe”. This file is a piece of adware, not a video player. If users install it, code is installed that changes the default homepage on the machine, and advertisements display in popup windows when users search. Often these popup windows include adult content related sites.
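As an added illustration of the typo-attack technique this example describes (this code is not from Websense or from the Google paper), the following Python flags hostnames that are one edit away from a watched brand label, which is how a registration like gooogle.bz stands out against "google". The brand list and the public-suffix list are constructed for the example; a real deployment would load both from a maintained source.

```python
# Added example: flag hostnames that are typo-variants of a watched brand.
from typing import Optional

# Constructed for this example; not an authoritative brand or suffix list.
WATCHED_BRANDS = ("google", "websense")
KNOWN_SUFFIXES = ("com", "bz", "it", "net", "org")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            # Adjacent transposition, e.g. "goolge" vs "google".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def registrable_label(host: str) -> str:
    """Strip the public suffix and any subdomains: 'www.gooogle.bz' -> 'gooogle'."""
    labels = host.lower().rstrip(".").split(".")
    while len(labels) > 1 and labels[-1] in KNOWN_SUFFIXES:
        labels.pop()
    return labels[-1]


def typosquat_of(host: str) -> Optional[str]:
    """Return the brand a hostname imitates, or None if it is the brand itself or unrelated."""
    label = registrable_label(host)
    for brand in WATCHED_BRANDS:
        if label == brand:
            return None  # the genuine brand label: nothing to flag here
        if edit_distance(label, brand) == 1:
            return brand
    return None
```

The same check can be run over DNS query logs or newly registered domain feeds to surface look-alike hostnames before users reach them.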

The replaced homepage also asks users to install another piece of code, which installs a Trojan horse/adware with the filename “ExactSearch”. There is also a file called linkpal.exe which attempts to change your machine's security zone settings.

Screenshot 1: The main page (image not included in this copy)

Screenshot 2: Deception to attract download and installation (image not included in this copy)

Screenshot 3: Post-infection popup window example (image not included in this copy)

Screenshot 4: Homepage modified on reboot and new deception attempt to install code (image not included in this copy)
