Security

Guess what? Your favorite websites are more likely to serve malware than p0rn sites

A new report may change your perception of websites and malware. Michael P. Kassner ferrets out what Cisco is excited about.

The web is the most formidable malware delivery mechanism we've seen to date, outpacing even the most prolific worm or virus in its ability to reach -- and infect -- a mass audience silently and effectively.

That's from the 2013 Cisco Annual Security Report. A bit further in the paper I ran across something that is equally troubling:

Many security professionals -- and certainly a large community of online users -- hold preconceived ideas about where people are most likely to stumble across dangerous web malware.

That comment was of interest to me on several levels. Although I do not consider myself a security professional, I report what they say. And, I am an online user, so the comment had me wondering. Finally, the company I work for recently rolled out an enterprise-wide website blacklist. And if the people creating and selling blacklists are basing their choices on bad assumptions, the blacklist is nothing more than an annoyance.

Preconceived ideas?

Let's see whether you hold any preconceived ideas. Which websites would you pick as the ones most likely to serve malware? It seems logical to choose shady sites, you know, the ones selling illegal pharmaceuticals, fake Rolex watches, or p0rn sites.

If those were your choices as well, then we are both wrong. Cisco reports:

Our data reveals the truth of this outdated notion, as web malware encounters are typically not the by-product of "bad" sites in today's threat landscape. Web malware encounters occur everywhere people visit on the Internet -- including the most legitimate of websites they visit frequently, even for business purposes.

The following slide from the report shows the different kinds of websites, and their likelihood of serving malware to unsuspecting visitors.

Source: Cisco

Dynamic Content websites and Content Delivery Networks take top honors at 18-plus percent. I wasn't sure what Dynamic Content or Content Delivery Networks meant, so I checked with Wikipedia:

  • Dynamic webpage: A dynamic web page is a kind of web page that has been prepared with fresh information (content and/or layout), for each individual.
  • Content Delivery Network: A large distributed system of servers deployed in multiple data centers in the Internet. The goal of a Content Delivery Network is to serve content to end-users with high availability and high performance.

To drive home the point, Cisco then looks at the most popular online applications (social networks and online video, for example), and the percentage of malware exposure encountered by each type.

I noticed search engines have made both slides. Hmmm.

Who's at fault?

Cisco was quick to point out that the websites it researched were not intentionally serving malware. But I am not willing to let the developers and website owners off entirely. The report points out:

Exploits remain a significant cause of infection via the web, and their continued presence underscores the need for vendors to adopt security best practices in their product life cycles. Organizations should focus on security as part of the product design and development process, with timely vulnerability disclosures, and prompt/regular patch cycles.

It sounds like there's blame enough to go around. System administrators responsible for web servers and those responsible for client workstations are both battling vulnerabilities, and the never-ending struggle to keep everything as up to date as possible.

Next target of opportunity

Cisco offered an opinion as to what most likely will be the bad guys' next target of opportunity:

The challenge of securing a wide range of applications, devices, and users -- whether in an "any-to-any" or Internet of Everything context -- is made tougher by the popularity of the cloud as a means of managing enterprise systems.

The report continues, explaining why:

Addressing security challenges presented by virtualization and the cloud requires rethinking security postures to reflect this new paradigm -- perimeter-based controls and old models of access and containment need to be changed to secure the new business model.

Final thoughts

What Cisco found is important. Unbeknownst to you, me, our favorite website's developer, and the website's owner, the website could be serving malware. And, if you happen to be vulnerable to the malware's exploit kit, you're going to get it.

My first run-in with website-based malware was during my research for Malvertising: Adverts that bite (June 2011). It seems the bad guys have spent the last 18 months fine-tuning their craft.

I'd like to extend my thanks to Cisco for their report, and use of slides in the report.


36 comments
arun

I bookmarked it. I'm gonna share this with my friends. Thanks for your advice. I learned some new things to protect my website.

JeffDeWitt

The other night I was checking some news sites and SodaHead and Avast started popping up these malware warnings. It looked like whatever was getting Avast upset was in one of the advertising links and it was being picked up even though I hadn't clicked on the links. Last night everything seemed to be back to normal.

Slayer_

I just got my first virus in years thanks to your advice!

dcolbert
dcolbert

The thing about the figures in this graphic is that I don't see a granular breakdown of what Dynamic Content and Content Delivery Networks comprise. I'm thinking that Dynamic Content and Content Delivery are probably drivers in the Pr0n industry, because it seems unlikely that delivery vectors like Games and Health and Nutrition would show up as individual categories and porn would be entirely absent.

Slayer_

Did the study mention some safe ones?

lehnerus2000

I've been saying this for the last couple of years.

Edward D
Edward D

Thanks, Michael. This was a disturbing report. If I understand the message clearly, websites that have been considered "trustworthy" by (a sort of) default mentality can be hacked (perhaps that is not the right word) to deliver malware. Who can we trust? Do you know of any major industries, banks for example, that may have been affected? Ed

JCitizen
JCitizen

Krebs would be a good source to watch for TR member Edward DeRosier; he could get a pretty good picture of how to assess a bank site's (or other vendor's) trustworthiness.

JCitizen

so that, at least, the vector isn't as likely a malvertisement.

Michael Kassner
Michael Kassner

There is some malware that will activate just by being open on a web page, and then there is some that will activate if the arrow happens to be in the vicinity.

Michael Kassner
Michael Kassner

For that I must apologize, although I have enough wiggle room in the title's word choice to technically not be the one to blame. How's that for trying to escape?

Michael Kassner
Michael Kassner

It is my understanding that those two entities are related to the ad networks that push adverts to websites. The problem is that the website developer is not aware of malware being served, as the content is independent of his server and code. The most talked-about case of this was the New York Times.

Michael Kassner
Michael Kassner

Who would be the first to say that? Congratulations.

JCitizen
JCitizen

The news kept reporting increasing numbers of legitimate websites being infected with drive-by malware; it went from the tens of thousands to hundreds of thousands within just two years. So this news is not quite as shocking, to me anyway.

Michael Kassner
Michael Kassner

Malware from advertising networks was the initial attack vehicle, as website developers had no control over what ads were being shown.

Michael Kassner
Michael Kassner

The bad guys try hard to keep their malcode as inconspicuous as possible, so it is hard to say which sites are affected. The best thing you can do is make sure your computer's operating system and application software are up to date. There are other options, but they sacrifice convenience. I wrote about banks and malware a few years ago, but some of it is still relevant: http://www.techrepublic.com/blog/security/on-line-banking-how-safe-is-it/2409

Michael Kassner

It would be interesting to see how ad blockers distinguish website traffic from ad network traffic.

dcolbert
dcolbert

Not that I have any familiarity with the industry, but I think that a lot of porn outlets actually pioneered this method of affiliate and referral content linking. I think you're right; it is an inherent risk in the fact that these are supposed to be trusted networks of partner sites sharing content with one another, and so mainstream sites you wouldn't expect deliver malware and viruses through this vector as well. I just think this segment of the infographic folds legitimate sites in with the NSFW ones. I'll give you another example somewhere between porn sites and respectable mainstream sites... You ever get sidetracked by those "Trending on the Web" sidebars that deliver external content that is usually sensational, tabloid-style stories? Things like a red circle around a portion of a frame from a movie like Harry Potter, or a story like, "10 things girls don't know they're doing wrong in bed"... Those use the same basic methodology of delivering content that we're talking about here, and those will quickly get you into networks of affiliates that are rife with malware. Those don't really show up as an individual category here, either... but I think it is because they're all included in the two categories you define.

Michael Kassner

Advertising networks hit the New York Times and other big name sites, but I did not realize the extent portrayed by the Cisco report.

JCitizen
JCitizen

I was just accosted by a popup that insisted I click a box to confirm my membership! I tried reloading the page, but was kicked off TR, and had to navigate back to this article from a Bing search! Maybe TR is the new watering hole for malware writers? Good thing I have EMET configured! Anyway, I just wanted to add that lately it has become very difficult to acquire zero-day exploits from the usual resources. When fellow honeypot testers started getting no bites from the usual websites, they had to change tactics, because the old way of doing it resulted in dead links or failed to extract truly zero-day bugs. Now the best source is to get a junk email account and simply open as many spam attachments as you can, to throw at the VM environment for testing. This has just been in the last two months, so Michael, your Cisco guys are right: the threatscape is constantly changing, and trying to keep up with it is like bobbing around in a storm on a piece of wooden flotsam from the last shipwreck I was on! I couldn't agree more with their assessment.

JCitizen
JCitizen

I know that, as well as a hosts file, MBAM will block IP addresses it deems malicious. This could be why things get boring when doing work on honeypots. But you have to test the defenses and give them a chance to work. Testers sometimes have to turn off the protections that the Internet Explorer browser already supplies to get a reaction to the particular solution they are testing. I would say IE 9 blocks about 85% of the zero-day exploits right off the bat, using already-known built-in protections. It can be real work getting a hit sometimes. I'd say that happens to me occasionally, as well, running under my normal workload. Of course my email clients block most threats in my inbox, so I rarely get a hit that way, just by accident.

Slayer_

There goes my reading comprehension.

CharlieSpencer

I'm waiting for -1 votes to require a comment, or at least the voter's member name.

JCitizen

Inquiring minds want to know!?! LOL! :^0

Michael Kassner

I was making an assumption as it seemed that way to me. I should know better.

CharlieSpencer
CharlieSpencer

That's par for the course. I see that periodically, usually in conjunction with a variety of other site misbehaviors. Michael, I don't think it's any kind of scheduled account check. I usually log on to TR on a Monday and don't log off until Friday. Sometimes I'll go for several weeks without seeing this problem; when it happens, I'll see it several times in an afternoon.

Michael Kassner
Michael Kassner

I believe it might be just a check of your login information.
