October 27, 2009 8:00 AM PDT

Web-based malware infections rise rapidly, stats show

by Elinor Mills

The number of Web sites hosting malicious software, either intentionally or unwittingly, is rising rapidly, according to statistics from Dasient due to be released on Tuesday.

More than 640,000 Web sites and about 5.8 million pages are infected with malware, according to Dasient, which was founded by former Googlers to offer services to help Web sites stay malware-free and off blacklists.

That figure for infected pages is nearly double what Microsoft estimated in a report in April.

Meanwhile, the Google blacklist of malware-infected sites has more than doubled in the last year, registering as many as 40,000 new sites in one week.

Dasient identified more than 52,000 Web-based malware infections, bringing the total to more than 72,000 unique infections logged by the company since it launched its malware analysis platform early this year.

Infections on newly compromised sites that have 10 pages or more spread to nearly one quarter of the pages on the site, on average. Nearly 40 percent of the infected sites were later reinfected.
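One way a site owner catches the spread across pages and the reinfection the figures describe is a file-integrity baseline: hash every file under the web root while the site is known to be clean, then re-hash on a schedule and report anything added or changed. The following Python is an added example, not Dasient's product and not code from the article; the web root, its three pages and the "compromise" are constructed in a temporary directory so that it runs offline.

```python
"""Detect added or modified files under a web root by comparing SHA-256 manifests.

Added example (not Dasient's or CNET's code). The demo web root and its
"infection" are constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map relative POSIX path -> SHA-256 hex digest for every regular file under root.

    Symlinks are skipped so a planted link cannot make the walk leave the web root.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a small site, snapshot it, simulate an injection, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>hello</body></html>")
        (root / "about.html").write_text("<html><body>about</body></html>")
        (root / "js" / "app.js").write_text("console.log('app');")

        # Baseline taken while the site is known clean; in practice store it
        # off the web host so an attacker cannot rewrite it along with the pages.
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(hash_tree(root), baseline_file)

        # Constructed compromise: an iframe appended to every page, plus a dropped file.
        for page in root.glob("*.html"):
            page.write_text(page.read_text()
                            + '<iframe src="http://attacker.invalid/" width="1" height="1"></iframe>')
        (root / "js" / "dropper.php").write_text("<?php /* constructed placeholder */ ?>")

        return diff_manifests(load_manifest(baseline_file), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check only tells you that something changed, not what; the "modified" list is the set of pages to inspect for the injected script or iframe, and the baseline must be re-taken after every legitimate deploy or it will drown in false positives. It also does not see content injected at request time (for example by a compromised ad server), which a static file hash cannot catch.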

Most of the infections are carried out by injecting JavaScript or iframes into legitimate sites, which account for nearly 55 percent and 37 percent of cases respectively, said Dasient co-founder Neil Daswani.

The statistics illustrate the growing trend of attackers targeting browsers and Web applications: SQL injection, cross-site scripting and similar flaws are used to plant the script or iframe on a legitimate site, and that injected content then pulls in exploit code that can lead to drive-by downloads on visitors' machines. Infections can come from anywhere on a site, including widgets and ads.
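The injected script and iframe that the two preceding paragraphs describe have a recognisable shape on the page: a frame sized 1x1 or hidden by CSS pointing at an off-site host, or an inline script that evals a decoded string. The scanner below is an added example written for this article, not Dasient's product or code from the page; the trusted-host allowlist, the sample page and the obfuscation patterns are constructed for illustration, and the patterns are heuristics that catch the common loader shapes, not a complete detector.

```python
"""Flag injected iframes and obfuscated scripts in an HTML page.

Added example (not Dasient's or CNET's code). The trusted-host allowlist and
the sample page below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this site legitimately loads scripts and frames from.
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}

# Heuristics typical of injected loader scripts: eval over a decoded string,
# document.write of escaped markup, or long runs of escaped bytes.
OBFUSCATION_PATTERNS = [
    re.compile(r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)", re.I),
    re.compile(r"document\.write\s*\(\s*unescape", re.I),
    re.compile(r"(?:\\x[0-9a-f]{2}){20,}", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),
]


def _host(url):
    """Hostname of an absolute or protocol-relative URL; None for relative or empty ones."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def _tiny(value):
    """True for a width/height attribute of 0 to 2 pixels (the classic 1x1 frame)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 2


class InjectionScanner(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []          # (element, src, reason)
        self._in_script = False
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            reasons = []
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by CSS")
            if _tiny(a.get("width", "")) or _tiny(a.get("height", "")):
                reasons.append("tiny frame %sx%s" % (a.get("width", "?"), a.get("height", "?")))
            host = _host(a.get("src", ""))
            if host and host not in self.trusted_hosts:
                reasons.append("off-site src " + host)
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), "; ".join(reasons)))
        elif tag == "script":
            self._in_script = True
            self._script_chunks = []
            host = _host(a.get("src", ""))
            if host and host not in self.trusted_hosts:
                self.findings.append(("script", a["src"], "off-site src " + host))

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data verbatim (CDATA mode).
        if self._in_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_chunks)
            if any(p.search(body) for p in OBFUSCATION_PATTERNS):
                self.findings.append(("script", "inline", "obfuscated inline script"))
            self._in_script = False


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (element, src, reason) findings for one page."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate script, one injected loader, one hidden iframe.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/site.js"></script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%22%29'))</script>
</head><body>
<p>Welcome to the site.</p>
<iframe src="http://attacker.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for element, src, reason in scan_html(SAMPLE_PAGE):
        print(f"{element:7} {src:40} {reason}")
```

Run it over pages fetched from your own site (and over the served HTML, not just the files on disk, so that content added by a compromised ad or widget is included). Anything that trips the off-site check on a host you do not recognise, or an inline script matching the obfuscation patterns, is worth a manual look; legitimate minified libraries can also match the escaped-byte patterns, so treat the output as a triage list rather than a verdict.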

Dasient will be providing a top 10 list of Web-based malware attacks for each week and other trend information, as well as publishing information about new infections via a Twitter feed.

Dasient is sharing information on the top Web-based malware infections with Web site owners.

(Credit: Dasient)

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by Random_Walk October 27, 2009 8:19 AM PDT
Question: Will they get around to doing a breakdown as to type of malware, OSes targeted (well, we pretty much can guess at that), and/or type of infected site (PHP, ASP, what?)

That would be (IMHO) more useful than merely counting pages.
by pentest October 27, 2009 2:07 PM PDT
I would like to see those stats as well. My guess is that PHP leads the list as it is such a crappy language full of holes. ASP is likely #2. Those two scabs should end up with the bulk of the infections.
by n3td3v October 27, 2009 8:51 AM PDT
It was rising rapidly 10 years ago, it was rising rapidly 5 years ago. It's rising rapidly now, it will be rising rapidly in 5 years' time and it will be rising rapidly in 10 years' time. This is "vendor-speak" to get folks to buy anti-malware products, I'm falling into a deep sleep.
by cvaldes1831 October 27, 2009 9:01 AM PDT
Security is the primary reason why I block ads. I start at the router (DNS cache poisoning script) and augment with browser-based software when applicable (AdBlock Plus on Firefox, NoScript).

Even common sense and cautious use will not protect you against drive-by infections.
by rmullen0 October 27, 2009 1:10 PM PDT
I don't think Web 2.0 is helping anything. If anything, it will make it worse. IMHO, you should NOT have to have JavaScript enabled AT ALL. Nor, should you have to use any other proprietary plug-ins like Flash.
by Lerianis3 October 27, 2009 2:36 PM PDT
rmullen0, you are living in a dream world. The fact is that some things cannot be done using the regular HTML functionality, like flash games. And, need I remind you that people CHOOSE to install these things.

The real issue is that these websites when they are found to be hosting malware are not IMMEDIATELY shut down and access blocked to them by the ISP that is hosting the site. That should be done immediately.
by rshah29 October 27, 2009 9:04 AM PDT
Here's a stupid question: does malware affect Windows and Mac units the same? Since both platforms visit the same website, I assume the "Macs don't get viruses" theory doesn't hold with this?
by ballmerisanape October 27, 2009 9:10 AM PDT
Well.. they don't literally get viruses (self-replicating program). They (Macs) can get drive-by malware... as long as it is targeted toward them. The last proof of concept was exploited java and required no user interaction (other than visiting the site) to run. There are also key-loggers and such for the Mac.. but you have to be an administrator to install them (download/enter password/install).
by renGek October 27, 2009 10:30 AM PDT
It could be more vanilla than that. We are assuming malware from a site getting into your PC. But really, they are also talking about legit sites being infiltrated by malware.

So when you go to a legit site thinking it's legit and enter your credit card info, the info is getting recorded by the malware. It would make no difference what OS you are using in that case.
by redmarine October 27, 2009 10:02 AM PDT
Good thing I have AdBlock Plus. :P

Might consider getting Kaspersky as well.
by mjconver October 27, 2009 10:37 AM PDT
Not much of a site. "Top threats this week" goes to http://dasient.com/infection_library_index, which is a dead link.
by tom_k_underwood October 27, 2009 6:49 PM PDT
When I click "Top threats this week" it takes me to http://wam.dasient.com/wam/infection_library_index which seems to work.
by nrg.dude October 27, 2009 12:25 PM PDT
If they know which sites host malware, they should block them at the DNS servers. You don't stop known criminals from robbing you by continuing to let them wander the streets and trusting your rusty door locks to keep them out. Fortunately, it looks like Cisco might be headed in that direction.
by Lerianis3 October 27, 2009 2:37 PM PDT
Ah, but if Cisco DOES start doing this, the fact is that many people will be upset because: 1. They didn't know that their site had malware/spyware on it, 2. These people will just get a NEW site with a random name, and 3. You can only pour resources into this for so long before it becomes a 'money hole'.
by Joseph Emmanuel October 27, 2009 1:03 PM PDT
How do you stop viruses from infecting your website?

I will also Google this question :).
by pentest October 27, 2009 2:10 PM PDT
1. Don't use Microsoft servers and web APIs
2. Don't use PHP
3. Follow standard hardening practices.

It won't make you 100% secure, but it will make the bad guys move on.
by Lerianis3 October 27, 2009 2:38 PM PDT
Actually, Microsoft servers and web API's are just fine. The real issue is other stuff like PHP, which Microsoft has nothing to do with, and other programming languages, some of which Microsoft does have a lot to do with.
by igl00lgi October 27, 2009 8:34 PM PDT
"Actually, Microsoft servers and web API's are just fine. ", ignorant.
"It won't make you 100% secure,but it will make the bad guys move on," ignorant with the exception of "It won't make you 100% secure."
"The real issue is other stuff like PHP..." ignorant.

Beware who you take advice from.
by kaiman75 October 27, 2009 2:32 PM PDT
@pentest

Why so hard on PHP? Or is the fact that you don't know how to develop PHP websites to be secure? The fact is that .NET, JSP, etc all have their fair share of security holes too...

Because most of these trojans are executed in the browser on the client side (JavaScript, iFrame, ActiveX, Java), they are more than likely the result of cross-site scripting techniques that have more to do with account security than any one programming language running on the server.

Plugins like Adobe, Flash, and others don't help this fact... but don't blame it on PHP, blame it on poor security measures by hosting companies and their clients...
by igl00lgi October 27, 2009 8:36 PM PDT
Finally someone that actually knows what they are talking about.
by askgees October 27, 2009 2:44 PM PDT
There's only one way to deal with this issue. InterNIC or ICANN needs the authority to turn off their upstream, basically taking them off of the web until their systems are cleaned, confirmed, then turned back on. Anything else is like pi$$ing in the wind.
by Larsd01 October 27, 2009 3:11 PM PDT
What I would like to know is, How can the END-user protect him/herself?
Common sense only goes so far - it won't protect you from problems on a legitimate (but infected) site.
Disabling Java, Flash, Adobe, etc. just won't work: end-users want to see their movies, games, pdf documents or whatever and simply refuse to run their browser in a mode that can't display half of their favourite websites.
Installing things like Adblock Plus and Noscript works fine for me since I run Firefox but most of the calls I get are from novice users who run Internet Exploder. Few run Firefox and those often don't have a clue about plug-ins.
Isn't there some product any end-user (even someone like grandma) can install to keep him/herself safe? By now, almost everyone I am dealing with has been educated to run, at a minimum, an antivirus program but I don't have a decent "grandma approved" solution to keep them safe from the dangers of the web.
by SteamChip October 28, 2009 8:05 AM PDT
I have the same observations. It takes a fair degree of technical skill to surf "web-safe"
Grandma is ultimately doomed unless another solution presents itself
by flared0ne October 28, 2009 11:30 AM PDT
I've encountered a few occurrences of infected sites -- usually traceable to 3rd-party ad-servers executing scripted attacks. There are a handful of sites that I go to regularly where I automatically "suit up" by going into config files and disabling all scripting -- oddly enough, those sites tend to load much faster (without the third-party ad-server access hits and delay times) and I'm not missing much...

The other thing I've done, with surprisingly revealing results, has been to put the URL string ".ru" into my blocked site list -- I've never noticed it interfering with anything legitimate that I cared about, and my security logs sometimes strongly indicate "wow, dodged a bullet visiting THAT site"... And if/when I report the incident to the pertinent website management, the response is generally both excited and thankful.
by sophosuser October 30, 2009 11:50 AM PDT
The scary thing about these web threats is that they're being hosted on perfectly (seemingly) legitimate sites. A standard URL filter will not protect an end-user from becoming infected. You need some layer of content scanning to ensure that even when allowed sites are visited the content is scanned. This applies to any consumer product as well. If your home systems are protected with URL filters be sure that you also have some content or at the very least pro-active (zero day) real time file scanning enabled. URL filters alone are not nearly enough.

Mike Donnelly, Security Analyst Sophos
About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.