Wednesday, January 23, 2008 10:55 AM
cmosby
Report: 51 Percent Of Malicious Web Sites Are Hacked - Security Fix
The number of legitimate Web sites that have been hacked and seeded with code that tries to infect visitors' PCs with malware now exceeds the number of sites specifically created by cyber criminals, according to a report released today.
San Diego-based security firm Websense says that roughly 51 percent of all the malicious sites it found in the second half of 2007 were legitimate sites that were compromised by attackers. Malicious, compromised Web sites are especially dangerous because they usually already have a steady stream of trusting visitors. Many of these visitors may not have the latest patches for their Web browser of choice.
The report, available here in PDF form, doesn't go into how the sites were hacked, but Web site hackers compromise sites pretty much the same way they do personal computers: through unpatched security holes. These can be flaws in the Web server software itself, vulnerabilities in some application that runs on top of the server, or weaknesses in a site's back-end database software.
Dan Hubbard, Websense's vice president of security research, said that at any given time there are about two million compromised and malicious sites online, and that slightly more than half of those are hacked sites that range from mom-and-pop type stores to household brand names. The company scans about 600 million sites per week for signs that the sites are trying to foist malicious software on visitors or redirect them to sites that will.
The report follows recent discoveries that almost 100,000 Web sites - including those of security company Computer Associates, the Commonwealth of Virginia and the City of Cleveland - were hacked via Web application vulnerabilities in an apparently coordinated attack. In that attack, the code stitched into hacked sites was designed to perpetrate click fraud and steal online gaming credentials.
All Web software applications have flaws, and all need to be updated from time to time to keep the site healthy and to keep opportunistic predators away. This is an easy enough concept to grasp, except for the poor guy who just got his Web site working exactly the way he wants it and has seen prior server upgrades and reboots break everything.
The trouble is that many of these vulnerabilities are in software that announces its version level in the Web site code itself, giving any hacker with even the slightest Google search skills the ability to find hundreds or thousands of vulnerable Web sites with a few clicks (Web masters who inadvertently advertise their site's vulnerability this way are known as "Googledorks," and there is an entire Web site dedicated to listing these unfortunate targets).
Indeed, Hubbard said, there are multiple online forums and discussion groups where members keep tabs on Web site vulnerability states and hosting providers that have known weaknesses, as well as those providers that have operational restrictions that limit their ability to respond quickly to abuse complaints.
"What bad guys do is keep lists of hosting facilities that are not good at [phishing site or malware site] takedowns," Hubbard said. "They'll keep track of which providers don't have after-hours or weekend support staff, or those who employ personnel who can't speak English."
If it were only a matter of educating a bunch of Googledorks, the situation might not be so bleak right now. The reality is that a great many compromised sites reside on shared servers run by hosting providers who are leasing the capacity from another hosting reseller, who in turn purchases the space from another reseller upstream, and so on. Figuring out whom to contact to notify the provider that they are hosting a hostile site can be a tedious task. Convincing some hosting providers that it's in their customers' best interests and the interests of the Internet as a whole to patch the applications provided to customers can be another challenge, as evidenced by an investigation Security Fix did last year into iPowerWeb, a hosting provider that has become known for hosting tens of thousands of hacked Web sites.
Hubbard said only about 30 percent of two million hostile sites drop off the list with any regularity: Infected legitimate sites with a fair number of regular visitors tend to get cleaned up pretty quickly, but others will languish on the company's blacklist for weeks or months at a time.
If you run a Web site and are looking for tools to help you test whether your site is vulnerable to known security holes, consider checking out some of these Web vulnerability scanning tools (many of them free).
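For site owners who want to see whether their own pages announce a software version in the way described above, here is a small self-audit sketch. It is an added example, not part of the original article or the Websense report; the product names, sample headers and sample HTML are constructed, and the list of banner headers is an assumption about where such strings commonly appear.

```python
import re
from html.parser import HTMLParser

# Product name followed by a dotted version number, e.g. "ExampleCMS 2.1.3".
VERSION_RE = re.compile(r"([A-Za-z][\w.+-]*(?: [A-Za-z][\w.+-]*)?)[ /]v?(\d+(?:\.\d+)+)")
BANNER_HEADERS = {"server", "x-powered-by", "x-generator"}  # assumed common banners

class DisclosureFinder(HTMLParser):
    """Collects places where a page states the software version it runs."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (location, text) tuples

    def _check(self, location, text):
        if text and VERSION_RE.search(text):
            self.findings.append((location, " ".join(text.split())))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self._check("meta generator", a.get("content"))

    def handle_comment(self, data):
        self._check("html comment", data)

    def handle_data(self, data):
        if "powered by" in data.lower():
            self._check("visible text", data)

def audit(headers, html):
    """Return version disclosures found in one response from your own site."""
    finder = DisclosureFinder()
    finder.feed(html)
    finder.close()
    for name, value in headers.items():
        if name.lower() in BANNER_HEADERS and VERSION_RE.search(value):
            finder.findings.append(("header " + name, value))
    return finder.findings

# Constructed sample response; "ExampleCMS" and "ExampleForum" are made-up products.
SAMPLE_HEADERS = {"Server": "Apache/2.0.52", "Content-Type": "text/html"}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="ExampleCMS 2.1.3">
<!-- template built with ExampleForum v1.4 -->
</head><body><p>Welcome to our store.</p>
<div id="footer">Powered by ExampleForum 1.4.2</div></body></html>"""

if __name__ == "__main__":
    for location, text in audit(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{location}: {text}")
```

Removing these strings does not fix an unpatched application; it only stops the page from advertising its version, so it complements patching rather than replacing it.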