Malware from the sites you trust

When we think of computer viruses and worms (also known as malware), the first things that usually come to mind are suspicious email attachments and shady websites. However, this association is becoming one of the biggest misconceptions in information security and no longer reflects the real situation.

A common question we hear from people with infected computers is “I visit only good sites. How in the world did I get a virus?” The answer can surprise some of them: FEW websites are truly safe and can guarantee malware-free web surfing. According to the Websense State of Internet Security, Q1-Q2 2009, 77% of web sites with malicious code are legitimate sites that have been compromised.

Malware creators take full advantage of trusted sites with good reputations and millions of visitors. How do they do it? They do it in such creative ways that these “good” sites unknowingly host malicious content.

One method often used to exploit a well-known website is to insert a small, simple piece of malicious code within the legitimate code. This may take the form of a hidden HTML iframe or a JavaScript snippet that causes your web browser to download malicious content from a completely different and not-so-trusted web server. In most cases site visitors have no idea that malware is being installed on their computer; sometimes they are instead invited to download a file that appears to be legitimate.
The following picture, provided in a Sophos white paper entitled “Not all malware detection is created equal,” shows an example of a web page compromised with (A) an iframe and (B) a script, either of which causes the browser to load content from the malicious site.
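As an added example (not part of the original article or the Sophos paper), the following Python script shows what a site owner can look for when checking their own pages for the kind of injection described above: iframes that are sized or styled to be invisible, and script or iframe tags whose source is a host other than the site's own. The page markup and the hostnames (example-shop.test, payload.example.test, cdn.partner.test) are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; all hostnames are hypothetical.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome to example-shop.test</h1>
<script src="/static/app.js"></script>
<iframe src="http://payload.example.test/x.php" width="0" height="0" style="display:none"></iframe>
<script src="http://cdn.partner.test/ads.js"></script>
</body></html>
"""


class InjectedContentFinder(HTMLParser):
    """Flags iframes that are visually hidden and script/iframe sources on other hosts."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (tag, src, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:
            return  # inline script or iframe without src: nothing to resolve
        host = urlparse(src).hostname  # None for relative URLs such as /static/app.js
        if host and host != self.site_host:
            self.findings.append((tag, src, "external host"))
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append((tag, src, "hidden iframe"))

    @staticmethod
    def _is_hidden(a):
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style


def find_injected_content(html, site_host):
    """Return the list of suspicious (tag, src, reason) tuples found in the page."""
    parser = InjectedContentFinder(site_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for tag, src, reason in find_injected_content(SAMPLE_PAGE, "example-shop.test"):
        print("%-7s %-40s %s" % (tag, src, reason))
```

The checker is deliberately simple: a legitimate third-party script (an analytics tag, for instance) will also be reported as an external host, so the output is a review list rather than a verdict. What it does reliably catch is the zero-sized, display:none iframe pattern from the figure, which has no legitimate reason to appear on a page.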

Another, more common way that hackers compromise a trusted web site is by exploiting vulnerable versions of web applications such as blogging platforms, content management systems and shopping cart applications. The technical terms for these exploits include SQL Injection, Cross-site Scripting and PHP File Include attacks, and these continue to be the three most popular techniques used for compromising web sites, according to the SANS Top Cyber Security Risks.

In a SQL injection attack, malware creators fill out user input form fields such as “log in” or “comments” with database commands that get them access to the website’s database and let them plant malicious code inside it. A successful SQL injection can be very powerful and can result in the hacker being able to read and modify sensitive data in the database, execute admin functions, issue commands to the operating system and ultimately redirect the site’s visitors to a malicious web server where they get infected with malware. This video demonstrates how SQL injection works:
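As an added example (not from the original article), the following Python code puts the vulnerable pattern beside its fix. The first login check builds the query by string formatting, so whatever the visitor types into the form field becomes part of the SQL statement; the second passes the same values as query parameters, so the database treats them as plain text. The in-memory SQLite table and the user record are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database with a single user (hypothetical credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Query assembled by string formatting: form input is parsed as SQL syntax."""
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Parameterised query: the driver binds the inputs as values, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # The classic tautology in the password field makes the WHERE clause always true
    # for the concatenated query, while the parameterised query simply fails the login.
    bad_input = "' OR '1'='1"
    print("vulnerable, correct password:", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injected input:  ", login_vulnerable(db, "alice", bad_input))
    print("safe, correct password:      ", login_safe(db, "alice", "correct horse"))
    print("safe, injected input:        ", login_safe(db, "alice", bad_input))
```

The design point is that parameter binding, not input filtering, is the fix: every modern database driver offers it, and it removes the whole class of attack rather than blocking one known payload.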

The Cross-Site Scripting attack is described here in a recent example of an attack on a very popular legitimate web site, reported by SC Magazine: “YouTube, iTunes hit in holiday attacks.”

In the next techniques, the websites willingly publish, or allow others to publish, rich content that comes from third-party advertisements and widgets and that contains malicious code.

Malvertising is a common venue for malware attacks. The legitimate site is part of a third-party ad network that rotates image or Flash ads across multiple web sites. A hacker plants a banner with hidden malicious code in the ad inventory, and this banner gets posted across multiple websites without any proper input validation. Visitors to these sites get infected with malware automatically and silently. Some 1.3 million malicious ads are viewed daily, according to a report by the web security firm Dasient.

Many websites utilize third-party widgets like traffic counters and e-commerce buttons. All a hacker needs to do is compromise the third-party host and place a piece of code into a widget. With a click of the hacker’s mouse, all websites using the infected widget can start serving malware to their visitors without knowing it.
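As an added example (not from the original article), the following Python code shows one mitigation a site owner has against a tampered third-party widget: pinning the script with a Subresource Integrity hash. The browser refuses to run a script whose body no longer matches the `integrity` attribute, so a change made on the widget host does not reach the site's visitors. The widget bodies and the hostname widgets.example.test are constructed for the demonstration; a real deployment would compute the hash over the vendor's actual file.

```python
import base64
import hashlib

# Constructed widget script bodies (hypothetical; not any real vendor's code).
WIDGET_ORIGINAL = b"window.visitorCounter = function () { /* count visits */ };\n"
WIDGET_TAMPERED = WIDGET_ORIGINAL + b"/* line appended after the widget host was compromised */\n"


def sri_hash(body: bytes) -> str:
    """Return the value browsers accept in a script tag's integrity attribute."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def integrity_matches(body: bytes, expected: str) -> bool:
    """True when the fetched body still hashes to the pinned value."""
    return sri_hash(body) == expected


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> element a site owner would paste in, pinned to the known body."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src,
        sri_hash(body),
    )


if __name__ == "__main__":
    pinned = sri_hash(WIDGET_ORIGINAL)
    print(script_tag("https://widgets.example.test/counter.js", WIDGET_ORIGINAL))
    print("original body accepted:", integrity_matches(WIDGET_ORIGINAL, pinned))
    print("tampered body accepted:", integrity_matches(WIDGET_TAMPERED, pinned))
```

The trade-off is operational: a legitimate widget update also changes the hash and breaks the tag until the site owner re-pins it, which is exactly the point, since a silent change on the third-party host is what this attack relies on.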

These are just several examples of how you can end up with a serious malware infection even while you thought you were surfing trusted websites.