At times it seems as if doing business on the Web means living with risk, for users and marketers alike. Threats come up and spread fear, uncertainty and doubt about the viability of a channel (spam in all its forms), the accuracy of baseline metrics (click fraud, cookie deletion) or the integrity of e-commerce (data protection). In some cases, more or less acceptable solutions are found. More likely, the bad actors simply move on to the next more lucrative scam.
A team of Google researchers decided to add to our collective cyber-nightmares last week with a report that measured the number of pages out there on the Web that are capable of delivering malware—software that can take over a computer or browser without a user’s permission or even knowledge, leaving it open for use in spreading what hackers term “exploits”: anything from relaying spam e-mail to spreading viruses or applications to capture personal data.
And it’s a big number. According to the Google team, one Web page in 10 is capable of activating malicious code, and 16% may contain code that could infect a user’s PC. And they’re being aided in the spread of that malware by the demand-side pull of Web 2.0 content such as video and browser widgets and pay-per-click advertising.
The researchers surveyed billions of sites to produce the report, titled “The Ghost in the Browser: Analysis of Web-based Malware” and did an intensive analysis of 4.5 million of those pages.
They found that about 450,000 of those Web pages were capable of performing “drive-by downloads”, installing malicious code automatically without a user’s knowledge or consent. Another 700,000 pages seemed to contain code that could impair or damage a PC or browser.
The malware under scrutiny can do anything from simply altering browser bookmarks or resetting a start page without permission to capturing a user’s keystrokes to steal passwords or other account information. Malicious code can also let perpetrators “hijack” a string of PCs and turn them into a large botnet that can operate by remote control to relay spam messaging.
The method of infection marks a shift away from traditional means of spreading bad code through e-mail attachments.
In many cases, the malware detected by the Google researchers resided in elements of the Web page that were not planned or under the control of the Web operator. For example, the report found that hijacking entire Web servers, on which pages are hosted, could inject malware into each of those pages before they were served to visitors.
Internet ads can also cause PC infection, the report says. Most Web publishers let trusted ad networks deliver the online ads to their pages. But occasionally these networks sub-syndicate some of that inventory to other ad suppliers who are not directly known to the Web publishers, and this can result in redirecting visitors who click through those ads to pages that download malicious software.
Pages that allow users to post content, such as blogs, bulletin boards and wikis, can also expose visitors to malware, especially when they’re not checked regularly for bad code. And the Google researchers found a number of widgets offered by third parties to Web developers that were also used to download unpermissioned software onto visitors’ computers. One widget acted as a simple Web page traffic counter from 2002 until 2006, when it abruptly started to download malicious JavaScript code to every visitor to pages using the counter.
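The common thread in the server, ad and widget cases above is content a publisher did not knowingly choose arriving from an origin it does not recognise. The following is an added illustration, not code from the Google report or from the publishers it describes: it inventories the external hosts a page pulls script, iframe, embed and object content from and flags any host that is not on the publisher's own allowlist. The page markup and host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes that pull executable or embedded content from another origin.
# Sub-syndicated ad slots and compromised widgets typically arrive through these.
REMOTE_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class RemoteContentCollector(HTMLParser):
    """Collects every external host referenced by script/iframe/embed/object tags."""

    def __init__(self):
        super().__init__()
        self.origins = []  # (tag, host) pairs in document order

    def handle_starttag(self, tag, attrs):
        attr_name = REMOTE_ATTRS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if not url:
            return
        parsed = urlparse(url)
        # Same-origin relative paths have no scheme or host and are not of interest here.
        if parsed.scheme in ("http", "https") and parsed.netloc:
            self.origins.append((tag, parsed.netloc.lower()))


def unknown_origins(html, allowlist):
    """Return (tag, host) pairs loaded from hosts the publisher has not approved.

    allowlist: hosts the publisher knowingly embeds (its own site, its known ad
    network, the widget vendor it signed up with). Anything else is surfaced for review.
    """
    collector = RemoteContentCollector()
    collector.feed(html)
    allowed = {host.lower() for host in allowlist}
    return [(tag, host) for tag, host in collector.origins if host not in allowed]


# Constructed sample page: the publisher's own script, a known traffic-counter widget,
# and two elements that a sub-syndicated ad or a turned widget might introduce.
SAMPLE_PAGE = """
<html><head>
<script src="https://www.example-publisher.test/site.js"></script>
<script src="http://counter.example-widget.test/count.js"></script>
</head><body>
<p>Article text</p>
<script src="http://cdn.unknown-supplier.test/ad.js"></script>
<iframe src="http://promo.unknown-supplier.test/frame.html" width="1" height="1"></iframe>
<iframe src="/local/frame.html"></iframe>
</body></html>
"""

PUBLISHER_ALLOWLIST = ["www.example-publisher.test", "counter.example-widget.test"]

if __name__ == "__main__":
    for tag, host in unknown_origins(SAMPLE_PAGE, PUBLISHER_ALLOWLIST):
        print(f"unapproved <{tag}> content from {host}")
```

Run periodically against a publisher's own served pages, a change in this list is the kind of signal that would have caught the traffic counter switching its payload in 2006.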
To install their malware on users’ computers, the bad guys can exploit unpatched weaknesses in widely used programs and tools such as QuickTime or Internet Explorer. They can also use “social engineering” to trick users into installing malware under a disguise. One example cited is showing visitors thumbnails of adult video titles and advising that Windows Media Player needs to download a missing codec to play the videos—a codec that is in fact malicious software.
Spyware may present a particular problem for Google and the other search networks. Late last month security software firm Exploit Prevention Labs found that Web operators were using Google AdWords pay-per-click ads to drive visitors to phishing sites that impersonated well-known brands. For example, EPL found that one in three times a Google search for “betterbusinessbureau” turned up a suspect pay-per-click ad in the top position.
The ad promised a link to the Better Business Bureau Web site. But users who clicked through were in fact redirected to a page hosted on a Russian server under the domain “smarttrack.org”. That page downloaded malware before sending them on instantaneously to the BBB site. In this case, the application was designed to inject extra code into the online response pages used by 100 banks. Users would be persuaded to enter extra information about their passwords, IDs, accounts, secret questions and other personal data, which would have been relayed to the hackers.
EPL reported that it had detected about 20 different search strings that resulted in links to pages operated by smarttrack.org, including “modern cars airbags required”.
But some commentators have suggested that Google should change some policies to give users more warning that the URL listed in a search ad may not be the one they’re headed to if they click. Right now, users can mouse over an organic search link and see the URL displayed in the status bar at the bottom of their browser screen. But mousing over a search ad reveals nothing.
Other observers have called for Google to be more diligent about checking the bona fides of marketers who set up AdWords accounts and start bidding on keywords.
Since last August, Google has posted an interstitial warning notice to searchers who click on a link the engine thinks runs a high risk of containing malware: “The site you are about to visit may harm your computer!” They’re also given a link to StopBadWare.org, an information clearinghouse for malware threats of which Google is a corporate sponsor. The warning page suggests they try another search result or a whole other search; but it also lets them continue to the page they first selected.
Since it was first deployed, the warning page has produced a pretty steady stream of protests from Web operators who maintain that their sites are harmless. On the other hand, a December 2006 report from the SiteAdvisor division of security software maker McAfee found that only 18% of the Google general search results containing malware were preceded by the warning page.