You probably know that out there in cyberspace there are web sites designed specifically to infect you with some kind of malware. You’re not worried because, well, you don’t visit those kinds of sites. You confine your web surfing to safe places: the companies you deal with regularly and dependable sites like Google and Yahoo. And when you go surfing for yourself, whether at home or at work, you only go down well-trodden paths to sites like CNN, Amazon, eBay or YouTube. So why would there be anything to worry about?
The truth is that even if you have a usage profile like the one I described, you can get stung – and maybe you’ll never even guess that it happened until you feel the sting. Here’s how it could happen. A hacker sets up a spoof web site consisting of a few pages copied from a site that you visit regularly, and then hacks into a DNS server that you pass through in order to reach that site. The hacker changes the DNS server’s cached IP addresses so that they point you at the spoof site. When you visit the spoof site it infects you with malware using one of two methods.
a) The “web site that you trust” convinces you to do something that seems innocuous but which actually runs an ActiveX control or some Ajax code that puts malware on your PC.
b) The web site exploits a security hole in your browser (old versions of Microsoft Internet Explorer are particularly vulnerable) to change its security settings and then download malware onto your PC.
There are lots of variations on this idea, but in essence it involves exploiting your trust in dependable web sites to fool you.
Web sites didn’t use to be particularly dangerous as infection sources, but because of the functionality of some Web 2.0 capabilities it is far more likely that you will interact with a web site and thus it is easier for a hacker to fool you. Most people are wise enough to suspect phishing emails that direct them to spoof web sites although phishing in this way is still very successful. However, “poisoning the cache” in a DNS server is incredibly cunning. The perpetrator only needs to put up a single spoofed web page and you’ll probably never know it.
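The DNS cache-poisoning step described above works only if the resolver accepts a forged answer and stores it. The following is an added example, not code from the article or from any vendor it names: it builds a couple of constructed DNS response messages in Python and applies the two checks a caching resolver uses to refuse injected records, namely that the transaction ID and question match an outstanding query, and that every record lies inside the zone (the "bailiwick") the queried server is authoritative for. All names and addresses are constructed for the example (example.com, 192.0.2.x and 203.0.113.x are reserved documentation values); the message builder does not use DNS name compression.

```python
import struct

# --- building DNS messages (constructed sample traffic, no network used) ---

def build_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_a_record(name, ip, ttl=300):
    """One A record: NAME TYPE=1 CLASS=1 TTL RDLENGTH=4 RDATA=IPv4."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return build_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata

def build_response(txid, qname, answers, additional=()):
    """A standard response (flags 0x8180) to an A query for qname.
    answers/additional are lists of (name, ipv4) pairs."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    question = build_name(qname) + struct.pack("!HH", 1, 1)
    records = b"".join(build_a_record(n, ip) for n, ip in answers)
    records += b"".join(build_a_record(n, ip) for n, ip in additional)
    return header + question + records

# --- parsing ---

def parse_name(msg, off):
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_response(msg):
    """Return (txid, qname, [(section, name, rtype, rdata), ...]) for a
    single-question message."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = parse_name(msg, off)
    off += 4  # skip QTYPE / QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = parse_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return txid, qname, records

# --- the resolver-side checks ---

def in_bailiwick(name, zone):
    """True if name is the zone itself or a subdomain of it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def vet_response(pending, msg, zone):
    """pending maps outstanding transaction ids to the name that was queried;
    zone is the zone the server we asked is authoritative for.
    Returns (records safe to cache, reasons for anything refused)."""
    txid, qname, records = parse_response(msg)
    if pending.get(txid, "").lower() != qname.lower():
        # Unsolicited or mismatched reply: drop the whole message.
        return [], ["transaction id or question does not match an outstanding query"]
    accepted, rejected = [], []
    for section, name, rtype, rdata in records:
        if in_bailiwick(name, zone):
            accepted.append((name, rtype, rdata))
        else:
            rejected.append(f"{section} record for {name} is outside zone {zone}")
    return accepted, rejected

def demo():
    """Three constructed replies to a query for www.example.com sent to the
    example.com name server."""
    pending = {0x1234: "www.example.com"}
    genuine = build_response(0x1234, "www.example.com",
                             [("www.example.com", "192.0.2.10")])
    # Forged reply with a matching id but an extra record for another zone
    # riding in the additional section.
    injected = build_response(0x1234, "www.example.com",
                              [("www.example.com", "192.0.2.10")],
                              additional=[("www.example.net", "203.0.113.5")])
    # Forged reply whose transaction id does not match anything outstanding.
    stray = build_response(0x4321, "www.example.com",
                           [("www.example.com", "203.0.113.5")])
    return {name: vet_response(pending, msg, "example.com")
            for name, msg in (("genuine", genuine), ("injected", injected), ("stray", stray))}

if __name__ == "__main__":
    for name, (accepted, rejected) in demo().items():
        print(name, "cached:", [(n, r) for n, _, r in accepted], "refused:", rejected)
```

The bailiwick rule is what stops a reply for example.com from smuggling an address for some other site into the cache; the transaction-id check makes the blind forging of replies a guessing game rather than a certainty. Neither check authenticates the answer itself, which is why the page's point stands: a resolver that has actually been compromised, or one that skips these checks, can still hand you the spoof site's address.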
There are two defenses against being infected in this way. One is to depend on AV technology to detect whatever anyone tries to install on the PC, but AV technology is now widely regarded as ineffective and any well-informed hacker can get around it. Actually, believe it or not, there are even web sites that sell viruses which have been tested to get around any of the popular AV engines.
There is also software that regularly scours the Internet for web sites that carry viruses. The problem is that such scanners cannot possibly stop the kind of exploit I have described above – the drive-by malware infection. A spoof web site need only stay up for a couple of hours to catch a healthy number of unsuspecting surfers.
The only technology we’re aware of that directly addresses the problem comes from a company called Finjan. Its software analyzes all web page executables in real-time before they execute and blocks those that attempt to download or run anything. So we have a situation here that is very similar to the AV market, where the majority of security products are ineffective and a mere handful (whitelisting products from SecureWave, Bit9, AppSense, Savant Protection and CA) actually do the job.
Cyber-thieves get cleverer all the time, and some of them are very skilled. To stay current and stay protected requires more than simply throwing money at a few security products. It means keeping pace with the threats. Web sites didn’t use to be a threat at all, but times have changed.