Malicious Web: Not just porn sites

Honeypot project shows more than adult sites contain malicious threats

August 31, 2007 12:00 PM ET

InfoWorld - The New Zealand Honeynet Project, which produced Capture-HPC (mentioned here last week), also produced an excellent white paper about using Capture-HPC to identify malicious Web servers. On the group's Web site, you'll find that paper, the captured data, and the tools for anyone to inspect and replicate.

The New Zealand Honeynet Project inspected more than 300,000 URLs (nearly 149,000 hosts) for three weeks and found 306 malicious URLs served from 194 malicious servers. Here are what I think are the most interesting points:

1. The highest percentage of malicious Web servers was tied directly to adult content. No surprise here. But all other types of content (e.g., news or sponsored links) were nearly as bad. It's not as if you can simply avoid adult sites and be safe.

2. Many of the malicious Web sites turn nonmalicious, and vice versa, all the time. I've talked about this in previous columns, but essentially many malware writers are taking great pains to make sure an infected Web site serves up malicious content to any given IP address only once. That strategy defeats additional inspection by anti-malware researchers and honeyclients.

3. Only 12% of malicious URLs appeared on a blacklist. Nevertheless, counterintuitive as it may seem, blacklists were highly effective at blocking a large percentage of attacks. This is because the blacklists often blocked the main back-end computers serving up most of the malware. In today's Web-intertwined world, most of the infected Web sites actually point to a smaller number of "super server" hosts. Block them, and the original infected site is defanged.

4. Fully patched computers blocked 100% of the malicious attempts (for the study, the project used Internet Explorer 6 SP2 instead of the better-defended Internet Explorer 7).

5. The study includes analysis of several real Web sites and exploits.

6. Many of the exploits attempted to steal log-on names and passwords.

7. Most attacks used JavaScript to initiate the exploitation.
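Point 3 above is worth seeing in miniature: a URL-level blacklist only catches the front-end sites it happens to list, while a host-level block of the shared back-end servers defangs every front-end page that pulls its active content from them. The following Python script is an added illustration and is not code from the Honeynet Project or the paper; the four front-end pages, the two back-end hosts (placeholders cdn1.backend.test and cdn2.backend.test) and both blacklists are constructed here for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ActiveContentRefs(HTMLParser):
    """Collects absolute URLs of active content a page loads (script/iframe/embed/object)."""

    ACTIVE_TAGS = {"script", "iframe", "embed", "object"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ACTIVE_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "data") and value:
                # Resolve relative and scheme-relative references against the page URL.
                self.refs.append(urljoin(self.base_url, value))


def external_hosts(page_url, html):
    """Hosts other than the page's own from which the page pulls active content."""
    own = urlsplit(page_url).hostname
    parser = _ActiveContentRefs(page_url)
    parser.feed(html)
    hosts = {urlsplit(u).hostname for u in parser.refs}
    return {h for h in hosts if h and h != own}


def is_defanged(page_url, html, host_blacklist):
    """True when every third-party host the page loads active content from is blocked."""
    hosts = external_hosts(page_url, html)
    return bool(hosts) and hosts <= host_blacklist


def coverage(pages, url_blacklist, host_blacklist):
    """Return (pages blocked by the URL list, pages defanged by the host list)."""
    url_hits = sum(1 for url in pages if url in url_blacklist)
    host_hits = sum(1 for url, html in pages.items()
                    if is_defanged(url, html, host_blacklist))
    return url_hits, host_hits


# Constructed sample: four infected front-end pages, three of which load their
# payload from the same "super server" host. None of these are real sites.
PAGES = {
    "http://a.example/index.html":
        '<html><body><p>news</p><script src="http://cdn1.backend.test/x.js"></script></body></html>',
    "http://b.example/":
        '<iframe src="//cdn1.backend.test/f.html" width=1 height=1></iframe>',
    "http://c.example/page":
        '<script src="/local.js"></script><script src="https://cdn1.backend.test/y.js"></script>',
    "http://d.example/":
        '<script src="http://cdn2.backend.test/z.js"></script>',
}
URL_BLACKLIST = {"http://a.example/index.html"}   # constructed: lists only one front-end URL
HOST_BLACKLIST = {"cdn1.backend.test"}            # constructed: blocks one back-end host

if __name__ == "__main__":
    by_url, by_host = coverage(PAGES, URL_BLACKLIST, HOST_BLACKLIST)
    print(f"URL blacklist blocks {by_url} of {len(PAGES)} infected pages")
    print(f"host blacklist defangs {by_host} of {len(PAGES)} infected pages")
```

With the constructed data the URL list blocks one of the four pages while the single back-end host entry defangs three; page d, which uses a different back-end host, stays live, which is the check a defender would run to find the next host worth adding.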

The paper ends with several defense recommendations, including:

-- Keep both the operating system and applications fully patched.

-- Blacklists are effective.

-- Don't run as root or admin in browser sessions.

-- Host-based firewalls offer additional protection.

I encourage any computer security defender to download and read this honeyclient paper.


Reprinted with permission from

For more enterprise computing news, visit Infoworld.com
Story copyright 2006 InfoWorld Media Group, Inc. All rights reserved.
