Most malware comes from legit sites, says researcher

Computerworld - The majority of Web sites serving up attack code are legitimate domains that have been hacked by criminals, a security researcher said in a report released today. It's the first time that legitimate sites outnumber the malicious ones hackers purposefully set up to spread malware.

According to data compiled by Websense Inc., 51% of the sites it classified as malicious in the second half of 2007 had been compromised and then seeded with attack code that infected unpatched machines visiting the URLs. The remaining 49% were "intentionally built for malicious intent," the Websense report said.

Hacking legitimate sites to make them sling malware gives attackers instant advantages, added Dan Hubbard, Websense's vice president of security research. "It's a great vector because they don't need to drive users to the sites in many cases; they also get free hosting, of course, and [it's] hard to trace ownership," Hubbard said. "Additionally, if someone is allowing access based on reputation, then they may go undetected."

The win-win for hackers -- who get a crack at the built-in audience that's composed of a hacked site's usual visitors -- is a lose-lose for everyone else, a fact that's been proved by several prominent events where hacked sites spewed out malicious code.

A year ago, for example, the Web sites of Dolphin Stadium and the Miami Dolphins NFL team, host to Super Bowl XLI, were hacked so that they served visitors with malicious JavaScript that, in turn, tried to load a Trojan onto unpatched PCs.

Then in August 2007, the Bank of India, one of that country's largest banks, was also found hosting attack code after being hacked. Later, criminals associated with the notorious Russian Business Network, a St. Petersburg-based malware and hacking hosting network, were implicated in the Bank of India compromise.

The trend is accelerating, said Hubbard, who noted that the last report estimated that the share of malicious sites that were actually hacked legitimate domains was in the mid-30% range. In fact, a pair of recent mass hacks -- one that compromised upward of 90,000 sites and another at least 10,000 -- demonstrated the extent of the problem.

Hubbard echoed that with an estimate of the number of sites serving up attack code. "Counting sites can be a tricky game [because] there are sometimes entire domains we classify that have thousands of pages," he said. "However, it's safe to say that at any given time, we have more than 2.5 million in the malicious categories."

Sites are hacked in a variety of ways, said Hubbard, who noted that there is no one method that stands out. "[Compromises are] all over the place, unfortunately, [including] miss-configurations, no patches and so on."

A significant number of the sites, however, are compromised by the multi-exploit tool kits made infamous by Mpack and Neosploit. Websense estimates that 19%, or about one in five, of malicious sites were created or compromised using such tool kits.

"Exploit tool kits are being utilized more than ever," Hubbard said. "This can be a sign of increased sharing or increased numbers of sites that the same groups are attacking and infecting successfully."