Powered By InformationWeek Business Technology Network
 
Welcome Guest. | Log In| Register | Membership Benefits
  • Email this page E-mail this page
  • |  Print Print this page
  • |   Bookmark and Share

Report: Nearly 6 Million Infected Web Pages Across 640K Compromised Sites

Startup founded by ex-Google engineers tallies major jump in Website compromises and breadth of the infections

Oct 27, 2009 | 11:00 AM

By Kelly Jackson Higgins
DarkReading

More Websites are compromised today than ever, and about one-fifth of the pages on each newly compromised Website were infected as of this year's third quarter, according to new data gathered from real-time Web malware monitoring service provider Dasient.

Dasient, a startup whose co-founders include two former Google engineers, found 5.8 million individual Web pages infected across 640,000 compromised Websites. That represents a major increase from Microsoft's report in April of some 3 million infected pages, according to Dasient, which runs a behavioral-based service to diagnose infected Websites.

Ameet Ranadive, one of Dasient's co-founders and a former strategy consultant at McKinsey, says his company also detected more than 52,000 unique types of Web malware in the quarter. "Hackers are starting to see success here with Web-based attacks, so they are investing more in them," he says. "Websites are becoming more complex, and you have more Websites matching content, sourcing, and [banner] ads...creating opportunities to inject malicious content."

Among newly compromised Websites of 10 pages or more, nearly 20 percent of their pages were infected. The bad guys have been infecting more pages as a way to score more victims. "The more parts of a site that have been infected, the more difficult and challenging that it is to remediate and detect it," Ranadive says.

Reinfection of Websites is becoming a big problem, too: Of all the sites infected during the quarter, 39.6 percent were reinfected again during that period. That may be in part due to increasingly more complex and obfuscated malware that's hard to kill. "If a site is not [fully] clean...they are not only at risk, but at risk multiple times," Ranadive says.

Nearly 55 percent of Web-based malware was JavaScript-based, 37.1 percent was iFrame-based, and 8.1 was miscellaneous, according to Dasient. And vulnerable Web apps are only part of the problem, says Dasient co-founder Neil Daswani, formerly of Google. "The Website's code could be secure. But if it's using counters or ads or other functions from other sites, that code could be vulnerable" and then infect the site, he says.

Dasient also announced today it will open up its Web malware infection library via its Website and will list the top 10 Web-based malware threats each week, as well as other attack trends. Dasient has gathered data on more than 70,000 different Web-based malware infections since it first launched a few months ago.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.


Subscribe to RSS



Security Services Reports

You've Got (Secure) Mail: Using Service Providers to Boost Protection You've Got (Secure) Mail: Using Service Providers to Boost Protection
The SaaS market is still in its infancy, but hosted e-mail security firms are leading the way, thanks to ease of implementation and many obvious benefits. Still, these services are not without risks. In this Dark Reading Tech Center report, we'll discuss how to determine what mix of in-house and hosted email security makes sense for your organization.

Security Services Strategies For Small and Midsize Firms Security Services Strategies For Small and Midsize Firms
Infosec managers in small and midsize enterprise often feel like an army of one, constantly pinching pennies. But the paradigm shift from expensive on-premises management to off-premises hosting is good news for you, because today more than ever, the small business has access to large-enterprise security technologies via the phenomenon of subscription-based licensing. In this report, you'll discover how you can use security services strategically to gain economies of scale -- and a really deep bench.

Security Software as a Service: Navigating the New MSSP Landscape
This Dark Reading Security Services Tech Center Report offers advice on how to cut through the hype and claims by SaaS security vendors to get the best fit for your business. It provides a detailed look at the most popular types of cloud-based data protection and gives a rundown on the top service providers vying for your dollars.

Making the Business Case: Security Outsourcing in Financial Services
When it comes to online security, the financial community is under siege.  Between the troubled economy, the advent of more sophisticated attacks, and the growing number of threats inside and outside the organization, one thing is clear: financial services firms need help. In this report, we offer a look at the factors that are driving the financial industry toward security outsourcing - and how your institution can find the right provider.

Integrated Security Services: How To Choose The Right Provider Without Getting Burned
Providers ranging from Microsoft to Finallyfast.com offer everything from simple anti-malware, e-mail and content filtering services to sophisticated security applications, all in a single package. In this report, we discuss how to get the best "suite" for your business -- and your budget -- and what to beware of.

Making The Security Outsourcing Decision: A Reader's Guide
For years, enterprises resisted the idea of bringing a third party into their security strategies. Today, however, with security threats proliferating at alarming rates and economic pressures forcing major cutbacks, many companies are rethinking the security outsourcing decision. In this report, you'll learn about the wide variety of security services categories available on the market – their strengths and weaknesses, their costs, and what you should know before you make the outsourcing decision.