8/14/2007 08:57 AM
Report: Web 'Mean Streets' Pervasive

New Honeynet Project research finds malicious Web servers in all corners of the Web, studies their behavior

If you still think avoiding risky sites keeps you safe on the Web, think again: Newly released research from the Honeynet Project & Research Alliance shows that even seemingly "safe" sites can infect you.

Each URL category the organization studied in the new "Know Your Enemy: Malicious Web Servers" report -- including adult, music, news, Warez, defaced, spam, and typo'ed links -- contained some malicious URLs. Some sites are still riskier than others, of course -- links on adult sites and in spam messages, for instance, are at the top of the danger list.

"Anybody is at risk," says Christian Seifert, a researcher from Victoria University in New Zealand and a member of the New Zealand Honeynet Alliance, a Honeynet Project affiliate. Seifert, who co-authored the report, says he and the other researchers also found that some browsers are targeted more heavily than others, and that several defensive measures reduce the risk of a client-side Web infection. (See Sweetening the Honeypot.)

You can get infected not only by following a link, but also by typing an address by hand and landing on a typo-squatter's look-alike domain, the researchers found. Malicious links also turn up in search-engine results.
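The "typo'ed links" the report studied are addresses a user reaches by mistyping a real one. The following added example (illustrative code, not the report's own method) enumerates the common mistyping classes for one domain and checks whether a host name is one of them; the QWERTY neighbour table, the TLD typo list and the sample domains are assumptions constructed for the demo.

```python
"""Added example: enumerate typo-squat candidates for a domain and match against them."""
from typing import Iterable, Optional, Set

# Assumed keyboard adjacency (US QWERTY, letters only) for "adjacent key" typos.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

# Assumed list of mistyped TLDs for the most common one.
TLD_TYPOS = {"com": ("co", "cm", "om", "con", "ocm", "vom", "xom")}


def typo_variants(domain: str) -> Set[str]:
    """Return the set of host names one keystroke away from `domain`."""
    label, _, tld = domain.lower().partition(".")
    if not tld:
        raise ValueError("expected a domain with a TLD, e.g. example.com")
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                       # omitted key: examle
        labels.add(label[:i] + ch + ch + label[i + 1:])             # doubled key: exxample
        for near in QWERTY_NEIGHBOURS.get(ch, ""):
            labels.add(label[:i] + near + label[i + 1:])            # adjacent key: wxample
        if i + 1 < len(label):
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposed keys: exmaple
    labels.add("www" + label)                                       # missing dot: wwwexample
    variants = {f"{v}.{tld}" for v in labels if v}
    variants.update(f"{label}.{t}" for t in TLD_TYPOS.get(tld, ()))  # mistyped TLD: example.cm
    variants.discard(domain.lower())
    return variants


def match_typosquat(host: str, brand_domains: Iterable[str]) -> Optional[str]:
    """Return the brand domain that `host` is a typo of, or None if it is not."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    brands = [b.lower() for b in brand_domains]
    if host in brands:
        return None  # the real site is never a squat of itself
    for brand in brands:
        if host in typo_variants(brand):
            return brand
    return None


if __name__ == "__main__":
    # Constructed sample: one brand, a handful of hosts seen in a (fictional) URL list.
    for h in ["www.exmaple.com", "examle.com", "example.cm", "example.com", "unrelated.net"]:
        print(f"{h:20s} -> {match_typosquat(h, ['example.com'])}")
```

The variant set is what a crawler such as the one in the report would feed into its "typo'ed" URL category; in a defensive setting the same check, run over proxy logs, flags users who have been steered to a look-alike host.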

The group used a client honeypot developed by the Victoria University of Wellington and the New Zealand Honeynet Project to identify malicious Web servers on the Internet. The so-called "high-interaction" honeypot, which ran a real browser inside a VMware virtual machine, visited the URLs under study and watched for servers that push malware onto the client without the user's knowledge or interaction (drive-by downloads).

The tool, Capture-HPC, which the Honeynet Project has also released publicly at http://www.nz-honeynet.org/capture.html, classifies a URL as malicious when a visit produces unexpected state changes on the client, such as file system or registry modifications, and records those changes.

The researchers deployed 12 virtual machine instances of the Capture-HPC client running Windows XP SP2 and Internet Explorer 6 SP2, with no content filtering or firewalling between them and the Internet. They studied over 300,000 URLs from around 150,000 hosts.

So why are non-adult sites also risky? "It may have to do with the business behind [it]," says Nicolas Fischbach, senior manager for network engineering/security at Colt Telecom, and a member of the Honeynet Project. While adult sites would "gently" infect a visitor with spyware or other less vicious malware -- so as to squeeze as much money out of the victim as possible -- other attackers might try to leverage a popular site's traffic to deploy their malicious code, he says.

"The Website is usually not directly related or not related at all... It's just a carrier," Fischbach says. "Maybe these guys even 'profile' the Website -- if the site's content is going to attract more non-security savvy users, the chances of 'owning' the client is even better."

Malicious URLs don't behave badly on every visit, the researchers found. Some URLs that had been classified as malicious behaved benignly for a few sessions and then turned malicious again later in the study, according to the report.

"We were expecting to encounter some of these -- think about exploits that are delivered through advertisements," Seifert says. "However, it seems like this behavior also occurred on systems with static exploit links, so there must be some mechanism behind it that is designed to exercise such behavior [for] evading detection."
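To make the methodology described above concrete (a clean guest, a browser visit, a before/after comparison of monitored state, and repeated visits because a URL can flip between benign and malicious), here is an added example in Python. It is illustrative code, not Capture-HPC's own: the "guest" is a temporary directory rather than a VMware snapshot, only file system state is monitored (no registry), and the stand-in browser and the three sample hosts are constructed for the demo.

```python
"""Added example: the detection logic of a high-interaction client honeypot, in miniature."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256)

# Writes that every page visit is expected to make; they are excluded so they
# do not count as infections (Capture-HPC uses exclusion lists for the same reason).
EXPECTED_PREFIXES = ("Temporary Internet Files/",)


def clean_guest() -> Path:
    """Build a fresh guest file tree, standing in for reverting the VM to its clean snapshot."""
    guest = Path(tempfile.mkdtemp(prefix="guest-"))
    system32 = guest / "WINDOWS" / "system32"
    system32.mkdir(parents=True)
    (system32 / "kernel32.dll").write_bytes(b"baseline system file")
    return guest


def snapshot(root: Path) -> Snapshot:
    """Record size and SHA-256 of every file under root (the file system monitor)."""
    state: Snapshot = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            state[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before: Snapshot, after: Snapshot, ignore=EXPECTED_PREFIXES) -> List[str]:
    """Return unexpected changes as 'created:', 'modified:' and 'deleted:' events."""
    events = []
    for name in sorted(set(before) | set(after)):
        if name.startswith(ignore):
            continue
        if name not in before:
            events.append("created:" + name)
        elif name not in after:
            events.append("deleted:" + name)
        elif before[name] != after[name]:
            events.append("modified:" + name)
    return events


Browser = Callable[[str, Path, int], None]


def classify_url(url: str, browser: Browser, visits: int = 3, ignore=EXPECTED_PREFIXES):
    """Visit `url` `visits` times, each from a clean guest.

    Returns (verdict, events_per_visit). The verdict is 'malicious' if ANY visit
    changed state outside the expected prefixes, which is what catches URLs that
    are benign on some visits and malicious on others.
    """
    events_per_visit = []
    for n in range(visits):
        guest = clean_guest()
        try:
            before = snapshot(guest)
            browser(url, guest, n)
            events_per_visit.append(diff_snapshots(before, snapshot(guest), ignore))
        finally:
            shutil.rmtree(guest, ignore_errors=True)
    verdict = "malicious" if any(events_per_visit) else "benign"
    return verdict, events_per_visit


def fake_browser(url: str, guest: Path, visit_number: int) -> None:
    """Constructed stand-in for the IE6 instance the honeypot drives.

    Every visit writes to the browser cache (expected). Two constructed hosts
    model the report's observations: one always drops a file into system32,
    the other only on every second visit.
    """
    cache = guest / "Temporary Internet Files"
    cache.mkdir(exist_ok=True)
    (cache / f"visit{visit_number}.htm").write_text(f"<html>{url}</html>")
    drops_payload = (url == "http://static-exploit.example/"
                     or (url == "http://flapping.example/" and visit_number % 2 == 1))
    if drops_payload:
        (guest / "WINDOWS" / "system32" / "dropper.exe").write_bytes(b"MZ fake payload")


def run_demo() -> Dict[str, str]:
    """Classify the three constructed URLs; returns {url: verdict}."""
    urls = ["http://benign.example/", "http://static-exploit.example/", "http://flapping.example/"]
    return {url: classify_url(url, fake_browser)[0] for url in urls}


if __name__ == "__main__":
    for url, verdict in run_demo().items():
        print(f"{verdict:9s} {url}")
```

Two details carry the practical lessons: with `visits=1` the flapping host is classified benign, which is exactly the evasion the researchers describe, and with the exclusion list emptied the benign host is flagged because of its cache writes, so the exclusion list has to be tuned to the browser before the results mean anything.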

Still, you can protect yourself. First, don't discount blacklisting as a means of protection -- the Honeynet researchers found that the old-fashioned means of filtering out the bad sites can reduce the risk of client infection on the Web. "We were surprised that blacklisting was such an effective method. It means that providers of these blacklists have a good idea about the exploit providers out there," Seifert says.

Another way to keep an attack from harming the client is to run the browser without administrator privileges, or inside a sandbox, so that malware delivered through the browser cannot install itself on the machine, according to the report. The report also advises using a host-based firewall that blocks inbound and outbound connections per application, keeping the browser and the operating system patched, and disabling JavaScript where possible.

The Honeynet Project also found that, of the browser versions it tested, IE6 SP2 was the most likely to be infected; Firefox 1.5.0 and Opera 8.0.0 fared better, so using one of these less-targeted browsers really is safer, according to the report.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
