Report: Web 'Mean Streets' Pervasive

If you still think avoiding risky sites keeps you safe on the Web, think again: Newly released research from the Honeynet Project & Research Alliance shows that even seemingly "safe" sites can infect you.

Each URL category the organization studied in the new "Know Your Enemy: Malicious Web Servers" report -- including adult, music, news, Warez, defaced, spam, and typo'ed links -- contained some malicious URLs. Some sites are still riskier than others, of course -- links on adult sites and in spam messages, for instance, are at the top of the danger list.

"Anybody is at risk," says Christian Seifert, a researcher from Victoria University in New Zealand and a member of the New Zealand Honeynet Alliance, a Honeynet Project affiliate. Seifert, who co-authored the report, says he and the other researchers also found that different browsers are more targeted than others, and that several defensive methods can reduce users' risk of client-based Web infection. (See Sweetening the Honeypot.)

You can get infected not only by following a link, but also by typing a link manually and getting faked out by typo-squatter URLs, the researchers found. You can also click on malware-infected links served up by search engines.

The group used a client honeypot developed by the Victoria University of Wellington and the New Zealand Honeynet Project to identify malicious Web servers on the Internet. The so-called "high-interaction" honeypot, which ran within a VMWare virtual machine, interacted with infected Web servers containing malware that can take over the client machine without the user's knowledge or interaction.

The Capture-HPC tool, which the Honeypot organization has also released publicly at http://www.nz-honeynet.org/capture.html, detected and recorded things like file system modifications and registry modifications.

The researchers deployed 12 virtual machine instances of the Capture-HPC client running Windows XP SP2 and Internet Explorer 6 SP2, with no content filtering or firewalling between them and the Internet. They studied over 300,000 URLs from around 150,000 hosts.

So why are non-adult sites also risky? "It may have to do with the business behind [it]," says Nicolas Fischbach, senior manager for network engineering/security at Colt Telecom, and a member of the Honeynet Project. While adult sites would "gently" infect a visitor with spyware or other less vicious malware -- so as to squeeze as much money out of the victim as possible -- other attackers might try to leverage a popular site's traffic to deploy their malicious code, he says.

"The Website is usually not directly related or not related at all... It's just a carrier," Fischbach says. "Maybe these guys even 'profile' the Website -- if the site's content is going to attract more non-security savvy users, the chances of 'owning' the client is even better."

Malicious URLs don't always behave badly, the researchers found. Some URLs went "benign" for a few sessions before going bad all over again during the Honeynet organization's study, according to the report.

"We were expecting to encounter some of these -- think about exploits that are delivered through advertisements," Seifert says. "However, it seems like this behavior also occurred on systems with static exploit links, so there must be some mechanism behind it that is designed to exercise such behavior [for] evading detection."

Still, you can protect yourself. First, don't discount blacklisting as a means of protection -- the Honeynet researchers found that the old-fashioned means of filtering out the bad sites can reduce the risk of client infection on the Web. "We were surprised that blacklisting was such an effective method. It means that providers of these blacklists have a good idea about the exploit providers out there," Seifert says.

Another way to ensure an attack doesn't harm the client is to keep the browser out of administrator mode, or in a sandbox, which prevents malware from getting installed on the machine, according to the report. Use a host-based firewall that blocks inbound and outbound connections by application, keep your browser and client machine patches updated, and disable JavaScript if possible, the report advises.

The Honeynet Project also found that IE6 SP2 was the most likely browser version to get infected, versus Firefox 1.5.0 and Opera 8.0.0, so it really is safer to use one of these less-targeted browsers, according to the report.

Have a comment on this story? Please click "Discuss" at the top of this page. If you'd like to contact Dark Reading's editors directly, send us a message.