Searching For a Cure to Web Malware
by Eldar Tuvey - ScanSafe CEO - Tuesday, 13 November 2007.
Nine out of ten new web sites visited are found through Internet searches. In fact, web search has become an essential part of doing business online, with more than 80 per cent of Internet users keying in a company name in a search engine even if they know the company’s web address. There’s no denying it: “Googling” - or using any search engine for that matter - is as frequent an occurrence in offices as getting a cup of tea. But as use of search increases, so does the incidence of web-based malware. Hackers are exploiting vulnerabilities in web browsers as they catch up with the latest online behavioural and communication trends.

Analysis from the ScanSafe Security Threat Alert Team, which monitors web-based malware, shows that one in five Internet search results contain malware or offensive and illegal content. Offensive content represents the greatest risk, accounting for 80 per cent of total search blocks.

Search engines have increasingly become a gateway for exposing businesses to security risks, such as Trojans, spyware, and keyloggers. Unsuspecting web users can be exposed to such malware from a wide range of web sites—including legitimate sites that have been compromised to unwittingly host malware. This malware can easily install itself on the corporate network and severely disrupt business operations.

Although it is an essential tool in the workplace, if secure web searching is ignored, it can become the Achilles' heel in corporate web filtering policies and expose companies to security breaches, information leakage and legal issues. One example of malware exploiting search engines is through the use of ‘spamdexing’. Compromised sites are appended with hidden text containing keywords and links to other (typically compromised) sites which host exploit code. This increases the ranking of the exploit site in search engines, so when users search on those particular keywords, the exploit site is returned prominently in the results. Those who click through to the site will typically become victims of so-called ‘drive-by-downloads’ of malware. The Zhelatin family of malware, commonly referred to as the ‘Storm worm’, has been discovered using this technique to foist new variants of the malware onto victims’ computers.
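The spamdexing pattern described above, hidden text stuffed with keywords and outbound links appended to a compromised page, is something a site owner can check for in their own HTML. The following is an added example written for this article, not ScanSafe's code or a product feature: a small stdlib-only scanner that walks a page, tracks regions hidden by inline CSS (`display:none`, `visibility:hidden`, `font-size:0`) or the HTML `hidden` attribute, and reports any such region that carries several links to hosts other than the site's own. The sample page, the thresholds, and the `example.*` hostnames are constructed for the demonstration; the heuristics are assumptions, not an exhaustive list of hiding techniques.

```python
"""Detect spamdexing-style injections: hidden blocks of keyword text and links.

Added example, not the article's or ScanSafe's code. Heuristic only: it flags
regions hidden by inline CSS or the `hidden` attribute that contain several
outbound links, which is the pattern the article describes.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns commonly used to hide injected content from visitors (assumed list)
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)",
    re.IGNORECASE,
)
# Elements that never have a closing tag, so they must not go on the open-tag stack
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class HiddenLinkScanner(HTMLParser):
    """Collects the text and hrefs found inside hidden subtrees of an HTML document."""

    def __init__(self):
        super().__init__()
        self._stack = []        # (tag, started_hidden_region) for each open element
        self._hidden_depth = 0  # > 0 while inside at least one hiding element
        self._current = None    # hidden block currently being collected
        self.blocks = []        # completed hidden blocks

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        hides = "hidden" in a or bool(HIDING_STYLE.search(a.get("style") or ""))
        if hides:
            if self._hidden_depth == 0:
                self._current = {"tag": tag, "links": [], "text": []}
            self._hidden_depth += 1
        if self._hidden_depth and tag == "a" and a.get("href"):
            self._current["links"].append(a["href"])
        self._stack.append((tag, hides))

    def handle_data(self, data):
        if self._hidden_depth and data.strip():
            self._current["text"].append(data.strip())

    def handle_endtag(self, tag):
        # Ignore void tags and stray closers; otherwise pop to the matching open tag,
        # which tolerates the unclosed <a> tags typical of injected HTML
        if tag in VOID_TAGS or not any(t == tag for t, _ in self._stack):
            return
        while self._stack:
            open_tag, hides = self._stack.pop()
            if hides:
                self._hidden_depth -= 1
                if self._hidden_depth == 0:
                    self.blocks.append(self._current)
                    self._current = None
            if open_tag == tag:
                break

    def close(self):
        super().close()
        while self._stack:  # close anything still open at end of input
            self.handle_endtag(self._stack[-1][0])


def find_spamdexing(html, min_links=3, own_host=None):
    """Return hidden blocks holding at least `min_links` links, at least one to a foreign host."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for block in scanner.blocks:
        hosts = {urlparse(h).hostname for h in block["links"]}
        outbound = {h for h in hosts if h and h != own_host}
        if len(block["links"]) >= min_links and outbound:
            findings.append({
                "tag": block["tag"],
                "link_count": len(block["links"]),
                "outbound_hosts": sorted(outbound),
                "keywords": " ".join(block["text"])[:120],
            })
    return findings


# Constructed sample: a legitimate page with an injected, hidden keyword block appended
SAMPLE_PAGE = """<html><body>
<div class="nav"><a href="/about">About</a> <a href="/contact">Contact</a></div>
<p>Welcome to our company site.</p>
<div style="display:none">
  cheap software download free codec update
  <a href="http://example.net/codec">codec</a>
  <a href="http://example.org/update">update</a>
  <a href="http://example.net/free">free</a>
  <a href="http://example.com/soft">software</a>
</div>
<div style="visibility:hidden"><a href="/tooltip">legitimate hidden tooltip</a></div>
</body></html>"""

if __name__ == "__main__":
    for f in find_spamdexing(SAMPLE_PAGE, own_host="example.com"):
        print(f"hidden <{f['tag']}> with {f['link_count']} links to "
              f"{f['outbound_hosts']}: {f['keywords']!r}")
```

The scanner reports only the injected block: the visibility-hidden tooltip has a single internal link and stays below the threshold. Running it over a crawl of your own site, or comparing its output against a known-good copy, is a cheap way to notice an injection before search engines index it; it will not catch content hidden by external stylesheets or JavaScript, so treat a clean result as absence of evidence rather than proof.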

In another Storm-related incident, Zhelatin-infected bloggers inadvertently posted Zhelatin spam with malicious links to their blogs. This occurred because these bloggers had configured their blogs to automatically post content sent to a particular address. When the Zhelatin mass-spamming component activated, it sent the spam to the blog address as well. Other malware, such as the Trojan MeSpam, appends malicious links to Web 2.0 related activities, such as blog comments, forum posts, and webmail. Of course, search engines crawling these sites will include the miscreant posts in their search results, thus further exposing users.

Evolving web threats

Web-based threats have been a prominent attack method for virus authors ever since the success of the 2001 Nimda worm that spread via email and exploited unpatched vulnerabilities on Web servers. Today, the interactive technologies that are the backbone of Web 2.0 provide fertile ground for cross-site scripting (XSS) attacks. In addition, a lucrative black market in zero-day vulnerabilities, exploit toolkits, and commercially produced malware creates an environment conducive to drive-by downloads of malicious content from even the most legitimate of web sites.

How do you search safely?

Search is one of the many useful features of the Internet that exist today and is a critical component of navigating the rich array of web content available. To search safely, with advance warning of malware or offensive content, companies can utilize a corporate safe web search tool, which will provide guidance to employees on acceptable websites based on the company’s own acceptable usage policies.
