Tuesday, 12 June 2007

Hacked Websites Spread Spyware

Recently a web hosting company was attacked by hackers, who put malware on some of the sites that the company hosted. This meant that, when visitors viewed the sites, their computers could have been infected with spyware without them knowing.
The web host made a couple of obvious mistakes in the way that it set up its systems, which you can deduce for yourself if you are interested. However, I don't think that concentrating on the specific details of the web host's security measures is the most useful thing for us to do. As Google's recent analysis of web-based malware [PDF] indicates, bad guys are attacking legitimate sites in order to upload malware. DreamHost's recent incident is likely to be just one of many. The main point is that malware can appear on potentially any website, regardless of whether it is hosting dodgy pictures of Paris Hilton losing the plot or world-class news.
This has consequences for regular website visitors and for anti-malware companies that believe they can combat spyware using reputation-based detection systems. For example, Trend Micro is moving towards just such a system, referring to "in the cloud" reputation-based technology. Its rationale is that bad sites provide malware, and there are a limited number of these bad sites. According to a newsletter on the Trend Micro website, "web reputation works by associating a reputation with a URL. It essentially performs a background check on a URL ensuring Internet users of a safer surfing experience and protecting them from visiting malicious URLs."
This is quite a limited approach, even if the bad guys stuck to their own small group of servers. For example, you'd expect an anti-virus program to detect a virus on a flash drive or in an email from a friend, not just when it's downloaded from a known naughty website. The bad news for people using this kind of protection service is that those who spread malware are not just using a small pool of servers that can be categorised easily as 'bad'. They are attacking sites that you, I and reputation-based services consider to be safe.
The recent misfortunes of DreamHost and its clients (and their visitors) illustrate that this is not a far-fetched, paranoid scenario. Spyware can and does appear on legitimate, trusted websites. In these situations reputation-based detection fails and you'll have to trust in your more traditional, definition-based security software. And we all know how effective (or not) these programs can be...
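To make the gap concrete, here is an added Python sketch (not code from the original post, from DreamHost or from Trend Micro) that pairs a hostname-reputation lookup with a content check for hidden or off-site iframes and scripts, the kind of injection that lands on a compromised legitimate page. The reputation table, hostnames and sample pages are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed reputation table: the "background check on a URL" a reputation
# service performs. example.com stands in for a trusted, long-established site.
REPUTATION = {"example.com": "good", "malware.invalid": "bad"}

def reputation_verdict(url: str) -> str:
    """Reputation check: judges purely by hostname, never by page contents."""
    return REPUTATION.get(urlparse(url).hostname or "", "unknown")

# Content check: flag iframes/scripts that are hidden or pull from another host,
# the shape of the injection the post describes (malware added to legitimate pages).
_TAGS = re.compile(r'<(iframe|script)[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>', re.I)
_HIDDEN = re.compile(r'width=["\']?0\b|height=["\']?0\b|display:\s*none', re.I)

def content_verdict(page_url: str, html: str) -> list[str]:
    """Return reasons the body looks tampered with; an empty list means clean."""
    own_host = urlparse(page_url).hostname
    findings = []
    for m in _TAGS.finditer(html):
        tag, src = m.group(1).lower(), m.group(2)
        src_host = urlparse(src).hostname  # None for same-origin relative paths
        if _HIDDEN.search(m.group(0)) or (src_host and src_host != own_host):
            findings.append(f"{tag} loads {src}")
    return findings

def assess(page_url: str, html: str) -> dict:
    """Layer the checks so a good reputation cannot override a bad body."""
    rep = reputation_verdict(page_url)
    findings = content_verdict(page_url, html)
    return {"reputation": rep, "findings": findings,
            "block": rep == "bad" or bool(findings)}

# Constructed samples: the same trusted page before and after an attacker
# appends a zero-size iframe pointing at a third-party host.
CLEAN_PAGE = "<html><body><h1>News</h1><script src='/js/site.js'></script></body></html>"
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", "<iframe src='http://malware.invalid/x.php' width=0 height=0></iframe></body>")

if __name__ == "__main__":
    for page in (CLEAN_PAGE, INFECTED_PAGE):
        # Reputation says "good" both times; only the content check changes.
        print(assess("http://example.com/index.html", page))
```

The reputation verdict is identical for both pages, which is the whole point: only the definition-style inspection of what the page actually serves notices the change.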