In a paper entitled “The Ghost in the Browser” (PDF) presented at the Usenix HotBots ’07 conference in April, Google researchers outlined a study which performed an in-depth analysis of some 4.5 million Web pages—condensed from a high-level analysis of several billion URLs. The researchers found that about 700,000 pages appeared to contain code which could compromise a user’s computer, and about 450,000 (or 1 in 10) could trigger so-called “drive-by downloads” that could install malicious software without the user’s knowledge, including keyloggers, spyware, and software capable of taking over a user’s machine and turning it into a spam generator.
The researchers found that in many cases, Web users are tricked into loading the malware-laden Web page by promises of software or media downloads, or—of course—adult material. The sites would claim the user needed a new codec or other component to use the files; the user would instead unwittingly install malware. Many of these sites have no significant Web presence of their own, leading researchers to speculate that traffic is being driven to them via email spam.
Other sites were found to be distributing malware through the use of banner advertisements or so-called “widgets” which weren’t under the direct control of the site operator. Some sites would tie into advertising networks or services which offered on-page utilities like statistics analysis, calendars, or media players; those utilities in turn referenced third-party sites, which would attempt to install malware.
Researchers also found that attackers were compromising entire Web servers (converting almost every page on the compromised server into a malware host), and that they were taking advantage of blog comment features and other Web 2.0 means of eliciting user-generated content as a way to promote malware sites or to distribute software-based attacks.
The overwhelming majority of attempted exploits targeted vulnerabilities in Microsoft’s Internet Explorer Web browser.
Although Google attempts to warn users of potentially harmful sites listed in its search engine, the researchers’ conclusions are grim. “The sophistication of adversaries has increased over time and exploits are becoming increasingly more complicated and difficult to analyze,” wrote researcher Niels Provos and his colleagues. “Unfortunately, average computer users have no means to protect themselves from this threat.”