Some years ago it was an established "fact" that a computer could not be infected by malicious software by visiting a web page. But technology evolves quickly and some facts may change when new technology emerges. These days web pages are perhaps the most used propagation vector for malware.
What is really scary is that this is very hard to protect against, as this security article will show.

In our October 2009 security article, "Web advertisements - a significant spreading vector for malware", we discussed advertisements as a spreading mechanism for malware. This technique is also known as malvertising. As one of the countermeasures that should be implemented by those who are responsible for setting up advertisements on web sites, we stated:
"Only accepting advertisements from companies and organizations that have trusted security systems will make a web site less vulnerable."
We still claim that this recommendation will reduce the chance that a web site will provide malicious content to its visitors. However, a recent news item shows that the precaution does not suffice in all cases.
The security company Armorize, which specializes in securing web applications, reported on its blog that two of the largest and presumably most secure advertising companies had been serving malicious advertisements. Some banner advertisements from Google's DoubleClick and Microsoft's rad.msn.com were attempting to install a fake antimalware program and other malicious software. The malicious advertisements exploited a range of vulnerabilities in different applications in order to infect the computers of visitors to web sites carrying the malicious ads.
For more details about the malware and the techniques used to circumvent the advertising agencies' security systems, we refer to the very good and detailed analysis on Armorize's blog.
The main lesson to learn from this is that ordinary people who are responsible for a web site's advertisements and rely on third-party systems face a major challenge. When two of the world's biggest players can be tricked, anyone can.
What does this mean for the ordinary web surfer? How can he protect himself from exploitation by malvertising when he is surfing on the world wide web?
Previously the rule of thumb was to avoid "suspect" web sites like those associated with pornography etc. - "adult web sites" - as these supposedly were more insecure. According to CSO Online on 28 September this year, a study from Websense shows that surfers are more likely to stumble across malicious content while visiting popular web sites than while visiting porn and gaming sites. It is arguable whether Websense's report substantiates this surprising statement, but the report clearly shows that one is not safe from encountering infection attempts when visiting well-known web sites.
So what can each and every one of us do in order to reduce the risk of being infected while we are using the web?
The single most important action is probably to install security patches for the operating system and applications.
We know that most malware uses vulnerabilities in software to infect systems. Since users are slow to install security updates, even new malware is designed to utilize old vulnerabilities. The malware that was spread through the advertisements mentioned above used several vulnerabilities - the oldest was fixed with a security update more than four years ago.
You should of course have security software installed. Antimalware products will protect you against most malware that spreads through infected web sites. Such products are available from a variety of vendors. Norman has products for both personal use and for organizations.
Most applications have options to tighten security. Web browsers may, for example, be configured to stop interpreting scripts, and PDF readers may also be set up to act in a more secure way. It should be added that a more secure way of surfing will often come at the expense of the total surfing experience; each of us must decide what we value most.
Several browser add-ons exist that enhance the browser's security. We have previously mentioned the excellent NoScript add-on for Firefox. Other add-ons offer the possibility to filter advertisements and/or to prompt before any Flash elements are displayed.
Ultimately, the level of security achieved when you are surfing the web depends on the security choices you make.