
Don’t trust some ‘trusted’ websites


Although most web users feel relatively safe when they click on search results or visit the web sites or blogs of trusted businesses or friends, we should not be so carefree, according to security expert Roger Thompson.

"Trusted websites can't always be trusted," said Thompson, who serves as chief technical officer at Exploit Prevention Labs, a security software firm. "Cyber criminals are now finding ways to commandeer trusted web sites and use those sites to push driveby downloads, rootkits and other malicious exploits onto the computers of unsuspecting web site visitors."

Recently, Thompson discovered a website in the U.K. operated by a plasterer. The plasterer, hoping to promote his business on the web, had created a site using freely available tools. Unbeknownst to the plasterer, however, one of the freeware tools he downloaded, which allowed him to place a web counter on his site, was inadvertently exposing visitors to malicious crimeware.

As Thompson discovered, this counter had a second, hidden function. When someone visited the plasterer's site, the counter updated the visitor count by accessing a server in Slovakia. But then the Slovakian server surreptitiously contacted a server in Colorado, grabbing a piece of crimeware that was downloaded onto the unsuspecting visitor's computer. This crimeware took advantage of a security vulnerability in the Windows operating system known as Windows metafile, or "WMF", that allows cyber-criminals to download software onto a web site visitor's PC.
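For a site owner in the plasterer's position, the practical check is to know which outside hosts a page tells visitors' browsers to fetch from. The following is an added example, not code from the article or from Exploit Prevention Labs; the host names, the sample page and the `audit_includes` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags (and the attribute on each) that make a visitor's browser fetch content
# automatically, without any click.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src",
               "embed": "src", "object": "data", "link": "href"}

class IncludeAudit(HTMLParser):
    """Collects every auto-fetched resource served from a host not yet reviewed."""
    def __init__(self, page_url, trusted_hosts):
        super().__init__()
        self.page_url = page_url
        # The page's own host is trusted implicitly; everything else must be listed.
        self.trusted = {urlparse(page_url).hostname} | set(trusted_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative (//host/path) URLs first.
        host = urlparse(urljoin(self.page_url, value)).hostname
        if host and host not in self.trusted:
            self.findings.append((tag, host, self.getpos()[0]))

def audit_includes(html, page_url, trusted_hosts=()):
    """Return (tag, host, line) for each include from an unreviewed host."""
    parser = IncludeAudit(page_url, trusted_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample page: a small business site with a free counter widget.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.trusted.example/lib.js"></script>
</head><body>
<h1>Plastering services</h1>
<img src="images/van.jpg">
<script src="//counter.freetools.example/count.js?id=1234"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, host, line in audit_includes(
            SAMPLE_HTML, "http://plasterer.example/", ["cdn.trusted.example"]):
        print(f"line {line}: <{tag}> loads from unreviewed host {host}")
```

A static audit like this shows only the first hop. Whatever that host goes on to fetch or serve, as the Slovakian server did here, never appears in the page's own HTML, so each listed host is a standing trust decision.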

“There are dozens of such known security vulnerabilities in Windows. When new vulnerabilities are discovered, it typically takes Microsoft weeks or months to create a patch. And even after patches are released, many users never install them. Whenever computers are unpatched, they're vulnerable to crimeware,” said Thompson.

"It's an interesting business model by the bad guys," Thompson continued. "They build some free web tools, and then dupe completely innocent web site owners into acting as lures. People cruising the web stumble on these lure web sites from the big search engines like Google or Yahoo and then, one click later, they're hit," he added.
