Searching For a Cure to Web Malware

Nine out of ten new web sites visited are found through Internet searches. In fact, web search has become an essential part of doing business online with more than 80 per cent of Internet users keying in a company name in a search engine even if they know the company’s web address. There’s no denying it “Googling” – or using any search engine for that matter – is as frequent an occurrence in offices as getting a cup of tea. But as use of search increases , so does the incidence of web-based malware. Hackers are exploiting vulnerabilities in web browsers as they catch up with the latest online behavioural and communication trends.

Analysis from the ScanSafe Security Threat Alert Team, which monitors web-based malware, shows that one-in-five Internet search results contain malware or offensive and illegal, content. Offensive content represents the greatest risk, accounting for 80 per cent of total search blocks.

Search engines have increasingly become a gateway for exposing businesses to security risks, such as Trojans, spyware, and keyloggers. Unsuspecting web users can be exposed to such malware from a wide range of web sites—including legitimate sites that have been compromised to unwittingly host malware. This malware can easily install itself on the corporate network and severely disrupt business operations.

Although it is an essential tool in the workplace, if secure web searching is ignored, it can become the Achilles’ heel in corporate web filtering policies and expose companies to security breaches, information leakage and legal issues. One example of malware exploiting search engines is through the use of “spamdexing’. Compromised sites are appended with hidden text containing keywords and links to other (typically compromised) sites which host exploit code. This increases the ranking of the exploit site in search engines, thus when users search on those particular keywords, the exploit site is returned prominently in the results. Those who click through to the site will typically become victims of so-called “drive-by-downloads’ of malware. The Zhelatin family of malware, commonly referred to as the “Storm worm’, has been discovered using this technique to foist new variants of the malware onto victims’ computers.

In another Storm-related incident, Zhelatin-infected bloggers inadvertently posted Zhelatin spam with malicious links to their blogs. This occurred because these bloggers had configured their blogs to automatically post content sent to a particular address. When the Zhelatin mass-spamming component activated, it sent the spam to the blog address as well. Other malware, such as the Trojan MeSpam, append malicious links to Web 2.0 related activities, such as blog comments, forum posts, and webmail. Of course, search engines crawling these sites will include the miscreant posts in their search results, thus further exposing users.

Evolving web threats
Web-based threats have been a prominent attack method for virus authors ever since the success of the 2001 Nimda worm that spread via email and exploited unpatched vulnerabilities on Web servers. Today, the interactive technologies that are the backbone of Web 2.0 provide fertile ground for cross-site scripting (XSS) attacks. In addition, a lucrative black market in zero-day vulnerabilities, exploit toolkits, and commercially produced malware creates an environment conducive to drive-by downloads of malicious content from even the most legitimate of web sites.

How do you search safely?
Search is one of the many useful features of the Internet that exists today and is a critical component of navigating the rich array of web content available. To search safely, with advance warning of malware or offensive content, companies can utilize a corporate safe web search tool, which will provide guidance to employees on acceptable websites based on the company’s own acceptable usage policies.

The important function that such services provide is the ability to notify web users of potential risks in real time. This distinction of real time is critical, as a site that was safe the last time it was crawled, may not be safe the next time it is accessed. By giving users the right information, in real time, they are able to take control of their online behaviour. This reduces the potential for accidental policy violations and makes it easier for administrators to maintain their security policy. Securing web searches in real time protects the user and the corporation, allowing the user to continue using productivity-enhancing search engines without the increased risk of exposure to malware and policy violations.