No Free Lunch
It should come as no surprise to anyone that there is no free lunch on the Internet. But last week we found a website that shows just how much that lunch could really cost.
We detected a site serving WMF exploits that did not fit the usual pattern of a malicious site. It was a simple site set up by a small business owner, a plasterer in the UK, and it looked innocent enough. We analyzed the exploit and concluded that while the plasterer was completely innocent, his site was not. He had most likely built it from free templates or a wizard (perhaps one offered by his ISP) and then added a few extras found elsewhere on the web, one of which was a free web counter. Millions of people have done the same.
But that simple web counter did more than register the number of visitors. Because the counter was not hosted on the plasterer's own site, every visitor's browser loaded it from a server in Slovakia, and that server in turn pulled in a WMF exploit from a server in Colorado that attempted to install backdoors on visitors' systems. Anyone needing some plastering done in Leeds may get more than they bargained for.
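The two checks a practitioner would want for a case like this are an inventory of the third-party hosts a page pulls content from (the counter is invisible to the site owner until someone lists them) and a content sniff on whatever those hosts actually serve. The following is an added example, not code from the original post: it enumerates the foreign hosts in a page and walks a fetched blob's metafile records looking for the Escape(SETABORTPROC) record that the WMF exploits of this period (the vulnerability patched as MS06-001) relied on. The HTML, host names and byte strings are constructed for illustration; the WMF header layout, the 0x0626 Escape function number and the 0x0009 SETABORTPROC subfunction are from the WMF format and the advisory.

```python
"""Added example (not from the original post): list the third-party hosts a
page loads content from, then sniff a fetched blob for a WMF file that carries
the SETABORTPROC escape abused by the WMF exploits of late 2005 (MS06-001).
All HTML, host names and byte strings here are constructed for illustration."""
import struct
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a small-business site embedding a free hit counter
# hosted on someone else's server. The host names are made up.
SAMPLE_HTML = """<html><body>
<h1>Leeds Plastering</h1>
<img src="/images/trowel.jpg" alt="trowel">
<link rel="stylesheet" href="/style.css">
<script src="http://counter.example.sk/count.js?id=1234"></script>
<img src="http://counter.example.sk/hit.cgi?id=1234" width="1" height="1">
</body></html>"""

# Tag/attribute pairs whose value makes the browser fetch a resource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "frame": "src",
               "embed": "src", "object": "data", "link": "href"}


class IncludeCollector(HTMLParser):
    """Collects every URL the browser would fetch while rendering the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def third_party_hosts(html, site_host):
    """Hosts other than site_host that the page loads content from.
    Relative URLs have no host and are first-party, so they are skipped."""
    collector = IncludeCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return sorted(hosts)


PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # placeable WMF key 0x9AC6CDD7, little-endian
META_ESCAPE = 0x0626                   # record function number for Escape
SETABORTPROC = 0x0009                  # escape subfunction abused by MS06-001


def looks_like_wmf(data):
    """True if data starts with a placeable or a standard WMF header."""
    if data[:4] == PLACEABLE_KEY:
        return True
    if len(data) < 18:
        return False
    file_type, header_words, version = struct.unpack_from("<HHH", data, 0)
    return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def wmf_has_setabortproc(data):
    """Walk the metafile records and report an Escape(SETABORTPROC) record.
    Record sizes are in 16-bit words; a size below 3 or an EOF record ends the walk."""
    if not looks_like_wmf(data):
        return False
    off = 22 if data[:4] == PLACEABLE_KEY else 0   # skip placeable header if present
    off += 18                                       # skip the standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == 0x0000:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            escape_fn = struct.unpack_from("<H", data, off + 6)[0]
            if escape_fn == SETABORTPROC:
                return True
        off += size_words * 2
    return False


def build_sample_wmf(escape_fn):
    """Constructed minimal placeable WMF: one Escape record, then EOF."""
    placeable = PLACEABLE_KEY + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0)
    escape_rec = struct.pack("<IHHH", 7, META_ESCAPE, escape_fn, 4) + b"\x00" * 4
    eof_rec = struct.pack("<IH", 3, 0x0000)
    records = escape_rec + eof_rec
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(records)) // 2, 0, 7, 0)
    return placeable + header + records


SUSPICIOUS_WMF = build_sample_wmf(SETABORTPROC)   # constructed; carries no payload
HARMLESS_WMF = build_sample_wmf(0x0001)           # same layout, a different escape
NOT_WMF = b"GIF89a" + b"\x00" * 32                 # what a counter should return

if __name__ == "__main__":
    print("third-party hosts:", third_party_hosts(SAMPLE_HTML, "plasterer.example.co.uk"))
    for label, blob in (("suspicious", SUSPICIOUS_WMF), ("harmless", HARMLESS_WMF), ("gif", NOT_WMF)):
        print(label, looks_like_wmf(blob), wmf_has_setabortproc(blob))
```

The record walk stops at the first EOF or malformed size rather than scanning the whole blob, which is what a content filter of the time needed: a counter image should come back as a GIF or PNG, and anything with a metafile header at all, let alone one containing a SETABORTPROC escape, is reason to block the host.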
These free tools are not likely to be used by big-traffic, high-visibility sites. Even the finest plasterer is going to generate monthly hits in the hundreds, not the millions. But by attaching malware to a free tool, the Bad Guys make up for the low traffic of any one site with the sheer number of sites they corrupt. Every site using these free add-ons is an attack vector, and many of them will attract more visitors than our friend in Leeds, especially if they land a top placement on one of the major search engines.
The line between innocent sites and malicious sites is blurring. And that free lunch may cost you far more than you think.