Monday, May 15, 2006

What a difference a line (of code) can make

Hi folks,

Taking some time out from the action here at the Anti-Spyware Coalition meeting for a quick Web security quiz:

Q: What’s the difference between a web site with 145 lines of html and that same web site with 146 lines of html?

A: Well, in the case of www(dot)midatlmortgage(dot)com it’s the difference between a being trusted web site and being a hacked web site that distributes exploits to its visitors. Please don’t go there unless you're fully patched or are running SocketShield.

When the Google bots made their cached copy on January 29th, 2006, there were 145 lines of html, but sometime between then and now, someone added one more, right in the middle, that starts with

i frame src="& # 104 ; & # 116 ; & # 116 ; & # 112 ; & # 58

That's not easy for human eyes to understand, but it's easy for a browser, and is the start of the address ("http:") of an exploit server.

What this means is that the Web site got hacked. And soon to be homeowners looking for mortgage information could get a whole lot more than they bargained for (CWS warez).

It also means that the Web is becoming less trustworthy.


Monday, May 08, 2006

No Free Lunch

Hi Folks,

It should come as no surprise to anyone that there is no free lunch on the Internet. But last week we found a website that shows just how much that lunch could really cost.

We detected a site serving up WMF exploits that didn't seem to fit the usual pattern of a malicious site. It was a simple site set up by a small business owner—a plasterer in the UK—and seemed innocent enough. We analyzed the exploit, and came to the conclusion that while the plasterer was completely innocent, his site was not. He had likely built it using free templates or a wizard (perhaps offered by his ISP), and then added a few extras that he found somewhere, one of which was a free web counter. Millions of people have done the same.

But that simple web counter did more than register the number of visitors coming to the site. The server in Slovakia that provided the visitor count also reached back to a server in Colorado for a WMF exploit that attempted to install backdoors on visitors' systems. Anyone needing some plastering done in Leeds may get more than they intended.

These free tools are not likely to be used by big-traffic, high-visibility sites. Even the finest plasterer is going to generate monthly hits in the hundreds, not the millions. But by attaching malware to a free tool, the Bad Guys make it up in volume of sites corrupted. Every site using these free add-ons is an attack vector, and many of them will attract more visitors than our friend in Leeds, especially if they can land a top placement on one of the major search engines.

The line between innocent sites and malicious sites is blurring. And that free lunch may cost you far more than you think.