Monday, July 21, 2008

Analysis: Mapping malware, spam on the Web

Washington - July 21, 2008: The growing prevalence of Web sites that can download malicious software onto the computers of unsuspecting visitors has led some to compare the Internet to the lawless Wild West, but a new survey suggests that in law and order terms, the Web looks more like a city with a broad variety of neighborhoods -- some safe, and some less so.

The second annual "Mapping the Mal Web" report was prepared by researchers from Santa Clara, Calif.-based computer security giant McAfee Inc., using data from an analysis of 9.9 million oft-visited sites in 265 different Web domains -- the regions denominated in the last part of the Internet address. Domains are either generic, like .gov or .com, or national, like .ru, for Russia.

The survey says that the .hk domain, for Hong Kong, was the Internet neighborhood with the highest proportion of risky sites, with nearly one in five being rated "red" or "yellow" in a three-part assessment system. "Green" sites are considered safe.

"It's like a kind of giant tourist guide ... for the Web," said the survey's author, Shane Keats, adding that it would help Internet surfers identify the areas they ought to be wary in, telling them, in effect, "This is an alley you don't want to go down."

The Chinese national domain, .cn, was the second-riskiest overall this year, tying with the generic domain .info, both of which had 11.8 percent of their sites flagged. Finland, .fi, remained the safest online destination for the second year running, with 0.05 percent of sites rated as risky, followed by Japan, .jp.

Keats said the data were collected by a McAfee program that "crawls the Web, and clicks 'Yes' to everything," using a unique e-mail address and virtual computer for each site it visited. "If that (virtual computer) gets spyware on it" or the e-mail address started to receive large volumes of spam, "We know exactly where it came from," he said, and the site would be flagged.

The free program, called SiteAdvisor, is one of a number of so-called safe search tools that warn surfers when they are about to visit a site considered dangerous.

"No one suggests you shouldn't use the interstate (system) because there are horrible accidents on it every day," Keats said. "But if you are going to drive, drive in a safe car and put on your seat belt."

"If you are going to surf the Web, make sure you have up-to-date security software and use a safe search tool," he said.

The threats represented by risky sites "run the gamut from the merely annoying to the egregious," said Keats. At one end were the sites offering free downloads of screensavers or other software -- "a lot of them aimed at teens and tweens," according to Keats -- which were bundled with so-called adware, which generates annoying pop-up advertisements for users. Other sites promised free gifts in exchange for registration with an e-mail address, which was then sold to spammers.

At the other end of the threat spectrum were so-called drive-by exploits, software that could download malicious software onto a visitor's computer without any further action on their part. "Just by touching the site," said Keats, surfers could end up infected with hacker programs like password sniffers, which enable people's identity and -- if they bank online -- their cash to be stolen; or have their computers recruited into vast "botnets" of infected and enslaved machines that hackers use to send spam or launch cyberattacks.

"These are very dangerous, but very rare," said Keats of such drive-by exploit sites. The survey notes that just 0.07 percent of all sites analyzed attempted drive-by exploits, meaning that, in visiting 10,000 different Web sites at random, the average surfer would encounter just seven.

But Keats pointed out that such sites were not equally rare everywhere. In the Romanian national domain, .ro, more than 1 percent of all Web sites were rated as risks for drive-by exploits -- making it the No. 1 domain for that threat, and twice as risky as the No. 2, the generic .info domain, where just over half of 1 percent of sites attempted an exploit.

Keats said that hackers and others setting up such shady Web sites looked at three factors: lightness of regulation, ease of registration and cost. "You want to do business with someone who doesn't ask you any questions," he said, and since the majority of such sites were closed down relatively quickly, "You want to do business where it is cheapest" and easiest to register a site, to reduce overhead costs.

Keats said Hong Kong jumped from 28th most risky domain last year to top of the list this year, at least in part because of a number of "entirely legitimate" changes the registrar -- the entity that leases a domain's Web addresses -- had made to the registration process to attract more users. "They offered two for (the price of) one domains, and made it easier to register multiple domains simultaneously," he said.
