Posted by secExtra on May 13th, 2008

Of course you wouldn’t be surprised to hear security experts say that the number of computer threats continues to grow.  Putting ethics aside for a moment, if we had seen a single measly threat in the last twelve months, we could legitimately say that the number of pieces of malware has grown.  But this is not what is happening.  According to independent testing house AV-test.org, 2007 saw 5.5 million unique malware samples on the web – a whopping 460 percent increase over the previous year.  I know.  Kind of scary.  Now, this would mean very little if these malicious programs didn’t pose a threat, but the approach du jour is to infect legitimate but poorly protected websites and then drive you, the unsuspecting surfer, to them via cunningly worded spam messages and online ads.

So, how bad is the problem?  Sophos now discovers a new infected webpage every five seconds – that’s an average of more than 15,000 every day, three times more than in 2007.  It is easier than one might think to infect a website – just think about the glut of sites out there that are not properly maintained, and/or are running on web servers that lack security.  The whole purpose is to infect the machines of innocent web surfers like you, so that the hacker can use your PC to relay millions of spam messages and steal confidential data such as usernames and passwords.

It’s true that, as a surfer, there is little you can do to about sites getting infected, but you can better secure yourself from becoming a victim.  If you happen upon an infected webpage, the malware tries to sneak a peek at your system in order to find a way into your computer: looking for unpatched vulnerabilities, checking if anti-virus is not installed or not updated, or testing to see whether a firewall is present and properly configured.  If the malware finds and recognises any vulnerability in the security, it will try to exploit it.

Sadly, there is no magic solution – just as no one can guarantee 100 percent that you won’t have an accident when you hop into your car, the same is true of surfing in the online swamp.  To avoid the danger zones, you, at the very least, need to ensure that you patch all your software – particularly your browser, email and operating system – with security patches, run up-to-date anti-virus, and have a firewall in place to block unauthorised intrusions.  Further measures, such as filtering out spam messages, blocking access to infected or malicious sites, and preventing scripts from running by default on websites, will all work to further your defences against an attack.

And of course, those of you with websites should take heed as well.  Ensuring that the web server hosting the sites is up-to-date with security will help to fight off the critters from turning your site into a nasty swamp thing.

Carole Theriault, senior security consultant at Sophos