One in 10 Web Pages Could Carry Spyware: Google

Posted by Chief Marketer Staff

Research by search giant Google has suggested that one in 10 Web pages is capable of activating malicious code and 16% may contain code that could infect a user’s PC. And malware distributors are being aided in spreading that code by the demand-side pull of Web 2.0 content such as video and browser widgets.

Five Google researchers surveyed billions of sites to produce the report, titled “The Ghost in the Browser: Analysis of Web-based Malware,” and did an intensive analysis of 4.5 million of those pages.

They found that about 450,000 of those Web pages were capable of performing “drive-by downloads”, installing malicious code automatically without a user’s knowledge or consent. Another 700,000 pages seemed to contain code that could impair or damage a PC or browser.

The malware under scrutiny can do anything from simply altering browser bookmarks or resetting a start page without permission to capturing a user’s keystrokes to steal passwords or other account information. Malicious code can also let perpetrators “hijack” a string of PCs and turn them into a large botnet that can operate by remote control to relay spam messaging.

The method of infection marks a shift away from traditional means of spreading bad code through worms in spam and e-mail attachments.

In many cases, the malware detected by the Google researchers resided in elements of the Web page that were not planned or under the control of the Web operator. For example, the report found that hijacking entire Web servers, on which pages are hosted, could inject malware into each of those pages before they were served to visitors.

Internet ads can also cause PC infection, the report says. Most Web publishers let trusted ad networks deliver the online ads to their pages. But occasionally these networks sub-syndicate some of that inventory to other ad suppliers who are not directly known to the Web publishers, and this can result in visitors who click through those ads being redirected to pages that download malicious software.

Pages that allow users to post content, such as blogs and bulletin boards, can also expose visitors to malware, especially when they’re not checked regularly for bad code. And the Google researchers found a number of widgets offered by third parties to Web developers that were also used to download unpermissioned software onto visitors’ computers. One widget acted as a simple Web page traffic counter from 2002 until 2006, when it abruptly started to download malicious JavaScript code to every visitor to pages using the counter.

To install their malware on users’ computers, attackers can either exploit unpatched weaknesses in Microsoft’s Internet Explorer browser, or they can employ “social engineering” to trick users into installing malware under a disguise. Users may be shown adult video thumbnails, for example, but told that Windows Media Player needs to download a missing codec to play the videos — a codec that is in fact malicious software.

Google is a corporate sponsor of StopBadWare.org, an independent clearinghouse for information on malware-infected sites. Since last August, Google searchers who click on a link the engine thinks runs a high risk of containing malware have gotten a warning notice: “The site you are about to visit may harm your computer!” They’re also given a link to StopBadWare.org. The warning page suggests they try another search result or a whole other search, but it also lets them continue to the page they first selected.

Spyware may present a particular problem for Google and the other search networks. Late last month security software firm Exploit Prevention Labs found that Web operators were using Google AdWords pay-per-click ads to make visitors think they were clicking through to legitimate Web sites for groups such as the Better Business Bureau. In fact, the ads were redirecting traffic to pages that downloaded malware designed to capture banking IDs and passwords, then almost instantly sending visitors along to the sites they intended to find. Google reacted within days of the report, pulling the ads and closing the AdWords accounts in question.
