May 18, 2007 at 8:00 AM ET
Don't click on attachments? Good. Always keep that firewall turned on? Even better. Stay away from the Internet's unsavory neighborhoods? Better still. Think you are protected?
Computer criminals are evolving their tactics to subdue your computer, experts say. Each time you invest more money and time in staying safe, the bad guys just find another way around your defenses. Their newest method may be the trickiest yet: Web pages booby-trapped with infectious computer code.
Such sites are popping up at an alarming rate, according to a new study issued by Google called “Ghost in the Browser.” (Adobe Acrobat required).
Unsuspecting Net users are victimized by simply doing what they do hundreds of times each day – visiting a Web page. Then, while the consumer browses content normally, a computer virus or Trojan horse program is silently installed.
In the study, Google found 300,000 Web sites laced with such malicious code, and another 700,000 suspicious sites. For perspective, the study found only 18,000 Web sites laced with adware.
So-called drive-by downloads are not new, but criminals have seized on the tactic lately because their success rate with traditional e-mail viruses has tapered off thanks to improved software and consumer education. Avoiding e-mail viruses is fairly easy, as long as consumers follow clear rules like "don't click on any attachments." But drive-by downloads are much more sinister, as no user interaction is required beyond opening an infected site in a Web browser.
Web 2.0 -- more risks
Dave Cole, a Symantec researcher, said even the tried-and-true advice to “stay out of the bad Web neighborhoods” doesn't work anymore. That’s largely because of the rapid increase in user-contribution Web 2.0-style sites -- sites like this blog that allow comments and other content to be uploaded. Hackers can often trick such Web sites into hosting their virulent computer code by using these tools to upload viruses. That means it's possible for consumers to visit what was once a harmless site -- say a blog they've looked at every day for a year without any problems -- and still become infected.
“Today it is not unlikely that you'll end up on a dangerous Web page even if you stick to good areas of ‘neighborhood,’” Cole said.
Once a consumer’s computer is infected by a drive-by download, it’s likely to become a zombie in an army of computers used by spammers to send out millions of unsolicited e-mails.
To see a demonstration of how spammers used hijacked computers to make money, click on the video attached to this story.
The problem of hijacked computers – some believe as many as 100 million computers on the Net have been hijacked by hackers – is the subject of our recent three-part series, "Is Your Computer a Criminal."
The advent of drive-by downloads as the next important hacker tool puts search engines in the uncomfortable position of acting as a conduit between consumers and criminals. To counteract this threat, Google has quietly begun warning users whose searches turn up potentially malicious Web pages that "this site may harm your computer." The labeling began close to a year ago, said Google's Niels Provos, who co-authored the “Ghost in the Browser” report.
"The installation of software without user consent is something that can be detected easily," Provos said. The company ran billions of Web pages through a filter that looked for suspicious behavior. Of those, about 4.5 million pages tripped Google’s alarm, about 1 million contained some suspicious computer code and 450,000 were positively identified as dangerous. These sites now come with Google warning labels, and users must go to some trouble to actually visit the sites.
The practice has generated some controversy online, with a few writers criticizing Google for "policing" the Net and potentially censoring content. But Provos said the company has an appeals process for site owners who feel they have been improperly labeled as malicious, and that the firm is doing the right thing to keep users safe.
"We are taking the security of our users very seriously," Provos said. "No matter where the content comes from."
RED TAPE WRESTLING TIPS
Drive-by downloads are treacherous, but there are ways to minimize the likelihood that your computer will get hit. Provos suggests that computer users should:
• Use antivirus software and firewalls, along with services that automatically patch software like Windows. They won't keep you from visiting infectious Web sites, but they can stop the virus or Trojan horse from wreaking havoc on your computer.
• Visit only Web sites you trust. You can still become infected, but your odds of staying safe are better.
• Take the added precaution of running the Web browser in a "virtual machine," which isolates the browser software from the rest of the computer. Even if consumers visit a malicious site with a browser running in a virtual machine, the infection will not spread to the rest of the PC. Microsoft offers virtual PC software for both Macintosh and Windows, but only the Windows version is free. (An earlier version of this entry wrongly indicated that the Mac version was also free.)