Thursday, 10. July 2008, 05:45:11
Yesterday I ran into for the first time a bad thing that I am told is becoming common. You go to a website, the website has been "infected" with malicious code, you click on a link and you get redirected to a strange domain like "aykjfgves.com", from where your browser is tricked into downloading some executable files. In the end your computer is infected by a "bot" that can do pretty much everything, like phoning home your private information, downloading and installing more bad software, or using your computer and Internet connection to spread further attacks.
This is completely automatic. These "bot-nets" are built by "bots" that "google" for random websites running software known to have some "hole", and then try to inject their own code into those websites. Hammering the Internet this way, they are able to find a lot of sites whose software has not been patched with security updates or that were not developed with the correct security practices. At that point all the users who arrive at the infected website are redirected, tricked into downloading some "trojan horse", and become an active part of the bot-net.
There isn't much you can do. You can't trust any website. In my case the antivirus detected the bad payload in the redirected connection and blocked it. Plus, the bad domain to which I was redirected was also blocked by the Google blacklist included in Firefox 3. My understanding is that both defenses work on already-known threats, but a brand new one has a good chance of getting through.
Using Internet Explorer looks a little suicidal, due to its integration into the OS and the difficulty of managing the local security policies, for example for ActiveX.
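As an added example (not code from the original post), here is a small site-owner-side check for the kind of injected redirect described above: it parses a page and flags iframes, script sources and inline-script location assignments that point to a host outside an assumed allowlist. The sample page and the allowlist are constructed; the bad domain is the one named in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the site's own content plus two injected pieces of the
# kind described above (an off-site iframe and an inline-script redirect).
# The bad domain is the one named in the post; the "own" hosts are assumed.
SAMPLE_HTML = """
<html><body>
<a href="/about.html">About</a>
<img src="http://cdn.example.org/logo.png">
<iframe src="http://aykjfgves.com/in.cgi?3" width="0" height="0"></iframe>
<script>window.location = "http://aykjfgves.com/load.php";</script>
</body></html>
"""
OWN_HOSTS = {"www.example.org", "cdn.example.org"}  # assumed allowlist

class RedirectFinder(HTMLParser):
    """Collects off-site iframe/script sources and off-site JS redirects."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.findings = []  # list of (kind, url)
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url).hostname
        return host is not None and host not in self.own_hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag in ("iframe", "script") and self._offsite(a.get("src", "")):
            self.findings.append((tag, a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline script: look for location assignments
            for url in re.findall(r"""location(?:\.href)?\s*=\s*["']([^"']+)""", data):
                if self._offsite(url):
                    self.findings.append(("js-redirect", url))

def find_offsite_redirects(html, own_hosts=OWN_HOSTS):
    """Return [(kind, url)] for every off-site embed or redirect found in html."""
    parser = RedirectFinder(own_hosts)
    parser.feed(html)
    return parser.findings
```

Running it over a crawl of your own pages after each deployment gives an early warning that something was injected, independent of whether any antivirus already knows the payload.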
Useful links:
Blog post on the issue with more links:
http://adblockplus.org/blog/blocking-malicious-sites-with-adblock-plus
Free antivirus (for personal use only):
http://www.avast.com/eng/avast_4_home.html
On a side note: interestingly, while using Opera 9.51 the above site redirects me to a casino site, but the antivirus isn't triggered. I've tried several times and I am always redirected to the same casino page. Maybe the bot-net code detects what browser you are using and acts differently. I can't say whether Opera is more secure in general terms, but in this particular case it seems it is not redirected to downloading the executable files.
----------------------------
Summary: when you visit any website, even one you regularly frequent, it can happen that you are redirected to a strange domain from which your browser downloads a "trojan", that is, a program which then proceeds to download other disreputable little friends that can do whatever they like with your computer and your connection.
I repeat, this can happen with any site you have always trusted.
In fact there exist these "bots" that automatically look for websites using a certain particular piece of software and try to exploit flaws in that software to add their own code to the site. When that software has not been updated or is not used with the correct security procedures, the "bot" manages to make its modifications, and from that moment the site redirects all users to another domain from which they will download a trojan.
In my case the antivirus noticed and blocked the connection to the "pirate" domain; in addition, the domain was blocked by Firefox 3 through Google's blacklist.
But the risk exists and is constant, so draw your own conclusions. Particularly vulnerable are Windows users who use Internet Explorer, because of its integration with the system and the difficulty of managing the security policies, especially regarding ActiveX.