By infiltrating a criminal computer network aimed at infecting visitors to legitimate websites, university researchers have gained firsthand insight into the scale and scope of so-called “drive-by downloading.” They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.
Drive-by downloading involves hacking into a legitimate site to covertly install malicious software on visitors’ machines or redirect them to another site.
In an unpublished paper, researchers at the University of California at Santa Barbara describe a four-month study in which they connected their servers to a collection of compromised computers known as the Mebroot botnet. Among their findings, the researchers discovered that, while the seedier sites on the Internet–those hosting porn and illegal downloads–were most effective at redirecting users to a malicious download site, business sites were more common among the compromised referrers.
“Once upon a time, you thought that if you did not browse porn, you would be safe,” says Giovanni Vigna, a UCSB professor of computer science and one of the paper’s authors. “But staying away from the seedy places on the Internet is no longer an assurance of staying safe.”
First discovered by researchers in late 2007, the Mebroot network uses compromised websites to redirect visitors to centralized download servers that attempt to infect the victim’s computer. The malicious software, named for its tactic of infecting a Windows computer’s master boot record (MBR), shows signs of professional programming, including a rapid cycle of debugging, researchers say.
“It is definitely one of the most advanced and professional botnets out there,” says Kimmo Kasslin, director of security response for antivirus firm F-Secure, which is based in Helsinki, Finland.
Smaller design teams can now prototype and deploy faster.