Report: Malware-laden sites double from a year ago
Two studies illustrate the hazards of Web surfing with more than 1 million sites infected with malware and more than 40 percent of sites in one study always vulnerable to attacks.
More than 1 million Web sites were believed to be infected with malware in the fourth quarter of last year, nearly double from the previous year, according to figures released today by Dasient.
Malvertising, advertising containing malware, also is on the rise, with impressions doubling to 3 million per day from the third quarter of 2010, Dasient said in a blog post.
"The probability that an average Internet user will hit an infected page after three months of Web browsing is 95 percent," the company said.
The news corresponds with information released this week by another security firm. An analysis of more than 3,000 Web sites across 400 organizations last year found that 44 percent of them had serious vulnerabilities at all times, while 24 percent were frequently vulnerable for an average of at least 270 days a year, according to WhiteHat Security, which provides Web site testing and security services for companies. Meanwhile, only 16 percent of the sites examined were found to be rarely vulnerable, the report said.
About 64 percent of those sites had at least one information leakage vulnerability, which inched past cross-site scripting as the most prevalent vulnerability, WhiteHat said.
Neither WhiteHat nor Dasient identified the Web sites they analyzed or disclosed whether any of the biggest Web brands were among those with malware or vulnerabilities.
Dasient researchers wanted to see how easy it would be to spread malware on social-networking sites and created some test accounts to spread various types of links. More than 80 percent of the dozen unidentified sites they tested allowed through links that were on Google's Safe Browsing list, while all of them allowed through links that led to a benign drive-by download.
In another test, the researchers posted an ad whose click-through links led to a benign drive-by download and found that the social-networking site kept the ad up for more than three weeks before pulling it. The ad had the headline "Click for a security test," led to a site at "hackerhome.org," and said a Windows calculator would pop up if the computer was vulnerable.