Can visiting a malicious site automatically infect my computer?

May 15, 2015 9:09AM PDT
Question:

Can visiting a malicious site automatically infect my computer?


Since I use Google search for everything these days, it's almost impossible to know what websites are bad and may have malicious intent. My questions to you are, can I get a virus infection just by simply visiting a bad website? Or does it require an action by me like clicking on something within the website? Is an antivirus good enough to protect me from these heinous sites? How do you know if a website is good or bad? I think I've been lucky so far in not visiting one of these bad sites, but I'm curious as to how these malicious sites work and how I can avoid them, as well as protecting myself if I were to accidentally visit one of them. Your thoughts and suggestions are welcomed. Thank you in advance.

--Submitted by Roger W.


Excellent Advice
May 23, 2015 8:04AM PDT

You are right. It is better to be prepared for the eventuality that something might happen. And the old "it can't happen to me" also applies. I thought I was OK but... Thank you for your guidance. I never want to again go through it any time soon. And I learned the hard way what a bootkit is. Very nasty since it operates as soon as the power button is hit. It hides in such a way that a lot of the regular protections don't even see it.

As you state, one of my fears is "the batch-file package from the original attack sleeping in the backup files". One never knows until the machine has been truly cleaned. Thanks again.

Not quite completely false.
May 23, 2015 11:32AM PDT

griz_fan, galika1080 was not so far off, but did not state it well.

Javascript is not embedded in HTML, but can be automatically run from a page's HTML code. That is why your #4 is so important.

As you said: learn to spot the difference between sound advice and BS. And stop spreading BS.

(retired programmer of 20 years)

Try "View Source"
May 23, 2015 1:03PM PDT

I have a CD that is titled "Programming with HTML". It IS a programming language and it IS the language that your browser uses when you open a website. Yes, it is a text-based interpretive language. It can link by itself to other web sites and to script. If you don't know what a simple website is, you should go do some reading. Try doing a VIEW SOURCE on any website and tell me you don't see HTML or DHTML. Or do you use something else to create websites?

HTML is NOT dangerous
May 23, 2015 5:34AM PDT

Let's clear this up - a web page is made up of several different parts. The ones this topic seems to be concerned with are:
HTML; Javascript; CSS; Images; Java; Cookies
HTML and cookies are only text. Text cannot hurt a computer. CSS tells a browser how to display certain elements of HTML, form objects, graphics, etc. It cannot hurt your computer.
That leaves Javascript, images and Java.
If you have security concerns and are not knowledgeable, you should turn java off.
If you're going to be visiting questionable sites, you should turn off images and javascript (though that may remove your reason for wanting to be on that site!) :)
You may also want to turn off cookies since it is possible for different sites to share information about you via cookies in certain cases.
Note that in the case of the person who posted they'd gotten a rootkit via hovering over part of a page, that would be javascript doing the dirty work. It's most likely it installed a pre-rootkit installer which would have loaded the real rootkit subsequently.
We need for laws to be passed and local authorities to be better trained to tackle the problem of malware, ransomware, rootkits, etc.

Sorry
May 23, 2015 1:08PM PDT

Text such as HTML can hurt your computer if it drives your browser to pick up a file somewhere. It causes your browser to do things so, technically, it can hurt you. It can put your browser in a loop and can install spyware. Reading the html code (yes, it is code) with a text editor can't hurt your computer but executing that "code" with a browser or some other program can do lots of things, including mimicking other sites with not legitimate ones.

Not much HTML anymore
May 24, 2015 1:13PM PDT

Actually, not much of it is HTML anymore. Back in the late 90's I hard-coded a bunch of websites basically using HTML 3, then later a bit of HTML 4.

Most websites nowadays actually generate the pages on the fly from a database, using programs such as Joomla. (That's why so many of them have the same general layout.) So if you look at the source code, what you'll generally see is just a bunch of links to things you can't actually see. Those databases, tied in with Google Analytics and a few other things, are the reason why when you search for a product on eBay, Amazon, or pretty much any other major retail website and then you leave the website, you keep seeing ads for the same type of product for the next week.

But just as those links to "black boxes" can serve up ads for cameras, raincoats, or whatever you searched for, they also can serve up malware.

I Know That
May 25, 2015 4:25AM PDT

The point being that the HTML forwards you to websites that are written in other languages. Even though a lot of this is pure text, the text causes your browser to do things ("browser" being an executable file) and, if the browser has "vulnerabilities", the "text" as some referred to it, can still cause your browser to do things you don't want it to. Loading JAVA, JavaScript, and even downloading executable files in the background are all things your browser can do on command from HTML or any other web page programming language. I have Norton running and it recently alerted on a DLL file that my browser downloaded from a web page that I was visiting.

I guess I always looked at it as a framework..
May 25, 2015 4:40AM PDT

Perhaps I look at it wrong, but HyperText Markup Language always looked to me like a form of programming; just a totally different kind of "language".

It is Considered "Programming"
May 25, 2015 7:57AM PDT

I think you were thinking of the "protocol" HTTP or HTTPS which are frameworks, as you put it. This language (HTML) began being replaced by other languages which had to be added into browsers. They had ASP which generated HTML and you have java, javascript and others. The important thing with HTML is not the fact that it is a text file (so just having the file on your computer does nothing), but it causes the browser to do things, such as display a webpage consisting of text, pictures and active elements. If there is a vulnerability in the browser, then that could be exploited. To me, many cookies are text files too but, through the browser, they can be collecting information and sending it out (spyware). Also, the browser can be told to download and execute files containing malware, scripts, etc.

Clarifications
Dec 23, 2015 9:22AM PST

[It is usually in a language called "HTML" but could also be Java, Javascript, ASP, or many other languages.] (quoted from above post)
To avoid misinforming anyone, I would like to make some clarifications to the post by Hforman -

HTML is a Hypertext Markup Language that tells the browser how to display stuff, not a real language that can execute anything or do any harm.

ASP; ASPX and PHP do NOT execute on your computer. Neither you nor your browser ever sees these server-side scripts. They merely put together the HTML pages that you do see.

Only Javascript and potentially Java can execute code on your computer. Although these can be devastating if from a malicious site, of the two only Java can be safely uninstalled or disabled without unduly affecting your web experience.

There are some good responses in this thread, but I would add a few more -
Never click a link from a Facebook post; email; etc. even if that link is from a friend.
That means even a link that your boss or your network administrator sends you in an email.

Spearphishing attacks can be very authentic-looking and seem to come from authoritative people when actually sent by a hacker.

If you're going to visit "questionable" sites, use a virtual machine like VirtualBox or the one from VMware.

Never browse the web while logged in as root or admin.

Consider switching to Linux (Ubuntu 15.10 is the current version). Ubuntu is really easy for light users of Windows to switch to, and it's great for guru users, but it can be a little tough at first on users that are beyond novice, yet not quite advanced, who may need to learn to deal with a terminal.

I switched my wife's laptop to Ubuntu last April and she didn't realize it wasn't Windows until I told her two weeks later. She's installed dozens of software programs (all free) with just a couple clicks in the Ubuntu Software Manager, and edits photos and video and uses all the office-type programs. She hasn't needed to use a terminal window at all.

Linux users do not need anti virus, and generally have less to worry about than Windows users.
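
Added example, not part of any post in this thread: the posts above disagree on whether HTML is "only text" or can make the browser act on its own. This Python sketch lists what a page tells a browser to load or run without a click; the sample page, its hostnames and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# tag -> (attribute holding the URL, kind of finding). The browser fetches
# each of these while rendering the page, before the user clicks anything.
AUTO_LOADED = {
    "script": ("src", "script"),    # external JavaScript
    "iframe": ("src", "frame"),     # another page rendered inside this one
    "embed": ("src", "plugin"),     # plugin content
    "object": ("data", "plugin"),   # plugin content
    "applet": ("code", "plugin"),   # Java applet
    "img": ("src", "image"),        # decoded by the browser's image parser
}
# Kinds that execute code, i.e. what disabling JavaScript and Java removes.
RUNS_CODE = {"script", "inline-script", "plugin", "event-handler", "script-url"}


class ActiveContentAudit(HTMLParser):
    """Record everything a page makes the browser load or run by itself."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, detail)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag in AUTO_LOADED:
            url_attr, kind = AUTO_LOADED[tag]
            if attrs.get(url_attr):
                self.findings.append((kind, tag, attrs[url_attr]))
            elif tag == "script":
                self.findings.append(("inline-script", tag, ""))
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("redirect", tag, attrs.get("content", "")))
        for name, value in attrs.items():
            if name.startswith("on") and len(name) > 2:
                # onload fires on page load, onmouseover on hover: no click
                self.findings.append(("event-handler", tag, name))
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(("script-url", tag, name))


def audit(html):
    """Return the list of (kind, tag, detail) findings for one HTML document."""
    parser = ActiveContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def code_running(findings):
    """Keep only the findings that execute code rather than just fetch data."""
    return [f for f in findings if f[0] in RUNS_CODE]


# Constructed sample page; every hostname is a reserved test name.
SAMPLE_PAGE = """
<html><head>
<meta http-equiv="refresh" content="5; url=http://redirect.example.test/">
<script src="http://cdn.example.test/lib.js"></script>
<script>var started = true;</script>
</head>
<body onload="init()">
<p>Plain text and <a href="http://www.example.test/about">a normal link</a>.</p>
<div onmouseover="showAd()">Hover here</div>
<iframe src="http://ads.example.test/frame.html" width="1" height="1"></iframe>
<applet code="Demo.class"></applet>
<img src="logo.png">
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, detail in audit(SAMPLE_PAGE):
        print(f"{kind:14} <{tag}> {detail}")
```

A page of plain paragraphs produces no findings at all, while the sample produces eight, five of which run code.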

The old answer and the new . . .
May 15, 2015 2:42PM PDT

There was a time in the distant past when your computer could only be infected if you clicked on something to allow it. That age of innocence lasted for a very short time. Today it is possible to get infected just by visiting a malicious site. If you go looking for hacking tools, for example, you expect to be attacked and infected very quickly - sort of like the old saying that a visit to a ***** house often results in getting more than you expected or wanted. You can minimize the risk by making sure your operating system and applications are up to date. You must also be very careful to download and install utilities and updates only from a trusted site - I recommend using ninite.com to find and install any utilities you need, and save the installer to use it for installing updates to all of the same apps. If the utility is not available on ninite.com, consider very carefully before searching for and installing it from any other site. Another way to minimize the risk is to have a well-respected and widely used antivirus installed, and keep it up to date at all times. Periodically updating and running a Malwarebytes scan in addition to your regular antivirus is a good insurance policy - especially after you have visited a questionable site.

Protect yourself more by never following the links that come in emails or even in answers to postings you make in online discussion groups. If you get ANY email or message that purports to be from your bank, credit union, UPS, FEDEX, the IRS, any "secure email delivery" systems, or any site on which you might have a login account, do not follow any links included in that email, and certainly do not click on any attachments. Instead, go only directly to the web address you know to be the correct address for that account and login there. Just because the email link says it is to Discover Card that does not mean it will take you to the official secure site.

In any case - ALWAYS BE SKEPTICAL of anything that wants you to enter your login credentials, or provide any private information. PAY ATTENTION to the browser mechanisms that let you know when you are on a secure site - NEVER ENTER A PASSWORD if the browser indicates it is not a secure server.

Despite all of these precautions, you still might pick up an infection, but careful, skeptical people tend to have a lot fewer infections than those who are too trusting and possibly distracted.

Good luck.
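
Added example, not part of the post above: the post warns that a link which says it goes to your card issuer may lead elsewhere, and that passwords should only be entered on a secure server. This Python sketch compares the visible text of each link in a message with the host it really points to; the sample message, the hostnames and the function names are constructed, and the host comparison is a simple suffix match, not a full public-suffix check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A hostname written out in the visible link text, e.g. "www.cardissuer.example".
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def same_site(host_a, host_b):
    """True when the hosts are equal or one is a subdomain of the other."""
    a, b = host_a.lower().rstrip("."), host_b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_links(html):
    """Return (visible text, real host, problems) for each link in html."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    report = []
    for text, href in collector.links:
        url = urlsplit(href)
        host = url.hostname or ""
        problems = []
        if url.scheme != "https":
            problems.append("not-https")
        named = HOST_IN_TEXT.search(text)
        if named and host and not same_site(named.group(1), host):
            problems.append("text-names-other-site")
        if re.fullmatch(r"[0-9.]+", host):
            problems.append("ip-address-host")
        report.append((text, host, problems))
    return report


# Constructed message body; all names use reserved example domains and a
# documentation IP address.
SAMPLE_EMAIL = """
<p>Your statement is ready:
<a href="https://www.cardissuer.example/login">www.cardissuer.example</a></p>
<p>Verify your account at
<a href="http://cardissuer.example.account-verify.test/login">www.cardissuer.example</a></p>
<p><a href="http://203.0.113.7/update">Click here to verify your account</a></p>
"""

if __name__ == "__main__":
    for text, host, problems in check_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {host}: {', '.join(problems) or 'no flags'}")
```

A link with no flags is not proof of safety, so the post's advice to type the known address yourself still applies.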

Spyware and virus
May 22, 2015 4:41PM PDT

Over and above the excellent recommendations you need a malware detection and removal program. Some people prefer McAfee.
I do not like the interface; it disrupts your work with enormous messages and does not tell you when it updates.

I use Norton 360. It is not perfect, but it signals which software is safe on the Google replies, blocks malicious software and has daily updates that you can install as you please. You are in control.
Symantec has decades of experience in mainframe software. Microsoft Windows 7 Incremental Backup was in fact Norton Ghost. An expensive program.
Now in 8.1 Microsoft implemented their own inferior system.
Norton 360 offers you a backup facility. It is a simpler program but I prefer it to the file backup that Windows 8 provides.

Cheers
Crisnevius

In the past...
May 23, 2015 4:45AM PDT

I used to discourage folks from using Symantec/Norton products, but I must admit, they seem to have learned their lessons of the past and made a better product now. I still use Avast, because that is what I have my indigent clients use, so I subject myself to the same slings and arrows they might come across. MBAM has gone to a new licensing scheme where you get three installations a year for one price. It is hard to find the lifetime licenses now. If three people share one license it can cost a lot less for those who have a thin wallet.

Friends don't let friends do McAfee. Please don't do that to your local computer fix it guy - you and he/she will regret it.

Secure server
May 24, 2015 5:08AM PDT

Thanks for your very helpful comments. How do I know if my browser indicates it is not a secure server? I use IE and Chrome?

Secure server.
May 24, 2015 5:33AM PDT

This is indicated by a padlock symbol in the address bar. You would see this when banking online for example. Also https is in the address bar.
Dafydd.

Yes it can....
May 15, 2015 11:06PM PDT

Hforman gave a great response, but I also have to agree with the follow-up to that, and please don't use Symantec. They've gone from great software to greater bloatware, and do a lot of things we don't really need, and slow the computer in the process.

For the last 9 years now, I've been running Avast AV software - the free version - and recently they dropped a new business package that is also free if you meet certain limitations. I will say that before I installed the business version I didn't get a single advertising e-mail from them. That's a huge thing to say about an on-line company. They're not based in the US, which has some people squirming, but I still feel that's OK. Since the upgrade to the business version, I get daily e-mails telling me how many threats were blocked, and which systems they were blocked on. I'm OK with these, as it also keeps my head in the game and allows me to tailor the blocking on the systems.

I also use multiple add-ons for my browsers to stop automatic scripts.

NoScript is an awesome addon, and once you spend the initial time configuring it, you'll find a lot of sites use the same sources for data, so you don't have to fully configure for every site. Once configured, it sits quietly in the background helping keep you safe.

Adblock Plus helps stop all those little ads that may be intrusive, and there's a free filter source they provide that you can use to turn on non-intrusive ads. I have those on - since sites can actually make money on just serving those ads to me. If they're making money on it, then they're more likely to stay open.

One thing Avast provides in the list of google hits is a little icon next to each link telling you if the site is safe or not. I find that comforting, but still don't trust any of them right off the bat, and manually control the scripts allowed.

Good luck,
Scott

avast
May 22, 2015 10:22AM PDT

Just don't try to un-install Avast hahahaha you will be in for a big surprise. Took me nearly a week to flesh out all that was left, including an entire down deep folder that I could not access and had to do it in DOS mode.
I am still a hold out for XP, and the last update just trashed my system. They obviously didn't bother to test it, just left the XP in the list of op systems it was good for.
But then, :) I am now free from MS. Love my Linux Mint 17 :)
Time to see if CNET has a Linux forum :)

Fully Un-install Avast
May 23, 2015 2:36AM PDT

I too could not get Avast off my system. It was slowing up boot time, telling me I needed updates and showing an icon on the desktop no matter what I did. Even used one of those uninstall programs which clean the registry of the unwanted items. No dice. Fortunately I found Avast uninstaller on a web search. It's a tiny download and when I ran it, all those hidden remnants of Avast were gone. PC now runs faster and boots up nicely.

Been using Avast for so many years, have recommended it to others but something has changed since its earlier days. It really puts its hooks into a system and does almost all it can not to be uninstalled. I have since switched to another free anti-virus and so far so good.

Hmmm?
May 23, 2015 4:53AM PDT

Avast used to leave nothing behind after uninstalls; I used to check it with Revo Uninstaller, and it left a clean slate. Perhaps it is because of the battle between Avast and malware in the boot environment that this has become necessary. This prompted me to look for an uninstall tool at Alwil software, and they have one called Avastclear that you can run in safe mode to clean it up.

so what's the software? And a couple of missed mentions...
May 23, 2015 8:47AM PDT

Please post a link to that software. I could use it.

I think Adwcleaner hasn't been mentioned and I find it to be irreplaceable.
That and JRT.
And Spybot.

With Malwarebytes and Ccleaner running all the time gives a fairly safe machine, I think.

It should be mentioned that Adobe Flash and Java update pop up screens can be evil pretenders. Never click on them to update. Always go to their home pages and check your version there and update from there.

Lastly: what we need is a software driven method of switching off from the internet as thoroughly as pulling an ethernet plug or shutting down a wifi does. Perhaps it exists but I haven't found it.

I would use it on my home network to isolate some machines (the kids) at different times and to isolate any machine the instant it got infected.

Then I'd like software that monitors internet connections and categorises every single packet in order to find suspicious packets. We should be able to know at any time just which progs and processes are communicating with the web and why.

Unfortunately the state of the art today is such that we don't even know which progs and processes are running on our own computers, and why - things like Task Manager giving cryptic lists of no value to the ordinary user.

Many, many people are not using their computers as computers. My own family falls into this category quite frequently, I notice.

Our computers simply become 'web stations' or something, 'web clients', they are just running web originated things like emails, youtubes, games, news feeds.

All the power of the computer is simply not needed, not used, not needed. Nor is all the stored data.

But when an infection arrives from the web because the 'whole' machine is there, with its power and its data then the whole machine gets attacked.

We need bullet proof isolation as a matter of course. Using only that part of the computer that is required for these basic dumb web tasks and getting instant notification when access to the larger part of the computer is required.

How about that story of Chinese hackers running something from the web? Don't give a damn how good they are, they can't do it if they're not connected. There's much connected that doesn't need to be connected.

Dumb terminals..
Dec 23, 2015 11:01AM PST

is what you are referring to. Not many people are going to want to do that at home - it entails a lot of IT knowledge to set up, and a very strong server for the whole family. Nowadays, they probably use something more like a "thin client" and a simpler server to do something fairly close to that.

There are two ways to emulate this goal if you are not too dependent on Microsoft's Office or other software.

1. Simply use a PC with Chrome OS, which relies on the browser alone to do all tasks, with little need for complicated operating system assets.

2. Use a sophisticated drive locking program like the public library. This makes it possible to reboot to restore everything back to the way it was before, and no updating or security software needed.

Doing number two may require a technician to install on the hard drive - Steady State is a free one Microsoft used on XP, but if your OS is newer, you will probably have to find a paid solution. CNET user reviews could aid in this task.

Novell had the best dumb terminal I'd ever seen running at local schools but now they are promoting a SUSE Linux Enterprise version that is part of their "Free the Penguins" initiative. You would truly need to be a gear head to run this, I'd imagine.

WOT better than Avast's site advisor..
May 22, 2015 6:09PM PDT

Avast will block a lot of those bad attacks, but I have to be honest, MBAM Pro beats it to the punch 95% of the time for blocking malicious servers. However AdBlock Plus, No Script and a good host file like Spyware Blaster with its passive ActiveX protections are pretty good for those that insist on using Internet Explorer. Spybot S&D and other host files can do a lot too.

MVPS used to be king of the host files, but with the new Windows, I haven't kept up.

Malicious sites
May 15, 2015 11:33PM PDT

Prior to 07, I occasionally received an infection on my PC, mostly by redirection; since then, ZERO. I now use CCleaner pro - Mbam pro and Avast Internet Security {pro version}. I don't think the pro versions of Mbam nor CCleaner are really necessary - I love Avast firewall and Internet security however. I simply felt obligated to donate to them after many years of good service from their free apps. I never download a security app from any site other than {1} - Cnet downloads if available, alternates are - File Hippo or File Puma, nor do I open an email without Avast Mail Shield being turned on. I have all shields in Avast set on high; if you accidentally visit a bad page they will block it from opening. There are {as stated by many intelligent posters here} far too many ways to make your unit ill to cover in 1 post. Please allow CCleaner {fast trash dump} or Glarys utilities {comprehensive cleaner} to carry out the trash daily, and if you are new to this, have a friend set them up for you. I have 20+ friends and relatives whose units I set up, and do not mind keeping them safe in the least. Best wishes, Travis

Actually MBAM is excellent.
May 23, 2015 5:14AM PDT

The Pro version is uncanny in its ability to block malicious servers before they can enter your ports. It could be argued that it has a better firewall function than Avast! I personally only recommend one paid solution, and that is MBAM's. I'm not a shill for Malware-bytes, it is just that it has become necessary to admit that one cannot run for free all the time with today's threats. If you have nothing to lose on your computer, or don't do online banking or shopping, I can definitely say free is the only way to go.

To lower the cost for my clients I buy one license and share it with three people, so it isn't so expensive for them to keep up the Pro version annually. It still pays to get the lifetime license, if you can find it in a brick and mortar store or online retailer. Ironically Avast's firewall is TOO good for my computer, because it blocks all DRM communication from my Blu-ray player and cable ready modules. This cannot be mitigated, because the MPAA has made these spywares hidden from all but the old Emsisoft Mamutu anti-spy utility. Now even Emsisoft has no way to mitigate these issues, so I just don't recommend them to anybody. Unfortunately this includes Comodo's free firewall. Although Comodo used to try to keep up with all the DRM spybots automatically, they just fell too far behind to make enjoying HD content usable.

Once again, I am not a shill for MBAM, it is just that I do volunteer work for indigent PC users, and have learned what reality is.

Better AV pgms.
May 16, 2015 1:19AM PDT

Provide some sort of "web adviser" warning you of possible visit could be harmful. When active, it should display a warning and/or outright stop you if a known threat is present. You can simply ignore or disable the warning and proceed on at your own peril. Depending on the threat a simple visit can start the malware process as maybe only a small "bot" be attached to your visit and when you leave or realize the website isn't what you wanted, the malware process has started. Even visiting other websites the backgrd. "bot" continues in some to fully load or redirect you to once again be infected more fully. All-in-all, trust your AV to be doing what it's supposed to be doing, protecting you.

tada -----Willy :)

I still say...
May 23, 2015 5:22AM PDT

Web of Trust (WOT) is better than any of them for coming close to determining if the site needs blocked or has an iffy reputation. I've used all of them, and none better than WOT. None of them can keep up with all the new malicious sites, but MBAM pro seems to block the latest malicious sites just as soon as they are detected. It is easier to block by IP address, than put millions of definitions to malware in the scanner files. I'd say that is pretty smart - but with ICANN's new domain schemes, and IPv6 out now, it may become impossible to go that route as well very soon! :(

The MAC vs PC Question
May 22, 2015 10:27AM PDT

If you're using a MAC, the answer is No. While the information about how a browser works as described in this thread is correct, it is only the Windows and Android OS that are infected by visiting alone.

We did an experiment where we identified infected sites and then visited them with both PCs running Windows and Macs running Yosemite. None of the Macs were infected. All of the PCs were.

Test was not the universal answer
May 22, 2015 12:34PM PDT

The reason you didn't get infected with your Macs was most likely that you only ran into MSFT specific viruses. There are many more MSFT specific viruses out there than Mac viruses. If you HAD run into a Mac virus, you most likely would have been infected unless you had appropriate protective software running.

Depends on apps or plugins..
May 22, 2015 6:17PM PDT

Almost all the folks I know that run Apple software also run java with it, so actually they are just as vulnerable as any Windows or other operating system using the same things. If Apple started blocking installations with java, I was not aware of it. I greatly suspect any browser running flash movies will eventually be found to have a vulnerability anyway. Saying otherwise is disingenuous. I realize Apple is blocking the flash app, and it is no longer needed, but HTML-5 is just a time bomb waiting to happen on flash type content. The crackers will eventually find the holes in the new standards too.

False sense of safety
May 22, 2015 3:08PM PDT

The only reason a Mac might be more secure than a PC is there are many more PCs out there and thus are a more attractive target. As Macs gain market share so will their attractiveness to malware writers. If you own a Mac and are smart you will use the same precautions that have been advised for PC users.