Hyperlink insecurity

Today, trusted Web sites can no longer be trusted. Those of us who collectively click on the billions of hyperlinks generated each day by search engines, blogs and e-mail are playing Russian roulette with our computers.

Can the search results of Google, Yahoo, MSN and Technorati really be so hazardous to our computers' health? Sadly, the answer is yes.

So why do we click on hyperlinks with such wild abandon? The answer is that most of us have been taught that as long as we're not accessing pornography or illegal file-sharing sites, and as long as we keep our antivirus and anti-spyware updated, we're safe.

It's time for a reality check.

Cybercriminals continue to innovate new and diabolical methods for delivering their crimeware payloads. Recently, they've entered the Web application development business, where they're helping good people develop trusted Web sites that unwittingly deliver a nasty malicious software payload.

Last month, while conducting my ongoing crimeware research, I stumbled into a new Web site in the U.K. operated by a self-employed plasterer. The plasterer, apparently hoping to promote his business online, had recently created a Web site using--as many of us do--free Web development tools.

Unbeknownst to the plasterer, however, one of the freeware tools he downloaded, which allowed him to place a Web counter on his site, was now inadvertently exposing his visitors to malicious crimeware.

My analysis revealed that the free Web counter had hidden functions. When someone visited the plasterer's site, the Web counter accessed a Web server in Slovakia, which then grabbed a drive-by download from a server in Colorado, that was then silently installed onto the unsuspecting Web site visitor's computer.

In this age of open-source and free software, the plasterer is not alone among Web site owners who utilize free Web development tools. The cybercriminals understand that people expect the Web to be free, which is why they're building tools to exploit that idea.

This plasterer's particular drive-by download took advantage of security vulnerability in a component in the Windows operating system known as Windows MetaFile.

It typically takes Microsoft weeks or months to issue a patch for each new vulnerability discovery. To Microsoft's credit, it cannot release patches any faster, because patches must be thoroughly tested to ensure they don't break other applications or introduce additional vulnerabilities.

So until a patch is issued, users are vulnerable to these exploits, usually in the form of a rootkit and other malicious software delivered via drive-by download. And the sad reality remains that, even after patches are released, many users never install them.

Virus writers in the 1990s were like cybergraffiti artists--their goal was to wreak havoc by tagging as many people as possible. But by the late 1990s, shadier elements had realized the profit potential of adware and spyware. They, too, focused their efforts on infecting as many users as possible.

Today, this shady element has evolved into fully fledged organized cybercrime gangs that buy, sell and distribute exploits for profit. And unlike the early virus writers, who often sought to make the presence of their virus known, crimeware distributors are stealthier and more calculating in their attacks.

If you knew there was a guillotine behind the front door of a certain percentage of businesses in your neighborhood, would you visit those businesses? The same holds true for Internet business.

How will Internet users respond if they begin to suffer hyperlink insecurity? What will become of the multibillion-dollar search engine business, and more importantly, what will happen to the millions of businesses of all sizes who rely upon search engines to guide customers to their front door?

It's enough to make you nostalgic for the days when we only needed to worry about viruses. Well, almost.