Firms tackle virus-laden Web sites, ads

As more users get hit by "drive-by downloads" and "malvertising," companies like Armorize and Dasient offer services to help keep surfers safe.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
Caleb Sima, chief executive of Armorize Armorize

Taiwan-based Armorize knows something about keeping malware off Web sites.

Four years ago, Wayne Huang left his job researching ways to help secure the Taiwanese government's networks from attacks. He and his brother, Matt Huang, a Stanford MBA graduate, decided to commercialize the research and launched Armorize, which became an anti-malware leader in Asia.

Now the company is taking its malware expertise to the United States. This week, Armorize announced it is moving its headquarters to San Francisco while keeping most of its research and development in Taipei. Armorize also is announcing a new version of its cloud-based service that detects and cleans up brand new exploits hiding in Web pages and ads that traditional anti-virus and other security software miss.

"Asia is on the cutting edge in terms of exploits, driven by politics," Armorize Chief Executive Caleb Sima said in an interview with CNET on Tuesday. "Governments (there) pay for cyberwarfare and intelligence gathering."

For years, malware primarily attacked computers by targeting holes in the operating system via e-mails with malicious attachments. Now that the Web has become so integral to the 21st century lifestyle, attackers are targeting computers with so-called "drive-by downloads" that target vulnerabilities in Web browsers, Adobe Flash, and other Web apps as people visit Web sites. The compromise requires no action on the part of the victim and typically the Web surfer has no idea that anything has happened.

Attackers can create malicious Web sites specifically for this purpose, or sneak malware onto legitimate Web pages through weaknesses in the site. A relatively new way of doing this is to sneak ads containing malware onto sites, also known as "malvertising."

The problem of ads delivering malware to Web surfers cropped up last year when visitors to The New York Times got hit. Another wave came earlier this year when the Drudge Report was targeted. Even ad platforms as big as Google's and Yahoo's were found to be delivering malicious ads.

Armorize scanned the Alexa top-ranked 200,000 Web sites and found that 1 percent were infected with malware that can be used in drive-by downloads. One site Armorize found to be used as a vehicle for delivering malware was boingboing.com, which attackers were likely using in the hopes of reaching a broad audience by taking advantage of the proximity of the domain to the popular blog at Boingboing.net.

Asia is the region where most of the drive-by attacks occur, according to this graphic from Armorize. Armorize

Armorize is offering its cloud-based HackAlert 3.0 service in the U.S. after providing it in Asia for the last four years. Targeted at corporations, large organizations, managed security service providers and hosting providers, the service looks for malware based on behavior, its code signature, (which antivirus typically detects) and based on whether the malware is included in various blacklists. It makes no distinction between whether the content is an ad or not.

The service can be set to scan a Web site every five minutes, to scan content before it is pushed to the site from the advertiser or ad network, or to make sure the ad copy is completely clean before it is pushed out to an ad network or Web site, according to Sima. "We can even alert you when your Web site is defaced," he said.

Armorize faces competition from Dasient, founded by former Googlers. Dasient offers an anti-malware service for Web sites and last week announced a specialized platform that focuses on protecting sites from malvertising.

"We estimate that there are close to 1.3 million malicious ads being viewed every day across the Web," Dasient co-founder Ameet Ranadive said in an interview.

Of the Web-based malware attacks that Dasient's system collected information on, 59 percent are drive-by downloads and 41 percent are fake antivirus warnings, also called "scareware."

And McAfee recently said it was partnering with Adgregate on an anti-malware scanning service for ads.

Advertising networks are anxious to find such solutions to the malware problem because malvertising hurts the entire industry, said Richard Sim, vice president of product management and marketing at anti-click-fraud firm Anchor Intelligence.

"Ad networks are opening up their APIs (application programming interfaces)" so the ads can be changed later, even after they have run, he said.

"Companies can test which creatives (ads) are performing well, change the colors and text, and roll out new versions," he said. "But that has opened up the door for fraudulent actors to get creative approved early on and then later insert malicious code into them. It's hard for ad networks to stay on top of this."