TechWeb

Hackers Spreading Spyware From Free Personal Web Sites

Jul 25, 2005 (10:07 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=166402311


Attackers are using free personal Web hosting sites provided by nationally- and internationally-known ISPs to store their malicious code, and to infect users with worms, viruses, and spyware, a security firm said Monday.

Websense, a San Diego, Calif.-based Web security and content filtering vendor, has detected a big jump in the use of personal hosting sites, said Dan Hubbard, the company's senior director of security and technology research.

"The growth of this trend is alarming," said Hubbard. "July has seen a major boom. In the first two weeks alone we found more instances than in May and June combined."

In the first half of the month, Websense found more than 500 free hosting sites created to spread keyloggers alone, Hubbard added. Since the beginning of the year, it's uncovered more than 2,500 such sites.

Although the hosted sites purport to offer up everything from online journals and photo albums to blogs and greeting cards, they all have one thing in common, said Hubbard. "Some type of automation was used to set all of them up, and fairly easily, too." Because they're free and easily created, they're considered disposable by the attacker. The average lifespan of such a site, said Hubbard, was between two and four days. They're attractive for other reasons as well.

"Attackers don't have to go to the trouble to find a compromised machine, search for one with a vulnerability they can exploit to turn into a zombie," said Hubbard. "Plus, they're reliable. Since they're offered up by national and international Internet service providers, they're built on a lot of infrastructure. Third, they often offer quite a bit of storage space, in some cases up to 500MB."

While Hubbard declined to name some of the ISPs his labs has found hosting some of the malicious sites, "you'd recognize the names," he said. "Some are mom and pop ISPs, but most are well-known."

The problems is that too few free hosting services offer even the most basic security tools, Hubbard said, pointing the finger at lackadaisical ISPs. None of the services found hosting malicious sites use a graphics-based question to make sure that a human, not a bot, registers for the service, he said. "None prevent uploading of executable files, and none are scanning [files] with anti-virus software," he added.

Putting their malicious programs on a site is only part of the hackers' chores, however. They also have to get people to visit these sites in order to install the code, such as a keylogger, on computers.

"It's not all about where hackers are storing code, but also how they're getting victims to visit those Web sites," Hubbard argued. "Social engineering techniques are still the most effective way of enticing people to a site."

Here, too, he said, the free Web hosting service sites play to the hackers' advantage. Because the domains of these services may include the name of a well-known ISP, it may be trusted by more users than a compromised, and unknown, IP address of a zombie PC.