The international Honeynet Project has used honeypot technology developed at Victoria University to track web-based security attacks.
Even seemingly safe web addresses are rife with attack code aiming at vulnerable clients, according to the Honeynet Project study based on the technology. The authors say that methods such as blacklists can be surprisingly successful in stopping client-side attacks.
Attackers are increasingly turning to end-user systems as a way around the antivirus and firewall systems that are blocking access to traditional attack routes, according to the researchers, who hail from the US, Germany and New Zealand.
“The ‘black hats’ are turning to easier, unprotected attack paths to place their malware onto the end-user’s machine,” they say in the study, called “Know your enemy: malicious web servers”.
The study used a “high-interaction” client honeypot, called Capture-HPC, developed by Victoria University of Wellington, to analyse more than 300,000 addresses from around 150,000 hosts.
It looked at various site categories, including adult, music, news, “warez,” defaced, spam and addresses designed to grab traffic from users who mistype common web addresses. While some categories were more likely to contain malicious addresses than others, all contained malicious addresses, the report says.
“As in real life, some ‘neighbourhoods’ are more risky than others, but even users that stay clear of these areas can be victimised,” the report says. “Any user accessing the web is at risk.”
Users can be led to malicious sites via links, typing in an address manually, mistyping an address or following search-engine results, the study says.
These results only confirm what security researchers have been saying for some time now. But the study also analyses the effectiveness of safeguards against such infections in some detail.
The research shows that blacklists, if regularly updated, can be a surprisingly effective way of blocking malicious addresses.
The researchers also recommend regular patching, but this may not always be straightforward, since the study finds a prevalence of attacks against plug-ins and non-browser applications. “Attacks also target applications that one might not think about patching, such as Winzip,” the study says.
Another technique that can block attacks would be to use a less popular browser, such as Opera, according to the study. “Despite the existence of vulnerabilities, this browser didn’t seem to be a target,” the study says.
The data used as the basis for the study has been made available on the Honeynet Project’s website.