Linda Musthaler's CIO-level look at the latest networking technologies and their benefits and pitfalls.
In last week's newsletter, we began looking at a report from Google (see All Your iFrames Point to Us in the Google blog) in which researchers reveal the depth of the worldwide malware problem. For 10 months in 2007, Google captured data and studied how malware gets from servers it calls “distribution sites” to your PC using an obfuscated yet sophisticated network of compromised landing pages and hand-offs to relay sites. Web surfers go to a seemingly benign Web site, and without their knowledge or permission, they are transported to other Web sites that deliver malicious payloads.
Even innocent Web surfing can be hazardous these days, and it is steadily becoming more dangerous. In April 2007, less than 0.4% of the incoming search queries to Google’s search engine returned at least one link to a malicious site. By January 2008, this figure had risen to 1.3% of the search queries returning at least one link to a malicious Web site.
It’s not hard to understand why the trend is increasing when you see how easy it is for hackers to seed the search results with compromised content on otherwise benign Web sites. For instance, one way that hackers take control of benign Web pages is through third-party contributed content (e.g., blog posts, forum discussions). It is relatively easy for a hacker to embed a link to a malware distribution site in content that they themselves have posted.
Web-based ads are another source of compromise. On average, 12% of the overall search results that returned landing pages associated with malicious content were due to unsafe ads.
The report explains how it happens: “Today, the majority of Web advertisements are distributed in the form of third party content to the advertising Web site. This practice is somewhat worrisome, as a Web page is only as secure as its weakest component. In particular, even if the Web page itself does not contain any exploits, insecure ad content poses a risk to advertising Web sites. With the increasing use of ad syndication (which allows an advertiser to sell advertising space to other advertising companies that in turn can yet again syndicate their content to other parties), the chances that insecure content gets inserted somewhere along the chain quickly escalates. Far too often, this can lead to Web pages running advertisements to untrusted content. This, in itself, represents an attractive avenue for distributing malware, as it provides the adversary with a way to inject content to Web sites with a large visitor base without having to compromise any Web server.”
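A defender's view of the "weakest component" point, as an added example that is not from the Google report or this newsletter: a Python script that inventories which outside hosts a page's markup loads active content from, or links to, and checks them against a list the site operator has approved. The hostnames, the sample markup and the names `audit` and `ThirdPartyAudit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch content automatically.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class ThirdPartyAudit(HTMLParser):
    """Collects (tag, host, status) for every off-site reference in a page."""
    def __init__(self, page_url, approved_hosts):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlparse(page_url).hostname
        self.approved = set(approved_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or ("href" if tag == "a" else None)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(self.page_url, url)).hostname
        if host is None or host == self.first_party:
            return  # first-party, or a scheme without a host (mailto:, data:)
        if tag == "a":
            status = "external-link"  # e.g. a link inside a posted comment
        elif host in self.approved:
            status = "approved-third-party"
        else:
            status = "unapproved-third-party"
        self.findings.append((tag, host, status))

def audit(page_url, html, approved_hosts):
    parser = ThirdPartyAudit(page_url, approved_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a blog page with one ad script and a reader comment.
SAMPLE_URL = "http://blog.example/post/1"
SAMPLE_HTML = """<html><body><script src="/static/site.js"></script>
<script src="//ads.example.net/show.js"></script>
<iframe src="http://relay.example.org/frame"></iframe>
<div class="comment"><a href="http://files.example.com/download">here</a></div>
</body></html>"""

if __name__ == "__main__":
    for tag, host, status in audit(SAMPLE_URL, SAMPLE_HTML, {"ads.example.net"}):
        print(f"{status:24} <{tag}> {host}")
```

The audit sees only the first hop present in the served markup; whatever an approved ad script pulls in further down the syndication chain at load time does not appear here.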
Linda Musthaler is a principal analyst with Essential Solutions Corporation.
Comments (1)
Symantec ISTR concurs: beware the Web
By Linda Musthaler on April 10, 2008, 12:22 pm
In early April, Symantec published its semi-annual horror story, Internet Security Threat Report, Trends for July–December 07, Volume XII. (Read the shorter executive...