Many people believe that most Internet users get infected with malware while browsing questionable sites that offer adult dating, porn, pirated software, etc. Contrary to popular belief, however, thousands of legitimate Web pages are compromised every day to serve malware to unsuspecting users. This method is called a drive by download, in which an unsuspecting user visits a site and malware is silently downloaded and installed onto the PC without any user intervention. The malware typically exploits a Web browser or operating system bug to gain access.

At McAfee Avert Labs in Bangalore we have worked on several recent incidents in which high-profile Indian Web sites have been compromised to serve malware. Pretty much every type of site has become a victim: banks, security vendors, portals, and businesses, as well as educational and government sites.

In the early days of the Web, the driving factor for hackers in compromising Web sites was fame, but today’s generation of malware authors operate as organized crime groups lured by quick money.

Internet users tend to blindly trust known sites that are widely popular. They do not suspect malicious behavior from regularly visited sites. For this reason, legitimate Web sites are increasingly being hacked by exploitable vulnerabilities in Web server software, ARP spoofing, or SQL injection techniques. Once they have access, hackers booby-trap the sites to serve malware.

In a typical attack scenario, the hacked Web pages are appended with a hidden iFrame that points to the attacker’s site. Users enter the address of a legitimate Web site (one they have visited for years) into their browser. Unknown to the users, the iFrame in the page they are viewing redirects them to the attacker’s page, which hosts a cocktail of browser and application exploits that infects their computers.