About 1,000 of the most popular 200,000 websites are U.S. sites actively serving up malware to unsuspecting visitors, according to a study by Web application security company Armorize Technologies Inc. And while the bulk of those malware-rigged websites are porn, gambling and music downloading sites, 15% are legitimate enterprise sites, including 7% that provide financial services.
Armorize aims to help financial firms and other organizations prevent drive-by downloads with its
Criminals use a variety of methods to inject malware into websites, including SQL injection and cross-site scripting, but the attacks are getting more sophisticated and harder to detect, said Caleb Sima, Armorize CEO and founder of SPI Dynamics, which was acquired by Hewlett-Packard Co. in 2007. For example, the malware will only execute on certain browser versions and in certain regions, he said. Legitimate websites can end up getting blacklisted by Google.
Armorize's website malware scanning service uses behavioral analysis to detect malicious code, which enables it to catch zero-day threats, Sima said. When customers receive an alert, they can either fix the problem on their own or use Armorize's host-based Web application firewall.
"It's about incident response," Sima said. "If I'm hacked and the person who tells me that is a customer or the press, that's the worst incident response."
Armorize's customers include Bank of India, which was hacked in 2007 and injected with malware that infected vulnerable PCs. Researchers at Sunbelt Software Inc. discovered that the bank's website was infected with a malicious IFrame that pushed out 22 pieces of malware.
Dan Blum, senior vice president and principal analyst at Burton Group (acquired by Gartner Inc. earlier this year), said he hasn't talked with HackAlert customers in order to evaluate how it scales to large sites, but is enthusiastic about the service.
"It's great to have another piece of the security ecosystem notifying websites of the problem as opposed to notifying enterprises that they need to block those sites," he said.
There's a need for both types of services, but notifying website owners of malware on their sites will clean up the problem, he added.
Other companies offering similar website malware scanning services include Palo Alto, Calif.-based Dasient Inc. and Redwood Shores, Calif.-based Qualys Inc. Last week, Dasient announced a tool to help publishers and advertising networks tackle the problem of malicious online ads, or "malvertising."
According to Dasient, approximately 1.3 million malicious ads are viewed every day. Forty-one percent of malicious ads are from fake antivirus pop-up ads while 59% are from drive-by downloads, the company said.
Armorize, which also sells an automated static source code analysis tool, said HackAlert 3.0 will be available June 1. Pricing is based on the number of URLs monitored and scanning frequency.