Know Your Enemy: Malicious Web Servers Study

Researchers from New Zealand’s Honeynet Alliance report that anyone is at risk on the internet. Increasingly, attackers are part of organized crime and intent on defrauding their victims.

The attackers’ goal: deploy malware on a victim’s machine and start collecting sensitive data, such as online account credentials and credit card numbers. Since attackers tend to take the path of least resistance, and many traditional attack paths are barred by a basic set of security measures such as firewalls or anti-virus engines, the “black hats” are turning to easier, unprotected attack paths to place their malware onto the end user’s machine. They are turning to client-side attacks.

While most of us already knew this, the number of things that can go wrong for users out on the internet is growing. The researchers also found that some browsers are more targeted than others, and that several defensive methods can reduce users' risk of client-based Web infection.

All URL categories the organization reviewed in the new "Know Your Enemy: Malicious Web Servers" report -- including news, adult, music, Warez, defaced URLs, spam, and links with misspelled names -- contained some malicious URLs. Some sites are obviously still riskier than others, of course -- links on adult sites and in spam messages, for instance, are at the top of the danger list.

The researchers found users may become infected not only by following a link, but also by typing a link manually, missing a letter, and being snagged by typo-squatter URLs. Users are also reaching malware-infected links served up by search engines.

The group used a client honeypot developed by the Victoria University of Wellington and the New Zealand Honeynet Project to identify malicious Web servers on the Internet. The "high-interaction" honeypot contacted infected Web servers containing malware. Malware can take over a user’s computer without the user's knowledge or interaction. The researchers studied more than 300,000 URLs from approximately 150,000 hosts.

Financial institutions may also want to look into using the Capture-HPC tool, which the Honeypot organization has also released publicly. This tool detects and records things like file system modifications and registry modifications.

The report examines the different kinds of client-side attacks and evaluates methods to defend against such attacks on web browsers. It gives an overview of client-side attacks and introduces the honeypot technology that allows security researchers to detect and examine them. It also lists a number of cases where malicious web servers on the Internet were identified with the researchers’ client honeypot technology, after which the researchers evaluated different defense methods. One valuable part of the report is a set of recommendations that one can implement to make web browsing safer.

To read the entire report: Know Your Enemy: Malicious Web Servers.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
