The problem of drive-by downloads from seemingly safe websites is worse than previously thought, according to Google, which counted hundreds of thousands of such malicious sites in a recent study.
In addition, the malware spread by such sites appears to be creating botnet-like structures, placing compromised user machines under the control of remote attackers, Google said.
The report, "The Ghost In The Browser: Analysis of Web-based Malware" (PDF), was written by Google researchers Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu.
"Computer users have become the target of an underground economy that infects hosts with malware or adware for financial gain," said Provos in the report. "Even a single visit to an infected website enables the attacker to detect vulnerabilities in the user’s applications and force the download a multitude of malware binaries."
This situation is a direct result of Web 2.0, Google found. The typical web portal now uses many complex applications on top of the simple web browser, allowing user feedback for instance, but since those applications are often not kept up to date, it is a cinch for hackers to compromise them.
The most common compromise methods were web server security, user-contributed content, advertising ant third-party widgets.
Some previous studies, including 2005 report from the University of Washington, have found that several thousand websites carry malicious downloads such as spyware or adware.
But Google's study found a higher proportion of malicious sites: around 450,000 sites that were successfully launching drive-by-downloads of malware binaries, and another 700,000 URLs that seemed malicous but about which researchers had lower confidence.
The figures were based on an initial analysis of several billion sites already crawled by Google, followed by a more in-depth analysis of about 4.5 million URLs, Google said.
Trojans were the most frequenty installed type of malware, with more than 300,000 URLs.
The malicious code puts users' systems under remote control, Google said.
"Frequently, this malware allows the adversary to gain full control of the compromised systems leading to the ex-filtration of sensitive information or installation of utilities that facilitate remote control of the host," Provos wrote. "We believe that such behavior is similar to our traditional understanding of botnets."
The main difference is that web-based malware infections are pull-based and as a result the command feedback loop is looser, he said.
On the other hand, "the population of potential victims is much larger as web proxies and NAT-devices pose no barrier to infection", Provos wrote. "Tracking and infiltrating botnets created by web-based malware is also made more difficult due to the size and complexity of the web."
Hackers use scripting languages to determine which vulnerabilities are present on a visitor's computer and use the information to request appropriate exploits from a central server, Google said.
Malware binaries also change frequently, possibly to thwart detection by anti-virus programs, the study found.
Google said it marks potentially dangerous pages with a label which can allow users to avoid exposure to such sites.