Oct 1

Infected Websites are Still a Problem for the Unprotected

By the ZoneAlarm Team

Perhaps you have heard about malware being injected into mainstream sites. Computerworld blogger Darlene Storm recently wrote about attacks that targeted the popular Web host Media Temple (really popular – ranked 20 in the US).

Storm reported that Media Temple “provides web hosting for ABC, Adobe, NBC, Starbucks, Sony, Time, Toyota, Volkswagen and approximately 350,000 other domains internationally.” Media Temple has been working hard on these issues and they have been advising Website owners to prevent attacks by taking measures like updating software, fixing file permissions, and removing vulnerable plugins.

Because the Web browser security within ZoneAlarm products warns visitors about potentially dangerous sites long before Google marks the sites, Storm interviewed ZoneAlarm’s John Gable, director of product marketing. Here’s what they talked about…

How does ZoneAlarm determine if a site you land on is suspicious?

· We use a combination of technologies to evaluate the safety of a site so that we identify danger long before other systems.

· We start with a signature list from Netcraft of known dangerous sites.

· Then, to identify more suspicious sites, our specialized heuristics look at several different things, including:

o    The source of the site – where it is physically located.

o    How long the site has been active.

o    How the site is signed or registered; whether it has an SSL certificate signed by a trusted authority, and the strength of that certificate.

o    How the site is formatted – for example, does it share some visual characteristics with a legitimate site (like a bank's logo)?

· Depending on what we discover, we may block the site if we believe it is dangerous or just show a yellow alert if we think it is suspicious.
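
The staged evaluation described above (signature list first, then heuristics, then a block or a yellow alert), sketched as an added example that is not ZoneAlarm's code. Every threshold, weight, country code, brand and host name in it is an assumption constructed for illustration; the article does not publish the real values.

```python
from dataclasses import dataclass, field

# Assumed values for illustration only (not from the article).
BLOCK_SCORE, WARN_SCORE = 5, 2
HIGH_RISK_COUNTRIES = {"XX"}                             # placeholder country code
BRAND_DOMAINS = {"examplebank": "examplebank.example"}   # constructed brand list

@dataclass
class SiteFacts:
    host: str
    country: str          # where the site is physically hosted
    age_days: int         # how long the site has been active
    cert_trusted: bool    # certificate chains to a trusted authority
    cert_key_bits: int    # strength of the certificate key
    logos: list = field(default_factory=list)  # brands recognised in page imagery

def evaluate(site, blocklist):
    """Return (verdict, reasons); verdict is 'block', 'warn' or 'allow'."""
    # Stage 1: signature list of known dangerous sites.
    if site.host in blocklist:
        return "block", ["on signature list"]

    # Stage 2: heuristics, each contributing to a risk score.
    score, reasons = 0, []

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    if site.country in HIGH_RISK_COUNTRIES:
        hit(1, "hosting location")
    if site.age_days < 30:
        hit(2, "site active for less than 30 days")
    if not site.cert_trusted:
        hit(2, "certificate not signed by a trusted authority")
    elif site.cert_key_bits < 2048:
        hit(1, "weak certificate key")
    for brand in site.logos:
        owner = BRAND_DOMAINS.get(brand)
        # Brand imagery served from a domain the brand does not own.
        if owner and not (site.host == owner or site.host.endswith("." + owner)):
            hit(3, f"shows {brand} branding on an unrelated domain")

    # Stage 3: block if dangerous, yellow alert ('warn') if merely suspicious.
    if score >= BLOCK_SCORE:
        return "block", reasons
    return ("warn" if score >= WARN_SCORE else "allow"), reasons
```

A brand-new site with an untrusted certificate that displays a bank's logo accumulates enough score to be blocked even though it is on no signature list, which is the case the heuristics exist to cover.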


Are there trends in suspicious or malicious sites?

As John Gable said, “Malicious sites are using lots of different attack vectors at the same time – a ‘blended threat.’ Not only do they continue to create new dangerous sites all the time (hoping to pass defenses and signature lists by pure quantity and speed), but they combine or blend attacks. For example, you will often find a phishing site (that pretends to be a legit site that asks for a password) that also includes a drive-by-download (which exploits a vulnerability in your browser or plug-in to silently download viruses, spyware, etc. direct to your PC).”

Another way that ZoneAlarm Extreme Security and ZoneAlarm ForceField can provide early protection against compromised Websites is through our virtualization technology that automatically catches and neutralizes unauthorized downloads and browser installations. Because it doesn’t rely on signatures, this feature can catch new attacks that are unknown to antivirus programs. 

You can read more about the Media Temple attacks in Storm’s article and a bit more about browser security here.
