Pornography and malware

Discussion in 'other security issues & news' started by dcdc, Jan 31, 2006.

Thread Status:
Not open for further replies.
  1. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    Conventional wisdom says that adult/porn sites are more likely to contain malware of various kinds than other sites, so much so that from what I have heard antimalware testers will run through a list of known bad sites to see what malware gets picked up and what gets blocked by the applications under test.

    Evidently there must be some truth to this conventional wisdom. My optician was telling me that his nephew came to visit for a couple of weeks and would stay up at night playing computer games. After he left his uncle noticed that the computer was running dead slow, and had to take it to a repair facility. It turns out this loser had been visiting child pornography sites in Germany and had picked up an extraordinary amount of malware. Apparently the computer had little in the way of security installed.

    This does raise the question in my mind of why such sites should have this problem. Clearly it is not in their best interests from a business perspective to install malware on their own, or to fail to make a reasonable effort to keep their sites malware free. I could envision a righteous person perhaps trying to bring the site down by attempting to install malware on these sites, but that seems unlikely. The obvious alternative is nut cases, but why target adult sites if you are trying to spread your malware? Surely the traffic on them does not begin to match that of many more reputable sites, but maybe the latter have better protection against malware.

    Any thoughts?
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I think it's because people are less likely to report them to authorities. A lot of malware seems to come from very sleazy sites, and people don't want to share the information that they were browsing sleazy sites in the first place. The "porn" is just an excuse, though, and many of these sites probably don't even contain a lot of porn material apart from the first page: the real intention of these sites is to spread their malware.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You might like to read up at http://www.webhelper4u.com/ - Webhelper does a lot of tracking on the transponder gang, the CoolWebSearch guys especially. The CoolWebSearch guys actually own a lot of the porn sites. I imagine the rest is done through advertising. I haven't done a whole lot of looking into it yet, but it seems to me that the porn sites get paid to show these advertisements, which unload all sorts of adware and spyware. CWS itself spreads some pretty nasty stuff, and they are responsible for a lot of the infections out there, and are affiliated with the others that spread the most as well.

    When it comes to this stuff, it's all about money.
     
  4. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    That's an interesting observation, that the site is just a front that masks the sole true intent of malware distribution.

    It sure does seem like a lot of work though, to set up, and pay for, a site just to spread your worms and viruses. I wonder if these sites can pull in enough money from popups or site subscribers to make them at least break even, or whether the instigators just don't care. There are a lot of strange people out there, and the downside of the internet is that it allows them to safely and easily reach out and annoy people with their nonsense.
     
  5. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    Thanks Notok for that interesting link and comments.
     
  6. houseisland

    houseisland Registered Member

    Joined:
    Jan 12, 2006
    Posts:
    107
    If when you are fixing an infected system you examine the time and date stamps on files associated with the malware infection and then do a search of IE's cache, you will often find "interesting" things that roughly match the date/time stamps for the malware: files from porn sites (particularly off-the-mainstream-track porn); files from hacker sites; files from low-profile sleazoid gambling sites; etc.

    :eek:
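
The timestamp comparison houseisland describes, as an added example that is not part of the original post: it lists browser-cache files whose modification time falls within a window of a suspect file's. The file names, the cache layout, the 10-minute window and the timestamps are constructed for illustration; modification times can be altered, so matches are leads rather than proof.

```python
import os
import tempfile
from pathlib import Path

def file_times(root):
    """Yield (path, mtime) for every regular file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                yield p, p.stat().st_mtime
            except OSError:
                continue  # locked or vanished file: skip it and keep going

def correlate(suspect_files, cache_dir, window_s=600):
    """Return (suspect, cache_file, delta_s) for cache files written within
    window_s seconds of a suspect file; negative delta = cached before it."""
    cache = sorted(file_times(cache_dir), key=lambda t: t[1])
    hits = []
    for suspect in map(Path, suspect_files):
        t0 = suspect.stat().st_mtime
        for path, t in cache:
            if abs(t - t0) <= window_s:
                hits.append((suspect.name, path.name, round(t - t0)))
    # Closest-in-time cache entries first for each suspect file
    return sorted(hits, key=lambda h: (h[0], abs(h[2])))

def demo():
    """Constructed sample: a fake cache and one fake dropped file in a temp dir."""
    base = 1138700000  # arbitrary epoch second (constructed)
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "cache" / "AB12CD34"
        cache.mkdir(parents=True)
        samples = {"banner[1].htm": -90, "install[1].cab": -20, "news[1].htm": -86400}
        for name, offset in samples.items():
            f = cache / name
            f.write_text("constructed")
            os.utime(f, (base + offset, base + offset))
        dropped = Path(tmp) / "dropped.dll"
        dropped.write_text("constructed")
        os.utime(dropped, (base, base))
        return correlate([dropped], Path(tmp) / "cache")

if __name__ == "__main__":
    for suspect, cached, delta in demo():
        print(f"{suspect}: {cached} ({delta:+d}s)")
```

Run it against a copy or read-only image of the disk, since browsing the live system rewrites cache timestamps.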
     
  7. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    I've been fortunate to have had very little in the way of malware installed, a combination of a lot of AS running and cautious surfing. Every once in a while Norton will pop up with some threat it blocked automatically, but other than false positives from a scan, that's about it.

    I routinely clean out my system with Window Washer at least once a day, and the IE cache goes with it, so I would probably not have that data around when I did find an infection. I have never looked at the time and date stamp on a file, and don't know how to locate it, so I wouldn't know how to do the exact comparison anyway.

    Isn't there some similar technique for tracking web traffic, even would-be anonymous traffic, by checking time signatures or something?

    I have wondered why no AS application has been developed that will tell you the likely source of an infection, as you mentioned. Such-and-such an application (or applications) were running when the malware installed. I wouldn't think it would be that hard to implement, but what do I know?
     
  8. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    I think the "mainstream" angle is important, too. From watching my son (he's an adult, by the way), I get the impression that the biggest such sites that wanna stay around are very conscientious about keeping their sites malware-clean.

    On one occasion we were more than a little surprised to see SpywareGuard's homepage-changed warning pop up, and of course kept the original homepage setting. Afterwards we agreed that there was almost certainly no malware involved; he'd probably accidentally hit the hot-key combo (or maybe clicked the link) for "Make this home page" without realizing it.
     