Malicious Web Apps: How to Spot Them, How to Beat Them

These days, a Web app can be malware. Here's what you need to know about this emerging threat, and what to watch for.

Web apps are great. They're available for use virtually anywhere, anytime, from practically any device that has a Web browser. Web apps are also easy to update and maintain: The developer tweaks the app on the Web server, and everyone who uses it has access to the latest version.

But Web apps can contain more than you bargained for, and in some instances they may actually be malicious. You need to be aware of the risks that Web apps can pose, and know how to protect yourself.

How Can a Web App Be Dangerous?

A Web app is essentially a full-fledged application that runs within your Web browser. Just as easily as a Web app can track your reminders or play a game, it can infect your PC.

Cameron Camp, a security researcher at ESET, says that Web apps rely on popular Web development technologies such as Java or ActiveX, which malware writers have used to deAAliver malicious exploits. Adobe Flash is another common Web app platform that malware writers frequently target.

Tim Keanini, CTO of nCircle, says cyberattackers are talented, creative developers who are motivated to find innovative ways to part you from your money or information.

Typically, a malicious Web app is a form of Trojan horse: The app claims to be something else--and it may in fact run some legitimate utility or application--but once you click it, it runs malicious code in the background that may compromise your system or secretly download other malicious payloads from the Internet.

Speaking of Web apps, Camp warns, "While they allow increased functionality within the browser, users should be aware of how deeply into your system they may be able to reach."

Some malware attacks try to entice you to click a link in an email message, which then connects to a malicious Web app that infects your PC with malware. Other tainted apps lurk on the Web, waiting for victims to wander by. In some instances, attackers have exploited vulnerabilities on a website or have employed poisoned ads to get malware-bearing Web app content uploaded to an otherwise legitimate and trusted site.

Fred Pinkett, vice president of product management at Security Innovation, says that users should approach obscure or unknown websites with cautious skepticism. He explains, "Generally, the more well known, the more likely it's okay, but this does not always hold true. Look out for common tricks like IP addresses, misspellings of common sites, [and] funny-looking URLs with [special characters] in them, although this is not always malicious."

Don't assume that you're safe if you avoid Microsoft Windows. Web apps do frequently target specific vulnerabilities, and Windows is often a primary focus, but Web apps--both benign and malicious--are fundamentally platform-agnostic.

Defending Against Web App Attacks

Keanini of nCircle says that the best protection from malicious Web apps is also one of the most difficult safeguards to implement: educated users who are mindful of online security.

Rule number one is simple: If you have any doubt, don't click. This single rule would help people avoid most Web app malware, but it seems to be hard to drill into users' heads.

Given that an ill-advised click is almost inevitable, your next line of defense is to keep your security software up-to-date: Most such software can spot malicious behavior and can block many unknown threats as well, but the strongest protection comes from having updated security software that can identify current threats.

Malicious Web apps exploit vulnerabilities in your operating system or third-party applications to compromise your PC. You should enable Automatic Updates for Windows and other software that provides automatic upAAdating. Apply new updates as soon as they become available, in case exploit code is already circulating in the wild by the time the vendor develops a patch.

As Web-based attacks have evolved, browser makers have added security features to protect your system. Most current browsers have features to help identify the true root domain of a given website (so you don't get taken in by a phishing scam), and have controls in place to block malicious Web code. If you are using an outdated browser, though, it will protect you only against outdated threats, leaving you virtually defenseless against the latest malware.

Malice Aforethought

A malicious Web app may be able to acAAcess information across tabs from within the same browser session. So if you open a tab to a secure site--typically indicated by the "https" at the beginning of the URL--don't open additional tabs to lower-security (non-https) sites within the same browser window.

You should also treat browser plug-ins and add-ons with caution. Plug-ins and add-ons are great for expanding the capabilities of your browser and for making certain tasks more convenient, but they may also contain poorly written code with weak spots that Web-based malware can exploit. Choose your plug-ins and add-ons carefully--and only from organizations you trust.

People today connect to the Web from a more diverse array of devices than ever before. Web apps are more convenient and universal than locally installed software, but they come with some risks as well. Make sure you understand the nature of the threats, and take steps to recognize and defend against harmful Web apps so that you can productively enjoy the vast majority that aren't malicious.

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline