Websites are susceptible to infection. Malicious hackers may use exploit kits or other techniques to infect websites. The infection may occur by changing a web server's configuration files or content. Some infections manifest themselves to users by redirecting the users to malicious websites. A redirection may be in the form of an HTTP response status code “302 Found” with the URL to which the user should be redirected.
For example, a user may attempt to navigate to a website such as http://www.acme-insecurity.com. In some cases, the infected website might redirect the user to an obviously malicious website such as http://www.malware-makers.com. The malicious website may display unwanted advertising, pornography, violence, or otherwise offensive content. The malicious website may attempt to transfer a virus or other malware to a redirected user. Additionally, repeated redirections may eventually degrade a machine's hygiene, as measured by its rate or history of infections.
In other cases, the infected website might redirect the user to a more subtle malicious website such as http://www.acme_insecurity.com. In this example, the malicious website is located at an address that uses an underscore instead of the hyphen in the legitimate website address, which a redirected user might not notice. The malicious website may attempt to mimic the legitimate website to trick a redirected user into revealing sensitive or otherwise private information through a phishing or other social engineering attack. For example, the malicious website might attempt to steal a user's password by mimicking or spoofing the legitimate website so that a redirected user may attempt to log in before realizing that the malicious website is fake.
Increasingly, websites are infected in such a way that users will be redirected only when certain conditions are satisfied. In some cases, an infected website may contain malicious code that redirects users to a malicious website only if the users arrived at the infected website by way of a particular search engine or social networking website. For example, if a user navigates to http://www.search-engine.com, searches for “Acme Insecurity,” and clicks a link in the search results for http://www.acme-insecurity.com, then the malicious code will detect that the referring website was Search-Engine.com. This referrer may satisfy the condition in the malicious code that triggers a redirect to the malicious website. In contrast, if the user navigates to http://www.acme-insecurity.com directly, then it may not satisfy any of the conditions to trigger a redirect. This user may continue browsing http://www.acme-insecurity.com as if the legitimate website was not infected at all.
Conventional website infection detection techniques may fail to take conditional redirection into account, making it difficult or even impossible for conventional techniques to reproduce, verify, or collect information about a website infection. Additionally, conventional techniques may be more likely to produce false positives because they fail to determine when a redirect is intentional on the part of the legitimate website rather than a result of an infection.
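A detection probe that accounts for the referrer-triggered conditional redirect described in the two preceding paragraphs, and that does not flag redirects the site issues unconditionally, added here as an example (it is not code from the original document). The search-engine referrer value, the Response type and the two fake servers are constructed stand-ins so the probe runs offline.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical search-engine referrer used as the probe value (not a real site).
SEARCH_REFERRERS = ["https://www.search-engine.com/"]
REDIRECT_CODES = {301, 302, 303, 307, 308}

@dataclass
class Response:
    """Minimal HTTP response: status code plus Location header, if any."""
    status: int
    location: Optional[str] = None

# fetch(url, referer) -> Response; injected so the probe runs offline here and a real HTTP client can be plugged in later.
Fetcher = Callable[[str, Optional[str]], Response]

def redirect_target(resp: Response) -> Optional[str]:
    """Destination of a redirect response, or None if it is not a redirect."""
    return resp.location if resp.status in REDIRECT_CODES else None

def same_site(url: str, target: str) -> bool:
    """True when both URLs share a host (e.g. a plain http->https redirect)."""
    return urlparse(url).netloc.lower() == urlparse(target).netloc.lower()

def probe_conditional_redirect(url: str, fetch: Fetcher,
                               referers: List[str] = SEARCH_REFERRERS) -> List[Tuple[str, str]]:
    """Fetch url without a Referer (baseline), then once per candidate referrer.
    Report (referer, destination) for redirects that appear only with a referrer
    and leave the site; a redirect also present in the baseline is intentional.
    """
    baseline = redirect_target(fetch(url, None))
    findings = []
    for ref in referers:
        target = redirect_target(fetch(url, ref))
        if target and target != baseline and not same_site(url, target):
            findings.append((ref, target))
    return findings

# Constructed stand-ins for web servers (no network). The "infected" one sends
# search-engine visitors to a look-alike domain and serves everyone else normally.
def fake_infected_server(url: str, referer: Optional[str]) -> Response:
    if referer and "search-engine.com" in referer:
        return Response(302, "http://www.acme_insecurity.com/")
    return Response(200)

def fake_clean_server(url: str, referer: Optional[str]) -> Response:
    # Unconditional same-site http->https redirect: legitimate, not an infection.
    return Response(301, "https://www.acme-insecurity.com/")
```

Against the infected stand-in the probe reports the look-alike destination for the search-engine referrer only; against the clean stand-in the same-site redirect is present in the baseline and nothing is reported.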
In view of the foregoing, it may be understood that there may be significant problems and shortcomings associated with current website infection detection technologies.