This is a question that many people have in mind. Especially since virus and malware infections are on the rise. And because the majority of internet users go online to access all kinds of websites. But along with this question come many others, all of which are interconnected.
What kind of websites contain viruses?
Do you have to do anything, in particular, to get infected?
How about if you have some kind of antivirus protection?
How do we know about these questions? From our extensive research and dialogue with our readers, which makes us aware of the serious misconceptions about this topic. The wrong answers can cause you a lot of trouble. So, to avoid that, we have to insist on each detail that makes a difference.
People wonder if you can get viruses or malware just by visiting a website. And they risk walking away with inaccurate information. This type of information will give them a false sense of security, something we are fighting against.
Which are those common misconceptions, you wonder?
Here they are:
- You can only get viruses from malicious websites.
- If you access a malicious website, as long as you don’t download anything, you’re OK.
- Even if you download something, on purpose or unknowingly, if you don’t open it, you’re OK.
- Should the malicious website try to automatically download something on your device, your antivirus software should flag and block the action.
A website doesn’t have to be malicious to pose dangers to a user. Sure, there are many malicious websites out there, specifically built to cause harm. Yet those are not the only threat.
There are also legit websites that may contain pieces of malicious content. Websites that have been hacked and that contain hidden malicious code. The code was inserted by hackers, without the knowledge of the persons who operate the website in good faith.
Sometimes it’s a script, other times it’s an ad, and the list can go on and on.
For some reason, people believe that even when visiting such a website, you don’t have to get infected. It’s like if you don’t touch it you can’t get it.
The problem is, however, that you can get it without touching it… Think of the human viruses that spread from one host to another. In a similar way, computer viruses can spread without any specific action on your part.
Allow us to detail the misconceptions from above and you’ll see what we mean.
The reason why you can’t rely on your antivirus for any kind of threat
If you think about it, most standard antiviruses first scan the files you’re accessing. Then, they match them against a database of virus signatures. When you access a website, you download the information contained in it. This means that the AV cannot decide on that information’s nature: malicious or harmless.
So, unless it is a piece of code that has already been flagged as malicious and is now included in the AV’s signature database, chances are the antivirus software will not be able to protect you from an exploit attack.
But that’s not all!
Hackers have ways to keep spreading even the viruses that are already in the common AV databases. They use a so-called packer that encrypts the malware. And by changing its appearance, they make it undetectable to an antivirus that relies solely on signatures.
AV developers found a couple of solutions for these packers. They have implemented behavioral analysis, sandboxes or rollbacks. In other words, the antivirus will no longer look at the file’s signature only. It will try to emulate and interpret its behavior to see what it might do if released on your system.
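The gap between signature matching and behavior-based checks, as an added example that is not from the original article. The sample bytes are a harmless constructed marker, the single-byte XOR "packer" and the `PK1` header are assumptions made up for the illustration, and the emulation step is a toy model of what a real sandbox does.

```python
import hashlib

# Constructed, harmless stand-in for a known-bad file; not real malware.
KNOWN_SAMPLE = b"HEADER" + b"DEMO-MALICIOUS-MARKER-0001" + b"TRAILER"

# Toy signature database: one whole-file hash and one byte pattern.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
PATTERN_SIGNATURES = [b"DEMO-MALICIOUS-MARKER-0001"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Stand-in for a packer's encoding layer (single-byte XOR)."""
    return bytes(b ^ key for b in data)


def pack(data: bytes, key: int) -> bytes:
    """Hypothetical packed format: b'PK1', the key byte, the encoded body."""
    return b"PK1" + bytes([key]) + xor_bytes(data, key)


def signature_scan(blob: bytes) -> bool:
    """Static check only: whole-file hash first, then byte patterns."""
    if hashlib.sha256(blob).hexdigest() in HASH_SIGNATURES:
        return True
    return any(pattern in blob for pattern in PATTERN_SIGNATURES)


def emulate_unpack(blob: bytes) -> bytes:
    """Toy emulation: undo the packing layer as the file's loader would."""
    if blob[:3] == b"PK1" and len(blob) > 4:
        return xor_bytes(blob[4:], blob[3])
    return blob


def layered_scan(blob: bytes) -> bool:
    """Scan the file as stored, then scan what it becomes once unpacked."""
    return signature_scan(blob) or signature_scan(emulate_unpack(blob))


if __name__ == "__main__":
    packed = pack(KNOWN_SAMPLE, 0x5A)
    print("original, signatures only:", signature_scan(KNOWN_SAMPLE))
    print("packed, signatures only:  ", signature_scan(packed))
    print("packed, with emulation:   ", layered_scan(packed))
```

Every new key gives the same content a different hash and different bytes on disk, which is why the signature-only check misses it while the scan of the unpacked content still matches.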
How can something download on your device without you noticing it?
At this point, you have realized that no antivirus offers 100% protection. But now you may begin to question whether something can really download without you noticing it.
People say: “Wait, shouldn’t I see if something is being downloaded on my device?”.
We’ve already suggested that you can get viruses or malware just by visiting a website. Even if you don’t download something yourself. That’s because certain malicious files can automatically download on your device.
When that happens, it’s not the classical download of an attachment from the email app or a file from the internet browser.
The attacker won’t even use your internet browser’s downloader to drop the malicious file. They are trying to keep it all under the radar. So the download path is different than the norm and it usually relies on exploits.
Even if it weren’t an exploit attack, most malware files are very small. When you download something as small as a few kilobytes, it’s hard to tell. Especially if you have a download speed around 0.5 Mb per second, it will end up on your device super fast. So, there would be no time for a download progress bar to show up on the screen.
But again, usually, getting viruses from compromised websites happens via exploit kits. It will be a malware exploit file, a very small one, which doesn’t take the normal download path.
Most importantly, that file is programmed to download itself AND to run itself automatically, right after it finishes the download. So the myth that if you don’t manually launch a malicious file you’re safe… It’s busted. Some malicious files launch automatically…
Exploit kits – the tools that can turn your world upside down
Exploit kits make it possible for your device to get a virus when simply accessing a website. Many of the dangerous malware families that have scared the world are delivered via exploit kits (EKs) to devices all over the world.
From cryptoware to banking trojans, a lot can travel with such a kit. To make it worse, standard antivirus protection is useless against this threat. Why? For the reasons that we detailed above.
Now, these exploits, also referred to as drive-bys, can target the vulnerabilities of:
- the internet browser itself
- application software or web service such as Adobe Reader
- a plugin such as Flash, Java, or Silverlight
- a media player software etc.
Exploit kits are malicious toolkits. They are hosted on rogue servers. And users are redirected to them when accessing a compromised website.
You will be clueless about what is going on. You just can’t tell that you’re not on the server where the website you were trying to reach is hosted. Once your device starts communicating with the rogue server, the exploit kit will begin gathering information on you as a user.
Depending on what it finds, it decides what type of exploit will work better on your device. Then, it starts delivering it. If you don’t have the right kind of protection, the exploit will succeed. This means that the malicious software will be downloaded and executed on your device without you even knowing it.
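A hidden script, ad or redirect of the kind described above still has to appear in the page the compromised site serves, so a site operator can audit for it. The following is an added example, not code from the original article: the approved host list, the sample page and all host names in it are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site's operator has approved for scripts and frames.
APPROVED_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed sample page: one approved script, one injected hidden iframe,
# and one script loaded from a host nobody approved.
SAMPLE_PAGE = """
<html><body>
<script src="https://cdn.example.com/app.js"></script>
<iframe src="https://gate.rogue.example.net/landing" width="0" height="0"
        style="display: none"></iframe>
<script src="//ads.unknown.example.org/tag.js"></script>
<p>Welcome</p>
</body></html>
"""


class ResourceAudit(HTMLParser):
    """Collects script/iframe sources that point outside the approved hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (tag, host, looks_hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attr = {name: (value or "") for name, value in attrs}
        host = urlparse(attr.get("src", "")).hostname
        if host is None or host in APPROVED_HOSTS:
            return  # inline or relative (same site), or explicitly approved
        style = attr.get("style", "").replace(" ", "").lower()
        hidden = (attr.get("width") == "0" or attr.get("height") == "0"
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append((tag, host, hidden))


def audit(html: str):
    """Return every off-list script or iframe found in the given HTML."""
    parser = ResourceAudit()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for tag, host, hidden in audit(SAMPLE_PAGE):
        print(f"{tag:6} {host:28} hidden={hidden}")
```

This check only covers elements with a `src` attribute; code injected as an inline script body needs a separate comparison of the served page against a known-good copy.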
Dedicated anti-exploit applications have been developed. These are specifically designed to stop the malware unleashed by such exploit kits. The problem, however, is that running an anti-exploit app along with an antivirus or antimalware is not good. All kinds of conflicts may appear between the two of them. So, you’d have to make up your mind and use one at a time.
How can you protect yourself from getting viruses or malware by visiting a website?
Judging by the information reviewed so far, antivirus software is not an effective solution because it relies on its database. Not that this kind of evaluation isn’t effective… But it simply cannot cover all the threats. Only the ones that are already known and in the AV software’s database.
The best way to keep exploits at a distance? Rely on security options that work with user permissions. Such options would only allow actions that the user allows in the first place. Whatever kind of action it detects on your device that hasn’t been allowed will be automatically forbidden. This is the way to prevent malicious code from automatically downloading and executing on your device.
The daunting task of choosing the best software to protect your device left aside, you’re still looking at a couple of other protection measures:
- Regardless of what software you use, keep it up to date. Not just the antivirus software, the antimalware tool or the anti-exploit app you rely on. But also your internet browser, your operating system, the plugins you work with. Exploit kits take advantage of vulnerabilities and updates patch vulnerabilities. The fewer vulnerabilities you have, the better protected you are, so, don’t miss out on any updates.
- Because plugins are a known vulnerability, ideally, you should stop using them. If you can’t, you should at least set them as Click-to-Play or Ask-to-Activate. That way, if an exploit tries to tamper with one of your plugins, the action won’t go unnoticed because the plugin cannot work unnoticed.
- Since you know that ads can be an entrance point for malware, try to run an adblocker. Just keep in mind that this is limited protection. If you end up on a website with exploits built into the actual web page, not just into the advertising code, an adblocker won’t help.
- Since you know that scripts can run automatically and load malicious content, also try to run a script blocker. It will protect you from on-page exploits and it can also protect you from advertising-included exploits. The latter, however, isn’t a strong enough reason for you not to run an ad blocker separately.
- Consider playing around with whitelisting software. This type of software will prevent executable files from running, as long as you haven’t previously approved them. That way, if malicious code is downloaded automatically, it will still be prevented from running because you haven’t whitelisted it before.
Acting with caution is, as always, of the essence. Keep in mind that mainstream websites are more and more likely to spread malware. Hackers know that it’s easier to reach their victims on legit websites, so they focus on exploiting those websites’ vulnerabilities rather than waiting for victims to land on a shady website.
What we’re trying to say is that the chances of you encountering malware when surfing the web are growing. Instead of trying to minimize those, try to increase your chances of staying protected. Knowing that you can get viruses and malware just by visiting a website should certainly help you revise your online behavior and stay better protected!