Even seemingly safe web addresses can be full of attack code aiming at vulnerable clients, according to a new study from the The Honeynet Project & Research Alliance(http://www.honeynet.org/). The findings also include that finds that methods such as blacklists can be surprisingly successful in stopping client-side attacks.

“The ‘black hats’ are turning to easier, unprotected attack paths to place their malware onto the end-user’s machine,” they said in the study, called “Know Your Enemy: Malicious Web Servers.”

Users can be led to malicious sites via links, typing in an address manually, mistyping an address or following search-engine results.

Using a “high-interaction” client honeypot called Capture-HPC developed by the Victoria University of Wellington, the researchers analyzed more than 300,000 addresses from around 150,000 hosts.

Analyzed were various site categories, including adult, music, news, “warez,” defaced, spam and addresses designed to grab traffic from users who mistype common web addresses. While some categories were more likely to contain malicious addresses than others, they could be found everywhere:

“As in real life, some ‘neighborhoods’ are more risky than others, but even users that stay clear of these areas can be victimized,” the report said. “Any user accessing the web is at risk.”

While the findings are not really surprising – the existence of this kind of attack is long known – the study also analyzed the effectiveness of safeguards against such infections in some detail, showing that blacklists, if regularly updated, can be a surprisingly effective way of blocking malicious addresses.

While the study also recommends regular patching, but this may not always be straightforward, since the a prevalence of attacks against plug-ins and non-browser applications becomes obvious: “Attacks also target applications that one might have not think about patching, such as Winzip”.

Another technique that can block attacks would be to use a less popular browser, such as Opera: “Despite the existence of vulnerabilities, this browser didn’t seem to be a target”.

The data used for the study as well as the paper can be found here: http://www.honeynet.org/papers/mws/