The number of websites infected with malware is growing steadily. According to the Google Safe Browsing Malware List statistics, which were published in August 2009, almost 350,000 sites have been infected. (Please let me know if you know of more recent statistics.) Considering the increase that Google measured, it is quite likely that we’ve already passed the half million mark.

One point that advocates of Web applications argue is that Web apps are safer than desktop apps because they are not prone to infection from viruses and computer worms. In my view, this claim is no longer valid. The Web has become a dangerous place.

I think there are two reasons for this development. Firstly, the bad guys have found out that the Web, not Windows, is the best place to spread their malware simply because the distribution options are more powerful. Popular sites have thousands of visitors who are not aware of the risks, especially if the site owner is trustworthy.

Secondly, the growing complexity of content management systems and Web apps increases the likelihood of vulnerabilities that can be exploited by crackers, computer worms, and other vermin. The same applies to Web browsers that are supposed to replace full-blown operating systems. These new capabilities come at a price. More code always increases the risk of security holes. There is no such thing as a secure Web browser, just like there is no secure operating system.

In particular, popular content management systems are attractive to hackers because they can reach a large number of websites this way. In my view, Open Source CMS solutions are the most endangered systems because it is relatively easy for hackers to find vulnerabilities in the source code. The more complex these systems become, the more difficult it gets for the corresponding Open Source community to detect the vulnerabilities before the hackers do.

Thus, even if you always update your CMS immediately and scan your site with vulnerability scanners regularly, you can’t be certain that a vulnerability in your CMS hasn’t already been exploited to upload malware to your site. The patch to close the security hole will then come too late, because it won’t remove the malware from your site.

To find out if Google has already detected malware on your site, you can use the Webmaster Tools. You’ll find the Malware menu item in the Diagnostics section. Bing’s Webmaster Center offers a similar service under the Crawl Issues tab.

If you don’t use the Webmaster Tools, you can check your site with this URL: http://www.google.com/safebrowsing/diagnostic?site=4sysops.com. Replace 4sysops.com with the site you want to examine. You can also use the form at GrapeThinking. Yet another option is the Google Safe Browsing plug-in for Firefox. As far as I know, there is no such add-on for Internet Explorer or Chrome.

If Google or Bing has identified your site as suspicious, it is already too late. I don’t have to tell you what it means if Google displays a warning page whenever a user clicks on a link to your site or removes your site from the index. Essentially, your website will cease to exist, not to mention the consequences for the reputation of your organization.

Hence, it makes sense to check your website regularly for malware with third-party tools. In my next article, I will discuss a couple of free website malware detection tools.