Tuesday, January 26, 2010

Q4'09 web-based malware data and trends

Ed. Note: The data in this post is drawn primarily from Dasient's proprietary malware analysis platform, which gathers data on web-based malware attacks from across the web, and in the last year has been used to help tens of thousands of site owners address their web-based malware issues.

As we reported last quarter, the way malware is being distributed is undergoing a fundamental shift, with more attackers focusing on "drive-by downloads" from legitimate sites that have been compromised, or from sites designed specifically for malicious purposes. In nearly all the variations on this kind of attack, no user action is required for the infection to occur, beyond loading the site in a browser -- and there are very few signs that malicious code has been downloaded.

There is perhaps no better illustration of this shift than the way malware was employed in the recent attack on Google and several other companies. One of the components of the attack involved spear-phishing one or more Google employees, with an aim of driving them to a site that then exploited a zero-day vulnerability in Internet Explorer 6 to download malware to those employees' computers. In previous years, such an attack would have solely made use of a malicious email attachment to compromise the target's computer; now, attackers are clearly opting to employ multiple vectors, including web-based methods.

Looking at the data for Q4'09

Based on the telemetry data we've gathered from the web, we estimate that more than 560,000 sites and approximately 5.5 million pages were infected in Q4'09, compared with more than 640,000 sites and 5.8 million pages in Q3'09. By the end of the year, we had identified more than 100,000 web-based malware infections.

Also in Q4'09, the infections on newly compromised sites of 10 pages or more spread to an average of 24 percent of those sites' pages, up from 19 percent the previous quarter. This increase helps account for the smaller drop in the number of infected pages for the quarter, relative to the drop in infected sites. In other words, we saw a more significant drop in the number of infected sites than we did in the number of infected pages because each infection tended to spread to a larger number of pages on each site.

Finally, we saw a reinfection rate of 42 percent for the quarter (compared with 39 percent in Q3'09), meaning that more than four of every 10 sites infected in the quarter were reinfected within a space of three months. And, of course, with each infection the site is likely to suffer a loss of traffic, a decline in revenue, and damage to brand equity.

While we clearly saw a slight dip in some of the key metrics in the quarter (and, more specifically, as we neared the end of the year), the macro trend still points to a steady and significant increase in this kind of activity. To cite just one indicator: The number of infected pages for the quarter, 5.5 million, is a substantial increase from data published by Microsoft in April 2009, which pegged the number of infected pages per quarter at a little more than 3 million.

Attackers getting smarter

Like most other kinds of attackers, purveyors of web-based malware have long since adopted basic social engineering techniques to maximize their chances of remaining undetected as they infect endpoints. We saw plenty of evidence confirming that trend in Q4'09: For example, the most common domains being sourced in the download of a malicious file included innocuous-looking names like "google-query.com," "netlinkenterprises.com," and "starktourism.com." Similarly, the file names most often used in drive-by downloads included things like "setup.exe," "update.exe" (which was used in the Google attack), and "install_flash_player.exe."

But we also saw some evidence that attackers are responding directly to industry efforts to curb the spread of web-based malware. One interesting example can be found in the average number of extra processes started when a drive-by download is initiated. In previous years, a drive-by download would often initiate 10 or more extra processes, ostensibly in an attempt to maximize the return from each infected endpoint. In response, the search providers and anti-virus vendors who scan the web for infected sites began using the number of extra processes initiated as a signal that the webpage might be malicious. But in Q4'09, the average number of extra processes initiated was just 2.8 -- enough for a downloader and perhaps one or two pieces of malware. Clearly, attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine in exchange for a greater likelihood of evading detection.
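As an added illustration (not Dasient's code or data), the Python below models the process-count heuristic described above over a constructed sandbox log: it shows why a threshold tuned to the old 10-process pattern misses a three-process drive-by, while a second signal, the payload file names this post lists, still flags it. The log format, the visit ids and the image names are assumptions.

```python
from collections import defaultdict

# File names the post reports as common drive-by payloads.
SUSPICIOUS_NAMES = {"setup.exe", "update.exe", "install_flash_player.exe"}

# Constructed sample log (format assumed): one "visit_id image_name" line per
# extra process a sandboxed browser spawned while rendering a page.
# v1: benign page (a plugin host).  v2: lean drive-by, three processes.
# v3: older noisy drive-by that launches eleven stages.
SAMPLE_LOG = "\n".join(
    ["v1 plugin-host.exe",
     "v2 dropper.tmp", "v2 Update.EXE", "v2 svc_helper.exe"]
    + [f"v3 stage{i}.exe" for i in range(11)]
)


def parse_log(text):
    """Group spawned image names by visit; names are lower-cased for matching."""
    visits = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        visit, image = line.split(maxsplit=1)
        visits[visit].append(image.lower())
    return dict(visits)


def triage(visits, proc_threshold=10):
    """Flag each visit by process count (the old signal) and by payload name."""
    verdicts = {}
    for visit, images in visits.items():
        count_hit = len(images) >= proc_threshold
        name_hit = any(img in SUSPICIOUS_NAMES for img in images)
        verdicts[visit] = {
            "extra_processes": len(images),
            "count_hit": count_hit,
            "name_hit": name_hit,
            "suspicious": count_hit or name_hit,
        }
    return verdicts


def mean_extra_processes(visits):
    """Average extra processes per visit (the post's Q4'09 figure was 2.8)."""
    return sum(len(v) for v in visits.values()) / len(visits)


if __name__ == "__main__":
    for visit, verdict in triage(parse_log(SAMPLE_LOG)).items():
        print(visit, verdict)
```

Lowering the threshold to catch the lean pattern (try `proc_threshold=3`) also flags the benign plugin host on ordinary pages, which is why a second, independent signal is needed.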

Structural vulnerabilities still being exploited

It stands to reason that the increasing complexity in and interoperability between websites and web applications has played a significant role in the rise of web-based malware. After all, the more dynamic and sophisticated your pages or applications are, the more vulnerabilities there will be for attackers to exploit. The data for Q4'09 certainly bears that out: .php, .asp, and .aspx (all file types associated with dynamic web content) accounted for 55 percent of all compromised URLs in the quarter.

Of course, a closer look at the data reveals that file types associated with static pages, such as .html, .htm, and .shtml, accounted for 39.6 percent of the compromised URLs for the quarter. This suggests that attackers are still focused in no small part on exploiting structural vulnerabilities in the web to compromise legitimate sites -- vulnerabilities like sourced-in third-party content or applications; user-added content like comments, links, photos, and other files; and syndicated ad networks, among other things. There are no simple solutions for closing these kinds of vulnerabilities, something that all site owners who want to avoid being infected -- and potentially infecting their users and being blacklisted -- should bear in mind when considering the protections they employ.

Keeping your site safe

If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed at http://twitter.com/dasient for all the latest in web-based malware and general security news.

64 comments:

  1. This one is too good. Thanks for sharing.
    my Blogs: cityville cheats | how to get taller

  2. I like this blog and it is well or discuss about technology, websites, etc.

    http://www.knowifagirllikesyou.com |
    http://www.makeagirlfallinlove.org/

  3. Thanks so much for this! This is exactly what I was looking for.
    My Blog : how to make money online | diets that work

  4. The particular information and facts I actually obtained in this website is a suitable confirmation that it's nowadays attainable to educate everyone and be abreast of latest information.

    camera

  5. High PR Backlinks
    I am happy to find your distinguished way of writing the post. Now you make it easy for me to understand and implement the concept. Thank you for the post

  6. If you're a performing human and you'd similar to see writer roughly how Dasient WAM can ameliorate protect your websites, occasion here. If you're a web hosting businessperson and you'd similar to discover nigh partnership opportunities with Dasient, alter out this diplomat. And no concern who you are, satisfy be certain to contain out our Twirp work at http://twitter.com/dasient for all the last in web-based malware and mass safeguard news.

    Computer Parts Store

  7. If you're a performing human and you'd analogous to see author roughly how Dasient WAM can ameliorate protect your websites, occurrence here. If you're a web hosting capitalist and you'd twin to name left partnership opportunities with Dasient, vary out this diplomat. And no vexation who you are, fulfill be confident to comprise out our Emit product at dasient for all the measure in web-based malarkey and aggregation pass programmer.

    Computer Stores

  8. If you're a performing weak and you'd analogous to see communicator roughly how Dasient WAM can ameliorate protect your websites, event here. If you're a web hosting capitalist and you'd match to sept paw partnership opportunities with Dasient, depart out this official. And no vexation who you are, fulfil be positive to comprise out our Release set at dasient for all the value in web-based malarkey and grouping reach programmer.

    Computer Store

  9. It is a pleasure reading for me... I like it so much... Please Keep writing... latest news today

  10. Really enjoyed your post while reading. I loved the post quality of your website. Thanks for this wonderful post.

    Banglore international school

  11. In the same time well-bred people who attend colleges or even universities find it problematic sometimes to prepare a logical and critical task on a given topic. For those students who want to become sophisticated ones, this writing company proposes a reasonable help when I buy narrative essay at Papersmart.net on time. We make well-organized materials for anyone who needs an outstanding support on their own endeavors.

  12. Wonderful content and excellent way of presenting this topic. Thank you very much for the details provided by you. tata steel dealers

  13. I have truly learned so much from this amazing site. This is actually huge information. who can do coursework for me buy urgent coursework

  14. This comment has been removed by the author.

  15. Well. The most well-known issue is that individuals are running old stuff on their PCs that do not have the important security patches introduced. A few individuals have it like this reason they are languid, yet most haven't got their frameworks overhauled essentially cause they don't have a clue about that their PCs are being utilized by others. For more ideas with professional you can move to custom thesis writing service from web .

  16. You completed certain reliable points there. I did a search on the subject and found nearly all persons will agree with your blog.
    uk assignment writing

  17. You should search seriously for a trusted casino bookie, because in Indonesia itself there are many online casino agents that offer various attractive promotions but cheat their members. I already have the data on the best gambling agent according to several people who do online betting, and here I will give you details of a trustworthy sbobet casino agent that you can make your regular online betting site. This football gambling agent is a provider of various popular online gambling products that you can play as you like, namely at hokybet.net. Play bets at hokybet.net joyfully, because there are many attractive promos you can take home. Online gambling is indeed entering a stage of rapid growth, which you can easily access and play anywhere. This is also supported by the internet becoming more widespread across Indonesia. So whatever bet you want, you can get it instantly. The informative and up-to-date predictions you want to support online betting can be found at the best football agent. You can even subscribe at the sbobet agent through an account you create on the jagobetting football gambling agent site. What are you waiting for? Register immediately before the big prizes offered by that bookie are closed. Sign up now and get a big deposit bonus and cashback from this Indonesian online football bookie. Enjoy betting with real money and win the prizes.

  18. Hello sir, my arrival or my visit is to see and read the contents of the page that the host created; after I observed it, it turns out the article the host published here is very interesting. Some of it I did not understand, but I am quite happy with what I got right here. Please visit back here.
    male supplement medicine.
    sexual desire medicine.
    vacuum.
    pro extender.

  19. In case you have the most winning resume you know you get any job you want, this post is not for you. But if you are trying to find the most reliable resume writer, check these professional resume writing service reviews and select the most suitable for you.

  20. The Tiger Airways ticket agency provides domestic and international airline tickets at cheaper prices than other agencies.

  21. The cheap Tiger Airways ticket agency specializes in cheap airline tickets to Singapore, all kinds of cheap airline tickets to Thailand, and visits to Phuket with cheap airline tickets to Phuket; in addition there are airline tickets to Australia to visit the beautiful city with airline tickets to Sydney, and some other tickets. You can contact the Tiger Airways agency in Ho Chi Minh City directly or the Tiger Airways website for more details.

  22. I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. Assignment Help

  23. Truly, this article is really one of the very best in the history of articles. I am an antique 'Article' collector and I sometimes read some new articles if I find them interesting.
    Assignment Help

  24. Thank you for writing such a wonderful article, it is really going to motivate people to achieve something big and dream bigger in future.
    Assignment Help

  25. This is one very welcoming blog, I love the fact that you did take time to post such a nice post. You should do that more often and for sure we await more. Qualified article writers

  26. Really impressive post. I read it whole and going to share it with my social circles. I enjoyed your article and planning to rewrite it on my own blog. happy wheels

  27. Folks who can spend money to do this to increase twitter followers quickly might quickly get exposure for their products suddenly. here you can buy twitter followers

  28. Apologies Letter Writing Help This is a very nice post on web-based malware data and trends. I have learned a lot from your post and now I know that I need to be extra careful online. Thanks a lot.
    Dissertation Writing Tutors

  29. Get the best assignment help service from leading assignment help service provider in UK, USA, and Australia- www.makemyassignments.com
    Make My Assignment
    Assignment help

  30. The alpha lipid colostrum agency Thanh Hương is proud to be the number 1 distributor of alpha lipid colostrum in Vietnam, specializing in cheap alpha lipid lifeline products and cheap alpha lipid Colostem; in particular, Hương also compiles questions about alpha lipid colostrum to answer for all customers near and far, with the most accurate and practical alpha lipid colostrum information about alpha lipid colostrum testimonials.

  31. Thank you for sharing valuable information. Nice post. I enjoyed reading this post.
    slither io | wings io | science kombat | tank trouble 4
