Tuesday, September 14, 2010

Continued growth in web-based malware attacks -- over 1M web sites infected in Q2 2010

It’s time again for our quarterly web-based malware update. We’ve pulled the Q2 data from our telemetry systems that monitor millions of web sites daily, producing the data and forensics that allow us to extrapolate infection rates across the entire Internet. This quarter marks a significant spike in the number of infected websites - almost double the number of the previous quarter. Hackers have been very busy and are constantly coming up with new attacks. It’s therefore not surprising that our infection library has catalogued almost 200,000 different infections - up 58,000 from the previous quarter. Here are the details:

Over 1M Web Sites Infected

In Q2 2010, we estimate that 1.3 million web sites were infected, based on data from our telemetry systems. Q2 was the first quarter in history for which we believe that over one million web sites were infected in a three month time period. As we have now been tracking web-based malware statistics for four quarters, we have plotted the estimated number of infected web sites over that time period below. While there was a slight dip in Q4 ‘09 (looks like some cybercriminals took part of the holiday season off just like the rest of us), the growth over the past couple quarters has been significant -- growth by a factor of two over the past year. We should note that while the measured growth below is mostly due to increased activity on the part of cybercriminals, a part of it is due to improvements to the methodology and number of sites monitored by our telemetry.

In addition to the trends we gathered on web-based malware in general, we also studied trends in the more specific area of malvertising. Over all of Q2, based on the part of our telemetry that monitors dozens of ad networks, we estimate that over 1.6 million malvertisements are served on an average day, an increase of just over 20% from an estimate we produced in mid-Q2. In addition, the average lifetime of a malvertising campaign was 11.5 days, an increase of over 50% from a measurement we made in mid-Q2. Two factors extend campaign lifetimes. Kicking off a campaign on a weekend buys cybercriminals a couple of extra days, since IT teams often do not look at attacks in depth over the weekend (unless they have automated solutions in place such as Dasient’s anti-malvertising service). And malicious creatives are served intermittently, which makes them harder to reproduce, track and lock down.

We observed that malvertising attacks have a high propensity for being launched close to weekends, as per the graph below. Fridays and Saturdays were the most common launch days, followed by Thursday and then Sunday. Cybercriminals know that corporate IT teams are slower to respond over the weekend, so they launch on or near the weekend to maximize the impact of the attack. Big money can be made via Fake Anti-Virus operations -- see the eWeek article at http://www.eweek.com/c/a/Security/3-Indicted-in-100-Million-Rogue-AntiVirus-Operation-696172/ for an example in which the cybercriminals took in over $100M -- so every minute that the attack is live matters.

Underlying Issue: Structural Vulnerabilities

The structural vulnerabilities research report that we issued this past July, just prior to the BlackHat 2010 security conference, highlighted the multitude of attack vectors that cybercriminals have at their disposal, and it appears that they are taking advantage of them. A structural vulnerability is one in which a web site relies on third-party resources as part of the composition of the site: when a third-party resource is targeted or compromised, so is every web site that uses it. Our main focus in this update is the Q2 malware statistics, but we briefly review some of the findings from our structural vulnerabilities report that underlie the accelerating spread of web-based malware, with some new concrete examples:

* 75% of web sites use external, third-party JavaScript widgets. Traffic and audience measurement widgets, for instance, are popular targets. Forty-three percent of the top Alexa 100,000 web sites use widgets such as Google Analytics and jQuery (per Stanford University research presented at this past July’s BlackHat security conference in Las Vegas). While we have not yet seen a mass compromise via widgets, such an attack, say via DNS cache poisoning against a popular ISP’s resolver, is not merely a theoretical possibility (see http://www.digitalsanctuary.com/tech-blog/security/att-dns-cache-poisoning.html). When such an attack occurs, every web site that includes the widget becomes a malware distribution vehicle, and users are infected simply by loading those pages. Note also that in the DNS cache poisoning case the widget provider itself need not be compromised; only the ISP’s resolver does, and the poisoned answer sends every browser behind that resolver to the attacker’s copy of the script.

* 42% of web sites use third-party ad-related resources. Financial web sites are just as likely as the average web site to use ad-related resources, often to manage their own in-house ads and/or to show third-party ads on auxiliary sites they run, such as forums where users give each other financial advice, or on other user-generated-content offerings. Publisher sites are twice as likely as the average web site to show third-party ads, and there has been an uptick in malvertising attacks this year.

* 91% of web sites use third-party applications and/or out-of-date software. It has been known for some time that keeping client-side software patched is a challenge, but keeping server-side software patched is just as hard or harder. Upgrading server-side software, whether the web server, the application server, language modules (PHP, ASP.NET, etc.) or the web applications themselves, can require porting data and code; it is often a non-trivial exercise and does not get done in a timely fashion. Since cybercriminals can easily look up all the known security vulnerabilities for such server-side software and use available exploit kits, web sites running old or out-of-date server-side software can be turned into malware distribution vehicles through those known vulnerabilities.

Infection Library Growth

During Q2, Dasient’s automated systems added over 58,000 unique entries to its infection library. Unlike the signature libraries of traditional anti-virus companies, Dasient’s infection library catalogs the web-based code snippets that cybercriminals inject to compromise web sites and ad networks. In Q2, over 43,000 JavaScript injections and over 15,000 IFRAME injections were added. As a percentage of the new entries, JavaScript samples increased by 19 percentage points and now make up 74% of the quarter’s entries (compared to 55% three quarters ago).

Injection type           Q2 2010 (share of new entries)   Increase/Decrease (percentage points of total)
JavaScript injections    74%                              +19
IFRAME injections        26%                              -11

Why use JavaScript instead of IFRAMEs? Injected JavaScript has some advantages from the attacker’s standpoint. Most significantly, a script injected into a page runs in that page’s origin and has access to its DOM, giving the attacker more information and more capability to tamper with the page. For example, an injected script can read the page referrer (document.referrer), the current URL (document.location), and the user’s cookies for that site (document.cookie), and it can write new, potentially malicious content into the page. Content loaded via an IFRAME from the attacker’s own domain, by comparison, is cross-origin: the browser’s same-origin policy prevents it from reading or modifying the rest of the page, so the attacker gets a place to run an exploit but not the host page’s data.

Top Attacker Domains and Top-Level-Domains (TLDs)

As part of our look into our growing infection library, we studied the most frequently occurring attacker domains used in the SRC fields of malicious JavaScripts and IFRAMEs, as shown in the graphs below. Attackers seem to use more .com domains in aggregate, as they want their domain names to seem as “legitimate” as possible and Chinese domain names tend to arouse suspicion. While the cybercriminal community uses more .com domains in aggregate, specific .cn domains (such as the ones listed in the chart below) are individually used more often than their .com counterparts. Some of the domain names end in .com.cn (as in ustocn.com.cn); we have counted these as .cn domains in our study, but they are chosen to look more legitimate, since a .com followed by a country code is used by many legitimate organizations in many countries.

We also looked at just the top-level domains (TLDs) that attackers used. Comparing the chart below with the same statistics for Q1 2010, we see that attackers used significantly more .info domains than in the previous quarter. In Q1, .info took a backseat to .net, .org and .ru; in Q2 it jumped ahead of all three.

(Chart: attacker domain TLDs for Q2 2010)

(Chart: attacker domain TLDs for Q1 2010)
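The study above counts injected JavaScript and IFRAME entries by tag type, by the domain in their SRC field, and by TLD, folding .com.cn under .cn. As an added example (not Dasient’s tooling and not code from this post), the following Python script does the same tally over a page: it extracts the SRC host of every <script> and <iframe>, skips the hosts the site owner deliberately includes, and counts the rest by tag, registrable domain and TLD. The sample page, the attacker hostnames, the allowlist and the list of compound suffixes are all constructed for illustration; real injections are often obfuscated (document.write of an escaped tag, for instance), which this simple tag regex does not unwrap.

```python
"""Tally the SRC hosts of injected <script>/<iframe> tags by tag, domain and TLD.

Added example, not Dasient's code.  All hostnames below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a normal page with three injected tags appended.
# The hidden 1x1 / 0x0 IFRAMEs are a typical drive-by injection shape.
SAMPLE_HTML = """<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
</head><body>
<p>Hello</p>
<script src="/js/site.js"></script>
<script src="http://www.evil-example.info/x.js"></script>
<iframe src="http://bad-example.com.cn/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//evil-example.info/f.php" width="0" height="0"></iframe>
</body></html>"""

# Hosts the site owner deliberately includes (an assumed allowlist).
KNOWN_GOOD_HOSTS = {"www.google-analytics.com"}

# Two-label public suffixes counted under the country-code TLD, as the post
# does for ustocn.com.cn (counted as .cn).  This short list is an assumption.
COMPOUND_SUFFIXES = {"com.cn", "net.cn", "org.cn", "co.uk", "com.br", "co.jp"}

# Matches <script ... src=...> and <iframe ... src=...> (quoted or bare value).
TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def extract_src_refs(html):
    """Return (tag, host) pairs for every <script>/<iframe> with an absolute
    or scheme-relative SRC; same-site relative paths have no host and are skipped."""
    refs = []
    for tag, src in TAG_RE.findall(html):
        host = urlparse(src).hostname
        if host:
            refs.append((tag.lower(), host.lower()))
    return refs


def registrable_domain(host):
    """Strip subdomains: www.evil-example.info -> evil-example.info,
    a.ustocn.com.cn -> ustocn.com.cn (compound suffix kept whole)."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in COMPOUND_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def tld_of(host):
    """Last label only, so a .com.cn host is counted as .cn."""
    return host.rsplit(".", 1)[-1]


def tally(html, known_good=KNOWN_GOOD_HOSTS):
    """Count non-allowlisted SRC references by tag type, domain and TLD."""
    by_tag, by_domain, by_tld = Counter(), Counter(), Counter()
    for tag, host in extract_src_refs(html):
        if host in known_good:
            continue
        by_tag[tag] += 1
        by_domain[registrable_domain(host)] += 1
        by_tld[tld_of(host)] += 1
    return by_tag, by_domain, by_tld


if __name__ == "__main__":
    tags, domains, tlds = tally(SAMPLE_HTML)
    print("by tag:   ", dict(tags))      # {'script': 1, 'iframe': 2}
    print("by domain:", dict(domains))   # {'evil-example.info': 2, 'bad-example.com.cn': 1}
    print("by TLD:   ", dict(tlds))      # {'info': 2, 'cn': 1}
```

Run over crawled pages of a site, the domain and TLD counters are the raw material for charts like the ones above; the allowlist is what separates a deliberately included widget from an injected one, so it needs to be maintained per site.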

Drive-By Naming and Locations

When attackers deliver drive-by downloads, they tend to choose one-letter file names or innocent-looking names such as updates.exe and file.exe. Sometimes the file name starts with MS to imitate a Microsoft process. There is also a class of attacks that uses a random file name with a fixed number of characters.

The Temp and Application Data folders are the favorite locations for storing malicious executables. However, executables are sometimes copied to the system directory after their initial drop and run from there.

Overall, three out of four drive-by downloads have one-letter file names and are written to the user’s Application Data directory.
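The naming and location patterns above translate directly into triage rules for dropped-file reports. As an added example (not Dasient’s code), the following Python script classifies each dropped-executable path by name pattern (one letter, innocent-looking name, MS prefix, fixed-length random) and by drop location (Temp, Application Data, system directory), and computes the share that matches the one-letter-in-Application-Data profile. The sample paths, the list of innocent-looking names and the random-name heuristic (alphanumeric, 6 to 16 characters, containing a digit or with few vowels) are assumptions made for illustration.

```python
"""Classify dropped executables by the drive-by naming/location patterns.

Added example, not Dasient's code.  Sample paths are constructed.
"""
import ntpath  # splits Windows paths correctly on any host OS
import re
from collections import Counter

# Constructed drop reports, e.g. from a sandbox or endpoint agent.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\f.exe",
    r"C:\Documents and Settings\alice\Application Data\a.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\updates.exe",
    r"C:\Users\bob\AppData\Roaming\b.exe",
    r"C:\Users\bob\AppData\Local\Temp\mswinsvc.exe",
    r"C:\WINDOWS\system32\x7k2p9qz.exe",
    r"C:\Users\bob\AppData\Roaming\file.exe",
    r"C:\Program Files\Vendor\vendorapp.exe",
]

# "Innocent looking" names; an assumed starting list.
INNOCENT_NAMES = {"updates.exe", "update.exe", "file.exe", "setup.exe", "install.exe"}

# Fixed-length random names: alphanumeric, 6-16 chars (assumed bounds).
RANDOM_RE = re.compile(r"^[a-z0-9]{6,16}$")

# Checked in order; Temp first because AppData\Local\Temp is also under AppData.
LOCATION_PATTERNS = [
    ("temp",    re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)),
    ("appdata", re.compile(r"\\(application data|appdata)\\", re.IGNORECASE)),
    ("system",  re.compile(r"\\windows\\(system32|syswow64)\\", re.IGNORECASE)),
]


def _looks_random(stem):
    s = stem.lower()
    if not RANDOM_RE.match(s):
        return False
    has_digit = any(c.isdigit() for c in s)
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    return has_digit or vowel_ratio < 0.25


def classify_name(filename):
    """Name pattern: one_letter, innocent_name, ms_prefix, random_fixed_length or other."""
    stem, _ext = ntpath.splitext(filename)
    low = stem.lower()
    if len(stem) == 1 and stem.isalpha():
        return "one_letter"
    if filename.lower() in INNOCENT_NAMES:
        return "innocent_name"
    if low.startswith("ms") and len(low) > 2:
        return "ms_prefix"
    if _looks_random(stem):
        return "random_fixed_length"
    return "other"


def classify_location(path):
    """Drop location: temp, appdata, system or other."""
    for label, pattern in LOCATION_PATTERNS:
        if pattern.search(path):
            return label
    return "other"


def classify_path(path):
    return classify_name(ntpath.basename(path)), classify_location(path)


def summarize(paths):
    """Counters of name patterns and drop locations over a batch of paths."""
    names, locations = Counter(), Counter()
    for p in paths:
        n, loc = classify_path(p)
        names[n] += 1
        locations[loc] += 1
    return names, locations


def one_letter_appdata_share(paths):
    """Fraction of drops matching the post's 'one letter in Application Data' profile."""
    hits = sum(1 for p in paths if classify_path(p) == ("one_letter", "appdata"))
    return hits / len(paths) if paths else 0.0


if __name__ == "__main__":
    names, locations = summarize(SAMPLE_PATHS)
    print("names:    ", dict(names))
    print("locations:", dict(locations))
    print("one-letter in AppData: %.3f" % one_letter_appdata_share(SAMPLE_PATHS))
```

The name heuristics are deliberately loose (a legitimate installer can be called setup.exe), so they are for prioritizing review rather than for blocking; the combination of a one-letter name with an Application Data or Temp drop location is the strong signal the post’s figures point to.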

Summary / Conclusion:

To summarize, some of the most interesting statistics from our Q2 malware update are:

* We estimate that 1.3 million web sites were infected in Q2 2010 (almost a 2x jump compared to Q1).
* We estimate that in Q2, on average, 1.6 million malvertisements were served per day.
* Most malvertising attacks are launched on or near weekends. The average lifetime of a malvertising campaign is 11.5 days.
* Our infection library grew by 58K entries, with a higher share of JavaScript injections relative to IFRAMEs than in previous quarters.
* Attackers use .com and .cn domains most frequently to host malicious code. There has been a rise in .info domains being used to host malicious code.
* Three out of four drive-by downloads have one-letter file names and are written to the user’s Application Data directory. The most common name for a drive-by download was f.exe.

Hackers are going to continue to become more sophisticated. The malware epidemic is not slowing down - on the contrary, it’s exploding. Now is the time for businesses to educate themselves on how they can put safe security practices in place for their websites to protect their customers, their brand and their revenue. The first step is to make sure they are not exposed by monitoring their websites for malware regularly.

If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed for all the latest in web-based malware and general security news.

Keep your sites safe!
Your Dasient Team


  1. I had no idea there were so many viruses on the internet. I knew there were a lot, but not so many! For my own protection I use a hardware firewall from my wireless router and the Comodo Internet Security (which is free by the way). I think this should be enough.

    George of http://webhostingforacent.com/?v=g
