Tuesday, September 14, 2010

Continued growth in web-based malware attacks -- over 1M web sites infected in Q2 2010

It’s time again for our quarterly web-based malware update. We’ve pulled the Q2 data from our telemetry systems that monitor millions of web sites daily, producing the data and forensics that allow us to extrapolate infection rates across the entire Internet. This quarter marks a significant spike in the number of infected websites - almost double the number of the previous quarter. Hackers have been very busy and are constantly coming up with new attacks. It’s therefore not surprising that our infection library has catalogued almost 200,000 different infections - up 58,000 from the previous quarter. Here are the details:

Over 1M Web Sites Infected

In Q2 2010, we estimate that 1.3 million web sites were infected, based on data from our telemetry systems. Q2 was the first quarter in history for which we believe that over one million web sites were infected in a three month time period. As we have now been tracking web-based malware statistics for four quarters, we have plotted the estimated number of infected web sites over that time period below. While there was a slight dip in Q4 ‘09 (looks like some cybercriminals took part of the holiday season off just like the rest of us), the growth over the past couple quarters has been significant -- growth by a factor of two over the past year. We should note that while the measured growth below is mostly due to increased activity on the part of cybercriminals, a part of it is due to improvements to the methodology and number of sites monitored by our telemetry.

In addition to trends that we gathered on web-based malware in general, we also studied trends in the more specific area of malvertising. Over all of Q2, based on the part of our telemetry that monitors dozens of ad networks, we estimate that over 1.6 million malvertisements are served on an average day, which represents an approximate increase of just over 20% from an estimate that we produced in mid-Q2. In addition, the average lifetime of a malvertising campaign was 11.5 days, an increase of over 50% from a measurement that we did in mid-Q2. Kicking off malvertising campaigns on weekends gives cybercriminals a couple of extra days of lifetime, as IT teams often don’t get to look in depth into attacks over the weekend (unless they have automated solutions in place such as Dasient’s anti-malvertising service), and the intermittent way in which malvertising creatives are served makes them harder to track and lock down, further extending the lifetime of the campaigns.

We observed that malvertising attacks have a high propensity for being launched closer to weekends, as per the graph below. Fridays and Saturdays were the most common days for the launch of malvertising attacks. Thursdays came in next, with Sunday following. Cybercriminals know that corporate IT teams are slower to respond to attacks over the weekend, so they launch their attacks on and near the weekends to maximize the impact of their attack. Big money can be made via Fake Anti-Virus operations -- see the eWeek article at http://www.eweek.com/c/a/Security/3-Indicted-in-100-Million-Rogue-AntiVirus-Operation-696172/ for an example where over $100M was minted by the cybercriminals -- so every minute that the attack is live is critical.

Underlying Issue: Structural Vulnerabilities

The structural vulnerabilities research report that we issued this past July just prior to the BlackHat 2010 security conference highlighted the multitude of attack vectors that cybercriminals have at their disposal, and it appears that they are taking advantage of them. Structural vulnerabilities are ones in which a web site relies on third-party resources as part of the composition of the site, so that when those third-party resources get targeted or compromised, so do all the web sites that use them. Our key focus in this malware update is reviewing Q2 malware statistics, but we briefly review some of our findings from our structural vulnerabilities report that underlie the acceleration of the spread of web-based malware, while providing some new concrete examples:

* 75% of web sites use external, third-party JavaScript widgets. Traffic and audience measurement widgets, for instance, are popular choices as targets. Forty-three percent of the top Alexa 100,000 web sites use widgets such as Google Analytics and JQuery (as per Stanford University research presented at this past July’s BlackHat security conference in Las Vegas). While we have thus far not seen a mass compromise due to widgets, such an attack, say via DNS cache poisoning against a popular ISP, is not simply a theoretical possibility (see http://www.digitalsanctuary.com/tech-blog/security/att-dns-cache-poisoning.html). When such an attack occurs, every web site that uses these widgets can become a malware distribution vehicle, with users getting infected simply by loading those pages. Note also that in cases where DNS cache poisoning is used, the widget provider does not need to be compromised – only the ISPs do.

* 42% of web sites use third-party ad-related resources. Financial web sites are just as likely as the average web site to use ad-related resources, often to manage their own in-house ads and/or to show third-party ads on auxiliary sites that they run in which users can give each other financial advice, or on other user-generated-content offerings they make available. Publisher sites are twice as likely to show third-party ads as the average web site, and there has been an uptick in malvertising attacks this year.

* 91% of web sites use third-party applications and/or out-of-date software. It has been known for some time that keeping client-side software patched is a challenge, but keeping software on servers patched is just as hard or even harder. Upgrading server-side software, whether it be the version of the web server, the application server, language modules (PHP, ASP.NET, etc.), or web applications, can require porting of data and code; it is often a non-trivial exercise and doesn’t get done in a very timely fashion. As cybercriminals can just as easily look up all the known security vulnerabilities for such server-side software and use available exploit kits, web sites running old or out-of-date server-side software can be turned into distribution vehicles for malware through the exploitation of known vulnerabilities.

Infection Library Growth

During Q2, Dasient’s automated systems added over 58,000 unique entries to its infection library. Unlike the infection libraries of traditional anti-virus companies, Dasient’s infection library catalogs web-based code snippets that cybercriminals inject and use to compromise web sites and ad networks. In Q2, over 43,000 JavaScripts and over 15,000 IFRAMEs were added to Dasient’s infection library. As a percentage of the total number of new entries, JavaScript samples have increased by 19%, and JavaScript samples now make up 74% of the entries for the quarter (as compared to 55% three quarters ago).

Injection type          Share of Q2 2010 entries   Change vs. previous quarter (as a percentage of total)
JavaScript injections   74%                        +19%
IFRAME injections       26%                        -11%

Why use JavaScripts instead of IFRAMEs? JavaScripts have some advantages from the standpoint of an attacker. Most significantly, JavaScripts have access to the DOM elements in the rest of the page, thereby giving attackers more information and more capability to “muck” with the page. For example, an injected JavaScript has access to the page referrer, the URL address bar, the user’s cookie, and has the ability to write new, potentially malicious content into the web page. Scripts sourced in via IFRAMEs, by comparison, do not have the capability to access or communicate with the rest of the page.

Top Attacker Domains and Top-Level-Domains (TLDs)

As a part of our look into our growing infection library, we studied the most frequently occurring attacker domains used in SRC fields in malicious JavaScripts and IFRAMEs, as shown in the graphs below. Attackers seem to use more .com domains in aggregate, as they want their domain name to seem as “legitimate” as possible and Chinese domain names tend to arouse suspicion. While the cybercriminal community seems to be using more .com domains in aggregate, specific .cn domains (such as the ones listed in the chart below) are more frequently used than their .com counterparts. We see that some of the domain names end in .com.cn (as in ustocn.com.cn), which have been accounted for as .cn domains in our study but seek to look more legitimate, as domains that have a .com followed by a country code are used by many legitimate organizations in many countries.

We also looked at just the top-level-domains (TLDs) that attackers used. From the chart below, compared to similar statistics from Q1 2010, we see that the attackers are using significantly more .info domains than in the previous quarter. In Q1, .info domains took a backseat to .net, .org, and .ru domains, but have jumped ahead of all those TLDs in Q2.

Attacker Domain TLDs for Q2 2010

For Q1 2010
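As an added example (not Dasient’s code or telemetry), the following Python pulls the SRC hosts out of a page’s script and IFRAME tags, reports which ones are third-party (the structural dependencies discussed above), and tallies their TLDs the way this post groups them, so that a .com.cn name such as ustocn.com.cn counts as .cn. The sample markup, the site host and the list of second-level labels are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample page (not real infected markup): a legitimate third-party
# widget, two injected external resources of the kind the post describes, and a local script.
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="http://ustocn.com.cn/x.js"></script>
</head><body>
<iframe src="http://example-bad.info/in.php"></iframe>
<script src="/local/app.js"></script>
</body></html>
"""

# Labels that commonly sit under a two-letter country code (assumed list);
# the post counts ustocn.com.cn as a .cn domain, not a .com one.
SECOND_LEVEL = {"com", "net", "org", "co", "gov", "edu", "ac"}
SRC_RE = re.compile(r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def extract_srcs(html):
    """(tag, url) for every script/iframe SRC attribute in the page."""
    return [(tag.lower(), url) for tag, url in SRC_RE.findall(html)]

def third_party_hosts(html, site_host):
    """External script/iframe hosts: the page's structural dependencies."""
    hosts = []
    for tag, url in extract_srcs(html):
        host = urlparse(url).hostname   # None for relative (same-site) URLs
        if host and host.lower() != site_host.lower():
            hosts.append((tag, host.lower()))
    return hosts

def registered_domain(host):
    """Owner-level name: 'www.google-analytics.com' -> 'google-analytics.com',
    'ustocn.com.cn' -> 'ustocn.com.cn' (the .com is not the TLD there)."""
    parts = host.lower().split(".")
    keep = 3 if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in SECOND_LEVEL else 2
    return ".".join(parts[-keep:])

def tld_counts(hosts):
    """Tally by the true TLD, so a .com.cn name lands under .cn as in the post."""
    return Counter("." + h.rsplit(".", 1)[-1] for h in hosts)

if __name__ == "__main__":
    external = third_party_hosts(SAMPLE_HTML, "www.example.com")
    for tag, host in external:
        print(f"{tag:6} {host:28} registered={registered_domain(host)}")
    print(dict(tld_counts(h for _, h in external)))
```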

Drive-By Naming and Locations

When attackers send drive-by-downloads, they seem to like to choose one-letter file names and innocent-looking names like updates.exe and file.exe. Sometimes the file name starts with MS to imitate Microsoft processes. There is also a class of attacks that choose a random file name with a fixed number of characters.

Temp and application data folders are the favorite choices of folder in which to store malicious executables. However, executables are sometimes copied to the system directory after their initial storage and run from there.

Overall, three out of four drive-by-downloads have one letter filenames and are written to the User’s Application Data directory.
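The naming and location patterns above, turned into a small triage heuristic over file-write events as an added example (not Dasient’s detection logic). The random-name length, the directory keywords and the sample paths are constructed assumptions; the point is that a single weak indicator (a file under the system directory) is not enough, while the post’s dominant profile, a one-letter .exe under Application Data, is.

```python
import re
from pathlib import PureWindowsPath

# Naming and location patterns taken from the post; the random-name length and
# the directory keywords below are constructed assumptions for this example.
INNOCENT_NAMES = {"updates.exe", "file.exe"}
STAGING_DIRS = ("temp", "application data", "appdata")
SYSTEM_DIRS = ("system32", "windows")

def drop_indicators(path, random_len=8):
    """Return the indicators a written path matches; [] if none or not an .exe."""
    p = PureWindowsPath(path)
    name, stem = p.name.lower(), p.stem.lower()
    parents = [part.lower() for part in p.parts[:-1]]
    hits = []
    if p.suffix.lower() != ".exe":
        return hits
    if len(stem) == 1:
        hits.append("one-letter-name")      # e.g. f.exe, the post's most common name
    if name in INNOCENT_NAMES:
        hits.append("innocent-name")
    if stem.startswith("ms") and len(stem) > 2:
        hits.append("ms-prefix")            # imitates Microsoft process names
    if len(stem) == random_len and re.fullmatch(r"[a-z0-9]+", stem) and any(c.isdigit() for c in stem):
        hits.append("random-fixed-length")  # fixed-length alphanumeric name
    if any(d in parent for parent in parents for d in STAGING_DIRS):
        hits.append("staging-dir")          # Temp / Application Data
    if any(d in parent for parent in parents for d in SYSTEM_DIRS):
        hits.append("system-dir")           # later copy into the system directory
    return hits

def triage(paths, min_hits=2):
    """Keep only paths matching at least min_hits indicators."""
    flagged = {}
    for path in paths:
        hits = drop_indicators(path)
        if len(hits) >= min_hits:
            flagged[path] = hits
    return flagged

# Constructed file-write events, not taken from any real capture.
SAMPLE_WRITES = [
    r"C:\Documents and Settings\bob\Application Data\f.exe",
    r"C:\Documents and Settings\bob\Local Settings\Temp\updates.exe",
    r"C:\WINDOWS\system32\msupd32.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Program Files\Editor\setup.exe",
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_WRITES).items():
        print(path, "->", ", ".join(hits))
```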

Summary / Conclusion:

To summarize, some of the most interesting statistics from our Q2 malware update are:

* We estimate that 1.3 million web sites were infected in Q2 2010 (almost a 2x jump as compared to Q1)
* We estimate that for Q2, on average 1.6 million malvertisements were served on a daily basis.
* Most malvertising attacks are launched on weekends. Average lifetime for a malvertising campaign is 11.5 days.
* Our infection library grew by 58K entries, with relatively more JavaScript injections as compared to IFRAMEs in previous quarters
* Attackers use .com and .cn domains most frequently to host malicious code. There has been a rise in .info domains being infected and used to host malicious code.
* Three out of four drive-by-downloads have one letter filenames and are written to the User’s Application Data directory. The most common name for a drive-by-download was f.exe.

Hackers are going to continue to become more sophisticated. The malware epidemic is not slowing down - on the contrary, it’s exploding. Now is the time for businesses to educate themselves on how they can put safe security practices in place for their websites to protect their customers, their brand and their revenue. The first step is to make sure they are not exposed by monitoring their websites for malware regularly.

If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed for all the latest in web-based malware and general security news.

Keep your sites safe!
Your Dasient Team


  1. I had no idea there were so many viruses on the internet. I knew there were a lot, but not so many! For my own protection I use a hardware firewall from my wireless router and the Comodo Internet Security (which is free by the way). I think this should be enough.

    George of http://webhostingforacent.com/?v=g
