Monday, November 22, 2010

Dasient Q3 Malware Update: Web-Based Malware Infections Double Since Last Year, Malvertising Attacks Continue Over Summer

In Q3 Dasient continued to monitor millions of sites on the Internet for web-based malware infections and malvertisements. Based on the data gathered, we estimate that in Q3 over 1.2 million web sites across the Internet were infected, which is double our estimate from exactly one year ago (see Figure 1 below). The web malware problem continues to grow dramatically as an increasing number of legitimate sites are getting infected.

Looking at the major modes of communication used on the Internet, email was one of the first, and attackers took advantage of it by distributing viruses as email attachments. Over time, email became web-based through services such as Hotmail, Yahoo! Mail, and Gmail, and those services had to run anti-virus software on their servers to scan attachments for malware. As web page views continued to increase and pages became more interactive with Web 2.0, cybercriminals adopted drive-by-download techniques that infect users without any attachment being opened, turning web pages into an increasingly pervasive malware distribution platform.

While attackers continue to grow their use of almost every tool at their disposal (including spreading viruses via email attachment) and as the cybercriminal economy continues to thrive, our research indicates that the use of drive-by-downloads and rogue anti-virus schemes eclipse other modes of malware distribution.

As we approach 2011, we predict that as the usage specifically of social media web sites continues to grow, drive-by-downloads and rogue anti-virus will be used more aggressively on platforms such as Facebook and Twitter, as evidenced by threats such as the Koobface botnet that continually targets Facebook and the September XSS attack that targeted Twitter and redirected users to porn and malware sites. The Koobface authors, for instance, have built “attack modules” for several social media networks including Facebook, MySpace, Twitter, Hi5, Bebo, and Friendster. These attack modules are used to automatically post comment spam with malicious links and distribute fake anti-virus software to users of each of the different social media networks.

Figure 1. Web Malware Growth: Q3 2009 - Q3 2010

Large Government Agencies: Targets of Attack

Another interesting trend we have observed is that larger and better-known government agencies are increasingly being targeted by web-based malware infections. As the table below shows, from 2008 to 2009 smaller and less well-known government agency web sites were targeted, while from 2009 to 2010 agencies such as the National Institute of Health (NIH), the US Treasury, and the Environmental Protection Agency had their web sites infected.


Agency                          Most Recent Infection    Monthly Page Views
National Institute of Health    October 2010
US Treasury                     May 2010
(not recovered)                 March 2010
(not recovered)                 July 2009
(not recovered)                 Feb 2009
(not recovered)                 Feb 2009
(not recovered)                 Dec 2008

Figure 2. Larger Government Web Sites Infected in 2010. (Monthly page view data obtained from Quantcast; the page view counts and the remaining agency names did not survive in this copy of the table)

In previous quarters, we measured that re-infection rates (the probability that a web site that has been infected once will be infected again) were high, on the order of 40%, and from the table below we see that government web sites are no exception. The NIH web site has been infected and re-infected five times, with the most recent infection occurring this past October. In addition, the State of Alabama had its site infected and re-infected 37 times before it seemingly locked down the issue in July 2009.


Figure 3. Re-infection Occurrences for Government Web Sites. (Columns: Number of Times Infected, Last Infection; the row data did not survive in this copy of the table)

Another interesting government-related malware threat emerged this quarter: Stuxnet, a very high-profile and highly sophisticated Trojan believed to have been written by a nation state. Stuxnet has the ability to reprogram automation equipment that controls and monitors critical infrastructure, and can conduct sabotage with an impact that is yet to be determined. Stuxnet was written to target a Siemens Simatic factory system, and is suspected to have been aimed at nuclear reactors in Iran.

While the cybercriminal economy has been using malware explicitly for profit, nation-states may very well be increasing their investments in malware with the intent of preparing for future cyber-warfare scenarios. While Stuxnet propagated via USB sticks, one can imagine that an efficient way to infect critical, government-run infrastructure would be to infect government web sites, which government employees access more often than casual visitors.

Malvertisements Served in Q3: 1.5M per day

In Q3 2010, we estimate that over 1.5 million malvertisements were served online per day, including both drive-by-download and fake anti-virus campaigns. Our systems also measured that the average lifetime of a malvertising campaign was 11.1 days, indicating that malvertisements continue to be an extremely effective means of malware distribution for cybercriminals.

Top 10 Attacker Top-Level-Domains (TLDs)

In Q3, our systems reported that the most popular attacker domains were .com, .ru, and .info, in order of decreasing popularity. Compared to last quarter, there were a few shifts in the origin of attacks based on the TLD of the attackers' code: we saw .cn (China) drop and .ru (Russia) jump.

Figure 4. Attacker Domain TLDs.

Top 10 Attacker Domains

In Figure 5, we show the top 10 attacker domains responsible for drive-by-downloads in Q3. Three of the top domains are plays on domain names containing the word “ads”, which was not the case in previous quarters. Use of such domain names can indicate two things: 1) Attackers know that many sites depend on their ads for revenue and are more hesitant to remove resources on the page that relate to their ad revenue sources. Any extra time a webmaster spends debating whether to remove a widget tied to an ad slot is more time the web site spends serving malware. 2) Attacker mindshare is turning more and more to ads. Even if these particular domains were used to spread more traditional web-based malware attacks, an increased focus on malvertising may be just over the horizon.

Of the attacker domains in Figure 5, and used a very similar attack pattern, and the same exploit kits were running on both domains. Other domains conducting similar attacks that were not included in the top 10, but ranked highly from time to time in our infection library’s top 20 throughout the quarter, include and

Figure 5. Top Attacker Domains.

Top 10 Attacker URLs

The top 10 distinct attacker URLs responsible for serving malware are shown in Figure 6. Note that attacker domains in Figure 5 such as riotassistance.ru distribute their attack over 100 distinct URLs (e.g., riotassistance.ru/Java.js, riotassistance.ru/Debugger.js), and hence do not show up in the top 10 distinct attacker URL list even though the combined number of drive-bys they conduct exceeds the number of drive-bys by any one of the attacker URLs in Figure 5.
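The ranking effect described above (a domain that spreads its attack over many URLs drops out of a per-URL top 10 even though its combined volume is larger) is easy to reproduce when you aggregate drive-by events yourself. The following is an added example, not code from the Dasient report: it ranks the same constructed event records by URL, by domain, and by TLD (the three views the report presents in Figures 4 to 6), and reports how many distinct URLs each host uses. Only riotassistance.ru and its two script paths come from the report; every other host is a placeholder under the reserved .test and .invalid TLDs, and the hit counts are made up for illustration.

```python
"""Rank attacker infrastructure from drive-by event records at three
granularities (URL, domain, TLD) and measure per-host URL spread.
Added example for the Dasient Q3 2010 report; sample data is constructed."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed event log: (attacker URL, number of drive-by events observed).
# riotassistance.ru and the two .js paths are named in the report; the
# remaining 100 low-volume paths and the other hosts are placeholders.
SAMPLE_EVENTS = [
    ("http://riotassistance.ru/Java.js", 40),
    ("http://riotassistance.ru/Debugger.js", 35),
]
SAMPLE_EVENTS += [(f"http://riotassistance.ru/{i}.js", 3) for i in range(100)]
SAMPLE_EVENTS += [
    ("http://single-payload.test/in.php", 250),    # one URL carries all its traffic
    ("http://example-ads.test/show.php", 120),     # ad-themed name (see report, Figure 5)
    ("http://ads-example.invalid/ad.js", 90),
]


def host_of(url: str) -> str:
    """Registered hostname of an attacker URL, lower-cased."""
    return urlsplit(url).hostname.lower()


def tld_of(url: str) -> str:
    """Top-level domain of the attacker host (last label)."""
    return host_of(url).rsplit(".", 1)[-1]


def rank(events, key_fn, n: int = 10):
    """Sum event counts under key_fn(url) and return the top n (key, hits)."""
    counts = Counter()
    for url, hits in events:
        counts[key_fn(url)] += hits
    return counts.most_common(n)


def rank_urls(events, n: int = 10):
    return rank(events, lambda url: url, n)


def rank_domains(events, n: int = 10):
    return rank(events, host_of, n)


def rank_tlds(events, n: int = 10):
    return rank(events, tld_of, n)


def url_spread(events) -> dict:
    """Distinct URLs per host: a high value means a per-URL ranking hides the host."""
    seen = {}
    for url, _ in events:
        seen.setdefault(host_of(url), set()).add(url)
    return {host: len(urls) for host, urls in seen.items()}


def ad_themed(hosts) -> list:
    """Hosts whose name plays on 'ads', the naming pattern the report observed."""
    return [h for h in hosts if "ads" in h]


if __name__ == "__main__":
    print("top URLs:   ", rank_urls(SAMPLE_EVENTS, 3))
    print("top domains:", rank_domains(SAMPLE_EVENTS, 3))
    print("top TLDs:   ", rank_tlds(SAMPLE_EVENTS, 3))
    print("URL spread: ", url_spread(SAMPLE_EVENTS))
    print("ad-themed:  ", ad_themed(h for h, _ in rank_domains(SAMPLE_EVENTS)))
```

With this data the per-URL leader is the single-URL host, while riotassistance.ru, split over 102 URLs, only appears once the events are rolled up by domain. For blocklists and detection rules this is the practical lesson of the passage: aggregate by domain (or by TLD when looking at origin trends) before deciding what the top offenders are.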

Figure 6. Top Attacker URLs.

Anti-Detection Techniques

Malware authors continue to deploy increasingly sophisticated attacks to evade detection. They know that the good guys try to run their malware in virtual machines such as VMware and Parallels. As such, malware authors have their malware perform checks at run-time to determine whether it might be under a microscope by security researchers or automated scanning engines.

We have a deep understanding of the types of checks that malware authors conduct, and report here on some of the simple checks we have identified them performing. For instance, to determine whether it might be under scrutiny in a VMware virtual machine, we have seen malware check whether a file named vmhgfs.sys is present as a device driver under the Windows system directory. Or, to check whether it is being analyzed in Parallels, it looks for a device driver named prleth.sys.

Other anti-detection mechanisms range from checking for running processes and loaded modules to verifying system BIOS information and counting the number of CPU cycles to execute blocks of code. While these are not new or advanced tactics, we are seeing them more often and earlier in the infection process.
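From the analysis side, the useful response to the checks just described is to audit the sandbox for the artifacts an evasive sample would find. The following is an added example, not code from the Dasient report: a sandbox operator feeds it an inventory of the guest (driver files in the system driver directory, the BIOS vendor string, an optional list of process names, and a measured loop timing) and gets back the indicators that would let a sample recognise the analysis VM. Only the two driver names, vmhgfs.sys (VMware) and prleth.sys (Parallels), come from the report; the vendor substrings, the empty default process catalogue, the timing threshold and the inventory format are assumptions made for this example.

```python
"""Audit a sandbox guest for the run-time artifacts the report says malware
checks before detonating (driver files, BIOS strings, processes, timing).
Added example for the Dasient Q3 2010 report; not the report's own tooling."""
from dataclasses import dataclass, field
import time

# Driver files the report names as run-time checks.
DRIVER_ARTIFACTS = {
    "vmhgfs.sys": "VMware shared-folders driver",
    "prleth.sys": "Parallels network driver",
}
# Assumed: vendor substrings a sample might look for in the BIOS manufacturer string.
BIOS_VENDOR_HINTS = ("vmware", "parallels")


@dataclass
class GuestInventory:
    system_drivers: list               # file names under the Windows system driver directory
    bios_vendor: str = ""              # SMBIOS manufacturer string as reported by the guest
    processes: list = field(default_factory=list)  # running process names (optional)
    loop_ns_per_iter: float = 0.0      # measured cost of a tight loop; 0 = not measured


def measure_loop_ns(iterations: int = 200_000) -> float:
    """Time a tight loop, the software analogue of the CPU-cycle counting the
    report describes. Compare against a bare-metal baseline you measure yourself."""
    start = time.perf_counter_ns()
    acc = 0
    for i in range(iterations):
        acc += i & 7
    return (time.perf_counter_ns() - start) / iterations


def audit(inv: GuestInventory, ns_threshold: float = 100.0,
          process_hints: tuple = ()) -> list:
    """Return (category, detail) pairs describing how the guest betrays itself.

    process_hints is an operator-supplied catalogue of process names known to
    expose the sandbox; it defaults to empty because the report names none."""
    findings = []

    present = {name.lower() for name in inv.system_drivers}
    for name, desc in DRIVER_ARTIFACTS.items():
        if name in present:
            findings.append(("driver", f"{name} present ({desc})"))

    vendor = inv.bios_vendor.lower()
    for hint in BIOS_VENDOR_HINTS:
        if hint in vendor:
            findings.append(("bios", f"vendor string contains '{hint}'"))

    running = {p.lower() for p in inv.processes}
    for hint in process_hints:
        if hint.lower() in running:
            findings.append(("process", f"{hint} is running"))

    if inv.loop_ns_per_iter > ns_threshold:
        findings.append(("timing",
                         f"{inv.loop_ns_per_iter:.0f} ns/iter exceeds {ns_threshold:.0f}"))
    return findings


if __name__ == "__main__":
    # Constructed inventory of a leaky VMware guest (not a real system's data).
    leaky = GuestInventory(["ntfs.sys", "VMHGFS.SYS"], "VMware, Inc.",
                           loop_ns_per_iter=measure_loop_ns())
    for category, detail in audit(leaky):
        print(f"[{category}] {detail}")
```

Each finding is something to remove or rename in the guest image, or to mask in the hypervisor configuration, before the sandbox is used against samples that run these checks early in the infection chain. The timing check is deliberately relative: there is no universal threshold, so calibrate ns_threshold against the same loop on bare metal and treat a large multiple as the indicator.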


Our Q3 Malware Update continues to show that websites are at increasing risk of being compromised. Hackers are not only becoming smarter at finding new ways of spreading malware; the attacks themselves are also becoming more sophisticated and devastating. Without structurally protecting websites through monitoring, businesses and government organizations with an online presence face an ever higher risk of being infected and of suffering the consequences. The sharp rise of social networking sites only expands the threat landscape, and proper web security protection becomes a must.


  1. Scary statistics.
    It seems like the bad guys own the Internet, doesn't it? They do pretty much what they like.

    And according to many other reports, phishing attacks are on the rise. With governments getting involved, this is looking more and more like a behind-the-scenes war.


  4. According to Netcraft, about 20 per cent of websites run on IIS. This compares with 60 per cent running on Apache. In view of these two figures, the claim in the article that 44 per cent of websites have serious vulnerabilities at all times rather gives the lie to the tired old Linux propaganda myths. It's mathematically impossible for Windows to be responsible for vulnerabilities in 44 per cent of websites when only 20 per cent of sites run on Windows.

    There's no reason to believe Linux clients are particularly safe either. The web browser is the primary attack vector, and as noted security researcher Charlie Miller has pointed out, either IE8 or Chrome on Windows 7 is probably the most secure browsing environment. Chrome also runs on Linux, but Firefox, widely viewed as the most vulnerable browser, tends to be popular too, and as Miller also pointed out, Linux itself is 'no harder, in fact probably easier' to hack than Windows.
