Monday, November 22, 2010

Dasient Q3 Malware Update: Web-Based Malware Infections Double Since Last Year, Malvertising Attacks Continue Over Summer

In Q3 Dasient continued to monitor millions of sites on the Internet for web-based malware infections and malvertisements. Based on the data gathered, we estimate that in Q3 over 1.2 million web sites across the Internet were infected, which is double our estimate from exactly one year ago (see Figure 1 below). The web malware problem continues to grow dramatically as an increasing number of legitimate sites are getting infected.

Looking at the major modes of communication used on the Internet, email was one of the first, and we saw attackers take advantage of it by distributing viruses as email attachments. Over time, email became web-based with services such as Hotmail, Yahoo! Mail, and Gmail, and those services had to incorporate anti-virus software on their servers to scan email attachments for malware. As web page views continued to increase and web pages themselves became more and more interactive via Web 2.0 trends, cybercriminals took advantage of the advent of drive-by-download techniques to infect users without requiring the opening of attachments, thereby allowing them to exploit web pages as an increasingly pervasive malware distribution platform.

While attackers continue to grow their use of almost every tool at their disposal (including spreading viruses via email attachment) and as the cybercriminal economy continues to thrive, our research indicates that the use of drive-by-downloads and rogue anti-virus schemes eclipses other modes of malware distribution.

As we approach 2011, we predict that as the usage specifically of social media web sites continues to grow, drive-by-downloads and rogue anti-virus will be used more aggressively on platforms such as Facebook and Twitter, as evidenced by threats such as the Koobface botnet that continually targets Facebook and the September XSS attack that targeted Twitter and redirected users to porn and malware sites. The Koobface authors, for instance, have built “attack modules” for several social media networks including Facebook, MySpace, Twitter, Hi5, Bebo, and Friendster. These attack modules are used to automatically post comment spam with malicious links and distribute fake anti-virus software to users of each of the different social media networks.


Figure 1. Web Malware Growth: Q3 2009 - Q3 2010



Large Government Agencies: Targets of Attack


Another interesting trend that we have observed is that larger and more well-known government agencies are increasingly being targeted by web-based malware infections. As the table below shows, from 2008 to 2009 smaller and less-well-known government agency web sites were targeted, while from 2009 to 2010 agencies such as the National Institute of Health (NIH), the US Treasury, and the Environmental Protection Agency had their web sites infected.



Site                          Most Recent Infection   Monthly Page Views
National Institute of Health  October 2010            9,500,000
US Treasury                   May 2010                435,000
EPA                           March 2010              1,400,000
Unemployment.gov              July 2009               Unavailable
DC.gov                        Feb 2009                250,000
Govtrip.com                   Feb 2009                9,000
UsConsulate.gov               Dec 2008                90,000

Figure 2. Larger Government Web Sites Infected in 2010. (Monthly page view data obtained from Quantcast)


In previous quarters, we measured that re-infection rates (the probability that a web site which has been infected once will be infected again) were high, on the order of 40%, and from the table below we see that government web sites are no exception. The NIH web site has been infected and re-infected five times, with the most recent infection occurring this past October. In addition, the State of Alabama had its site infected and re-infected 37 times before it seemingly locked down the issue in July 2009.



Site              Number of Times Infected   Last Infection
NIH.GOV           5                          10/2010
CA.GOV            3                          8/2010
AL.GOV            37                         07/2009
DC.GOV            16                         02/2009
WASHINGTONDC.GOV  4                          02/2009

Figure 3. Re-infection Occurrences for Government Web Sites.
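To show how a re-infection rate like the one above is derived from scan data, here is an added example (our own illustration, not Dasient's code or data). It assumes a log of (site, date) detections and treats detections fewer than min_gap_days apart as the same infection episode, since a daily scanner sees an unremediated site again the next day and would otherwise inflate the count; the log entries are constructed sample values.

```python
from collections import defaultdict
from datetime import date

# Constructed infection log: (site, date a scan saw the site serving malware).
# Made-up sample values, not Dasient's data.
INFECTION_LOG = [
    ("nih.gov", date(2009, 3, 2)),
    ("nih.gov", date(2009, 9, 14)),
    ("nih.gov", date(2010, 1, 5)),
    ("nih.gov", date(2010, 6, 21)),
    ("nih.gov", date(2010, 10, 8)),
    ("ca.gov", date(2010, 2, 1)),
    ("ca.gov", date(2010, 5, 9)),
    ("ca.gov", date(2010, 8, 30)),
    ("ca.gov", date(2010, 8, 31)),  # same episode as the day before, still serving
    ("example-county.gov", date(2010, 4, 4)),
    ("example-city.gov", date(2009, 11, 11)),
]


def infection_episodes(log, min_gap_days=7):
    """Group detections per site into infection episodes.

    Two detections less than min_gap_days apart are one episode, so repeated
    sightings of the same unremediated infection are not counted twice.
    Returns {site: [episode start dates, sorted ascending]}.
    """
    by_site = defaultdict(list)
    for site, seen in log:
        by_site[site].append(seen)
    episodes = {}
    for site, dates in by_site.items():
        dates.sort()
        starts, last_seen = [dates[0]], dates[0]
        for seen in dates[1:]:
            if (seen - last_seen).days >= min_gap_days:
                starts.append(seen)  # gap is long enough: a new infection
            last_seen = seen
        episodes[site] = starts
    return episodes


def reinfection_rate(log, min_gap_days=7):
    """P(infected again | infected at least once) over the sites in the log."""
    episodes = infection_episodes(log, min_gap_days)
    if not episodes:
        return 0.0
    reinfected = sum(1 for starts in episodes.values() if len(starts) >= 2)
    return reinfected / len(episodes)


def reinfection_table(log, min_gap_days=7):
    """Rows of (site, times infected, last infection as MM/YYYY), most infected first."""
    rows = [
        (site, len(starts), starts[-1].strftime("%m/%Y"))
        for site, starts in infection_episodes(log, min_gap_days).items()
    ]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    print(f"re-infection rate: {reinfection_rate(INFECTION_LOG):.0%}")
    for site, times, last in reinfection_table(INFECTION_LOG):
        print(f"{site:20} {times:3}  {last}")
```

With the constructed log, ca.gov counts as three episodes rather than four because the 8/30 and 8/31 detections fall inside the seven-day window; setting min_gap_days=0 counts every detection separately, which is the mistake the window is there to avoid.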


Another interesting government-related malware threat emanated this quarter: Stuxnet, a very high-profile and highly sophisticated Trojan that is believed to have been written by a nation state. Stuxnet has the ability to reprogram automation equipment that controls and monitors critical infrastructure, and has the capability to conduct sabotage with an impact that is yet to be determined. Stuxnet was written to target a Siemens Simatic factory system, and is suspected to have been written to target nuclear reactors in Iran.

While the cybercriminal economy has been using malware explicitly for profit, nation-states may very well be increasing their investments in malware with the intent of preparing for future cyber-warfare scenarios. While Stuxnet propagated via USB sticks, one can imagine that an efficient way to infect critical, government-run infrastructure would be to infect government web sites, which government employees access more often than casual visitors.


Malvertisements Served in Q3: 1.5M per day

In Q3 2010, we estimate that over 1.5 million malvertisements were served online per day, including both drive-by-downloads and fake anti-virus campaigns. Also, our systems measured that the average lifetime of a malvertising campaign was 11.1 days, indicating that malvertisements continue to be an extremely effective means of malware distribution for cybercriminals.



Top 10 Attacker Top-Level-Domains (TLDs)

In Q3, our systems reported that the most popular attacker domains were .com, .ru, and .info, in order of decreasing popularity. As compared to last quarter, there were a few shifts in the origin of attacks based on the TLD of the attackers' code: we saw .cn (China) drop and .ru (Russia) jump.



Figure 4. Attacker Domain TLDs.



Top 10 Attacker Domains

In Figure 5, we show the top 10 attacker domains responsible for drive-by-downloads in Q3. Three of the top domains are plays on domain names that contain the word “ads”, which was not the case in previous quarters. Usage of such domain names can be indicative of two things: 1) Attackers know that many sites are dependent on their ads for revenue and are more hesitant to remove resources on the page that relate to their ad revenue sources. Any extra time that a webmaster spends debating whether to remove a widget on the page related to an ad slot is more time that the web site is serving malware. 2) Attacker mindshare is turning more and more to ads. Even if these domains in particular were used to spread more traditional web-based malware attacks, an increased focus on malvertising may be just over the horizon.

Of the attacker domains in Figure 5, riotassistance.ru and nuttypiano.com used very similar attack patterns, and the same exploit kits were running on both domains. Other domains conducting similar attacks that were not included in the top 10, but ranked highly from time to time in our infection library’s top 20 throughout the quarter, include seamscreative.info and addonrock.ru.


Figure 5. Top Attacker Domains.



Top 10 Attacker URLs

The top 10 distinct attacker URLs which were responsible for serving malware are shown in Figure 6. Note that attacker domains in Figure 5 such as riotassistance.ru distribute their attack over 100 distinct URLs (e.g., riotassistance.ru/Java.js, riotassistance.ru/Debugger.js), and hence do not show up in the top 10 distinct attacker URL list even though the combined number of drive-bys conducted by them exceeds the number of drive-bys by any one of the attacker URLs in Figure 5.



Figure 6. Top Attacker URLs.
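The three rankings above (by TLD, by attacker domain, by distinct URL) come from the same events keyed differently, and the domain-versus-URL discrepancy just described falls out of that. The following is an added example of our own, not Dasient's code: it parses a constructed sample of "timestamp attacker_url" drive-by event lines, normalizes the host, and produces all three rankings plus the count of distinct URLs per domain. The domain names echo those named in this report; ads-example.com is a placeholder standing in for the "ads"-themed attacker domains it mentions, and every count is made up.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed drive-by event sample, one "timestamp attacker_url" line per event.
# Counts are made up; ads-example.com is a placeholder name.
SAMPLE_EVENTS = """\
2010-09-01T10:02:11Z http://riotassistance.ru/Java.js
2010-09-01T11:40:03Z http://riotassistance.ru/Debugger.js
2010-09-02T08:15:47Z http://riotassistance.ru/Flash.js
2010-09-03T19:22:09Z http://riotassistance.ru/Pdf.js
2010-09-04T02:51:30Z http://riotassistance.ru/Load.js
2010-09-05T13:07:12Z http://riotassistance.ru/Ie.js
2010-09-06T09:00:00Z http://ads-example.com/scan.php
2010-09-06T09:05:00Z http://ads-example.com/scan.php
2010-09-07T21:13:44Z http://ads-example.com/scan.php
2010-09-08T04:44:10Z http://ADS-EXAMPLE.com/scan.php
2010-09-09T16:28:36Z http://ads-example.com/scan.php
2010-09-10T07:19:58Z http://nuttypiano.com/Java.js
2010-09-11T12:33:21Z http://nuttypiano.com/Java.js
2010-09-12T18:46:05Z http://nuttypiano.com/Java.js
2010-09-13T23:59:59Z http://addonrock.ru/Java.js
2010-09-14T06:06:06Z http://seamscreative.info/go.php
"""


def parse_events(text):
    """Return the attacker URL of each event, with the host lowercased.

    Without host normalization the mixed-case ADS-EXAMPLE.com line would be
    counted as a separate URL and the per-URL ranking would be wrong.
    """
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _timestamp, url = line.split(None, 1)
        parts = urlsplit(url)  # .hostname is already lowercased by urlsplit
        urls.append(f"{parts.scheme}://{parts.hostname}{parts.path}")
    return urls


def hostname(url):
    return urlsplit(url).hostname


def tld(url):
    """Last DNS label of the host: 'ru' for riotassistance.ru."""
    return hostname(url).rsplit(".", 1)[-1]


def top(urls, key, n=10):
    """Top-n (value, count) pairs when each event is keyed by key(url)."""
    return Counter(key(url) for url in urls).most_common(n)


def distinct_urls_per_domain(urls):
    """How many distinct URLs each attacker domain spreads its hits across."""
    seen = defaultdict(set)
    for url in urls:
        seen[hostname(url)].add(url)
    return {host: len(paths) for host, paths in seen.items()}


def ad_themed(host):
    """True when a label of the host starts with 'ads', the naming play the report notes."""
    return any(label.startswith("ads") for label in host.split("."))


if __name__ == "__main__":
    urls = parse_events(SAMPLE_EVENTS)
    print("by TLD:   ", top(urls, tld))
    print("by domain:", top(urls, hostname))
    print("by URL:   ", top(urls, lambda u: u, n=3))
    print("URLs/domain:", distinct_urls_per_domain(urls))
    print("ad-themed:", [h for h, _ in top(urls, hostname) if ad_themed(h)])
```

In the sample, riotassistance.ru leads the domain ranking with six events spread over six URLs, yet none of its URLs reaches the per-URL top list, where the single ads-example.com/scan.php URL with five events comes first; that is exactly the effect the text describes for Figures 5 and 6.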



Anti-Detection Techniques

Malware authors are continuing to deploy increasingly sophisticated attacks to evade detection. They know that the good guys try to run their malware in virtual machines such as VMWare and Parallels. As such, the malware authors have their malware do checks at run-time to determine if their malware might be under a microscope by security researchers or automated scanning engines.

We have a deep understanding of the types of checks that malware authors conduct, and report here on some of the simpler checks we have identified malware authors conducting. For instance, to check whether or not the malware might be under scrutiny in a VMWare virtual machine, we have seen malware check whether a file by the name of vmhgfs.sys is present as a device driver under the Windows system directory. Or, to check whether or not the malware is being analyzed in Parallels, it checks for a device driver by the name of prleth.sys.

Other anti-detection mechanisms range from checking for running processes and loaded modules to verifying system BIOS information and counting the number of CPU cycles to execute blocks of code. While these are not new or advanced tactics, we are seeing them more often and earlier in the infection process.
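The driver names above are also useful the other way round: an analyst triaging a sample can search it for those strings to see whether it is likely to behave differently inside a VM before spending sandbox time on it. The following added example (our own illustration, not Dasient's code) does that over constructed sample bytes. The indicators vmhgfs.sys and prleth.sys come from this report; SystemBiosVersion, the Windows registry value commonly read for BIOS information, is an assumed example that the report does not name. Windows binaries frequently store strings as UTF-16LE, so both that encoding and ASCII are searched.

```python
# Indicator strings that point at the anti-VM checks described above.
# vmhgfs.sys and prleth.sys are from the report; SystemBiosVersion is an
# assumed example of a BIOS lookup and is not named in the report.
ANTI_ANALYSIS_INDICATORS = {
    "vmhgfs.sys": "VMware host-guest file system driver",
    "prleth.sys": "Parallels network driver",
    "SystemBiosVersion": "BIOS version registry value (assumed indicator)",
}


def _find_all(haystack, needle):
    """Yield every offset of needle in haystack, case-insensitive on ASCII letters."""
    hay, ndl = haystack.lower(), needle.lower()
    start = 0
    while True:
        pos = hay.find(ndl, start)
        if pos < 0:
            return
        yield pos
        start = pos + 1


def find_anti_analysis_strings(sample):
    """Return (offset, indicator, encoding, description) hits sorted by offset.

    Each indicator is searched as plain ASCII and as UTF-16LE, the encoding
    Windows wide-character strings use inside PE files.
    """
    hits = []
    for indicator, description in ANTI_ANALYSIS_INDICATORS.items():
        for encoding in ("ascii", "utf-16-le"):
            needle = indicator.encode(encoding)
            for offset in _find_all(sample, needle):
                hits.append((offset, indicator, encoding, description))
    return sorted(hits)


def triage_verdict(sample):
    """One-line summary for a triage queue; a hit is a signal to look closer, not proof."""
    hits = find_anti_analysis_strings(sample)
    if not hits:
        return "no anti-analysis indicators found"
    names = sorted({indicator for _, indicator, _, _ in hits})
    return "anti-VM checks likely (" + ", ".join(names) + ")"


# Constructed sample bytes standing in for a dropped binary; not a real malware file.
# The driver path is written in upper case to show the case-insensitive match.
SUSPECT_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"C:\\Windows\\System32\\drivers\\VMHGFS.SYS\x00"
    + "prleth.sys".encode("utf-16-le") + b"\x00\x00"
    + b"HARDWARE\\DESCRIPTION\\System\x00"
    + "SystemBiosVersion".encode("utf-16-le")
)
# Constructed benign bytes with no indicator strings at all.
CLEAN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"hello, world\x00"


if __name__ == "__main__":
    for offset, indicator, encoding, description in find_anti_analysis_strings(SUSPECT_SAMPLE):
        print(f"0x{offset:06x} {indicator:18} {encoding:9} {description}")
    print(triage_verdict(SUSPECT_SAMPLE))
    print(triage_verdict(CLEAN_SAMPLE))
```

A string hit only says the sample knows about the driver: legitimate VM tooling references vmhgfs.sys too, and packed or encrypted samples will show nothing until unpacked, so this belongs at the front of a triage pipeline to decide which samples need a bare-metal or hardened-sandbox run, not as a verdict on its own.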


Summary

Our Q3 Malware Update continues to show that websites are at an increasing risk of being compromised. Hackers are not only becoming smarter at finding new ways of spreading malware; the attacks themselves are also becoming more sophisticated and devastating. Without structurally protecting websites through monitoring, businesses and government organizations with an online presence are at an increasingly high risk of being infected and of suffering the consequences. The sharp rise of social networking sites only expands the threat landscape, and proper web security protection becomes a must.