Monday, March 7, 2011

The Dasient Q4 Malware Update: Significant Rise in Malvertising Attacks, Social Networking Sites Easy Distribution Platforms for Malware

Q4 2010 was a quarter in which we saw continued growth of web malware and malvertising attacks targeting legitimate sites. In this report, we focus on (1) quantitative measurements around web malware and malvertising, (2) analysis surrounding the most significant attacker domains for the quarter, and (3) results from some experiments we conducted on the potential impact that web malware could have on social media networks.


*Malvertising is on a significant rise, with our estimates having doubled from Q3 to Q4 2010. Based on our Q4 estimates, three million malvertising impressions were served per day, compared to 1.5 million per day in Q3 2010. The increase over the previous quarter comes from 25% growth in malvertising incidents on the networks we monitored last quarter, plus additional incidents from “remnant” ad networks that we started monitoring in Q4.

*More than one million web sites were estimated to be infected in Q4 2010. As compared to data from one year prior (Q4 2009), web malware infections have nearly doubled and are a growing threat that needs to be abated.

*Under the assumptions used in this report (roughly 100 page views per day and a per-page infection probability of about 1 in 3000), the probability that an average Internet user will hit an infected page after three months of web browsing is approximately 95%.

*The top attacker domain was ipq.co, a free DNS forwarding service. Cybercriminals are abusing DNS forwarding services to hide their infrastructure and reduce the cost of executing their attacks.

*We found that most social media networks are prone to being used as distribution platforms for malware. We conducted some safe, benign experiments on various social networking sites, and found that infections can occur relatively easily through them via user-generated-content (UGC) interactions and advertisements.

Other studies concurred with the growth of web malware targeting trusted sites. Cisco’s Q4 report measured a 139% growth in web malware in 2010, which is even higher than our conservative measurements (although not exactly for the same time period). A recent study from Blue Coat also acknowledges that malware now targets trusted sites.

As we head into Q1 2011, cybercriminals show no sign of taking a break -- among this year’s notable cases so far, several BBC-operated web sites and some large financial exchange sites, including NASDAQ’s Directors Desk and the London Stock Exchange, were infected by web malware as a result of targeted attacks and malvertising.


Our estimates for the number of malvertising impressions for Q4 doubled as compared to Q3. In addition to there being a 25% increase in malvertising impressions based on the same set of networks that we monitored in Q3, we added tracking for more “remnant” ad networks which contributed to the additional increase. Remnant advertising refers to advertising space that is typically unsold until the very last minute. Remnant ad networks aggregate creatives and charge much lower rates than would otherwise be charged to advertisers. Reputable ad networks also often syndicate or sub-syndicate unsold ad space to remnant ad networks instead of filling them with “house” ads. With the addition of more remnant ad networks in our telemetry, we believe that we are more accurately reflecting the current state of malvertising.

The good news is that the average lifetime of a malvertising campaign has dropped for the second consecutive quarter -- down to an average of 9.8 days, compared to 11.1 days in Q3 and 11.8 days in Q2. As part of our telemetry, we track the ad networks of some of our customers. When we send automated alerts to ad networks about malvertisements, with a set of forensics that allows them to identify and remove the malvertisements from circulation, we help bring down the average amount of time that those malvertisements stay in circulation. In cases where we are not helping police the ads on a network, the path is slower: a user reports a malvertisement to a publisher, who investigates and reports it to their ad networks, who must then investigate further. Also, malvertisers typically launch their attacks on weekends, when IT departments are slower to respond; we have seen this in previous quarters and continued to see it in Q4 2010, as per the figure below.

When Dasient monitors an ad network and our automated systems detect a malvertisement (e.g., in the form of a drive-by-download or a fake anti-virus pop-up), our systems log extremely detailed forensics which are used to pinpoint exactly which ad on the network is malicious, so that it can efficiently be taken out of circulation. As such, our systems have helped bring down the average amount of time that a malvertisement circulates. We look forward to continuing to work with more customers, and to integrating more tightly with our existing customers, to further reduce the impact that malvertisers can have on the safety of the online advertising ecosystem.


We estimate over 1.1M websites were infected in Q4 2010, which is almost double the number for the same time span in 2009, as shown in the figure below.

As was also the case in last quarter’s malware report, the number of infected websites continues to grow. Over the past year, we estimate that over 4 million domains have been infected. There are approximately 130 million domains on the Internet, which means that roughly 3% of active domains have been infected in the past year. The problem is bad, and if infection rates keep rising at this pace, it will become untenable.

As of right now, the instantaneous probability that a user gets infected by loading a random web page is roughly 1 in 3000 (as per a study conducted by Kaspersky). Assuming that the average Internet user views 100 pages per day (back in 2006, comScore measured 90, so the current figure is probably higher), and treating page loads as independent events, the probability of hitting at least one infected page after t days is P(t) = 1 - (1 - 1/3000)^(100 * t). The following graph shows this probability as a function of time:

As you can see, the probability that a user will hit an infected web page rises quickly. After three months of browsing at that rate (about 9,000 page views), the probability that an average Internet user has hit an infected page is approximately 95%.
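The calculation behind the 95% figure, as an added example that is not part of the original report: it uses the report’s own assumptions (a per-page infection probability of 1/3000 and 100 page views per day) as defaults, and goes a little beyond the text by also solving for the number of days needed to reach a given probability and by showing how sensitive the three-month figure is to the per-page rate. Function names and the sensitivity rates are this example’s choices.

```python
"""Cumulative infection-probability model for a browsing user.

Added example, not code from the Dasient report. Each page load is treated as
an independent Bernoulli trial with probability PER_PAGE_PROB of landing on an
infected page, which is the model implied by the report's 1-in-3000 figure.
"""
import math

PER_PAGE_PROB = 1 / 3000   # report's figure (Kaspersky study)
PAGES_PER_DAY = 100        # report's assumption


def infection_probability(days, pages_per_day=PAGES_PER_DAY,
                          per_page_prob=PER_PAGE_PROB):
    """Probability of at least one infected page load over `days` days."""
    loads = pages_per_day * days
    return 1.0 - (1.0 - per_page_prob) ** loads


def days_to_reach(target, pages_per_day=PAGES_PER_DAY,
                  per_page_prob=PER_PAGE_PROB):
    """Smallest whole number of days at which the cumulative probability
    reaches `target` (0 < target < 1).

    Solves 1 - (1 - p)^(n * d) >= target for d, then rounds up.
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    loads = math.log(1.0 - target) / math.log(1.0 - per_page_prob)
    return math.ceil(loads / pages_per_day)


def sensitivity_table(days, rates=(1 / 10000, 1 / 3000, 1 / 1000)):
    """Cumulative probability at `days` for several per-page rates, so the
    reader can see how much the headline number depends on that estimate."""
    return {f"1/{round(1 / p)}": round(infection_probability(days, per_page_prob=p), 3)
            for p in rates}


if __name__ == "__main__":
    for d in (1, 7, 30, 60, 90):
        print(f"{d:3d} days: {infection_probability(d):.3f}")
    print("days to 50%:", days_to_reach(0.5))
    print("days to 95%:", days_to_reach(0.95))
    print("sensitivity at 90 days:", sensitivity_table(90))
```

The 90-day figure is essentially 1 - e^(-3), which is why the number lands so close to 95%; halving the per-page rate roughly halves the exponent, so the assumption about how often a random page is infected matters far more than the exact number of pages per day.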

Although the numbers of infected web sites are climbing higher, it is interesting to note that most web malware attacks use a relatively small group of common exploits, as shown below, based on a study of the most commonly used exploit kits.

The exploits are identified by their Common Vulnerabilities and Exposures (CVE) numbers, and each bar shows how often that vulnerability is exploited in web malware attacks relative to the others. Of course, even as the exploits above get patched, cybercriminals will still have more than enough unpatched CVEs to choose from. That said, while it may be unlikely that we’ll have clients with no exploitable software in the near future, each patch removes one of the few exploits that the common kits rely on, so patches are a good thing!


The figure below shows the top-level domains that attackers use to host exploits or payloads. As in previous quarters, attackers have a strong preference for .com domains, which look the most legitimate. However, unlike previous quarters, .cc domains have become the next most popular, ahead of Russian, Indian, or Chinese domains. At least part of the reason for the popularity of .cc specifically is that names under it could be registered for free, and just as with anything else free in life, services that are offered for free are more likely to be abused.

The next figure below shows the top attacker domains that were used to host exploits and malicious payloads in web malware attacks for the quarter.

The top attacker domain was ipq.co, which is a free DNS forwarding service. In an effort to hide their infrastructure and reduce the cost of executing their attacks, cybercriminals are abusing DNS forwarding services such as ipq.co. DNS forwarding services are somewhat similar to URL shorteners, and can be abused to give cybercriminals obfuscation and pseudonymity. By leveraging one or both types of services, attackers can bypass basic detection mechanisms (for example, blocklists keyed on the domain that finally hosts the exploit).

Various subdomains on ipq.co hosted obfuscated JavaScript that probes the client to determine whether it has exploitable MDAC, PDF reader, Java, or ActiveX components, amongst others. The attacker domain then exploits one of the vulnerabilities it found and sends a malware binary to the user’s machine. In some of our analyses, we saw that the drive-by-downloads served from ipq.co were used to send email spam: emails were sent from the compromised machine with a variety of subjects and message bodies, advertising a job opportunity and requesting the recipient’s name, address, and phone number. Malware and botnet operators have historically shown themselves to be very good at social engineering, and in this case they are clearly taking advantage of the recession and high unemployment rates. An example of one of the emails is below:

Subject: Career opportunity inside


I lead the HR department in the world famous company.

The corporation offers the wide range of different activities:
- consultation
- business support
- managing
- management of finances
- etc.

Urgently need the coworkers in Australia:
- common wages of 2 500 AUD, but you will get bonus for good work
- 2 - 3 working hours per day
- working time by your choice

If this vacancy awoke a great interest in you, do not hesitate and send us the following information to the e-mail address:

Name of yours:
Country of your living:
The city:
Your E-mail address:
Phone number of yours:

The purpose of the email is most likely to recruit money mules in Australia. Note that “management of finances” and working just a few hours a day are among the perks offered with the job. The cybercriminal in this case may use the compromised machines both to log keystrokes and capture their owners’ banking credentials, and to send out emails recruiting mules to help transfer money out of the compromised accounts.
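A lightweight way to triage scripts for the probing behaviour described above, as an added example: this is not code from the Dasient report and does not reproduce the ipq.co script, which the report does not show. It scores a script on generic markers that drive-by landing pages of the period relied on: enumerating installed plugins (PDF, Java), instantiating ActiveX controls (MDAC and others), unpacking %u-encoded data, and writing zero-sized iframes, objects or applets into the page. The indicator weights, the threshold, the hypothetical control and host names, and both sample scripts are constructed for illustration; this is triage to decide what to send to a sandbox, not a verdict on its own.

```python
"""Static triage of JavaScript for plugin-probing / drive-by indicators.

Added example, not code from the Dasient report. Each indicator is a regex,
a weight and a description; a script's score is the sum of the weights of the
indicators that match at least once. Thresholds and samples are constructed.
"""
import re

# (regex, weight, what it indicates); each indicator counts at most once
INDICATORS = [
    (r"navigator\.(plugins|mimeTypes)", 2, "plugin enumeration"),
    (r"new\s+ActiveXObject\s*\(", 3, "ActiveX instantiation"),
    (r"\bunescape\s*\(\s*['\"]%u", 3, "unescape of %u-encoded data (shellcode style)"),
    (r"String\.fromCharCode\s*\(", 1, "char-code decoding"),
    (r"\beval\s*\(", 1, "dynamic code execution"),
    (r"document\.write\s*\(\s*['\"]<(iframe|object|embed|applet)", 3,
     "injected iframe/object/embed/applet"),
    (r"\b(width|height)\s*=\s*['\"]?0['\"]?", 1, "zero-sized element"),
    (r"Acrobat|Java\s*Plug-?in|Shockwave", 1, "named plugin target"),
]

THRESHOLD = 6  # constructed cut-off for this example


def triage(script):
    """Return (score, hits): the summed weight and the descriptions of the
    indicators that matched (each counted once, case-insensitively)."""
    score, hits = 0, []
    for pattern, weight, what in INDICATORS:
        if re.search(pattern, script, re.IGNORECASE):
            score += weight
            hits.append(what)
    return score, hits


def is_suspicious(script, threshold=THRESHOLD):
    return triage(script)[0] >= threshold


# Constructed sample resembling a plugin-probing landing page. It is harmless:
# the control name and host are hypothetical and it contains no exploit code.
PROBE_SAMPLE = r"""
var p = navigator.plugins, hasPdf = false, hasJava = false;
for (var i = 0; i < p.length; i++) {
  if (p[i].name.indexOf("Adobe Acrobat") != -1) hasPdf = true;
  if (p[i].name.indexOf("Java Plug-in") != -1) hasJava = true;
}
try { var ctl = new ActiveXObject("Example.Control"); } catch (e) {}
var sc = unescape("%u9090%u9090");
document.write('<iframe src="http://host.example/x" width="0" height="0"></iframe>');
eval(String.fromCharCode(118, 97, 114));
"""

# Constructed benign sample: ordinary page code that happens to use eval once.
BENIGN_SAMPLE = r"""
function show(id) { document.getElementById(id).style.display = "block"; }
if (navigator.userAgent.indexOf("MSIE") != -1) { show("ie-notice"); }
var cfg = eval("(" + document.getElementById("cfg").innerHTML + ")");
"""

if __name__ == "__main__":
    for name, sample in (("probe", PROBE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits = triage(sample)
        print(f"{name}: score={score} suspicious={is_suspicious(sample)}")
        for h in hits:
            print("   -", h)
```

Because the real scripts were obfuscated, a static scorer like this only sees the unpacking layer (unescape, fromCharCode, eval); the plugin checks and the exploit itself typically appear only after the script has been run, which is why a heuristic score should route a page to execution in an instrumented browser rather than decide on its own.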


In addition to targeting websites and ad networks directly, we have seen criminals stepping up their attacks against the popular social networks. We conducted some experiments on one dozen social networking sites to understand how they are protecting their users from malicious content and malicious advertisements.

All of the experiments we ran were benign and did not harm either users or the social networks. We posted status messages and ads on social media sites that were illustrative of the type of attacks that criminals might actually employ, but which did not actually harm any users or the social networks.

In our first set of experiments, we created “test” accounts on social media sites that were not connected to any real users (or “friends”) and posted status messages from them. The status posts included links to URLs that were flagged by Google Safe Browsing, or links to a benign drive-by-download. The flagged URLs were URLs that we had submitted to Google to have flagged, and they do not cause any harm to users. The benign drive-by-download likewise does not infect a user’s machine and does not send any malware to it. Instead, it sends a copy of the standard Windows calculator application to the user’s machine and starts it. The test is designed to show that it would be possible to infect the user’s machine, since a program is delivered and executed, but does so without harming the user’s machine or the social networking site itself.

Social networking sites are open platforms for communication that can be used by anyone, and cybercriminals are regularly conducting “tests” and attacks that are harmful, unlike the benign tests that we conducted during the compilation of this report. The cross-site-scripting attacks that took place against Twitter in September 2010 are a clear example of how attackers conducted harmful tests and virally evolved their attacks using the network effect of the site itself. Even more significant attacks against many social networks have been conducted by the Koobface botnet -- as per a study conducted by the Information Warfare Monitor, “Koobface spreads through social networking platforms by using credentials on compromised computers to login to the victim’s account and send messages that contain links to malware to friends that are linked to the account. … The malicious link is often concealed using the URL shortening service and sometimes redirects once again through a Blogspot blog to a malicious Web page that encourages the user to run the accompanying executable.”

In our experiments, we posted three types of links in our posts: (a) URLs that were flagged on Google’s Safe Browsing list, (b) links that led to a benign drive-by-download (as described above), and (c) links to a benign drive-by-download that were URL-shortened using services such as tinyurl and one other shortening service. The results were fascinating -- 81% of the social networking sites that we tested let through links of type (a) that were flagged on Google’s Safe Browsing list, and 100% of the social networking sites that we tested let through links of type (b) to the benign drive-by-download.

We experimented with two types of shortened links: (c1) links shortened with tinyurl, and (c2) links shortened with the other shortening service. The tinyurl links of type (c1) redirected directly to a URL flagged on Google’s Safe Browsing list. Because the other service checks links against Google’s Safe Browsing list before shortening them, the links of type (c2) went through a level of indirection: they redirected to a tinyurl link, which in turn redirected to a URL flagged on the Google Safe Browsing list. We found that 72% of the social networking sites we tested let through links of type (c1), and 81% let through links of type (c2). We note that the other service also checks links against Google’s Safe Browsing list before redirecting users, which may account for why some social networking sites are more liberal in letting through links shortened with it without any additional checks.

Double digit percentages of status messages on social networking sites have links in them, but most social networking sites don’t scan the links for malware. Twitter notably started using Google’s Safe Browsing API in August 2009 to check links, which has the advantage that some checking is done, but checking against the Google Safe Browsing list only catches URLs that are already known to be infected by Google.

If clicking on a link on a social networking site can infect a user’s machine, the user may perceive that the site itself is (at least partially) at fault. At the same time, social networking sites face a hard challenge: billions of posts take place per day, and hundreds of millions of those posts may contain URLs. Some web sites display an interstitial page before sending a user off to a different domain, but most sites do not. Also, with URL shorteners in wide use, it is practically impossible to guess where a link will send a user’s browser without following it. As such, some services do not allow links to be posted at all on various parts of their site, but most sites do not curtail functionality to that extent.
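The check that the (c1) and (c2) results call for, as an added example that is not code from the Dasient report or from any of the sites or shorteners it tested: a link has to be followed through its whole redirect chain, with every hop checked, because a shortener that vets a link only when it is created (the (c2) case) and a site that checks only the URL as posted are both defeated by putting another redirect in front. The redirect table here stands in for live HTTP Location headers, the blocklist stands in for a Safe Browsing lookup, and every hostname is hypothetical.

```python
"""Resolve a posted link through its redirect chain and check each hop.

Added example, not code from the Dasient report. `REDIRECTS` and `BLOCKLIST`
are constructed stand-ins for the network and for a Safe Browsing lookup.
"""
from urllib.parse import urlsplit

MAX_HOPS = 10

# Constructed stand-in for a Safe Browsing lookup: hostnames known to be bad.
BLOCKLIST = {"flagged.example.net"}

# Constructed stand-in for the network: URL -> where its redirect points.
# A URL missing from this table is a final page (no Location header).
REDIRECTS = {
    # (c1): one shortener in front of the flagged page
    "http://short.example/c1": "http://flagged.example.net/landing",
    # (c2): a shortener that vetted the link at creation time, pointing at
    # another shortener, which points at the flagged page
    "http://checked-short.example/c2": "http://short.example/c1",
    # a redirect loop, to exercise the hop guard
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}


def is_flagged(url):
    """Blocklist check on a single URL (by host, as a stand-in for Safe Browsing)."""
    return urlsplit(url).hostname in BLOCKLIST


def check_posted_url_only(url):
    """The weak check: look at the URL exactly as posted, never follow it."""
    return "flagged" if is_flagged(url) else "clean"


def check_full_chain(url, fetch=REDIRECTS.get, max_hops=MAX_HOPS):
    """The stronger check: follow every redirect and check each hop.

    `fetch(url)` returns the next URL, or None when `url` is a final page.
    Returns (verdict, chain) where verdict is "flagged", "clean" or
    "suspicious" (a loop or too many hops, which is not let through either).
    """
    chain = [url]
    seen = {url}
    while True:
        current = chain[-1]
        if is_flagged(current):
            return "flagged", chain
        nxt = fetch(current)
        if nxt is None:
            return "clean", chain
        if nxt in seen or len(chain) >= max_hops:
            return "suspicious", chain
        chain.append(nxt)
        seen.add(nxt)


if __name__ == "__main__":
    for posted in ("http://short.example/c1",
                   "http://checked-short.example/c2",
                   "http://loop.example/a",
                   "http://benign.example/page"):
        verdict, chain = check_full_chain(posted)
        print(posted)
        print("  posted-URL check:", check_posted_url_only(posted))
        print("  full-chain check:", verdict, "via", " -> ".join(chain))
```

To run this against real links, replace `fetch` with a request made with redirects disabled that returns the Location header (and times out quickly), keep the hop limit, and remember that a list lookup on each hop still only catches pages already known to be bad; the final landing page should additionally be scanned for drive-by behaviour, which is the gap the report’s type (b) results expose.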

In a second set of experiments, we posted advertisements whose click-through URLs led to a benign drive-by-download. An example of such an ad is below:

Despite Neil’s smile, the ad above is a scary-looking ad! Most of us would never click on such an ad. When the ad was posted, it did have a very low click through rate, but some of us were surprised it got clicked on at all. When the "Click for a security test" link in the ad is clicked on, users are redirected to an ad landing page with a benign drive-by-download.

In one of these experiments, we uploaded the ad with a budget of $100, and the ad was approved on 10/21/2010. It was scheduled to run for one month until 11/20/2010. The ad ran for over three weeks, almost the fully allotted duration before the ad was disapproved. The ad received 159,767 impressions and 103 clicks. Our account was charged $26.64 USD on 11/5, and $27.47 USD on 11/10 before it was disapproved on 11/12. Our account was charged a remaining $13.54 USD on 11/17 after the ad was disapproved.

If we had put a picture of a pretty woman on the ad, written more enticing text, and used a less suspicious-looking domain, our guess is that it would probably have received many more click-throughs.

As a point of comparison, the same ad would have been disabled almost immediately upon upload on at least some ad networks run by search engines because such ad networks that have been around for longer ensure that ad landing pages are automatically scanned for drive-by-downloads, pop-ups, and other undesirable behavior. Overall, we are still in the early days of the evolution of social networking sites, and we expect that such sites will deploy additional protections over time. It is also worth mentioning that social networking sites are not inherently safe or unsafe, and social networking sites are no more unsafe than your average web page on any other part of the Internet. The key difference is that they are receiving a lot more traffic and eyeballs, and that can make them an attractive target and platform for the distribution of malware as well as other forms of abuse by cybercriminals. As such, we believe that it is only a matter of time before social networking sites start deploying additional defenses. We recommend that social networking sites should take advantage of resources such as Google’s Safe Browsing API to check links against known lists of bad sites, and scan links for web malware threats so that their networks can be safer places for users over the medium and long-term.


In looking at the statistics and the results of our research we can’t help but underscore the importance of protecting one's online presence from web malware and malvertising attacks. The numbers clearly show that hackers are not only ramping up their efforts, but they also continue to become smarter and constantly find new vectors of attack. While ‘traditional’ organizations (such as financial services, web hosting, publishers/ad networks etc.) continue to face the ever increasing web malware threat, the new name of the game is social media/networking sites. It’s no longer enough to be simply aware of the threat. Business owners need to take a proactive stance in protecting visitors who trust their sites. They can do this by regularly monitoring their websites for malware and malvertising.

"The increase in exploits targeting trusted websites and the ad supply chain highlights the need for all companies, including those in the advertising community, to harden their sites and processes to avoid being exploited," said Craig Spiezle, Executive Director and President, Online Trust Alliance. “Left unchecked, consumers are increasingly being exploited, diminishing online trust and the vitality of the internet. Dasient’s data is proof that failure to follow best practices and anti-malvertising guidelines is no longer an option."

If you're a business owner and you'd like to learn more about how the Dasient Web Malware Protection Suite can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed for all the latest in web-based malware and general security news.

Keep your sites safe!
Your Dasient Team


