Malware finds a new home


Compromised websites are replacing email for mass distribution of malware, argues Paul A. Henry.

Conventional wisdom says email systems are the pipeline of choice for malware distribution. But times have changed, and so too have Internet attack patterns.

In many cases, mass-mailing malware is now inefficient due to the noise it generates as it traverses the Internet. Similar to a sonic boom, the noisy email attacks send echoes across the Web, giving administrators ample time to alert users, lock down networks and mitigate new threats.

Sure, targeted email attacks will continue. But compromised web pages are now rapidly emerging as the replacement vehicle of choice for mass malware distribution. Multiple layers of exploit code targeting Web systems have found a blind spot in safeguards such as traditional Anti-Virus and Intrusion Detection Systems (IDS).

Malware code using everything from simple UU encoding techniques to elaborate self-decoding JavaScript is currently wreaking havoc on the Internet. The methodology has become so popular that a security term has been coined to represent the act of web-based malware distribution: drive-by downloads.

The attack trends are undeniable:

• Email-based malware today is running at a rate that is less than half of that seen in 2006.

• At the same time web-based malware is seeing explosive growth, up over 150 percent in the same time period.

• On average, more than 5,000 new websites hosting malware are discovered daily, with China leading the way as the top malware-hosting country in the world.

With these trends in mind, web-based malware has caught the attention of security researchers. Google, for instance, recently disclosed that 450,000 out of 4.5 million URLs (1 in 10) were successfully launching malware binaries and another 700,000 URLs were found to have suspicious activity. Google published its findings in a report entitled "The Ghost In The Browser".

A recent posting on the SANS Internet Storm Center (a security blog) revealed how quickly one bad site can turn into a web of problems. Specifically, the blog revealed that a single malware-hosting website contained a list of more than 600 other suspected malware sites.

Hybrid attacks are also becoming commonplace. In a hybrid attack, malicious banner ads can be posted across multiple websites. When an unsuspecting user clicks on the malicious ad, he or she is redirected to a compromised website that installs keyloggers onto the user's PC.

The web-based malware explosion continues to evolve with popular video hosting websites now becoming yet another channel for malicious hackers. One recent victim is YouTube. The infamous Zlob adware has appeared on YouTube masquerading as a YouTube video object.

When a user selects the Zlob-compromised video they are bombarded with advertisements.

Alas, malware wasn't a one-time problem for YouTube. In another example, a video on YouTube called "After World Episode 6" caused a file with a movie icon to be downloaded to users' PCs. When users click on the icon, two different Trojan horses are installed on their PCs. The Trojans steal the users' personal information and then send it to a server in the former Soviet Union.

The situation sounds dire. Until you begin to examine a more modern approach to IT security known as a reputation-based defence system, that is. The first and most advanced reputation-based solution, known as TrustedSource, combats both spam and web-borne malware.

TrustedSource leverages thousands of intelligent security outposts across the web to develop reputation scores for specific IP addresses, networks, domains and other Internet entities, as well as message content and images. Similar to your financial credit score, TrustedSource ranks Internet entities according to their associated risk, and then takes the appropriate action to either permit or block traffic from that entity.

The TrustedSource system examines dozens of variables, including:

• When was the domain registered?
• Who owns the domain and what other domains are owned by that entity?
• From where are URLs accessed and at what times?
• How many IPs host a domain and what did we learn about them?

TrustedSource reputation defence data now augments the capabilities of Secure Computing’s SmartFilter URL filter, providing the ability to effectively defend against web-borne malware. Simply put, the dynamic reputation information is combined with the URL filtering information within the URL filters database. Users are transparently protected from web-borne malware by the incorporation of reputation scores within traditional URL filtering.
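To make the two preceding ideas concrete (the reputation variables listed above, and their combination with a URL filter's category database), here is an added example written for this article. It is not TrustedSource or SmartFilter code, and nothing in it describes how those products actually score; the domains, registrants, IP addresses, weights, thresholds and the "today" date are all constructed, and the scoring rules are one illustrative reading of the four questions in the list.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlparse

# Constructed fact store standing in for the reputation system's collected data.
TODAY = date(2007, 6, 1)                         # assumed evaluation date
KNOWN_BAD_DOMAINS = {"codec-pack-now.test", "hot-video-plugin.test"}
BLOCKED_CATEGORIES = {"gambling", "malware"}    # from the URL filter policy


@dataclass(frozen=True)
class DomainFacts:
    domain: str
    registered: date      # when was the domain registered?
    registrant: str       # who owns the domain?
    hosting_ips: tuple    # how many IPs host it, and which ones?
    category: str         # the URL filter database's classification


FACTS = {
    "example-news.test": DomainFacts("example-news.test", date(2001, 3, 14),
                                     "Example Media Inc", ("192.0.2.10",), "news"),
    # Registered days ago, same registrant as a known-bad domain, hosted on
    # nine IPs that overlap with that domain's hosting: the classic profile.
    "free-codec-update.test": DomainFacts("free-codec-update.test", TODAY - timedelta(days=10),
                                          "anon-reg-7781",
                                          tuple(f"198.51.100.{i}" for i in range(1, 10)), "unknown"),
    "codec-pack-now.test": DomainFacts("codec-pack-now.test", TODAY - timedelta(days=40),
                                       "anon-reg-7781",
                                       ("198.51.100.1", "198.51.100.2", "198.51.100.3"), "malware"),
    "lucky-spins.test": DomainFacts("lucky-spins.test", date(2004, 8, 2),
                                    "Lucky Spins Ltd", ("203.0.113.5",), "gambling"),
}


def build_indexes(facts):
    """Answer 'what other domains does this owner / this IP have?' in O(1)."""
    by_registrant, by_ip = {}, {}
    for f in facts.values():
        by_registrant.setdefault(f.registrant, set()).add(f.domain)
        for ip in f.hosting_ips:
            by_ip.setdefault(ip, set()).add(f.domain)
    return by_registrant, by_ip


BY_REGISTRANT, BY_IP = build_indexes(FACTS)


def reputation_score(domain: str, today: date = TODAY) -> int:
    """Risk score from 0 (trusted) to 100 (block), built from the listed variables."""
    f = FACTS[domain]
    score = 0
    age_days = (today - f.registered).days
    if age_days < 30:                      # freshly registered
        score += 35
    elif age_days < 180:
        score += 15
    siblings = BY_REGISTRANT.get(f.registrant, set()) - {domain}
    if siblings & KNOWN_BAD_DOMAINS:       # owner already hosts known malware
        score += 25
    if len(f.hosting_ips) >= 5:            # unusually many hosts for one domain
        score += 15
    bad_neighbours = sum(
        1 for ip in f.hosting_ips if (BY_IP.get(ip, set()) - {domain}) & KNOWN_BAD_DOMAINS
    )
    score += min(bad_neighbours * 10, 25)  # shares infrastructure with bad domains
    if f.category == "unknown":            # the URL filter has no opinion yet
        score += 10
    return min(score, 100)


def filter_decision(url: str, today: date = TODAY):
    """Combine static category filtering with the dynamic reputation score."""
    domain = urlparse(url).hostname
    f = FACTS.get(domain)
    if f is None:
        return ("warn", "unrated domain")
    if f.category in BLOCKED_CATEGORIES:   # category policy wins outright
        return ("block", f"category:{f.category}")
    risk = reputation_score(domain, today)
    if risk >= 60:
        return ("block", f"reputation:{risk}")
    if risk >= 30:
        return ("warn", f"reputation:{risk}")
    return ("allow", f"reputation:{risk}")


if __name__ == "__main__":
    for url in ("http://example-news.test/story", "http://free-codec-update.test/codec.exe",
                "http://lucky-spins.test/", "http://unrated.test/"):
        print(url, filter_decision(url))
```

The point the example makes is the one in the text: a URL filter alone would let `free-codec-update.test` through because its category is merely "unknown", while the reputation variables (age, shared owner, shared hosting) push it to a block without anyone having first analysed the file it serves.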

Paul Henry is vice president, Technology Evangelism, at Secure Computing Corporation. He can be reached at

Copyright © SC Magazine, US edition
