It was just a matter of time before malware distributors started exploiting hosts. For the last several years Open Directory volunteer editors have noticed hosts they were exploited by programs that put hidden porn and drug links and text on the sites on that host.
There are also some parking hosts that are either adding the malware themselves or are being exploited.
Blogs may be next, if they are not a target already. We saw an explosion of "hijacked" blogs about 3-4 years ago. I assume the blog owner's password was hacked. Off-topic links and copied text was substituted for the original content. For a search engine there is little context to know what the original content was. It is quite evident to from the original title and description that the site is hacked/hijacked. Of course, once a search engine is instructed what to look for, it is effective in searching for similar sites. One example: --hamster-dwarf.blogspot.com-- The site was originally listed in Open Directory as " Hamster Hang Out - A general guide on the care of Campbell's Russian Dwarf hamsters. Includes information on care, diet and health." I think the content has changed :)
Even earlier than exploiting blogs, hackers/hijackers were changing content of free-hosted sites. I imagine it is fertile ground for malware producers. One example: -jwscattergood.mysite.wanadoo-members.co.uk- That particular free host is not worse than others, most were exploited.
Yes it's become very bad. I really appreciate the Google Safe Browsing API being available. While I haven't gotten to use it yet, it's another tool that can be used to prevent spreading of malware.
As for causes, I'd say most of the causes are on the web application area. There are tons of new exploits and vulnerabilities found daily and all it takes is a handful of people to forget to upgrade and there is another handful of websites with more malware.
Most of the Malware hosting runs along the same lines as spam... older domain URL's that have been purchased as place holders to serve up some kind of PPC ads.. normally about 6 mos. to a year after the first purchase a second purchase may occur when then has a refresh tag to and inside URL that has a +26 character pagename (26+.html, etc.) which has a large image of somekind at the top and drive by malware at the bottom.. by the time the image loads... it's too late..
i think better policing of DEAD URLs will go along way to fixing this problem.
On the analysis of the network connections: Did you investigate also new listening ports? I am wondering whether compromised hosts are abused as phishing sites (which might be promoted by some spam-malware that is pushed on the client machine)
On the anti-virus scan: Would be great if you could include some stats on the classification of the malware. In our work, we mostly saw fraudulent applications (approx 37%), spyware/adware (approx 6%), and bots/ rootkits/ spam apps (< 5%). While our data set only analyzed about 200 malicious URLs, it would be interesting to see results on the gigantic data set Google has available.
Its interesting that while Google has spent so much time researching drive-by downloads, they dont know how to test a product's protection against them. They still continue to use AV scanners to test drive-by downloads. That approach is just plain wrong.. because when you do that, you are testing only one aspect of the product - the av engine.
I have been looking at a specific feature in NIS/NAV2008 called Browser Defender that according to Symantec was specifically designed to detect and block drive-by downloads even if they are obfuscated.
I have to say, it works incredibly well even if you modifying the JScript to tweak the shell-code or the JScript. Google's tests did not take this into account, so the results that they have in their paper that the best protection they found was 70% is very misleading.
Google you need to fix your test methodology. What you should do is install the entire security product under test and then launch the browser with the offending URL and see if it detects it. Oh.. one important point. If have to have the ActiveX being exploited actually installed on the machine.
Google report was interesting reading, and it was satisfying to notice that it repeated some of the findings of the recent WOT study of dangerous websites: http://www.mywot.com/en/press/february
In this study we found out that the 3 categories of websites causing most damage to users are adult content (28% of the dangerous sites analyzed), software (27%), and entertainment (16%).
The study is based on analysis of 17 million websites rated by the WOT user community: www.mywot.com
The "malvertisement" problem has sadly been around for almost two years now (at least as far as i know) and it's worrysome that it's getting worse. One of the problems is indeed the increasing # of ad-networks and hence the longer redirect stream.
If anyone is interesting I've written extensively about the advertising problem: http://www.mikeonads.com/what-is-errorsafe-and-how-do-we-stop-it/
Sandi has a more up to date list of "bad ads" on her blog here: http://msmvps.com/blogs/spywaresucks/Default.aspx
It is tough to blame the ad-networks for this problem simply because there are more of them. That is like blaming car dealers for an increase in carjackings.
Do you (Google) contact the owner of the potentially affected host and let them know your findings? It may be helpful to give them your data so they can take measures to deal with the malware.
And Mcafee SiteAdvisor (www.siteadvisor.com) is a tool for web-users looking to verify if sites have been infected. This along with google's own system seem to do a decent job keeping people from accessing infected sites.
Nice work done!!! But can we have any permanent solution to avoid this malware from internet? Can Google remove such sites from search results that will stop visitors to visit such sites?
Given the impossibility of policing the internet we believe a client side browser security solution is needed. ZoneAlarm ForceField virtualizes the browser so that any malware received in a drive by download is trapped in the virtual session. More information is available at www.zonealarm.com. Laura Yecies General Manager, Check Point ZoneAlarm Consumer Division
The trouble with this is that it becomes more of a shock if a Google result turns out to be malware! :) I had a malware search result today. The URL was http://www.gbminis.lhosting.info/burris-b2a/international-sim-card-uk.html It would be nice if there was a way of reporting a search result as potentially harmful.. Regards Rick
The simple fact is that a browser, connected to the largest network in modern history, should not have the privilege to create and execute files, unattended, all over the OS system. If browser developers are unwilling to adopt a 'sandbox' security model we will continue to be vulnerable to internet-based attacks. Whether a site is trusted or not, it should not have any ability to permanently modify the browser or OS. Our security, software, and identities are continually compromised because the 'good guys' have the same interest as the 'bad guys'-- accessing detailed system/user information and exploiting it. Therefore, I assert that we will remain exposed to internet based 'attacks' because it is in the interest of browser makers to server up the greatest access to OS/User to advertisers and site traffic tools.
23 comments :
It was just a matter of time before malware distributors started exploiting hosts. For the last several years Open Directory volunteer editors have noticed hosts they were exploited by programs that put hidden porn and drug links and text on the sites on that host.
There are also some parking hosts that are either adding the malware themselves or are being exploited.
Blogs may be next, if they are not a target already. We saw an explosion of "hijacked" blogs about 3-4 years ago. I assume the blog owner's password was hacked. Off-topic links and copied text was substituted for the original content. For a search engine there is little context to know what the original content was. It is quite evident to from the original title and description that the site is hacked/hijacked. Of course, once a search engine is instructed what to look for, it is effective in searching for similar sites. One example:
--hamster-dwarf.blogspot.com-- The site was originally listed in Open Directory as " Hamster Hang Out - A general guide on the care of Campbell's Russian Dwarf hamsters. Includes information on care, diet and health." I think the content has changed :)
Even earlier than exploiting blogs, hackers/hijackers were changing content of free-hosted sites. I imagine it is fertile ground for malware producers. One example:
-jwscattergood.mysite.wanadoo-members.co.uk- That particular free host is not worse than others, most were exploited.
Yes it's become very bad. I really appreciate the Google Safe Browsing API being available. While I haven't gotten to use it yet, it's another tool that can be used to prevent spreading of malware.
As for causes, I'd say most of the causes are on the web application area. There are tons of new exploits and vulnerabilities found daily and all it takes is a handful of people to forget to upgrade and there is another handful of websites with more malware.
Most of the Malware hosting runs along the same lines as spam... older domain URL's that have been purchased as place holders to serve up some kind of PPC ads.. normally about 6 mos. to a year after the first purchase a second purchase may occur when then has a refresh tag to and inside URL that has a +26 character pagename (26+.html, etc.) which has a large image of somekind at the top and drive by malware at the bottom.. by the time the image loads... it's too late..
i think better policing of DEAD URLs will go along way to fixing this problem.
thanks for the heads up.. good article :)
Lots of information. Thanks guys!
On the analysis of the network connections: Did you investigate also new listening ports? I am wondering whether compromised hosts are abused as phishing sites (which might be promoted by some spam-malware that is pushed on the client machine)
On the anti-virus scan: Would be great if you could include some stats on the classification of the malware. In our work, we mostly saw fraudulent applications (approx 37%), spyware/adware (approx 6%), and bots/ rootkits/ spam apps (< 5%). While our data set only analyzed about 200 malicious URLs, it would be interesting to see results on the gigantic data set Google has available.
Christian
Its interesting that while Google has spent so much time researching drive-by downloads, they dont know how to test a product's protection against them. They still continue to use AV scanners to test drive-by downloads. That approach is just plain wrong.. because when you do that, you are testing only one aspect of the product - the av engine.
I have been looking at a specific feature in NIS/NAV2008 called Browser Defender that according to Symantec was specifically designed to detect and block drive-by downloads even if they are obfuscated.
I have to say, it works incredibly well even if you modifying the JScript to tweak the shell-code or the JScript. Google's tests did not take this into account, so the results that they have in their paper that the best protection they found was 70% is very misleading.
Google you need to fix your test methodology. What you should do is install the entire security product under test and then launch the browser with the offending URL and see if it detects it. Oh.. one important point. If have to have the ActiveX being exploited actually installed on the machine.
Google report was interesting reading, and it was satisfying to notice that it repeated some of the findings of the recent WOT study of dangerous websites: http://www.mywot.com/en/press/february
In this study we found out that the 3 categories of websites causing most damage to users are adult content (28% of the dangerous sites analyzed), software (27%), and entertainment (16%).
The study is based on analysis of 17 million websites rated by the WOT user community: www.mywot.com
Question: when will you solve the problem with iclk script that's being used as a redirector for spam, phishing and malware?
The "malvertisement" problem has sadly been around for almost two years now (at least as far as i know) and it's worrysome that it's getting worse. One of the problems is indeed the increasing # of ad-networks and hence the longer redirect stream.
If anyone is interesting I've written extensively about the advertising problem: http://www.mikeonads.com/what-is-errorsafe-and-how-do-we-stop-it/
Sandi has a more up to date list of "bad ads" on her blog here: http://msmvps.com/blogs/spywaresucks/Default.aspx
-mike
It is tough to blame the ad-networks for this problem simply because there are more of them. That is like blaming car dealers for an increase in carjackings.
Do you (Google) contact the owner of the potentially affected host and let them know your findings? It may be helpful to give them your data so they can take measures to deal with the malware.
And Mcafee SiteAdvisor (www.siteadvisor.com) is a tool for web-users looking to verify if sites have been infected. This along with google's own system seem to do a decent job keeping people from accessing infected sites.
www.mbridge.com
Nice work done!!! But can we have any permanent solution to avoid this malware from internet? Can Google remove such sites from search results that will stop visitors to visit such sites?
Given the impossibility of policing the internet we believe a client side browser security solution is needed. ZoneAlarm ForceField virtualizes the browser so that any malware received in a drive by download is trapped in the virtual session. More information is available at www.zonealarm.com.
Laura Yecies
General Manager, Check Point ZoneAlarm Consumer Division
The trouble with this is that it becomes more of a shock if a Google result turns out to be malware! :)
I had a malware search result today. The URL was http://www.gbminis.lhosting.info/burris-b2a/international-sim-card-uk.html
It would be nice if there was a way of reporting a search result as potentially harmful..
Regards
Rick
The simple fact is that a browser, connected to the largest network in modern history, should not have the privilege to create and execute files, unattended, all over the OS system. If browser developers are unwilling to adopt a 'sandbox' security model we will continue to be vulnerable to internet-based attacks. Whether a site is trusted or not, it should not have any ability to permanently modify the browser or OS. Our security, software, and identities are continually compromised because the 'good guys' have the same interest as the 'bad guys'-- accessing detailed system/user information and exploiting it. Therefore, I assert that we will remain exposed to internet based 'attacks' because it is in the interest of browser makers to server up the greatest access to OS/User to advertisers and site traffic tools.
Questo blog è davvero utile e pieno di ottime informazioni. Grazie mille
Redatto da http://www.cataniaroma.com
Post a Comment