Covering the global threat landscape

LAST-MINUTE PAPER: Cleaning up the net 2.0 - a success story of cleaning 3000+ websites

Adrian Leuenberger SWITCH

This talk is more or less a follow-up of Stefan Tanase's talk from 2011: 'Cleaning up the net - a tale of 100 infected websites', although from a very different angle and with rather different results. SWITCH is a Swiss university foundation which operates the network backbone for Swiss universities. SWITCH also operates the domain registry for .ch / .li domains on behalf of the government and is running a programme that enforces clean Swiss domains.

As Stefan rightly pointed out in his talk last year, prevention is not always easy or successful, and it is a fact that a vast number of web servers are compromised every day. The owners are rarely aware of the compromise, and if they are informed about it they do not know how to act, do not understand the issue, are not technically safe, do not act fast enough and so on. At the end of the day, infected servers continue to infect innocent visitors for far longer than necessary.

This was no different in Switzerland - until we changed the game. Between January 2012 and July 2012 a total of 1,052 affected websites were rendered harmless. Today, websites are usually cleaned within one day (that is 24 hours) on average. This talk will detail how it was possible to achieve such a fast clean-up pace, how we got to a cleaning rate of 95% and what challenges we still face. Together with the legislator, the Federal Office of Communications (OFCOM) in Switzerland, SWITCH implemented a unique process that does not exist anywhere else in the world and that allows the blocking of domains under certain circumstances. Namely, if the domain spreads malicious code (drive-by attacks) or is used to host phishing pages.

Looking at the issue from a technical perspective, attackers want compromised servers to remain alive as long as possible and to infect as many innocent visitors as possible. Due to this requirement, they hide their changes deep in the systems so that administrators have a hard time identifying the changes and reverting the system to a pristine state. We will point out the usual tricks that attackers use to hide their code and the locations where the code can be found.

To actually block domains, SWITCH is required to check each and every domain and ensure that there is in fact malicious code that spreads when visiting the page. This can only be done if the analyst looking at a certain domain knows all the tricks to hide the malicious code. After this semi-automatic verification, the website owners are informed and we have quite a few interesting reactions and feedback to share with the audience.