LAST-MINUTE PAPER: Cleaning up the net 2.0 - a success story of cleaning 3000+ websites
Adrian Leuenberger SWITCH
This talk is more or less a follow-up of Stefan Tanase's talk from 2011: 'Cleaning up the net - a tale of 100 infected
websites', although from a very different angle and with rather different results. SWITCH is a Swiss
university foundation which operates the network backbone for Swiss universities. SWITCH also operates the domain
registry for .ch / .li domains on behalf of the government and is running a programme that enforces clean Swiss domains.
As Stefan rightly pointed out in his talk last year, prevention is not always easy or successful, and it is a fact
that a vast number of web servers are compromised every day. The owners are rarely aware of the compromise, and if they
are informed about it they do not know how to act, do not understand the issue, are not technically safe, do not act fast
enough and so on. At the end of the day, infected servers continue to infect innocent visitors for far longer than necessary.
This was no different in Switzerland - until we changed the game. Between January 2012 and July 2012 a total of 1,052
affected websites were rendered harmless. Today, websites are usually cleaned within one day (that is 24 hours) on
average. This talk will detail how it was possible to achieve such a fast clean-up pace, how we got to a cleaning rate of
95% and what challenges we still face. Together with the legislator, the Federal Office of Communications (OFCOM) in
Switzerland, SWITCH implemented a unique process that does not exist anywhere else in the world and that allows the blocking
of domains under certain circumstances. Namely, if the domain spreads malicious code (drive-by attacks) or is used to host
Looking at the issue from a technical perspective, attackers want compromised servers to remain alive as long as possible
and to infect as many innocent visitors as possible. Due to this requirement, they hide their changes deep in the systems
so that administrators have a hard time identifying the changes and reverting the system to a pristine state. We will
point out the usual tricks that attackers use to hide their code and the locations where the code can be found.
To actually block domains, SWITCH is required to check each and every domain and ensure that there is in fact malicious
code that spreads when visiting the page. This can only be done if the analyst looking at a certain domain knows all the
tricks to hide the malicious code. After this semi-automatic verification, the website owners are informed and we have
quite a few interesting reactions and feedback to share with the audience.