2010-01-01
Abstract
'There are now over 100 times more infected websites on the Internet than three years ago.' Costin Raiu, Kaspersky Lab.
Copyright © 2010 Virus Bulletin
One of the marked trends in the world of cybercrime is the distribution of malware via the World Wide Web. While email worms such as Melissa wreaked havoc in the early years of the last decade, in recent years, the web has become the main distribution point for malware. Malicious programs are hosted on websites; users are then either tricked into running these programs manually, or exploits are used to execute the malware automatically on victim machines.
At Kaspersky Lab, we’ve been monitoring this trend with growing concern. In 2006, we designed and deployed a project called PatroKLes. PatroKLes monitors the web space for infections that are hitting high-profile websites.
There has been a sharp rise in the number of infected websites from roughly one in every 20,000 or so in 2006 to one in every 150 at the beginning of 2009. The number of infected sites now fluctuates around this number. This may mean that saturation point has been reached – all the websites that can be infected have been infected. However, the number rises and falls as new vulnerabilities and tools are discovered that allow attackers to take over new hosts.
In practice, one infected site in every 150 means that a new computer user will hit an infected website after only a few days of regular browsing. Sometimes it will happen even sooner, as search engine optimization (SEO) is often used to drive traffic to malicious websites.
In 2008, the malware most commonly detected on infected websites was Trojan-Clicker.JS.Agent.h, closely followed by Trojan-Downloader.JS.Iframe.oj. There were two very interesting cases in 2009, the first of which was Net-Worm.JS.Aspxor.a. Although this malware was first seen back in July 2008, it became far more widespread in 2009. It uses a kit that finds SQL injection vulnerabilities in websites and then exploits them to insert malicious iframes.
Another very interesting case is Gumblar, named after the Chinese domain that was used as an exploitation point. The ‘gumblar’ string, visible in the obfuscated JavaScript which is added to websites, is a clear sign that a website has been compromised. The ‘gumblar.cn’ domain, which was originally used in these attacks, has been taken down, but the bad guys have since switched to new domains.
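As an added example (not part of the original article), a small Python scanner for the indicators described above: script blocks carrying the 'gumblar' string or eval/unescape obfuscation, and injected iframes that are 1x1 or hidden by CSS. The sample page is constructed and the example.invalid domain is a placeholder; the real injected code is not reproduced.

```python
import re
from html.parser import HTMLParser

# Constructed sample page with two injected artifacts of the kind the article
# describes; the script body and example.invalid are placeholders, not real Gumblar code.
SAMPLE_HTML = """<html><body>
<h1>Company news</h1>
<script>var gumblar_x = eval(unescape('%61%6c%65%72%74'));</script>
<iframe src="http://example.invalid/in.php" width="1" height="1"></iframe>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
</body></html>"""

# Indicators: the 'gumblar' string, generic eval/unescape obfuscation, hiding CSS.
GUMBLAR_MARKER = re.compile(r"gumblar", re.IGNORECASE)
OBFUSCATION = re.compile(r"\b(eval|unescape)\s*\(", re.IGNORECASE)
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (indicator, evidence) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            w, h = a.get("width", ""), a.get("height", "")
            tiny = w.isdigit() and h.isdigit() and max(int(w), int(h)) <= 1
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        if GUMBLAR_MARKER.search(data):
            self.findings.append(("gumblar_marker", data.strip()[:40]))
        elif OBFUSCATION.search(data):
            self.findings.append(("obfuscated_script", data.strip()[:40]))

def scan_html(html):
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run `scan_html(SAMPLE_HTML)` to get the flagged script and the 1x1 iframe; the visible 640x360 iframe is not reported.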
Once an infection is identified, we attempt to inform the owners. We provide assistance with identifying the malicious code in the page, as well as suggestions on how to secure the server in the future. Unfortunately, we rarely hear back from the owners of these sites. Moreover, there are cases when the owners reply, but do not clean the infection.
Over the past three years, the number of legitimate websites that have been infected with malware has grown at an alarming rate. There are now over 100 times more infected websites on the Internet than three years ago. High-profile, high-traffic websites are a valuable commodity for cybercriminals, as there will be large pools of potential victims that can be infected via such sites. Our experience indicates that the owners of these websites are rarely aware of the infections, and when they are aware, they seldom know how to handle them: in some cases, sites have remained infected for years.
A lot of infections seem to arise through vulnerabilities in old versions of various CMS packages, ranging from PHPBB to WordPress. Yet, based on feedback we have received, the majority of website infections occur via stolen account credentials. Web developers or others with login credentials for the website get infected with a password-stealing trojan and the details are used to inject malware into the website. The sad fact is that most of these people are either using an outdated or pirated security suite, or are not running one at all.
In the end, it all comes down to the same basic points: most people are not running security solutions and most people do not really care when they get infected.