Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google's Research on Malware Distribution

Posted by Soulskill on from the making-a-mountain-out-of-a-really-big-piece-of-rock dept.

GSGKT writes "Google's Anti-Malware Team has made available some of their research data on malware distribution mechanisms while the research paper[PDF] is under peer review. Among their conclusions are that the majority of malware distribution sites are hosted in China, and that 1.3% of Google searches return at least one link to a malicious site. The lead author, Niels Provos, wrote, 'It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed.'"

6 of 83 comments (clear)

  1. Read it again by EmbeddedJanitor · · Score: 4, Insightful
    There are three million bad URLs being served off 180,000 web sites.

    Three million out of billions is not bad, assuming randomness (only, say 1 in 1000 chance of using a bad URL), but it is a lot worse than 180k out of billions.

    However not all URLs are used equally. Bad URLs linked to some popular pron site, for instance, will get hit a lot more than Joe Sixpack's facebook site.

    --
    Engineering is the art of compromise.
  2. Re:And what platform does the malware run on? by grcumb · · Score: 5, Interesting

    I found it quite interesting that the methodology of the research doesn't even bother to check sites with Mac OS X or Linux operating systems. But on the server side, Apache websites running outdated versions of PHP were singled out for comment.

    In all there were twice as many compromised IIS servers as Apache, but fully 50% of all compromised Apache servers were running some version of PHP.

    It was also interesting to note that computer-related websites ranked second only to social networking sites as most likely to be compromised with redirections to malware sites. Seems we might want to tone down our holier-than-thou rhetoric. 8^)

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  3. Maybe Goole should delist a few sites. by budgenator · · Score: 4, Interesting

    It occurred to me that if Google started desisting sites that tried to implant malware into visitors computers, then webmasters would be much more diligent about keeping the crap off their sites, or at least keep a few more hapless victims out of harm's way.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  4. Re:Search engine ranking by calebt3 · · Score: 5, Insightful

    Searchers won't use your engine if it does not give them what they want.

  5. Actually they do add a warning for infected sites by Slur · · Score: 5, Informative

    One site I work on got hit by a PHPBB SQL injection attack and had a tiny iframe inserted into the forum header that pointed to a well-known malware site, hightstats.net (and if you're curious the malicious script is in the strong/044 folder). Google picked up on the iframe's contents being a malicious script and added the malware warning to the search results pertaining to the forums section of our website.

    I just wonder how it is that hightstats.net can still be in existence when it contains known malicious stuff that hackers are inserting into unwary websites?!

    --
    -- thinkyhead software and media
  6. Key points to take from the paper by The+Master+Control+P · · Score: 4, Informative

    2/3 of all malware distribution sites & sites that link to them are hosted in China.
    The next worst offender is the US with 1/6.
    About 3.5M websites attempt to send you to exploits from 180K distribution sites.
    63% of the 180K malicious sites are IIS, 33% are Apache, and a handful are other.
    80% of malware from not in ads (e.g. iframes) was within 4 redirects of the malware distributor.
    80% of malware from ads was more than 4 redirects from the distributor.
    3/4 of distribution sites and 1/2 of landing sites are in 2 blocks occupying 6.5% of IP4.
    Among drive-by downloads, 1/2 alter your startup, 1/3 attack your security, 1/4 corrupt your preferences, and 7% install BHOs.
    87% of outbound connections the malware initiates are HTTP, 8.3% are IRC.
    The three AV engines tested against malware retrieved by the study had detection rates of about 35, 50, and 70%.

    The part I find scariest is the 3.5M malware fronts. I mean, there are only about 70M active hosts on the entire Internet - that's 5 percent! Since I think that trying to make programmers these days write secure code is a lost cause, we should focus on breaking up the software monoculture. This kind of shit really starts to lose it's efficacy if only 1/4 or 1/5 attempts even attack the right browser...