More Than A Million Web Sites Infected By Malware

More than 1.2 million web sites were infected by malware in the third quarter of 2010, according to security firm Dasient. This includes legitimiate sites belonging to government agencies and “malvertisements,” or malicious advertisements.

In the third quarter of 2009, there were 560,000 web sites infected. While Dasient’s researchers expected the number to increase, the fact that it doubled was a surprise, said Dasient CTO Neil Daswani.

Drive-by Is Replacing Attachment

Instead of just growing in volume, malware has also changed how it spreads, said Daswani. While spam and email attachments are still popular, “drive-by-download” techniques, where the user is infected without clicking on a link or opening an attachment, is becoming more common, he said.

The popularity of web-based email services, such as Hotmail, Yahoo Mail, and Gmail, means that most attachments are being scanned automatically by anti-virus software. As a result, cyber-criminals are taking advantage of interactive Web 2.0 trends to implement drive-by-downloads instead of relying on attachments, according to Dasient.

Drive-by-downloads were originally occurring on malicious web sites the users landed on after clicking on a link in a spam e-mail, comment, or link on a social networking site. However, legitimate Web sites are increasingly becoming part of the problem as hackers repeatedly compromise the site and download malware on visitors’ computers.

According to Dasient’s data, drive-by-downloads and fake anti-virus scams are the most prolific methods for distributing malware.

Along with large and well-known sites like Google, government agencies are increasingly being targeted and re-infection rates remain high, said Daswani. From 2008 to 2009, hackers generally targeted smaller and less well-known government agency web sites but, in 2009 to 2010, larger and well-known government agencies were targeted, according to Dasient’s report. In the US, the State of Alabama has been infected and re-infected 37 times since 2008, while the National Institutes of Health has been re-infected five times.

According to Daswani, the probability of a site getting re-infected is high – at about 40 percent.

Malvertisement Market Booming

More than 1.5 million “malvertisements” – or ads and widgets whose sole purpose is to spread malware – were served online per day, according to Dasient’s data. This number includes both drive-by-downloads and fake anti-virus, said Daswani. These campaigns are also fairly long-lived in Internet time, lasting an average 11.1 days, according to the report.

Three of the top 10 domains responsible for drive-by-downloads have the word “ads” in the name, according to the Dasient survey. The domains were myads.name, freead.name, and adsnet.biz. Attackers are beginning to focus on malvertising as opposed to traditional Web-based attacks, said Daswani.

Looking at countries originating most attacks, Dasient noticed that Russia-based domains jumped during the quarter. Despite the frequency of China in the news, attacks from Chinese domains dropped, the company found.

Malware authors are aware of how the good guys work. There are increasing number of malware kits that check whether or not it is being executed in a virtual environment, such as VMware or Parallels, according to the report. As for zero-day exploits, authors “run [their programs] through 40 or more anti-virus software [packages] to make sure the viruses they are developing don’t get detected before releasing it,” said Daswani.

He predicted that, as social media proliferates in 2011, cyber-criminals will be more aggressive in using drive-by-downloads and rogue anti-virus scams to target users.