More than 1.2 million Websites were infected by malware in the third quarter of 2010, according to security firm Dasient. This includes legitimate sites belonging to government agencies and malvertisements, or malicious advertisements.
In the third quarter of 2009, there were 560,000 Websites infected. While Dasient’s researchers had expected the number to increase, the fact that it doubled was a surprise, said Dasient CTO Neil Daswani.
Instead of just growing in volume, malware has also changed in the way it spreads, said Daswani. While spam and e-mail attachments are still popular, “drive-by-download” techniques, where the user is infected without clicking on a link or opening an attachment, are becoming more common, he said.
The popularity of Web-based e-mail services, such as Hotmail, Yahoo Mail and Gmail, means that most attachments are being scanned automatically by antivirus software. As a result, cyber-criminals are taking advantage of interactive Web 2.0 trends to implement drive-by-downloads instead of relying on attachments, according to Dasient.
Drive-by-downloads originally occurred on malicious Websites that users landed on after clicking a link in a spam e-mail, or a comment or link on a social networking site. However, legitimate Websites are increasingly becoming part of the problem, as hackers repeatedly compromise the site and push malware onto visitors’ computers.
According to Dasient’s data, drive-by-downloads and fake antivirus scams are the most prolific methods for distributing malware.
Along with large and well-known sites such as Google, government agencies are increasingly being targeted, and reinfection rates remain high, said Daswani. From 2008 to 2009, hackers generally targeted smaller and lesser-known government agency Websites, but from 2009 to 2010, the sites of larger and better-known agencies such as the Environmental Protection Agency, unemployment.gov and the National Institutes of Health were targeted, according to Dasient’s report. The state of Alabama’s Website has been infected and reinfected 37 times since 2008, while the National Institutes of Health’s Website has been reinfected five times.
According to Daswani, the probability of a site becoming reinfected is high—about 40 percent.
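The compromised-legitimate-site pattern described above usually leaves a visible trace in the page markup: an injected iframe or script element that loads from a host the site owner never approved, often styled to be invisible. The following is an added example written for this article, not code from Dasient or from any site mentioned here; it is a small defender-side scanner that a site owner could run on their own pages after each publish or on a schedule, which is also how a cleaned site can catch the reinfections the report counts. The allowlisted host, the sample page and the `.invalid` host in it are all constructed for the demonstration.

```python
"""Added example: scan a page for signs of injected drive-by-download code.

Flags <iframe>/<script> elements whose src points at a host outside an owner
supplied allowlist, and iframes styled or sized to be invisible. Re-running the
scan after a cleanup is a cheap way to notice that a site has been reinfected.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collects (tag, reason, src) tuples for suspicious iframe/script elements."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname if src else None
        # Relative URLs have no hostname and resolve to the site itself; only
        # absolute URLs to hosts outside the allowlist are reported.
        if host and host.lower() not in self.allowed_hosts:
            self.findings.append((tag, "external-src", src))
        if tag == "iframe" and _is_hidden(a):
            self.findings.append((tag, "hidden-iframe", src))


def _is_hidden(a):
    """True if the element is styled invisible or sized to at most 1x1 pixel."""
    style = a.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(a.get("width") or "1")
        height = int(a.get("height") or "1")
    except ValueError:
        return False
    return width <= 1 or height <= 1


def scan_html(html, allowed_hosts):
    """Return the list of suspicious elements found in an HTML document."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def fingerprint(html):
    """SHA-256 of the page body; store it after a cleanup and compare on re-scan."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed sample page: one legitimate first-party script, one relative
# script, and an injected invisible iframe pointing at a constructed .invalid host.
SAMPLE_PAGE = """<html><body>
<h1>Agency news</h1>
<script src="https://www.agency.example/js/site.js"></script>
<iframe src="http://malicious-ad.invalid/ads/" width="0" height="0"
        style="visibility:hidden"></iframe>
<script src="/local/analytics.js"></script>
</body></html>"""

ALLOWED_HOSTS = {"www.agency.example"}  # constructed: the site's own host

if __name__ == "__main__":
    for tag, reason, src in scan_html(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"{reason:14} <{tag}> {src}")
    print("fingerprint:", fingerprint(SAMPLE_PAGE))
```

The scanner is deliberately conservative: it reports only absolute URLs to unlisted hosts and obviously hidden iframes, so the output is short enough to review by hand. Because injected code is frequently placed by the same access path after each cleanup, keeping the stored fingerprint and allowlist under version control and diffing them on every run turns the one-off check into the kind of reinfection monitor the 40 percent figure argues for.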
More than 1.5 million malvertisements—or ads and widgets whose sole purpose is to spread malware—were served online per day, according to Dasient’s data. This number includes both drive-by-downloads and fake antivirus, said Daswani. These campaigns are also fairly long-lived in Internet time, lasting an average of 11.1 days, according to the report.
Three of the top 10 domains responsible for drive-by-downloads have the word “ads” in the name, according to the Dasient survey. The domains were myads.name, freead.name, and adsnet.biz. Attackers are beginning to focus on malvertising as opposed to traditional Web-based attacks, said Daswani.
Looking at countries from which most attacks originated, Dasient noticed that Russia-based domains had jumped during the quarter. Despite the frequency with which China is mentioned in the news, attacks from Chinese domains had dropped, the company found.
Malware authors are aware of how the good guys work. An increasing number of malware kits check whether they are running in a virtual environment, such as VMware or Parallels, according to the report.
As for zero-day exploits, authors “run through 40 or more antivirus software [programs] to make sure the viruses they are developing don’t get detected before releasing it,” said Daswani.
Dasient’s Daswani predicted that as social media proliferates in 2011, cyber-criminals will be even more aggressive in using drive-by-downloads and rogue antivirus scams to target users.