Blog

Android Malware Genome Project

Kudos to Xuxian Jiang and his colleagues at NC State for launching the Android Malware Genome Project. The project aims to share Android malware samples and related data among vetted security researchers. This will enable a more complete understanding of the threats and a faster response in addressing them.

This initiative has a lot in common with our plans to build a better Clearinghouse for sharing information about badware URLs. Both projects represent an important evolution in how the "good guys" respond to the criminal underground. Traditionally, information about badware has been shared mostly through bilateral arrangements among trusted peers or in unstructured form through mailing lists. Both the AMGP and the StopBadware Clearinghouse strive to build centralized databases in which research information can be aggregated, so that all the participants can benefit from each other's strengths.

It's a tired cliché in the security world that there are no silver bullets; indeed, data sharing initiatives cannot be expected to eliminate badware. But projects like these do represent an important step toward collaboration and a more nimble response to new threats.

Recent badware stats

I recently caught up on reading various malware and cybercrime reports from the past few months. Here are a few stats and observations I thought would be especially interesting to the SBW community:

"Enterprise users experienced an average of 339 Web malware encounters per month in 4Q11." (up 205% year over year)

Avg. 20,141 unique Web malware hosts per month in 2011 (vs. 14,217 in 2010)

Source: Cisco 4Q11 Global Threat Report (Jan. 2012)
*****
Approx. 30,000 new malicious URLs each day in 2H11; 80% of those are legitimate sites that have been compromised

85% of malware comes from the web

Source: Sophos Security Threat Report 2012 (Jan. 2012)
*****
Malicious sites up 240 percent in 2011

40% of malnet entry points are via search engines/portals

Source: Blue Coat Systems 2012 Web Security Report (Feb. 2012)
*****
23% of malicious domain registrations could be blocked with basic validation of contact info

Source: Abused Internet Domain Registration Analysis for Calculating Risk and Mitigating Malicious Activity by KnujOn.com (Feb. 2012)
*****
Rogue AV campaign infected 200,000 Web pages on 30,000 unique hosts; more than 85% of the sites were in the US, but visitors were more geographically dispersed.

Source: Websense via Dark Reading (Mar. 2012)
*****
On average, two popular websites (among the Alexa top 25,000) serve drive-by downloads each day.

An estimated 1.6 million vulnerable users were exposed to drive-by downloads in one month across 58 popular (Alexa top 25,000) sites.

Source: Barracuda Labs (Mar. 2012)
