Classifying sites as hacked or malicious

Posted on July 24, 2014 - 14:34 by ccondon

For the past several months, StopBadware's research team has been paying special attention to ways we can differentiate and track certain categories of infected websites. Thousands of website review requests are submitted to us every month; most of these are for hacked legitimate sites whose owners are concerned with cleaning up malware infections and protecting visitors. Some, however, are maliciously registered sites, or sites whose owners are abusing free hosting or dynamic DNS services to spread malware. When we encounter malicious sites like this, we want to make sure they stay on blacklists, and we want to be able to report them to people who can help take them down.

One of the first steps in doing that is developing a big picture understanding of the kinds of sites we encounter over time. Our team tracked the sites we tested manually (this is a relatively small percentage of the total number of review requests submitted to us) from late March to mid-July 2014. 

Because an infection typically runs through a chain of pages (a landing page that sends the visitor onward, one or more intermediary pages, and finally an exploit page), we classify each site by its role in the chain before judging intent. Unsurprisingly, most of the sites we see are legitimate sites that have been hacked for use as landing pages (e.g., compromised with a malicious iframe, script, or HTTP redirect). Exploit pages, of course, are almost always malicious by design: they serve the exploit code and the malicious executable that infects the target machine with badware. StopBadware sees very few exploit pages; this is largely because malware distributors block our testing IPs, so our testers rarely reach the end of the chain.

Note: Generally speaking, we consider sites that fall into the "free host" category to be malicious. This is not necessarily a comment on the practices or intentions of free hosting (or other free service) providers—many of whom are operating in good faith and some of whom have worked with us for years to curb abuse on their platforms—but rather a result of the fact that bad actors routinely abuse free services to spread malware. 

The most interesting category we examined was intermediary pages. Our researchers classified intermediary sites as hacked or malicious by looking at a number of factors, including WHOIS data, the page's accessibility, and whether the site has legitimate content. This type of analysis is a common practice in the security industry, but it's also rather resource-intensive—especially for a small nonprofit. 

Ideally, we'd like to be able to automatically classify malicious websites so we can make the Web safer and minimize abuse of our processes at the same time. Over the next few weeks, our team will be using our data and a third-party service to come up with an experimental classifier for malicious vs. hacked sites. We look forward to sharing additional data and results once the project is finished; in the meantime, advice from those with experience in this arena is welcome! 
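To make the hacked-vs-malicious distinction concrete, here is a small scoring classifier over the signals the two paragraphs above mention (WHOIS registration age, whether the page is accessible to an ordinary visitor, whether the site has legitimate content, and whether it sits on a free hosting or dynamic DNS provider). This is an added illustration written for this page, not StopBadware's classifier or its third-party service; the weights, the 90-day "new domain" cutoff, the threshold, the free-host suffix list, and every sample record are assumptions constructed for the demo.

```python
"""Toy hacked-vs-malicious scorer for intermediary sites (added example,
not StopBadware's classifier). All thresholds, weights, suffixes and
sample records below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for free-hosting / dynamic-DNS provider suffixes.
FREE_HOST_SUFFIXES = ("example-freehost.test", "example-dyndns.test")
NEW_DOMAIN_DAYS = 90       # assumed cutoff: younger registrations look purpose-built
MALICIOUS_THRESHOLD = 3    # assumed score at which we stop calling a site "hacked"
OBSERVED = date(2014, 7, 15)   # date the sample records were "tested"


@dataclass
class SiteRecord:
    domain: str
    whois_created: Optional[date]   # None when WHOIS is unavailable or redacted
    accessible: bool                # does the page load for an ordinary visitor?
    legit_content: bool             # is there real site content besides the bad code?


def is_free_host(domain: str) -> bool:
    """True when the domain is a free-host/dynamic-DNS subdomain (suffix match only)."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in FREE_HOST_SUFFIXES)


def score_site(rec: SiteRecord, observed: date) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score means 'more likely maliciously registered'."""
    score, reasons = 0, []
    if is_free_host(rec.domain):
        score += 3   # the post treats the free-host category as malicious by policy
        reasons.append("free hosting / dynamic DNS provider")
    if rec.whois_created is not None:
        age = (observed - rec.whois_created).days
        if age < NEW_DOMAIN_DAYS:
            score += 2
            reasons.append(f"domain registered {age} days before observation")
    else:
        # Privacy-redacted WHOIS is common on legitimate sites, so missing
        # data contributes no score; it is only recorded for the reviewer.
        reasons.append("WHOIS creation date unavailable (no age signal)")
    if not rec.legit_content:
        score += 1
        reasons.append("no legitimate content on the site")
    if not rec.accessible:
        score += 1
        reasons.append("page not accessible to an ordinary visitor")
    return score, reasons


def classify(rec: SiteRecord, observed: date) -> Tuple[str, int, List[str]]:
    """Map a score to a verdict; the ambiguous middle goes to a human tester."""
    score, reasons = score_site(rec, observed)
    if score >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif score == 0:
        verdict = "hacked"
    else:
        verdict = "review"
    return verdict, score, reasons


# Constructed sample review requests; none of these are real sites.
SAMPLES = [
    SiteRecord("old-bakery.example", date(2009, 5, 10), True, True),
    SiteRecord("xyz123.example-freehost.test", None, False, False),
    SiteRecord("cheapdomain-2014.example", date(2014, 6, 20), True, False),
    SiteRecord("recent-startup.example", date(2014, 6, 1), True, True),
]


def classify_samples(observed: date = OBSERVED) -> Dict[str, str]:
    """Verdict per sample domain, for the demo run and for checking."""
    return {rec.domain: classify(rec, observed)[0] for rec in SAMPLES}


if __name__ == "__main__":
    for rec in SAMPLES:
        verdict, score, reasons = classify(rec, OBSERVED)
        print(f"{rec.domain:32} {verdict:9} score={score}  {'; '.join(reasons)}")
```

The point of the "review" bucket is that an automated classifier for this problem should be allowed to abstain: a recently registered but otherwise normal site (the last sample) is exactly the case where a wrong "malicious" verdict would keep a legitimate owner blacklisted, so it is cheaper to route it to a manual test than to force a binary answer.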

*Special thanks to our outstanding research and testing intern, Luke Oglesbee, for his work on this! 

Community news and analysis: June 2014

Posted on July 9, 2014 - 14:25 by ccondon

Plugin vulnerabilities and new variants of old malware were prevalent themes in our partner community the past month, but there was some positive stuff, too. One highlight was an informative DreamUp on WordPress security hosted by our partners over at DreamHost. The DreamUp is over, but the video proof that it happened lives on:

Malware analysis

ESET: New interactive exploit kit redirection technique and recent targeted attacks against the Vietnamese government

Sophos: Reports of the demise of VBA viruses have been greatly exaggerated; a CryptoLocker wannabe called SimpleLocker demands ransoms from Android users.

Fortinet: A new Zeus variant and the JackPOS credit card stealer

Sucuri: Spam hack targets WordPress core install directories; a trio of security holes in plugins for WordPress: zero-day in TimThumb’s Webshot feature, vulnerability in the Disqus Comment System plugin, and a serious vulnerability in MailPoet's WP plugin

Other security news

Google: Maintaining digital certificate security; Google Drive update to protect shared links

Qualys: July 2014 Patch Tuesday preview and analysis

SiteLock: Could hackers really clone your business?

DreamHost + CloudFlare: 9 tips to make your WordPress blog more secure

Users exposed in May malvertising campaign

Posted on June 16, 2014 - 12:12 by ccondon

StopBadware's landing pages saw a big spike in traffic last month between May 30 and 31. We found that popular French torrent site t411[.]me was the main (though not only) culprit, and that the site had wound up on Google’s blacklist as the result of a malvertising attack.

Our overall traffic skyrockets whenever a popular site or group of sites is blacklisted. One of the first things we look at, however, is how many people are finding their way to our Firefox landing page—in other words, how many people are ignoring malware warnings, visiting the blacklisted site, and going the extra mile to report to us (and Mozilla) that the site they’re visiting is not, in fact, “a badware site.”

How many users visited the site over warnings and exposed themselves to malvertising? Over 37,000 between May 29 and June 1.

A little digging turned up research done by top-notch French security researcher malekal, who frequently documents malvertising campaigns as they make their way around the Web. It turns out this campaign was pushing fake Java and Flash updates—a particularly effective strategy on sites users are visiting to access online media. We know from experience that users tend to be more likely to click through warnings in order to access media streams or downloads.

Malicious advertising is one of the trickiest problems the security industry faces. We don’t know what the successful infection rate was for this campaign, but even a small fraction of the 37,000 users we know were exposed is an unacceptably high success rate for malware distributors.