NetCraft recently reported the results of their January 2008 survey, in which they identified over 155 million sites, almost half of which were active. It would be useful to gather data estimating what proportion of these sites are either outright malicious or legitimate sites that have been compromised.
As we reported in the recent threat report, 2007 was a big year for web malware, with a huge number of compromised sites identified. You cannot help but think that the bulk of those 155 million sites are indeed the ‘great unwashed’. While hackers continue to succeed in exploiting the weak security of web sites and servers, there is little reason for them to change tactics. Of course, they will target different vulnerabilities, use different kits and perhaps target non-Windows platforms, but the use of compromised sites to hit victims with exploit scripts will continue.
One of the problems with such large volumes of data is spotting the cases that are of interest or that warrant further investigation. Two examples are given below.
1. High-profile sites
SophosLabs monitors the URLs hosting malicious content each day and triggers alerts on potentially interesting cases (e.g. governmental or high-profile organisation sites). Yesterday I noticed an attack implicating the BBC web site – definitely worth checking manually. It turns out the attack was very similar to those we have seen before, with just one minor change. After hitting you with exploits, instead of the usual redirect to Yahoo|Google|Aol…, this time the attack script redirected you to the BBC web site!
You can see that at the time of processing, the payload delivered from this attack site was unavailable.
2. Interesting attacks
Several characteristics can be used to flag whether an attack is of interest. Commonly, the detection name is used (we may be monitoring certain detections, or tracking sudden bursts in reports of a particular detection). This morning I was quickly reviewing some of the URLs detected by Sophos as Mal/ObfJS-B, and within the results I saw a Russian Harry Potter related URL.
It turns out that a legitimate fan site has been compromised in the familiar fashion:
It is not the first time we have seen Harry Potter linked with malware. Other Harry Potter sites have been compromised (none of them specifically targeted IMO, more a reflection of the sheer number of fan sites out there), and we had the infamous W32/Hairy, which made various ‘amusing’ changes to the system.
One of the most important reasons to escalate an attack for further investigation is when a component is not detected. In such cases the files and details of the attack are escalated to the lab for analysis so that the appropriate detections can be published.
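As an added illustration (not part of the original post, and not any Sophos tooling), the three triage rules described above – high-profile hosts, watched or bursting detection names, and undetected components – can be expressed as a small filter over daily URL reports. The sample records, the detection name Mal/Example-A and the .gov suffix heuristic for "high-profile" are constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample reports (not real telemetry): (day, URL, detection name).
# A detection of None means the fetched component was not detected by current signatures.
RECORDS = [
    (1, "http://fan-site.example/", "Mal/ObfJS-B"),
    (1, "http://shop.example/cart.php", "Mal/Example-A"),
    (2, "http://blog.example/", "Mal/ObfJS-B"),
    (2, "http://news.example/", "Mal/Example-A"),
    (3, "http://potter-fans.example/", "Mal/ObfJS-B"),
    (3, "http://forum.example/", "Mal/ObfJS-B"),
    (3, "http://council.example.gov/", "Mal/ObfJS-B"),
    (3, "http://library.example.gov/", "Mal/ObfJS-B"),
    (3, "http://unknown.example/x.js", None),
]

WATCHED_DETECTIONS = {"Mal/ObfJS-B"}        # detections currently being tracked
HIGH_PROFILE_SUFFIXES = (".gov", ".gov.uk")  # hypothetical heuristic for "high-profile"


def is_high_profile(url):
    """Flag hosts under governmental suffixes as high-profile (assumed heuristic)."""
    host = urlparse(url).hostname or ""
    return host.endswith(HIGH_PROFILE_SUFFIXES)


def detection_bursts(records, today, factor=3.0):
    """Detection names whose count today is at least `factor` times their mean count on earlier days."""
    per_day = defaultdict(Counter)
    for day, _url, det in records:
        if det is not None:
            per_day[day][det] += 1
    prior_days = [d for d in per_day if d < today]
    bursts = set()
    for det, n_today in per_day[today].items():
        baseline = sum(per_day[d][det] for d in prior_days) / max(len(prior_days), 1)
        if n_today >= factor * max(baseline, 1):  # floor of 1 so a single new report is not a burst
            bursts.add(det)
    return bursts


def triage(records, today):
    """Map each URL reported today to the reasons it deserves manual attention."""
    bursts = detection_bursts(records, today)
    flagged = {}
    for day, url, det in records:
        if day != today:
            continue
        reasons = []
        if is_high_profile(url):
            reasons.append("high-profile host")
        if det is None:
            reasons.append("component not detected: escalate to lab")
        else:
            if det in WATCHED_DETECTIONS:
                reasons.append(f"watched detection {det}")
            if det in bursts:
                reasons.append(f"burst in {det}")
        if reasons:
            flagged[url] = reasons
    return flagged
```

Running `triage(RECORDS, 3)` flags all five day-3 reports: the two .gov hosts for being high-profile, the four Mal/ObfJS-B hits as a watched detection that has also burst (four reports against a baseline of one per day), and the undetected script for lab escalation.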