via Peerlyst by
Web malware is huge. The web is now one of the top vectors for malware distribution. I took a glance at VirusTotal’s file statistics from the past seven days. I last mentioned VirusTotal in November:
“Threat intel analysts understand instinctually that having large sources of data can improve their ability to forecast. Information overload can be overcome with the right tools and the right methodology. Once that’s set, more information is better even when lots of false positives have to get weeded out.
VirusTotal is a perfect example of how many different vendors and independent researchers can join forces with the understanding that we’re stronger and more effective when we work together.
Many individuals use VirusTotal applications (web browser plugins, mobile apps, a native Windows client) to submit what malware they encounter that’s running in their operating system or through a URL. I don’t have any figures for how many individual researchers submit malware samples on a regular basis, but I do know all of the vendors and applications that are currently working with VirusTotal to submit samples from their malware detection vectors and discovered URLs.”
Out of the millions of submissions to VirusTotal in the past week, 381,765 were HTML files, 41,202 were JPEGs, and 6,572 were web open font format. The vast majority of those, it can be safely assumed, went through web servers to web browsers. People often view PDFs through the web as well, so many of the 819,853 PDF files probably went through the web. People also often go to the web for application installation files, so at least some of the 2,349,299 Win32 EXE files, 503,323 Android packages (APKs), and 300,000 ZIP files were web malware, too.
The abuse.ch project launched URLHaus back in March 2018. That was an absolutely excellent development, because the threat of web malware is quickly growing. According to abuse.ch, URLHaus’ objective is to “collect, track and share malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats.” URLHaus shares submissions with Google Safe Browsing, Spamhaus DBL, and SURBL, so when a malicious website is found, there are means to prevent other web surfers around the world from landing into that trap before web hosts take malicious sites down. That’s essential, because even though URLHaus reports straight to the web hosts, the worst hosts take months from being notified by URLHaus to take a site down! The average is still about eight days.
But here’s the good news. In the past ten months since URLHaus has been in operation, their team of 265 security researchers have helped to take about 100,000 malicious websites down! That’s incredible. What a wonderful team effort, they ought to be proud of themselves.
About 4,000 to 5,000 active malware distribution sites are identified each day. If that has been the average since March 2018, that means about 140,000 malware distribution sites have been identified in that time span. Perhaps around 40,000 URLHaus identified malware sites are still online. Ugh. Still, having most of he identified sites taken down is pretty darn good. The weakest link is clearly the web hosts themselves.
Which web hosts should belong on URLHaus’ Wall of Shame? According to URLHaus, the top web hosts for hosting identified malware are:
- DigitalOcean, 7,086 malware URLs
- GoDaddy, 5,263 malware URLs
- OVH, 3,312 malware URLs
- Unified Layer, 3,017 malware URLs
- Serverius, 1,803 malware URLs
- Aruba, 1,363 malware URLs
- Amazon, 1,286 malware URLs
- Cloudflare, 1,219 malware URLs
- Hetzner, 1,109 malware URLs
- CyrusOne, 1,100 malware URLs
- Google, 1,062 malware URLs
- Liquid Web, 1,052 malware URLs
- Cizgi, 952 malware URLs
- Strato Strato, 925 malware URLs
- Namecheap, 866 malware URLs
And here are the worst web hosts for Average Reaction Times. That’s the timespan between URLHaus reporting a malicious URL and the web host taking it offline:
- Infracom, 3 months, 23 days, 10 hours, 2 minutes
- Kazakh Telecom, 3 months, 18 days, 7 hours, 2 minutes
- China Telecom, 3 months, 16 days, 15 hours, 22 minutes
- Compubyte, 3 months, 13 days, 8 hours, 53 minutes
- Com4, 3 months, 11 days, 8 hours, 20 minutes
- Scud, 3 months, 9 days, 13 hours, 59 minutes
- Verizon, 3 months, 8 days, 19 hours, 56 minutes
- Atria Teknologi, 3 months, 6 days, 22 hours, 32 minutes
- China Unicom Shenzen, 3 months, 0 days, 17 hours, 28 minutes
- ICIDC, 3 months, 0 days, 3 hours, 31 minutes
- MauritiusTelecom, 2 months, 29 days, 15 hours, 8 minutes
- Vodafone, 2 months, 24 days, 21 hours, 55 minutes
- OWN, 2 months, 23 days, 4 hours, 38 minutes
- China Networks Inter-Exchange, 2 months, 22 days, 17 hours, 49 minutes
Come on, you guys! The average Average Reaction Time for all of the web hosts is about eight days! Some hosts have an Average Reaction Time of only a few hours! You take months? That’s despicable.
The top ten most commonly found web malware varieties are Emotet, Gozi, GandCrab, Breitschopp, Dridex, Dorv, Slimware, Loki, AgentTesla and Formbook.
Since URLHaus’ beginning in March 2018, there have been about 380,000 malware samples acquired. Assuming that URLHaus has identified 140,000 malware distribution sites during that time, a malicious URL is connected to about 2.7 pieces of malware on average. Ouch.
While celebrating the new 100,000 malware sites down figure, a representative of URLHaus had this to say on their blog:
“URLHaus wouldn’t be successful without the help of the community. It proofs that the key in fighting malware and botnets is sharing.
But we are not where we should be yet. There is still a long way to go with regards to response time of abuse desks. An average reaction time of more than a week is just too much and proofs a bad internet hygiene. I do also hope that the Chinese hosting providers weak up and start taking care about the abuse problems in their networks in time. Having malware distribution sites staying active for over a month is just not acceptable.”
What can be done to encourage Chinese web hosts to take malware more seriously?