The Lifecycle of Web-based Malware
For the bad guys, it can be a costly exercise to produce new families of malware in order to maintain their criminal activity at sufficient levels. Registering new domains is much more economical for them, and by spreading the malware across as many different websites and domains as possible, the longevity of each new malware family is increased. When employing server-side polymorphism, the same family of malware code may be packaged differently into new strains, automatically and dynamically, each time it is accessed. This requires a different anti-virus signature each time in order to detect it accurately. These approaches, combined with the use of “bullet-proof” hosting services and “fast-flux” hosting, mean that criminals can ensure that malicious websites are not taken down quickly in response to complaints.
In many cases the organized criminals have highly automated techniques in place that require little or no monitoring: their systems work day and night, compromising as many legitimate websites as possible and registering new ones. Once these processes are in place, a compromised website can be re-configured remotely depending on what method the attackers are using.
Figure 1 - Chart showing distribution of new malware and malicious websites used to host malware
Analysis of the MessageLabs Intelligence data for August shows that 3,510 websites were being blocked daily, and on average 36.1% of these were domains being blocked for the first time, as shown in Figure 1. Similarly, analysis of the malware being blocked each day reveals that around 11.9% was new families of malware being blocked for the first time each day.
When a victim downloads malware directly from a compromised, legitimate website, the victim may be automatically led through a complex system of invisible redirects to the endpoint where the new malware is hosted. In addition, often many new websites are brought online over time to act as “stepping-stones” between the compromised websites and the endpoints where the malware is located, as seen in Figure 2.
Figure 2 - Diagram showing over time how more websites become linked to new malware code
In Figure 2, a new form of malware is created and initially only hosted on a small number of websites or directly linked in malicious hyperlinks from other websites or emails. Over time, more websites are used, and often a simple redirect is used to divert the visitor seamlessly to another website, or to the malware itself. Sometimes several redirections are used, as one website bounces the user to another before the malware is reached. This process is invisible to the user, perhaps noticeable only because the page takes longer to load. The use of these “disposable” proxies helps to ensure that the websites hosting the malware remain obscured for as long as possible.
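To see why the intermediate hosts matter to an analyst, the redirect chain described above can be unwound one hop at a time rather than letting an HTTP client follow it silently. The following is an added example and not part of the MessageLabs report: it walks a chain of HTTP 3xx redirects and `<meta http-equiv="refresh">` redirects, records every intermediate host, and stops on a loop or a hop limit. The responses it consumes are a constructed, offline table (`SIMULATED`); the `fetch` function stands in for a real request issued with automatic redirects disabled.

```python
"""Unwind a redirect chain hop by hop so each 'stepping-stone' host is recorded.

Added example. The response table below is constructed for demonstration;
the hostnames are not real sites.
"""
import re
from urllib.parse import urljoin, urlsplit

# Constructed responses keyed by URL: (status, headers, body).
# A real fetcher would request each URL with redirects disabled
# (for example requests.get(url, allow_redirects=False)); kept offline here.
SIMULATED = {
    "http://legit-blog.example/post.html": (
        200, {},
        '<html><meta http-equiv="refresh" '
        'content="0;url=http://hop-one.example/go"></html>'),
    "http://hop-one.example/go": (302, {"Location": "/next?x=1"}, ""),
    "http://hop-one.example/next?x=1": (
        301, {"Location": "http://hop-two.example/dl"}, ""),
    "http://hop-two.example/dl": (
        200, {"Content-Type": "application/octet-stream"}, "MZ..."),
    # Two hosts that redirect to each other, to exercise loop detection.
    "http://loop-a.example/": (302, {"Location": "http://loop-b.example/"}, ""),
    "http://loop-b.example/": (302, {"Location": "http://loop-a.example/"}, ""),
}

# Matches <meta http-equiv="refresh" content="N;url=TARGET"> and captures TARGET.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+'
    r'content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)


def fetch(url):
    """Return (status, headers, body) from the constructed table; unknown URLs 404."""
    return SIMULATED.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """Return the URL this response redirects to, or None if it is terminal."""
    if 300 <= status < 400 and "Location" in headers:
        # Location may be relative; resolve it against the current URL.
        return urljoin(url, headers["Location"])
    match = META_REFRESH.search(body)
    if match:
        return urljoin(url, match.group(1))
    return None


def resolve_chain(start, max_hops=10):
    """Follow redirects one hop at a time.

    Returns the ordered list of URLs visited, the distinct hosts in order of
    first appearance, the last URL reached, and why the walk stopped:
    'terminal' (no further redirect), 'loop', or 'max_hops'.
    """
    url = start
    hops = [start]
    seen = {start}
    reason = "max_hops"
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            reason = "terminal"
            break
        hops.append(nxt)
        if nxt in seen:
            reason = "loop"
            break
        seen.add(nxt)
        url = nxt
    hosts = []
    for hop in hops:
        host = urlsplit(hop).hostname
        if host not in hosts:
            hosts.append(host)
    return {"hops": hops, "hosts": hosts, "final": hops[-1], "reason": reason}


if __name__ == "__main__":
    for start in ("http://legit-blog.example/post.html", "http://loop-a.example/"):
        result = resolve_chain(start)
        print(start, "->", result["final"], f"({result['reason']})")
        print("  hosts:", ", ".join(result["hosts"]))
```

Every host in `hosts` is a candidate for blocking or for correlation with other chains: a compromised legitimate site at the front of the chain is cleaned rather than blocked outright, while the disposable hops behind it tend to recur across many chains and are where a block is most effective. JavaScript-driven redirects are not handled here; they need a script-capable fetcher or a sandbox.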
This indicates that each day, new legitimate websites are being compromised, and new websites established purely for malicious intent are being brought online. For example, for each 100 domains blocked each day in August:
- 36 of them have not been blocked before
  - 30 (84.5%) are blocks of older, compromised legitimate domains
  - 6 (15.5%) are blocks of recently registered domains
- 64 are domains (legitimate or otherwise) that have been blocked previously and are known
It is fairly common for some top-level domains (TLDs) to be hosted in countries other than the one indicated by the TLD country code, and this is certainly much more frequent for newer domains that have been established for malicious purposes. The locations of newer malicious websites are more likely not to match the country-code top-level domains under which they are registered, as can be seen in Figure 3.
Global TLDs have also been included to show the location of the malicious website being hosted.
Figure 3 - Most frequently occurring TLDs used to host malicious website content, by physical location
For older, legitimate websites that have been compromised, this picture is very different and the TLD matches the expected location of the website much more frequently.
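The TLD-versus-hosting-location comparison behind Figure 3 is a cheap check that a defender can apply to a daily block list. The following is an added example and not code from the report: it extracts the country-code TLD from a hostname (treating generic TLDs such as `.com` as having no expected country, and mapping `.uk` to the ISO code `GB`), compares it with the country the site is hosted in, and computes the mismatch rate separately for newly blocked and previously known domains. The hosting-country values stand in for a GeoIP lookup and are constructed, as are the hostnames.

```python
"""Flag domains whose country-code TLD does not match the hosting country,
and compare the mismatch rate of newly blocked domains with older ones.

Added example. All hostnames and hosting countries below are constructed.
"""

# ccTLDs whose ISO 3166 country code differs from the TLD label.
TLD_TO_ISO = {"UK": "GB"}

# Two-letter TLDs that are regional rather than national; no single
# hosting country is expected for them.
NON_COUNTRY_TLDS = {"EU"}


def cctld(hostname):
    """Return the ISO country code implied by a hostname's TLD, or None.

    None means a generic or regional TLD for which no particular hosting
    country is expected (.com, .org, .eu, ...).
    """
    labels = hostname.lower().rstrip(".").split(".")
    last = labels[-1]
    if len(last) != 2 or not last.isalpha():
        return None
    tld = last.upper()
    if tld in NON_COUNTRY_TLDS:
        return None
    return TLD_TO_ISO.get(tld, tld)


def classify(hostname, hosting_country):
    """'match', 'mismatch', or 'gtld' (no expected country to compare against)."""
    expected = cctld(hostname)
    if expected is None:
        return "gtld"
    return "match" if expected == hosting_country.upper() else "mismatch"


def mismatch_rate(records):
    """records: iterable of (hostname, hosting_country, blocked_for_first_time).

    Returns the share of ccTLD domains whose hosting country does not match
    their TLD, keyed 'new' (first-time blocks) and 'older' (previously known).
    Generic-TLD domains are excluded from both numerator and denominator.
    """
    counts = {"new": [0, 0], "older": [0, 0]}  # [mismatches, ccTLD total]
    for hostname, country, is_new in records:
        bucket = "new" if is_new else "older"
        verdict = classify(hostname, country)
        if verdict == "gtld":
            continue
        counts[bucket][1] += 1
        if verdict == "mismatch":
            counts[bucket][0] += 1
    return {k: (m / t if t else 0.0) for k, (m, t) in counts.items()}


# Constructed sample of one day's blocks: (hostname, hosting country, first-time block).
SAMPLE_BLOCKS = [
    ("shop.example.co.uk", "GB", True),
    ("promo.example.de", "US", True),
    ("offer.example.ru", "NL", True),
    ("deal.example.cn", "US", True),
    ("cheap.example.com", "US", True),
    ("city.example.fr", "FR", False),
    ("school.example.ac.jp", "JP", False),
    ("bank.example.co.uk", "GB", False),
    ("club.example.it", "US", False),
    ("forum.example.org", "DE", False),
]


if __name__ == "__main__":
    for hostname, country, _ in SAMPLE_BLOCKS:
        print(f"{hostname:24s} hosted in {country}: {classify(hostname, country)}")
    print(mismatch_rate(SAMPLE_BLOCKS))
```

A mismatch on its own is not evidence of malice; plenty of legitimate sites use a foreign CDN or hosting provider. Its value is as one feature among several, and in aggregate: a first-time-blocked domain with a mismatched ccTLD fits the profile of a freshly registered throwaway, while the older compromised sites in a block list mostly sit where their TLD says they should.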