New Insights on Maliciousness in Top-ranked Domains

Jul 02, 2012

by Paul Royal, Research Consultant

In March 2012, Barracuda Labs published its first report on observed maliciousness in Alexa top-ranked domains. This post continues that work and includes new measurements employed and the resulting discoveries made.

As a concise introduction, Barracuda uses a number of different research technologies to identify maliciousness on the web. One of these tools employs automated means to force a browser within a Windows virtual machine to visit a website, then looks at the network-level actions of the system to determine whether a drive-by download occurred. Earlier this year, we began examining the Alexa top 25,000 most popular websites each day.

Once a domain is identified as resulting in a drive-by download, we use properties of the Alexa rankings system to conservatively and accurately estimate the number of users served malicious content, as well as the subset that were likely compromised. Granular details of this process are provided in our previous report. We look at some of the same items in this study, but also delve further into the data to examine recurring maliciousness for a given domain, the use of ad networks as entry points to drive-by downloads, and the use of Java in exploit sites.

For the statistics we reexamine, the numbers for May 2012 affirm the observations made earlier. In May 2012, 39 of the Alexa top 25,000 websites, when visited, served drive-by downloads for at least one day. Over 7.8 million users were served malicious content; of these users, over 1.2 million were likely compromised. At least one Alexa top-ranked domain served malicious content 26 (or 83.8%) of the days in May. The sites involved spanned 13 countries, and once again, over 97% of the sites were at least one year old.

One of the new measurements we conducted takes a first look at recurring maliciousness. Of the 39 top-ranked domains found to result in drive-by downloads in May 2012, 11 (or 28%) yielded malicious content for more than one day. In the case of Herald Media’s news portal (heraldm.com, discussed separately), maliciousness persisted for more than one week. The average period of maliciousness for the 39 top-ranked websites was just over 36 hours.

In addition to investigating recurring maliciousness, we also examined how, beginning with a visit to a popular website, malicious content was served to the browser. Given that almost all of the sites were long-lived, we expected most instances of malicious content to arrive via the sites’ use of ad networks, which are a frequent target of criminals. However, to our surprise, malicious content originated from ad networks in only 18 (or 46.1%) of the 39 sites. The remainder were, in one form or another, the result of directly compromising the website itself.

Finally, we measured the use of Java among browser-based exploits. Of the 39 sites, 34 (or 87.1%) served malicious content (usually targeting multiple software components) that included one or more exploits for Java (e.g., CVE-2012-0507). This finding supports the widely held belief that Java is one of the most ubiquitous targets of drive-by download attacks. Barracuda Labs recommends that users disable Java support in the web browser and re-enable the feature only when necessary.
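As an added example (not Barracuda's code), the following shows how the recurrence, ad-network and Java figures above can be derived from a month of daily scan results. The records are constructed, domain names are placeholders, and the "average period of maliciousness" is computed on the assumption that each malicious day counts as 24 hours and that the average is taken over contiguous runs of malicious days.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not Barracuda's): one record per (domain, day) on which
# the automated browser visit ended in a drive-by download. "targets" names the
# software the served exploits aimed at; domain names are placeholders.
def obs(domain, day, via_ad_network, targets):
    return {"domain": domain, "day": date(2012, 5, day),
            "via_ad_network": via_ad_network, "targets": set(targets)}

OBSERVATIONS = [obs("news-portal.example", d, False, ["java", "flash"]) for d in range(3, 11)] + [
    obs("forum.example", 10, True, ["java"]),
    obs("shop.example", 2, True, ["pdf"]),
    obs("shop.example", 20, False, ["java", "pdf"]),
    obs("video.example", 15, False, ["flash"]),
    obs("video.example", 16, False, ["flash"]),
    obs("blog.example", 25, True, ["java"]),
]

def malicious_runs(observations):
    """Return {domain: [length in days of each contiguous run of malicious days]}."""
    days = defaultdict(set)
    for o in observations:
        days[o["domain"]].add(o["day"])
    runs = {}
    for domain, ds in days.items():
        lengths, start, prev = [], None, None
        for d in sorted(ds):
            if prev is not None and d - prev > timedelta(days=1):
                lengths.append((prev - start).days + 1)  # gap in the scans: close the run
                start = None
            if start is None:
                start = d
            prev = d
        lengths.append((prev - start).days + 1)
        runs[domain] = lengths
    return runs

def summarize(observations):
    """Compute the monthly figures the post reports from the daily scan results."""
    runs = malicious_runs(observations)
    all_runs = [n for r in runs.values() for n in r]
    return {
        "domains": len(runs),
        "recurring": sum(1 for r in runs.values() if sum(r) > 1),  # malicious on more than one day
        "over_one_week": sum(1 for r in runs.values() if max(r) > 7),
        "avg_period_hours": 24 * sum(all_runs) / len(all_runs),  # assumption: a day counts as 24 h
        "via_ad_network": len({o["domain"] for o in observations if o["via_ad_network"]}),
        "java_exploit": len({o["domain"] for o in observations if "java" in o["targets"]}),
    }
```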

A table that lists the 39 sites that served drive-by download exploits and granular details for each site is available for download here. An archive containing packet capture (PCAP) files showing the exact sequence of events that led to system compromise can be obtained by requesting it through the Barracuda Labs Contact Form.