May 08, 2007
Handful of hosts account for mucho malware
A new report published by the StopBadware.org consumer protection initiative identifies the top five service providers responsible for hosting the largest numbers of malware-brokering Web sites.
According to StopBadware -- a security project spearheaded by researchers at Harvard and Oxford Universities and backed by companies including Google, Lenovo and Sun -- of the just over 49,000 malware sites it investigated, nearly 18,000 were hosted by the leading group of providers.
The worst offender implicated in the research report is Phoenix, Ariz.-based iPowerWeb, which had almost 11,000 of the tracked malware-infected sites residing on its Web servers. Far behind iPower were Layered Technologies (roughly 2,500 sites), ThePlanet.com Internet Services (2,000) and Internap Network Services (1,400), all of which are also based in the United States.
Coming in a far-off fifth was Chinanet Guangdong province network (800), the only international entry on the list. China is considered by some researchers to rank second behind the U.S. in overall malware distribution.
The most significant trend cited by StopBadware is the use of legitimate Web sites to deliver attacks, a shift that has rapidly emerged over the last year as threat writers have taken steps to avoid black lists of URLs identified by security companies as nefarious.
"The big trend that we see is away from sites distributing badware knowingly and maliciously to a world in which many of the sites hosting badware have no idea," said John Palfrey, co-director of StopBadware and Executive Director of the Berkman Center for Internet & Society at Harvard Law School.
"Often, amateur Web masters find out that their sites have been hacked, and that their sites can infect their customers' computers without anyone's knowledge - except the unscrupulous hacker who is trying to make a buck off the transaction or is just out to cause harm," he said.
The trend would also explain the large proportion of sites being hosted through companies that themselves seem otherwise legitimate.
In the most recent press release posted to its corporate home page, iPower -- which markets itself as an ideal partner for small and medium-sized businesses -- cites a "Rising Star" award it was granted by consultancy Deloitte Touche in late 2006.
Of the other companies named, several actively market security services to customers.
iPower claims to be the fifth largest hosting company in the world, with over a half million customers in 100 countries.
StopBadware is encouraging ISPs to become even more stringent in their policing of virus-infected sites, while pointing out that the problem isn't altogether the companies' fault.
"Hacking can turn a legitimate and otherwise trusted Web site into a badware distributor that can escape the notice of some of the savviest Internet users," said Jonathan Zittrain, co-director of StopBadware and Chair in Internet Governance and Regulation at Oxford.
"Web hosting providers are well positioned to combat the spread of badware, minimizing the risks posed to the greater Internet community. It is our hope they will work proactively, both on their own and with site owners to implement security measures to stem the flow of badware across the Internet."
Among the most common attacks found by the group among hacked sites were:
- Exploiting a known vulnerability in an older version of cpanel software to gain administrative access to sites hosted on servers managed with cpanel.
- Exploiting a known vulnerability in an un-patched content management system to inject lines of code via SQL queries that load exploits in otherwise legitimate sites.
- Guessing weak passwords to inject lines of code that load exploits in otherwise legitimate sites.
By merely pushing their customers to be smart and use more complex passwords, the companies named in the study could likely improve the current situation, according to StopBadware, which also advised people to research ISPs before launching their own sites and to "take note of hosting providers that host a high number of infected sites."
"Web hackers and badware distributors are constantly finding new ways to work around the safeguards that are put in place to protect consumers," said Palfrey. "Web hosting providers must do their part to stay ahead of the curve and help keep the websites they host safe from malicious attacks."
I'll be sitting down tomorrow with Ben Edelman, another prominent security researcher who is currently teaching at Harvard and was previously affiliated with the Berkman Center, to chat about trends in adware and spyware. Stay tuned.
Posted by Matt Hines on May 8, 2007 09:29 AM
- COMMENTS
I am a current employee with IPOWER and would like to comment that we did identify the malware issue early on and tried to implement mandatory complex passwords (upper and lower case, #, and non-alpha characters) for our existing and new customers. This action caused such a hailstorm of telephone calls to our tech center that we were maxed out with our local telephone provider. We were forced to rescind the rule because all of our customers were complaining and refusing to comply. Just wanted to add the facts to this article, we are aware and tried the "tough love" approach with our customers to no avail.
Posted by: Erik at May 11, 2007 01:43 PM