Building on our first article in the series, we continue to analyze the Google Safe Browsing List. In this part, we present more detailed statistics about the hashes seen on the blacklist and try to provide insight into what we observe.

Motivation
Understanding the behavior of infected websites is very important. This provides security researchers with strategies to help deal a blow to the bad guys and at the same time, provide website owners and administrators an idea of the current state of website security.

Since the publication of our last article in this series, we have received good feedback from our colleagues in security. We will attempt to incorporate their comments and concerns in this part of the series.

Methodology
We discussed the aim of this experiment and methodology in the last part of this series. We won’t repeat them here, but we encourage you to take a look at our first article in this series if you haven’t already read it!

Analysis
Below we present some graphs which provide more information about the analysis.

• Websites have a high probability of getting hacked on a Wednesday!

Websites have a high probability of getting hacked on a Wednesday!

• Websites have a high probability of getting hacked between 7-8 PM PDT.

Websites have a high probability of getting hacked between 7-8 PM PDT.

• On Monday websites get hacked most between 11 AM to 12 Noon, PDT
• On Tuesday websites get hacked most between 9 AM to 10 AM, PDT
• On Wednesday websites get hacked most between 7 PM to 8 PM, PDT
• On Thursday websites get hacked most between 10 PM to 11 PM, PDT
• On Friday websites get hacked most between 11 AM to 12 Noon, PDT
• On Saturday websites get hacked most between 1 PM to 2 PM, PDT
• On Sunday websites get hacked most between 11 AM to 12 Noon, PDT

Note: Most hashes which stay on the blacklist (over the 113 day period) seem to get added to the blacklist on Wednesday.

Conclusions
We have presented more interesting statistics regarding the appearance of website hashes on the Google Safe Browsing List. These statistics provide information which website administrators and owners can use better arm themselves with against attackers. We will continue analyzing the dataset to provide more interesting information. If you have any questions please add a comment.

At stopthehacker.com, we work hard to help you combat malicious hackers. If you would like to work with us, please drop us an email. You can also visit our services page to find out how we can help you, in fact you can even sign up for free services!

Till next time…

News, Report, Security analysis, blacklisting, google, malware, monitoring

Blacklists are published by many security groups and organizations around the world to share knowledge about malicious websites, IP addresses and other security features which allow others to insulate themselves from the dark side of the Internet.

In recent years, the number of blacklist being published by web-centric organizations have grown by leaps and bounds. Large Internet based companies such as Google, Yahoo and Microsoft have been providing cues to their users about malicious websites in trying to make the Internet a safer place. Google provides much more in-depth information than the other two, Yahoo and Bing, and seems to have sophisticated virtual machine based analysis tools which can detect misbehaving malicious code. Yahoo employs McAfee’s Search scan service while Bing potentially uses Microsoft specific technologies.

Experiment Goal

The aim of this experiment is to compare the coverage for each of the blacklists published by Google, Yahoo and Bing and compare them to what users in the Internet believe. To do this we will compare the results of Google, Yahoo, Bing and Malware Patrol with Web of Trust (WOT). Furthermore, we have also tried to see how many of these malicious URLs are also involved in Phishing. We have done this by looking up each URL/domain via Phishtank’s API.

Blacklists provide an easy mechanism for users (via browsers) and developers (via APIs) to assimilate security information about websites, IPs and such in order to make an informed decision about whether to allow or deny access to an IP or website.

Methodology

We have collected 1095 confirmed malicious links from MalwareURL. Each of these links was tested to determine if they are listed on blacklists supplied by Google, Yahoo and Bing. Note that Yahoo and Bing unlike Google do not provide any direct APIs to probe their databases. Thereby each link, and its associated domain was pushed via an HTTP request to Yahoo and Bing to analyze if the results indicated that the domain/link was infected.

To determine if a website is present in the Google malware blacklist, the domain name along with the link and its variations, as defined here, are converted to MD5 hashes and checked using Google’s Safe Browsing API. For Malware Patrol, the aggressive version of their blacklist is downloaded and comparisons are made locally. For WOT, we employ their XML based API to gather information about the belief of users in the Internet. For Phishtank we have used their XML based API. The tests were conducted on Mar 22 2010.

Popular blacklists cover only a minuscule percentage of malicious sites.

Highlights

• Google marked 0.18% of the URLs as unsafe.
• Yahoo marked 1.0% of the URLs as unsafe.
• Bing marked 0.09% of the URLs as unsafe.
• Malware Patrol marked 0.63% of the URLs as unsafe.
• Phishtank marked 0% of the URLs as unsafe.
• WOT marked 99% of URLs as unsafe.

Note: 1095 unique, malicious URLs were tested with each service.

Observations

Interestingly, Web Of Trust (WOT) marked 99% of the URLs with “poor” or “very poor” or “unsatisfactory” reputation. We have to assume that when users will see such a rating they will not visit the website in question and hence treat this kind of rating as unsafe, for the purposes of this test. It remains to be determined if WOT uses a data feed from a malware URL which we have used to prime the test set. Nonetheless, it is surprising to see that a company which specializes in collating the trust and opinions of web surfers performs better orders of magnitude than large Internet companies and established blacklist providers.

One must keep in mind though that Google’s approach to maintaining an ever changing blacklist is slightly different from the other actors in the game. Google publishes an updated version of its list every 30 minutes or so and specifies which MD5 hashes need to be purged and which ones need to be inserted. Some blacklist services do not take this approach and hence may claim to store information on millions of sites, which were infected at one point in time. The probability of this happening in the Google blacklist is low, because they have opened up a review process via their webmaster central area to update their blacklist.

In contrast, Bing and Yahoo do not provide public APIs for developers and applications to use.

Also, we see that none of the URL/domains were actually listed on Phishtank. It seems that websites which aim to infect users with malware are quite different from the set of sites used for phishing. It does not seem that malware laced websites are also used to commit phishing.

Conclusion

Large Internet companies, some of whom have published effective blacklists, used by many developers and application all over the world, still have a long way to go in order to become truly effective. As we have seen, only minuscule numbers of malicious websites are identified by the blacklist services. WOT seems to be extremely effective at identifying unsafe websites. It remains to be determined whether the data-set used for this test has a large overlap with any of the sources WOT uses to classify websites.

Another interesting result is that it does not seem that websites which aim to infect users with malware are actively involved in phishing campaigns.

Report, Security bing, blacklisting, google, wot, yahoo

Zombie IPs can be defined as Internet Addresses which participate in bot net communications. When Internet surfers visit websites contaminated with malware, the malicious code often times is successful in infecting the computer of the unsuspecting visitor. Once the malware has installed itself on the personal computer of the Internet surfer, it proceeds to receive commands from a “controller.” This controller machine in many cases a chat group (IRC) or a more sophisticated system.

At StopTheHacker.com, we have tried to investigate whether there is a correlation between zombie IP addresses (botnet communication sources) and blacklisted websites. If there is a strong correlation, then it points to a disturbing trend that servers used to host websites, are infected at two levels. The websites themselves are infected and there is some kind of botnet malware hosted on those servers as well.

The Gumblar variety of infections have targeted web sites by installing malicious binaries on end-user clients and then sniffing through for FTP credentials to inject sites with malicious code. This experiment provides a preliminary look into whether these kinds of malware are just targeting sites and are also creating botnets using the infected machines.

Experiment Setup

We have examined 178 CIDR IP address ranges obtained from SpamHaus. The entire IP address space covered 1,508,096 IP addresses. Out of these, a random sample of 1,600 IP addresses were chosen. Subsequently, we made attempts to determine the websites hosted on each IP address and check them with the Google Safebrowsing list. The experiment was conducted on January 11, 2010.

Experiment Summary

Results in brief:
• The majority of zombie IPs do not seem to host any blacklisted websites.
• Only 0.5% IPs seemed to host a website, none of which were present in the Google blacklist.

This is an indicator that zombie IPs do not usually host blacklisted websites. It seems that malware installs itself stealthily on end-clients and sniffs for ftp credentials, and does not really try to join the host machine with the botnet. This could be due to a concern that creating/joining a botnet increases the chances of the malware being detected on the host. However, given the robust and increasingly related cycle of cyber-crime that proliferates the Internet, this trend may change soon. We will be keeping a close eye on this trend, and expect to publish more results as a follow up to this initial experiment.
Read more…

News, Report, Security blacklisting, IP, sites, zombie

Try our Blacklist Monitoring service for free. Blacklisting can happen to anyone. Now, with Blacklist Monitoring, know before it’s too late to keep your customers. Getting quick notice can let you fix the problem faster. Together, we can help make the web a safer, better place to surf.

What’s in it for you?

• We tell you if your site appears on a blacklist, i.e. Google’s SafeBrowsing list.
• You’ll receive an email every day with your status.

Sign up now. It’s Free!

• Free Google Blacklist Monitoring

Blacklisting happens to sites everyday and some don’t even know it until they hear that their readers and customers can’t reach them (see badwarebusters). Being blacklisted can practically take your website off the Internet! Most web browsers, like Firefox, Internet Explorer, Safari, or Chrome, will keep your visitors from accessing your site entirely, some won’t even give your visitor a choice.

We hope this never happens to you, but we can prepare you for when it does. We’ll notify you immediately. We can even help you recover.

We’ll be adding more services soon, so check back and don’t forget to subscribe to our feed, or follow us on Twitter or Facebook!

Company, News blacklist monitoring, blacklisting, free service, google, notification, tracking