
Foreword
This article is a partial translation of the report for H2 2012.
The report itself seemed quite interesting and informative to me, which is why I decided to publish a small part of it for a start, and then, if that works out, everything else.
What is it actually about?
This time of year is always very interesting: it is when the Labs look back at the events of the past six months and draw conclusions.
Common sense is still necessary when using the Internet, but lately it has become increasingly difficult to spot the dangers. Ad networks are embedded in a huge number of sites and can distribute malicious software through web portals that ought to be trustworthy.
Introduction
The development of the Internet today shows a rather alarming trend.
On the one hand, publishing content on the Internet has never been easier. Anyone can create their own website in a matter of seconds without any special technical knowledge, which is a pleasant development. On the other hand, that anyone may be a bad actor who wants to profit from malicious activity on the network.
Content placement
Traditionally, the "bad guys" place their malicious products on stand-alone websites, and recent events in the hosting industry have made this option even more attractive.
However, hosting has not yet become so affordable that it would be possible to buy domains in bulk; at present, subdomain hosting lets a user place content on the Internet much more cheaply, and often completely free of charge.
Hosting sites vary, and some are better suited than others for hosting malware. An image hosting site, for example, is poorly suited for attackers, whereas some other types of website hosting, by their very nature, can easily distribute malicious content. The following services are the most actively used by malware distributors:
- Dynamic DNS Providers
- Subdomain and redirect hosting
- Blogs and content hosting
- File hosting
- App Stores
All of these services are preferred by attackers because of their ease of use, high level of anonymity, and the fact that they are cheap or even completely free. Although all of these services saw a significant increase in malicious hosting, the most prominent are dynamic DNS providers and application stores (the latter have a separate article in the report).
Since the number of subdomain hosting offers from dynamic DNS providers has grown, the greatest amount of malicious content is served through them. When one of the top 3 dynamic DNS providers (no-ip.com, dnsdynamic.org and changeip.com) was checked, it turned out that 87% of the domains it supports host malicious content.

Next come subdomain and redirect hosting. Although they have ceded ground to dynamic DNS providers, these sites still retain their share of malicious content. A significant number of them (uni.me, 110mb.com, vv.cc, x10.mx and rr.nu) are actively used to host malicious content. Even after a major player, co.cc, mysteriously disappeared, most of these subdomain hosting sites continue to flourish.
Blogs and other content hosting sites are not far behind. Consider WordPress, the most popular CMS at the moment, with a 59% market share. Its convenience and revolutionary approach to content creation let even the least technically savvy people be part of cyberspace. However, since the "bad guys" are also well aware of these statistics, exploit kits aimed at sites running WordPress allow legitimate pages to be replaced with pages carrying malicious content.
Finally, file hosting is an easy way to back up or distribute both legitimate and malicious software on the Internet. A significant amount of malware is fetched from file hosting by so-called Trojan-Downloaders directly onto the system without any user intervention. File hosting provides free and easy one-time hosting for malware, a good alternative for an attacker who would otherwise have to use the technically more complex dynamic DNS hosting, subdomain hosting, or even standalone domains.
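A defender-side check that follows from the categories above, added here as an example and not taken from the report: flag proxy-log requests whose destination host sits under one of the dynamic DNS or subdomain hosting services the text names. The category lists use only the domains quoted above; the log format and log lines are constructed, and the script uses only the Python standard library.

```python
# Added example (not from the report): match proxy-log destinations against the
# hosting services the report names as heavily abused. Log lines are constructed.
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Apex domains quoted in the report, grouped by the hosting category it describes.
ABUSED_HOSTING = {
    "dynamic-dns": {"no-ip.com", "dnsdynamic.org", "changeip.com"},
    "subdomain-hosting": {"uni.me", "110mb.com", "vv.cc", "x10.mx", "rr.nu"},
}

def categorize_host(host: str) -> Optional[str]:
    """Return the category if host is a listed apex or a subdomain of one.

    The dot before the apex matters: 'notno-ip.com' must not match 'no-ip.com'.
    """
    host = host.lower().rstrip(".")
    for category, apexes in ABUSED_HOSTING.items():
        for apex in apexes:
            if host == apex or host.endswith("." + apex):
                return category
    return None

def scan_proxy_log(lines):
    """Return (category, host, url) for every request that hits a listed service."""
    hits = []
    for line in lines:
        parts = line.split()          # constructed format: timestamp client-ip url
        if len(parts) < 3:
            continue                  # malformed line: skip rather than crash
        url = parts[2]
        host = urlsplit(url).hostname
        if not host:
            continue
        category = categorize_host(host)
        if category:
            hits.append((category, host, url))
    return hits

def summarize(lines) -> Counter:
    """Count hits per hosting category, e.g. for a daily report."""
    return Counter(cat for cat, _, _ in scan_proxy_log(lines))

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2012-11-03T10:01:00Z 10.0.0.5 http://update-check.no-ip.com/dl/x.exe",
    "2012-11-03T10:01:02Z 10.0.0.5 http://www.example.com/index.html",
    "2012-11-03T10:01:05Z 10.0.0.9 http://fake-login.vv.cc/secure/",
    "2012-11-03T10:01:07Z 10.0.0.9 http://notno-ip.com/",  # suffix lookalike, no match
]
```

A hit is a lead, not a verdict: plenty of legitimate home servers live on dynamic DNS, so the output is for triage rather than blocking.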
Social networks and social media sites
Currently, social networks and social media sites are very effective places for distributing illegal content, so large companies such as Facebook and Twitter have taken a strong interest in improving their security systems. Facebook works with security experts in the hope of cleaning up the huge amount of data its systems process every day, and on the whole these efforts are successful.
The number of malicious applications and online scams posted on Facebook has decreased over the years, and in the second half of 2012 we found fewer than 30 illegal applications on the social network. Twitter has its own URL shortening service (t.co), created to help check as much as possible of the dangerous software distributed through public links. Although Facebook and Twitter are working to strengthen their security, the security issues of individual users in different countries often still have to be considered.
The main problem with social networking sites is that they are the perfect place for so-called social engineering. Despite the rising level of computer literacy, there are still users who unwittingly click on "enticing" links, and so fraudulent illegal content keeps spreading.
Ad networks
In an era when every platform can host free content, someone has to pay the bills for the infrastructure behind it. TechCrunch has an interesting analysis of the monetization methods used by modern advertising services and how they affect the mobile world. Advertising has gone over to the dark side in the form of what is called malvertising (a contraction of "malicious advertising").
Malicious advertising is developing rapidly. A quick glance at Alexa's domain ranking is enough to show its attractiveness: of the top 1000 domains, 5.9% belong to ad networks. And, of course, users do not see ads on those sites themselves; they see them when visiting other sites with content of interest to them, into which the ads are inserted from ad servers.
Quite a lot of websites currently display remote content in addition to their own. Take ESPN as an example. Besides the main part at espn.go.com, the site loads content from these domains:
- espncdn.com - formatting pages and content
- dl-rms.com, doubleclick.net, 2mdn.net, scorecardresearch.com, ooyala.com, adnxs.com, adroll.com, mktoresp.com - advertising services for monetization
- chartbeat.com, google-analytics.com, etc - traffic statistics
- typekit.com, etc - tools/software
Since several different sources are used, the security of the website is no longer limited to the content it displays; it also depends on the integrity of the advertising networks that provide content and on the security of the tools or software used on the site. Unfortunately, widening the information security perimeter of a single site in this way makes securing it more complex.
The "bad guys" know this and can easily exploit it. The most common attacks spread malicious ads and compromise the ad platforms used by the site host. A striking example is the case in which the ad network used by suomi24, one of the most popular websites in Finland, unwittingly served as the attacker's instrument.
Attacks on the ad platforms themselves, although they require much more technical knowledge, are also effective. A recent example was reported by Websense: the ad server involved was compromised by an attacker in order to execute malicious code on the site.
Another popular mechanism for distributing malicious ads is adf.ly, a URL shortening service that pays users for sharing links. Alexa ranks it the 76th most visited site worldwide and 37th in India, and 116,155 sites link to it, so the service is very widespread. For a better understanding of the malicious ads distributed through this service, see Malekal, which tracks the malicious content it spreads.
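The ESPN breakdown above is the kind of inventory a site owner should keep for their own pages, because every third-party origin is part of the attack surface. The following script, added here as an example and not part of the report, extracts the origins a page pulls scripts, frames, images and stylesheets from, reduces them to registrable domains, and reports any that are not on a reviewed allowlist. The HTML is constructed; the allowlist reuses apex names from the ESPN list; the two-label apex rule is a simplification (it has no public-suffix list).

```python
# Added example (not from the report): inventory the third-party origins a page
# loads and flag any not on a reviewed allowlist. HTML below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch (and often execute) remote content.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

def apex(host: str) -> str:
    """Registrable domain by the last-two-labels rule (simplification: no PSL)."""
    return ".".join(host.lower().split(".")[-2:])

class OriginCollector(HTMLParser):
    """Collect every host a page references in a resource-loading attribute."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""
        host = urlsplit(url).hostname   # handles protocol-relative "//host/..." too
        if host:                        # relative paths like /static/app.js yield None
            self.hosts.add(host)

def third_party_apexes(html: str, page_host: str) -> set:
    """Apex domains the page loads from, excluding the page's own apex."""
    collector = OriginCollector()
    collector.feed(html)
    own = apex(page_host)
    return {apex(h) for h in collector.hosts if apex(h) != own}

def unreviewed_origins(html: str, page_host: str, allowlist) -> list:
    """Third-party apexes that nobody has reviewed yet, sorted for reporting."""
    return sorted(third_party_apexes(html, page_host) - set(allowlist))

# Allowlist built from apex names in the report's ESPN list.
REVIEWED = {"espncdn.com", "doubleclick.net", "google-analytics.com", "typekit.com", "adnxs.com"}

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://a.espncdn.com/site.css">
<script src="//www.google-analytics.com/ga.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="http://espn.go.com/logo.png">
<iframe src="http://ib.adnxs.com/frame"></iframe>
<script src="https://cdn.unknown-adnet.example/tag.js"></script>
</body></html>"""
```

Running the check on each deploy turns a silently added ad tag into a review item instead of a surprise.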
Take a look at the top 1000 most visited sites
Now let's look at Alexa's top 1000 most visited sites and see what they really consist of. The ranking includes search engines, social networks and social media, news and shopping sites, and all sorts of file and advertising hosting.
File hosting sites account for 1.9%, while social networks and social media make up 3.4%. Advertising networks are 5.9% of the total. Although only a few of them were found to have spread malicious content in the second half of 2012, they can certainly, when needed, provide a convenient platform for intruders.
The greatest amount of malicious content came from content hosting sites. In the second half of 2012 we saw that 56 of the top 1000 sites according to Alexa, or 5.6%, hosted malicious content, as a rule links or redirects to malware or phishing pages. Most interestingly, 95.4% of all malicious URLs found on these 56 sites belonged to only a handful of domains.

Note that so far we have considered only outright malware and fraud; we have not considered what operates on the borderline of the permitted and uses every kind of lure (health, beauty, money and all manner of sexual problems) to extract money or information from the victim.
These types of fraud are also gaining momentum, especially in particular countries. For example, Australia, Spain, Iceland, Hungary and Armenia are very susceptible to tricks that promise a quick way to get rich or to win something.
These types of fraud are generally classed as potentially unwanted rather than malicious, and therefore belong to a different category of illegal content.
In conclusion
It is truly amazing how much freedom the Internet offers its users. Today you can access the Internet from any device, and this is the real power that connects people from every corner of the globe.
The dark side, however, is that malicious actors have exactly the same reach to attack any corner of the Internet. The concept of online security has had to be revised: although some sites are still safer than others, nothing can be 100% safe.
For users, this means that Internet security is becoming an increasingly personal matter, requiring several layers of protection and a healthy dose of paranoia; at the very least, that minimizes the chances of being caught out.