An Examination of the Drive-By Malware Distribution System

Niels Provos, a member of Google’s Anti-Malware team, posted the results of a year-long study of drive-by malware installation. The technical report linked above is not the final paper that will be published on the topic, as it is still undergoing peer review; however, the information feels reliable at first glance.

For the purposes of this research, drive-by is defined as any malware that is installed simply by a user visiting a landing page, the malware then being installed without further user intervention via exploits of the browser or its plugins. What I found most interesting was that there is apparently now a tendency for malware not to be linked directly in these hijackings. Rather, the user can be redirected six or more times in order to confuse any anti-malware systems which may be in place. Plus, there seem to be only a few thousand Malware Distribution Masters that actually host malware. Unfortunately, the distribution architecture should make it fairly easy for distributors to change redirects and “fix” broken downloads if URLs begin getting filtered, so that would be an almost pointless battle.
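To make the multi-hop layering concrete from the defender's side, here is an added example (not code from the post or from the Provos study) that walks a redirect chain offline and flags chains that are unusually long or loop back on themselves. The redirect map, host names and the six-hop threshold used for flagging are constructed assumptions; a real analysis would populate the map from observed HTTP 3xx, meta-refresh and script redirects, which this script does not fetch.

```python
"""Walk a recorded redirect chain and flag ones that look like layered drive-by delivery."""
from urllib.parse import urlparse

# Constructed redirect map (assumption, not real data): each URL maps to the
# next hop it sends the browser to. Seven hops separate the landing page from
# the final host, mimicking the multi-hop layering the study describes.
CONSTRUCTED_REDIRECTS = {
    "http://landing.example/index.html": "http://hop1.example/r",
    "http://hop1.example/r": "http://hop2.example/r",
    "http://hop2.example/r": "http://hop3.example/r",
    "http://hop3.example/r": "http://hop4.example/r",
    "http://hop4.example/r": "http://hop5.example/r",
    "http://hop5.example/r": "http://hop6.example/r",
    "http://hop6.example/r": "http://dist.example/payload.bin",
}

# The post cites six or more redirects; treat that as the flagging threshold.
SUSPICIOUS_HOP_THRESHOLD = 6


def follow_chain(start, redirects, max_hops=20):
    """Return (chain, status): status is 'end', 'loop' or 'truncated'.

    A loop or a chain that exceeds max_hops is reported rather than
    followed forever, since both are things a recorded chain can contain.
    """
    chain = [start]
    seen = {start}
    current = start
    while current in redirects:
        nxt = redirects[current]
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
        if len(chain) - 1 >= max_hops:
            return chain, "truncated"
    return chain, "end"


def assess_chain(chain, status):
    """Summarise a chain: hop count, distinct hosts, final URL and a flag."""
    hops = len(chain) - 1
    hosts = {urlparse(u).hostname for u in chain}
    suspicious = hops >= SUSPICIOUS_HOP_THRESHOLD or status != "end"
    return {"hops": hops, "distinct_hosts": len(hosts),
            "final": chain[-1], "status": status, "suspicious": suspicious}


if __name__ == "__main__":
    chain, status = follow_chain("http://landing.example/index.html", CONSTRUCTED_REDIRECTS)
    print(assess_chain(chain, status))
```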

The numbers were still interesting, with the vast majority of landing sites and malware servers being located in China, the US a distant second, and Russia a distant third behind that. Frankly, I was surprised that Russia wasn’t higher on the list, as the Russian Menace has been a hot topic in security for a while. I suspect (as do Provos et al.) that this means there are more misconfigured servers in China than anywhere else, though something about that answer seems like a vast oversimplification of the issue.

Like more and more systems involved in the technology underground, the malware distribution system is going to be very difficult to do anything about. It’s very decentralized, and there are so many systems involved that putting a stop to it is nearly impossible. Another part of this study suggested that ~33% of PHP installs and ~33% of Apache installs were out of date (they couldn’t get figures on IIS). This is an enormous number of systems exposed to known vulnerabilities, and an enormous number of servers that could be pressed into service in the malware distribution system.

System administrators need to be more diligent about keeping systems up to date. Security holes will always exist, and trying to keep ahead of the attackers may be a losing battle, particularly as long as there is money to be made. Still, it is important that we do all we can to close security holes as they are discovered, and try to impress upon everyone how important those updates are.