26 Feb 08

State of the Malware Nation

It’s a couple of weeks old, I know, but for anyone who hasn’t seen it, Google’s Online Security Blog has linked to a draft article produced by some of their malware researchers about the trends they’ve observed in malware hosting and distribution. Aside from a troubling preoccupation with CDF graphs, it’s a really interesting look at the way malware networks are spread through the internet.

I found this snippet interesting:

We also examined the network location of the malware distribution servers and the landing sites linking to them. Figure 8 shows that the malware distribution sites are concentrated in a limited number of /8 prefixes. About 70% of the malware distribution sites have IP addresses within 58.* — 61.* and 209.* — 221.* network ranges.

Our results show that all the malware distribution sites’ IP addresses fall into only 500 ASes. Figure 9 shows the cumulative fraction of these sites across the 500 ASes hosting them (sorted in descending order by the number of sites in each AS). The graph further shows the highly nonuniform concentration of the malware distribution sites — 95% of these sites map to only 210 ASes.
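As an added illustration (not code from the Google paper or from this post), here is how the two concentration measures in the quoted passage can be computed over a set of (IP, AS number) records: the share of sites inside the named /8 ranges, and the cumulative fraction of sites across ASes sorted by site count. The addresses and AS numbers below are constructed for the example.

```python
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample of (distribution-site IP, hosting AS number) records.
# Addresses and ASNs are made up for illustration only.
SAMPLE_SITES = [
    ("58.10.1.1", 4134), ("58.10.1.2", 4134), ("59.20.2.2", 4134),
    ("60.5.5.5", 4837), ("61.7.7.7", 4837), ("209.1.1.1", 21844),
    ("210.2.2.2", 21844), ("220.3.3.3", 4766), ("221.4.4.4", 4766),
    ("8.8.4.4", 15169), ("1.2.3.4", 13335),  # outside the quoted ranges
]

# The /8 ranges named in the quoted passage, as inclusive first-octet spans.
CONCENTRATED_SLASH8 = [(58, 61), (209, 221)]


def in_concentrated_ranges(ip: str) -> bool:
    """True if the address' first octet falls in one of the named /8 spans."""
    first_octet = IPv4Address(ip).packed[0]
    return any(lo <= first_octet <= hi for lo, hi in CONCENTRATED_SLASH8)


def fraction_in_ranges(sites) -> float:
    """Fraction of sites hosted inside the quoted /8 ranges (the Figure 8 measure)."""
    return sum(in_concentrated_ranges(ip) for ip, _ in sites) / len(sites)


def as_cumulative_fraction(sites):
    """Cumulative fraction of sites per AS, with ASes sorted by site count
    descending (the Figure 9 curve). Returns a list of (asn, cumulative_fraction)."""
    counts = Counter(asn for _, asn in sites)
    total = len(sites)
    running, curve = 0, []
    for asn, n in counts.most_common():
        running += n
        curve.append((asn, running / total))
    return curve


def ases_covering(sites, target: float) -> int:
    """Smallest number of top ASes whose sites reach at least `target` of all
    sites (the statistic behind '95% of these sites map to only 210 ASes')."""
    curve = as_cumulative_fraction(sites)
    for rank, (_, cum) in enumerate(curve, start=1):
        if cum >= target:
            return rank
    return len(curve)
```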

But I think this is the big takeaway:

(Figure: Malware Landing Site Distribution)

Because malware is being distributed via ad networks more and more, it’s no longer safe to assume that you’ll be okay if you just avoid the seedy parts of the net. And because in a lot of cases it no longer requires user interaction, the old-school “don’t run executables from random websites” best practice might not be enough either. To stay on top of things, you are going to want to be running a browser that is as hardened as we can make it, and that also incorporates active checking of known malware sites.

And lookit, the Firefox 3 beta is right over here.