
January 27th, 2009

Spammers evade detection with temporary Web sites

Posted by Andrew Nusca @ 9:46 am

Categories: Security

Tags: Web, Spammer, Codec, Malware, Web Site, Site, Attack, Malware Author, Spyware, Adware & Malware, Cyberthreats

Cybercriminals are evading detection by anti-virus and anti-malware vendors by putting up malicious sites that are live for just one day or less.

AVG Research found that in the last quarter of 2008, about 60 percent of new sites linked to malware were up for less than one day — and the average number of such temporary Web sites grew from between 100,000 and 200,000 to between 200,000 and 300,000.

Using short-lived Web sites and pages makes it more difficult to track and stop malware authors, all while delivering fake antispyware (“scareware”) to victims.

According to an article on InternetNews, hackers seem to find these sites more effective than using fake codecs, which tell victims to click on a link to download a software upgrade so they can view a video or an Adobe Flash presentation.

AVG found that 62 percent of sites distributing fake codecs, 50 percent of sites distributing attacks from China and 28 percent of sites distributing scareware were all active for less than one day, with the majority active for less than 10 to 14 days.

The malware war rages on, according to the article:

Typically, malware authors hack into an innocent third party’s Web site and do a remote file injection that will redirect queries to an infected site, he explained. “The site that originally hosts the redirect command is probably a mom and pop barbecue shop where they have no idea what’s being done,” said Thompson.

That is exactly what happened to BusinessWeek.com just one week after its launch in early September. Hundreds of pages on a part of its Web site were infected.

Unless the original hacker’s site is discovered, it is almost impossible to shut down the attack, Thompson said. The transience of Web sites and pages used by hackers is making it less and less important to be able to block bad pages or sites by checking against their URL or IP address, which most antivirus vendors are doing, he added.

Malware authors are also making heavy use of social networking sites, which offer “transient, rapidly changing information.”

What’s more, while cybercriminals using fake codec attacks use 4.6 times as many unique pages as those distributing scareware, scareware attacks affect 68 percent more victims, according to AVG.

Andrew J. Nusca is an associate editor for ZDNet and SmartPlanet.

