Spammers Ramp Up Short-Lived Web Sites

In their never-ending war with antivirus vendors and other malware fighters, cybercriminals have come up with a new twist to evade detection – putting up malicious sites for one day or less on average.

Antivirus vendor AVG Research found that in the last quarter of 2008, about 60 percent of new sites linked to malware were up for less than one day. The average number of such new Web sites put up daily grew from between 100,000 and 200,000 to between 200,000 and 300,000, AVG said.

Using short-lived Web sites and pages makes it more difficult to track and stop malware authors, Roger Thompson, chief research officer at AVG, told

The most common use for these short-lived sites is to deliver fake antispyware, also known as scareware. Users are told their computer is infected and they need to download a “cleaner,” when in fact that “cleaner” is the infecting payload.

Hackers seem to find these more effective than using fake codecs, which tell victims to click on a link to download a software upgrade so they can view a video or an Adobe Flash presentation, AVG said.

AVG found that 62 percent of sites distributing fake codecs as well as about 50 percent of sites distributing attacks from China and 28 percent of sites distributing scareware were all active for less than one day.

Overall, most of these sites are active for less than 10 to 14 days, AVG found.

AVG expects the explosive growth in the number of unique new sites linked to malware to continue. That is because cybercriminals have become smarter at evading detection, Thompson said.

Hitting the small guys

Typically, malware authors hack into an innocent third party’s Web site and do a remote file injection that will redirect queries to an infected site, he explained. “The site that originally hosts the redirect command is probably a mom and pop barbecue shop where they have no idea what’s being done,” said Thompson.

That is exactly what happened to just one week after its launch in early September. Hundreds of pages on a part of its Web site were infected.

Unless the original hacker’s site is discovered, it is almost impossible to shut down the attack, Thompson said. The transience of Web sites and pages used by hackers is making it less and less important to be able to block bad pages or sites by checking against their URL or IP address, which most antivirus vendors are doing, he added.

Malware authors are also making heavy use of social networking sites, AVG has found. Social networking sites offer transient, rapidly changing information, which makes them fertile ground for cybercriminals, Thompson said.

Scareware is proving to be the biggest threat to consumers because of the frequency of spam and pop-ups, and news of virus and worm attacks and data breaches. While cybercriminals using fake codec attacks use 4.6 times as many unique pages as those distributing scareware, scareware attacks affect 68 percent more victims, AVG has found.

Microsoft has declared war on scareware authors, and is pursuing lawsuits against them both privately and with government authorities.

Thompson recommends a layered defense using different approaches to fight cybercriminals. “No one approach is 100 percent capable of blocking attacks, it’s like Swiss cheese. But if you put one piece of Swiss cheese on top of another, and a third piece on top of the other two, you’ll not have any holes that go all the way through because the holes in the pieces are random,” he said.

Instead of looking for signatures or URLs and IPs alone, AVG uses a combination of heuristics and pattern matching to block malware. “Each of the criminal gangs involved in authoring malware has a specific way of doing things,” he explained. “Once we can spot how they write their HTML and JavaScript code, we know their M.O. and can block them anywhere.”
