New discoveries were recently reported as a continuation of a March report on observed maliciousness in Alexa top-ranked domains. Barracuda Labs has intentionally been mimicking typical web browsing behavior to review the most popular websites as listed by Alexa Internet, Inc, which offers information about websites including top sites, Internet traffic stats and the like. I wrote about the initial report in Popular Web Sites Found to Host Malicious Content.
According to researcher Paul Royal, the Lab continued to look at some of the same items from the March study, but this time went further into the data to examine recurring maliciousness for a given domain, the use of ad networks as entry points to drive-by downloads, and the use of Java in exploited sites.
The latest observations validate the March findings. In this report, top sites served malicious content on 26 days per month, up from 23 days in the last report. The sites involved showed no geographic borders, with malicious content served across 13 countries this time and 18 last time. Also observed again was that the sites are not new: over 97 percent of the affected sites were a year or more old, in both this report and the earlier one.
For this report period, 39 of the Alexa top 25,000 websites, when visited, served drive-by downloads for at least one day. Royal says this time the researchers examined how, beginning with a visit to a popular website, malicious content was served to the browser. “Given that almost all of the sites were long lived, we expected most instances of malicious content to arrive via the sites’ use of ad networks, which are a frequent target of criminals,” Royal explains. “However, to our surprise, malicious content originated from [ad servers in] only 18 (or 46.1 percent) of the 39 sites. The remainder were, in one form or another, the result of directly compromising the website.”
This latest report also examined the use of Java among browser-based exploits. Royal notes, “Of the 39 sites, 34 (or 87.1 percent) served malicious content (usually targeting multiple software components) that included one or more exploits for Java (e.g., CVE-2012-0507). This finding supports the widely held belief that Java is one of the most ubiquitous targets of drive-by download attacks.”
Disabling Java when it’s not needed is recommended by Barracuda Labs for this reason. Go to New Insights on Maliciousness in Top-ranked Domains for more on this study.