More evidence of U.S. as malware capital

Contrary to beliefs that overseas crime networks and unemployed computer programmers in Eastern Europe remain the leading sources of virus code on the Internet, new research supports the growing perception that the United States is producing greater volumes of malware code than any other region of the planet.

According to security hardware maker Finjan's latest Web Security Trends Report -- which analyzes data collected by the San Jose-based firm over the first three months of 2007 -- more than 80% of the Web sites it found to be distributing malicious code were hosted on servers located in the U.S.

Although Finjan officials concede that much of the malware distributed by those sites may indeed be written and controlled by hackers operating outside of the U.S., the results indicate that efforts by legislators and law enforcement officials to crack down on illegal computing activity in the nation may not yet be succeeding.

According to the Q1 Finjan report, published on March 26, the United Kingdom ranked second in the list of countries hosting infected sites, accounting for roughly 10 percent, followed by Canada, Germany, and Italy. Noticeably absent from the top of the rankings are Russia and China, which have been widely perceived in recent years as leading sources of malware worldwide.

Finjan'sresults jibe with rival Symantec's latest Internet Security Threat Report -- released earlier this month -- which also maintains that attacks are increasingly emanating from sources in the United States. Symantec's research, which focused on all types of threats, not just Web-based attacks, reported that the U.S. is the source of about 31% of all malware and phishing schemes.

The reason why so many threats are coming from sites hosted in the U.S. and other relatively wealthy nations -- most of which have stricter laws in place to combat such efforts than their developing neighbors -- is simple, said Yuval Ben-Itzhak, chief technology officer at Finjan.

No matter what region the code writers live in, he said, attackers are flocking to markets where the most money is changing hands to carry out their crimeware schemes, and increasingly doing so by hijacking legitimate URLs to pass out their work.

"If you look back at many reports over the last few years, the perception has been that the malware is coming from Russia and other areas where laws are fewer and harder to enforce, but when we analyzed the live end-user content, we realized that a vast majority of malware was coming from servers in the U.S. where there are advanced laws and practices," Ben-Itzhak said.

The upside of the issue is that security researchers can take action when they find malware URLs that are based in the U.S. by reporting them to authorities and applying pressure to the companies hosting the sites to take them offline.

For the most part, the malware delivery pages are supported by cheap hosting companies that don't appear to closely monitor their behavior, Ben-Itzhak said. But an even more alarming trend is the high number of attacks being passed along to end-users via seemingly legitimate sites.

In many of those cases, the attacks are being served up as advertisements that site operators may not even recognize as malware sources, making the situation even harder to fight.

"It's very clear that a lot of malware is coming from advertisements, and it's difficult to track where the code is originating because of the layers of ad systems, aggregators and agents that work together to create and distribute this content," Ben-Itzhak said. "There are so many third parties pushing ads to these sites, and there is no official process among these parties for seeking out the bad code."

A high-profile example of this type of attack was being distributed on a banner ad posted to social networking site MySpace.com in July 2006, which specifically attempted to use a security flaw in Microsoft Windows to infect Web surfers with spyware.

Finjan'sreport indicates a trend of new efforts to spread malware using Web pages that have been filtered by automatic translation services, which are typically used by people to read content written in foreign languages.  

Because the translation services don't scan for threats, and are often distributed in cooperation with known sources such as news sites or search engines, attackers can use the systems to sneak infected links through to end-users without tipping off security applications that look for unknown content.

"The translation service sends a link that looks fine but the malware is still in there," Ben-Itzhak said. "This is another reason why people need real-time dynamic scanning for protection, because it's so hard to tell what you might actually be looking at these days."

This story, "More evidence of U.S. as malware capital" was originally published by InfoWorld .

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies