Majority of malware sites hosted in China: Google study
February 18, 2008
The Google Anti-Malware Team has published a research paper detailing the technical background of websites that distribute malicious software. According to the study's lead author, Google has found in its index more than three million unique URLs pointing to 180,000 websites that attempt to automatically infect systems when opened in a browser. Two-thirds of those "drive-by download" sites are hosted in China.
The technique most commonly used is to "hijack" portions of third-party websites, which then redirect visitors to the sites that attempt to infect their computers. Often, exploits and weaknesses in unpatched software (phpBB, InvisionBoard) are used to inject links or zero-pixel iframes into a legitimate website. A vast number of problematic links are also posted on forums and in blog comments. Two percent of malicious web sites deliver malware via advertising networks -- a trend the paper's authors find alarming, because "even protected web-servers can be used as vehicles for transferring malware."
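The injection pattern described above, zero-pixel or hidden iframes planted in an otherwise legitimate page, is something a site owner can scan for. The following is an added example, not code from the Google paper; the sample HTML and the host names in it are constructed.

```python
"""Flag hidden (zero-pixel or display:none) iframes in an HTML page.
Added example; the sample page and host names below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches inline styles such as "width:0", "height: 0px", "width:0%"
ZERO_DIM = re.compile(r"\b(width|height)\s*:\s*0(px|%)?\b", re.I)


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are sized to zero or hidden via CSS."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host   # host the page itself is served from
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src, style = a.get("src", ""), a.get("style", "")
        zero_attr = a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0"
        compact = style.replace(" ", "").lower()
        zero_style = bool(ZERO_DIM.search(style)) or "display:none" in compact
        # A relative src stays on the page's own host; anything else is external
        host = urlparse(src).hostname or self.page_host
        if src and (zero_attr or zero_style):
            self.findings.append({"src": src, "external": host != self.page_host,
                                  "line": self.getpos()[0]})


def find_hidden_iframes(html, page_host):
    """Return a list of hidden-iframe findings for the given page HTML."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed forum page: one legitimate embed and two injected, hidden iframes
SAMPLE = """<html><body>
<h1>Forum</h1>
<iframe src="/embed/player.html" width="400" height="300"></iframe>
<iframe src="http://bad-host.invalid/x.php" width="0" height="0"></iframe>
<p>comment</p>
<iframe src="//other.invalid/y" style="display:none; width:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE, "forum.example"):
        print(f"line {f['line']}: hidden iframe -> {f['src']} (external={f['external']})")
```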
Another interesting quote from the study: "...the malware serving networks are composed of tree-like structures with strong fan-in edges leading to the main malware distribution sites. These distribution sites normally deliver the malware to the victim after a number of indirection steps traversing a path on the distribution network tree."
A technical report, named "All Your iFrames Point to Us" in a humorous reference to one of the oldest internet memes, can be downloaded in PDF format from the Google Online Security Blog. Some of the important points in the document:
- The hundreds of thousands of "drive-by download" sites boil down to 500 "autonomous systems", or individual hosting companies and their clients.
- The USA is the second most popular hosting location for malware sites after China, with a one-sixth share; Russia is third.
- 63% of the 180K malicious sites are hosted on Microsoft's IIS, 33% are hosted on Apache. Most use outdated PHP and server versions.
- Among drive-by downloads, half alter the system's startup, a third attack security software, and a quarter change system preferences.
- Three unnamed antivirus engines tested against malware retrieved by the study had detection rates of about 35%, 50%, and 70%.
Copyright © 2008 DevStart, Inc. Permission is required to use the material on this page.