One of the biggest threats to the world of computing is how slowly vendors respond to malware threats. For example, it took Apple 49 days after Oracle fixed a vulnerability in Java to make that fix available to OS X users. That delay allowed hundreds of thousands of Macs to be infected with the Flashback malware. Over the last few days I had the opportunity to test how quickly the industry as a whole responds to a report of a website distributing malware. The results aren't pretty.
Last Friday I discovered a website that tried to install fake AV software (aka scareware). How? I'm not really sure. I was hitting "next" through a slide show and suddenly I was redirected to the scareware site; obviously the original site had been compromised. I took the URL for the fake AV site and submitted it to virustotal.com (a service that runs a URL past a couple of dozen anti-malware and URL-reputation services) to see what the malware industry broadly thought of the website, and discovered that no one had yet flagged the site as harmful. So I went around reporting the URL as malware to everyone I could think of. A couple of hours later Google Safe Browsing had flagged the URL as containing malware. That was a great response. Sadly it was the only decent response in the entire industry. Two days later no one else had flagged the site for malware. Early on the third day Websense ThreatSeeker flagged the URL for malware. The bad URL is no longer responding, so after almost three full days the domain hosting the scareware has been taken down. But the scareware distribution site had almost three days from when I reported it (which may or may not have been the first report) to spread its malicious payload. Thousands of machines may have been infected, a situation that was preventable. I am not happy with the industry's response, and you shouldn't be either.
It doesn't appear that Microsoft updated SmartScreen to block the offending website within the three days the site was online. My report to OpenDNS went nowhere. Web of Trust (WOT)? Nowhere. Malware Patrol? I got an email promising that the site would be checked within an hour and that I'd receive a follow-up email. After three days I still haven't received the follow-up, and querying today doesn't show any results. Yandex Safe Browsing? It still shows the URL as not having a problem. MalwareDomainList? No activity on my report. URLQuery? It simply hung while analyzing the site. Scumware.org? A little ambiguous: VirusTotal tells me that it reports the URL as safe, but querying the scumware.org website directly says it is not safe. So I guess they deserve a passing grade.
It is one thing for a malware distribution site to continue dispensing its malicious content in the hours, or even days, before it comes to the attention of malware fighters. But once a site is reported for malware distribution, the protection systems need to block it within minutes or hours. Malware Patrol's promise of a one-hour response was music to my ears; unfortunately there was no follow-through. Google's response was excellent, but I've had other incidents where they were slow to respond, so I'm hesitant to praise them too strongly (just yet).
I do understand the challenge here, but that doesn't excuse the industry's tardy response. The designers of malware distribution sites have learned to trick automated tools into thinking the sites aren't malicious, for example by serving harmless content to anything that doesn't look like a real user's browser (URLQuery's hang is probably an example of such evasion). Commercial malware research teams can only afford so many analysts to examine potential malware distributors and must prioritize by the number of reports received, meaning a site may not get attention until it is impacting lots of people. Community-based systems rely on large numbers of people voting, or on one of their designated superusers deciding to investigate and designate a site as a bad actor. It looks to me like most have a large backlog of sites waiting to be investigated. These factors mean a website stays online far too long.
Are there solutions to this problem? Sure, but no easy ones. The first step towards a solution would be for the major players to set organizational goals that every report of a malware distribution URL receives an initial investigation within one hour of being reported. In some cases, as with drive-by downloads, determining that a site is distributing malware takes some work. But for the URL I reported this was a 30-second exercise: click on the URL, get the scareware web page, press a button to "Add this URL to our Block List". Setting an aggressive goal may require staffing increases, but more importantly it will force development of better tools for automatic evaluation.
Another tactic I would employ is creating a Grey List that causes browsers to block automatic redirects to a URL while it is being investigated. When a URL is reported for malware distribution, an automated system would check whether its domain is on a White List (e.g., well-known sites) and, if not, immediately add it to the Grey List until a full investigation can be done. The White List keeps malicious reporters from using the system to disrupt legitimate websites. Other techniques could automate this further (e.g., domains that have been around for years would be immune from the Grey List, while recently created domains would go on it immediately on any malware distribution report). Note that the Grey List targets the domain the victim is redirected to, not the compromised site doing the redirecting: in my case the slide-show site was a long-established, legitimate site and the scareware lived elsewhere.
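To make the Grey List proposal concrete, here is an added Python sketch of the triage logic and the browser-side redirect gate it implies. This is my own illustration, not code from any of the services named in this post. The allow-list entries, the one-year "recently created" threshold, the .test domain names and the dates are all constructed assumptions; in a real deployment the domain creation date would come from WHOIS/RDAP and the allow-list from a curated reputation source.

```python
"""Grey List triage for malware-distribution URL reports (illustrative sketch)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allow-list of well-established domains (an assumption; a real
# deployment would use a curated list or a reputation feed).
ALLOW_LIST: Set[str] = {"example.com", "wikipedia.org"}

# Domains younger than this many days are grey-listed on the first report;
# older domains are immune from automatic grey-listing. Threshold is assumed.
NEW_DOMAIN_DAYS = 365


@dataclass
class Report:
    url: str
    reported_on: date
    domain_created: Optional[date] = None  # from WHOIS/RDAP; None if unknown


def make_report(url: str, reported_on: str, domain_created: Optional[str] = None) -> Report:
    """Build a Report from ISO-8601 date strings (convenience for callers/tests)."""
    created = date.fromisoformat(domain_created) if domain_created else None
    return Report(url, date.fromisoformat(reported_on), created)


def registrable_domain(url: str) -> str:
    """Reduce a URL to its registrable domain (last two labels).

    Simplified on purpose: a real implementation must consult the Public
    Suffix List so that names like 'site.co.uk' are handled correctly.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(report: Report) -> str:
    """Automated decision taken the moment a report arrives, before any analyst.

    Returns 'investigate' (queue for analysis, never auto-block) or
    'greylist' (block automatic redirects into the domain until analysed).
    """
    domain = registrable_domain(report.url)
    if domain in ALLOW_LIST:
        return "investigate"          # well-known site: a report must not disrupt it
    if report.domain_created is None:
        return "greylist"             # age unknown: treat as unestablished
    age_days = (report.reported_on - report.domain_created).days
    if age_days < NEW_DOMAIN_DAYS:
        return "greylist"             # recently registered: grey-list at once
    return "investigate"              # long-lived domain: immune from grey-list


class GreyList:
    """Tracks domains awaiting investigation and gates automatic redirects."""

    def __init__(self) -> None:
        self.pending: Dict[str, date] = {}   # domain -> date first reported
        self.blocked: Set[str] = set()       # confirmed malicious by an analyst

    def report(self, rpt: Report) -> str:
        decision = triage(rpt)
        if decision == "greylist":
            self.pending.setdefault(registrable_domain(rpt.url), rpt.reported_on)
        return decision

    def resolve(self, domain: str, malicious: bool) -> None:
        """Analyst verdict: promote the domain to the block list or clear it."""
        self.pending.pop(domain, None)
        if malicious:
            self.blocked.add(domain)
        else:
            self.blocked.discard(domain)

    def allow_redirect(self, from_url: str, to_url: str) -> bool:
        """Browser hook for *automatic* redirects (3xx, meta refresh, script).

        Cross-domain redirects into a grey-listed domain are refused while it
        is under investigation; anything into a blocked domain is refused.
        """
        source, target = registrable_domain(from_url), registrable_domain(to_url)
        if target in self.blocked:
            return False
        if target in self.pending and source != target:
            return False
        return True


if __name__ == "__main__":
    # Constructed scenario mirroring the post: a long-established slide-show
    # site has been compromised and redirects to a days-old scareware domain.
    gl = GreyList()
    print(gl.report(make_report("http://scareware-scan.test/alert.php",
                                "2012-04-20", "2012-04-10")))
    print(gl.allow_redirect("http://slideshow.example.com/p/3",
                            "http://scareware-scan.test/alert.php"))
```

Two design choices worth noting. A domain whose age cannot be determined is grey-listed rather than waved through, since attackers have every incentive to make registration data hard to read; the cost of that choice falls on obscure new sites, which is the trade-off the White List exists to soften. And the gate only refuses cross-domain automatic redirects, so a grey-listed site's own internal redirects and a user deliberately typing its address still work; that keeps a false report from taking a site fully offline while still cutting the drive-by path that delivered the scareware in the first place.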
The industry must respond quickly and aggressively to reports of malware distribution. The time is now. Users, demand that whoever you rely on for protection commit to a one-hour turnaround on all malware and malware distribution reports. Vendors, make your responsiveness to malware reports a competitive weapon!