In the first part of this series on the threat landscape in the European Union (EU) I examined threats found in the location with the highest malware infection rate, Romania.  In this article I will discuss malicious websites that are hosted in the EU, specifically malware hosting sites, phishing sites and drive-by download sites.  This analysis leverages data from the recently released Microsoft Security Intelligence Report volume 14 (SIRv14) and previous volumes and focuses on the fourth quarter of 2012 (4Q12).  If you are unfamiliar with any of these types of attacks, please read some of the articles I have written in the past that contain background information:

Today more and more attackers are using websites to attempt to distribute malware and steal credentials.  As I wrote about recently, we see that drive-by downloads are now the top threat detected in enterprise environments. Malicious websites typically appear to be legitimate and often provide no outward indicators of their malicious nature. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques.  Compromising legitimate websites allows attackers to take advantage of the established trust (positive brand) that users have with these sites. When this strategy is successful, it helps attackers get malware past firewalls, IDS/IPS, and other perimeter defenses; users literally bring the malware into their networks by visiting websites with systems that have out of date software installed on them. 

We see malicious websites hosted in every country within the EU at uneven levels.  Figure 1 illustrates the number of malware hosting sites found in each country/region per 1,000 Internet hosts.  The locations with the largest numbers of servers hosting malware are Brazil, Venezuela, and China. 

Figure 1: Malware distribution sites per 1,000 Internet hosts for locations around the world in 4Q12

Figure 2 illustrates the number of malware hosting servers found in all twenty-seven locations in the EU, compared to the worldwide average.  Most locations are below the worldwide average, but several locations had above average numbers of malware hosting servers in 4Q12 including Luxembourg, Romania, Cyprus, Latvia, and Lithuania.  Of these locations only Romania and Cyprus had above average levels of malware hosting servers in 3Q12.  I wrote about Romania in part 1 of this series, as it also has the highest malware infection rate of any location in the EU.  Cyprus is interesting because its malware infection rate has been trending down for several quarters and was below the worldwide average in 4Q12.  I say this is interesting because unlike Romania where there is a relatively high number of compromised systems from which to host malware (12 systems infected for every 1,000 scanned), Cyprus has relatively fewer compromised systems (5.4 systems infected for every 1,000 scanned).  Luxembourg also has this interesting characteristic, but the spread between the malware infection rate (2.2) and the number of systems hosting malware (19.33) is even larger.  The number malware hosting servers in Luxembourg almost doubled between 3Q12 and 4Q12, going from 8.92 to 19.33.   

Figure 2: Malware distribution sites per 1,000 Internet hosts for twenty-seven locations in the EU in the fourth quarter of 2012 (4Q12)

As seen in Figure 3, drive-by download sites are also hosted all over the world.  Locations with high concentrations of drive-by download URLs in the second half of 2012 include Azerbaijan, with 3.9 drive-by URLs for every 1,000 URLs tracked by Bing at the end of 4Q12; Syria, with 3.8; and Uzbekistan, with 3.2. The worldwide average was 0.3 in 4Q12.

Figure 3: Drive-by download pages indexed by Bing at the end of 4Q12, per 1000 URLs in each country/region

The number and distribution of drive-by download sites hosted in the EU is also very interesting as numerous locations have above average levels.  Cyprus had the largest number of drive-by download sites of any location in the EU, nearly six times the worldwide average.  Germany and Luxembourg hosted more than triple the number of drive-by download sites compared to the worldwide average in 4Q12, despite having malware infection rates nearly a third of the worldwide average.

Figure 4: Drive-by download pages indexed by Bing at the end of 4Q12, per 1000 URLs in each EU country/region

Phishing sites are hosted all over the world on free hosting sites, on compromised web servers, and in numerous other contexts.  Figure 5 illustrates the geographic distribution of phishing sites in 4Q12. Locations with higher than average concentrations of phishing sites include Brazil (12.6 per 1,000 Internet hosts in 4Q12), Australia (9.1), and Russia (8.3).   

Figure 5: Phishing sites per 1,000 Internet hosts for locations around the world in 4Q12

Figure 6 shows the distribution of phishing sites in locations in the EU.  Again numerous locations have above average levels of phishing sites, and again Cyprus has the highest levels of these servers in the EU with about triple the worldwide average.  Romania had above average levels of phishing sites in addition to above average levels of malware hosting and drive-by download sites.  It’s also noteworthy that although the United Kingdom had a relatively low malware infection rate, below average levels of malware hosting servers and drive-by download sites, it had above average levels of phishing sites.
 
Figure 6: Phishing sites per 1,000 Internet hosts for locations in the EU in 4Q12



To combat malicious websites in the EU, I recommend the following:

  • Keep all software up-to-date:  attackers are trying to use vulnerabilities in all sorts of software from different vendors.  Organizations need to keep all of the software in their environment up to date, and run the latest versions of software whenever possible.  This will make it much harder for drive-by download attacks to be successful.
  • Demand software that was developed with a security development lifecycle:  asking your software vendors for software developed with security in mind will help you reduce operational costs, because you’ll have fewer security updates to deploy.  If the software takes advantage of the security mitigations built into the platform, such as ASLR, DEP, SEHOP and others, this will make it much harder for attackers to successfully exploit vulnerabilities.  Demand software from your vendors that use these mitigations.  You can check if the software you have in your environment have these mitigations turned on, using tools like Binscope or EMET.  In cases where you have software deployed in your environment that do not use these mitigations, in some cases EMET might be able to turn them on for you.  These mitigations can help you manage risk by giving you more time to test and deploy security updates or new versions of software.
  • Restrict websites: limiting the web sites that systems can access will reduce the chance of being exposed to malicious websites.  Given that 70% of the top threats found in enterprise environments in 4Q12 are known to be associated with malicious websites, restricting web surfing on systems can be a very effective approach to minimizing exposure to these threats. 
  • Manage security of your websites: many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks.  Organizations should regularly assess the security of their own web properties to avoid a compromise that could enable attackers to use them for the malicious web-based attacks I discussed in this article.
  • Leverage network security technologies: technologies like Network Access Protection (NAP), IPS, and content filtering can provide additional layers of defense.

In the next part of this series I will focus on locations in the European Union that have low malware infection rates.

Tim Rains
Director
Trustworthy Computing