The U.S. hosts approximately 5 times more malware than the second-leading malware-hosting nation, Germany, which is responsible for 9 percent of the detected malware.
In addition to these findings, they discovered that malware distributors are rapidly and widely adopting cloud computing, either by buying services directly or by compromising legitimate domains. This trend is allowing distributors to quickly and cost-effectively develop sites and bring them online, as well as to avoid geographic blacklisting by hiding behind the reputations of major hosting providers such as Amazon, GoDaddy and Google.
“The information in this report will show our readers how widespread the malware problem truly is and how close it hits to home. We aren’t just talking about foreign espionage campaigns, APTs and breaches; many of these malicious activities are taking place within U.S. borders,” said Solutionary SERT Director of Research Rob Kraus.
“Malware and, more specifically, its distributors are utilizing the technologies and services that make processes, application deployment and website creation easier. Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy,” Kraus added.
U.S. identified as leading malware-hosting nation by large margin
The U.S. hosts 44 percent of all SERT-detected malware. This is approximately 5 times more than the next malware-hosting leader, Germany, which SERT identified as being responsible for hosting 9 percent of detected malware. Because of the overwhelming geographic dominance of domestically hosted malware, it is evident that geographic blacklisting and blocking strategies are not effective defensive mechanisms for U.S. organizations to use in the fight to detect and block malware attacks.
Malware distributors leverage cloud, using top hosting providers such as Amazon, GoDaddy, Google
The cloud is allowing malware distributors to create, host and remove websites rapidly, and major hosting providers such as Amazon, GoDaddy and Google have made it economical for malicious actors to use their services to infect millions of computers and vast numbers of enterprise systems.
Malicious actors are also compromising legitimate domains for nefarious purposes. Use of these services and domains also allows malware distributors to avoid detection and geographic blacklisting, as they provide trusted URL spaces that will not turn up on most blacklists. The SERT identified Amazon and GoDaddy as the top malware-hosting providers, with a 16 percent and a 14 percent share, respectively.
As part of its report, Solutionary provides recommendations for how Internet Service Providers can limit the risk associated with malware distribution by sites hosted and DNS names registered. But, ultimately it is still up to providers to take action to stop the proliferation of malware and to be accountable for policing the activities on their properties.
Anti-virus engines still important but do not detect all malware
A sampling of the malware distributed by sites hosted by OVH revealed that none of the 40 top anti-virus engines detected the 750-plus malicious binaries. Researchers found that a significant portion of the malware sampled consisted of Microsoft Windows 32-bit Portable Executable (PE32) files being used to distribute pay-per-install applications known as potentially unwanted applications (PUAs).
The adware installer would install, or appear to install, legitimate software applications to cover its tracks. One specific malicious domain, bb.rauzqivu.ru, was of specific interest to SERT researchers, since to evade detection it had operated across 20 countries, 67 services providers and 199 unique IP addresses in just a two-week period. A list of noted applications can be found in the report.
The complete report is available here (registration required).