In March of 2018, a Swiss security researcher from abuse.ch began an initiative to take down websites hosting malware by contacting their hosting providers. The initiative was highly successful, taking down over 100,000 malware hosting websites in just 10 months. A team of 265 security researchers submitted takedown requests for approximately 300 new websites per day in an effort to make the internet a safer place. While the campaign to clean up the internet was successful as evidenced by the takedown numbers, there have been a few lessons learned along the way that trouble security researchers.
The nemesis of Marvel’s Captain America, Red Skull, had a motto for his organization Hydra: “Cut off one head, two more shall take its place.” This is true of super villains, mythical creatures, and websites hosting malware. Research from abuse.ch shows that active malware sites outnumber takedown requests by nearly 10 to 1. Hosting malware has become a modern-day Whack-a-Mole game, in which security researchers submit a takedown request, then wait an unspecified amount of time for the website to be removed. During the time between the takedown request and the actual takedown, malware authors will have set up dozens of mirrors and more websites to host their malware. This approach to removal is obviously not scalable with an all-volunteer team of researchers scouring the internet after performing their day jobs.
Security researchers were disappointed by the amount of time it took for takedown requests to be approved and processed. While the average person believes a site that’s obviously hosting malware should be taken down with the flip of a switch, many hosting providers have abuse teams that are overworked or just do not place much priority on these requests. On average, malware hosting websites stayed active for about eight and a half days. Looking at the top 10 hosting providers by the number of takedown requests submitted, seven are hosted in the U.S. or China. Takedown requests for providers in the U.S. ranged from two days (Unified Layer) to almost two weeks (CloudFlare). U.S. hosting provider Digital Ocean came in as the top hosting provider with the most takedown requests (307) and an average takedown time of six and a half days.
The story gets much worse for the three hosting providers in China. The average takedown time was over a month. Chinese hosting providers either lack the resources to process these takedown requests or simply do not take them seriously. Either way, the delay raises serious concern for security researchers. The time to take down a malicious website is highly disproportional to the time it takes to set up a malicious website. With services like Wix, Squarespace, and DigitalOcean promoting the speed and simplicity of setting up a website, it is no wonder takedown requests can’t or won’t keep up with the vast number of malicious websites popping up every day. While these facts are troubling, the type of malware being hosted is even more alarming.
The vast majority of websites serving malware and targeted for takedown hosted the Emotet banking Trojan. Notorious bank robber Willie Sutton said in an interview, “I rob banks because that’s where the money is.” It is easy to draw the comparison between banking Trojans and modern-day bank robbers. With the majority of the developing world and a good percentage of the developed world using mobile devices and computers to perform online banking, it is clear why this family of malware would be the most popular. Three of the top five malware signatures were tied to credential stealers or banking Trojans. Rounding out the top five were GandCrab ransomware and Breitschopp adware (pay-per-install).
Abuse.ch provides a threat feed that can be ingested into a content filtering solution in order to block websites that researchers report to be serving malware. While this list is still a valuable tool in a defense-in-depth security strategy, it is clear that solving the malware problem on the supply-side will simply not suffice. Takedown requests take too long to process, and sites are spinning up faster than they can be taken down.
To protect themselves, organizations need to tackle this problem on the demand-side—users going out to the internet. Content filtering solutions are good at ingesting URL lists and blocking based on URL categories. But with malware sites coming online faster than they can be reported and categorized, it is simply not enough to rely on reputation or category-based content filtering. Blocking users, cautioning users, or implementing stricter security controls when visiting a URL category for newly registered domains will help, but could also hinder business productivity. For example, a law firm specializing in assisting startup companies may have a legitimate business need to visit newly registered websites.
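The feed-plus-policy approach described in the two paragraphs above, sketched as an added example that is not code from abuse.ch or any filtering product. The feed's column layout, the `decide` function, the 30-day threshold, and the `nrd_exempt` flag are assumptions made for illustration, and the sample entries are constructed.

```python
import csv
from datetime import date
from urllib.parse import urlsplit

# Constructed sample feed: hosts are reserved test names/addresses, and the
# column layout is an assumption for this example, not the real feed's schema.
SAMPLE_FEED = """\
# constructed sample
url,status,threat
http://files.example.test/invoice.doc,online,emotet
http://198.51.100.7/bin/update.exe,online,gandcrab
http://old.example.test/a.exe,offline,emotet
"""

def normalize(url):
    """Canonical form so case and fragment variants of one URL compare equal."""
    p = urlsplit(url.strip())
    port = f":{p.port}" if p.port else ""
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{(p.hostname or '').lower()}{port}{p.path or '/'}{query}"

def load_feed(text):
    """Return (urls, hosts) for entries the feed still reports as online."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    urls, hosts = set(), set()
    for row in csv.DictReader(lines):
        if row["status"] == "online":
            urls.add(normalize(row["url"]))
            hosts.add(urlsplit(row["url"]).hostname)
    return urls, hosts

def decide(url, registered_on, today, feed, nrd_days=30, nrd_exempt=False):
    """Return (action, reason); registered_on is an assumed input (date or None)."""
    urls, hosts = feed
    if normalize(url) in urls:
        return "block", "url listed in feed"
    if urlsplit(url).hostname in hosts:
        return "block", "host listed in feed"
    if registered_on and (today - registered_on).days < nrd_days:
        # Users with a business need (nrd_exempt) pass, but content is still scanned.
        return ("inspect" if nrd_exempt else "caution"), "newly registered domain"
    # Not listed is not a clean verdict: sites appear faster than they are reported.
    return "inspect", "not listed"

if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    print(decide("https://startup.example.test/", date(2019, 1, 10), date(2019, 1, 20), feed))
```

Every path that is not a block ends in `inspect` or `caution` rather than an unconditional allow, which mirrors the argument that reputation data alone cannot clear a site.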
Until the internet hosting industry comes to a consensus and streamlines the process for taking down harmful websites, organizations are on their own to protect themselves against malicious websites. Organizations that wish to protect users against these threats must do more than depend on the URL category of a website to block malicious content. Inspecting every byte of data being served, no matter where the user connects, and including TLS-encrypted traffic is the only way to ensure that users are protected all the time. It is simply not enough to rely on good-hearted security researchers and the responsive hosting providers to keep the internet safe.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Christopher Louie, CISSP, is a sales engineer at Zscaler