Turning A Blind Eye

All too often, evil is lurking right under our noses, yet we choose to turn a blind eye. Sometimes we do this out of fear. After all, if we get involved, we too could get hurt. Other times however, we are just as much to blame as the guilty parties perpetrating the crime. We choose not to get involved because we too profit from the crime, although we do so passively and leverage that as our defense.

A couple of years ago, I drew attention to the fact that free website providers were profiting from allowing phishers to set up shop and doing nothing to stop them. They were profiting as they make money from ad-supported pages. The more traffic they generate, the more money they make and how that traffic is generated doesn’t seem to be of concern. I ruffled a few feathers by speaking my mind and generated a much-needed debate on the issue. The argument from the hosting providers was that they try very hard but some pages slip through the cracks. Although I don’t buy the excuse, to be fair, automating the detection of phishing pages isn’t without challenges. What about malware then? Do these same sites foot the bill for hosting/delivering malicious binaries? Sadly, the answer is yes.

Being an ‘in-the cloud’ security solution, our Zscaler infrastructure permits powerful data-mining capabilities from a research perspective. The very nature of a cloud architecture means that logs can be centralized, providing a powerful view into global attacks. Leveraging this capability, I sought to identify malware being hosted on free web sites. It didn’t turn out to be much of a challenge as evidence was everywhere. A sample of what was discovered can be seen below:

Caution: At the time of this blog post, these URLs were live and hosting malware – proceed at your own risk.

Geocities (Owned by Yahoo!)

http://www.geocities.com/sltap/main.html

• Malware found - Virus.VBS.Redlof.a
• VirusTotal Results - 32/37

http://uk.geocities.com/dravidaperavai/

• Malware found - Virus.VBS.Redlof.n
• VirusTotal Results - 26/37

http://www.geocities.com/SiliconValley/Hills/7140/

• Maware found - Net-Worm.Win32.Nimda
• VirusTotal Results - 30/37

http://www.geocities.com/dental_associates/

• Malware found - Virus.VBS.Confi
• VirusTotal Results - 32/37

http://www.geocities.com/jennifer_garner_zone/trivia.htm

• Malware found - Virus.VBS.Redlof.a
• VirusTotal Results - 23/38

http://www.geocities.com/aga_muhlach_2000/r.html

• Malware found - Virus.VBS.Redlof.a
• VirusTotal Results - 33/38

Tripod (Owned by Lycos)

http://india_resource.tripod.com/indianhistory.html

• Malware found - Virus.VBS.Redlof.a
• VirusTotal Results - 34/38

http://members.tripod.com/~INDIA_RESOURCE/Shia-Plight.html

• Malware found - Virus.VBS.Redlof.a
• VirusTotal Results - 34/38

Angelfire (Owned by Lycos)

http://www.angelfire.com/tx5/jr2k/Stor/2.html

• Malware found - Virus.VBS.Redlof.k
• VirusTotal Results - 27/38

How difficult would it be for these providers to have identified the malware that they are hosting? It would have been trivial. The files are hosted on machines they control and we’re not talking about 0day attacks here. In every case at least 20+ commonly available AV scanners detected the malicious content and in some cases the malware was years old! This isn’t just incompetence, it’s gross negligence.

So why then wouldn’t they make an effort to eradicate viruses from their servers? The answer is simple. The cost to do so outweighs the benefits derived. In other words, removing content from their sites reduces the number of eyeballs they receive and in turn decreases ad revenue. They are turning a blind eye to the fact that their users are getting infected with malware.

Gross negligence can be defined as “failure to use even the slightest amount of care in a way that shows recklessness or willful disregard for the safety of others”...sounds like an open and shut case to me.

- michael