More Malware distributing Websites in Q3 2012

In the 3rd quarter 2012, SWITCH-CERT has helped to clean 1260 malware distributing websites under the .ch and .li top level domains. This is more than twice than in the quarters before.

Visiting a hacked website is the most common reason to get infected with malware. Most often these are legitimate websites that are compromised by cyber criminals. The attackers inject invisible elements, such as iframes of javascript into the website. These invisible elements try to exploit vulnerabilities when a visitor opens the website with his browser. When the exploits succeed, the computer of the visitor is most likely infected with a trojan and becomes part of a botnet. The attackers now have complete remote control over the infected system and can use it to steal confidential data, attack e-banking, send SPAM or launch a Distributed Denial of Service (DDOS) attacks from the “bot client”.

The dramatic rise of compromised websites in Q3 2012 is most likely due to a vulnerability in the popular Plesk server admin software, that allowed attackers to access the websites and enabled them to inject their invisible code. Exploit kits were commercially available on the internet.

More than 2’000 websites were reported to SWITCH-CERT in Q3. In 1’260 cases SWITCH-CERT could confirm the presence of malicious code threatening visitors. SWITCH routinely informs the owner and technical contacts for these domains and requests that the malicious code is removed within one working day. In 970 cases the website owners or hosters cleaned the website and removed the malicious code within this time frame. In the remaining 290 cases the domain name was temporarily removed from the DNS to protect internet users from getting infected with malware when visiting these sites. From these 290 domains, 187 where cleaned by the owner within 5 days after the blocking. 86 Domains have been cleaned after SWITCH issued a request for identification and 17 domains have been deleted, either because the owners didn’t answered the identification request, or deleted the domain themselves.

Despite the rising numbers of malicious websites, Switzerland is still the country with the lowest rate of infected PCs, according to the Phishing Activity Trends Report Q2 from the Anti Phishing Working Group (apwg).

To reduce the risk for a website to be misused by criminals to infect the visitors with malware SWITCH recomends to following measures:

Use strong passwords for your FTP account and, if possible, use SFTP.
Make sure that all the programs installed on your PC and server are always up-to-date.
Check your PC regularly for malware and viruses.

Bluehost and stopbadware have created a movie that explains basics of protecting websites and visitors.