Browsing Known Sites is Safe – True or False 2: malware distribution

Read previous: Browsing Known Sites is Safe – True or False: Ill-family malware

Having covered the ‘Ill-family’ infections, Lukas Hasik and Jiri Sejtko go on to explain the peculiarities and distribution patterns of JS:Kroxxu and JS:Prontexi, the two other widespread types of currently active web malware. Concluding the presentation, the speakers list the essential measures webmasters and users should take to avoid web malware infection.

JS:Kroxxu description

Jiri Sejtko: The second infection I will talk about is Kroxxu. Kroxxu is a multilayered botnet. It uses only compromised websites to host itself. It comes with an indirect cross infection vector, which I will explain later. Kroxxu is a self-reproducing botnet, which means that it distributes password stealers, and the credentials stolen by these password stealers are then used to support the growth of the botnet.

Usual drive-by infection vector

Indirect cross infection is actually a special type of drive-by download[1]. I will explain the differences that caused us to create a new term for it. The picture shows the usual drive-by download (see image), where you have a legitimate website which is hacked. When the user goes there, he is redirected to the malware distribution domain, from where he gets infected through the exploit kit[2].

This malware distribution domain is owned and operated by the bad guys only with the purpose of distributing malware, and there is no other way to get into this malware distribution domain without a previous redirection.

Lukas Hasik: So, it should be quite easy to block the malware distribution domain when we discover it.

Indirect cross infection: how it works

Jiri Sejtko: You are absolutely right. The easiest way of protecting users is to block the domain that distributes malware. But in the indirect cross infection, this is not exactly possible because all the parts used in the infection vector are interchangeable (see image). It means that when one part, one domain, is used as a malware distribution domain one day, it might be used as an initial redirector another day. Indirect cross infection actually means the ability to interchange any part of the infection vector in order to create a new direction of this vector.

So it is not that easy to block the targeted domain, because all these parts are hosted on the compromised websites. These websites are legitimate; you can’t simply block them.

Active zombie domains lifespan stats

This graph shows how long the currently living domains have been used in the Kroxxu botnet (see image). We estimated the average lifespan of each domain used in Kroxxu to be around 90 days – just three months. And more than 300 malware distribution domains have lived more than 3 months. These two numbers are really big in comparison with the other approach, normal drive-by downloads, so this is the point we should care about, because administrators and domain owners probably don’t know their websites are misused to spread infections.

JS:Prontexi description

The third infection I will talk about is Prontexi. It uses a slightly different approach to spread. It uses infected ads. The previous approaches target mainly small websites. Well-known and big websites are usually too well secured to be infected that way. Their weak point lies in advertising. It is the only content the owners cannot influence, and they shift the responsibility for the content to the ad companies. And ad companies probably don’t care about what they are distributing, because in the case of Prontexi we have detected on our user base more than 5 million infected ads that redirect users to the malware distribution domains.

Ad poisoning scheme

So how does it work? Let’s get back to our user George again. User George often reads newspapers. And these newspapers use ad services to profit from them. So user George connects to his favorite newspaper and he is redirected immediately to the ad service. These ad services share content with fake advertisement services that spread only fake ads and share fake ads with each other.

So, user George is redirected through this fake ad to the malware distribution domain. There is usually more than one malware distribution domain, and fake advertisement services rotate these – that is the reason we call them Rotators. And from these malware distribution domains, user George gets malicious content through the exploit kit.

Prontexi distribution statistics

On this slide, you see how active bad guys are, and that they are targeting main events during the year. In the Prontexi case, they targeted mainly Christmas 2009 and New Year 2010, and of course Valentine’s day 2010.

Lukas Hasik: These are the dates when most people search for some presents, and they usually follow the ads to go to some websites.

Jiri Sejtko: That’s right, but in this case you don’t need to follow the ad. Once the ad is displayed, the infection begins. So, that’s all about the three most widespread infections over the last year, and let’s move to the conclusion.


Lukas Hasik: We’ve finally got to our conclusions. So, now you probably know the answer to the question in the name of our presentation: “Am I safe if I browse only known sites?” – actually, the answer is “No”, as you probably know. So you can be sure that the infection comes from everywhere, as the bad guys really like legitimate websites, because you don’t expect that the infection can come to your computer from these trustworthy and legitimate websites.

The bad guys also use the advertisement services, because these allow them to get to your computer from sites that are visited by a lot of people, or that are operated by some huge companies, because those companies don’t have control over the advertisements provided through advertisement services.

And we haven’t mentioned the search engines that the bad guys really like to confuse with their blackhat SEO. These are the main channels that they use to get the infection, the exploits to your computer.

So, what should you do, at the least, to keep yourself safe from the infections? The first thing is to keep your operating system and your software up-to-date. The reason is that when your operating system and your software are up-to-date, it will close the security holes for the exploits spread by the bad guys. And of course don’t browse or download the ‘grey’ zone stuff. The infection ratio in the ‘grey’ zone is definitely higher than in the safe zone.

And last but not least, you should definitely use some good antivirus software, and when you are using antivirus protection you should not turn it off when an alert appears, because you can be almost 100% sure that the website is infected. And if it is a false positive, you can be sure it will be fixed by our virus analysts, usually in hours.

During our presentation, we spoke about the trust phenomenon, so one thing that you should remember is that even the most reliable sites can be infected, and sometimes they really are infected by the bad guys, because it is the main channel to spread the web infection over to your computer.

Jiri Sejtko: We have seen the bad guys move many parts of infection vectors onto the compromised websites, and in the case of Kroxxu all of these parts were moved to the compromised websites. Malware authors are quick in adding newly discovered exploits.

So, there are two answers to apply. One is for domain owners – there are some tools, there are some products and services that will help you protect your site and keep it clean. And for users – be paranoid; even the most reliable sites can be infected.

Lukas Hasik: Jiri mentioned it a few times, and you have seen it on the graphs, that many infected sites remain infected almost forever. Once the site is infected, the web owners or the domain owners don’t remove the infection, or when they remove it they don’t change the credentials, so the bad guys can infect it again and again.

Jiri Sejtko: And some simple steps you should take when you find your website is infected: change your credentials; however, it has to be done from a clean computer; remove the infection from your website – remove it from the HTTP code, PHP code or SQL database; find the way your website has been hacked, to prevent future attacks; fix the holes in the software used on your server; and of course you may use some protection services that will help you keep your site clean.


[1] Drive-by download: a download that happens without a person’s knowledge, often spyware, a computer virus or malware.

[2] Exploit kit: a software pack injected into a compromised or malicious website. It is mostly used to carry out automated ‘drive-by’ attacks in order to distribute malware.
