Moving on with the presentation, David Maynor and Paul Judge analyze prevalent patterns of malware distribution via search results poisoning.
Paul Judge: Another question that we looked to answer was whether these were known attacks, whether these were attacks that we knew – kind of what types of attacks or malware they were using in their search poisoning. So this looks at the amount of malware that was detected each day that was found on the previous day but wasn’t detected till later (see graph).
David Maynor (Errata Security CTO): Let’s go back for a second – so, the malware captured by time. Well, everything in my world is defined by Eastern Standard Time, which is the best time zone. However, we take a look at the rate, and no one on the East Coast is working between 11 PM and 5 AM. So if you take a look and correlate this – the people who are working are generally people in Eastern Europe or in Asia somewhere. That kind of fits in with what we call ‘hacker time’: you just have to invert the time that you would think normal people work, and make that the ‘hacker time’.
So the malware detected each day is kind of a funny thing because, well, when we went into this research we had our own biases, we had ideas of what we were trying to find. And the days that seemed to have the most malware were the days of the biggest pop culture events, like the MTV Music Awards, you know, things like that. And this is kind of represented in the chart. So we started this research, and the research ran for 57 days, and that’s a number we picked that we felt would be a good indication of, you know, total traffic.
So it ran for 57 days from, you know, April to June, and there was a lot of kind of pop culture stuff happening; as you see towards the end of the graph, that’s World Cup malware and stuff like that. In the beginning it’s more, you know, Justin Bieber malware – he is the primary reason why people’s machines get infected. So if you have kids and they buy Justin Bieber CDs, tell them you’re gonna get viruses.
Paul Judge: One of the points here is that 98% of the malware that we found on search results was identifiable by the techniques that we used. So that’s one of the things to understand, if you look at the results that we pulled and the ways that we analyzed them.
So those are the 3 detection techniques that we used to find the different malware. And the point here is that 98% of the malware that was on these search results was detectable. Kind of the good news is that attackers aren’t using kind of true zero-days on the other end of search results. 98% of the stuff is detectable if someone was actually using something in between them.
One of the other interesting things that we came across is the relationship between different search engines. If you look at something that pops up on Twitter versus something that pops up on Google, or Bing, or Yahoo – we tried to see what the difference in time was, the delay: for example, between the time that it shows up on Twitter and the time that it shows up on the different search engines. And so let’s take a look at this. Let’s take a look at the top 10 trending topics on Twitter, and look at how long it took them to show up on the different search engines (see histogram). The green bar here is the number of days on Yahoo, the red bar is on Bing, the blue bar is on Google. And if there is no bar – it didn’t show up on the other search engines.
So what you see is this delay (see histogram). What happened is that on average it took 1.2 days for something to become a trending topic on Google after it became a trending topic on Twitter. It took 4.3 days to become a trending topic on Bing, and 4.8 days on Yahoo!.
What’s interesting is the set of things that were the trending topics on Twitter: there were things that were trending topics on the search engines that were not on Twitter. We saw that in general things that were kind of culture related or pop related became trending topics on Twitter first. And things like more serious news, like election results – those things became trending topics on search engines before they became trending topics on Twitter.
That’s one of the points for understanding, from the attackers’ viewpoint, where you should target your attacks first. If you see the time it takes for one thing to move from one network to another, and it’s gonna be popular, it’s gonna become something that people are searching for, this is a pretty interesting roadmap for where you should spend your attention early on in a particular event that’s happening.
David Maynor: So when you go home, make sure you tell your kids that if they search for news sites, they are less likely to get malware than if they’re gonna search for Justin Bieber. We really don’t like that kid, I have to be honest.
Paul Judge: Here is the view of all the trending topics that we looked at: over the 25,000 trending topics, what type of sites were trending, so what are the categories? And so one of the top things here is news: 26% of the sites that were trending were news sites. After that was entertainment, so 23% of the sites were entertainment. And after that were things pointing to newsgroups and to streaming media, and so forth. So no big surprises here – people like news, and people like entertainment.
Right now, if you take a look at the top 10 categories for malware, it’s a little bit different. You know, one of the things that you see here is that the top category is spyware. So 35% of the sites that were pointed to were classified by a traditional URL filtering engine as being bad sites. These were sites that were known to continually carry malware over time. The good news is we could catch this based on web filtering technology. But then you see entertainment here, you see search engines here, and you don’t see news very high up in the results.
So one thing we wanted to look at was whether there were particular categories that malware liked or didn’t like. These are the top 10 categories overall, news being number 1, then entertainment, then forums and newsgroups. If you look at the 3rd column, that’s the ranking for malware. So news – while it was the number one site category overall for trending topics, it was number 17 for malware. If you look at streaming media, it is number 4 overall, and it is number 21 for malware. Sports – similarly, number 6 overall but 14 for malware. So this shows examples of the types of sites that malware authors don’t particularly like to target.
But then, if you look at categories that are popular, you see some names that you would expect. You see that the malware ranking for hosting sites is number 5, where overall it’s 20. If you look at peer-to-peer, it’s number 6 for malware but number 46 overall. So you see some of the usual suspects: hosting, peer-to-peer and proxy sites being targeted by the search terms where they’re leading to.