Cybercriminals Keep Malware Alive Longer

By Matthew Harwood
Cybercriminals have found a new, more cost-effective way to get the most bang for their buck when spreading malware, according to Symantec’s MessageLabs.

In its August report, MessageLabs says cybercriminals are producing less new malware to sustain their operations, opting instead for a cheaper approach.
According to the report, “[r]egistering new domains is much more economical for [cybercriminals], and by spreading the malware across as many different Web sites and domains as possible, the longevity of each new malware is increased.”

Over the last six months, more than a third of the websites blocked each day were new and had not previously been used to host malware, says Paul Wood, a senior analyst with MessageLabs Intelligence. "Similarly," he said, "over the same period, an average of 12 percent of the malware blocked each day is new malware that hasn’t been seen before."

By compromising legitimate sites, the attackers make it nearly impossible for Internet users to know they have visited or stumbled upon a contaminated site, says Wood.
The process is rather simple, according to the report.
“[A] new form of malware is created and initially only hosted on a small number of websites or directly linked in malicious hyperlinks from other websites or emails,” the report explains. “Over time, more websites are used, and often a simple redirect is used to divert the visitor seamlessly to another website, or to the malware itself. Sometimes several redirections are used, as one website bounces the user to another before the malware is reached.”
Redirections such as these will probably be imperceptible to the user, the report warns. The only indication that something suspicious is going on may be a page that takes longer than usual to load.
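The chain the report describes, a compromised page bouncing a visitor through several throwaway hosts before the payload, is easiest to see by walking it one hop at a time with automatic redirect-following switched off. The following is an added example, not code from the report or from MessageLabs. The `RESPONSES` table is a constructed, offline stand-in for real HTTP fetches (the hostnames are invented); replacing `fetch` with a real client call that disables redirect following makes the same walker work on live URLs.

```python
"""Walk a redirect chain hop by hop and record every host on the way."""
import re
from urllib.parse import urljoin, urlsplit

# Constructed fixture: url -> (status, headers, body). Models a compromised
# legitimate page bouncing through two throwaway domains to the payload host,
# plus a two-node redirect loop. All hostnames are invented.
RESPONSES = {
    "http://legit-blog.example/post.html": (
        200, {},
        '<html><meta http-equiv="refresh" content="0;url=http://hop1-abcd.example/go">',
    ),
    "http://hop1-abcd.example/go": (302, {"Location": "/r2"}, ""),
    "http://hop1-abcd.example/r2": (301, {"Location": "http://hop2-wxyz.example/x"}, ""),
    "http://hop2-wxyz.example/x": (
        200, {},
        '<script>window.location="http://payload-host.example/update.exe"</script>',
    ),
    "http://payload-host.example/update.exe": (
        200, {"Content-Type": "application/octet-stream"}, "MZ...",
    ),
    "http://loop.example/a": (302, {"Location": "/b"}, ""),
    "http://loop.example/b": (302, {"Location": "/a"}, ""),
}

# Client-side redirects that a browser honours but a 3xx-only follower misses.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I,
)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I
)


def fetch(url):
    """Offline stand-in for an HTTP GET that does NOT auto-follow redirects."""
    return RESPONSES.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """Return the URL this response sends the browser to, or None if terminal."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])       # resolve relative Location
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None


def walk_chain(start, max_hops=10):
    """Return (ordered list of URLs visited, summary dict) for a chain."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):                          # cap hops: never spin forever
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:                                # redirect loop: record and stop
            break
        seen.add(nxt)
        url = nxt
    hosts = [urlsplit(u).hostname for u in chain]
    return chain, {
        "hops": len(chain) - 1,
        "distinct_hosts": len(set(hosts)),
        "final_host": hosts[-1],
        # Heuristic threshold (an assumption, not from the report): two or more
        # hops across three or more hosts is worth a closer look.
        "suspicious": len(chain) - 1 >= 2 and len(set(hosts)) >= 3,
    }


if __name__ == "__main__":
    for hop in walk_chain("http://legit-blog.example/post.html")[0]:
        print(hop)
```

The walker deliberately handles meta-refresh and `location=` assignments as well as 3xx responses, because the seamless bounces the report describes are as often done in page content as in HTTP headers, and it stops on loops and at a hop cap so a hostile chain cannot keep the analyser busy.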
By creating these “proxy” Web sites, cybercriminals can obscure which site is hosting the malware for a much longer period of time. Proxy Web sites can be anything, although a popular method is to create fake accounts on social networking sites like and riddle them with malicious links that eventually lead to malware.
Oftentimes, the site that hosts the malware is dressed up to look like a legitimate site, like
Cybercriminals often have automated techniques that continually compromise legitimate Web sites, increasing the probability that users will eventually be redirected to the site hosting the malware.
Cybercriminals have also begun to package the same strain of malware differently to confuse antivirus software, says Wood. When an antivirus vendor discovers a piece of malware, it produces a signature that lets its product block that strain. By repackaging the malware so its bytes no longer match, says Wood, cybercriminals can beat many antivirus programs and extend the life of that particular piece of malware.
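Why repackaging extends a sample's life is simplest to show with a content signature: the same payload wrapped by a different packing key has a different file hash and no longer contains the byte pattern the signature keys on, while a scanner that unpacks first still matches. This is an added illustration, not from the report. The payload, the one-byte XOR "packer" and its stub are toy constructions standing in for a real runtime packer and the loader stub it prepends.

```python
"""Byte-signature AV versus the same payload re-packed with a new key."""
import hashlib

# Constructed stand-in for a malicious payload; the embedded strings are the
# only things a content signature can key on.
PAYLOAD = (
    b"\x4d\x5a\x90\x00"
    + b"C:\\Windows\\evil.exe|POST /c2/beacon HTTP/1.1|"
    + b"\x00" * 16
)

STUB = b"UNPACK-STUB:"   # pretend loader that XORs the body with the key byte


def pack(payload, key):
    """Toy packer: STUB || key || (payload XOR key). Each key yields new bytes."""
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob):
    """Inverse: what a sandbox or emulator recovers by running the stub."""
    if not blob.startswith(STUB):
        return blob                       # not packed: scan as-is
    key = blob[len(STUB)]
    return bytes(b ^ key for b in blob[len(STUB) + 1:])


# Two simplified signature styles written against the ORIGINAL sample.
HASH_SIG = hashlib.sha256(PAYLOAD).hexdigest()   # exact-file hash
PATTERN_SIG = b"/c2/beacon"                       # byte pattern (YARA-style string)


def matches_raw(blob):
    """Scanner that looks only at the bytes on disk."""
    return hashlib.sha256(blob).hexdigest() == HASH_SIG or PATTERN_SIG in blob


def matches_after_unpack(blob):
    """Scanner that unpacks (emulates the stub) before applying signatures."""
    return matches_raw(unpack(blob))


def survey(keys):
    """For each packing key: (caught by raw scan?, caught after unpacking?)."""
    return {
        k: (matches_raw(pack(PAYLOAD, k)), matches_after_unpack(pack(PAYLOAD, k)))
        for k in keys
    }


def distinct_hashes(keys):
    """How many different file hashes one payload produces across packing keys."""
    return len({hashlib.sha256(pack(PAYLOAD, k)).hexdigest() for k in keys})


if __name__ == "__main__":
    for key, (raw, unpacked) in survey([0x01, 0x5A, 0xFF]).items():
        print(f"key=0x{key:02x}  raw scan: {raw}  after unpack: {unpacked}")
```

Every non-zero key produces a file with a fresh hash and no visible `/c2/beacon` string, so a detection that fires only on the original bytes is blind to it; a scanner that recovers the unpacked body first keeps matching regardless of how many times the sample is rewrapped. Real packers are far more elaborate, but the effect on hash and string signatures is exactly this.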
In April, Symantec reported it had created 1.6 million malware signatures, an exponential increase.
“Sixty percent of all the [malicious code] threats in the past 20 years came in the last 12 months alone,” said Vincent Weafer, Symantec’s vice president of security content and intelligence, in a statement.
Wood says people should be suspicious but not paranoid when surfing the Web. If someone sends you a link out of nowhere in an e-mail or on a social networking site or the language attached is uncharacteristic of that person, you probably shouldn’t click on that link.
The problem, however, Wood notes, is that “even the most security-minded person can fall victim to these sites.”

♦ Photo of malware by mdaniels7/Flickr

