U.S. malware share rising, Amazon service No.1 in hosting it
By Ellen Messmer, Network World | July 15th, 2014
Solutionary’s Top 10 list also includes Google and Akamai.
In its quarterly report on global malware distribution and threats, security firm Solutionary said Tuesday that 56% of the malware it captured via sensors and other means was hosted in the U.S., a 12% increase from six months ago, and that about half of the malware overall appeared to originate at 10 Internet service and hosting providers.
This “Top 10” list includes Amazon Web Services, France’s OVH, Akamai, Google, Akrino, Hetzner Online, CloudFlare, CDN, GoDaddy and Website Welcome, according to Solutionary.
In a comparison to what it found in the fourth quarter of 2013 through the same methodology, Solutionary reports that GoDaddy’s percentage of actively hosted malware dropped from 14% to 2%. But “on the other end of the spectrum, sites supported through Amazon services showed a massive increase moving from 16% to 41% of the identified malware hosts, retaining their top spot in the top 10.”
In its malware hosting analysis, Solutionary also notes the “new appearance of smaller providers, such as Akrino and Website Welcome, in the top 10.”
The jump in overall U.S. malware share from 44% to 56% “is likely attributed to malicious actors’ increased utilization of Amazon’s cloud infrastructure and Dropbox,” says Rob Kraus, director of research at Solutionary’s Security Engineering Research Team. “However, it appears Dropbox utilizes some of Amazon’s infrastructure to support its cloud storage service. Many of the distributing domains also utilize virtual private servers to distribute warez. Due to the affordability and increased presence of hosting providers, these have become a popular platform for malicious activity.”
So who is to blame for not cleaning up this malware, the hosting provider or the customer? Kraus says both bear responsibility in order to be “mutually protected.”
“The providers who are hosting content for their clients can be affected and may have responsibilities from a few different viewpoints,” says Kraus. “First, they are hosting content for their clients, they should ensure the reputation and ecosystem for their services are well guarded. Ensuring technologies are deployed to detect malicious hosted content can significantly help identify and reduce these types of threats.” He adds that these processes do exist, but may not be as widely used as would be hoped.
Another factor is whether the content being hosted exists solely for malicious purposes, placed by someone who has rented hosting services to take advantage of them, Kraus notes. Attackers are using ISPs and hosting providers to set up malware distribution points, drive-by download centers or “even drop points for data exfiltrated from a company targeted during a breach,” he says.
Unlike the U.S., where malware on ISPs and hosting providers is said to have risen, a few countries saw their share of malware drop.
The Russian Federation, for example, dropped from 7% to 3%, Germany went from 9% to 7% and the Netherlands from 7% to 3%. France, however, saw its share rise, according to Solutionary, from 4% to 7%, putting it at No. 2 on the Top 10 list. The report also notes that, unexpectedly, the Virgin Islands suddenly rose to No. 5 on the list with 5% of total worldwide hosted malware.