The lifecycle of Web-based malware
According to the August edition of the MessageLabs Intelligence monthly report, it can be a costly exercise for the bad guys to produce new families of malware in order to maintain their criminal activity at sufficient levels. Registering new domains is much more economical for them, and by spreading the malware across as many different websites and domains as possible, the longevity of each new malware is increased.
When employing server-side polymorphism, the same family of malware code may be packaged differently into new strains, automatically and dynamically, each time it is accessed. This requires a different anti-virus signature each time in order to detect it accurately.
These approaches combined with the use of “bullet-proof” hosting services and “fast-flux” hosting means that criminals can ensure that malicious websites are not taken down quickly in response to complaints.
In many cases the organized criminals often have highly automated techniques in place that require little or no monitoring, and their systems are automatically working day and night compromising as many legitimate websites as possible and registering new ones. Once these processes are in place, a compromised website can be re-configured remotely depending on what method the attackers are using.
When a victim downloads malware directly from a compromised, legitimate website, the victim may be automatically led through a complex system of invisible redirects to the endpoint where the new malware is hosted. In addition, often many new websites are brought online over time to act as “stepping-stones” between the compromised websites and the endpoints where the malware is located:
You can see in the diagram how new form of malware is created and initially only hosted on a small number of websites or directly linked in malicious hyperlinks from other websites or emails. Over time, more websites are used, and often a simple redirect is used to divert the visitor seamlessly to another website, or to the malware itself. Sometimes several redirections are used, as one website bounces the user to another before the malware is reached. This process would be invisible to the user, perhaps only noticeable as the page may take longer to load. The use of these disposable proxies helps to ensure that the websites hosing the malware remain obscured for as long as possible.