A collaborative effort aided by hundreds of cyber security researchers to identify and share links to websites used for distributing malware has succeeded in taking down almost 100,000 malware distribution websites since it was launched in March last year.
The initiative was the brainchild of cyber security firm Abuse.ch, which launched a new project called URLhaus in March with the objective of collecting URLs of websites being used to distribute malware and sharing them with hosting providers.
Following its launch, URLhaus received hundreds of thousands of malicious URLs from 265 cyber security researchers, averaging 300 malware sites every day, and has so far succeeded in taking down 100,000 such URLs. Abuse.ch aims to continue identifying and reporting malicious URLs with greater success in the days ahead.
“URLhaus also managed to get the attention of many hosting providers, helping them to identify and remediate compromised websites hosted in their network. This is not an easy task, especially for large hosting providers that have tens of thousands of customers and hence a significant amount of hijacked websites in their network that are getting abused by cybercriminals to distribute malware,” the firm said.
Hosting providers taking too long to shut down malicious sites
Even though URLhaus counts between 4,000 and 5,000 active malware distribution sites every day and frequently sends out abuse reports to hosting providers, much of that effort is wasted by the time hosting providers take to remove malware distribution sites, which at present averages more than a week (8 days, 10 hours, 24 minutes), long enough for malware to infect thousands of devices.
While hosting providers based in the United States took between two and sixteen days to take down sites used for distributing malware, some hosting providers in China took well over a month to shut down such websites, defeating the very purpose of the exercise.
“An average reaction time of more than a week is just too much and proves bad internet hygiene. I do also hope that the Chinese hosting providers wake up and start taking care of the abuse problems in their networks in time. Having malware distribution sites staying active for over a month is just not acceptable,” the firm said.
Based on an analysis of the malware distribution sites whose URLs were shared by security researchers, URLhaus found that a large share of them were linked to Emotet, which is usually distributed via spam emails. Once victims click a malicious link, Emotet is downloaded to their devices from an already-compromised website. Taking down such compromised websites quickly therefore also reduces the effectiveness of these spam campaigns.
Other malware families being widely distributed by cyber criminals included the GandCrab ransomware, Gozi, Breitchopp adware, Dridex, Dorv, Slimware adware, Loki ransomware, AgentTesla, and Formbook.
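The takedown-latency figures and the per-family breakdown above are the kind of numbers a defender can derive from a URL feed. The following is an added example, not code from Abuse.ch or URLhaus: it parses a constructed, URLhaus-style CSV (column names and hostnames are assumed, not the project's real schema) and computes, per hosting provider, how many submitted URLs are still online, the median time from submission to going offline, and which hosts exceed a week, plus the share of URLs tagged with a given family such as Emotet.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

# Constructed sample feed shaped like a URLhaus-style CSV export; column names assumed.
SAMPLE_FEED = """\
id,dateadded,url,url_status,last_online,threat,tags,reporter
1,2019-01-02 08:00:00,http://host-a.example/wp-content/doc.php,offline,2019-01-05 20:00:00,malware_download,emotet,r1
2,2019-01-03 09:30:00,http://host-a.example/images/inv.doc,offline,2019-01-10 09:30:00,malware_download,emotet,r2
3,2019-01-04 10:00:00,http://host-b.example/files/setup.exe,online,2019-02-15 12:00:00,malware_download,gandcrab,r1
4,2019-01-06 11:15:00,http://host-b.example/dl/a.zip,offline,2019-02-10 11:15:00,malware_download,dridex,r3
5,2019-01-07 12:00:00,http://host-c.example/x/y.exe,online,2019-01-07 12:00:00,malware_download,formbook,r2
"""
TS = "%Y-%m-%d %H:%M:%S"

def parse_feed(text):
    """Parse feed CSV into rows with datetime fields and the URL's hostname."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dateadded"] = datetime.strptime(row["dateadded"], TS)
        row["last_online"] = datetime.strptime(row["last_online"], TS)
        row["host"] = urlparse(row["url"]).hostname
        rows.append(row)
    return rows

def takedown_stats(rows, slow_threshold_days=7):
    """Per host: still-online URL count and median days until offline URLs went down.
    Takedown time is approximated as last_online - dateadded (no report timestamp)."""
    active = defaultdict(int)
    latencies = defaultdict(list)
    for r in rows:
        if r["url_status"] == "online":
            active[r["host"]] += 1
        else:
            days = (r["last_online"] - r["dateadded"]).total_seconds() / 86400
            latencies[r["host"]].append(days)
    report = {}
    for host in set(active) | set(latencies):
        med = median(latencies[host]) if latencies[host] else None
        report[host] = {"active": active[host], "median_days": med,
                        "slow": med is not None and med > slow_threshold_days}
    return report

def tag_share(rows, tag):
    """Fraction of URLs whose comma-separated tags include the given family name."""
    hits = sum(1 for r in rows if tag in r["tags"].split(","))
    return hits / len(rows) if rows else 0.0
```

Running `takedown_stats(parse_feed(SAMPLE_FEED))` flags host-b.example as slow (35 days) while host-a.example, at a median of 5.25 days, stays under the one-week threshold.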