Security Experts:

Dozens of Alexa Top 25,000 Domains Serving Malware to Millions, Firm Says

An analysis of the Alexa top 25,000 most popular domains revealed 58 were serving malicious content during the month of February – translating to more than 10.5 million users being targeted by malware, according to research by Barracuda Networks.

The firm also found that on average, two of the Alexa top 25,000 domains serve malicious content each day. In addition, Alexa top-ranked domains served malicious content 23 of the 29 days in February, underscoring that the problem is persistent, argued Barracuda Networks research consultant Paul Royal.

“While Alexa does not publish the total number of page views it uses to determine site rankings, there exists sufficient information to determine that number,” Royal explained in a blog post. “As an example, Wikipedia, which represented ~0.54% of total Alexa views in February 2012, reported ~15.75 billion views for the previous month. Working backwards, we can thus calculate that Alexa used an average of (15,756 * 1,000,000)/(29 * (0.5416/100)) = ~100.31 billion views each day to rank the popularity of websites.”

“Using [that] number,” he continued, “we can calculate the affected views for a given site in a 24-hour period. As an example, free-tv-video-online[.]me, which via an ad network served visitors malicious content on February 13, represented ~0.0053% of the total Alexa views, which yields 5,366,895 affected views for that day. However, to estimate how many users were served exploit content, this number must be adjusted to account for the average number of views per user. Fortunately, Alexa makes this information available.”

“Continuing with the example, free-tv-video-online[.]me has an average of 7.2 views per user,” Royal added. “Thus, for this site, 5,366,895 views equates to 745,402 users served malicious content on February 13. Across all 58 sites that (directly or indirectly) served malicious content, there were 44,160,016 affected views from 10,541,379 users.”

Almost all of the sites hitting visitors with malicious content were a year old or more, and more than half of the sites were older than five years. That means attackers were specifically utilizing well-established, long-lived sites for their drive-by download operations, Royal noted.

“Of course, not every user served malicious content was compromised,” he added. “To estimate the number of successfully exploited users, we used several different sources, including Wikipedia’s browser statistics. To begin, if we examine platform and browser popularity, only about half (or 50.81%) of users (who run Windows and IE or Firefox) possess properties conducive to exploitation. According to Adobe, 73% of PC users have the Java plugin installed,” Royal noted. “According to Qualys, 42% of users with the Java plugin installed have versions vulnerable to exploitation. Thus, of 10,541,379 users served malicious content, 42% (insecure Java) of 73% (Java installed) of 50.81% (Windows and Firefox/IE), or 1,642,172, were likely compromised.”

Just recently, an exploit targeting patched-Java vulnerability CVE-2012-0507 was observed being offered as part of the BlackHole crimeware kit. According to Rapid7, users typically lag far behind when it comes to deploying Java fixes. In the first month after a Java patch is released the fix is deployed by less than 10 percent of users, the company told SecurityWeek last week.

The domains spanned 18 different countries, meaning that the problem has no geographic barrier, Royal added.

The infographic below summarizes Barracuda Networks’ findings.

Malware Served from Popular Websites

view counter