Over the last ten months, security researchers filed abuse reports with web hosting providers and have taken down nearly 100,000 URLs that were used to distribute malware, said today Abuse.ch, a non-profit cybersecurity organization.
These coordinated efforts were part of the URLhaus initiative that Abuse.ch launched in March 2018, and whose primary objective is to collect and share URLs about active malware campaigns so the information security (infosec) community can take action by blacklisting or taking down URLs.
In a report published today, Abuse.ch says the URLhaus project has been a resounding success, with 265 security researchers sharing URLs and filing abuse reports with web hosting providers over the past year.
The organization says that researchers shared between 4,000 and 5,000 active malware distribution sites per day, filing hundreds of abuse reports in the process.
But while Abuse.ch noted that “URLhaus […] managed to get the attention of many hosting providers,” there is still a lot of work to be done, as many web hosting providers are still very slow in responding to abuse complaints.
Furthermore, numbers show that the average response time appears to have increased compared to last year. In a previous report published in October 2018, Abuse.ch said that web hosting providers previously took 3 days, 2 hours, and 33 minutes, on average, to respond to abuse complaints and remove malware hosted on their servers.
But in today’s report, the organization noted that recent numbers indicate that the average takedown time has now increased to more than a week, to 8 days, 10 hours, and 24 minutes, giving malware authors more than enough time to infect thousands of device every day.
Furthermore, the situation has gotten out of control in China –one of the most popular country for hosting malware files together with the US– where web hosting providers now have an average abuse report response time of over a month.
Long live Emotet, the malware king!
As for what the 265 security researchers have reported the most in the last ten months, the answer was not a surprise. Of the 380,000 malware samples that security researchers found hosted on newly created or hacked websites, the most common malware family was Emotet (also known as Heodo), a multi-faceted malware strain that can work as a downloader for other malware, a backdoor, a banking trojan, a credentials stealer, or a spam bot, among many other things.
Other popular malware strains that researchers spotted and reported included variations of the Gozi banking trojan, and installers for GandCrab, which is, by far, today’s most prevalent ransomware strain.
Because most of today’s email security scanners do a good job at detecting malicious file attachments, recent email spam campaigns don’t work as they did in the past. Nowadays, many spam campaigns have switched from including the malware payload in the file attachment to adding a link inside the email body that points to a website from where the victim is asked to download a malicious document or the malware’s installer.
Furthermore, most malware is now modular, and seemingly benign software components connect online and download malware hosted on legitimate or hacked websites.
This is what the URLhaus project has been tracking over the past ten months, building a database of all these new malware distribution URLs.
Having databases of these newly detected malicious links is crucial for cyber-security firms and private corporations that want to blacklist these URLs before something bad happens.
The optimum scenario would be if web hosting providers would take down these links as soon as they’re reported in the URLhaus database.
But while there are still many problems when it comes to getting web hosts to cooperate, taking down nearly 100,000 malware URLs with just 265 researchers is quite the feat for URLhaus’ first year in existence.