In March of 2018, a Swiss security researcher from abuse.ch began an initiative to take down websites hosting malware by contacting their hosting providers. The initiative was highly successful, taking down over 100,000 malware hosting websites in just 10 short months. A team of 265 security researchers submitted takedown requests for approximately 300 new websites per day in order to make the internet a safer place. While the campaign to clean up the internet was successful as evidenced by the takedown numbers, there are a few lessons learned along the way that continue to trouble security researchers.
The nemesis of Marvel’s Captain America, Red Skull, had a motto for his organization Hydra: “Cut off one head, two more shall take its place.” This is true of super villains, mythical creatures, and websites hosting malware. Research from abuse.ch shows that the number of active malware sites outnumbers the takedown requests by nearly 10 to 1. Hosting malware has become a modern-day game of Whack-a-Mole: security researchers submit a takedown request, wait an unspecified amount of time, and then the website gets removed. In the interval between the takedown request and the actual takedown, malware authors have already set up dozens of mirrors and additional websites to host their malware. This is obviously not scalable for an all-volunteer team of researchers scouring the internet while also holding day jobs.
Security researchers were disappointed with the amount of time it took for takedown requests to be approved and processed. While the average layperson believes that a site that’s obviously hosting malware should be taken down with the flip of a switch, many hosting providers have abuse teams that are overworked or simply do not place much priority on these requests. On average, malware hosting websites stayed active for about eight and a half days. Looking at the top ten hosting providers by number of takedown requests submitted, 7 are hosted in the US or China. Takedown times for providers in the US ranged from two days (Unified Layer) to almost two weeks (CloudFlare). US hosting provider Digital Ocean came in as the hosting provider with the most takedown requests (307) and an average takedown time of six and a half days.
The story gets much worse for the three hosting providers located in China. The average takedown time was over one month. Chinese hosting providers either lack the resources to process these takedown requests or simply do not take them seriously. This is concerning for security researchers. The time to take down a malicious website is highly disproportionate to the time it takes to set up one. With services like Wix, SquareSpace, and Digital Ocean promoting how easy and fast it is to set up a website, it is no wonder takedown requests cannot keep up with the vast number of malicious websites popping up every single day. While these facts are already cause for concern, the type of malware being hosted is even more deeply troubling.
The vast majority of websites serving malware and targeted for takedown hosted the Emotet banking trojan. Notorious bank robber Willie Sutton said in an interview, “I rob banks because that’s where the money is.” It is easy to draw the comparison between banking trojans and modern-day bank robbers. With the majority of the developing world and a good percentage of the developed world using mobile devices and computers to perform online banking, it is clear why this family of malware would be the most popular. Three of the top five malware signatures were tied to credential stealers or banking trojans. Rounding out the top five were GandCrab ransomware and Breitschopp adware (pay-per-install).
Abuse.ch provides a threat feed that can be ingested into a content filtering solution in order to block websites that researchers report to be serving malware. While this list is still a valuable tool in a defense-in-depth security strategy, it is clear for the reasons mentioned above that solving the malware problem on the supply side alone will not suffice. Takedown requests take too long to process, and sites are spinning up faster than they can be taken down. In order to protect themselves, organizations need to tackle this problem on the demand side (users going out to the internet). Content filtering solutions are good at ingesting URL lists and blocking based on URL categories. With malware sites coming online faster than they can be reported and categorized, it is simply not enough to rely on reputation- or category-based content filtering. Blocking users, cautioning users, or implementing stricter security controls when visiting a URL category for newly registered domains will help greatly, but could also hinder business productivity. For example, a law firm specializing in assisting new startup companies may have a legitimate business need to visit newly registered websites.
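As an added illustration of the feed-based blocking described above (example code written for this page, not abuse.ch's own tooling), the block below loads a constructed feed in a simplified URLhaus-like CSV layout, normalizes URLs so trivial variants still match, and runs constructed proxy log lines through it. The sample feed, the `.example` hostnames and the log lines are all made up; the last log line shows the page's point that a freshly spun-up mirror not yet in the feed sails through a list-based filter.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample in a simplified URLhaus-style CSV layout (not real data).
SAMPLE_FEED = """\
# id,dateadded,url,url_status,threat,tags
1,2018-12-01 10:00:00,http://bad.example/files/invoice.doc,online,malware_download,emotet
2,2018-12-02 11:30:00,http://cdn.example:8080/pay/,offline,malware_download,gandcrab
3,2018-12-03 09:15:00,https://mirror.example/Drop/a.exe,online,malware_download,emotet
"""

# Constructed proxy log lines: timestamp, user, requested URL.
SAMPLE_PROXY_LOG = """\
2018-12-04T08:01:02Z alice HTTP://BAD.EXAMPLE/files/invoice.doc
2018-12-04T08:02:10Z bob http://bad.example/files/other.doc
2018-12-04T08:03:44Z carol http://mirror2.example/Drop/a.exe
"""

def normalize(url):
    """Canonical (host, path): lowercase host, default ports dropped, trailing slash stripped.
    Path case is kept because web servers treat it as significant."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    path = parts.path.rstrip("/") or "/"
    return host, path

def load_feed(text, include_offline=False):
    """Parse the feed into a set of normalized entries; '#' comment lines are skipped.
    Offline entries are excluded by default since the site was already taken down."""
    body = "".join(l for l in text.splitlines(True) if not l.startswith("#"))
    block = set()
    for row in csv.reader(io.StringIO(body)):
        if len(row) < 4:
            continue
        _id, _added, url, status = row[:4]
        if status == "online" or include_offline:
            block.add(normalize(url))
    return block

def check_request(url, block):
    """'block' on an exact host+path hit, 'host-only' if only the host is listed, else 'allow'."""
    host, path = normalize(url)
    if (host, path) in block:
        return "block"
    if any(h == host for h, _ in block):
        return "host-only"
    return "allow"

def scan_log(log_text, block):
    """Apply check_request to each proxy log line; returns [(user, url, verdict)]."""
    return [(u, url, check_request(url, block))
            for _ts, u, url in (line.split(" ", 2) for line in log_text.splitlines())]
```

A "host-only" verdict is a reasonable trigger for the stricter controls the paragraph mentions (warn or isolate) rather than an outright block.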
Until the internet hosting industry comes to a consensus and streamlines the process for taking down harmful websites, organizations are on their own to protect themselves against malicious websites. Organizations that wish to protect users against these threats must take a zero trust approach and not simply depend on the URL category of a website to block malicious content. Inspecting every byte of data being served, no matter where the user connects from and including TLS-encrypted traffic, is the only way to ensure users are protected. It is simply not enough to rely on good-hearted security researchers and responsive hosting providers to keep the internet safe.