The world is changing
A couple of months ago, someone asked me what was happening in the malicious website world, and I replied that I thought it was all changing, but I wasn't sure how.
It has changed, though it's still not clear how much; here's what we're seeing.
The first notable change is geographic. A year ago, we would have said that 90% of the malicious website activity was Russian based. Today, those guys are still there, but we now have huge activity from China, Morocco, Brazil and France as well, and the Russian component is probably less than 30%.
The second change is the sheer volume of attacks. If you don't believe me, go google for .cn/1.js, and see how many results are returned. (WARNING!!! Don't go to any of the result websites, unless you're well protected by LinkScanner, or you're patched). Today, you get about 60,000 hits, and a week ago, it was about 120,000. Now, this is not _proof_ of anything, because some of the returned results are now clean, and some have never been infected in the first place, but it does give an indication of the scope of the problem because 1.js is just one example of one of the recent Chinese attack scripts, and there are _lots_ of other ones.
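The search trick above works because these injections show up as a remote script include that the site owner never added (and, often, a zero-size iframe next to it). As an added example that is not part of the original post, here is a small scanner in the same spirit: it walks a fetched page, lists cross-origin script includes, and flags those whose host and path match an indicator pattern modelled on the ".cn/1.js" example, plus any hidden iframes. The indicator patterns, the sample page and the host names in it are constructed for illustration; a real deployment would load its patterns from a curated feed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed indicator patterns, modelled on the ".cn/1.js" search in the post.
# They are illustrative only; a .cn host rule alone would be far too blunt for
# production use and is here to show how a pattern pair (host + path) is applied.
SUSPICIOUS_HOST_PATTERNS = [re.compile(r"^[^/]*\.cn$", re.I)]   # host under the .cn TLD
SUSPICIOUS_PATH_PATTERNS = [re.compile(r"/\d+\.js$", re.I)]    # numbered scripts such as /1.js

# Constructed sample page: two legitimate includes, one injected script and one 0x0 iframe.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/jquery.js"></script>
</head><body>
<p>Welcome</p>
<script src="http://example-badhost.cn/1.js"></script>
<iframe src="http://example-badhost.cn/x.htm" width="0" height="0"></iframe>
</body></html>"""


class IncludeExtractor(HTMLParser):
    """Collects external <script src> values and iframes that are hidden or zero-sized."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.hidden_iframes = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            zero_sized = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or zero_sized:
                self.hidden_iframes.append(a.get("src", ""))


def flag_injected_includes(html, site_host):
    """Return (kind, src) findings for cross-origin includes matching the indicator patterns
    and for hidden iframes. Same-origin and relative includes are skipped."""
    parser = IncludeExtractor()
    parser.feed(html)
    findings = []
    for src in parser.script_srcs:
        u = urlparse(src)
        host = (u.hostname or "").lower()
        if not host or host == site_host.lower():
            continue  # relative or same-origin include: not a cross-site injection
        host_hit = any(r.search(host) for r in SUSPICIOUS_HOST_PATTERNS)
        path_hit = any(r.search(u.path) for r in SUSPICIOUS_PATH_PATTERNS)
        if host_hit and path_hit:
            findings.append(("script", src))
    for src in parser.hidden_iframes:
        findings.append(("hidden-iframe", src))
    return findings


if __name__ == "__main__":
    for kind, src in flag_injected_includes(SAMPLE_PAGE, "shop.example.com"):
        print(f"{kind}: {src}")
```

The scanner deliberately reports hidden iframes regardless of host, because a 0x0 frame has almost no legitimate use on a content page, while a cross-origin script is only flagged when both the host and the path rule match; loosening that to "any cross-origin script" turns the tool into an inventory of a site's CDN and analytics includes, which is useful for review but is not a detection.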
The third change is the reduction of adware. I guess there's still lots of it, but it doesn't seem to figure as prominently in the malicious website equation. It used to be that the first thing a malicious website did when it nailed you was to install 20MB of adware (usually the variety that paid commissions per install), followed by a keylogger/rootkit, and a pitch for a fake antispy to remove it all (for just $49.95). Now we just see the keylogger/rootkit, and sometimes the pitch for the fake antispy.
In other words, the whole idea of malicious websites seems to be Catching On (tm), and the payloads are less innocent, and more overtly criminal.
Labels: malicious website exploit