More malware is hosted on local servers in the U.S. and Britain than in countries with less developed e-crime law enforcement policies, researchers at Finjan Inc. determined after reviewing data from the first quarter of the year.
The San Jose, Calif.-based security vendor released its Web Security Trends Report for the first quarter of 2007 on Monday. Its findings are based on an analysis of more than 10 million unique URLs from live Web traffic recorded in the U.K. Finjan said its biggest findings were that:
- Malicious code is more likely to be hosted on local servers in the U.S. and U.K. than in countries with less developed e-crime law enforcement policies.
- Attacks that involve the use of code obfuscation through diverse randomization techniques are growing more numerous and complex. More than 80% of the malicious code detected by Finjan was obfuscated, making it virtually invisible to pattern-matching/signature-based methods in use by antivirus products.
- Digital miscreants are displaying an increasing level of sophistication when embedding malicious code within legitimate content, with less dependence on outlaw servers in unregulated countries.
"The results of this study shatter the myth that malicious code is primarily being hosted in countries where e-crime laws are less developed," Finjan CTO Yuval Ben-Itzhak said in a statement. "Our research shows that malicious content is much more likely to show up on a local server than one in Asia or Eastern Europe. Unfortunately this means that the traditional location-based reputation heuristics are decreasingly effective against modern attacks."
Specifically, Finjan found that 90% of the URLs containing malware resided on servers located in the U.S. or U.K. Advertising is the leading category for URLs containing malicious code, representing 80% of all instances, the report said, adding, "Attackers have discovered that the multiple parties involved and the complex structure of business relationships involved in online advertising make it relatively easy to inject malicious content into generally legitimate ad delivery streams."
When analyzing malicious content in terms of the URL Web site categories, Finjan found that malware is just as likely to be accessed through legitimate Web sites for such things as finance, travel and computing as through what might be considered disreputable Web sites promising porn or free downloads.
"The fact that malicious code is just as likely to be found in legitimate categories as in questionable categories means that security products that rely solely on URL categories to block access to malicious sites are no longer effective," Ben-Itzhak said.