Malware hosting trends exposed


Using newly registered domains with a very short lifespan to host malware websites is so last year. It would appear that these days such things are far more likely to be hosted on much older, compromised websites instead. Could this be down to a decline in domain tasting?

The latest MessageLabs Intelligence report appears to think so, suggesting that the previously widespread practice of cancelling a new domain registration within the few days of the 'cooling off' period has been in decline recently. Indeed, the Internet Corporation for Assigned Names and Numbers stated as much in June. The MessageLabs analysis of websites established purely to deliver malware showed that domains classified as young (registered within three months of being blocked for hosting malicious content) are now relatively small in number, mainly because in 90% of cases they are discovered and taken down within the first 38 days of registration. When it came to older domains, registered for more than three months and then compromised to serve malware, MessageLabs discovered that they have a much longer shelf life: 90% are taken down only after 138 days. Overall, 80% of sites blocked for serving up malware are established legitimate sites which have been compromised.

"It is not surprising that with a small window of opportunity for younger domains, the attackers register domains much faster," says Paul Wood, MessageLabs Intelligence Senior Analyst at Symantec, "suggesting that attackers are working very hard to set up new domains and compromise new websites. However, in an effort to keep up with the rapid turnover of domains, the bad guys are often serving up the same malware." This is why it is of greater benefit to the bad guys to compromise existing sites rather than establish a specialised new domain for the purpose. "Fundamentally, using legitimate websites to spread malware reduces the labor for the cybercriminals and extends the lifetime of the malware," Wood explains, adding, "moreover, by taking advantage of the Add Grace Period, a policy that allows scammers to register a domain at no cost and cancel after five days, 'domain tasting' and 'domain kiting' have become common practice for cybercriminals, allowing them to beat the system without ever paying for malware distribution."

The report also highlights a decrease in the global ratio of spam in email traffic from new and previously unknown bad sources in September, down 2.1% since August to 86.4%, or 1 in every 1.2 emails sent. Year on year, though, spam levels were up: 88.1% for Q3 2009 compared with 81.0% for Q3 2008. There was also bad news about botnets, which appear to have well and truly recovered from the McColo takedown hiccup and are now responsible for sending a staggering 150 billion spam emails every day!

Davey Winder

I've been a freelance word punk for more than two decades and for the last few years an Editorial Fellow at Dennis Publishing. Along the way I have been honoured with a Technology Journalist of the Year award and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011. As well as working for DaniWeb, I have been a Contributing Editor with PC Pro (the best-selling IT magazine in the UK) for twenty years.


Damn! That's crazy. I'm glad that there are people protecting us ^_^