Using newly registered domains with a very short lifespan to host malware websites is so last year. It would appear that these days such things are far more likely to be hosted on much older compromised websites instead. Could this be down to a decline in domain tasting?
The latest MessageLabs Intelligence report appears to think so, suggesting that the previously widespread practice of cancelling a new domain registration within a few days' 'cooling off' period has been in decline recently. Indeed, the Internet Corporation for Assigned Names and Numbers stated as much in June. The MessageLabs analysis of those websites which had been established purely to deliver malware showed that those domains classified as young, registered within three months of being blocked for hosting malicious content, are now relatively small in number, mainly because they are discovered and taken down within the first 38 days of registration in 90% of cases. When it came to older domains that had been registered for more than three months and then compromised for malware service, MessageLabs discovered that they have a much longer shelf life: 90% are taken down after 138 days. Overall, 80% of sites blocked for serving up malware are established legitimate sites which have been compromised.
"It is not surprising that with a small window of opportunity for younger domains, the attackers register domains much faster," Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec, says, "suggesting that attackers are working very hard to set up new domains and compromise new websites. However, in an effort to keep up with the rapid turnover of domains, the bad guys are often serving up the same malware." That is why it is of greater benefit for the bad guys to compromise those existing sites rather than establish a specialised new domain for the purpose. "Fundamentally, using legitimate websites to spread malware reduces the labor for the cybercriminals and extends the lifetime of the malware," Wood explains, adding, "moreover, by taking advantage of the Add Grace Period, a policy that allows scammers to register a domain at no cost and cancel after five days, 'domain tasting' and 'domain kiting' have become common practice for cybercriminals, allowing them to beat the system without ever paying for malware distribution."
The report also highlights a decrease in the global ratio of spam in email traffic from new and previously unknown bad sources in September, down 2.1% since August to 86.4%, or 1 in every 1.2 emails sent. Year on year, though, spam levels were up: 88.1% for Q3 2009 compared with 81.0% for Q3 2008. There was also bad news about botnets, which appear to have well and truly recovered from the McColo takedown hiccup and are now responsible for sending a staggering 150 billion spam emails every day!