The US is home to 44% of all malware hosted domestically. A new report from Solutionary shows that it hosts approximately five times more malware than the second-leading malware-hosting nation, Germany, which is responsible for just 9% of the world’s malware.
“The information in this report will show our readers how widespread the malware problem truly is and how close it hits to home," said Solutionary SERT director of research, Rob Kraus, in announcing the research. "We aren’t just talking about foreign espionage campaigns, APTs and breaches; many of these malicious activities are taking place within US borders."
The rise of cloud computing and cloud services gives malware distributors fresh fuel: they are rapidly and widely adopting cloud computing, either via buying services directly or by compromising legitimate domains. This trend is allowing distributors to quickly and cost-effectively develop sites and bring them online, as well as to avoid geographic blacklisting, by hiding behind the reputations of major hosting providers such as Amazon, GoDaddy and Google.
“Because of the overwhelming geographic dominance of domestically hosted malware, it is evident that geographic blacklisting and blocking strategies are not effective defensive mechanisms for U.S. organizations to use in the fight to detect and block malware attacks,” Solutionary noted in its report.
In fact, the efficacy of major hosting providers have made it economical for malicious actors to use their services to infect millions of computers and vast numbers of enterprise systems, the report said. Solutionary uncovered that Amazon and GoDaddy are the top malware-hosting providers, with a 16% and a 14% share, respectively.
“Malware and, more specifically, its distributors, are utilizing the technologies and services that make processes, application deployment and website creation easier,” Kraus said. “Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy.”
For instance, a sampling of the malware distributed by various sites revealed that none of the 40 top anti-virus engines detected the 750-plus malicious binaries. Researchers found that a significant portion of the malware sampled consisted of Microsoft Windows 32-bit Portable Executable (PE32) files being used to distribute pay-per-install applications known as potentially unwanted applications (PUAs). The adware installer would install, or appear to install, legitimate software applications to cover its tracks. One specific malicious domain, bb.rauzqivu.ru, was of specific interest to SERT researchers, since to evade detection it had operated across 20 countries, 67 service providers and 199 unique IP addresses in just a two-week period.