Research predicts websites likely to be infected with malware

Research into website malwareResearch conducted by Kyle Soska and Nicolas Christin of Carnegie Mellon University proves that with some degree of accuracy, they can predict which websites will be successfully infected with malware.

“Our approach relies on an online classification algorithm that can automatically detect whether a server is likely to become malicious,” the researchers stated.

Their research uses an algorithm that analyzed websites before they were infected and after they were infected.

“we use machine-learning tools to attempt to detect websites that have not been compromised yet, but
that are likely to become malicious in the future, over a reasonably long horizon (approximately one year)” they stated in their research paper.

Whether or not their predictions come true, it could be used to alert website owners before their website becomes infected with malware.

Many website owners are more reactive – they often don’t consider website security until after they’ve been infected. However, with this research, they could be warned ahead of time and take corrective action before their website and their business becomes victimized by website malware.

“Our goal is to build a classifier which can predict with high certainty if a given website will become malicious in the future.”

“At a high level, the classifier determines if a given website shares a set of features with websites known to have been malicious. A key aspect of our approach is that the feature list used to make this determination is automatically extracted from a training set of malicious and benign webpages, and is updated over time, as threats evolve.”

Could this actually help?

Only time will tell, but it does present some interesting ideas.


The latest round of WordPress infections

WordPress plugin custom-contact-forms used to infect websites
This past week has seen another influx of infected WordPress sites. This time, it’s another plugin: custom-contact-forms.

Their website shows a total of 630,792 downloads as of this blog post, so it appears to be quite popular.

It was last updated on August 4, 2014, however, again, it does not seem like many people are keeping their WordPress AND plugins updated.

What we’re seeing is in the wp-content/plugins/custom-contact-forms/import folder, typically 2 files that have a series of numbers and end with .sql.php. The files we’ve seen usually have some bogus looking Joomla code in them. Yes, you read that correctly, Joomla looking code.

There have other files as well, but these appear to be the hackers first uploads to a vulnerable website.

From there the hackers have uploaded phishing files, other backdoors, emailers and other malicious code.

Many of the most recent infections we’ve found are on either VPS’s or dedicated servers. If they have all the websites on one cPanel, then the hackers can and do, infect many of the other websites as well.

A scenario we see frequently is where there are let’s say 10 websites on a single cPanel. The hackers will find a way in on website number 3. They don’t leave their code there, because they don’t want to attract your attention to that site. They’ll infect say, websites 5, 6, 7 and 8.

That way you focus your malware removal efforts on that site and they keep coming in on website number 3. They may also put backdoor shells on websites 1 and 2. These backdoor shells allow them to have remote access to your files after you remove their original point of entry on website number 3.

For this reason, we recommend that each website be on it’s own cPanel. Yes, it’s a hassle, but so is having all of your websites down while the one is the original point of entry.

This entire sequence of events can be prevented if you’re very diligent about keeping your WordPress and it’s plugins updated – daily.

Thank you for reading. If you have any questions, please do not hesitate to ask here. Also, if you want to share this, please do.