Under the URLhaus project, researchers, organisations and vendors came together to take down websites distributing malware. As a result, 100,000 sites were taken offline in just 10 months.
URLhaus was set up by Abuse.ch, a non-profit Swiss organisation, which invited organisations to add details of malicious websites to a public list. The objective was to track and share the information, both to raise awareness and to help organisations protect their networks. Abuse.ch also used the list to notify the network owners hosting these sites, who would then take them offline. Security solution providers such as Google Safe Browsing and SURBL are among the recipients of the list.
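Consuming the shared list is the step the article leaves implicit. The following Python is an added example, not Abuse.ch code: it parses a constructed feed laid out like the URLhaus CSV export (comment lines prefixed with `#`, then one row per URL; the column order used here is an assumption about that export) and matches URLs from Squid-style proxy access-log lines against it. The feed rows and log lines are made up for the example. URLs are normalised on both sides (scheme dropped, host lower-cased, default ports and trailing slashes removed) so that trivial variations in how a client wrote the URL do not evade the match, and entries the feed marks offline are skipped by default, since a site that comes back up tends to appear as a fresh entry.

```python
import csv
from urllib.parse import urlsplit

# Constructed sample in the layout of the URLhaus CSV export. The column order
# is assumed; hosts, paths, IDs and reporters are invented for this example.
SAMPLE_FEED = """\
# URLhaus sample (constructed for this example, not real feed data)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"100001","2019-03-01 10:00:00","http://malware.example.test/doc/Invoice.doc","online","2019-03-01 10:00:00","malware_download","doc,emotet,heodo","https://urlhaus.abuse.ch/url/100001/","reporter_a"
"100002","2019-03-01 11:30:00","http://downloads.example.test/gc/","offline","2019-03-01 12:00:00","malware_download","GandCrab","https://urlhaus.abuse.ch/url/100002/","reporter_b"
"100003","2019-03-02 08:15:00","https://CDN.Example.test:443/loki/panel.exe","online","2019-03-02 09:00:00","malware_download","exe,LokiBot","https://urlhaus.abuse.ch/url/100003/","reporter_c"
"""

FIELDS = ["id", "dateadded", "url", "url_status", "last_online",
          "threat", "tags", "urlhaus_link", "reporter"]

# Constructed Squid native access.log lines: the client IP is field 3 and
# the requested URL is field 7 (1-based).
SAMPLE_LOG = [
    "1551441600.123    245 10.0.0.15 TCP_MISS/200 51200 GET http://malware.example.test/doc/Invoice.doc - HIER_DIRECT/203.0.113.10 application/msword",
    "1551441601.456    120 10.0.0.22 TCP_MISS/200 1024 GET http://downloads.example.test/gc - HIER_DIRECT/203.0.113.11 text/html",
    "1551441602.789     98 10.0.0.31 TCP_MISS/200 2048 GET https://cdn.example.test/loki/panel.exe - HIER_DIRECT/203.0.113.12 application/octet-stream",
    "1551441603.000     50 10.0.0.40 TCP_MISS/200 4096 GET http://www.example.test/index.html - HIER_DIRECT/203.0.113.13 text/html",
]


def normalize_url(url):
    """Canonical (host, path) key for a URL: scheme dropped, host lower-cased,
    ports 80/443 removed, query string kept, trailing slash stripped."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    if parts.query:
        path = f"{path}?{parts.query}"
    return host, path.rstrip("/") or "/"


def load_feed(text):
    """Parse URLhaus-style CSV text into a dict keyed by normalised URL.
    Comment lines are skipped; on duplicate URLs the later row wins."""
    rows = (line for line in text.splitlines()
            if line and not line.startswith("#"))
    feed = {}
    for rec in csv.DictReader(rows, fieldnames=FIELDS):
        feed[normalize_url(rec["url"])] = rec
    return feed


def match_proxy_log(log_lines, feed, include_offline=False):
    """Return (client_ip, url, tags) for each log line whose URL is listed.
    Entries not marked 'online' are ignored unless include_offline is set."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client_ip, url = fields[2], fields[6]
        rec = feed.get(normalize_url(url))
        if rec is None:
            continue
        if rec["url_status"] != "online" and not include_offline:
            continue
        hits.append((client_ip, url, rec["tags"]))
    return hits


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for client_ip, url, tags in match_proxy_log(SAMPLE_LOG, feed):
        print(f"{client_ip} fetched listed URL {url} [{tags}]")
```

Run against the sample data, the offline GandCrab entry is matched only when `include_offline=True`; in a real deployment the live export would be fetched on a schedule and the matcher pointed at the proxy's actual log file.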
When Abuse.ch attempted to notify network owners through their abuse-complaint procedures, it initially ran into setbacks such as non-delivery reports or emails landing in spam.
Most of the hosting networks were based in China and the US, with Chinese networks generally taking the longest to respond. For some hosting networks the response time was a month.
This challenge showed the reality of how seriously some networks take keeping users safe. The low priority given to such complaints raises two questions: whether there are internal procedures for reporting threats to network security at all, and whether there are procedures for taking malicious websites offline. Where procedures do exist, a remediation time of up to a month points to inadequate monitoring, review and testing of the procedure; such measures would make the process more efficient.
Abuse.ch reported that the fastest networks to reply and take down the sites were based in Italy, with a response time of 22 hours for 151 malicious URLs.
Of the 380,000 malware distribution sites listed, the threat types included:
- Emotet/Heodo – the most common type of malware on the list. It is spread by daily email spam campaigns carrying documents with malicious macros;
- Gozi – a banking trojan; a single campaign can compromise over 5,200 hosts and 10,000 users. Distributed through spam, it steals data from SSL-protected sessions;
- GandCrab – ransomware whose spam campaigns carry a Word document that simply reads “Emergency Exit Map”; its malicious macros are triggered when the user clicks “Enable Content”. It then encrypts the user’s files and drops ransom notes;
- Loki-Bot – steals passwords and other user credentials via a key-logger component. The malware and its Command and Control (C2) panel are sold extremely cheaply, attracting more attackers.
Project URLhaus is still active, organisations are still posting links, and its success rate so far shows the malware clampdown is working. That said, GandCrab surfaced again in the past few days using the sender name Rosie L. Ashton. Sites can be taken down only to reappear elsewhere, or be replaced by an entirely different one. The good thing is that the more exposed threat actors are, and the more knowledge individuals have to detect these threats, the less impact they can have over time.
Following the malware crackdown, Abuse.ch stated the following:
“URLhaus wouldn’t be successful without the help of the community. It proves that the key in fighting malware and botnets is sharing.”