abuse.ch, a non-profit cybersecurity organization based in Switzerland, initiated a project that has united security researchers across the world. The project, called URLhaus, involved researchers submitting URLs used in malicious campaigns. These URLs were then investigated and taken down, ultimately removing 100,000 malicious URLs.
In order to pull off the takedown activity, the researchers needed the help of the companies hosting the malicious URLs on their infrastructure. Some companies were quicker to respond than others, with Chinese hosting networks being the slowest to react.
In a report abuse.ch stated:
“The three top Chinese malware hosting networks have an average abuse desk reaction time of more than a month!”
The top three Chinese malware hosting networks in question were ChinaNet, China Unicom, and Alibaba.
This is particularly worrying because close to 500 of the malicious websites were hosted by Chinese companies, and those companies often took so long to respond that the malicious activity could continue for a considerable time. One malicious website was kept active for one month and 23 days.
The fastest-acting company was Unified Layer, a US-based company, which took down 127 malicious URLs in two and a half days.
URLhaus was launched in March 2018 with the goal to “collect and share URLs that are being used for distributing malware.” The project has now been heralded as a huge success.
The statement from abuse.ch continues:
“With the help of the community, URLhaus was able to take down almost 100,000 malware distribution sites within just 10 months! During that time, 265 security researchers located all over the world have identified and submitted on average 300 malware sites to URLhaus each day, helping others to protect their network and users from malware campaigns.”
Taking down these malware websites will be a long and continuous process, with URLhaus counting between 4,000 and 5,000 active malware distribution sites every day. This is, of course, a huge problem. Although there are great efforts to take down these sites, the average malware distribution site stays active for almost nine days. That’s more than enough time to infect thousands of devices every day.
abuse.ch has also revealed that a large proportion of the malware distribution sites are related to Emotet.
Emotet is a banking Trojan that obtains financial information by injecting code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be captured as it is transmitted. Emotet is propagated through spam that reaches users’ inboxes almost every day. These malspam campaigns usually contain a malicious Office document with macros. If the recipient opens the Word document and enables the macros, the malware payload is automatically downloaded and executed.
abuse.ch finished on this note:
“URLhaus wouldn’t be successful without the help of the community. It proves [sic] that the key in fighting malware and botnets is sharing.
But we are not where we should be yet. There is still a long way to go with regards to response time of abuse desks. An average reaction time of more than a week is just too much and proves [sic] bad internet hygiene. I do also hope that the Chinese hosting providers wake [sic] up and start taking care about the abuse problems in their networks in time. Having malware distribution sites staying active for over a month is just not acceptable.”